本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 擔任角色的方法
在使用者、應用程式或服務可以使用您建立的角色之前,您必須[授予切換到該角色的許可](id_roles_use_permissions-to-switch.md)。您可以使用連接至群組或使用者的任何政策,來授予必要的許可。授予許可後,使用者可以從 AWS 管理主控台、Tools for Windows PowerShell、 AWS Command Line Interface (AWS CLI) 和 [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API 擔任角色。
**重要**
當您以程式設計方式而不是在 IAM 主控台中建立角色時,則除了 `RoleName` 之外,您還可以選擇新增高達 512 個字元的 `Path`,該字元長度最多 64 個字元。不過,如果您想要在 中使用具有**切換角色**功能的角色 AWS 管理主控台,則合併的 `Path`和 `RoleName`不得超過 64 個字元。
用於擔任角色的方法決定誰可以擔任該角色以及角色工作階段可以持續多久。使用 `AssumeRole*` API 操作時,您擔任的 IAM 角色是資源。呼叫 `AssumeRole*` API 操作的使用者或角色是主體。
下表比較擔任角色的方法。
| 擔任角色的方法 | **誰可以擔任這個角色** | **指定憑證生命週期的方法** | **憑證存留期 (最小 \$1 最大 \$1 預設)** |
| --- | --- | --- | --- |
| AWS 管理主控台 | 使用者或角色¹ (透過[切換角色](id_roles_use_switch-role-console.md)) | Role (角色) 摘要頁面上的 Maximum session duration (最大工作階段持續時間) | 15 分鐘 \$1 最大工作階段持續時間設定² \$1 1 小時 |
| [https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) CLI 或 [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API 操作 | 使用者或角色¹ | duration-seconds CLI 或 DurationSeconds API 參數 | 15 分鐘 \$1 最大工作階段持續時間設定² \$1 1 小時 |
| [https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html) CLI 或 [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) API 操作 | 任何使用 SAML 驗證的使用者 | duration-seconds CLI 或 DurationSeconds API 參數 | 15 分鐘 \$1 最大工作階段持續時間設定² \$1 1 小時 |
| [https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) CLI 或 [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) API 操作 | 使用 OIDC 提供者進行身分驗證的任何使用者 | duration-seconds CLI 或 DurationSeconds API 參數 | 15 分鐘 \$1 最大工作階段持續時間設定² \$1 1 小時 |
| 使用 [ 建構的](id_roles_providers_enable-console-custom-url.md)主控台 URLAssumeRole | 使用者或角色 | SessionDuration URL 中的 HTML 參數 | 15 分鐘 \$1 12 小時 \$1 1 小時 |
| 使用 [ 建構的](id_roles_providers_enable-console-custom-url.md)主控台 URLAssumeRoleWithSAML | 任何使用 SAML 驗證的使用者 | SessionDuration URL 中的 HTML 參數 | 15 分鐘 \$1 12 小時 \$1 1 小時 |
| 使用 [ 建構的](id_roles_providers_enable-console-custom-url.md)主控台 URLAssumeRoleWithWebIdentity | 使用 OIDC 提供者進行身分驗證的任何使用者 | SessionDuration URL 中的 HTML 參數 | 15 分鐘 \$1 12 小時 \$1 1 小時 |
¹ 使用來自一個角色的憑證來擔任不同的角色稱為[角色鏈結](id_roles.md#iam-term-role-chaining)。當您使用角色鏈結時,角色的工作階段持續時間限制為一小時。這適用於 AWS 管理主控台 角色切換 AWS CLI和 API 操作。此限制不適用於從使用者憑證初始擔任角色,也不適用於在使用執行個體設定檔的 Amazon EC2 執行個體上執行的應用程式。
² 此設定的值可介於 1 小時至 12 小時。有關修改最大工作階段持續時間設定的詳細資訊,請參閱 [IAM 角色管理](id_roles_manage.md)。此設定決定取得角色憑證時可以請求的最大工作階段持續時間。例如,當您使用 [AssumeRole\$1](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API 操作來擔任角色時,可以使用 `DurationSeconds` 參數指定工作階段長度。使用此參數指定 900 秒 (15 分鐘) 到角色的最大工作階段持續時間設定之間的角色工作階段長度。在主控台中切換角色的 IAM 使用者會被授予最長工作階段持續時間或使用者工作階段中的剩餘時間,以較短者為準。假設您在角色上設定 5 小時的最大持續時間。已登入主控台 10 小時的 IAM 使用者 (超出預設最大值 12 小時) 會切換至角色。可用的角色工作階段持續時間為 2 小時。如要了解如何查看角色的最大值,請參閱本頁後述的 [更新角色的最大工作階段持續時間](id_roles_update-role-settings.md#id_roles_update-session-duration)。
**備註**
工作階段持續時間設定上限不會限制由 AWS 服務擔任的工作階段。
Amazon EC2 IAM 角色憑證不受角色中設定的工作階段持續時間上限的限制。
若要允許使用者在角色工作階段中再次擔任目前角色,請在角色信任政策中將角色 ARN 或 AWS 帳戶 ARN 指定為主體。 AWS 服務 會提供運算資源,例如 Amazon EC2、Amazon ECS、Amazon EKS 和 Lambda,可提供臨時登入資料並自動更新這些登入資料。此可確保您始終擁有一組有效的憑證。對於這些服務,不需要再次擔任目前的角色即可取得臨時憑證。但是,如果您想要傳遞[工作階段標籤](id_session-tags.md)或一個[工作階段政策](access_policies.md#policies_session),則需要再次擔任目前的角色。若要了解如何修改角色信任政策以新增主要角色 ARN 或 AWS 帳戶 ARN,請參閱 [更新角色信任政策](id_roles_update-role-trust-policy.md)。
**Topics**
+ [從使用者切換至 IAM 角色 (主控台)](id_roles_use_switch-role-console.md)
+ [切換到 IAM 角色 (AWS CLI)](id_roles_use_switch-role-cli.md)
+ [切換至 IAM 角色 (Tools for Windows PowerShell)](id_roles_use_switch-role-twp.md)
+ [切換到 IAM 角色 (AWS API)](id_roles_use_switch-role-api.md)
+ [使用 IAM 角色為在 Amazon EC2 執行個體上執行的應用程式授予許可](id_roles_use_switch-role-ec2.md)
+ [使用執行個體設定檔](id_roles_use_switch-role-ec2_instance-profiles.md)
# 從使用者切換至 IAM 角色 (主控台)
當您做為 IAM 使用者、IAM Identity Center 中的使用者、SAML 聯合角色或 Web 聯合身分角色登入時,才能切換角色。*角色*會指定一組許可,您可以使用這些許可來存取您需要 AWS 的資源。不過,您不登入角色,但一旦以 IAM 使用者身分登入後,就可以切換到 IAM 角色。這會暫時擱置了原始使用者許可,而不是為您提供指派給該角色的許可。該角色可以在您自己的帳戶或任何其他 AWS 帳戶中。如需有關角色、其優勢以及建立方式的詳細資訊,請參閱 [IAM 角色](id_roles.md) 和 [IAM 角色建立](id_roles_create.md)。
您的使用者以及您切換到任何角色的許可都不會累計。每次只有一組許可是作用中。當您切換角色時,您會暫時放棄使用者許可並使用指派給該角色的許可。當您退出角色後,您的使用者許可會自動恢復。
當您在 中切換角色時 AWS 管理主控台,主控台一律會使用您的原始登入資料來授權切換。例如,如果您切換到 RoleA,IAM 會使用您的原始憑證確定是否允許您擔任 RoleA。如果您接著*在使用 RoleA* RoleA 時切換到 RoleB, AWS 仍然會使用**原始**登入資料來授權切換,而不是 RoleA 的登入資料。
**注意**
以 IAM Identity Center 中的使用者、SAML 聯合角色或 Web 聯合身分角色登入時,您將在啟動工作階段時擔任 IAM 角色。例如,當 IAM Identity Center 中的使用者登入 AWS 存取入口網站時,他們必須先選擇與角色相關的許可集,才能存取 AWS 資源。
## 角色工作階段
當您切換角色時,您的 AWS 管理主控台 工作階段預設會持續 1 小時。IAM 使用者工作階段預設為 12 小時,其他使用者可能已定義不同的工作階段持續時間。在主控台中切換角色時,您會取得角色工作階段持續時間上限或使用者工作階段中的剩餘時間 (以較短者為準)。您無法透過擔任角色來延長工作階段持續時間。
例如,假設為角色設定的最大工作階段持續時間為 10 小時。您決定切換至該角色時,已登入主控台 8 小時。使用者工作階段還剩餘 4 小時,因此允許的角色工作階段持續時間為 4 小時,而不是工作階段持續時間上限 10 小時。下表顯示在主控台中切換角色時如何判斷 IAM 使用者的工作階段持續時間。
| IAM 使用者工作階段剩餘時間為... | 角色工作階段持續時間為… |
| --- | --- |
| 小於角色最大工作階段持續時間 | 使用者工作階段中的剩餘時間 |
| 大於角色最大工作階段持續時間 | 最大工作階段持續時間值 |
| 等於角色最大工作階段持續時間 | 最大工作階段持續時間值 (近似值) |
使用來自一個角色的憑證來擔任不同的角色稱為[角色鏈結](id_roles.md#iam-term-role-chaining)。使用角色鏈結時,無論為個別角色設定的工作階段持續時間上限為何,工作階段持續時間都將限制為一小時。這適用於 AWS 管理主控台 角色切換 AWS CLI和 API 操作。
**注意**
有些 AWS 服務主控台可以在角色工作階段過期時自動續約,而無需您採取任何動作。有些主控台可能會提示您重新載入瀏覽器頁面以重新驗證您的工作階段。
## 考量事項
+ 如果您以 身分登入,則無法切換角色 AWS 帳戶根使用者。
+ 必須授予使用者依政策切換角色的許可。如需說明,請參閱[向使用者授予切換角色的許可](id_roles_use_permissions-to-switch.md)。
+ 您無法將 中的角色切換 AWS 管理主控台 為需要 [ExternalId](id_roles_common-scenarios_third-party.md#id_roles_third-party_external-id) 值的角色。您只能透過呼叫支援 `ExternalId` 參數的 [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API 來切換到此類角色。
## 若要切換至角色
1. 按照 *AWS 登入 User Guide* 中的 [Sign in to the AWS 管理主控台](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) 中適合使用者類型的登入程序操作。
1. 在 中 AWS 管理主控台,選擇右上角導覽列上的使用者名稱。它通常如下:***username*@*account\$1ID\$1number\$1or\$1alias***。
1. 選取下列其中一種方法來切換角色:
+ 選擇**切換角色**。
+ 若已選擇加入多工作階段支援,請選擇**新增工作階段**,然後選取**切換角色**。
**注意**
您可以在 AWS 管理主控台中的單一 Web 瀏覽器中同時登入最多五個不同的身分。如需詳細資訊,請參閱 *AWS 管理主控台 Getting Started Guide* 中的 [Signing in to multiple accounts](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/multisession.html)。
1. 在 **Switch Role (切換角色)** 頁面上,輸入帳戶 ID 號碼或帳戶別名以及管理員提供的角色名稱。
**注意**
如果管理員已使用路徑 (例如 `division_abc/subdivision_efg/roleToDoX`) 建立角色,則必須在 **Role (角色)** )方塊中輸入該完整路徑和名稱。如果僅輸入角色名稱,或者組合的 `Path` 和 `RoleName` 超過 64 個字元,則角色切換失敗。這是存放角色名稱的瀏覽器 cookie 的限制。如果發生這種情況,請聯絡您的管理員,並要求他們減小路徑和角色名稱的大小。
1. (選用) 您可以輸入顯示名稱,然後選取在主控台導覽列中反白顯示角色的顯示顏色。
+ 在**顯示名稱**欄位中,鍵入當此角色處於作用中時,要在導覽列上顯示之用以取代使用者名稱的文字。根據帳戶和角色資訊建議使用名稱,但您可以將其變更為對您有意義的任何名稱。
+ 在**顯示顏色**欄位中,選取顏色以反白顯示顯示名稱。
名稱和顏色有助於在此角色處於作用中時提醒您,這會變更您的許可。例如,對於允許您存取測試環境的角色,您可以指定 **Test** 的 **Display name** (顯示名稱) 並在 **Color** (顏色)中選擇綠色。對於允許您存取生產的角色,您可以指定 **Production** 的 **Display name** (顯示名稱) 並在 **Color** (顏色)中選擇紅色。
1. 選擇 **Switch Role** (切換角色)。顯示名稱和顏色將替換導覽列上的使用者名稱,您可以開始使用該角色授予您的許可。
1. 完成需要 IAM 角色的任務後,您可以切換回原始工作階段。這將移除角色提供的額外許可,並讓您返回標準許可。
1. 在 IAM 主控台中,選擇導覽列右上角的角色 **Display Name** (顯示名稱)。
1. 選擇**切換回**。
例如,假設您使用使用者名稱 `123456789012` 登入到帳戶編號 `Richard`。使用過 `admin-role` 角色後,您想要停止使用該角色並傳回您的原始許可。若要停止使用角色,請選擇 **admin-role @ 123456789012**,然後選擇**切換回**。
![\[圖形定位切「換返回」函數,可停止使用 IAM 角色並返回原始使用者。\]](http://docs.aws.amazon.com/zh_tw/IAM/latest/UserGuide/images/role-stop-using.png)
**提示**
您使用的最後幾個角色會顯示在選單。下次想要切換到其中一個角色時,您只需選擇所需的角色。如果角色未顯示在功能表上,則只需手動鍵入帳戶和角色資訊。
## 其他資源
+ [向使用者授予切換角色的許可](id_roles_use_permissions-to-switch.md)
+ [授予使用者將角色傳遞至 AWS 服務的許可](id_roles_use_passrole.md)
+ [建立角色以將許可授予 IAM 使用者](id_roles_create_for-user.md)
+ [建立角色以將許可委派給 AWS 服務](id_roles_create_for-service.md)
+ [IAM 角色疑難排解](troubleshoot_roles.md)
# 切換到 IAM 角色 (AWS CLI)
「角色」**指定一組許可,您可以使用它來存取所需的 AWS 資源。從這個意義上說,類似於 [AWS Identity and Access Management中的使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) (IAM)。當您以使用者身分登入時,您將取得一組特定的許可。不過,您不登入角色,但以使用者身分登入後,就可以切換角色。這會暫時擱置了原始使用者許可,而不是為您提供指派給該角色的許可。該角色可以在您自己的帳戶或任何其他 AWS 帳戶中。如需有關角色、其優勢以及建立和設定方式的詳細資訊,請參閱 [IAM 角色](id_roles.md) 和 [IAM 角色建立](id_roles_create.md)。要了解在擔任角色時使用的各種方法,請參閱 [擔任角色的方法](id_roles_manage-assume.md)。
**重要**
您的 IAM 使用者以及您擔任的任何角色的許可都不會累計。每次只有一組許可是作用中。當您擔任角色時,您會暫時放棄以前的使用者或角色許可,並使用指派給該角色的許可。當您退出角色後,您的使用者許可會自動恢復。
當您以 IAM 使用者身分登入時,您可以使用角色來執行 AWS CLI 命令。當您以已使用角色的[外部身分驗證使用者 ](id_roles_providers.md)([SAML](id_roles_providers_saml.md) 或 [OIDC](id_roles_providers_oidc.md)) 登入時,您也可以使用角色來執行 AWS CLI 命令。此外,您可以使用角色從 Amazon EC2 執行個體執行 AWS CLI 命令,而該執行個體透過執行個體描述檔連接到角色。當您以 AWS 帳戶根使用者身分登入時,則無法擔任該角色。
[**角色鏈結**](id_roles.md#iam-term-role-chaining) – 您也可以使用角色鏈結,以使用角色的許可來存取第二個角色。
在預設情況下,您的角色工作階段持續一小時。使用 `assume-role*` CLI 操作擔任此角色時,可以為 `duration-seconds` 參數指定值。此值的範圍可以從 900 秒 (15 分鐘) 到角色的最大工作階段持續時間設定的值。如果在主控台中切換角色,您工作階段的持續時間會限制為最多一小時。若要了解如何檢視角色的最大值,請參閱 [更新角色的最大工作階段持續時間](id_roles_update-role-settings.md#id_roles_update-session-duration)。
如果使用角色鏈結時,則工作階段持續時間最多限制為一小時。如果您隨後使用 `duration-seconds` 參數提供大於一小時的值,則操作會失敗。
## 範例案例:切換到生產角色
假設您是在開發環境中工作的 IAM 使用者。在此情況下,您偶爾需要透過 [AWS CLI](https://aws.amazon.com/cli/) 在命令列中使用生產環境。您已經有存取金鑰憑證組可供您使用。這可以是指派給標準 IAM 使用者的存取金鑰對。或者,如果您以 SAML 或 OIDC 聯合身分主體的身分登入,則它可以是最初指派給您的角色的存取金鑰對。如果您目前的許可授予您擔任特定 IAM 角色的能力,則可以在 AWS CLI 組態檔案中的「設定檔」中識別該角色。然後使用指定 IAM 角色的許可來執行該命令,而不是原始身分。請注意,當您在 AWS CLI 命令中指定該設定檔時,您正在使用新角色。在這種情況下,您無法同時在開發帳戶中使用原始許可。原因是一次只有一組許可有效。
**注意**
基於安全考量,管理員可以[檢閱 AWS CloudTrail 日誌](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds),以了解在其中執行動作的人員 AWS。當您擔任角色時,系統管理員可能需要您指定來源身分或角色工作階段名稱 。如需詳細資訊,請參閱[`sts:SourceIdentity`](reference_policies_iam-condition-keys.md#ck_sourceidentity)及[`sts:RoleSessionName`](reference_policies_iam-condition-keys.md#ck_rolesessionname)。
**切換到生產角色 (AWS CLI)**
1. 如果您從未使用 AWS CLI,則必須先設定預設的 CLI 設定檔。開啟命令提示字元並設定您的 AWS CLI 安裝,以使用來自 IAM 使用者或聯合角色的存取金鑰。如需詳細資訊,請參閱《AWS Command Line Interface 使用者指南》**中的[設定 AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-quick-configuration)。
執行 [aws configure](https://docs.aws.amazon.com/cli/latest/reference/configure/) 命令,如下所示:
```
aws configure
```
當出現提示時,請提供下列資訊:
```
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-2
Default output format [None]: json
```
1. 在 Unix 或 Linux `.aws/config` 檔案中,或在 Windows `C:\Users\USERNAME\.aws\config` 檔案中建立角色的新描述檔。下列範例會建立稱為 `prodaccess` 的描述檔,以切換到 `ProductionAccessRole` 帳戶中的角色 `123456789012`。您從建立角色的帳戶管理員處取得角色 ARN。叫用此設定檔時, AWS CLI 會使用 的登入資料`source_profile`來請求角色的登入資料。因此,做為 `source_profile` 參考的身分必須具有 `sts:AssumeRole` 中指定角色的 `role_arn` 許可。
```
[profile prodaccess]
role_arn = arn:aws:iam::123456789012:role/ProductionAccessRole
source_profile = default
```
1. 建立新設定檔之後,指定 參數的任何 AWS CLI 命令都會在連接到 IAM 角色的許可下`--profile prodaccess`執行,`ProductionAccessRole`而不是預設使用者。
```
aws iam list-users --profile prodaccess
```
如果指派給 `ProductionAccessRole` 的許可啟用列出目前 AWS 帳戶中的使用者,則此命令有效。
1. 若要傳回原始憑證授予的許可,請執行不帶 `--profile` 參數的命令。會使用您在 中設定的預設設定檔中的登入資料 AWS CLI 還原至 [Step 1](#step-configure-default)。
如需詳細資訊,請參閱《AWS Command Line Interface 使用者指南》**中的[擔任角色](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html)。
## 範例案例:允許執行個體描述檔角色來切換到另一個帳戶中的角色
假設您使用兩個 AWS 帳戶,並且您想要允許在 Amazon EC2 執行個體上執行的應用程式在兩個帳戶中執行[AWS CLI](https://aws.amazon.com/cli/)命令。假設 EC2 執行個體存在於帳戶 `111111111111`。該執行個體包含 `abcd` 執行個體描述檔角色,該角色會允許應用程式在相同 `111111111111` 帳戶中對 `amzn-s3-demo-bucket1` 儲存貯體執行唯讀 Amazon S3 任務。不過,也必須允許應用程式擔任 `efgh` 跨帳戶角色來在帳戶 `222222222222` 中執行任務。若要執行此操作,`abcd` EC2 執行個體描述檔角色必須有以下許可政策:
***帳戶 111111111111 `abcd` 角色許可政策***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket1/*",
"arn:aws:s3:::amzn-s3-demo-bucket1"
]
},
{
"Sid": "AllowIPToAssumeCrossAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::222222222222:role/efgh"
}
]
}
```
------
假設 `efgh` 跨帳戶角色允許在相同 `222222222222` 帳戶中對 `amzn-s3-demo-bucket2` 儲存貯體的唯讀 Amazon S3 任務。若要執行此操作,`efgh` 跨帳戶角色必須有以下許可政策:
***帳戶 222222222222 `efgh` 角色許可政策***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket2/*",
"arn:aws:s3:::amzn-s3-demo-bucket2"
]
}
]
}
```
------
`efgh` 角色必須允許 `abcd` 執行個體設定檔角色擔任該角色。若要執行此操作,`efgh` 角色必須有以下信任政策:
***帳戶 222222222222 `efgh` 角色信任政策***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "efghTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"AWS": "arn:aws:iam::111111111111:role/abcd"}
}
]
}
```
------
若要接著在帳戶 中執行 AWS CLI 命令`222222222222`,您必須更新 CLI 組態檔案。在 AWS CLI 組態檔案中,將 `efgh` 角色識別為「描述檔」且 `abcd` EC2 執行個體描述檔角色識別為「憑證來源」。然後,使用 `efgh` 角色 (而不是原始 `abcd` 角色) 的許可執行 CLI 命令。
**注意**
基於安全考量,您可以使用 AWS CloudTrail 來稽核帳戶中角色的使用。若要在 CloudTrail 日誌中的不同主體使用角色時區分角色工作階段,您可以使用角色工作階段名稱。當 依本主題所述代表使用者 AWS CLI 擔任角色時,角色工作階段名稱會自動建立為 `AWS-CLI-session-nnnnnnnn`。以下 *nnnnnnnn* 是整數,代表 [Unix epoch 時間](http://wikipedia.org/wiki/Unix_time)中的時間 (自 1970 年 1 月 1 日午夜 UTC 的秒數)。如需詳細資訊,請參閱《AWS CloudTrail 使用者指南》**中的 [CloudTrail 事件參考](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/eventreference.html)。
**讓 EC2 執行個體設定檔角色切換到跨帳戶角色 (AWS CLI)**
1. 您不需要設定預設 CLI 描述檔。您反而可以從 EC2 執行個體描述檔中繼資料載入憑證。在 `.aws/config` 檔案中為角色建立新的設定檔。下列範例會建立 `instancecrossaccount` 的描述檔,以切換到 `efgh` 帳戶中的角色 `222222222222`。呼叫此描述檔時, AWS CLI 會使用 EC2 執行個體描述檔中繼資料的憑證來請求角色的憑證。因此,EC2 執行個體設定檔角色必須具有在 `sts:AssumeRole` 中指定角色的 `role_arn` 許可。
```
[profile instancecrossaccount]
role_arn = arn:aws:iam::222222222222:role/efgh
credential_source = Ec2InstanceMetadata
```
1. 建立新設定檔之後,指定 參數的任何 AWS CLI 命令都會在連接到帳戶 中`efgh`角色的許可下`--profile instancecrossaccount`執行`222222222222`。
```
aws s3 ls amzn-s3-demo-bucket2 --profile instancecrossaccount
```
