本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 AWS SDKs IAM 程式碼範例
下列程式碼範例示範如何搭配 AWS 軟體開發套件 (SDK) 使用 IAM。
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
**Contents**
+ [IAM](service_code_examples_iam.md)
+ [基本概念](service_code_examples_iam_basics.md)
+ [Hello IAM](iam_example_iam_Hello_section.md)
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [動作](service_code_examples_iam_actions.md)
+ [`AddClientIdToOpenIdConnectProvider`](iam_example_iam_AddClientIdToOpenIdConnectProvider_section.md)
+ [`AddRoleToInstanceProfile`](iam_example_iam_AddRoleToInstanceProfile_section.md)
+ [`AddUserToGroup`](iam_example_iam_AddUserToGroup_section.md)
+ [`AttachGroupPolicy`](iam_example_iam_AttachGroupPolicy_section.md)
+ [`AttachRolePolicy`](iam_example_iam_AttachRolePolicy_section.md)
+ [`AttachUserPolicy`](iam_example_iam_AttachUserPolicy_section.md)
+ [`ChangePassword`](iam_example_iam_ChangePassword_section.md)
+ [`CreateAccessKey`](iam_example_iam_CreateAccessKey_section.md)
+ [`CreateAccountAlias`](iam_example_iam_CreateAccountAlias_section.md)
+ [`CreateGroup`](iam_example_iam_CreateGroup_section.md)
+ [`CreateInstanceProfile`](iam_example_iam_CreateInstanceProfile_section.md)
+ [`CreateLoginProfile`](iam_example_iam_CreateLoginProfile_section.md)
+ [`CreateOpenIdConnectProvider`](iam_example_iam_CreateOpenIdConnectProvider_section.md)
+ [`CreatePolicy`](iam_example_iam_CreatePolicy_section.md)
+ [`CreatePolicyVersion`](iam_example_iam_CreatePolicyVersion_section.md)
+ [`CreateRole`](iam_example_iam_CreateRole_section.md)
+ [`CreateSAMLProvider`](iam_example_iam_CreateSAMLProvider_section.md)
+ [`CreateServiceLinkedRole`](iam_example_iam_CreateServiceLinkedRole_section.md)
+ [`CreateUser`](iam_example_iam_CreateUser_section.md)
+ [`CreateVirtualMfaDevice`](iam_example_iam_CreateVirtualMfaDevice_section.md)
+ [`DeactivateMfaDevice`](iam_example_iam_DeactivateMfaDevice_section.md)
+ [`DeleteAccessKey`](iam_example_iam_DeleteAccessKey_section.md)
+ [`DeleteAccountAlias`](iam_example_iam_DeleteAccountAlias_section.md)
+ [`DeleteAccountPasswordPolicy`](iam_example_iam_DeleteAccountPasswordPolicy_section.md)
+ [`DeleteGroup`](iam_example_iam_DeleteGroup_section.md)
+ [`DeleteGroupPolicy`](iam_example_iam_DeleteGroupPolicy_section.md)
+ [`DeleteInstanceProfile`](iam_example_iam_DeleteInstanceProfile_section.md)
+ [`DeleteLoginProfile`](iam_example_iam_DeleteLoginProfile_section.md)
+ [`DeleteOpenIdConnectProvider`](iam_example_iam_DeleteOpenIdConnectProvider_section.md)
+ [`DeletePolicy`](iam_example_iam_DeletePolicy_section.md)
+ [`DeletePolicyVersion`](iam_example_iam_DeletePolicyVersion_section.md)
+ [`DeleteRole`](iam_example_iam_DeleteRole_section.md)
+ [`DeleteRolePermissionsBoundary`](iam_example_iam_DeleteRolePermissionsBoundary_section.md)
+ [`DeleteRolePolicy`](iam_example_iam_DeleteRolePolicy_section.md)
+ [`DeleteSAMLProvider`](iam_example_iam_DeleteSAMLProvider_section.md)
+ [`DeleteServerCertificate`](iam_example_iam_DeleteServerCertificate_section.md)
+ [`DeleteServiceLinkedRole`](iam_example_iam_DeleteServiceLinkedRole_section.md)
+ [`DeleteSigningCertificate`](iam_example_iam_DeleteSigningCertificate_section.md)
+ [`DeleteUser`](iam_example_iam_DeleteUser_section.md)
+ [`DeleteUserPermissionsBoundary`](iam_example_iam_DeleteUserPermissionsBoundary_section.md)
+ [`DeleteUserPolicy`](iam_example_iam_DeleteUserPolicy_section.md)
+ [`DeleteVirtualMfaDevice`](iam_example_iam_DeleteVirtualMfaDevice_section.md)
+ [`DetachGroupPolicy`](iam_example_iam_DetachGroupPolicy_section.md)
+ [`DetachRolePolicy`](iam_example_iam_DetachRolePolicy_section.md)
+ [`DetachUserPolicy`](iam_example_iam_DetachUserPolicy_section.md)
+ [`EnableMfaDevice`](iam_example_iam_EnableMfaDevice_section.md)
+ [`GenerateCredentialReport`](iam_example_iam_GenerateCredentialReport_section.md)
+ [`GenerateServiceLastAccessedDetails`](iam_example_iam_GenerateServiceLastAccessedDetails_section.md)
+ [`GetAccessKeyLastUsed`](iam_example_iam_GetAccessKeyLastUsed_section.md)
+ [`GetAccountAuthorizationDetails`](iam_example_iam_GetAccountAuthorizationDetails_section.md)
+ [`GetAccountPasswordPolicy`](iam_example_iam_GetAccountPasswordPolicy_section.md)
+ [`GetAccountSummary`](iam_example_iam_GetAccountSummary_section.md)
+ [`GetContextKeysForCustomPolicy`](iam_example_iam_GetContextKeysForCustomPolicy_section.md)
+ [`GetContextKeysForPrincipalPolicy`](iam_example_iam_GetContextKeysForPrincipalPolicy_section.md)
+ [`GetCredentialReport`](iam_example_iam_GetCredentialReport_section.md)
+ [`GetGroup`](iam_example_iam_GetGroup_section.md)
+ [`GetGroupPolicy`](iam_example_iam_GetGroupPolicy_section.md)
+ [`GetInstanceProfile`](iam_example_iam_GetInstanceProfile_section.md)
+ [`GetLoginProfile`](iam_example_iam_GetLoginProfile_section.md)
+ [`GetOpenIdConnectProvider`](iam_example_iam_GetOpenIdConnectProvider_section.md)
+ [`GetPolicy`](iam_example_iam_GetPolicy_section.md)
+ [`GetPolicyVersion`](iam_example_iam_GetPolicyVersion_section.md)
+ [`GetRole`](iam_example_iam_GetRole_section.md)
+ [`GetRolePolicy`](iam_example_iam_GetRolePolicy_section.md)
+ [`GetSamlProvider`](iam_example_iam_GetSamlProvider_section.md)
+ [`GetServerCertificate`](iam_example_iam_GetServerCertificate_section.md)
+ [`GetServiceLastAccessedDetails`](iam_example_iam_GetServiceLastAccessedDetails_section.md)
+ [`GetServiceLastAccessedDetailsWithEntities`](iam_example_iam_GetServiceLastAccessedDetailsWithEntities_section.md)
+ [`GetServiceLinkedRoleDeletionStatus`](iam_example_iam_GetServiceLinkedRoleDeletionStatus_section.md)
+ [`GetUser`](iam_example_iam_GetUser_section.md)
+ [`GetUserPolicy`](iam_example_iam_GetUserPolicy_section.md)
+ [`ListAccessKeys`](iam_example_iam_ListAccessKeys_section.md)
+ [`ListAccountAliases`](iam_example_iam_ListAccountAliases_section.md)
+ [`ListAttachedGroupPolicies`](iam_example_iam_ListAttachedGroupPolicies_section.md)
+ [`ListAttachedRolePolicies`](iam_example_iam_ListAttachedRolePolicies_section.md)
+ [`ListAttachedUserPolicies`](iam_example_iam_ListAttachedUserPolicies_section.md)
+ [`ListEntitiesForPolicy`](iam_example_iam_ListEntitiesForPolicy_section.md)
+ [`ListGroupPolicies`](iam_example_iam_ListGroupPolicies_section.md)
+ [`ListGroups`](iam_example_iam_ListGroups_section.md)
+ [`ListGroupsForUser`](iam_example_iam_ListGroupsForUser_section.md)
+ [`ListInstanceProfiles`](iam_example_iam_ListInstanceProfiles_section.md)
+ [`ListInstanceProfilesForRole`](iam_example_iam_ListInstanceProfilesForRole_section.md)
+ [`ListMfaDevices`](iam_example_iam_ListMfaDevices_section.md)
+ [`ListOpenIdConnectProviders`](iam_example_iam_ListOpenIdConnectProviders_section.md)
+ [`ListPolicies`](iam_example_iam_ListPolicies_section.md)
+ [`ListPolicyVersions`](iam_example_iam_ListPolicyVersions_section.md)
+ [`ListRolePolicies`](iam_example_iam_ListRolePolicies_section.md)
+ [`ListRoleTags`](iam_example_iam_ListRoleTags_section.md)
+ [`ListRoles`](iam_example_iam_ListRoles_section.md)
+ [`ListSAMLProviders`](iam_example_iam_ListSAMLProviders_section.md)
+ [`ListServerCertificates`](iam_example_iam_ListServerCertificates_section.md)
+ [`ListSigningCertificates`](iam_example_iam_ListSigningCertificates_section.md)
+ [`ListUserPolicies`](iam_example_iam_ListUserPolicies_section.md)
+ [`ListUserTags`](iam_example_iam_ListUserTags_section.md)
+ [`ListUsers`](iam_example_iam_ListUsers_section.md)
+ [`ListVirtualMfaDevices`](iam_example_iam_ListVirtualMfaDevices_section.md)
+ [`PutGroupPolicy`](iam_example_iam_PutGroupPolicy_section.md)
+ [`PutRolePermissionsBoundary`](iam_example_iam_PutRolePermissionsBoundary_section.md)
+ [`PutRolePolicy`](iam_example_iam_PutRolePolicy_section.md)
+ [`PutUserPermissionsBoundary`](iam_example_iam_PutUserPermissionsBoundary_section.md)
+ [`PutUserPolicy`](iam_example_iam_PutUserPolicy_section.md)
+ [`RemoveClientIdFromOpenIdConnectProvider`](iam_example_iam_RemoveClientIdFromOpenIdConnectProvider_section.md)
+ [`RemoveRoleFromInstanceProfile`](iam_example_iam_RemoveRoleFromInstanceProfile_section.md)
+ [`RemoveUserFromGroup`](iam_example_iam_RemoveUserFromGroup_section.md)
+ [`ResyncMfaDevice`](iam_example_iam_ResyncMfaDevice_section.md)
+ [`SetDefaultPolicyVersion`](iam_example_iam_SetDefaultPolicyVersion_section.md)
+ [`TagRole`](iam_example_iam_TagRole_section.md)
+ [`TagUser`](iam_example_iam_TagUser_section.md)
+ [`UntagRole`](iam_example_iam_UntagRole_section.md)
+ [`UntagUser`](iam_example_iam_UntagUser_section.md)
+ [`UpdateAccessKey`](iam_example_iam_UpdateAccessKey_section.md)
+ [`UpdateAccountPasswordPolicy`](iam_example_iam_UpdateAccountPasswordPolicy_section.md)
+ [`UpdateAssumeRolePolicy`](iam_example_iam_UpdateAssumeRolePolicy_section.md)
+ [`UpdateGroup`](iam_example_iam_UpdateGroup_section.md)
+ [`UpdateLoginProfile`](iam_example_iam_UpdateLoginProfile_section.md)
+ [`UpdateOpenIdConnectProviderThumbprint`](iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md)
+ [`UpdateRole`](iam_example_iam_UpdateRole_section.md)
+ [`UpdateRoleDescription`](iam_example_iam_UpdateRoleDescription_section.md)
+ [`UpdateSamlProvider`](iam_example_iam_UpdateSamlProvider_section.md)
+ [`UpdateServerCertificate`](iam_example_iam_UpdateServerCertificate_section.md)
+ [`UpdateSigningCertificate`](iam_example_iam_UpdateSigningCertificate_section.md)
+ [`UpdateUser`](iam_example_iam_UpdateUser_section.md)
+ [`UploadServerCertificate`](iam_example_iam_UploadServerCertificate_section.md)
+ [`UploadSigningCertificate`](iam_example_iam_UploadSigningCertificate_section.md)
+ [案例](service_code_examples_iam_scenarios.md)
+ [建置及管理彈性服務](iam_example_cross_ResilientService_section.md)
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [使用 Lambda 代理整合建立 REST API](iam_example_api_gateway_GettingStarted_087_section.md)
+ [為 Fargate 啟動類型建立 Amazon ECS Linux 任務](iam_example_ecs_GettingStarted_086_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](iam_example_cloudwatch_GettingStarted_031_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [建立您的第一個 Lambda 函數](iam_example_lambda_GettingStarted_019_section.md)
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [管理角色](iam_example_iam_Scenario_RoleManagement_section.md)
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](iam_example_secrets_manager_GettingStarted_073_section.md)
+ [許可政策允許 AWS Compute Optimizer 自動化套用建議的動作](iam_example_iam-policies.AWSMettleDocs.latest.userguide.managed-policies.xml.10_section.md)
+ [在整個組織中啟用自動化的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.2_section.md)
+ [為您的帳戶啟用自動化的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.1_section.md)
+ [授予組織管理帳戶 Compute Optimizer Automation 完整存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.5_section.md)
+ [授予獨立 AWS 帳戶 Compute Optimizer Automation 完整存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.3_section.md)
+ [授予組織管理帳戶 Compute Optimizer Automation 唯讀存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.6_section.md)
+ [授予獨立 AWS 帳戶 Compute Optimizer Automation 唯讀存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.4_section.md)
+ [授予運算最佳化自動化服務連結角色許可的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.slr-automation.xml.1_section.md)
+ [復原政策版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
+ [設定屬性型存取控制](iam_example_dynamodb_Scenario_ABACSetup_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [在 CloudWatch 儀表板中使用屬性變數來監控多個 Lambda 函數](iam_example_iam_GettingStarted_032_section.md)
+ [使用串流和存留時間](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md)
+ [使用 IAM 政策產生器 API](iam_example_iam_Scenario_IamPolicyBuilder_section.md)
+ [AWS STS](service_code_examples_sts.md)
+ [基本概念](service_code_examples_sts_basics.md)
+ [動作](service_code_examples_sts_actions.md)
+ [`AssumeRole`](sts_example_sts_AssumeRole_section.md)
+ [`AssumeRoleWithWebIdentity`](sts_example_sts_AssumeRoleWithWebIdentity_section.md)
+ [`DecodeAuthorizationMessage`](sts_example_sts_DecodeAuthorizationMessage_section.md)
+ [`GetFederationToken`](sts_example_sts_GetFederationToken_section.md)
+ [`GetSessionToken`](sts_example_sts_GetSessionToken_section.md)
+ [案例](service_code_examples_sts_scenarios.md)
+ [擔任需要 MFA 字符的 IAM 角色](sts_example_sts_Scenario_AssumeRoleMfa_section.md)
+ [設定 Amazon ECS Service Connect](sts_example_ecs_ServiceConnect_085_section.md)
+ [為聯合身分使用者建構 URL](sts_example_sts_Scenario_ConstructFederatedUrl_section.md)
+ [使用 Lambda 代理整合建立 REST API](sts_example_api_gateway_GettingStarted_087_section.md)
+ [為 Fargate 啟動類型建立 Amazon ECS Linux 任務](sts_example_ecs_GettingStarted_086_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](sts_example_cloudwatch_GettingStarted_031_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](sts_example_ecs_GettingStarted_018_section.md)
+ [建立 Amazon Managed Grafana 工作區](sts_example_iam_GettingStarted_044_section.md)
+ [獲取需要 MFA 字符的工作階段字符](sts_example_sts_Scenario_SessionTokenMfa_section.md)
+ [Amazon ECR 入門](sts_example_ecr_GettingStarted_078_section.md)
+ [Amazon EKS 入門](sts_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](sts_example_ec2_GettingStarted_057_section.md)
+ [Amazon OpenSearch Service 入門](sts_example_opensearch_GettingStarted_016_section.md)
+ [Amazon SageMaker Feature Store 入門](sts_example_iam_GettingStarted_028_section.md)
+ [Config 入門](sts_example_config_service_GettingStarted_053_section.md)
+ [終端使用者傳訊推送入門](sts_example_pinpoint_GettingStarted_049_section.md)
+ [IoT Core 入門](sts_example_iot_GettingStarted_063_section.md)
+ [WAF 入門](sts_example_wafv2_GettingStarted_052_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](sts_example_secrets_manager_GettingStarted_073_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](sts_example_iam_GettingStarted_069_section.md)
+ [設定 Systems Manager](sts_example_iam_GettingStarted_046_section.md)
# 使用 AWS SDKs IAM 程式碼範例
下列程式碼範例示範如何搭配 AWS 軟體開發套件 (SDK) 使用 IAM。
*基本概念*是程式碼範例,這些範例說明如何在服務內執行基本操作。
*Actions* 是大型程式的程式碼摘錄,必須在內容中執行。雖然動作會告訴您如何呼叫個別服務函數,但您可以在其相關情境中查看內容中的動作。
*案例*是向您展示如何呼叫服務中的多個函數或與其他 AWS 服務組合來完成特定任務的程式碼範例。
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
**Contents**
+ [基本概念](service_code_examples_iam_basics.md)
+ [Hello IAM](iam_example_iam_Hello_section.md)
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [動作](service_code_examples_iam_actions.md)
+ [`AddClientIdToOpenIdConnectProvider`](iam_example_iam_AddClientIdToOpenIdConnectProvider_section.md)
+ [`AddRoleToInstanceProfile`](iam_example_iam_AddRoleToInstanceProfile_section.md)
+ [`AddUserToGroup`](iam_example_iam_AddUserToGroup_section.md)
+ [`AttachGroupPolicy`](iam_example_iam_AttachGroupPolicy_section.md)
+ [`AttachRolePolicy`](iam_example_iam_AttachRolePolicy_section.md)
+ [`AttachUserPolicy`](iam_example_iam_AttachUserPolicy_section.md)
+ [`ChangePassword`](iam_example_iam_ChangePassword_section.md)
+ [`CreateAccessKey`](iam_example_iam_CreateAccessKey_section.md)
+ [`CreateAccountAlias`](iam_example_iam_CreateAccountAlias_section.md)
+ [`CreateGroup`](iam_example_iam_CreateGroup_section.md)
+ [`CreateInstanceProfile`](iam_example_iam_CreateInstanceProfile_section.md)
+ [`CreateLoginProfile`](iam_example_iam_CreateLoginProfile_section.md)
+ [`CreateOpenIdConnectProvider`](iam_example_iam_CreateOpenIdConnectProvider_section.md)
+ [`CreatePolicy`](iam_example_iam_CreatePolicy_section.md)
+ [`CreatePolicyVersion`](iam_example_iam_CreatePolicyVersion_section.md)
+ [`CreateRole`](iam_example_iam_CreateRole_section.md)
+ [`CreateSAMLProvider`](iam_example_iam_CreateSAMLProvider_section.md)
+ [`CreateServiceLinkedRole`](iam_example_iam_CreateServiceLinkedRole_section.md)
+ [`CreateUser`](iam_example_iam_CreateUser_section.md)
+ [`CreateVirtualMfaDevice`](iam_example_iam_CreateVirtualMfaDevice_section.md)
+ [`DeactivateMfaDevice`](iam_example_iam_DeactivateMfaDevice_section.md)
+ [`DeleteAccessKey`](iam_example_iam_DeleteAccessKey_section.md)
+ [`DeleteAccountAlias`](iam_example_iam_DeleteAccountAlias_section.md)
+ [`DeleteAccountPasswordPolicy`](iam_example_iam_DeleteAccountPasswordPolicy_section.md)
+ [`DeleteGroup`](iam_example_iam_DeleteGroup_section.md)
+ [`DeleteGroupPolicy`](iam_example_iam_DeleteGroupPolicy_section.md)
+ [`DeleteInstanceProfile`](iam_example_iam_DeleteInstanceProfile_section.md)
+ [`DeleteLoginProfile`](iam_example_iam_DeleteLoginProfile_section.md)
+ [`DeleteOpenIdConnectProvider`](iam_example_iam_DeleteOpenIdConnectProvider_section.md)
+ [`DeletePolicy`](iam_example_iam_DeletePolicy_section.md)
+ [`DeletePolicyVersion`](iam_example_iam_DeletePolicyVersion_section.md)
+ [`DeleteRole`](iam_example_iam_DeleteRole_section.md)
+ [`DeleteRolePermissionsBoundary`](iam_example_iam_DeleteRolePermissionsBoundary_section.md)
+ [`DeleteRolePolicy`](iam_example_iam_DeleteRolePolicy_section.md)
+ [`DeleteSAMLProvider`](iam_example_iam_DeleteSAMLProvider_section.md)
+ [`DeleteServerCertificate`](iam_example_iam_DeleteServerCertificate_section.md)
+ [`DeleteServiceLinkedRole`](iam_example_iam_DeleteServiceLinkedRole_section.md)
+ [`DeleteSigningCertificate`](iam_example_iam_DeleteSigningCertificate_section.md)
+ [`DeleteUser`](iam_example_iam_DeleteUser_section.md)
+ [`DeleteUserPermissionsBoundary`](iam_example_iam_DeleteUserPermissionsBoundary_section.md)
+ [`DeleteUserPolicy`](iam_example_iam_DeleteUserPolicy_section.md)
+ [`DeleteVirtualMfaDevice`](iam_example_iam_DeleteVirtualMfaDevice_section.md)
+ [`DetachGroupPolicy`](iam_example_iam_DetachGroupPolicy_section.md)
+ [`DetachRolePolicy`](iam_example_iam_DetachRolePolicy_section.md)
+ [`DetachUserPolicy`](iam_example_iam_DetachUserPolicy_section.md)
+ [`EnableMfaDevice`](iam_example_iam_EnableMfaDevice_section.md)
+ [`GenerateCredentialReport`](iam_example_iam_GenerateCredentialReport_section.md)
+ [`GenerateServiceLastAccessedDetails`](iam_example_iam_GenerateServiceLastAccessedDetails_section.md)
+ [`GetAccessKeyLastUsed`](iam_example_iam_GetAccessKeyLastUsed_section.md)
+ [`GetAccountAuthorizationDetails`](iam_example_iam_GetAccountAuthorizationDetails_section.md)
+ [`GetAccountPasswordPolicy`](iam_example_iam_GetAccountPasswordPolicy_section.md)
+ [`GetAccountSummary`](iam_example_iam_GetAccountSummary_section.md)
+ [`GetContextKeysForCustomPolicy`](iam_example_iam_GetContextKeysForCustomPolicy_section.md)
+ [`GetContextKeysForPrincipalPolicy`](iam_example_iam_GetContextKeysForPrincipalPolicy_section.md)
+ [`GetCredentialReport`](iam_example_iam_GetCredentialReport_section.md)
+ [`GetGroup`](iam_example_iam_GetGroup_section.md)
+ [`GetGroupPolicy`](iam_example_iam_GetGroupPolicy_section.md)
+ [`GetInstanceProfile`](iam_example_iam_GetInstanceProfile_section.md)
+ [`GetLoginProfile`](iam_example_iam_GetLoginProfile_section.md)
+ [`GetOpenIdConnectProvider`](iam_example_iam_GetOpenIdConnectProvider_section.md)
+ [`GetPolicy`](iam_example_iam_GetPolicy_section.md)
+ [`GetPolicyVersion`](iam_example_iam_GetPolicyVersion_section.md)
+ [`GetRole`](iam_example_iam_GetRole_section.md)
+ [`GetRolePolicy`](iam_example_iam_GetRolePolicy_section.md)
+ [`GetSamlProvider`](iam_example_iam_GetSamlProvider_section.md)
+ [`GetServerCertificate`](iam_example_iam_GetServerCertificate_section.md)
+ [`GetServiceLastAccessedDetails`](iam_example_iam_GetServiceLastAccessedDetails_section.md)
+ [`GetServiceLastAccessedDetailsWithEntities`](iam_example_iam_GetServiceLastAccessedDetailsWithEntities_section.md)
+ [`GetServiceLinkedRoleDeletionStatus`](iam_example_iam_GetServiceLinkedRoleDeletionStatus_section.md)
+ [`GetUser`](iam_example_iam_GetUser_section.md)
+ [`GetUserPolicy`](iam_example_iam_GetUserPolicy_section.md)
+ [`ListAccessKeys`](iam_example_iam_ListAccessKeys_section.md)
+ [`ListAccountAliases`](iam_example_iam_ListAccountAliases_section.md)
+ [`ListAttachedGroupPolicies`](iam_example_iam_ListAttachedGroupPolicies_section.md)
+ [`ListAttachedRolePolicies`](iam_example_iam_ListAttachedRolePolicies_section.md)
+ [`ListAttachedUserPolicies`](iam_example_iam_ListAttachedUserPolicies_section.md)
+ [`ListEntitiesForPolicy`](iam_example_iam_ListEntitiesForPolicy_section.md)
+ [`ListGroupPolicies`](iam_example_iam_ListGroupPolicies_section.md)
+ [`ListGroups`](iam_example_iam_ListGroups_section.md)
+ [`ListGroupsForUser`](iam_example_iam_ListGroupsForUser_section.md)
+ [`ListInstanceProfiles`](iam_example_iam_ListInstanceProfiles_section.md)
+ [`ListInstanceProfilesForRole`](iam_example_iam_ListInstanceProfilesForRole_section.md)
+ [`ListMfaDevices`](iam_example_iam_ListMfaDevices_section.md)
+ [`ListOpenIdConnectProviders`](iam_example_iam_ListOpenIdConnectProviders_section.md)
+ [`ListPolicies`](iam_example_iam_ListPolicies_section.md)
+ [`ListPolicyVersions`](iam_example_iam_ListPolicyVersions_section.md)
+ [`ListRolePolicies`](iam_example_iam_ListRolePolicies_section.md)
+ [`ListRoleTags`](iam_example_iam_ListRoleTags_section.md)
+ [`ListRoles`](iam_example_iam_ListRoles_section.md)
+ [`ListSAMLProviders`](iam_example_iam_ListSAMLProviders_section.md)
+ [`ListServerCertificates`](iam_example_iam_ListServerCertificates_section.md)
+ [`ListSigningCertificates`](iam_example_iam_ListSigningCertificates_section.md)
+ [`ListUserPolicies`](iam_example_iam_ListUserPolicies_section.md)
+ [`ListUserTags`](iam_example_iam_ListUserTags_section.md)
+ [`ListUsers`](iam_example_iam_ListUsers_section.md)
+ [`ListVirtualMfaDevices`](iam_example_iam_ListVirtualMfaDevices_section.md)
+ [`PutGroupPolicy`](iam_example_iam_PutGroupPolicy_section.md)
+ [`PutRolePermissionsBoundary`](iam_example_iam_PutRolePermissionsBoundary_section.md)
+ [`PutRolePolicy`](iam_example_iam_PutRolePolicy_section.md)
+ [`PutUserPermissionsBoundary`](iam_example_iam_PutUserPermissionsBoundary_section.md)
+ [`PutUserPolicy`](iam_example_iam_PutUserPolicy_section.md)
+ [`RemoveClientIdFromOpenIdConnectProvider`](iam_example_iam_RemoveClientIdFromOpenIdConnectProvider_section.md)
+ [`RemoveRoleFromInstanceProfile`](iam_example_iam_RemoveRoleFromInstanceProfile_section.md)
+ [`RemoveUserFromGroup`](iam_example_iam_RemoveUserFromGroup_section.md)
+ [`ResyncMfaDevice`](iam_example_iam_ResyncMfaDevice_section.md)
+ [`SetDefaultPolicyVersion`](iam_example_iam_SetDefaultPolicyVersion_section.md)
+ [`TagRole`](iam_example_iam_TagRole_section.md)
+ [`TagUser`](iam_example_iam_TagUser_section.md)
+ [`UntagRole`](iam_example_iam_UntagRole_section.md)
+ [`UntagUser`](iam_example_iam_UntagUser_section.md)
+ [`UpdateAccessKey`](iam_example_iam_UpdateAccessKey_section.md)
+ [`UpdateAccountPasswordPolicy`](iam_example_iam_UpdateAccountPasswordPolicy_section.md)
