适用于 PHP 的 IAM 开发工具包示例 - Amazon SDK for PHP
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

适用于 PHP 的 IAM 开发工具包示例

以下代码示例向您展示如何通过使用Amazon SDK for PHP用 IAM 进行。

操作展示如何调用具体 IAM 函数的代码节选。

方案展示如何通过调用多个 IAM 函数来完成特定任务的代码示例。

每个示例都包含一个指向 GitHub 的链接,其中包含了有关如何在上下文中设置和运行代码的说明。

操作

以下代码示例显示如何将 IAM 策略附加到角色。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); $assumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"{$user['Arn']}\"}, \"Action\": \"sts:AssumeRole\" }] }"; $assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument); echo "Created role: {$assumeRoleRole['RoleName']}\n"; $listAllBucketsPolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}] }"; $listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument); echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n"; $service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']); public function attachRolePolicy($roleName, $policyArn) { return $this->customWaiter(function () use ($roleName, $policyArn) { $this->iamClient->attachRolePolicy([ 'PolicyArn' => $policyArn, 'RoleName' => $roleName, ]); }); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。AttachRolePolicyAmazon SDK for PHPAPI 参考.

以下代码示例显示如何创建 IAM 策略。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); $listAllBucketsPolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}] }"; $listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument); echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n"; public function createPolicy(string $policyName, string $policyDocument) { $result = $this->customWaiter(function () use ($policyName, $policyDocument) { return $this->iamClient->createPolicy([ 'PolicyName' => $policyName, 'PolicyDocument' => $policyDocument, ]); }); return $result['Policy']; }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。CreatePolicyAmazon SDK for PHPAPI 参考.

以下代码示例显示如何创建 IAM 角色。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); $assumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"{$user['Arn']}\"}, \"Action\": \"sts:AssumeRole\" }] }"; $assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument); echo "Created role: {$assumeRoleRole['RoleName']}\n"; /** * @param string $roleName * @param string $rolePolicyDocument * @return array * @throws AwsException */ public function createRole(string $roleName, string $rolePolicyDocument) { $result = $this->customWaiter(function () use ($roleName, $rolePolicyDocument) { return $this->iamClient->createRole([ 'AssumeRolePolicyDocument' => $rolePolicyDocument, 'RoleName' => $roleName, ]); }); return $result['Role']; }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。CreateRoleAmazon SDK for PHPAPI 参考.

以下代码示例显示如何创建 IAM 服务相关角色。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function createServiceLinkedRole($awsServiceName, $customSuffix = "", $description = "") { $createServiceLinkedRoleArguments = ['AWSServiceName' => $awsServiceName]; if ($customSuffix) { $createServiceLinkedRoleArguments['CustomSuffix'] = $customSuffix; } if ($description) { $createServiceLinkedRoleArguments['Description'] = $description; } return $this->iamClient->createServiceLinkedRole($createServiceLinkedRoleArguments); }

以下代码示例显示如何创建 IAM 用户。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); $user = $service->createUser("iam_demo_user_$uuid"); echo "Created user with the arn: {$user['Arn']}\n"; /** * @param string $name * @return array * @throws AwsException */ public function createUser(string $name): array { $result = $this->iamClient->createUser([ 'UserName' => $name, ]); return $result['User']; }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。CreateUserAmazon SDK for PHPAPI 参考.

以下代码示例显示如何获取 IAM 策略。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function getPolicy($policyArn) { return $this->customWaiter(function () use ($policyArn) { return $this->iamClient->getPolicy(['PolicyArn' => $policyArn]); }); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。GetPolicyAmazon SDK for PHPAPI 参考.

以下代码示例显示如何获取 IAM 角色。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function getRole($roleName) { return $this->customWaiter(function () use ($roleName) { return $this->iamClient->getRole(['RoleName' => $roleName]); }); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。GetRoleAmazon SDK for PHPAPI 参考.

以下代码示例显示如何获取 IAM 账户密码策略。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function getAccountPasswordPolicy() { return $this->iamClient->getAccountPasswordPolicy(); }

以下代码示例显示如何列出 IAM 的 SAML 提供商。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function listSAMLProviders() { return $this->iamClient->listSAMLProviders(); }

以下代码示例显示如何列出 IAM 组。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function listGroups($pathPrefix = "", $marker = "", $maxItems = 0) { $listGroupsArguments = []; if ($pathPrefix) { $listGroupsArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listGroupsArguments["Marker"] = $marker; } if ($maxItems) { $listGroupsArguments["MaxItems"] = $maxItems; } return $this->iamClient->listGroups($listGroupsArguments); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。ListGroupsAmazon SDK for PHPAPI 参考.

以下代码示例显示如何列出 IAM 角色的内联策略。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function listRolePolicies($roleName, $marker = "", $maxItems = 0) { $listRolePoliciesArguments = ['RoleName' => $roleName]; if ($marker) { $listRolePoliciesArguments['Marker'] = $marker; } if ($maxItems) { $listRolePoliciesArguments['MaxItems'] = $maxItems; } return $this->customWaiter(function () use ($listRolePoliciesArguments) { return $this->iamClient->listRolePolicies($listRolePoliciesArguments); }); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。ListRolePoliciesAmazon SDK for PHPAPI 参考.