如果指派給 `efgh` 角色的許可允許列出目前 AWS 帳戶中的使用者,則此命令有效。
1. 若要在帳戶 `111111111111` 中返回原始 EC2 執行個體設定檔許可,在不使用 `--profile` 參數的情形下執行 CLI 命令。
如需詳細資訊,請參閱《AWS Command Line Interface 使用者指南》**中的[擔任角色](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html)。
# 切換至 IAM 角色 (Tools for Windows PowerShell)
「角色」**指定一組許可,您可以使用它來存取所需的 AWS 資源。從這個意義上說,類似於 [AWS Identity and Access Management中的使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) (IAM)。當您以使用者身分登入時,您將取得一組特定的許可。不過,您不登入角色,但一旦登入後就可以切換角色。這會暫時擱置了原始使用者許可,而不是為您提供指派給該角色的許可。該角色可以在您自己的帳戶或任何其他 AWS 帳戶中。如需有關角色、其優勢以及建立和設定方式的詳細資訊,請參閱 [IAM 角色](id_roles.md) 和 [IAM 角色建立](id_roles_create.md)。
**重要**
您的 IAM 使用者以及您切換到任何角色的許可都不會累計。每次只有一組許可是作用中。當您切換角色時,您會暫時放棄使用者許可並使用指派給該角色的許可。當您退出角色後,您的使用者許可會自動恢復。
本節說明在 AWS Tools for Windows PowerShell命令列中如何切換角色。
假設您在開發環境中有一個帳戶,偶爾需要使用 [Tools for Windows PowerShell](https://aws.amazon.com/powershell/) 在命令列中使用生產環境。您已經有一個存取金鑰憑證組可供您使用。這些可以是指派給標準 IAM 使用者的存取金鑰對。或者,如果您以 SAML 或 OIDC 聯合身分主體身分登入,則它們可以是最初指派給您的角色的存取金鑰對。您可以使用這些憑證來執行 `Use-STSRole` cmdlet,該 cmdlet 將新角色的 ARN 做為參數傳送。該命令傳回所請求角色的臨時安全憑證。然後,您可以在後續 PowerShell 命令中使用這些憑證,並使用角色的許可存取生產中的資源。使用該角色時,您無法在開發帳戶中使用您的使用者許可,因為一次只能有一組許可有效。
**注意**
基於安全考量,管理員可以[檢閱 AWS CloudTrail 日誌](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds),以了解在其中執行動作的人員 AWS。當您擔任角色時,系統管理員可能需要您指定來源身分或角色工作階段名稱 。如需詳細資訊,請參閱[`sts:SourceIdentity`](reference_policies_iam-condition-keys.md#ck_sourceidentity)及[`sts:RoleSessionName`](reference_policies_iam-condition-keys.md#ck_rolesessionname)。
請注意,所有存取金鑰和權杖僅為範例,不能如下所示般使用。以您實際環境中的適當值取代。
**切換至角色 (Tools for Windows PowerShell)**
1. 開啟 PowerShell 命令提示字元並設定預設設定檔以使用來自目前 IAM 使用者或聯合身分角色的存取金鑰。如果您之前已使用 Tools for Windows PowerShell,則可能已經完成。請注意,只有在以 IAM 使用者身分 (而非 AWS 帳戶根使用者) 登入時才能切換角色。
```
PS C:\> Set-AWSCredentials -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -StoreAs MyMainUserProfile
PS C:\> Initialize-AWSDefaults -ProfileName MyMainUserProfile -Region us-east-2
```
如需詳細資訊,請參閱*AWS Tools for PowerShell 《 使用者指南*》中的[使用 AWS 登入](https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html)資料。
1. 若要擷取新角色的憑證,請執行下列命令以切換到 123456789012 帳戶中的 `RoleName` 角色。您從建立角色的帳戶管理員處取得角色 ARN。此命令還需要您提供工作階段名稱。您可以為此選擇任何文字。以下命令請求憑證,然後從傳回的結果物件中擷取 `Credentials` 屬性物件,並將其存放在 `$Creds` 變數中。
```
PS C:\> $Creds = (Use-STSRole -RoleArn "arn:aws:iam::123456789012:role/RoleName" -RoleSessionName "MyRoleSessionName").Credentials
```
`$Creds` 是一個物件,現在包含您在下列步驟中所需的 `AccessKeyId`、 `SecretAccessKey` 和 `SessionToken` 元素。以下範例命令說明典型的值:
```
PS C:\> $Creds.AccessKeyId
AKIAIOSFODNN7EXAMPLE
PS C:\> $Creds.SecretAccessKey
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
PS C:\> $Creds.SessionToken
AQoDYXdzEGcaEXAMPLE2gsYULo+Im5ZEXAMPLEeYjs1M2FUIgIJx9tQqNMBEXAMPLECvSRyh0FW7jEXAMPLEW+vE/7s1HRp
XviG7b+qYf4nD00EXAMPLEmj4wxS04L/uZEXAMPLECihzFB5lTYLto9dyBgSDyEXAMPLE9/g7QRUhZp4bqbEXAMPLENwGPy
Oj59pFA4lNKCIkVgkREXAMPLEjlzxQ7y52gekeVEXAMPLEDiB9ST3UuysgsKdEXAMPLE1TVastU1A0SKFEXAMPLEiywCC/C
s8EXAMPLEpZgOs+6hz4AP4KEXAMPLERbASP+4eZScEXAMPLEsnf87eNhyDHq6ikBQ==
PS C:\> $Creds.Expiration
Thursday, June 18, 2018 2:28:31 PM
```
1. 若要將這些憑證用於任何後續命令,請將它們包含在 `-Credential` 參數中。例如,以下命令使用角色中的憑證,僅在角色被授予 `iam:ListRoles` 許可且因此可以執行 `Get-IAMRoles` cmdlet 時才起作用:
```
PS C:\> get-iamroles -Credential $Creds
```
1. 若要傳回原始憑證,只需停止使用 `-Credentials $Creds` 參數,並允許 PowerShell 恢復存放在預設設定檔中的憑證。
# 切換到 IAM 角色 (AWS API)
「角色」**指定一組許可,您可以使用它來存取 AWS 資源。從這個意義上說,類似於 [IAM 使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)。委託人 (人員或應用程式) 擔任角色來接收臨時許可,以執行必要的任務並與 AWS 資源互動。該角色可以在您自己的帳戶或任何其他 AWS 帳戶中。如需有關角色、其優勢以及建立和設定方式的詳細資訊,請參閱 [IAM 角色](id_roles.md) 和 [IAM 角色建立](id_roles_create.md)。要了解在擔任角色時使用的各種方法,請參閱 [擔任角色的方法](id_roles_manage-assume.md)。
**重要**
您的 IAM 使用者以及您擔任的任何角色的許可都不會累計。每次只有一組許可是作用中。當您擔任角色時,您會暫時放棄以前的使用者或角色許可,並使用指派給該角色的許可。當您退出角色後,原本的許可會自動恢復。
若要擔任角色,應用程式會 AWS STS [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)呼叫 API 操作,並傳遞要使用的角色 ARN。此操作會建立使用臨時憑證的新工作階段。此工作階段的許可,即為以身分為基礎的政策指派給角色的許可。
當您呼叫 [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) 時,您可以選擇性地傳遞內嵌或受管[工作階段政策](access_policies.md#policies_session)。工作階段政策是一種進階政策,且您會在以程式設計方式建立角色或聯合身分使用者工作階段的臨時憑證工作階段時,以參數方式傳遞。您可以使用 `Policy` 參數傳遞單一 JSON 內嵌工作階段政策文件。您可以使用 `PolicyArns` 參數,指定多達 10 個受管工作階段政策。所產生工作階段的許可會是實體的身分類型政策和工作階段政策的交集。當您需要將角色的臨時憑證提供給某人時,工作階段政策便可派上用場。他們可以在後續 AWS API 呼叫中,使用角色的臨時憑證來存取擁有該角色的帳戶中的資源。您無法使用工作階段政策來授予超出即將以身分為基礎政策所允許的許可。若要進一步了解 如何 AWS 決定角色的有效許可,請參閱 [政策評估邏輯](reference_policies_evaluation-logic.md)。
![\[PermissionsWhenPassingRoles_Diagram\]](http://docs.aws.amazon.com/zh_tw/IAM/latest/UserGuide/images/role_passed_policy_permissions.png)
當您以 IAM 使用者身分登入,或者作為已使用角色的[外部身分驗證使用者](id_roles_providers.md) ([SAML](id_roles_providers_saml.md) 或 [OIDC](id_roles_providers_oidc.md)) 登入時,可以呼叫 `AssumeRole`。您還可以使用[*角色鏈結*](id_roles.md#iam-term-role-chaining),它使用角色來擔任第二個角色。當您以 AWS 帳戶根使用者身分登入時,則無法擔任該角色。
在預設情況下,您的角色工作階段持續一小時。當您使用 AWS STS [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API 操作擔任此角色時,您可以指定 `DurationSeconds` 參數的值。此值的範圍可以從 900 秒 (15 分鐘) 到角色的最大工作階段持續時間設定的值。若要了解如何檢視角色的最大值,請參閱 [更新角色的最大工作階段持續時間](id_roles_update-role-settings.md#id_roles_update-session-duration)。
如果使用角色鏈結時,則工作階段最多限制為一小時。如果您隨後使用 `DurationSeconds` 參數提供大於一小時的值,則操作會失敗。
**注意**
基於安全考量,管理員可以[檢閱 AWS CloudTrail 日誌](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds),以了解在其中執行動作的人員 AWS。當您擔任角色時,系統管理員可能需要您指定來源身分或角色工作階段名稱 。如需詳細資訊,請參閱[`sts:SourceIdentity`](reference_policies_iam-condition-keys.md#ck_sourceidentity)及[`sts:RoleSessionName`](reference_policies_iam-condition-keys.md#ck_rolesessionname)。
下列程式碼範例示範如何建立使用者並擔任角色。
**警告**
為避免安全風險,在開發專用軟體或使用真實資料時,請勿使用 IAM 使用者進行身分驗證。相反地,搭配使用聯合功能和身分提供者,例如 [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)。
+ 建立沒有許可的使用者。
+ 建立一個可授予許可的角色,以列出帳戶的 Amazon S3 儲存貯體。
+ 新增政策,讓使用者擔任該角色。
+ 使用暫時憑證,擔任角色並列出 S3 儲存貯體,然後清理資源。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
global using Amazon.IdentityManagement;
global using Amazon.S3;
global using Amazon.SecurityToken;
global using IAMActions;
global using IamScenariosCommon;
global using Microsoft.Extensions.DependencyInjection;
global using Microsoft.Extensions.Hosting;
global using Microsoft.Extensions.Logging;
global using Microsoft.Extensions.Logging.Console;
global using Microsoft.Extensions.Logging.Debug;
namespace IAMActions;
public class IAMWrapper
{
private readonly IAmazonIdentityManagementService _IAMService;
///
/// Constructor for the IAMWrapper class.
///
/// An IAM client object.
public IAMWrapper(IAmazonIdentityManagementService IAMService)
{
_IAMService = IAMService;
}
///
/// Attach an IAM policy to a role.
///
/// The policy to attach.
/// The role that the policy will be attached to.
/// A Boolean value indicating the success of the action.
public async Task AttachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Create an IAM access key for a user.
///
/// The username for which to create the IAM access
/// key.
/// The AccessKey.
public async Task CreateAccessKeyAsync(string userName)
{
var response = await _IAMService.CreateAccessKeyAsync(new CreateAccessKeyRequest
{
UserName = userName,
});
return response.AccessKey;
}
///
/// Create an IAM policy.
///
/// The name to give the new IAM policy.
/// The policy document for the new policy.
/// The new IAM policy object.
public async Task CreatePolicyAsync(string policyName, string policyDocument)
{
var response = await _IAMService.CreatePolicyAsync(new CreatePolicyRequest
{
PolicyDocument = policyDocument,
PolicyName = policyName,
});
return response.Policy;
}
///
/// Create a new IAM role.
///
/// The name of the IAM role.
/// The name of the IAM policy document
/// for the new role.
/// The Amazon Resource Name (ARN) of the role.
public async Task CreateRoleAsync(string roleName, string rolePolicyDocument)
{
var request = new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = rolePolicyDocument,
};
var response = await _IAMService.CreateRoleAsync(request);
return response.Role.Arn;
}
///
/// Create an IAM service-linked role.
///
/// The name of the AWS Service.
/// A description of the IAM service-linked role.
/// The IAM role that was created.
public async Task CreateServiceLinkedRoleAsync(string serviceName, string description)
{
var request = new CreateServiceLinkedRoleRequest
{
AWSServiceName = serviceName,
Description = description
};
var response = await _IAMService.CreateServiceLinkedRoleAsync(request);
return response.Role;
}
///
/// Create an IAM user.
///
/// The username for the new IAM user.
/// The IAM user that was created.
public async Task CreateUserAsync(string userName)
{
var response = await _IAMService.CreateUserAsync(new CreateUserRequest { UserName = userName });
return response.User;
}
///
/// Delete an IAM user's access key.
///
/// The Id for the IAM access key.
/// The username of the user that owns the IAM
/// access key.
/// A Boolean value indicating the success of the action.
public async Task DeleteAccessKeyAsync(string accessKeyId, string userName)
{
var response = await _IAMService.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
{
AccessKeyId = accessKeyId,
UserName = userName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM policy.
///
/// The Amazon Resource Name (ARN) of the policy to
/// delete.
/// A Boolean value indicating the success of the action.
public async Task DeletePolicyAsync(string policyArn)
{
var response = await _IAMService.DeletePolicyAsync(new DeletePolicyRequest { PolicyArn = policyArn });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM role.
///
/// The name of the IAM role to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRoleAsync(string roleName)
{
var response = await _IAMService.DeleteRoleAsync(new DeleteRoleRequest { RoleName = roleName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM role policy.
///
/// The name of the IAM role.
/// The name of the IAM role policy to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRolePolicyAsync(string roleName, string policyName)
{
var response = await _IAMService.DeleteRolePolicyAsync(new DeleteRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM user.
///
/// The username of the IAM user to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserAsync(string userName)
{
var response = await _IAMService.DeleteUserAsync(new DeleteUserRequest { UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM user policy.
///
/// The name of the IAM policy to delete.
/// The username of the IAM user.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserPolicyAsync(string policyName, string userName)
{
var response = await _IAMService.DeleteUserPolicyAsync(new DeleteUserPolicyRequest { PolicyName = policyName, UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Detach an IAM policy from an IAM role.
///
/// The Amazon Resource Name (ARN) of the IAM policy.
/// The name of the IAM role.
/// A Boolean value indicating the success of the action.
public async Task DetachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.DetachRolePolicyAsync(new DetachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Gets the IAM password policy for an AWS account.
///
/// The PasswordPolicy for the AWS account.
public async Task GetAccountPasswordPolicyAsync()
{
var response = await _IAMService.GetAccountPasswordPolicyAsync(new GetAccountPasswordPolicyRequest());
return response.PasswordPolicy;
}
///
/// Get information about an IAM policy.
///
/// The IAM policy to retrieve information for.
/// The IAM policy.
public async Task GetPolicyAsync(string policyArn)
{
var response = await _IAMService.GetPolicyAsync(new GetPolicyRequest { PolicyArn = policyArn });
return response.Policy;
}
///
/// Get information about an IAM role.
///
/// The name of the IAM role to retrieve information
/// for.
/// The IAM role that was retrieved.
public async Task GetRoleAsync(string roleName)
{
var response = await _IAMService.GetRoleAsync(new GetRoleRequest
{
RoleName = roleName,
});
return response.Role;
}
///
/// Get information about an IAM user.
///
/// The username of the user.
/// An IAM user object.
public async Task GetUserAsync(string userName)
{
var response = await _IAMService.GetUserAsync(new GetUserRequest { UserName = userName });
return response.User;
}
///
/// List the IAM role policies that are attached to an IAM role.
///
/// The IAM role to list IAM policies for.
/// A list of the IAM policies attached to the IAM role.
public async Task> ListAttachedRolePoliciesAsync(string roleName)
{
var attachedPolicies = new List();
var attachedRolePoliciesPaginator = _IAMService.Paginators.ListAttachedRolePolicies(new ListAttachedRolePoliciesRequest { RoleName = roleName });
await foreach (var response in attachedRolePoliciesPaginator.Responses)
{
attachedPolicies.AddRange(response.AttachedPolicies);
}
return attachedPolicies;
}
///
/// List IAM groups.
///
/// A list of IAM groups.
public async Task> ListGroupsAsync()
{
var groupsPaginator = _IAMService.Paginators.ListGroups(new ListGroupsRequest());
var groups = new List();
await foreach (var response in groupsPaginator.Responses)
{
groups.AddRange(response.Groups);
}
return groups;
}
///
/// List IAM policies.