+ [`UpdateAssumeRolePolicy`](iam_example_iam_UpdateAssumeRolePolicy_section.md)
+ [`UpdateGroup`](iam_example_iam_UpdateGroup_section.md)
+ [`UpdateLoginProfile`](iam_example_iam_UpdateLoginProfile_section.md)
+ [`UpdateOpenIdConnectProviderThumbprint`](iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md)
+ [`UpdateRole`](iam_example_iam_UpdateRole_section.md)
+ [`UpdateRoleDescription`](iam_example_iam_UpdateRoleDescription_section.md)
+ [`UpdateSamlProvider`](iam_example_iam_UpdateSamlProvider_section.md)
+ [`UpdateServerCertificate`](iam_example_iam_UpdateServerCertificate_section.md)
+ [`UpdateSigningCertificate`](iam_example_iam_UpdateSigningCertificate_section.md)
+ [`UpdateUser`](iam_example_iam_UpdateUser_section.md)
+ [`UploadServerCertificate`](iam_example_iam_UploadServerCertificate_section.md)
+ [`UploadSigningCertificate`](iam_example_iam_UploadSigningCertificate_section.md)
+ [案例](service_code_examples_iam_scenarios.md)
+ [建置及管理彈性服務](iam_example_cross_ResilientService_section.md)
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [使用 Lambda 代理整合建立 REST API](iam_example_api_gateway_GettingStarted_087_section.md)
+ [為 Fargate 啟動類型建立 Amazon ECS Linux 任務](iam_example_ecs_GettingStarted_086_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](iam_example_cloudwatch_GettingStarted_031_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [建立您的第一個 Lambda 函數](iam_example_lambda_GettingStarted_019_section.md)
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [管理角色](iam_example_iam_Scenario_RoleManagement_section.md)
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](iam_example_secrets_manager_GettingStarted_073_section.md)
+ [許可政策允許 AWS Compute Optimizer 自動化套用建議的動作](iam_example_iam-policies.AWSMettleDocs.latest.userguide.managed-policies.xml.10_section.md)
+ [在整個組織中啟用自動化的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.2_section.md)
+ [為您的帳戶啟用自動化的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.1_section.md)
+ [授予組織管理帳戶 Compute Optimizer Automation 完整存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.5_section.md)
+ [授予獨立 AWS 帳戶 Compute Optimizer Automation 完整存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.3_section.md)
+ [授予組織管理帳戶 Compute Optimizer Automation 唯讀存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.6_section.md)
+ [授予獨立 AWS 帳戶 Compute Optimizer Automation 唯讀存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.4_section.md)
+ [授予運算最佳化自動化服務連結角色許可的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.slr-automation.xml.1_section.md)
+ [復原政策版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
+ [設定屬性型存取控制](iam_example_dynamodb_Scenario_ABACSetup_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [在 CloudWatch 儀表板中使用屬性變數來監控多個 Lambda 函數](iam_example_iam_GettingStarted_032_section.md)
+ [使用串流和存留時間](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md)
+ [使用 IAM 政策產生器 API](iam_example_iam_Scenario_IamPolicyBuilder_section.md)
# 使用 AWS SDKs的 IAM 基本範例
下列程式碼範例示範如何 AWS Identity and Access Management 搭配 AWS SDKs 使用 的基本概念。
**Contents**
+ [Hello IAM](iam_example_iam_Hello_section.md)
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [動作](service_code_examples_iam_actions.md)
+ [`AddClientIdToOpenIdConnectProvider`](iam_example_iam_AddClientIdToOpenIdConnectProvider_section.md)
+ [`AddRoleToInstanceProfile`](iam_example_iam_AddRoleToInstanceProfile_section.md)
+ [`AddUserToGroup`](iam_example_iam_AddUserToGroup_section.md)
+ [`AttachGroupPolicy`](iam_example_iam_AttachGroupPolicy_section.md)
+ [`AttachRolePolicy`](iam_example_iam_AttachRolePolicy_section.md)
+ [`AttachUserPolicy`](iam_example_iam_AttachUserPolicy_section.md)
+ [`ChangePassword`](iam_example_iam_ChangePassword_section.md)
+ [`CreateAccessKey`](iam_example_iam_CreateAccessKey_section.md)
+ [`CreateAccountAlias`](iam_example_iam_CreateAccountAlias_section.md)
+ [`CreateGroup`](iam_example_iam_CreateGroup_section.md)
+ [`CreateInstanceProfile`](iam_example_iam_CreateInstanceProfile_section.md)
+ [`CreateLoginProfile`](iam_example_iam_CreateLoginProfile_section.md)
+ [`CreateOpenIdConnectProvider`](iam_example_iam_CreateOpenIdConnectProvider_section.md)
+ [`CreatePolicy`](iam_example_iam_CreatePolicy_section.md)
+ [`CreatePolicyVersion`](iam_example_iam_CreatePolicyVersion_section.md)
+ [`CreateRole`](iam_example_iam_CreateRole_section.md)
+ [`CreateSAMLProvider`](iam_example_iam_CreateSAMLProvider_section.md)
+ [`CreateServiceLinkedRole`](iam_example_iam_CreateServiceLinkedRole_section.md)
+ [`CreateUser`](iam_example_iam_CreateUser_section.md)
+ [`CreateVirtualMfaDevice`](iam_example_iam_CreateVirtualMfaDevice_section.md)
+ [`DeactivateMfaDevice`](iam_example_iam_DeactivateMfaDevice_section.md)
+ [`DeleteAccessKey`](iam_example_iam_DeleteAccessKey_section.md)
+ [`DeleteAccountAlias`](iam_example_iam_DeleteAccountAlias_section.md)
+ [`DeleteAccountPasswordPolicy`](iam_example_iam_DeleteAccountPasswordPolicy_section.md)
+ [`DeleteGroup`](iam_example_iam_DeleteGroup_section.md)
+ [`DeleteGroupPolicy`](iam_example_iam_DeleteGroupPolicy_section.md)
+ [`DeleteInstanceProfile`](iam_example_iam_DeleteInstanceProfile_section.md)
+ [`DeleteLoginProfile`](iam_example_iam_DeleteLoginProfile_section.md)
+ [`DeleteOpenIdConnectProvider`](iam_example_iam_DeleteOpenIdConnectProvider_section.md)
+ [`DeletePolicy`](iam_example_iam_DeletePolicy_section.md)
+ [`DeletePolicyVersion`](iam_example_iam_DeletePolicyVersion_section.md)
+ [`DeleteRole`](iam_example_iam_DeleteRole_section.md)
+ [`DeleteRolePermissionsBoundary`](iam_example_iam_DeleteRolePermissionsBoundary_section.md)
+ [`DeleteRolePolicy`](iam_example_iam_DeleteRolePolicy_section.md)