以下代码示例显示如何列出 IAM 策略。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function listPolicies($pathPrefix = "", $marker = "", $maxItems = 0) { $listPoliciesArguments = []; if ($pathPrefix) { $listPoliciesArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listPoliciesArguments["Marker"] = $marker; } if ($maxItems) { $listPoliciesArguments["MaxItems"] = $maxItems; } return $this->iamClient->listPolicies($listPoliciesArguments); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。ListPoliciesAmazon SDK for PHPAPI 参考.

以下代码示例显示如何列出附加到 IAM 角色的策略。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function listAttachedRolePolicies($roleName, $pathPrefix = "", $marker = "", $maxItems = 0) { $listAttachRolePoliciesArguments = ['RoleName' => $roleName]; if ($pathPrefix) { $listAttachRolePoliciesArguments['PathPrefix'] = $pathPrefix; } if ($marker) { $listAttachRolePoliciesArguments['Marker'] = $marker; } if ($maxItems) { $listAttachRolePoliciesArguments['MaxItems'] = $maxItems; } return $this->iamClient->listAttachedRolePolicies($listAttachRolePoliciesArguments); }

以下代码示例显示如何列出 IAM 角色。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); /** * @param string $pathPrefix * @param string $marker * @param int $maxItems * @return Result * $roles = $service->listRoles(); */ public function listRoles($pathPrefix = "", $marker = "", $maxItems = 0) { $listRolesArguments = []; if ($pathPrefix) { $listRolesArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listRolesArguments["Marker"] = $marker; } if ($maxItems) { $listRolesArguments["MaxItems"] = $maxItems; } return $this->iamClient->listRoles($listRolesArguments); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。ListRolesAmazon SDK for PHPAPI 参考.

以下代码示例显示如何列出 IAM 用户。

SDK for PHP

$uuid = uniqid(); $service = new IamService(); public function listUsers($pathPrefix = "", $marker = "", $maxItems = 0) { $listUsersArguments = []; if ($pathPrefix) { $listUsersArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listUsersArguments["Marker"] = $marker; } if ($maxItems) { $listUsersArguments["MaxItems"] = $maxItems; } return $this->iamClient->listUsers($listUsersArguments); }
  • GitHub 中查找说明和更多代码。

  • 有关 API 信息,请参阅。ListUsersAmazon SDK for PHPAPI 参考.

场景

以下代码示例显示了如何:

  • 创建一个没有权限的用户。

  • 创建授予对 Amazon S3 存储桶的列出权限

  • 添加策略以允许用户代入角色。

  • 承担该角色并使用临时证书列出 Amazon S3 存储桶。

  • 删除策略、角色和用户。

SDK for PHP

namespace Iam\Basics; require 'vendor/autoload.php'; use Aws\Credentials\Credentials; use Aws\S3\Exception\S3Exception; use Aws\S3\S3Client; use Aws\Sts\StsClient; use Iam\IamService; echo("--------------------------------------\n"); print("Welcome to the Amazon IAM getting started demo using PHP!\n"); echo("--------------------------------------\n"); $uuid = uniqid(); $service = new IamService(); $user = $service->createUser("iam_demo_user_$uuid"); echo "Created user with the arn: {$user['Arn']}\n"; $key = $service->createAccessKey($user['UserName']); $assumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"{$user['Arn']}\"}, \"Action\": \"sts:AssumeRole\" }] }"; $assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument); echo "Created role: {$assumeRoleRole['RoleName']}\n"; $listAllBucketsPolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}] }"; $listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument); echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n"; $service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']); $inlinePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"sts:AssumeRole\", \"Resource\": \"{$assumeRoleRole['Arn']}\"}] }"; $inlinePolicy = $service->createUserPolicy("iam_demo_inline_policy_$uuid", $inlinePolicyDocument, $user['UserName']); //First, fail to list the buckets with the user $credentials = new Credentials($key['AccessKeyId'], $key['SecretAccessKey']); $s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]); try { $s3Client->listBuckets([ ]); echo "this should not run"; } catch (S3Exception $exception) { echo "successfully failed!\n"; } $stsClient = new StsClient(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]); sleep(10); $assumedRole = $stsClient->assumeRole([ 'RoleArn' => $assumeRoleRole['Arn'], 'RoleSessionName' => "DemoAssumeRoleSession_$uuid", ]); $assumedCredentials = [ 'key' => $assumedRole['Credentials']['AccessKeyId'], 'secret' => $assumedRole['Credentials']['SecretAccessKey'], 'token' => $assumedRole['Credentials']['SessionToken'], ]; $s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $assumedCredentials]); try { $s3Client->listBuckets([ ]); echo "this should now run!\n"; } catch (S3Exception $exception) { echo "this should now not fail\n"; } $service->detachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']); $deletePolicy = $service->deletePolicy($listAllBucketsPolicy['Arn']); echo "Delete policy: {$listAllBucketsPolicy['PolicyName']}\n"; $deletedRole = $service->deleteRole($assumeRoleRole['Arn']); echo "Deleted role: {$assumeRoleRole['RoleName']}\n"; $deletedKey = $service->deleteAccessKey($key['AccessKeyId']); $deletedUser = $service->deleteUser($user['UserName']); echo "Delete user: {$user['UserName']}\n";