///
/// A list of the IAM policies.
public async Task> ListPoliciesAsync()
{
var listPoliciesPaginator = _IAMService.Paginators.ListPolicies(new ListPoliciesRequest());
var policies = new List();
await foreach (var response in listPoliciesPaginator.Responses)
{
policies.AddRange(response.Policies);
}
return policies;
}
///
/// List IAM role policies.
///
/// The IAM role for which to list IAM policies.
/// A list of IAM policy names.
public async Task> ListRolePoliciesAsync(string roleName)
{
var listRolePoliciesPaginator = _IAMService.Paginators.ListRolePolicies(new ListRolePoliciesRequest { RoleName = roleName });
var policyNames = new List();
await foreach (var response in listRolePoliciesPaginator.Responses)
{
policyNames.AddRange(response.PolicyNames);
}
return policyNames;
}
///
/// List IAM roles.
///
/// A list of IAM roles.
public async Task> ListRolesAsync()
{
var listRolesPaginator = _IAMService.Paginators.ListRoles(new ListRolesRequest());
var roles = new List();
await foreach (var response in listRolesPaginator.Responses)
{
roles.AddRange(response.Roles);
}
return roles;
}
///
/// List SAML authentication providers.
///
/// A list of SAML providers.
public async Task> ListSAMLProvidersAsync()
{
var response = await _IAMService.ListSAMLProvidersAsync(new ListSAMLProvidersRequest());
return response.SAMLProviderList;
}
///
/// List IAM users.
///
/// A list of IAM users.
public async Task> ListUsersAsync()
{
var listUsersPaginator = _IAMService.Paginators.ListUsers(new ListUsersRequest());
var users = new List();
await foreach (var response in listUsersPaginator.Responses)
{
users.AddRange(response.Users);
}
return users;
}
///
/// Update the inline policy document embedded in a role.
///
/// The name of the policy to embed.
/// The name of the role to update.
/// The policy document that defines the role.
/// A Boolean value indicating the success of the action.
public async Task PutRolePolicyAsync(string policyName, string roleName, string policyDocument)
{
var request = new PutRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
PolicyDocument = policyDocument
};
var response = await _IAMService.PutRolePolicyAsync(request);
return response.HttpStatusCode == HttpStatusCode.OK;
}
///
/// Add or update an inline policy document that is embedded in an IAM user.
///
/// The name of the IAM user.
/// The name of the IAM policy.
/// The policy document defining the IAM policy.
/// A Boolean value indicating the success of the action.
public async Task PutUserPolicyAsync(string userName, string policyName, string policyDocument)
{
var request = new PutUserPolicyRequest
{
UserName = userName,
PolicyName = policyName,
PolicyDocument = policyDocument
};
var response = await _IAMService.PutUserPolicyAsync(request);
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Wait for a new access key to be ready to use.
///
/// The Id of the access key.
/// A boolean value indicating the success of the action.
public async Task WaitUntilAccessKeyIsReady(string accessKeyId)
{
var keyReady = false;
do
{
try
{
var response = await _IAMService.GetAccessKeyLastUsedAsync(
new GetAccessKeyLastUsedRequest { AccessKeyId = accessKeyId });
if (response.UserName is not null)
{
keyReady = true;
}
}
catch (NoSuchEntityException)
{
keyReady = false;
}
} while (!keyReady);
return keyReady;
}
}
using Microsoft.Extensions.Configuration;
namespace IAMBasics;
public class IAMBasics
{
private static ILogger logger = null!;
static async Task Main(string[] args)
{
// Set up dependency injection for the AWS service.
using var host = Host.CreateDefaultBuilder(args)
.ConfigureLogging(logging =>
logging.AddFilter("System", LogLevel.Debug)
.AddFilter("Microsoft", LogLevel.Information)
.AddFilter("Microsoft", LogLevel.Trace))
.ConfigureServices((_, services) =>
services.AddAWSService()
.AddTransient()
.AddTransient()
)
.Build();
logger = LoggerFactory.Create(builder => { builder.AddConsole(); })
.CreateLogger();
IConfiguration configuration = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("settings.json") // Load test settings from .json file.
.AddJsonFile("settings.local.json",
true) // Optionally load local settings.
.Build();
// Values needed for user, role, and policies.
string userName = configuration["UserName"]!;
string s3PolicyName = configuration["S3PolicyName"]!;
string roleName = configuration["RoleName"]!;
var iamWrapper = host.Services.GetRequiredService();
var uiWrapper = host.Services.GetRequiredService();
uiWrapper.DisplayBasicsOverview();
uiWrapper.PressEnter();
// First create a user. By default, the new user has
// no permissions.
uiWrapper.DisplayTitle("Create User");
Console.WriteLine($"Creating a new user with user name: {userName}.");
var user = await iamWrapper.CreateUserAsync(userName);
var userArn = user.Arn;
Console.WriteLine($"Successfully created user: {userName} with ARN: {userArn}.");
uiWrapper.WaitABit(15, "Now let's wait for the user to be ready for use.");
// Define a role policy document that allows the new user
// to assume the role.
string assumeRolePolicyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
$" \"AWS\": \"{userArn}\"" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
// Permissions to list all buckets.
string policyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
" \"Statement\" : [{" +
" \"Action\" : [\"s3:ListAllMyBuckets\"]," +
" \"Effect\" : \"Allow\"," +
" \"Resource\" : \"*\"" +
"}]" +
"}";
// Create an AccessKey for the user.
uiWrapper.DisplayTitle("Create access key");
Console.WriteLine("Now let's create an access key for the new user.");
var accessKey = await iamWrapper.CreateAccessKeyAsync(userName);
var accessKeyId = accessKey.AccessKeyId;
var secretAccessKey = accessKey.SecretAccessKey;
Console.WriteLine($"We have created the access key with Access key id: {accessKeyId}.");
Console.WriteLine("Now let's wait until the IAM access key is ready to use.");
var keyReady = await iamWrapper.WaitUntilAccessKeyIsReady(accessKeyId);
// Now try listing the Amazon Simple Storage Service (Amazon S3)
// buckets. This should fail at this point because the user doesn't
// have permissions to perform this task.
uiWrapper.DisplayTitle("Try to display Amazon S3 buckets");
Console.WriteLine("Now let's try to display a list of the user's Amazon S3 buckets.");
var s3Client1 = new AmazonS3Client(accessKeyId, secretAccessKey);
var stsClient1 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey);
var s3Wrapper = new S3Wrapper(s3Client1, stsClient1);
var buckets = await s3Wrapper.ListMyBucketsAsync();
Console.WriteLine(buckets is null
? "As expected, the call to list the buckets has returned a null list."
: "Something went wrong. This shouldn't have worked.");
uiWrapper.PressEnter();
uiWrapper.DisplayTitle("Create IAM role");
Console.WriteLine($"Creating the role: {roleName}");
// Creating an IAM role to allow listing the S3 buckets. A role name
// is not case sensitive and must be unique to the account for which it
// is created.
var roleArn = await iamWrapper.CreateRoleAsync(roleName, assumeRolePolicyDocument);
uiWrapper.PressEnter();
// Create a policy with permissions to list S3 buckets.
uiWrapper.DisplayTitle("Create IAM policy");
Console.WriteLine($"Creating the policy: {s3PolicyName}");
Console.WriteLine("with permissions to list the Amazon S3 buckets for the account.");
var policy = await iamWrapper.CreatePolicyAsync(s3PolicyName, policyDocument);
// Wait 15 seconds for the IAM policy to be available.
uiWrapper.WaitABit(15, "Waiting for the policy to be available.");
// Attach the policy to the role you created earlier.
uiWrapper.DisplayTitle("Attach new IAM policy");
Console.WriteLine("Now let's attach the policy to the role.");
await iamWrapper.AttachRolePolicyAsync(policy.Arn, roleName);
// Wait 15 seconds for the role to be updated.
Console.WriteLine();
uiWrapper.WaitABit(15, "Waiting for the policy to be attached.");
// Use the AWS Security Token Service (AWS STS) to have the user
// assume the role we created.
var stsClient2 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey);
// Wait for the new credentials to become valid.
uiWrapper.WaitABit(10, "Waiting for the credentials to be valid.");
var assumedRoleCredentials = await s3Wrapper.AssumeS3RoleAsync("temporary-session", roleArn);
// Try again to list the buckets using the client created with
// the new user's credentials. This time, it should work.
var s3Client2 = new AmazonS3Client(assumedRoleCredentials);
s3Wrapper.UpdateClients(s3Client2, stsClient2);
buckets = await s3Wrapper.ListMyBucketsAsync();
uiWrapper.DisplayTitle("List Amazon S3 buckets");
Console.WriteLine("This time we should have buckets to list.");
if (buckets is not null)
{
buckets.ForEach(bucket =>
{
Console.WriteLine($"{bucket.BucketName} created: {bucket.CreationDate}");
});
}
uiWrapper.PressEnter();
// Now clean up all the resources used in the example.
uiWrapper.DisplayTitle("Clean up resources");
Console.WriteLine("Thank you for watching. The IAM Basics demo is complete.");
Console.WriteLine("Please wait while we clean up the resources we created.");
await iamWrapper.DetachRolePolicyAsync(policy.Arn, roleName);
await iamWrapper.DeletePolicyAsync(policy.Arn);
await iamWrapper.DeleteRoleAsync(roleName);
await iamWrapper.DeleteAccessKeyAsync(accessKeyId, userName);
await iamWrapper.DeleteUserAsync(userName);
uiWrapper.PressEnter();
Console.WriteLine("All done cleaning up our resources. Thank you for your patience.");
}
}
namespace IamScenariosCommon;
using System.Net;
///
/// A class to perform Amazon Simple Storage Service (Amazon S3) actions for
/// the IAM Basics scenario.
///
public class S3Wrapper
{
private IAmazonS3 _s3Service;
private IAmazonSecurityTokenService _stsService;
///
/// Constructor for the S3Wrapper class.
///
/// An Amazon S3 client object.
/// An AWS Security Token Service (AWS STS)
/// client object.
public S3Wrapper(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService)
{
_s3Service = s3Service;
_stsService = stsService;
}
///
/// Assumes an AWS Identity and Access Management (IAM) role that allows
/// Amazon S3 access for the current session.
///
/// A string representing the current session.
/// The name of the IAM role to assume.
/// Credentials for the newly assumed IAM role.
public async Task AssumeS3RoleAsync(string roleSession, string roleToAssume)
{
// Create the request to use with the AssumeRoleAsync call.
var request = new AssumeRoleRequest()
{
RoleSessionName = roleSession,
RoleArn = roleToAssume,
};
var response = await _stsService.AssumeRoleAsync(request);
return response.Credentials;
}
///
/// Delete an S3 bucket.
///
/// Name of the S3 bucket to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteBucketAsync(string bucketName)
{
var result = await _s3Service.DeleteBucketAsync(new DeleteBucketRequest { BucketName = bucketName });
return result.HttpStatusCode == HttpStatusCode.OK;
}
///
/// List the buckets that are owned by the user's account.
///
/// Async Task.
public async Task?> ListMyBucketsAsync()
{
try
{
// Get the list of buckets accessible by the new user.
var response = await _s3Service.ListBucketsAsync();
return response.Buckets;
}
catch (AmazonS3Exception ex)
{
// Something else went wrong. Display the error message.
Console.WriteLine($"Error: {ex.Message}");
return null;
}
}
///
/// Create a new S3 bucket.
///
/// The name for the new bucket.
/// A Boolean value indicating whether the action completed
/// successfully.
public async Task PutBucketAsync(string bucketName)
{
var response = await _s3Service.PutBucketAsync(new PutBucketRequest { BucketName = bucketName });
return response.HttpStatusCode == HttpStatusCode.OK;
}
///
/// Update the client objects with new client objects. This is available
/// because the scenario uses the methods of this class without and then
/// with the proper permissions to list S3 buckets.
///
/// The Amazon S3 client object.
/// The AWS STS client object.
public void UpdateClients(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService)
{
_s3Service = s3Service;
_stsService = stsService;
}
}
namespace IamScenariosCommon;
public class UIWrapper
{
public readonly string SepBar = new('-', Console.WindowWidth);
///
/// Show information about the IAM Groups scenario.
///
public void DisplayGroupsOverview()
{
Console.Clear();
DisplayTitle("Welcome to the IAM Groups Demo");
Console.WriteLine("This example application does the following:");
Console.WriteLine("\t1. Creates an Amazon Identity and Access Management (IAM) group.");
Console.WriteLine("\t2. Adds an IAM policy to the IAM group giving it full access to Amazon S3.");
Console.WriteLine("\t3. Creates a new IAM user.");
Console.WriteLine("\t4. Creates an IAM access key for the user.");
Console.WriteLine("\t5. Adds the user to the IAM group.");
Console.WriteLine("\t6. Lists the buckets on the account.");
Console.WriteLine("\t7. Proves that the user has full Amazon S3 access by creating a bucket.");
Console.WriteLine("\t8. List the buckets again to show the new bucket.");
Console.WriteLine("\t9. Cleans up all the resources created.");
}
///
/// Show information about the IAM Basics scenario.
///
public void DisplayBasicsOverview()
{
Console.Clear();
DisplayTitle("Welcome to IAM Basics");
Console.WriteLine("This example application does the following:");
Console.WriteLine("\t1. Creates a user with no permissions.");
Console.WriteLine("\t2. Creates a role and policy that grant s3:ListAllMyBuckets permission.");
Console.WriteLine("\t3. Grants the user permission to assume the role.");
Console.WriteLine("\t4. Creates an S3 client object as the user and tries to list buckets (this will fail).");
Console.WriteLine("\t5. Gets temporary credentials by assuming the role.");
Console.WriteLine("\t6. Creates a new S3 client object with the temporary credentials and lists the buckets (this will succeed).");
Console.WriteLine("\t7. Deletes all the resources.");
}
///
/// Display a message and wait until the user presses enter.
///
public void PressEnter()
{
Console.Write("\nPress to continue. ");
_ = Console.ReadLine();
Console.WriteLine();
}
///
/// Pad a string with spaces to center it on the console display.
///
/// The string to be centered.
/// The padded string.
public string CenterString(string strToCenter)
{
var padAmount = (Console.WindowWidth - strToCenter.Length) / 2;
var leftPad = new string(' ', padAmount);
return $"{leftPad}{strToCenter}";
}
///
/// Display a line of hyphens, the centered text of the title, and another
/// line of hyphens.
///
/// The string to be displayed.
public void DisplayTitle(string strTitle)
{
Console.WriteLine(SepBar);
Console.WriteLine(CenterString(strTitle));
Console.WriteLine(SepBar);
}
///
/// Display a countdown and wait for a number of seconds.
///
/// The number of seconds to wait.
public void WaitABit(int numSeconds, string msg)
{
Console.WriteLine(msg);
// Wait for the requested number of seconds.
for (int i = numSeconds; i > 0; i--)
{
System.Threading.Thread.Sleep(1000);
Console.Write($"{i}...");
}
PressEnter();
}
}
```
+ 如需 API 詳細資訊,請參閱《*適用於 .NET 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Bash ]
**AWS CLI 使用 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function iam_create_user_assume_role
#
# Scenario to create an IAM user, create an IAM role, and apply the role to the user.
#
# "IAM access" permissions are needed to run this code.
# "STS assume role" permissions are needed to run this code. (Note: It might be necessary to
# create a custom policy).
#
# Returns:
# 0 - If successful.
# 1 - If an error occurred.
###############################################################################
function iam_create_user_assume_role() {
{
if [ "$IAM_OPERATIONS_SOURCED" != "True" ]; then
source ./iam_operations.sh
fi
}
echo_repeat "*" 88
echo "Welcome to the IAM create user and assume role demo."
echo
echo "This demo will create an IAM user, create an IAM role, and apply the role to the user."
echo_repeat "*" 88
echo
echo -n "Enter a name for a new IAM user: "
get_input
user_name=$get_input_result
local user_arn
user_arn=$(iam_create_user -u "$user_name")
# shellcheck disable=SC2181
if [[ ${?} == 0 ]]; then
echo "Created demo IAM user named $user_name"
else
errecho "$user_arn"
errecho "The user failed to create. This demo will exit."
return 1
fi
local access_key_response
access_key_response=$(iam_create_user_access_key -u "$user_name")
# shellcheck disable=SC2181
if [[ ${?} != 0 ]]; then
errecho "The access key failed to create. This demo will exit."
clean_up "$user_name"
return 1
fi
IFS=$'\t ' read -r -a access_key_values <<<"$access_key_response"
local key_name=${access_key_values[0]}
local key_secret=${access_key_values[1]}
echo "Created access key named $key_name"
echo "Wait 10 seconds for the user to be ready."
sleep 10
echo_repeat "*" 88
echo
local iam_role_name
iam_role_name=$(generate_random_name "test-role")
echo "Creating a role named $iam_role_name with user $user_name as the principal."
local assume_role_policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"$user_arn\"},
\"Action\": \"sts:AssumeRole\"
}]
}"
local role_arn
role_arn=$(iam_create_role -n "$iam_role_name" -p "$assume_role_policy_document")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Created IAM role named $iam_role_name"
else
errecho "The role failed to create. This demo will exit."
clean_up "$user_name" "$key_name"
return 1
fi
local policy_name
policy_name=$(generate_random_name "test-policy")
local policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]}"
local policy_arn
policy_arn=$(iam_create_policy -n "$policy_name" -p "$policy_document")
# shellcheck disable=SC2181
if [[ ${?} == 0 ]]; then
echo "Created IAM policy named $policy_name"
else
errecho "The policy failed to create."
clean_up "$user_name" "$key_name" "$iam_role_name"
return 1
fi
if (iam_attach_role_policy -n "$iam_role_name" -p "$policy_arn"); then
echo "Attached policy $policy_arn to role $iam_role_name"
else
errecho "The policy failed to attach."
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn"
return 1
fi
local assume_role_policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"$role_arn\"}]}"
local assume_role_policy_name
assume_role_policy_name=$(generate_random_name "test-assume-role-")
# shellcheck disable=SC2181
local assume_role_policy_arn
assume_role_policy_arn=$(iam_create_policy -n "$assume_role_policy_name" -p "$assume_role_policy_document")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Created IAM policy named $assume_role_policy_name for sts assume role"
else
errecho "The policy failed to create."
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn"
return 1
fi
echo "Wait 10 seconds to give AWS time to propagate these new resources and connections."
sleep 10
echo_repeat "*" 88
echo
echo "Try to list buckets without the new user assuming the role."
echo_repeat "*" 88
echo
# Set the environment variables for the created user.
# bashsupport disable=BP2001
export AWS_ACCESS_KEY_ID=$key_name
# bashsupport disable=BP2001
export AWS_SECRET_ACCESS_KEY=$key_secret
local buckets
buckets=$(s3_list_buckets)
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
local bucket_count
bucket_count=$(echo "$buckets" | wc -w | xargs)
echo "There are $bucket_count buckets in the account. This should not have happened."
else
errecho "Because the role with permissions has not been assumed, listing buckets failed."
fi
echo
echo_repeat "*" 88
echo "Now assume the role $iam_role_name and list the buckets."
echo_repeat "*" 88
echo
local credentials
credentials=$(sts_assume_role -r "$role_arn" -n "AssumeRoleDemoSession")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Assumed role $iam_role_name"
else
errecho "Failed to assume role."
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
return 1
fi
IFS=$'\t ' read -r -a credentials <<<"$credentials"
export AWS_ACCESS_KEY_ID=${credentials[0]}
export AWS_SECRET_ACCESS_KEY=${credentials[1]}
# bashsupport disable=BP2001
export AWS_SESSION_TOKEN=${credentials[2]}
buckets=$(s3_list_buckets)
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
local bucket_count
bucket_count=$(echo "$buckets" | wc -w | xargs)
echo "There are $bucket_count buckets in the account. Listing buckets succeeded because of "
echo "the assumed role."
else
errecho "Failed to list buckets. This should not happen."