+ [`DeleteSAMLProvider`](iam_example_iam_DeleteSAMLProvider_section.md)
+ [`DeleteServerCertificate`](iam_example_iam_DeleteServerCertificate_section.md)
+ [`DeleteServiceLinkedRole`](iam_example_iam_DeleteServiceLinkedRole_section.md)
+ [`DeleteSigningCertificate`](iam_example_iam_DeleteSigningCertificate_section.md)
+ [`DeleteUser`](iam_example_iam_DeleteUser_section.md)
+ [`DeleteUserPermissionsBoundary`](iam_example_iam_DeleteUserPermissionsBoundary_section.md)
+ [`DeleteUserPolicy`](iam_example_iam_DeleteUserPolicy_section.md)
+ [`DeleteVirtualMfaDevice`](iam_example_iam_DeleteVirtualMfaDevice_section.md)
+ [`DetachGroupPolicy`](iam_example_iam_DetachGroupPolicy_section.md)
+ [`DetachRolePolicy`](iam_example_iam_DetachRolePolicy_section.md)
+ [`DetachUserPolicy`](iam_example_iam_DetachUserPolicy_section.md)
+ [`EnableMfaDevice`](iam_example_iam_EnableMfaDevice_section.md)
+ [`GenerateCredentialReport`](iam_example_iam_GenerateCredentialReport_section.md)
+ [`GenerateServiceLastAccessedDetails`](iam_example_iam_GenerateServiceLastAccessedDetails_section.md)
+ [`GetAccessKeyLastUsed`](iam_example_iam_GetAccessKeyLastUsed_section.md)
+ [`GetAccountAuthorizationDetails`](iam_example_iam_GetAccountAuthorizationDetails_section.md)
+ [`GetAccountPasswordPolicy`](iam_example_iam_GetAccountPasswordPolicy_section.md)
+ [`GetAccountSummary`](iam_example_iam_GetAccountSummary_section.md)
+ [`GetContextKeysForCustomPolicy`](iam_example_iam_GetContextKeysForCustomPolicy_section.md)
+ [`GetContextKeysForPrincipalPolicy`](iam_example_iam_GetContextKeysForPrincipalPolicy_section.md)
+ [`GetCredentialReport`](iam_example_iam_GetCredentialReport_section.md)
+ [`GetGroup`](iam_example_iam_GetGroup_section.md)
+ [`GetGroupPolicy`](iam_example_iam_GetGroupPolicy_section.md)
+ [`GetInstanceProfile`](iam_example_iam_GetInstanceProfile_section.md)
+ [`GetLoginProfile`](iam_example_iam_GetLoginProfile_section.md)
+ [`GetOpenIdConnectProvider`](iam_example_iam_GetOpenIdConnectProvider_section.md)
+ [`GetPolicy`](iam_example_iam_GetPolicy_section.md)
+ [`GetPolicyVersion`](iam_example_iam_GetPolicyVersion_section.md)
+ [`GetRole`](iam_example_iam_GetRole_section.md)
+ [`GetRolePolicy`](iam_example_iam_GetRolePolicy_section.md)
+ [`GetSamlProvider`](iam_example_iam_GetSamlProvider_section.md)
+ [`GetServerCertificate`](iam_example_iam_GetServerCertificate_section.md)
+ [`GetServiceLastAccessedDetails`](iam_example_iam_GetServiceLastAccessedDetails_section.md)
+ [`GetServiceLastAccessedDetailsWithEntities`](iam_example_iam_GetServiceLastAccessedDetailsWithEntities_section.md)
+ [`GetServiceLinkedRoleDeletionStatus`](iam_example_iam_GetServiceLinkedRoleDeletionStatus_section.md)
+ [`GetUser`](iam_example_iam_GetUser_section.md)
+ [`GetUserPolicy`](iam_example_iam_GetUserPolicy_section.md)
+ [`ListAccessKeys`](iam_example_iam_ListAccessKeys_section.md)
+ [`ListAccountAliases`](iam_example_iam_ListAccountAliases_section.md)
+ [`ListAttachedGroupPolicies`](iam_example_iam_ListAttachedGroupPolicies_section.md)
+ [`ListAttachedRolePolicies`](iam_example_iam_ListAttachedRolePolicies_section.md)
+ [`ListAttachedUserPolicies`](iam_example_iam_ListAttachedUserPolicies_section.md)
+ [`ListEntitiesForPolicy`](iam_example_iam_ListEntitiesForPolicy_section.md)
+ [`ListGroupPolicies`](iam_example_iam_ListGroupPolicies_section.md)
+ [`ListGroups`](iam_example_iam_ListGroups_section.md)
+ [`ListGroupsForUser`](iam_example_iam_ListGroupsForUser_section.md)
+ [`ListInstanceProfiles`](iam_example_iam_ListInstanceProfiles_section.md)
+ [`ListInstanceProfilesForRole`](iam_example_iam_ListInstanceProfilesForRole_section.md)
+ [`ListMfaDevices`](iam_example_iam_ListMfaDevices_section.md)
+ [`ListOpenIdConnectProviders`](iam_example_iam_ListOpenIdConnectProviders_section.md)
+ [`ListPolicies`](iam_example_iam_ListPolicies_section.md)
+ [`ListPolicyVersions`](iam_example_iam_ListPolicyVersions_section.md)
+ [`ListRolePolicies`](iam_example_iam_ListRolePolicies_section.md)
+ [`ListRoleTags`](iam_example_iam_ListRoleTags_section.md)
+ [`ListRoles`](iam_example_iam_ListRoles_section.md)
+ [`ListSAMLProviders`](iam_example_iam_ListSAMLProviders_section.md)
+ [`ListServerCertificates`](iam_example_iam_ListServerCertificates_section.md)
+ [`ListSigningCertificates`](iam_example_iam_ListSigningCertificates_section.md)
+ [`ListUserPolicies`](iam_example_iam_ListUserPolicies_section.md)
+ [`ListUserTags`](iam_example_iam_ListUserTags_section.md)
+ [`ListUsers`](iam_example_iam_ListUsers_section.md)
+ [`ListVirtualMfaDevices`](iam_example_iam_ListVirtualMfaDevices_section.md)
+ [`PutGroupPolicy`](iam_example_iam_PutGroupPolicy_section.md)
+ [`PutRolePermissionsBoundary`](iam_example_iam_PutRolePermissionsBoundary_section.md)
+ [`PutRolePolicy`](iam_example_iam_PutRolePolicy_section.md)
+ [`PutUserPermissionsBoundary`](iam_example_iam_PutUserPermissionsBoundary_section.md)
+ [`PutUserPolicy`](iam_example_iam_PutUserPolicy_section.md)
+ [`RemoveClientIdFromOpenIdConnectProvider`](iam_example_iam_RemoveClientIdFromOpenIdConnectProvider_section.md)
+ [`RemoveRoleFromInstanceProfile`](iam_example_iam_RemoveRoleFromInstanceProfile_section.md)
+ [`RemoveUserFromGroup`](iam_example_iam_RemoveUserFromGroup_section.md)
+ [`ResyncMfaDevice`](iam_example_iam_ResyncMfaDevice_section.md)
+ [`SetDefaultPolicyVersion`](iam_example_iam_SetDefaultPolicyVersion_section.md)
+ [`TagRole`](iam_example_iam_TagRole_section.md)
+ [`TagUser`](iam_example_iam_TagUser_section.md)
+ [`UntagRole`](iam_example_iam_UntagRole_section.md)
+ [`UntagUser`](iam_example_iam_UntagUser_section.md)
