使用 IAM 策略 - 适用于 Ruby 的 Amazon 开发工具包
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 IAM 策略

IAM 策略是指定一项或多项权限的文档。有关 IAM 策略的更多信息,请参阅 IAM 策略概述

在此示例中,您使用Amazon适 SDK for Ruby 可以:

  1. 使用 Aws::IAM::Client#create_policy 创建策略。

  2. 使用 Aws::IAM::Client#get_policy 获取有关策略的信息。

  3. 使用 Aws::IAM::Client#attach_role_policy 将策略附加到角色。

  4. 使用 Aws::IAM::Client#list_attached_role_policies 列出附加到角色的策略。

  5. 使用 Aws::IAM::Client#detach_role_policy 从角色分离策略。

Prerequisites

在运行示例代码之前,您需要安装并配置Amazon适 SDK for Ruby,如下所述:

您还需要创建脚本中指定的角色 (my-role)。您可以在 IAM 控制台中执行此操作。

Example

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX - License - Identifier: Apache - 2.0 # The following code example shows how to: # 1. Create a policy in AWS Identity and Access Management (IAM). # 2. Attach the policy to a role. # 3. List the policies that are attached to the role. # 4. Detach the policy from the role. require 'aws-sdk-iam' # Creates a policy in AWS Identity and Access Management (IAM). # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param policy_name [String] A name for the policy. # @param policy_document [Hash] The policy definition. # @return [String] The new policy's Amazon Resource Name (ARN); # otherwise, the string 'Error'. # @example # puts create_policy( # Aws::IAM::Client.new, # 'my-policy', # { # 'Version': '2012-10-17', # 'Statement': [ # { # 'Effect': 'Allow', # 'Action': 's3:ListAllMyBuckets', # 'Resource': 'arn:aws:s3:::*' # } # ] # } # ) def create_policy(iam_client, policy_name, policy_document) response = iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) return response.policy.arn rescue StandardError => e puts "Error creating policy: #{e.message}" return 'Error' end # Attaches a policy to a role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role to attach the policy to. # @param policy_arn [String] The policy's Amazon Resource Name (ARN). # @return [Boolean] True if the policy was attached to the role; # otherwise, false. # @example # exit 1 unless policy_attached_to_role?( # Aws::IAM::Client.new, # 'my-role', # 'arn:aws:iam::111111111111:policy/my-policy' # ) def policy_attached_to_role?(iam_client, role_name, policy_arn) iam_client.attach_role_policy(role_name: role_name, policy_arn: policy_arn) return true rescue StandardError => e puts "Error attaching policy to role: #{e.message}" return false end # Displays a list of policy Amazon Resource Names (ARNs) that are attached to a # role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role. # @example # list_policy_arns_attached_to_role(Aws::IAM::Client.new, 'my-role') def list_policy_arns_attached_to_role(iam_client, role_name) response = iam_client.list_attached_role_policies(role_name: role_name) if response.key?('attached_policies') && response.attached_policies.count.positive? response.attached_policies.each do |attached_policy| puts " #{attached_policy.policy_arn}" end else puts 'No policies attached to role.' end rescue StandardError => e puts "Error checking for policies attached to role: #{e.message}" end # Detaches a policy from a role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role with an attached policy. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role to detach the policy from. # @param policy_arn [String] The policy's Amazon Resource Name (ARN). # @return [Boolean] True if the policy was detached from the role; # otherwise, false. # @example # exit 1 unless policy_detached_from_role?( # Aws::IAM::Client.new, # 'my-role', # 'arn:aws:iam::111111111111:policy/my-policy' # ) def policy_detached_from_role?(iam_client, role_name, policy_arn) iam_client.detach_role_policy(role_name: role_name, policy_arn: policy_arn) return true rescue StandardError => e puts "Error detaching policy from role: #{e.message}" return false end # Full example call: def run_me role_name = 'my-role' policy_name = 'my-policy' # Allows the caller to get a list of all buckets in # Amazon Simple Storage Service (Amazon S3) that are owned by the caller. policy_document = { 'Version': '2012-10-17', 'Statement': [ { 'Effect': 'Allow', 'Action': 's3:ListAllMyBuckets', 'Resource': 'arn:aws:s3:::*' } ] } detach_policy_from_role = true iam_client = Aws::IAM::Client.new puts "Attempting to create policy '#{policy_name}'..." policy_arn = create_policy(iam_client, policy_name, policy_document) if policy_arn == 'Error' puts 'Could not create policy. Stopping program.' exit 1 else puts 'Policy created.' end puts "Attempting to attach policy '#{policy_name}' " \ "to role '#{role_name}'..." if policy_attached_to_role?(iam_client, role_name, policy_arn) puts 'Policy attached.' else puts 'Could not attach policy to role.' detach_policy_from_role = false end puts "Policy ARNs attached to role '#{role_name}':" list_policy_arns_attached_to_role(iam_client, role_name) if detach_policy_from_role puts "Attempting to detach policy '#{policy_name}' " \ "from role '#{role_name}'..." if policy_detached_from_role?(iam_client, role_name, policy_arn) puts 'Policy detached.' else puts 'Could not detach policy from role. You must detach it yourself.' end end end run_me if $PROGRAM_NAME == __FILE__