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_SESSION_TOKEN=""
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
return 1
fi
local result=0
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
echo
echo_repeat "*" 88
echo "The created resources will now be deleted."
echo_repeat "*" 88
echo
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
# shellcheck disable=SC2181
if [[ ${?} -ne 0 ]]; then
result=1
fi
return $result
}
```
此案例中使用的 IAM 函數。
```
###############################################################################
# function iam_user_exists
#
# This function checks to see if the specified AWS Identity and Access Management (IAM) user already exists.
#
# Parameters:
# $1 - The name of the IAM user to check.
#
# Returns:
# 0 - If the user already exists.
# 1 - If the user doesn't exist.
###############################################################################
function iam_user_exists() {
local user_name
user_name=$1
# Check whether the IAM user already exists.
# We suppress all output - we're interested only in the return code.
local errors
errors=$(aws iam get-user \
--user-name "$user_name" 2>&1 >/dev/null)
local error_code=${?}
if [[ $error_code -eq 0 ]]; then
return 0 # 0 in Bash script means true.
else
if [[ $errors != *"error"*"(NoSuchEntity)"* ]]; then
aws_cli_error_log $error_code
errecho "Error calling iam get-user $errors"
fi
return 1 # 1 in Bash script means false.
fi
}
###############################################################################
# function iam_create_user
#
# This function creates the specified IAM user, unless
# it already exists.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# The ARN of the user.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user"
echo "Creates an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user. It must be unique within the account."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user already exists, we don't want to try to create it.
if (iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name already exists in the account."
return 1
fi
response=$(aws iam create-user --user-name "$user_name" \
--output text \
--query 'User.Arn')
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-user operation failed.$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_create_user_access_key
#
# This function creates an IAM access key for the specified user.
#
# Parameters:
# -u user_name -- The name of the IAM user.
# [-f file_name] -- The optional file name for the access key output.
#
# Returns:
# [access_key_id access_key_secret]
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user_access_key() {
local user_name file_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) key pair."
echo " -u user_name The name of the IAM user."
echo " [-f file_name] Optional file name for the access key output."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:f:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
f) file_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
response=$(aws iam create-access-key \
--user-name "$user_name" \
--output text)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-access-key operation failed.$response"
return 1
fi
if [[ -n "$file_name" ]]; then
echo "$response" >"$file_name"
fi
local key_id key_secret
# shellcheck disable=SC2086
key_id=$(echo $response | cut -f 2 -d ' ')
# shellcheck disable=SC2086
key_secret=$(echo $response | cut -f 4 -d ' ')
echo "$key_id $key_secret"
return 0
}
###############################################################################
# function iam_create_role
#
# This function creates an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_json -- The assume role policy document.
#
# Returns:
# The ARN of the role.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_role() {
local role_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) role."
echo " -n role_name The name of the IAM role."
echo " -p policy_json -- The assume role policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-role \
--role-name "$role_name" \
--assume-role-policy-document "$policy_document" \
--output text \
--query Role.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-role operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_create_policy
#
# This function creates an IAM policy.
#
# Parameters:
# -n policy_name -- The name of the IAM policy.
# -p policy_json -- The policy document.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_policy() {
local policy_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_policy"
echo "Creates an AWS Identity and Access Management (IAM) policy."
echo " -n policy_name The name of the IAM policy."
echo " -p policy_json -- The policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) policy_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_name" ]]; then
errecho "ERROR: You must provide a policy name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-policy \
--policy-name "$policy_name" \
--policy-document "$policy_document" \
--output text \
--query Policy.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-policy operation failed.\n$response"
return 1
fi
echo "$response"
}
###############################################################################
# function iam_attach_role_policy
#
# This function attaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_attach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_attach_role_policy"
echo "Attaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam attach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports attach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_detach_role_policy
#
# This function detaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_detach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_detach_role_policy"
echo "Detaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam detach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports detach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_delete_policy
#
# This function deletes an IAM policy.
#
# Parameters:
# -n policy_arn -- The name of the IAM policy arn.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_policy() {
local policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_policy"
echo "Deletes an AWS Identity and Access Management (IAM) policy"
echo " -n policy_arn -- The name of the IAM policy arn."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy arn with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Policy arn: $policy_arn"
iecho ""
response=$(aws iam delete-policy \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-policy operation failed.\n$response"
return 1
fi
iecho "delete-policy response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_role
#
# This function deletes an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_role() {
local role_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_role"
echo "Deletes an AWS Identity and Access Management (IAM) role"
echo " -n role_name -- The name of the IAM role."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
echo "role_name:$role_name"
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Role name: $role_name"
iecho ""
response=$(aws iam delete-role \
--role-name "$role_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-role operation failed.\n$response"
return 1
fi
iecho "delete-role response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_access_key
#
# This function deletes an IAM access key for the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user.
# -k access_key -- The access key to delete.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_access_key() {
local user_name access_key response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_access_key"
echo "Deletes an AWS Identity and Access Management (IAM) access key for the specified IAM user"
echo " -u user_name The name of the user."
echo " -k access_key The access key to delete."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:k:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
k) access_key="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
if [[ -z "$access_key" ]]; then
errecho "ERROR: You must provide an access key with the -k parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Username: $user_name"
iecho " Access key: $access_key"
iecho ""
response=$(aws iam delete-access-key \
--user-name "$user_name" \
--access-key-id "$access_key")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-access-key operation failed.\n$response"
return 1
fi
iecho "delete-access-key response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_user
#
# This function deletes the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_user"
echo "Deletes an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user does not exist, we don't want to try to delete it.
if (! iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name does not exist in the account."
return 1
fi
response=$(aws iam delete-user \
--user-name "$user_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-user operation failed.$response"
return 1
fi
iecho "delete-user response:$response"
iecho
return 0
}
```
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutUserPolicy)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
namespace AwsDoc {
namespace IAM {
//! Cleanup by deleting created entities.
/*!
\sa DeleteCreatedEntities
\param client: IAM client.
\param role: IAM role.
\param user: IAM user.
\param policy: IAM policy.
*/
static bool DeleteCreatedEntities(const Aws::IAM::IAMClient &client,
const Aws::IAM::Model::Role &role,
const Aws::IAM::Model::User &user,
const Aws::IAM::Model::Policy &policy);
}
static const int LIST_BUCKETS_WAIT_SEC = 20;
static const char ALLOCATION_TAG[] = "example_code";
}
//! Scenario to create an IAM user, create an IAM role, and apply the role to the user.
// "IAM access" permissions are needed to run this code.
// "STS assume role" permissions are needed to run this code. (Note: It might be necessary to
// create a custom policy).
/*!
\sa iamCreateUserAssumeRoleScenario
\param clientConfig: Aws client configuration.
\return bool: Successful completion.
*/
bool AwsDoc::IAM::iamCreateUserAssumeRoleScenario(
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient client(clientConfig);
Aws::IAM::Model::User user;
Aws::IAM::Model::Role role;
Aws::IAM::Model::Policy policy;
// 1. Create a user.
{
Aws::IAM::Model::CreateUserRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String userName = "iam-demo-user-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetUserName(userName);
Aws::IAM::Model::CreateUserOutcome outcome = client.CreateUser(request);
if (!outcome.IsSuccess()) {
std::cout << "Error creating IAM user " << userName << ":" <<
outcome.GetError().GetMessage() << std::endl;
return false;
}
else {
std::cout << "Successfully created IAM user " << userName << std::endl;
}
user = outcome.GetResult().GetUser();
}
// 2. Create a role.
{
// Get the IAM user for the current client in order to access its ARN.
Aws::String iamUserArn;
{
Aws::IAM::Model::GetUserRequest request;
Aws::IAM::Model::GetUserOutcome outcome = client.GetUser(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error getting Iam user. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully retrieved Iam user "
<< outcome.GetResult().GetUser().GetUserName()
<< std::endl;
}
iamUserArn = outcome.GetResult().GetUser().GetArn();
}
Aws::IAM::Model::CreateRoleRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String roleName = "iam-demo-role-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetRoleName(roleName);
// Build policy document for role.
Aws::Utils::Document jsonStatement;
jsonStatement.WithString("Effect", "Allow");
Aws::Utils::Document jsonPrincipal;
jsonPrincipal.WithString("AWS", iamUserArn);
jsonStatement.WithObject("Principal", jsonPrincipal);
jsonStatement.WithString("Action", "sts:AssumeRole");
jsonStatement.WithObject("Condition", Aws::Utils::Document());
Aws::Utils::Document policyDocument;
policyDocument.WithString("Version", "2012-10-17");
Aws::Utils::Array statements(1);
statements[0] = jsonStatement;
policyDocument.WithArray("Statement", statements);
std::cout << "Setting policy for role\n "
<< policyDocument.View().WriteCompact() << std::endl;
// Set role policy document as JSON string.
request.SetAssumeRolePolicyDocument(policyDocument.View().WriteCompact());
Aws::IAM::Model::CreateRoleOutcome outcome = client.CreateRole(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating role. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully created a role with name " << roleName
<< std::endl;
}
role = outcome.GetResult().GetRole();
}
// 3. Create an IAM policy.
{
Aws::IAM::Model::CreatePolicyRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String policyName = "iam-demo-policy-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetPolicyName(policyName);
// Build IAM policy document.
Aws::Utils::Document jsonStatement;
jsonStatement.WithString("Effect", "Allow");
jsonStatement.WithString("Action", "s3:ListAllMyBuckets");
jsonStatement.WithString("Resource", "arn:aws:s3:::*");
Aws::Utils::Document policyDocument;
policyDocument.WithString("Version", "2012-10-17");
Aws::Utils::Array statements(1);
statements[0] = jsonStatement;
policyDocument.WithArray("Statement", statements);
std::cout << "Creating a policy.\n " << policyDocument.View().WriteCompact()
<< std::endl;
// Set IAM policy document as JSON string.
request.SetPolicyDocument(policyDocument.View().WriteCompact());
Aws::IAM::Model::CreatePolicyOutcome outcome = client.CreatePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating policy. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully created a policy with name, " << policyName <<
"." << std::endl;
}
policy = outcome.GetResult().GetPolicy();
}
// 4. Assume the new role using the AWS Security Token Service (STS).
Aws::STS::Model::Credentials credentials;
{
Aws::STS::STSClient stsClient(clientConfig);
Aws::STS::Model::AssumeRoleRequest request;
request.SetRoleArn(role.GetArn());
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String roleSessionName = "iam-demo-role-session-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetRoleSessionName(roleSessionName);
Aws::STS::Model::AssumeRoleOutcome assumeRoleOutcome;
// Repeatedly call AssumeRole, because there is often a delay
// before the role is available to be assumed.
// Repeat at most 20 times when access is denied.
int count = 0;
while (true) {
assumeRoleOutcome = stsClient.AssumeRole(request);
if (!assumeRoleOutcome.IsSuccess()) {
if (count > 20 ||
assumeRoleOutcome.GetError().GetErrorType() !=
Aws::STS::STSErrors::ACCESS_DENIED) {
std::cerr << "Error assuming role after 20 tries. " <<
assumeRoleOutcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
std::this_thread::sleep_for(std::chrono::seconds(1));
}
else {
std::cout << "Successfully assumed the role after " << count
<< " seconds." << std::endl;
break;
}
count++;
}
credentials = assumeRoleOutcome.GetResult().GetCredentials();
}
// 5. List objects in the bucket (This should fail).
{
Aws::S3::S3Client s3Client(
Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(),
credentials.GetSecretAccessKey(),
credentials.GetSessionToken()),
Aws::MakeShared(ALLOCATION_TAG),
clientConfig);
Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets();
if (!listBucketsOutcome.IsSuccess()) {
if (listBucketsOutcome.GetError().GetErrorType() !=
Aws::S3::S3Errors::ACCESS_DENIED) {
std::cerr << "Could not lists buckets. " <<
listBucketsOutcome.GetError().GetMessage() << std::endl;
}
else {
std::cout
<< "Access to list buckets denied because privileges have not been applied."
<< std::endl;
}
}
else {
std::cerr
<< "Successfully retrieved bucket lists when this should not happen."
<< std::endl;
}
}
// 6. Attach the policy to the role.
{
Aws::IAM::Model::AttachRolePolicyRequest request;
request.SetRoleName(role.GetRoleName());
request.WithPolicyArn(policy.GetArn());
Aws::IAM::Model::AttachRolePolicyOutcome outcome = client.AttachRolePolicy(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating policy. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully attached the policy with name, "
<< policy.GetPolicyName() <<
", to the role, " << role.GetRoleName() << "." << std::endl;
}
}
int count = 0;
// 7. List objects in the bucket (this should succeed).
// Repeatedly call ListBuckets, because there is often a delay
// before the policy with ListBucket permissions has been applied to the role.
// Repeat at most LIST_BUCKETS_WAIT_SEC times when access is denied.
while (true) {
Aws::S3::S3Client s3Client(
Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(),
credentials.GetSecretAccessKey(),
credentials.GetSessionToken()),
Aws::MakeShared(ALLOCATION_TAG),
clientConfig);
Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets();
if (!listBucketsOutcome.IsSuccess()) {
if ((count > LIST_BUCKETS_WAIT_SEC) ||
listBucketsOutcome.GetError().GetErrorType() !=
Aws::S3::S3Errors::ACCESS_DENIED) {
std::cerr << "Could not lists buckets after " << LIST_BUCKETS_WAIT_SEC << " seconds. " <<
listBucketsOutcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
std::this_thread::sleep_for(std::chrono::seconds(1));
}
else {
std::cout << "Successfully retrieved bucket lists after " << count
<< " seconds." << std::endl;
break;
}
count++;
}
// 8. Delete all the created resources.
return DeleteCreatedEntities(client, role, user, policy);
}
bool AwsDoc::IAM::DeleteCreatedEntities(const Aws::IAM::IAMClient &client,
const Aws::IAM::Model::Role &role,
const Aws::IAM::Model::User &user,
const Aws::IAM::Model::Policy &policy) {
bool result = true;
if (policy.ArnHasBeenSet()) {
// Detach the policy from the role.
{
Aws::IAM::Model::DetachRolePolicyRequest request;
request.SetPolicyArn(policy.GetArn());
request.SetRoleName(role.GetRoleName());
Aws::IAM::Model::DetachRolePolicyOutcome outcome = client.DetachRolePolicy(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error Detaching policy from roles. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully detached the policy with arn "
<< policy.GetArn()
<< " from role " << role.GetRoleName() << "." << std::endl;
}
}
// Delete the policy.
{
Aws::IAM::Model::DeletePolicyRequest request;
request.WithPolicyArn(policy.GetArn());
Aws::IAM::Model::DeletePolicyOutcome outcome = client.DeletePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting policy. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the policy with arn "
<< policy.GetArn() << std::endl;
}
}
}
if (role.RoleIdHasBeenSet()) {
// Delete the role.
Aws::IAM::Model::DeleteRoleRequest request;
request.SetRoleName(role.GetRoleName());
Aws::IAM::Model::DeleteRoleOutcome outcome = client.DeleteRole(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting role. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the role with name "
<< role.GetRoleName() << std::endl;
}
}
if (user.ArnHasBeenSet()) {
// Delete the user.
Aws::IAM::Model::DeleteUserRequest request;
request.WithUserName(user.GetUserName());
Aws::IAM::Model::DeleteUserOutcome outcome = client.DeleteUser(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting user. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the user with name "
<< user.GetUserName() << std::endl;
}
}
return result;
}
```
+ 如需 API 詳細資訊,請參閱《*適用於 C\$1\$1 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/PutUserPolicy)
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
在命令提示中執行互動式案例。
```
import (
"context"
"errors"
"fmt"
"log"
"math/rand"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/aws/smithy-go"
"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
"github.com/awsdocs/aws-doc-sdk-examples/gov2/iam/actions"
)
// AssumeRoleScenario shows you how to use the AWS Identity and Access Management (IAM)
// service to perform the following actions:
//
// 1. Create a user who has no permissions.
// 2. Create a role that grants permission to list Amazon Simple Storage Service
// (Amazon S3) buckets for the account.
// 3. Add a policy to let the user assume the role.
// 4. Try and fail to list buckets without permissions.
// 5. Assume the role and list S3 buckets using temporary credentials.
// 6. Delete the policy, role, and user.
type AssumeRoleScenario struct {
sdkConfig aws.Config
accountWrapper actions.AccountWrapper
policyWrapper actions.PolicyWrapper
roleWrapper actions.RoleWrapper
userWrapper actions.UserWrapper
questioner demotools.IQuestioner
helper IScenarioHelper
isTestRun bool
}
// NewAssumeRoleScenario constructs an AssumeRoleScenario instance from a configuration.
// It uses the specified config to get an IAM client and create wrappers for the actions
// used in the scenario.
func NewAssumeRoleScenario(sdkConfig aws.Config, questioner demotools.IQuestioner,
helper IScenarioHelper) AssumeRoleScenario {
iamClient := iam.NewFromConfig(sdkConfig)
return AssumeRoleScenario{
sdkConfig: sdkConfig,
accountWrapper: actions.AccountWrapper{IamClient: iamClient},
policyWrapper: actions.PolicyWrapper{IamClient: iamClient},
roleWrapper: actions.RoleWrapper{IamClient: iamClient},
userWrapper: actions.UserWrapper{IamClient: iamClient},
questioner: questioner,
helper: helper,
}
}
// addTestOptions appends the API options specified in the original configuration to
// another configuration. This is used to attach the middleware stubber to clients
// that are constructed during the scenario, which is needed for unit testing.
func (scenario AssumeRoleScenario) addTestOptions(scenarioConfig *aws.Config) {
if scenario.isTestRun {
scenarioConfig.APIOptions = append(scenarioConfig.APIOptions, scenario.sdkConfig.APIOptions...)
}
}
// Run runs the interactive scenario.
func (scenario AssumeRoleScenario) Run(ctx context.Context) {
defer func() {
if r := recover(); r != nil {
log.Printf("Something went wrong with the demo.\n")
log.Println(r)
}
}()
log.Println(strings.Repeat("-", 88))
log.Println("Welcome to the AWS Identity and Access Management (IAM) assume role demo.")
log.Println(strings.Repeat("-", 88))
user := scenario.CreateUser(ctx)
accessKey := scenario.CreateAccessKey(ctx, user)
role := scenario.CreateRoleAndPolicies(ctx, user)
noPermsConfig := scenario.ListBucketsWithoutPermissions(ctx, accessKey)
scenario.ListBucketsWithAssumedRole(ctx, noPermsConfig, role)
scenario.Cleanup(ctx, user, role)
log.Println(strings.Repeat("-", 88))
log.Println("Thanks for watching!")
log.Println(strings.Repeat("-", 88))
}
// CreateUser creates a new IAM user. This user has no permissions.
func (scenario AssumeRoleScenario) CreateUser(ctx context.Context) *types.User {
log.Println("Let's create an example user with no permissions.")
userName := scenario.questioner.Ask("Enter a name for the example user:", demotools.NotEmpty{})
user, err := scenario.userWrapper.GetUser(ctx, userName)
if err != nil {
panic(err)
}
if user == nil {
user, err = scenario.userWrapper.CreateUser(ctx, userName)
if err != nil {
panic(err)
}
log.Printf("Created user %v.\n", *user.UserName)
} else {
log.Printf("User %v already exists.\n", *user.UserName)
}
log.Println(strings.Repeat("-", 88))
return user
}
// CreateAccessKey creates an access key for the user.
func (scenario AssumeRoleScenario) CreateAccessKey(ctx context.Context, user *types.User) *types.AccessKey {
accessKey, err := scenario.userWrapper.CreateAccessKeyPair(ctx, *user.UserName)
if err != nil {
panic(err)
}
log.Printf("Created access key %v for your user.", *accessKey.AccessKeyId)
log.Println("Waiting a few seconds for your user to be ready...")
scenario.helper.Pause(10)
log.Println(strings.Repeat("-", 88))
return accessKey
}
// CreateRoleAndPolicies creates a policy that grants permission to list S3 buckets for
// the current account and attaches the policy to a newly created role. It also adds an
// inline policy to the specified user that grants the user permission to assume the role.
func (scenario AssumeRoleScenario) CreateRoleAndPolicies(ctx context.Context, user *types.User) *types.Role {
log.Println("Let's create a role and policy that grant permission to list S3 buckets.")
scenario.questioner.Ask("Press Enter when you're ready.")
listBucketsRole, err := scenario.roleWrapper.CreateRole(ctx, scenario.helper.GetName(), *user.Arn)
if err != nil {
panic(err)
}
log.Printf("Created role %v.\n", *listBucketsRole.RoleName)
listBucketsPolicy, err := scenario.policyWrapper.CreatePolicy(
ctx, scenario.helper.GetName(), []string{"s3:ListAllMyBuckets"}, "arn:aws:s3:::*")
if err != nil {
panic(err)
}
log.Printf("Created policy %v.\n", *listBucketsPolicy.PolicyName)
err = scenario.roleWrapper.AttachRolePolicy(ctx, *listBucketsPolicy.Arn, *listBucketsRole.RoleName)
if err != nil {
panic(err)
}
log.Printf("Attached policy %v to role %v.\n", *listBucketsPolicy.PolicyName,
*listBucketsRole.RoleName)
err = scenario.userWrapper.CreateUserPolicy(ctx, *user.UserName, scenario.helper.GetName(),
[]string{"sts:AssumeRole"}, *listBucketsRole.Arn)
if err != nil {
panic(err)
}
log.Printf("Created an inline policy for user %v that lets the user assume the role.\n",
*user.UserName)
log.Println("Let's give AWS a few seconds to propagate these new resources and connections...")
scenario.helper.Pause(10)
log.Println(strings.Repeat("-", 88))
return listBucketsRole
}
// ListBucketsWithoutPermissions creates an Amazon S3 client from the user's access key
// credentials and tries to list buckets for the account. Because the user does not have
// permission to perform this action, the action fails.
func (scenario AssumeRoleScenario) ListBucketsWithoutPermissions(ctx context.Context, accessKey *types.AccessKey) *aws.Config {
log.Println("Let's try to list buckets without permissions. This should return an AccessDenied error.")
scenario.questioner.Ask("Press Enter when you're ready.")
noPermsConfig, err := config.LoadDefaultConfig(ctx,
config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
*accessKey.AccessKeyId, *accessKey.SecretAccessKey, ""),
))
if err != nil {
panic(err)
}
// Add test options if this is a test run. This is needed only for testing purposes.
scenario.addTestOptions(&noPermsConfig)
s3Client := s3.NewFromConfig(noPermsConfig)
_, err = s3Client.ListBuckets(ctx, &s3.ListBucketsInput{})
if err != nil {
// The SDK for Go does not model the AccessDenied error, so check ErrorCode directly.
var ae smithy.APIError
if errors.As(err, &ae) {
switch ae.ErrorCode() {
case "AccessDenied":
log.Println("Got AccessDenied error, which is the expected result because\n" +
"the ListBuckets call was made without permissions.")
default:
log.Println("Expected AccessDenied, got something else.")
panic(err)
}
}
} else {
log.Println("Expected AccessDenied error when calling ListBuckets without permissions,\n" +
"but the call succeeded. Continuing the example anyway...")