+ [`UpdateAccessKey`](iam_example_iam_UpdateAccessKey_section.md)
+ [`UpdateAccountPasswordPolicy`](iam_example_iam_UpdateAccountPasswordPolicy_section.md)
+ [`UpdateAssumeRolePolicy`](iam_example_iam_UpdateAssumeRolePolicy_section.md)
+ [`UpdateGroup`](iam_example_iam_UpdateGroup_section.md)
+ [`UpdateLoginProfile`](iam_example_iam_UpdateLoginProfile_section.md)
+ [`UpdateOpenIdConnectProviderThumbprint`](iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md)
+ [`UpdateRole`](iam_example_iam_UpdateRole_section.md)
+ [`UpdateRoleDescription`](iam_example_iam_UpdateRoleDescription_section.md)
+ [`UpdateSamlProvider`](iam_example_iam_UpdateSamlProvider_section.md)
+ [`UpdateServerCertificate`](iam_example_iam_UpdateServerCertificate_section.md)
+ [`UpdateSigningCertificate`](iam_example_iam_UpdateSigningCertificate_section.md)
+ [`UpdateUser`](iam_example_iam_UpdateUser_section.md)
+ [`UploadServerCertificate`](iam_example_iam_UploadServerCertificate_section.md)
+ [`UploadSigningCertificate`](iam_example_iam_UploadSigningCertificate_section.md)
# Hello IAM
下列程式碼範例示範如何開始使用 IAM。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
namespace IAMActions;
public class HelloIAM
{
static async Task Main(string[] args)
{
// Getting started with AWS Identity and Access Management (IAM). List
// the policies for the account.
var iamClient = new AmazonIdentityManagementServiceClient();
var listPoliciesPaginator = iamClient.Paginators.ListPolicies(new ListPoliciesRequest());
var policies = new List();
await foreach (var response in listPoliciesPaginator.Responses)
{
policies.AddRange(response.Policies);
}
Console.WriteLine("Here are the policies defined for your account:\n");
policies.ForEach(policy =>
{
Console.WriteLine($"Created: {policy.CreateDate}\t{policy.PolicyName}\t{policy.Description}");
});
}
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListPolicies)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam/hello_iam#code-examples)中設定和執行。
CMakeLists.txt CMake 檔案的程式碼。
```
# Set the minimum required version of CMake for this project.
cmake_minimum_required(VERSION 3.13)
# Set the AWS service components used by this project.
set(SERVICE_COMPONENTS iam)
# Set this project's name.
project("hello_iam")
# Set the C++ standard to use to build this target.
# At least C++ 11 is required for the AWS SDK for C++.
set(CMAKE_CXX_STANDARD 11)
# Use the MSVC variable to determine if this is a Windows build.
set(WINDOWS_BUILD ${MSVC})
if (WINDOWS_BUILD) # Set the location where CMake can find the installed libraries for the AWS SDK.
string(REPLACE ";" "/aws-cpp-sdk-all;" SYSTEM_MODULE_PATH "${CMAKE_SYSTEM_PREFIX_PATH}/aws-cpp-sdk-all")
list(APPEND CMAKE_PREFIX_PATH ${SYSTEM_MODULE_PATH})
endif ()
# Find the AWS SDK for C++ package.
find_package(AWSSDK REQUIRED COMPONENTS ${SERVICE_COMPONENTS})
if (WINDOWS_BUILD AND AWSSDK_INSTALL_AS_SHARED_LIBS)
# Copy relevant AWS SDK for C++ libraries into the current binary directory for running and debugging.
# set(BIN_SUB_DIR "/Debug") # if you are building from the command line you may need to uncomment this
# and set the proper subdirectory to the executables' location.
AWSSDK_CPY_DYN_LIBS(SERVICE_COMPONENTS "" ${CMAKE_CURRENT_BINARY_DIR}${BIN_SUB_DIR})
endif ()
add_executable(${PROJECT_NAME}
hello_iam.cpp)
target_link_libraries(${PROJECT_NAME}
${AWSSDK_LINK_LIBRARIES})
```
iam.cpp 來源檔案的程式碼。
```
#include
#include
#include
#include
#include
/*
* A "Hello IAM" starter application which initializes an AWS Identity and Access Management (IAM) client
* and lists the IAM policies.
*
* main function
*
* Usage: 'hello_iam'
*
*/
int main(int argc, char **argv) {
Aws::SDKOptions options;
// Optionally change the log level for debugging.
// options.loggingOptions.logLevel = Utils::Logging::LogLevel::Debug;
Aws::InitAPI(options); // Should only be called once.
int result = 0;
{
const Aws::String DATE_FORMAT("%Y-%m-%d");
Aws::Client::ClientConfiguration clientConfig;
// Optional: Set to the AWS Region (overrides config file).
// clientConfig.region = "us-east-1";
Aws::IAM::IAMClient iamClient(clientConfig);
Aws::IAM::Model::ListPoliciesRequest request;
bool done = false;
bool header = false;
while (!done) {
auto outcome = iamClient.ListPolicies(request);
if (!outcome.IsSuccess()) {
std::cerr << "Failed to list iam policies: " <<
outcome.GetError().GetMessage() << std::endl;
result = 1;
break;
}
if (!header) {
std::cout << std::left << std::setw(55) << "Name" <<
std::setw(30) << "ID" << std::setw(80) << "Arn" <<
std::setw(64) << "Description" << std::setw(12) <<
"CreateDate" << std::endl;
header = true;
}
const auto &policies = outcome.GetResult().GetPolicies();
for (const auto &policy: policies) {
std::cout << std::left << std::setw(55) <<
policy.GetPolicyName() << std::setw(30) <<
policy.GetPolicyId() << std::setw(80) << policy.GetArn() <<
std::setw(64) << policy.GetDescription() << std::setw(12) <<
policy.GetCreateDate().ToGmtString(DATE_FORMAT.c_str()) <<
std::endl;
}
if (outcome.GetResult().GetIsTruncated()) {
request.SetMarker(outcome.GetResult().GetMarker());
} else {
done = true;
}
}
}
Aws::ShutdownAPI(options); // Should only be called once.
return result;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API 參考*中的 [ListPolicies](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListPolicies)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
package main
import (
"context"
"fmt"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/iam"
)
// main uses the AWS SDK for Go (v2) to create an AWS Identity and Access Management (IAM)
// client and list up to 10 policies in your account.
