管理 IAM 访问密钥 - 适用于 Ruby 的 Amazon 开发工具包
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

管理 IAM 访问密钥

用户需要自己的访问密钥以编程方式调用Amazon来自 的Amazon适 SDK for Ruby。要满足这一需要,您可以创建、修改、查看或轮换 IAM 用户的访问密钥 (访问密钥 ID 和秘密访问密钥)。默认情况下,当您创建访问密钥时,其状态为“Active”(活动)。这表示用户可以将访问密钥用于 API 调用。有关 访问密钥的更多信息,请参阅管理 IAM 用户的访问密钥

在此示例中,您使用Amazon适 SDK for Ruby 可以:

  1. 列表AmazonIAM 用户访问密钥,使用AWS::IAM::Client #list_access_keys

  2. 使用 Aws::IAM::Client#create_access_key 创建访问密钥。

  3. 使用 Aws::IAM::Client#get_access_key_last_used 确定访问密钥的上次使用时间。

  4. 使用 Aws::IAM::Client#update_access_key 停用访问密钥。

  5. 使用 Aws::IAM::Client#delete_access_key 删除访问密钥。

Prerequisites

在运行示例代码之前,您需要安装并配置Amazon适 SDK for Ruby,如下所述:

您还需要创建脚本中指定的用户 (my-user)。您可以在 IAM 控制台中或以编程方式创建新 IAM 用户,如添加新 IAM 用户中所示。

Example

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX - License - Identifier: Apache - 2.0 # This code example demonstrates how to: # 1. List access keys for a user in AWS Identity and Access Management (IAM). # 2. Create an access key for a user. # 3. Determine when a user's access keys were last used. # 4. Deactivate an access key for a user. # 5. Delete an access key for a user. require 'aws-sdk-iam' # Lists information about access keys for a user in # AWS Identity and Access Management (IAM). # # Prerequisites: # - The user in IAM. # # @param iam [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The name of the user. # @example # puts list_access_keys(Aws::IAM::Client.new, 'my-user') def list_access_keys(iam, user_name) response = iam.list_access_keys(user_name: user_name) if response.access_key_metadata.count.positive? puts 'Access key IDs:' response.access_key_metadata.each do |key_metadata| puts " #{key_metadata.access_key_id}" end else puts "No access keys found for user '#{user_name}'." end rescue Aws::IAM::Errors::NoSuchEntity puts "Error listing access keys: cannot find user '#{user_name}'." exit 1 rescue StandardError => e puts "Error listing access keys: #{e.message}" end # Creates an access key for a user in AWS Identity and Access Management (IAM). # # Prerequisites: # - The user in IAM. # # @param iam [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The name of the user. # @return [Aws::IAM::Types::AccessKey] Information about the new access key; # otherwise, the string 'Error'. # @example # puts create_access_key(Aws::IAM::Client.new, 'my-user') def create_access_key(iam, user_name) response = iam.create_access_key(user_name: user_name) access_key = response.access_key puts 'Access key created:' puts " Access key ID: #{access_key.access_key_id}" puts " Secret access key: #{access_key.secret_access_key}" puts 'Keep a record of this information in a secure location. ' \ 'This will be the only time you will be able to view the ' \ 'secret access key.' return access_key rescue Aws::IAM::Errors::LimitExceeded puts 'Error creating access key: limit exceeded. Cannot create any more. ' \ 'To create more, delete an existing access key, and then try again.' return 'Error' rescue StandardError => e puts "Error creating access key: #{e.message}" return 'Error' end # Lists information about when access keys for a user in # AWS Identity and Access Management (IAM) were last used. # # Prerequisites: # - The user in IAM. # # @param iam [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The name of the user. # @example # puts access_keys_last_used(Aws::IAM::Client.new, 'my-user') def access_keys_last_used(iam, user_name) response = iam.list_access_keys(user_name: user_name) response.access_key_metadata.each do |key_metadata| last_used = iam.get_access_key_last_used(access_key_id: key_metadata.access_key_id) if last_used.access_key_last_used.last_used_date.nil? puts " Key '#{key_metadata.access_key_id}' not used or date undetermined." else puts " Key '#{key_metadata.access_key_id}' last used on " \ "#{last_used.access_key_last_used.last_used_date}" end end rescue StandardError => e puts "Error determining when access keys were last used: #{e.message}" end # Deactivates an access key in AWS Identity and Access Management (IAM). # # Prerequisites: # - A user in IAM. # - An access key for that user. # # @param iam [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The name of the user. # @param access_key_id [String] The ID of the access key. # @return [Boolean] true if the access key was deactivated; # otherwise, false. # @example # exit 1 unless access_key_deactivated?( # Aws::IAM::Client.new, # 'my-user', # 'AKIAIOSFODNN7EXAMPLE' # ) def access_key_deactivated?(iam, user_name, access_key_id) iam.update_access_key( user_name: user_name, access_key_id: access_key_id, status: 'Inactive' ) return true rescue StandardError => e puts "Error deactivating access key: #{e.message}" return false end # Deletes an access key in AWS Identity and Access Management (IAM). # # Prerequisites: # - A user in IAM. # - An access key for that user. # # @param iam [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The name of the user. # @param access_key_id [String] The ID of the access key. # @return [Boolean] true if the access key was deleted; # otherwise, false. # @example # exit 1 unless access_key_deleted?( # Aws::IAM::Client.new, # 'my-user', # 'AKIAIOSFODNN7EXAMPLE' # ) def access_key_deleted?(iam, user_name, access_key_id) iam.delete_access_key( user_name: user_name, access_key_id: access_key_id ) return true rescue StandardError => e puts "Error deleting access key: #{e.message}" return false end # Full example call: def run_me iam = Aws::IAM::Client.new user_name = 'my-user' create_key = true # Set to false to not create a new access key. delete_key = true # Set to false to not delete any generated access key. puts "Access keys for user '#{user_name}' before attempting to create an " \ 'additional access key for the user:' list_access_keys(iam, user_name) access_key = '' if create_key puts 'Attempting to create an additional access key...' access_key = create_access_key(iam, user_name) if access_key == 'Error' puts 'Additional access key not created. Stopping program.' exit 1 end puts 'Additional access key created. Access keys for user now are:' list_access_keys(iam, user_name) end puts 'Determining when current access keys were last used...' access_keys_last_used(iam, user_name) if create_key && delete_key puts 'Attempting to deactivate additional access key...' if access_key_deactivated?(iam, user_name, access_key.access_key_id) puts 'Access key deactivated. Access keys for user now are:' list_access_keys(iam, user_name) else puts 'Access key not deactivated. Stopping program.' puts 'You will need to delete the access key yourself.' end puts 'Attempting to delete additional access key...' if access_key_deleted?(iam, user_name, access_key.access_key_id) puts 'Access key deleted. Access keys for user now are:' list_access_keys(iam, user_name) else puts 'Access key not deleted. You will need to delete the ' \ 'access key yourself.' end end end run_me if $PROGRAM_NAME == __FILE__