}
log.Println(strings.Repeat("-", 88))
return &noPermsConfig
}
// ListBucketsWithAssumedRole performs the following actions:
//
// 1. Creates an AWS Security Token Service (AWS STS) client from the config created from
// the user's access key credentials.
// 2. Gets temporary credentials by assuming the role that grants permission to list the
// buckets.
// 3. Creates an Amazon S3 client from the temporary credentials.
// 4. Lists buckets for the account. Because the temporary credentials are generated by
// assuming the role that grants permission, the action succeeds.
func (scenario AssumeRoleScenario) ListBucketsWithAssumedRole(ctx context.Context, noPermsConfig *aws.Config, role *types.Role) {
log.Println("Let's assume the role that grants permission to list buckets and try again.")
scenario.questioner.Ask("Press Enter when you're ready.")
stsClient := sts.NewFromConfig(*noPermsConfig)
tempCredentials, err := stsClient.AssumeRole(ctx, &sts.AssumeRoleInput{
RoleArn: role.Arn,
RoleSessionName: aws.String("AssumeRoleExampleSession"),
DurationSeconds: aws.Int32(900),
})
if err != nil {
log.Printf("Couldn't assume role %v.\n", *role.RoleName)
panic(err)
}
log.Printf("Assumed role %v, got temporary credentials.\n", *role.RoleName)
assumeRoleConfig, err := config.LoadDefaultConfig(ctx,
config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
*tempCredentials.Credentials.AccessKeyId,
*tempCredentials.Credentials.SecretAccessKey,
*tempCredentials.Credentials.SessionToken),
),
)
if err != nil {
panic(err)
}
// Add test options if this is a test run. This is needed only for testing purposes.
scenario.addTestOptions(&assumeRoleConfig)
s3Client := s3.NewFromConfig(assumeRoleConfig)
result, err := s3Client.ListBuckets(ctx, &s3.ListBucketsInput{})
if err != nil {
log.Println("Couldn't list buckets with assumed role credentials.")
panic(err)
}
log.Println("Successfully called ListBuckets with assumed role credentials, \n" +
"here are some of them:")
for i := 0; i < len(result.Buckets) && i < 5; i++ {
log.Printf("\t%v\n", *result.Buckets[i].Name)
}
log.Println(strings.Repeat("-", 88))
}
// Cleanup deletes all resources created for the scenario.
func (scenario AssumeRoleScenario) Cleanup(ctx context.Context, user *types.User, role *types.Role) {
if scenario.questioner.AskBool(
"Do you want to delete the resources created for this example? (y/n)", "y",
) {
policies, err := scenario.roleWrapper.ListAttachedRolePolicies(ctx, *role.RoleName)
if err != nil {
panic(err)
}
for _, policy := range policies {
err = scenario.roleWrapper.DetachRolePolicy(ctx, *role.RoleName, *policy.PolicyArn)
if err != nil {
panic(err)
}
err = scenario.policyWrapper.DeletePolicy(ctx, *policy.PolicyArn)
if err != nil {
panic(err)
}
log.Printf("Detached policy %v from role %v and deleted the policy.\n",
*policy.PolicyName, *role.RoleName)
}
err = scenario.roleWrapper.DeleteRole(ctx, *role.RoleName)
if err != nil {
panic(err)
}
log.Printf("Deleted role %v.\n", *role.RoleName)
userPols, err := scenario.userWrapper.ListUserPolicies(ctx, *user.UserName)
if err != nil {
panic(err)
}
for _, userPol := range userPols {
err = scenario.userWrapper.DeleteUserPolicy(ctx, *user.UserName, userPol)
if err != nil {
panic(err)
}
log.Printf("Deleted policy %v from user %v.\n", userPol, *user.UserName)
}
keys, err := scenario.userWrapper.ListAccessKeys(ctx, *user.UserName)
if err != nil {
panic(err)
}
for _, key := range keys {
err = scenario.userWrapper.DeleteAccessKey(ctx, *user.UserName, *key.AccessKeyId)
if err != nil {
panic(err)
}
log.Printf("Deleted access key %v from user %v.\n", *key.AccessKeyId, *user.UserName)
}
err = scenario.userWrapper.DeleteUser(ctx, *user.UserName)
if err != nil {
panic(err)
}
log.Printf("Deleted user %v.\n", *user.UserName)
log.Println(strings.Repeat("-", 88))
}
}
// IScenarioHelper abstracts input and wait functions from a scenario so that they
// can be mocked for unit testing.
type IScenarioHelper interface {
GetName() string
Pause(secs int)
}
const rMax = 100000
type ScenarioHelper struct {
Prefix string
Random *rand.Rand
}
// GetName returns a unique name formed of a prefix and a random number.
func (helper *ScenarioHelper) GetName() string {
return fmt.Sprintf("%v%v", helper.Prefix, helper.Random.Intn(rMax))
}
// Pause waits for the specified number of seconds.
func (helper ScenarioHelper) Pause(secs int) {
time.Sleep(time.Duration(secs) * time.Second)
}
```
定義包裝帳號動作的結構。
```
import (
"context"
"log"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions
// used in the examples.
// It contains an IAM service client that is used to perform account actions.
type AccountWrapper struct {
IamClient *iam.Client
}
// GetAccountPasswordPolicy gets the account password policy for the current account.
// If no policy has been set, a NoSuchEntityException is error is returned.
func (wrapper AccountWrapper) GetAccountPasswordPolicy(ctx context.Context) (*types.PasswordPolicy, error) {
var pwPolicy *types.PasswordPolicy
result, err := wrapper.IamClient.GetAccountPasswordPolicy(ctx,
&iam.GetAccountPasswordPolicyInput{})
if err != nil {
log.Printf("Couldn't get account password policy. Here's why: %v\n", err)
} else {
pwPolicy = result.PasswordPolicy
}
return pwPolicy, err
}
// ListSAMLProviders gets the SAML providers for the account.
func (wrapper AccountWrapper) ListSAMLProviders(ctx context.Context) ([]types.SAMLProviderListEntry, error) {
var providers []types.SAMLProviderListEntry
result, err := wrapper.IamClient.ListSAMLProviders(ctx, &iam.ListSAMLProvidersInput{})
if err != nil {
log.Printf("Couldn't list SAML providers. Here's why: %v\n", err)
} else {
providers = result.SAMLProviderList
}
return providers, err
}
```
定義包裝政策動作的結構。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions
// used in the examples.
// It contains an IAM service client that is used to perform policy actions.
type PolicyWrapper struct {
IamClient *iam.Client
}
// ListPolicies gets up to maxPolicies policies.
func (wrapper PolicyWrapper) ListPolicies(ctx context.Context, maxPolicies int32) ([]types.Policy, error) {
var policies []types.Policy
result, err := wrapper.IamClient.ListPolicies(ctx, &iam.ListPoliciesInput{
MaxItems: aws.Int32(maxPolicies),
})
if err != nil {
log.Printf("Couldn't list policies. Here's why: %v\n", err)
} else {
policies = result.Policies
}
return policies, err
}
// PolicyDocument defines a policy document as a Go struct that can be serialized
// to JSON.
type PolicyDocument struct {
Version string
Statement []PolicyStatement
}
// PolicyStatement defines a statement in a policy document.
type PolicyStatement struct {
Effect string
Action []string
Principal map[string]string `json:",omitempty"`
Resource *string `json:",omitempty"`
}
// CreatePolicy creates a policy that grants a list of actions to the specified resource.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper PolicyWrapper) CreatePolicy(ctx context.Context, policyName string, actions []string,
resourceArn string) (*types.Policy, error) {
var policy *types.Policy
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(resourceArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", resourceArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreatePolicy(ctx, &iam.CreatePolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
})
if err != nil {
log.Printf("Couldn't create policy %v. Here's why: %v\n", policyName, err)
} else {
policy = result.Policy
}
return policy, err
}
// GetPolicy gets data about a policy.
func (wrapper PolicyWrapper) GetPolicy(ctx context.Context, policyArn string) (*types.Policy, error) {
var policy *types.Policy
result, err := wrapper.IamClient.GetPolicy(ctx, &iam.GetPolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't get policy %v. Here's why: %v\n", policyArn, err)
} else {
policy = result.Policy
}
return policy, err
}
// DeletePolicy deletes a policy.
func (wrapper PolicyWrapper) DeletePolicy(ctx context.Context, policyArn string) error {
_, err := wrapper.IamClient.DeletePolicy(ctx, &iam.DeletePolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't delete policy %v. Here's why: %v\n", policyArn, err)
}
return err
}
```
定義包裝角色動作的結構。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// ListRoles gets up to maxRoles roles.
func (wrapper RoleWrapper) ListRoles(ctx context.Context, maxRoles int32) ([]types.Role, error) {
var roles []types.Role
result, err := wrapper.IamClient.ListRoles(ctx,
&iam.ListRolesInput{MaxItems: aws.Int32(maxRoles)},
)
if err != nil {
log.Printf("Couldn't list roles. Here's why: %v\n", err)
} else {
roles = result.Roles
}
return roles, err
}
// CreateRole creates a role that trusts a specified user. The trusted user can assume
// the role to acquire its permissions.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper RoleWrapper) CreateRole(ctx context.Context, roleName string, trustedUserArn string) (*types.Role, error) {
var role *types.Role
trustPolicy := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Principal: map[string]string{"AWS": trustedUserArn},
Action: []string{"sts:AssumeRole"},
}},
}
policyBytes, err := json.Marshal(trustPolicy)
if err != nil {
log.Printf("Couldn't create trust policy for %v. Here's why: %v\n", trustedUserArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreateRole(ctx, &iam.CreateRoleInput{
AssumeRolePolicyDocument: aws.String(string(policyBytes)),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't create role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
// GetRole gets data about a role.
func (wrapper RoleWrapper) GetRole(ctx context.Context, roleName string) (*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.GetRole(ctx,
&iam.GetRoleInput{RoleName: aws.String(roleName)})
if err != nil {
log.Printf("Couldn't get role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
// CreateServiceLinkedRole creates a service-linked role that is owned by the specified service.
func (wrapper RoleWrapper) CreateServiceLinkedRole(ctx context.Context, serviceName string, description string) (
*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.CreateServiceLinkedRole(ctx, &iam.CreateServiceLinkedRoleInput{
AWSServiceName: aws.String(serviceName),
Description: aws.String(description),
})
if err != nil {
log.Printf("Couldn't create service-linked role %v. Here's why: %v\n", serviceName, err)
} else {
role = result.Role
}
return role, err
}
// DeleteServiceLinkedRole deletes a service-linked role.
func (wrapper RoleWrapper) DeleteServiceLinkedRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteServiceLinkedRole(ctx, &iam.DeleteServiceLinkedRoleInput{
RoleName: aws.String(roleName)},
)
if err != nil {
log.Printf("Couldn't delete service-linked role %v. Here's why: %v\n", roleName, err)
}
return err
}
// AttachRolePolicy attaches a policy to a role.
func (wrapper RoleWrapper) AttachRolePolicy(ctx context.Context, policyArn string, roleName string) error {
_, err := wrapper.IamClient.AttachRolePolicy(ctx, &iam.AttachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't attach policy %v to role %v. Here's why: %v\n", policyArn, roleName, err)
}
return err
}
// ListAttachedRolePolicies lists the policies that are attached to the specified role.
func (wrapper RoleWrapper) ListAttachedRolePolicies(ctx context.Context, roleName string) ([]types.AttachedPolicy, error) {
var policies []types.AttachedPolicy
result, err := wrapper.IamClient.ListAttachedRolePolicies(ctx, &iam.ListAttachedRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list attached policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.AttachedPolicies
}
return policies, err
}
// DetachRolePolicy detaches a policy from a role.
func (wrapper RoleWrapper) DetachRolePolicy(ctx context.Context, roleName string, policyArn string) error {
_, err := wrapper.IamClient.DetachRolePolicy(ctx, &iam.DetachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't detach policy from role %v. Here's why: %v\n", roleName, err)
}
return err
}
// ListRolePolicies lists the inline policies for a role.
func (wrapper RoleWrapper) ListRolePolicies(ctx context.Context, roleName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListRolePolicies(ctx, &iam.ListRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
// DeleteRole deletes a role. All attached policies must be detached before a
// role can be deleted.
func (wrapper RoleWrapper) DeleteRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteRole(ctx, &iam.DeleteRoleInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't delete role %v. Here's why: %v\n", roleName, err)
}
return err
}
```
定義包裝使用者動作的結構。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// ListUsers gets up to maxUsers number of users.
func (wrapper UserWrapper) ListUsers(ctx context.Context, maxUsers int32) ([]types.User, error) {
var users []types.User
result, err := wrapper.IamClient.ListUsers(ctx, &iam.ListUsersInput{
MaxItems: aws.Int32(maxUsers),
})
if err != nil {
log.Printf("Couldn't list users. Here's why: %v\n", err)
} else {
users = result.Users
}
return users, err
}
// GetUser gets data about a user.
func (wrapper UserWrapper) GetUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.GetUser(ctx, &iam.GetUserInput{
UserName: aws.String(userName),
})
if err != nil {
var apiError smithy.APIError
if errors.As(err, &apiError) {
switch apiError.(type) {
case *types.NoSuchEntityException:
log.Printf("User %v does not exist.\n", userName)
err = nil
default:
log.Printf("Couldn't get user %v. Here's why: %v\n", userName, err)
}
}
} else {
user = result.User
}
return user, err
}
// CreateUser creates a new user with the specified name.
func (wrapper UserWrapper) CreateUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.CreateUser(ctx, &iam.CreateUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
} else {
user = result.User
}
return user, err
}
// CreateUserPolicy adds an inline policy to a user. This example creates a policy that
// grants a list of actions on a specified role.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper UserWrapper) CreateUserPolicy(ctx context.Context, userName string, policyName string, actions []string,
roleArn string) error {
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(roleArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", roleArn, err)
return err
}
_, err = wrapper.IamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create policy for user %v. Here's why: %v\n", userName, err)
}
return err
}
// ListUserPolicies lists the inline policies for the specified user.
func (wrapper UserWrapper) ListUserPolicies(ctx context.Context, userName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list policies for user %v. Here's why: %v\n", userName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
// DeleteUserPolicy deletes an inline policy from a user.
func (wrapper UserWrapper) DeleteUserPolicy(ctx context.Context, userName string, policyName string) error {
_, err := wrapper.IamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete policy from user %v. Here's why: %v\n", userName, err)
}
return err
}
// DeleteUser deletes a user.
func (wrapper UserWrapper) DeleteUser(ctx context.Context, userName string) error {
_, err := wrapper.IamClient.DeleteUser(ctx, &iam.DeleteUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete user %v. Here's why: %v\n", userName, err)
}
return err
}
// CreateAccessKeyPair creates an access key for a user. The returned access key contains
// the ID and secret credentials needed to use the key.
func (wrapper UserWrapper) CreateAccessKeyPair(ctx context.Context, userName string) (*types.AccessKey, error) {
var key *types.AccessKey
result, err := wrapper.IamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
UserName: aws.String(userName)})
if err != nil {
log.Printf("Couldn't create access key pair for user %v. Here's why: %v\n", userName, err)
} else {
key = result.AccessKey
}
return key, err
}
// DeleteAccessKey deletes an access key from a user.
func (wrapper UserWrapper) DeleteAccessKey(ctx context.Context, userName string, keyId string) error {
_, err := wrapper.IamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
AccessKeyId: aws.String(keyId),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete access key %v. Here's why: %v\n", keyId, err)
}
return err
}
// ListAccessKeys lists the access keys for the specified user.
func (wrapper UserWrapper) ListAccessKeys(ctx context.Context, userName string) ([]types.AccessKeyMetadata, error) {
var keys []types.AccessKeyMetadata
result, err := wrapper.IamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list access keys for user %v. Here's why: %v\n", userName, err)
} else {
keys = result.AccessKeyMetadata
}
return keys, err
}
```
+ 如需 API 詳細資訊,請參閱《*適用於 Go 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.AttachRolePolicy)
+ [CreateAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateAccessKey)
+ [CreatePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreatePolicy)
+ [CreateRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateRole)
+ [CreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateUser)
+ [DeleteAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteAccessKey)
+ [DeletePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeletePolicy)
+ [DeleteRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteRole)
+ [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUser)
+ [DeleteUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUserPolicy)
+ [DetachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DetachRolePolicy)
+ [PutUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.PutUserPolicy)
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
建立可包裝 IAM 使用者動作的函數。
```
/*
To run this Java V2 code example, set up your development environment, including your credentials.
For information, see this documentation topic:
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
This example performs these operations:
1. Creates a user that has no permissions.
2. Creates a role and policy that grants Amazon S3 permissions.
3. Creates a role.
4. Grants the user permissions.
5. Gets temporary credentials by assuming the role. Creates an Amazon S3 Service client object with the temporary credentials.
