适用于 PHP 的 AWS 开发工具包
开发人员指南
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

通过AWS SDK for PHP版本 3 使用 IAM 策略

您通过创建策略向用户授予权限。策略是一个文档,其中列出了用户可以执行的操作以及这些操作会影响的资源。默认情况下会拒绝未显式允许的任何操作或资源。可将策略附加到用户、用户组、用户代入的角色以及资源。

以下示例演示如何:

GitHub 上的此处提供了AWS SDK for PHP版本 3 的所有示例代码。

凭证

在运行示例代码之前,您需要配置 AWS 凭证,如适用于 PHP 的 AWS 开发工具包版本 3 的凭证中所述。然后导入AWS SDK for PHP,如适用于 PHP 的 AWS 开发工具包版本 3 的基本使用模式中所述。

创建策略

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $myManagedPolicy = '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "RESOURCE_ARN" }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": "RESOURCE_ARN" } ] }'; try { $result = $client->createPolicy(array( // PolicyName is required 'PolicyName' => 'myDynamoDBPolicy', // PolicyDocument is required 'PolicyDocument' => $myManagedPolicy )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

将策略附加到角色

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $roleName = 'ROLE_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedRolePolicies = $client->getIterator('ListAttachedRolePolicies', ([ 'RoleName' => $roleName, ])); if (count($attachedRolePolicies) > 0) { foreach ($attachedRolePolicies as $attachedRolePolicy) { if ($attachedRolePolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachRolePolicy(array( // RoleName is required 'RoleName' => $roleName, // PolicyArn is required 'PolicyArn' => $policyArn )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

将策略附加到用户

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $userName = 'USER_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedUserPolicies = $client->getIterator('ListAttachedUserPolicies', ([ 'UserName' => $userName, ])); if (count($attachedUserPolicies) > 0) { foreach ($attachedUserPolicies as $attachedUserPolicy) { if ($attachedUserPolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachUserPolicy(array( // UserName is required 'UserName' => $userName, // PolicyArn is required 'PolicyArn' => $policyArn, )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

将策略附加到组

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->attachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

分离用户策略

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachUserPolicy(array( // UserName is required 'UserName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

分离组策略

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除策略

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deletePolicy(array( // PolicyArn is required 'PolicyArn' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除角色策略

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteRolePolicy(array( // RoleName is required 'RoleName' => 'string', // PolicyName is required 'PolicyName' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除用户策略

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteUserPolicy(array( // UserName is required 'UserName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除组策略

导入

require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }