创建 IAM 角色 - Amazon 适用于 Ruby 的 SDK
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

创建 IAM 角色

以下示例创建了角色 my_groovy_role,以便 Amazon EC2 可以访问 us-west-2 区域中的 Amazon S3 和 Amazon DynamoDB。

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX - License - Identifier: Apache - 2.0 require 'aws-sdk-iam' # Creates a role in AWS Access and Identity Management (IAM). # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] A name for the role. # @param assume_role_policy_document [String] # @param policy_arns [Array] An array of type String representing # Amazon Resource Names (ARNs) corresponding to available # IAM managed policies. # @return [String] The ARN of the new role; otherwise, the string 'Error'. # @example # puts create_role( # Aws::IAM::Client.new, # 'my-ec2-s3-dynamodb-full-access-role', # { # Version: '2012-10-17', # Statement: [ # { # Effect: 'Allow', # Principal: { # Service: 'ec2.amazonaws.com' # }, # Action: 'sts:AssumeRole' # } # ] # }, # [ # 'arn:aws:iam::aws:policy/AmazonS3FullAccess', # 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess' # ] # ) def create_role( iam_client, role_name, assume_role_policy_document, policy_arns ) iam_client.create_role( role_name: role_name, assume_role_policy_document: assume_role_policy_document.to_json ) policy_arns.each do |policy_arn| iam_client.attach_role_policy( policy_arn: policy_arn, role_name: role_name, ) end return iam_client.get_role(role_name: role_name).role.arn rescue StandardError => e puts "Error creating role: #{e.message}" return 'Error' end # Full example call: def run_me role_name = 'my-ec2-s3-dynamodb-full-access-role' # Allow the role to trust Amazon Elastic Compute Cloud (Amazon EC2) # within the AWS account. assume_role_policy_document = { Version: '2012-10-17', Statement: [ { Effect: 'Allow', Principal: { Service: 'ec2.amazonaws.com' }, Action: 'sts:AssumeRole' } ] } # Allow the role to take all actions within # Amazon Simple Storage Service (Amazon S3) # and Amazon DynamoDB across the AWS account. policy_arns = [ 'arn:aws:iam::aws:policy/AmazonS3FullAccess', 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess' ] iam_client = Aws::IAM::Client.new puts "Attempting to create the role named '#{role_name}'..." role_arn = create_role( iam_client, role_name, assume_role_policy_document, policy_arns ) if role_arn == 'Error' puts 'Could not create role.' else puts "Role created with ARN '#{role_arn}'." end end run_me if $PROGRAM_NAME == __FILE__