6. Deletes the resources.
*/
public class IAMScenario {
public static final String DASHES = new String(new char[80]).replace("\0", "-");
public static final String PolicyDocument = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Action\": [" +
" \"s3:*\"" +
" ]," +
" \"Resource\": \"*\"" +
" }" +
" ]" +
"}";
public static String userArn;
public static void main(String[] args) throws Exception {
final String usage = """
Usage:
\s
Where:
username - The name of the IAM user to create.\s
policyName - The name of the policy to create.\s
roleName - The name of the role to create.\s
roleSessionName - The name of the session required for the assumeRole operation.\s
bucketName - The name of the Amazon S3 bucket from which objects are read.\s
""";
if (args.length != 5) {
System.out.println(usage);
System.exit(1);
}
String userName = args[0];
String policyName = args[1];
String roleName = args[2];
String roleSessionName = args[3];
String bucketName = args[4];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
System.out.println(DASHES);
System.out.println("Welcome to the AWS IAM example scenario.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println(" 1. Create the IAM user.");
User createUser = createIAMUser(iam, userName);
System.out.println(DASHES);
userArn = createUser.arn();
AccessKey myKey = createIAMAccessKey(iam, userName);
String accessKey = myKey.accessKeyId();
String secretKey = myKey.secretAccessKey();
String assumeRolePolicyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
" \"AWS\": \"" + userArn + "\"" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
System.out.println(assumeRolePolicyDocument);
System.out.println(userName + " was successfully created.");
System.out.println(DASHES);
System.out.println("2. Creates a policy.");
String polArn = createIAMPolicy(iam, policyName);
System.out.println("The policy " + polArn + " was successfully created.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("3. Creates a role.");
TimeUnit.SECONDS.sleep(30);
String roleArn = createIAMRole(iam, roleName, assumeRolePolicyDocument);
System.out.println(roleArn + " was successfully created.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("4. Grants the user permissions.");
attachIAMRolePolicy(iam, roleName, polArn);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("*** Wait for 30 secs so the resource is available");
TimeUnit.SECONDS.sleep(30);
System.out.println("5. Gets temporary credentials by assuming the role.");
System.out.println("Perform an Amazon S3 Service operation using the temporary credentials.");
assumeRole(roleArn, roleSessionName, bucketName, accessKey, secretKey);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("6 Getting ready to delete the AWS resources");
deleteKey(iam, userName, accessKey);
deleteRole(iam, roleName, polArn);
deleteIAMUser(iam, userName);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("This IAM Scenario has successfully completed");
System.out.println(DASHES);
}
public static AccessKey createIAMAccessKey(IamClient iam, String user) {
try {
CreateAccessKeyRequest request = CreateAccessKeyRequest.builder()
.userName(user)
.build();
CreateAccessKeyResponse response = iam.createAccessKey(request);
return response.accessKey();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return null;
}
public static User createIAMUser(IamClient iam, String username) {
try {
// Create an IamWaiter object
IamWaiter iamWaiter = iam.waiter();
CreateUserRequest request = CreateUserRequest.builder()
.userName(username)
.build();
// Wait until the user is created.
CreateUserResponse response = iam.createUser(request);
GetUserRequest userRequest = GetUserRequest.builder()
.userName(response.user().userName())
.build();
WaiterResponse waitUntilUserExists = iamWaiter.waitUntilUserExists(userRequest);
waitUntilUserExists.matched().response().ifPresent(System.out::println);
return response.user();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return null;
}
public static String createIAMRole(IamClient iam, String rolename, String json) {
try {
CreateRoleRequest request = CreateRoleRequest.builder()
.roleName(rolename)
.assumeRolePolicyDocument(json)
.description("Created using the AWS SDK for Java")
.build();
CreateRoleResponse response = iam.createRole(request);
System.out.println("The ARN of the role is " + response.role().arn());
return response.role().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
public static String createIAMPolicy(IamClient iam, String policyName) {
try {
// Create an IamWaiter object.
IamWaiter iamWaiter = iam.waiter();
CreatePolicyRequest request = CreatePolicyRequest.builder()
.policyName(policyName)
.policyDocument(PolicyDocument).build();
CreatePolicyResponse response = iam.createPolicy(request);
GetPolicyRequest polRequest = GetPolicyRequest.builder()
.policyArn(response.policy().arn())
.build();
WaiterResponse waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest);
waitUntilPolicyExists.matched().response().ifPresent(System.out::println);
return response.policy().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) {
try {
ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
.roleName(roleName)
.build();
ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request);
List attachedPolicies = response.attachedPolicies();
String polArn;
for (AttachedPolicy policy : attachedPolicies) {
polArn = policy.policyArn();
if (polArn.compareTo(policyArn) == 0) {
System.out.println(roleName + " policy is already attached to this role.");
return;
}
}
AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.attachRolePolicy(attachRequest);
System.out.println("Successfully attached policy " + policyArn + " to role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
// Invoke an Amazon S3 operation using the Assumed Role.
public static void assumeRole(String roleArn, String roleSessionName, String bucketName, String keyVal,
String keySecret) {
// Use the creds of the new IAM user that was created in this code example.
AwsBasicCredentials credentials = AwsBasicCredentials.create(keyVal, keySecret);
StsClient stsClient = StsClient.builder()
.region(Region.US_EAST_1)
.credentialsProvider(StaticCredentialsProvider.create(credentials))
.build();
try {
AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
.roleArn(roleArn)
.roleSessionName(roleSessionName)
.build();
AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
Credentials myCreds = roleResponse.credentials();
String key = myCreds.accessKeyId();
String secKey = myCreds.secretAccessKey();
String secToken = myCreds.sessionToken();
// List all objects in an Amazon S3 bucket using the temp creds retrieved by
// invoking assumeRole.
Region region = Region.US_EAST_1;
S3Client s3 = S3Client.builder()
.credentialsProvider(
StaticCredentialsProvider.create(AwsSessionCredentials.create(key, secKey, secToken)))
.region(region)
.build();
System.out.println("Created a S3Client using temp credentials.");
System.out.println("Listing objects in " + bucketName);
ListObjectsRequest listObjects = ListObjectsRequest.builder()
.bucket(bucketName)
.build();
ListObjectsResponse res = s3.listObjects(listObjects);
List objects = res.contents();
for (S3Object myValue : objects) {
System.out.println("The name of the key is " + myValue.key());
System.out.println("The owner is " + myValue.owner());
}
} catch (StsException e) {
System.err.println(e.getMessage());
System.exit(1);
}
}
public static void deleteRole(IamClient iam, String roleName, String polArn) {
try {
// First the policy needs to be detached.
DetachRolePolicyRequest rolePolicyRequest = DetachRolePolicyRequest.builder()
.policyArn(polArn)
.roleName(roleName)
.build();
iam.detachRolePolicy(rolePolicyRequest);
// Delete the policy.
DeletePolicyRequest request = DeletePolicyRequest.builder()
.policyArn(polArn)
.build();
iam.deletePolicy(request);
System.out.println("*** Successfully deleted " + polArn);
// Delete the role.
DeleteRoleRequest roleRequest = DeleteRoleRequest.builder()
.roleName(roleName)
.build();
iam.deleteRole(roleRequest);
System.out.println("*** Successfully deleted " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
public static void deleteKey(IamClient iam, String username, String accessKey) {
try {
DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder()
.accessKeyId(accessKey)
.userName(username)
.build();
iam.deleteAccessKey(request);
System.out.println("Successfully deleted access key " + accessKey +
" from user " + username);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
public static void deleteIAMUser(IamClient iam, String userName) {
try {
DeleteUserRequest request = DeleteUserRequest.builder()
.userName(userName)
.build();
iam.deleteUser(request);
System.out.println("*** Successfully deleted " + userName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱《*AWS SDK for Java 2.x API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/PutUserPolicy)
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立一個可授予許可的 IAM 使用者和角色,以列出 Amazon S3 儲存貯體。使用者只有擔任該角色的權利。擔任角色後,請使用暫時性憑證列出該帳戶的儲存貯體。
```
import {
CreateUserCommand,
GetUserCommand,
CreateAccessKeyCommand,
CreatePolicyCommand,
CreateRoleCommand,
AttachRolePolicyCommand,
DeleteAccessKeyCommand,
DeleteUserCommand,
DeleteRoleCommand,
DeletePolicyCommand,
DetachRolePolicyCommand,
IAMClient,
} from "@aws-sdk/client-iam";
import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3";
import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
import { retry } from "@aws-doc-sdk-examples/lib/utils/util-timers.js";
import { ScenarioInput } from "@aws-doc-sdk-examples/lib/scenario/index.js";
// Set the parameters.
const iamClient = new IAMClient({});
const userName = "iam_basic_test_username";
const policyName = "iam_basic_test_policy";
const roleName = "iam_basic_test_role";
/**
* Create a new IAM user. If the user already exists, give
* the option to delete and re-create it.
* @param {string} name
*/
export const createUser = async (name, confirmAll = false) => {
try {
const { User } = await iamClient.send(
new GetUserCommand({ UserName: name }),
);
const input = new ScenarioInput(
"deleteUser",
"Do you want to delete and remake this user?",
{ type: "confirm" },
);
const deleteUser = await input.handle({}, { confirmAll });
// If the user exists, and you want to delete it, delete the user
// and then create it again.
if (deleteUser) {
await iamClient.send(new DeleteUserCommand({ UserName: User.UserName }));
await iamClient.send(new CreateUserCommand({ UserName: name }));
} else {
console.warn(
`${name} already exists. The scenario may not work as expected.`,
);
return User;
}
} catch (caught) {
// If there is no user by that name, create one.
if (caught instanceof Error && caught.name === "NoSuchEntityException") {
const { User } = await iamClient.send(
new CreateUserCommand({ UserName: name }),
);
return User;
}
throw caught;
}
};
export const main = async (confirmAll = false) => {
// Create a user. The user has no permissions by default.
const User = await createUser(userName, confirmAll);
if (!User) {
throw new Error("User not created");
}
// Create an access key. This key is used to authenticate the new user to
// Amazon Simple Storage Service (Amazon S3) and AWS Security Token Service (AWS STS).
// It's not best practice to use access keys. For more information, see https://aws.amazon.com/iam/resources/best-practices/.
const createAccessKeyResponse = await iamClient.send(
new CreateAccessKeyCommand({ UserName: userName }),
);
if (
!createAccessKeyResponse.AccessKey?.AccessKeyId ||
!createAccessKeyResponse.AccessKey?.SecretAccessKey
) {
throw new Error("Access key not created");
}
const {
AccessKey: { AccessKeyId, SecretAccessKey },
} = createAccessKeyResponse;
let s3Client = new S3Client({
credentials: {
accessKeyId: AccessKeyId,
secretAccessKey: SecretAccessKey,
},
});
// Retry the list buckets operation until it succeeds. InvalidAccessKeyId is
// thrown while the user and access keys are still stabilizing.
await retry({ intervalInMs: 1000, maxRetries: 300 }, async () => {
try {
return await listBuckets(s3Client);
} catch (err) {
if (err instanceof Error && err.name === "InvalidAccessKeyId") {
throw err;
}
}
});
// Retry the create role operation until it succeeds. A MalformedPolicyDocument error
// is thrown while the user and access keys are still stabilizing.
const { Role } = await retry(
{
intervalInMs: 2000,
maxRetries: 60,
},
() =>
iamClient.send(
new CreateRoleCommand({
AssumeRolePolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Principal: {
// Allow the previously created user to assume this role.
AWS: User.Arn,
},
Action: "sts:AssumeRole",
},
],
}),
RoleName: roleName,
}),
),
);
if (!Role) {
throw new Error("Role not created");
}
// Create a policy that allows the user to list S3 buckets.
const { Policy: listBucketPolicy } = await iamClient.send(
new CreatePolicyCommand({
PolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: ["s3:ListAllMyBuckets"],
Resource: "*",
},
],
}),
PolicyName: policyName,
}),
);
if (!listBucketPolicy) {
throw new Error("Policy not created");
}
// Attach the policy granting the 's3:ListAllMyBuckets' action to the role.
await iamClient.send(
new AttachRolePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
RoleName: Role.RoleName,
}),
);
// Assume the role.
const stsClient = new STSClient({
credentials: {
accessKeyId: AccessKeyId,
secretAccessKey: SecretAccessKey,
},
});
// Retry the assume role operation until it succeeds.
const { Credentials } = await retry(
{ intervalInMs: 2000, maxRetries: 60 },
() =>
stsClient.send(
new AssumeRoleCommand({
RoleArn: Role.Arn,
RoleSessionName: `iamBasicScenarioSession-${Math.floor(
Math.random() * 1000000,
)}`,
DurationSeconds: 900,
}),
),
);
if (!Credentials?.AccessKeyId || !Credentials?.SecretAccessKey) {
throw new Error("Credentials not created");
}
s3Client = new S3Client({
credentials: {
accessKeyId: Credentials.AccessKeyId,
secretAccessKey: Credentials.SecretAccessKey,
sessionToken: Credentials.SessionToken,
},
});
// List the S3 buckets again.
// Retry the list buckets operation until it succeeds. AccessDenied might
// be thrown while the role policy is still stabilizing.
await retry({ intervalInMs: 2000, maxRetries: 120 }, () =>
listBuckets(s3Client),
);
// Clean up.
await iamClient.send(
new DetachRolePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
RoleName: Role.RoleName,
}),
);
await iamClient.send(
new DeletePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
}),
);
await iamClient.send(
new DeleteRoleCommand({
RoleName: Role.RoleName,
}),
);
await iamClient.send(
new DeleteAccessKeyCommand({
UserName: userName,
AccessKeyId,
}),
);
await iamClient.send(
new DeleteUserCommand({
UserName: userName,
}),
);
};
/**
*
* @param {S3Client} s3Client
*/
const listBuckets = async (s3Client) => {
const { Buckets } = await s3Client.send(new ListBucketsCommand({}));
if (!Buckets) {
throw new Error("Buckets not listed");
}
console.log(Buckets.map((bucket) => bucket.Name).join("\n"));
};
```
+ 如需 API 詳細資訊,請參閱《*適用於 JavaScript 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/AttachRolePolicyCommand)
+ [CreateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccessKeyCommand)
+ [CreatePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreatePolicyCommand)
+ [CreateRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateRoleCommand)
+ [CreateUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateUserCommand)
+ [DeleteAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccessKeyCommand)
+ [DeletePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeletePolicyCommand)
+ [DeleteRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRoleCommand)
+ [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserCommand)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserPolicyCommand)
+ [DetachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DetachRolePolicyCommand)
+ [PutUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/PutUserPolicyCommand)
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
建立可包裝 IAM 使用者動作的函數。
```
suspend fun main(args: Array) {
val usage = """
Usage:
Where:
username - The name of the IAM user to create.
policyName - The name of the policy to create.
roleName - The name of the role to create.
roleSessionName - The name of the session required for the assumeRole operation.
fileLocation - The file location to the JSON required to create the role (see Readme).
bucketName - The name of the Amazon S3 bucket from which objects are read.
"""
if (args.size != 6) {
println(usage)
exitProcess(1)
}
val userName = args[0]
val policyName = args[1]
val roleName = args[2]
val roleSessionName = args[3]
val fileLocation = args[4]
val bucketName = args[5]
createUser(userName)
println("$userName was successfully created.")
val polArn = createPolicy(policyName)
println("The policy $polArn was successfully created.")
val roleArn = createRole(roleName, fileLocation)
println("$roleArn was successfully created.")
attachRolePolicy(roleName, polArn)
println("*** Wait for 1 MIN so the resource is available.")
delay(60000)
assumeGivenRole(roleArn, roleSessionName, bucketName)
println("*** Getting ready to delete the AWS resources.")
deleteRole(roleName, polArn)
deleteUser(userName)
println("This IAM Scenario has successfully completed.")
}
suspend fun createUser(usernameVal: String?): String? {
val request =
CreateUserRequest {
userName = usernameVal
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createUser(request)
return response.user?.userName
}
}
suspend fun createPolicy(policyNameVal: String?): String {
val policyDocumentValue = """
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*"
}
]
}
""".trimIndent()
val request =
CreatePolicyRequest {
policyName = policyNameVal
policyDocument = policyDocumentValue
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createPolicy(request)
return response.policy?.arn.toString()
}
}
suspend fun createRole(
rolenameVal: String?,
fileLocation: String?,
): String? {
val jsonObject = fileLocation?.let { readJsonSimpleDemo(it) } as JSONObject
val request =
CreateRoleRequest {
roleName = rolenameVal
assumeRolePolicyDocument = jsonObject.toJSONString()
description = "Created using the AWS SDK for Kotlin"
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createRole(request)
return response.role?.arn
}
}
suspend fun attachRolePolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
ListAttachedRolePoliciesRequest {
roleName = roleNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAttachedRolePolicies(request)
val attachedPolicies = response.attachedPolicies
// Ensure that the policy is not attached to this role.
val checkStatus: Int
if (attachedPolicies != null) {
checkStatus = checkMyList(attachedPolicies, policyArnVal)
if (checkStatus == -1) {
return
}
}
val policyRequest =
AttachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
iamClient.attachRolePolicy(policyRequest)
println("Successfully attached policy $policyArnVal to role $roleNameVal")
}
}
fun checkMyList(
attachedPolicies: List,
policyArnVal: String,
): Int {
for (policy in attachedPolicies) {
val polArn = policy.policyArn.toString()
if (polArn.compareTo(policyArnVal) == 0) {
println("The policy is already attached to this role.")
return -1
}
}
return 0
}
suspend fun assumeGivenRole(
roleArnVal: String?,
roleSessionNameVal: String?,
bucketName: String,
) {
val stsClient = StsClient.fromEnvironment { region = "us-east-1" }
val roleRequest =
AssumeRoleRequest {
roleArn = roleArnVal
roleSessionName = roleSessionNameVal
}
val roleResponse = stsClient.assumeRole(roleRequest)
val myCreds = roleResponse.credentials
val key = myCreds?.accessKeyId
val secKey = myCreds?.secretAccessKey
val secToken = myCreds?.sessionToken
val staticCredentials = StaticCredentialsProvider {
accessKeyId = key
secretAccessKey = secKey
sessionToken = secToken
}
// List all objects in an Amazon S3 bucket using the temp creds.
val s3 = S3Client.fromEnvironment {
region = "us-east-1"
credentialsProvider = staticCredentials
}
println("Created a S3Client using temp credentials.")
println("Listing objects in $bucketName")
val listObjects =
ListObjectsRequest {
bucket = bucketName
}
val response = s3.listObjects(listObjects)
response.contents?.forEach { myObject ->
println("The name of the key is ${myObject.key}")
println("The owner is ${myObject.owner}")
}
}
suspend fun deleteRole(
roleNameVal: String,
polArn: String,
) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
// First the policy needs to be detached.
val rolePolicyRequest =
DetachRolePolicyRequest {
policyArn = polArn
roleName = roleNameVal
}
iam.detachRolePolicy(rolePolicyRequest)
// Delete the policy.
val request =
DeletePolicyRequest {
policyArn = polArn
}
iam.deletePolicy(request)
println("*** Successfully deleted $polArn")
// Delete the role.
val roleRequest =
DeleteRoleRequest {
roleName = roleNameVal
}
iam.deleteRole(roleRequest)
println("*** Successfully deleted $roleNameVal")
}
suspend fun deleteUser(userNameVal: String) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
val request =
DeleteUserRequest {
userName = userNameVal
}
iam.deleteUser(request)
println("*** Successfully deleted $userNameVal")
}
@Throws(java.lang.Exception::class)
fun readJsonSimpleDemo(filename: String): Any? {
val reader = FileReader(filename)
val jsonParser = JSONParser()
return jsonParser.parse(reader)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的下列主題。
+ [AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [PutUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
namespace Iam\Basics;
require 'vendor/autoload.php';
use Aws\Credentials\Credentials;
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;
use Iam\IAMService;
echo("\n");
echo("--------------------------------------\n");
print("Welcome to the IAM getting started demo using PHP!\n");
echo("--------------------------------------\n");
$uuid = uniqid();
$service = new IAMService();
$user = $service->createUser("iam_demo_user_$uuid");
echo "Created user with the arn: {$user['Arn']}\n";
$key = $service->createAccessKey($user['UserName']);
$assumeRolePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{$user['Arn']}\"},
\"Action\": \"sts:AssumeRole\"
}]
}";
$assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument);
echo "Created role: {$assumeRoleRole['RoleName']}\n";
$listAllBucketsPolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}";
$listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument);
echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n";
$service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);
$inlinePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"{$assumeRoleRole['Arn']}\"}]
}";
$inlinePolicy = $service->createUserPolicy("iam_demo_inline_policy_$uuid", $inlinePolicyDocument, $user['UserName']);
//First, fail to list the buckets with the user
$credentials = new Credentials($key['AccessKeyId'], $key['SecretAccessKey']);
$s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]);
try {
$s3Client->listBuckets([
]);
echo "this should not run";
} catch (S3Exception $exception) {
echo "successfully failed!\n";
}
$stsClient = new StsClient(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]);
sleep(10);
$assumedRole = $stsClient->assumeRole([
'RoleArn' => $assumeRoleRole['Arn'],
'RoleSessionName' => "DemoAssumeRoleSession_$uuid",
]);
$assumedCredentials = [
'key' => $assumedRole['Credentials']['AccessKeyId'],
'secret' => $assumedRole['Credentials']['SecretAccessKey'],
'token' => $assumedRole['Credentials']['SessionToken'],
];
$s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $assumedCredentials]);
try {
$s3Client->listBuckets([]);
echo "this should now run!\n";
} catch (S3Exception $exception) {
echo "this should now not fail\n";
}
$service->detachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);
$deletePolicy = $service->deletePolicy($listAllBucketsPolicy['Arn']);
echo "Delete policy: {$listAllBucketsPolicy['PolicyName']}\n";
$deletedRole = $service->deleteRole($assumeRoleRole['Arn']);
echo "Deleted role: {$assumeRoleRole['RoleName']}\n";
$deletedKey = $service->deleteAccessKey($key['AccessKeyId'], $user['UserName']);
$deletedUser = $service->deleteUser($user['UserName']);
echo "Delete user: {$user['UserName']}\n";
```
+ 如需 API 詳細資訊,請參閱《*適用於 PHP 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Python ]
**SDK for Python (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
建立一個可授予許可的 IAM 使用者和角色,以列出 Amazon S3 儲存貯體。使用者只有擔任該角色的權利。擔任角色後,請使用暫時性憑證列出該帳戶的儲存貯體。
```
import json
import sys
import time
from uuid import uuid4
import boto3
from botocore.exceptions import ClientError
def progress_bar(seconds):
"""Shows a simple progress bar in the command window."""
for _ in range(seconds):
time.sleep(1)
print(".", end="")
sys.stdout.flush()
print()
def setup(iam_resource):
"""
Creates a new user with no permissions.
Creates an access key pair for the user.
Creates a role with a policy that lets the user assume the role.
Creates a policy that allows listing Amazon S3 buckets.
Attaches the policy to the role.
Creates an inline policy for the user that lets the user assume the role.
:param iam_resource: A Boto3 AWS Identity and Access Management (IAM) resource
that has permissions to create users, roles, and policies
in the account.
:return: The newly created user, user key, and role.
"""
try:
user = iam_resource.create_user(UserName=f"demo-user-{uuid4()}")
print(f"Created user {user.name}.")
except ClientError as error:
print(
f"Couldn't create a user for the demo. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
user_key = user.create_access_key_pair()
print(f"Created access key pair for user.")
except ClientError as error:
print(
f"Couldn't create access keys for user {user.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
print(f"Wait for user to be ready.", end="")
progress_bar(10)
try:
role = iam_resource.create_role(
RoleName=f"demo-role-{uuid4()}",
AssumeRolePolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": user.arn},
"Action": "sts:AssumeRole",
}
],
}
),
)
print(f"Created role {role.name}.")
except ClientError as error:
print(
f"Couldn't create a role for the demo. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
policy = iam_resource.create_policy(
PolicyName=f"demo-policy-{uuid4()}",
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
}
],
}
),
)
role.attach_policy(PolicyArn=policy.arn)
print(f"Created policy {policy.policy_name} and attached it to the role.")
except ClientError as error:
print(
f"Couldn't create a policy and attach it to role {role.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
user.create_policy(
PolicyName=f"demo-user-policy-{uuid4()}",
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": role.arn,
}
],
}
),
)
print(
f"Created an inline policy for {user.name} that lets the user assume "
f"the role."
)
except ClientError as error:
print(
f"Couldn't create an inline policy for user {user.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
print("Give AWS time to propagate these new resources and connections.", end="")
progress_bar(10)
return user, user_key, role
def show_access_denied_without_role(user_key):
"""
Shows that listing buckets without first assuming the role is not allowed.
:param user_key: The key of the user created during setup. This user does not
have permission to list buckets in the account.
"""
print(f"Try to list buckets without first assuming the role.")
s3_denied_resource = boto3.resource(
"s3", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try:
for bucket in s3_denied_resource.buckets.all():
print(bucket.name)
raise RuntimeError("Expected to get AccessDenied error when listing buckets!")
except ClientError as error:
if error.response["Error"]["Code"] == "AccessDenied":
print("Attempt to list buckets with no permissions: AccessDenied.")
else:
raise
def list_buckets_from_assumed_role(user_key, assume_role_arn, session_name):
"""
Assumes a role that grants permission to list the Amazon S3 buckets in the account.
Uses the temporary credentials from the role to list the buckets that are owned
by the assumed role's account.
:param user_key: The access key of a user that has permission to assume the role.
:param assume_role_arn: The Amazon Resource Name (ARN) of the role that
grants access to list the other account's buckets.
:param session_name: The name of the STS session.
"""
sts_client = boto3.client(
"sts", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try:
response = sts_client.assume_role(
RoleArn=assume_role_arn, RoleSessionName=session_name
)
temp_credentials = response["Credentials"]
print(f"Assumed role {assume_role_arn} and got temporary credentials.")
except ClientError as error:
print(
f"Couldn't assume role {assume_role_arn}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
# Create an S3 resource that can access the account with the temporary credentials.
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Listing buckets for the assumed role's account:")
try:
for bucket in s3_resource.buckets.all():
print(bucket.name)
except ClientError as error:
print(
f"Couldn't list buckets for the account. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
def teardown(user, role):
"""
Removes all resources created during setup.
:param user: The demo user.
:param role: The demo role.
"""
try:
for attached in role.attached_policies.all():
policy_name = attached.policy_name
role.detach_policy(PolicyArn=attached.arn)
attached.delete()
print(f"Detached and deleted {policy_name}.")
role.delete()
print(f"Deleted {role.name}.")
except ClientError as error:
print(
"Couldn't detach policy, delete policy, or delete role. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
for user_pol in user.policies.all():
user_pol.delete()
print("Deleted inline user policy.")
for key in user.access_keys.all():
key.delete()
print("Deleted user's access key.")
user.delete()
print(f"Deleted {user.name}.")
except ClientError as error:
print(
"Couldn't delete user policy or delete user. Here's why: "
f"{error.response['Error']['Message']}"
)
def usage_demo():
"""Drives the demonstration."""
print("-" * 88)
print(f"Welcome to the IAM create user and assume role demo.")
print("-" * 88)
iam_resource = boto3.resource("iam")
user = None
role = None
try:
user, user_key, role = setup(iam_resource)
print(f"Created {user.name} and {role.name}.")
show_access_denied_without_role(user_key)
list_buckets_from_assumed_role(user_key, role.arn, "AssumeRoleDemoSession")
except Exception:
print("Something went wrong!")
finally:
if user is not None and role is not None:
teardown(user, role)
print("Thanks for watching!")
if __name__ == "__main__":
usage_demo()
```
+ 如需 API 的詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/PutUserPolicy)
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
建立一個可授予許可的 IAM 使用者和角色,以列出 Amazon S3 儲存貯體。使用者只有擔任該角色的權利。擔任角色後,請使用暫時性憑證列出該帳戶的儲存貯體。
```
# Wraps the scenario actions.
class ScenarioCreateUserAssumeRole
attr_reader :iam_client
# @param [Aws::IAM::Client] iam_client: The AWS IAM client.
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Waits for the specified number of seconds.
#
# @param duration [Integer] The number of seconds to wait.
def wait(duration)
puts('Give AWS time to propagate resources...')
sleep(duration)
end
# Creates a user.
#
# @param user_name [String] The name to give the user.
# @return [Aws::IAM::User] The newly created user.
def create_user(user_name)
user = @iam_client.create_user(user_name: user_name).user
@logger.info("Created demo user named #{user.user_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info('Tried and failed to create demo user.')
@logger.info("\t#{e.code}: #{e.message}")
@logger.info("\nCan't continue the demo without a user!")
raise
else
user
end
# Creates an access key for a user.
#
# @param user [Aws::IAM::User] The user that owns the key.
# @return [Aws::IAM::AccessKeyPair] The newly created access key.
def create_access_key_pair(user)
user_key = @iam_client.create_access_key(user_name: user.user_name).access_key
@logger.info("Created accesskey pair for user #{user.user_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create access keys for user #{user.user_name}.")
@logger.info("\t#{e.code}: #{e.message}")
raise
else
user_key
end
# Creates a role that can be assumed by a user.
#
# @param role_name [String] The name to give the role.
# @param user [Aws::IAM::User] The user who is granted permission to assume the role.
# @return [Aws::IAM::Role] The newly created role.
def create_role(role_name, user)
trust_policy = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Principal: { 'AWS': user.arn },
Action: 'sts:AssumeRole'
}]
}.to_json
role = @iam_client.create_role(
role_name: role_name,
assume_role_policy_document: trust_policy
).role
@logger.info("Created role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create a role for the demo. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
else
role
end
# Creates a policy that grants permission to list S3 buckets in the account, and
# then attaches the policy to a role.
#
# @param policy_name [String] The name to give the policy.
# @param role [Aws::IAM::Role] The role that the policy is attached to.
# @return [Aws::IAM::Policy] The newly created policy.
def create_and_attach_role_policy(policy_name, role)
policy_document = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Action: 's3:ListAllMyBuckets',
Resource: 'arn:aws:s3:::*'
}]
}.to_json
policy = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document
).policy
@iam_client.attach_role_policy(
role_name: role.role_name,
policy_arn: policy.arn
)
@logger.info("Created policy #{policy.policy_name} and attached it to role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create a policy and attach it to role #{role.role_name}. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Creates an inline policy for a user that lets the user assume a role.
#
# @param policy_name [String] The name to give the policy.
# @param user [Aws::IAM::User] The user that owns the policy.
# @param role [Aws::IAM::Role] The role that can be assumed.
# @return [Aws::IAM::UserPolicy] The newly created policy.
def create_user_policy(policy_name, user, role)
policy_document = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Action: 'sts:AssumeRole',
Resource: role.arn
}]
}.to_json
@iam_client.put_user_policy(
user_name: user.user_name,
policy_name: policy_name,
policy_document: policy_document
)
puts("Created an inline policy for #{user.user_name} that lets the user assume role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create an inline policy for user #{user.user_name}. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Creates an Amazon S3 resource with specified credentials. This is separated into a
# factory function so that it can be mocked for unit testing.
#
# @param credentials [Aws::Credentials] The credentials used by the Amazon S3 resource.
def create_s3_resource(credentials)
Aws::S3::Resource.new(client: Aws::S3::Client.new(credentials: credentials))
end
# Lists the S3 buckets for the account, using the specified Amazon S3 resource.
# Because the resource uses credentials with limited access, it may not be able to
# list the S3 buckets.
#
# @param s3_resource [Aws::S3::Resource] An Amazon S3 resource.
def list_buckets(s3_resource)
count = 10
s3_resource.buckets.each do |bucket|
@logger.info "\t#{bucket.name}"
count -= 1
break if count.zero?
end
rescue Aws::Errors::ServiceError => e
if e.code == 'AccessDenied'
puts('Attempt to list buckets with no permissions: AccessDenied.')
else
@logger.info("Couldn't list buckets for the account. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
end
# Creates an AWS Security Token Service (AWS STS) client with specified credentials.
# This is separated into a factory function so that it can be mocked for unit testing.
#
# @param key_id [String] The ID of the access key used by the STS client.
# @param key_secret [String] The secret part of the access key used by the STS client.
def create_sts_client(key_id, key_secret)
Aws::STS::Client.new(access_key_id: key_id, secret_access_key: key_secret)
end
# Gets temporary credentials that can be used to assume a role.
#
# @param role_arn [String] The ARN of the role that is assumed when these credentials
# are used.
# @param sts_client [AWS::STS::Client] An AWS STS client.
# @return [Aws::AssumeRoleCredentials] The credentials that can be used to assume the role.
def assume_role(role_arn, sts_client)
credentials = Aws::AssumeRoleCredentials.new(
client: sts_client,
role_arn: role_arn,
role_session_name: 'create-use-assume-role-scenario'
)
@logger.info("Assumed role '#{role_arn}', got temporary credentials.")
credentials
end
# Deletes a role. If the role has policies attached, they are detached and
# deleted before the role is deleted.
#
# @param role_name [String] The name of the role to delete.
def delete_role(role_name)
@iam_client.list_attached_role_policies(role_name: role_name).attached_policies.each do |policy|
@iam_client.detach_role_policy(role_name: role_name, policy_arn: policy.policy_arn)
@iam_client.delete_policy(policy_arn: policy.policy_arn)
@logger.info("Detached and deleted policy #{policy.policy_name}.")
end
@iam_client.delete_role({ role_name: role_name })
@logger.info("Role deleted: #{role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't detach policies and delete role #{role.name}. Here's why:")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Deletes a user. If the user has inline policies or access keys, they are deleted
# before the user is deleted.
#
# @param user [Aws::IAM::User] The user to delete.
def delete_user(user_name)
user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata
user.each do |key|
@iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name })
@logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.")
end
@iam_client.delete_user(user_name: user_name)
@logger.info("Deleted user '#{user_name}'.")
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting user '#{user_name}': #{e.message}")
end
end
# Runs the IAM create a user and assume a role scenario.
def run_scenario(scenario)
puts('-' * 88)
puts('Welcome to the IAM create a user and assume a role demo!')
puts('-' * 88)
user = scenario.create_user("doc-example-user-#{Random.uuid}")
user_key = scenario.create_access_key_pair(user)
scenario.wait(10)
role = scenario.create_role("doc-example-role-#{Random.uuid}", user)
scenario.create_and_attach_role_policy("doc-example-role-policy-#{Random.uuid}", role)
scenario.create_user_policy("doc-example-user-policy-#{Random.uuid}", user, role)
scenario.wait(10)
puts('Try to list buckets with credentials for a user who has no permissions.')
puts('Expect AccessDenied from this call.')
scenario.list_buckets(
scenario.create_s3_resource(Aws::Credentials.new(user_key.access_key_id, user_key.secret_access_key))
)
puts('Now, assume the role that grants permission.')
temp_credentials = scenario.assume_role(
role.arn, scenario.create_sts_client(user_key.access_key_id, user_key.secret_access_key)
)
puts('Here are your buckets:')
scenario.list_buckets(scenario.create_s3_resource(temp_credentials))
puts("Deleting role '#{role.role_name}' and attached policies.")
scenario.delete_role(role.role_name)
puts("Deleting user '#{user.user_name}', policies, and keys.")
scenario.delete_user(user.user_name)
puts('Thanks for watching!')
puts('-' * 88)
rescue Aws::Errors::ServiceError => e
puts('Something went wrong with the demo.')
puts("\t#{e.code}: #{e.message}")
end
run_scenario(ScenarioCreateUserAssumeRole.new(Aws::IAM::Client.new)) if $PROGRAM_NAME == __FILE__
```
+ 如需 API 詳細資訊,請參閱《*適用於 Ruby 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
use aws_config::meta::region::RegionProviderChain;
use aws_sdk_iam::Error as iamError;
use aws_sdk_iam::{config::Credentials as iamCredentials, config::Region, Client as iamClient};
use aws_sdk_s3::Client as s3Client;
use aws_sdk_sts::Client as stsClient;
use tokio::time::{sleep, Duration};
use uuid::Uuid;
#[tokio::main]
async fn main() -> Result<(), iamError> {
let (client, uuid, list_all_buckets_policy_document, inline_policy_document) =
initialize_variables().await;
if let Err(e) = run_iam_operations(
client,
uuid,
list_all_buckets_policy_document,
inline_policy_document,
)
.await
{
println!("{:?}", e);
};
Ok(())
}
async fn initialize_variables() -> (iamClient, String, String, String) {
let region_provider = RegionProviderChain::first_try(Region::new("us-west-2"));
let shared_config = aws_config::from_env().region(region_provider).load().await;
let client = iamClient::new(&shared_config);
let uuid = Uuid::new_v4().to_string();
let list_all_buckets_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}"
.to_string();
let inline_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"{}\"}]
}"
.to_string();
(
client,
uuid,
list_all_buckets_policy_document,
inline_policy_document,
)
}
async fn run_iam_operations(
client: iamClient,
uuid: String,
list_all_buckets_policy_document: String,
inline_policy_document: String,
) -> Result<(), iamError> {
let user = iam_service::create_user(&client, &format!("{}{}", "iam_demo_user_", uuid)).await?;
println!("Created the user with the name: {}", user.user_name());
let key = iam_service::create_access_key(&client, user.user_name()).await?;
let assume_role_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{}\"},
\"Action\": \"sts:AssumeRole\"
}]
}"
.to_string()
.replace("{}", user.arn());
let assume_role_role = iam_service::create_role(
&client,
&format!("{}{}", "iam_demo_role_", uuid),
&assume_role_policy_document,
)
.await?;
println!("Created the role with the ARN: {}", assume_role_role.arn());
let list_all_buckets_policy = iam_service::create_policy(
&client,
&format!("{}{}", "iam_demo_policy_", uuid),
&list_all_buckets_policy_document,
)
.await?;
println!(
"Created policy: {}",
list_all_buckets_policy.policy_name.as_ref().unwrap()
);
let attach_role_policy_result =
iam_service::attach_role_policy(&client, &assume_role_role, &list_all_buckets_policy)
.await?;
println!(
"Attached the policy to the role: {:?}",
attach_role_policy_result
);
let inline_policy_name = format!("{}{}", "iam_demo_inline_policy_", uuid);
let inline_policy_document = inline_policy_document.replace("{}", assume_role_role.arn());
iam_service::create_user_policy(&client, &user, &inline_policy_name, &inline_policy_document)
.await?;
println!("Created inline policy.");
//First, fail to list the buckets with the user.
let creds = iamCredentials::from_keys(key.access_key_id(), key.secret_access_key(), None);
let fail_config = aws_config::from_env()
.credentials_provider(creds.clone())
.load()
.await;
println!("Fail config: {:?}", fail_config);
let fail_client: s3Client = s3Client::new(&fail_config);
match fail_client.list_buckets().send().await {
Ok(e) => {
println!("This should not run. {:?}", e);
}
Err(e) => {
println!("Successfully failed with error: {:?}", e)
}
}
let sts_config = aws_config::from_env()
.credentials_provider(creds.clone())
.load()
.await;
let sts_client: stsClient = stsClient::new(&sts_config);
sleep(Duration::from_secs(10)).await;
let assumed_role = sts_client
.assume_role()
.role_arn(assume_role_role.arn())
.role_session_name(format!("iam_demo_assumerole_session_{uuid}"))
.send()
.await;
println!("Assumed role: {:?}", assumed_role);
sleep(Duration::from_secs(10)).await;
let assumed_credentials = iamCredentials::from_keys(
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.access_key_id(),
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.secret_access_key(),
Some(
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.session_token
.clone(),
),
);
let succeed_config = aws_config::from_env()
.credentials_provider(assumed_credentials)
.load()
.await;
println!("succeed config: {:?}", succeed_config);
let succeed_client: s3Client = s3Client::new(&succeed_config);
sleep(Duration::from_secs(10)).await;
match succeed_client.list_buckets().send().await {
Ok(_) => {
println!("This should now run successfully.")
}
Err(e) => {
println!("This should not run. {:?}", e);
panic!()
}
}
//Clean up.
iam_service::detach_role_policy(
&client,
assume_role_role.role_name(),
list_all_buckets_policy.arn().unwrap_or_default(),
)
.await?;
iam_service::delete_policy(&client, list_all_buckets_policy).await?;
iam_service::delete_role(&client, &assume_role_role).await?;
println!("Deleted role {}", assume_role_role.role_name());
iam_service::delete_access_key(&client, &user, &key).await?;
println!("Deleted key for {}", key.user_name());
iam_service::delete_user_policy(&client, &user, &inline_policy_name).await?;
println!("Deleted inline user policy: {}", inline_policy_name);
iam_service::delete_user(&client, &user).await?;
println!("Deleted user {}", user.user_name());
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的下列主題。
+ [AttachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_role_policy)
+ [CreateAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_access_key)
+ [CreatePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_policy)
+ [CreateRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_role)
+ [CreateUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_user)
+ [DeleteAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_access_key)
+ [DeletePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_policy)
+ [DeleteRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_role)
+ [DeleteUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user)
+ [DeleteUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user_policy)
+ [DetachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_role_policy)
+ [PutUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.put_user_policy)
------
# 使用 IAM 角色為在 Amazon EC2 執行個體上執行的應用程式授予許可
在 Amazon EC2 執行個體上執行的應用程式必須在 AWS API 請求中包含 AWS 登入資料。您可以讓您的開發人員直接將 AWS 登入資料存放在 Amazon EC2 執行個體中,並允許該執行個體中的應用程式使用這些登入資料。不過,開發人員將必須管理憑證,並確實將憑證安全地傳遞給每個執行個體,並在需要更新憑證時更新每個 Amazon EC2 執行個體。這是許多額外的工作。
與其這麼做,您可以 (也應該) 使用 IAM 角色來管理 Amazon EC2 執行個體上所執行應用程式的*臨時*憑證。使用角色時,您不必將長期憑證 (例如登入憑證或存取金鑰) 分發給 Amazon EC2 執行個體。相反地,該角色會提供暫時許可,供應用程式在呼叫其他 AWS 資源時使用。啟動 Amazon EC2 執行個體時,指定要與執行個體相關聯的 IAM 角色。然後,在執行個體上執行的應用程式可以使用角色提供的暫時憑證來簽署 API 請求。
如要透過角色為 Amazon EC2 執行個體上執行的應用程式授予許可,需搭配一些額外的組態。在 Amazon EC2 執行個體上執行的應用程式是由 AWS 虛擬化作業系統從 抽象化。由於此額外區隔,您需要額外的步驟,才能將 AWS 角色及其相關許可指派給 Amazon EC2 執行個體,並將其提供給其應用程式。此額外步驟是建立連接到執行個體的*[執行個體設定檔](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)*。執行個體描述檔包含角色,可以將角色的臨時憑證提供給在執行個體上執行的應用程式。然後,可以在應用程式的 API 呼叫中使用這些臨時憑證來存取資源,並限制僅存取角色指定的那些資源。
**注意**
一次只能指派一個角色給 Amazon EC2 執行個體,執行個體上的所有應用程式會共用相同的角色和許可。當您利用 Amazon ECS 來管理 Amazon EC2 執行個體時,您可以向 Amazon ECS 任務指派角色,這些角色和執行 Amazon EC2 執行個體所使用的角色有所區別。為每項任務指派一個角色的做法符合最低權限存取原則,並且允許對動作和資源進行更精細的控制。
如需詳細資訊,請參閱《Amazon Elastic Container Service 最佳實務指南》**中的[對 Amazon ECS 任務使用 IAM 角色](https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-iam-roles.html)。
以這種方式使用角色有幾個好處。由於角色憑證是臨時的並且是自動更新的,因此您不需要管理憑證,也不必擔心長期的安全風險。此外,如果對多個執行個體使用單一角色,則可以對該角色進行變更,並將變更自動傳播到所有執行個體。
**注意**
雖然在啟動角色時通常就會將角色指派給 Amazon EC2 執行個體,但角色也可以與目前執行的 Amazon EC2 執行個體連接。若要了解如何將角色連接到正在執行的執行個體,請參閱 [Amazon EC2 的 IAM 角色](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role)。
**Topics**
+ [適用於 Amazon EC2 執行個體的角色如何運作?](#roles-usingrole-ec2instance-roles)
+ [使用 Amazon EC2 角色所需的許可](#roles-usingrole-ec2instance-permissions)
+ [我該如何開始?](#roles-usingrole-ec2instance-get-started)
+ [相關資訊](#roles-usingrole-ec2instance-related-info)
## 適用於 Amazon EC2 執行個體的角色如何運作?
下圖中,開發人員在 Amazon EC2 執行個體上執行應用程式,該應用程式需要存取名為 `amzn-s3-demo-bucket-photos` 的 S3 儲存貯體。管理員建立 `Get-pics` 服務角色,並將角色連接到 Amazon EC2 執行個體。該角色包括許可政策,該政策授予對指定的 S3 儲存貯體的唯讀存取許可。角色還包含信任政策,該政策可允許 Amazon EC2 執行個體擔任角色並擷取臨時憑證。當應用程式在執行個體上執行時,它可以使用角色的臨時憑證來存取照片儲存貯體。管理員不必授予開發人員存取照片儲存貯體的許可,開發人員也不必共用或管理憑證。
![\[存取 AWS 資源的 Amazon EC2 執行個體上的應用程式\]](http://docs.aws.amazon.com/zh_tw/IAM/latest/UserGuide/images/roles-usingrole-ec2roleinstance.png)
1. 管理員使用 IAM 建立 **Get-pics** 角色。在角色的信任政策中,管理員指定只有 Amazon EC2 執行個體可以擔任該角色。在角色的許可政策中,管理員為 `amzn-s3-demo-bucket-photos` 儲存貯體指定唯讀許可。
1. 開發人員啟動 Amazon EC2 執行個體,並將 `Get-pics` 角色指派給該執行個體。
**注意**
如果您使用 IAM 主控台,則會為您管理執行個體描述檔,並且對您來說幾乎是透明的。不過,如果您使用 AWS CLI 或 API 來建立和管理角色和 Amazon EC2 執行個體,則必須建立執行個體描述檔,並將角色指派為個別步驟。然後,當您啟動執行個體時,必須指定執行個體設定檔名稱,而不是角色名稱。
1. 應用程式執行時,會從 Amazon EC2 [執行個體中繼資料](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)中取得暫時安全憑證,如[從執行個體中繼資料中擷取安全憑證](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials)中所述。這些是代表角色的[暫時安全憑證](id_credentials_temp.md),並且在有限的時間段內有效。
透過一些 [AWS 開發套件](https://aws.amazon.com/tools/),開發人員可以使用透明地管理暫時安全憑證的提供者。( AWS SDKs的文件說明該 SDK 支援用於管理登入資料的功能。)
或者,應用程式可以直接從 Amazon EC2 執行個體的執行個體中繼資料中取得臨時憑證。您可以從中繼資料的 `iam/security-credentials/role-name` 類別 (在本例中為 `iam/security-credentials/Get-pics`) 中取得憑證和相關的值。如果應用程式從執行個體中繼資料取得憑證,則可以快取憑證。
1. 使用擷取到的臨時憑證,應用程式存取照片儲存貯體。基於連接至 **Get-pics** 角色的政策,應用程式具有唯讀許可。
在執行個體上提供的臨時安全憑證在到期之前會自動更新,以便有效設定為永久可用。應用程式只需要確保在目前中繼資料到期之前,它從執行個體中繼資料中取得一組新的憑證。您可以使用 AWS SDK 來管理登入資料,因此應用程式不需要包含額外的邏輯來重新整理登入資料。例如,使用執行個體描述檔憑證提供者建立用戶端。不過,如果應用程式從執行個體中繼資料取得臨時安全憑證並快取它們,則應每小時或在目前設定過期之前至少 15 分鐘取得重新整理的憑證集。過期時間包含在 `iam/security-credentials/role-name` 類別中所傳回的資訊。
## 使用 Amazon EC2 角色所需的許可
若要使用角色啟動執行個體,開發人員必須具有啟動 Amazon EC2 執行個體的許可,以及傳遞 IAM 角色的許可。
下列範例政策允許使用者使用 AWS 管理主控台 來啟動具有 角色的執行個體。此政策包含萬用字元 (`*`),以允許使用者傳遞任何角色,並執行列出的 Amazon EC2 動作。`ListInstanceProfiles` 動作讓使用者查看 AWS 帳戶中可用的所有角色。
**Example 範例政策,授予使用者使用 Amazon EC2 主控台啟動具有任何角色的執行個體的許可**
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "IamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Sid": "ListEc2AndListInstanceProfiles",
"Effect": "Allow",
"Action": [
"iam:ListInstanceProfiles",
"ec2:Describe*",
"ec2:Search*",
"ec2:Get*"
],
"Resource": "*"
}
]
}
```
### 限制哪些角色可以傳遞給 Amazon EC2 執行個體 (使用 PassRole)
您可以使用 `PassRole` 許可,限制使用者在啟動執行個體時可以將哪個角色傳遞給 Amazon EC2 執行個體。這有助於防止使用者執行具有比授予使用者更多許可的應用程式,也就是說,能夠獲得更高的許可。例如,假設使用者 Alice 只擁有啟動 Amazon EC2 執行個體以及使用 Amazon S3 儲存貯體的許可,但她傳遞給 Amazon EC2 執行個體的角色具有使用 IAM 和 Amazon DynamoDB 的許可。在這種情況下,Alice 或許可以啟動執行個體、登入執行個體、取得暫時安全憑證,然後執行她未授權的 IAM 或 DynamoDB 動作。
若要限制使用者可以將哪些角色傳遞給 Amazon EC2 執行個體,則要建立允許 `PassRole` 動作的政策。然後,您需要將政策連接到預計啟動 Amazon EC2 執行個體的使用者 (或使用者所屬的 IAM 群組)。在政策的 `Resource` 元素中,您需列出允許使用者傳遞給 Amazon EC2 執行個體的角色。當使用者啟動執行個體並將角色與其關聯時,Amazon EC2 檢查是否允許使用者傳送該角色。當然,您也應當確保使用者可以傳遞的角色不包含比使用者應具有的許可更多的許可。
**注意**
`PassRole` 不是與`RunInstances` 或 `ListInstanceProfiles` 相同的 API 動作。反之,它是一種許可,每當角色 ARN 做為參數傳遞至 API 時 (或主控台會代表使用者執行此操作),就會進行 AWS 檢查。它可協助管理員控制哪些使用者可以傳遞哪些角色。在這種情況下,它確保允許使用者將特定角色連接到 Amazon EC2 執行個體。
**Example 此範例政策授予使用者許可,使其可以啟動具有特定角色的 Amazon EC2 執行個體**
以下範例政策可允許使用者使用 Amazon EC2 API 來啟動具有角色的執行個體。`Resource` 元素指定角色的 Amazon Resource Name (ARN)。透過指定 ARN,政策授予使用者僅傳遞 `Get-pics` 角色的許可。如果使用者在啟動執行個體時嘗試指定不同的角色,則動作會失敗。使用者沒有執行任何執行個體的許可,無論其是否有傳遞角色。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::111122223333:role/Get-pics"
}
]
}
```
### 允許執行個體設定檔角色切換到另一個帳戶中的角色
您可以允許在 Amazon EC2 執行個體上執行的應用程式在另一個帳戶中執行命令。若要執行此操作,您必須允許將第一個帳戶中的 Amazon EC2 執行個體角色切換到第二個帳戶中的角色。
假設您使用兩個 , AWS 帳戶 而且您想要允許在 Amazon EC2 執行個體上執行的應用程式在兩個帳戶中執行[AWS CLI](https://aws.amazon.com/cli/)命令。假設 Amazon EC2 執行個體存在於帳戶 `111111111111`。該執行個體包含 `abcd` 執行個體描述檔角色,該角色會允許應用程式在相同 `111111111111` 帳戶中對 `amzn-s3-demo-bucket1` 儲存貯體執行唯讀 Amazon S3 任務。不過,也必須允許應用程式擔任 `efgh` 跨帳戶角色來在帳戶 `222222222222` 中存取 `amzn-s3-demo-bucket2`Amazon S3 儲存貯體。
![\[此圖表顯示開發人員如何啟動具有該角色的 Amazon EC2 執行個體,以存取 Amazon S3 儲存貯體中的相片。\]](http://docs.aws.amazon.com/zh_tw/IAM/latest/UserGuide/images/roles-instance-profile-cross-account.png)
`abcd` Amazon EC2 執行個體設定檔角色必須具有以下許可政策,以允許應用程式存取 `amzn-s3-demo-bucket1` Amazon S3 儲存貯體:
***帳戶 111111111111 `abcd` 角色許可政策***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket1/*",
"arn:aws:s3:::amzn-s3-demo-bucket1"
]
},
{
"Sid": "AllowIPToAssumeCrossAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::222222222222:role/efgh"
}
]
}
```
------
`abcd` 角色必須信任 Amazon EC2 服務擔任該角色。若要執行此操作,`abcd` 角色必須有以下信任政策:
***帳戶 111111111111 `abcd` 角色信任政策***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "abcdTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"Service": "ec2.amazonaws.com"}
}
]
}
```
------
假設 `efgh` 跨帳戶角色允許在相同 `222222222222` 帳戶中對 `amzn-s3-demo-bucket2` 儲存貯體的唯讀 Amazon S3 任務。若要執行此操作,`efgh` 跨帳戶角色必須有以下許可政策:
***帳戶 222222222222 `efgh` 角色許可政策***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket2/*",
"arn:aws:s3:::amzn-s3-demo-bucket2"
]
}
]
}
```
------
`efgh` 角色必須信任 `abcd` 執行個體設定檔角色擔任該角色。若要執行此操作,`efgh` 角色必須有以下信任政策:
***帳戶 222222222222 `efgh` 角色信任政策***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "efghTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"AWS": "arn:aws:iam::111111111111:role/abcd"}
}
]
}
```
------
## 我該如何開始?
若要了解角色如何使用 Amazon EC2 執行個體,您需要使用 IAM 主控台建立角色,啟動使用該角色的 Amazon EC2 執行個體,然後檢查正在執行的執行個體。您可以檢查[執行個體中繼資料](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)以查看角色的暫時憑證如何可用於執行個體。您還可以查看在執行個體上執行的應用程式如何使用該角色。使用以下資源以進一步了解。
+ [「在 Amazon EC2 執行個體上使用 IAM 角色」教學課程](https://www.youtube.com/watch?v=TlCuOjviOhk)。連結的影片會說明如何將 IAM 角色與 Amazon EC2 執行個體一起使用,以控制應用程式在執行個體上執行時可以執行的操作。影片顯示應用程式 (在 AWS SDK 中撰寫) 如何透過 角色取得臨時安全登入資料。
+ SDK 演練。軟體 AWS 開發套件文件包含逐步解說,顯示在 Amazon EC2 執行個體上執行的應用程式,該執行個體使用角色的臨時登入資料來讀取 Amazon S3 儲存貯體。以下每個演練都使用不同的程式設計語言提供類似的步驟:
+ 《適用於 Java 的 AWS SDK 開發人員指南》**中的[使用 SDK for Java 設定 Amazon EC2 的 IAM 角色](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/java-dg-roles.html)
+ *《適用於 .NET 的 AWS SDK 開發人員指南》*中的[使用適用於 .NET 的開發套件啟動 Amazon EC2 執行個體](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/run-instance.html)
+ 《適用於 Ruby 的 AWS SDK 開發人員指南》**中的[使用 SDK for Ruby 建立 Amazon EC2 執行個體](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/ec2-example-create-instance.html)
## 相關資訊
如需建立角色或為 Amazon EC2 執行個體建立角色的詳細資訊,請參閱以下資訊:
+ 如需有關[搭配 Amazon EC2 執行個體使用 IAM 角色](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) 的詳細資訊,請前往《Amazon EC2 使用者指南》**。
+ 若要建立角色,請參閱 [IAM 角色建立](id_roles_create.md)
+ 如需有關使用暫時安全憑證的詳細資訊,請參閱 [IAM 中的暫時安全憑證](id_credentials_temp.md)。
+ 如果使用 IAM API 或 CLI,則必須建立和管理 IAM 執行個體描述檔。如需有關執行個體設定檔的詳細資訊,請參閱 [使用執行個體設定檔](id_roles_use_switch-role-ec2_instance-profiles.md)。
+ 如需有關執行個體中繼資料中角色之臨時安全憑證的詳細資訊,請參閱《Amazon EC2 使用者指南》**中的 [Retrieving Security Credentials from Instance Metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials)。
# 使用執行個體設定檔
使用執行個體描述檔將 IAM 角色傳遞給 EC2 執行個體。如需詳細資訊,請參閱 *Amazon EC2 User Guide* 中的 [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)。
## 管理執行個體設定檔 (主控台)
如果您使用 AWS 管理主控台 為 Amazon EC2 建立角色,主控台會自動建立執行個體描述檔,並為其提供與該角色相同的名稱。然後,當您使用 Amazon EC2 主控台啟動具有 IAM 角色的執行個體時,可以選擇要與執行個體關聯的角色。在主控台中,顯示的清單實際上是執行個體設定檔名稱的清單。主控台不會為與 Amazon EC2 無關的角色建立執行個體描述檔。
如果角色和執行個體描述檔具有相同的名稱,您可以使用 AWS 管理主控台 刪除 Amazon EC2 的 IAM 角色和執行個體描述檔。若要進一步了解刪除執行個體描述檔,請參閱 [刪除角色或執行個體設定檔](id_roles_manage_delete.md)。
**注意**
若要更新執行個體的許可,請取代其執行個體設定檔。不建議從執行個體設定檔中移除角色,因為最多需要延遲一小時,此變更才生效。
## 管理執行個體描述檔 (AWS CLI 或 AWS API)
如果您從 AWS CLI 或 AWS API 管理您的角色,您可以將角色和執行個體描述檔建立為個別動作。由於角色和執行個體描述檔可以有不同的名稱,因此您必須知道執行個體描述檔的名稱以及它們包含的角色的名稱。這樣,您可以在啟動 EC2 執行個體時選擇正確的執行個體描述檔。
您可以將標籤連接至 IAM 資源 (包括執行個體描述檔),以識別、整理和控制其存取。您只能在使用 AWS CLI 或 AWS API 時標記執行個體描述檔。
**注意**
執行個體描述檔只能包含一個 IAM 角色,但角色可以包含在多個執行個體描述檔中。每個執行個體設定檔的一個角色的限制無法增加。您可以移除現有角色,然後將不同角色新增到執行個體描述檔。然後 AWS ,由於[最終一致性](https://en.wikipedia.org/wiki/Eventual_consistency),您必須等待變更出現在所有 中。若要強制變更,必須[取消關聯執行個體描述檔](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html),然後[關聯執行個體描述檔](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html),或者可以停止執行個體,然後重新啟動它。
### 管理執行個體設定檔 (AWS CLI)
您可以使用下列 AWS CLI 命令來使用 帳戶中的 AWS 執行個體描述檔。
+ 建立執行個體描述檔: [https://docs.aws.amazon.com/cli/latest/reference/iam/create-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/create-instance-profile.html)
+ 標記執行個體描述檔:[https://docs.aws.amazon.com/cli/latest/reference/iam/tag-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/tag-instance-profile.html)
+ 列出執行個體描述檔的標籤:[https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profile-tags.html](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profile-tags.html)
+ 取消標記執行個體描述檔:[https://docs.aws.amazon.com/cli/latest/reference/iam/untag-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/untag-instance-profile.html)
+ 將角色新增至執行個體描述檔: [https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html)
+ 列出執行個體描述檔: [https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles.html](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles.html), [https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles-for-role.html](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles-for-role.html)
+ 取得有關執行個體描述檔的資訊: [https://docs.aws.amazon.com/cli/latest/reference/iam/get-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/get-instance-profile.html)
+ 從執行個體描述檔中移除角色: [https://docs.aws.amazon.com/cli/latest/reference/iam/remove-role-from-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/remove-role-from-instance-profile.html)
+ 刪除執行個體描述檔: [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-instance-profile.html)
您還可以使用以下命令將角色連接到已在執行的 EC2 執行個體。如需詳細資訊,請參閱 [Amazon EC2 的 IAM 角色](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role)。
+ 將具有角色的執行個體描述檔連接至已停止或正在執行的 EC2 執行個體: [https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html)
+ 取得有關連接至 EC2 執行個體的執行個體描述檔的資訊: [https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-iam-instance-profile-associations.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-iam-instance-profile-associations.html)
+ 使用已停止或正在執行的 EC2 執行個體中的角色分開執行個體描述檔:[https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html)
### 管理執行個體描述檔 (AWS API)
您可以呼叫下列 AWS API 操作,以在 中使用執行個體描述檔 AWS 帳戶。
+ 建立執行個體描述檔: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateInstanceProfile.html)
+ 標記執行個體描述檔:[https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html)
+ 列出執行個體描述檔的標籤:[https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html)
+ 取消標記執行個體描述檔:[https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html)
+ 將角色新增至執行個體描述檔: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html)
+ 列出執行個體描述檔: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfiles.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfiles.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfilesForRole.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfilesForRole.html)
+ 取得有關執行個體描述檔的資訊: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetInstanceProfile.html)
+ 從執行個體描述檔中移除角色: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveRoleFromInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveRoleFromInstanceProfile.html)
+ 刪除執行個體描述檔: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteInstanceProfile.html)
您還可以呼叫以下操作將角色連接到已在執行的 EC2 執行個體。如需詳細資訊,請參閱 [Amazon EC2 的 IAM 角色](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role)。
+ 將具有角色的執行個體描述檔連接至已停止或正在執行的 EC2 執行個體: [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html)
+ 取得有關連接至 EC2 執行個體的執行個體描述檔的資訊: [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIamInstanceProfileAssociations.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIamInstanceProfileAssociations.html)
+ 使用已停止或正在執行的 EC2 執行個體中的角色分開執行個體描述檔:[https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html)