// This example uses the default settings specified in your shared credentials
// and config files.
func main() {
ctx := context.Background()
sdkConfig, err := config.LoadDefaultConfig(ctx)
if err != nil {
fmt.Println("Couldn't load default configuration. Have you set up your AWS account?")
fmt.Println(err)
return
}
iamClient := iam.NewFromConfig(sdkConfig)
const maxPols = 10
fmt.Printf("Let's list up to %v policies for your account.\n", maxPols)
result, err := iamClient.ListPolicies(ctx, &iam.ListPoliciesInput{
MaxItems: aws.Int32(maxPols),
})
if err != nil {
fmt.Printf("Couldn't list policies for your account. Here's why: %v\n", err)
return
}
if len(result.Policies) == 0 {
fmt.Println("You don't have any policies!")
} else {
for _, policy := range result.Policies {
fmt.Printf("\t%v\n", *policy.PolicyName)
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListPolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListPolicies)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.ListPoliciesResponse;
import software.amazon.awssdk.services.iam.model.Policy;
import java.util.List;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class HelloIAM {
public static void main(String[] args) {
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
listPolicies(iam);
}
public static void listPolicies(IamClient iam) {
ListPoliciesResponse response = iam.listPolicies();
List polList = response.policies();
polList.forEach(policy -> {
System.out.println("Policy Name: " + policy.policyName());
});
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListPolicies)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { IAMClient, paginateListPolicies } from "@aws-sdk/client-iam";
const client = new IAMClient({});
export const listLocalPolicies = async () => {
/**
* In v3, the clients expose paginateOperationName APIs that are written using async generators so that you can use async iterators in a for await..of loop.
* https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators
*/
const paginator = paginateListPolicies(
{ client, pageSize: 10 },
// List only customer managed policies.
{ Scope: "Local" },
);
console.log("IAM policies defined in your account:");
let policyCount = 0;
for await (const page of paginator) {
if (page.Policies) {
for (const policy of page.Policies) {
console.log(`${policy.PolicyName}`);
policyCount++;
}
}
}
console.log(`Found ${policyCount} policies.`);
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListPoliciesCommand)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
import boto3
def main():
"""
Lists the managed policies in your AWS account using the AWS SDK for Python (Boto3).
"""
iam = boto3.client("iam")
try:
# Get a paginator for the list_policies operation
paginator = iam.get_paginator("list_policies")
# Iterate through the pages of results
for page in paginator.paginate(Scope="All", OnlyAttached=False):
for policy in page["Policies"]:
print(f"Policy name: {policy['PolicyName']}")
print(f" Policy ARN: {policy['Arn']}")
except boto3.exceptions.BotoCoreError as e:
print(f"Encountered an error while listing policies: {e}")
if __name__ == "__main__":
main()
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListPolicies)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
require 'aws-sdk-iam'
require 'logger'
# IAMManager is a class responsible for managing IAM operations
# such as listing all IAM policies in the current AWS account.
class IAMManager
def initialize(client)
@client = client
@logger = Logger.new($stdout)
end
# Lists and prints all IAM policies in the current AWS account.
def list_policies
@logger.info('Here are the IAM policies in your account:')
paginator = @client.list_policies
policies = []
paginator.each_page do |page|
policies.concat(page.policies)
end
if policies.empty?
@logger.info("You don't have any IAM policies.")
else
policies.each do |policy|
@logger.info("- #{policy.policy_name}")
end
end
end
end
if $PROGRAM_NAME == __FILE__
iam_client = Aws::IAM::Client.new
manager = IAMManager.new(iam_client)
manager.list_policies
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListPolicies)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
來自 src/bin/hello.rs。
```
use aws_sdk_iam::error::SdkError;
use aws_sdk_iam::operation::list_policies::ListPoliciesError;
use clap::Parser;
const PATH_PREFIX_HELP: &str = "The path prefix for filtering the results.";
#[derive(Debug, clap::Parser)]
#[command(about)]
struct HelloScenarioArgs {
#[arg(long, default_value="/", help=PATH_PREFIX_HELP)]
pub path_prefix: String,
}
#[tokio::main]
async fn main() -> Result<(), SdkError> {
let sdk_config = aws_config::load_from_env().await;
let client = aws_sdk_iam::Client::new(&sdk_config);
let args = HelloScenarioArgs::parse();
iam_service::list_policies(client, args.path_prefix).await?;
Ok(())
}
```
來自 src/iam-service-lib.rs。
```
pub async fn list_policies(
client: iamClient,
path_prefix: String,
) -> Result, SdkError> {
let list_policies = client
.list_policies()
.path_prefix(path_prefix)
.scope(PolicyScopeType::Local)
.into_paginator()
.items()
.send()
.try_collect()
.await?;
let policy_names = list_policies
.into_iter()
.map(|p| {
let name = p
.policy_name
.unwrap_or_else(|| "Missing Policy Name".to_string());
println!("{}", name);
name
})
.collect();
Ok(policy_names)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API 參考*中的 [ListPolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_policies)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 使用 AWS SDK 了解 IAM 的基本概念
下列程式碼範例示範如何建立使用者並擔任角色。
**警告**
為避免安全風險,在開發專用軟體或使用真實資料時,請勿使用 IAM 使用者進行身分驗證。相反地,搭配使用聯合功能和身分提供者,例如 [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)。
+ 建立沒有許可的使用者。
+ 建立一個可授予許可的角色,以列出帳戶的 Amazon S3 儲存貯體。
+ 新增政策,讓使用者擔任該角色。
+ 使用暫時憑證,擔任角色並列出 Amazon S3 儲存貯體,然後清理資源。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
global using Amazon.IdentityManagement;
global using Amazon.S3;
global using Amazon.SecurityToken;
global using IAMActions;
global using IamScenariosCommon;
global using Microsoft.Extensions.DependencyInjection;
global using Microsoft.Extensions.Hosting;
global using Microsoft.Extensions.Logging;
global using Microsoft.Extensions.Logging.Console;
global using Microsoft.Extensions.Logging.Debug;
namespace IAMActions;
public class IAMWrapper
{
private readonly IAmazonIdentityManagementService _IAMService;
///
/// Constructor for the IAMWrapper class.
///
/// An IAM client object.
public IAMWrapper(IAmazonIdentityManagementService IAMService)
{
_IAMService = IAMService;
}
///
/// Attach an IAM policy to a role.
///
/// The policy to attach.
/// The role that the policy will be attached to.
/// A Boolean value indicating the success of the action.
public async Task AttachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Create an IAM access key for a user.
///
/// The username for which to create the IAM access
/// key.
/// The AccessKey.
public async Task CreateAccessKeyAsync(string userName)
{
var response = await _IAMService.CreateAccessKeyAsync(new CreateAccessKeyRequest
{
UserName = userName,
});
return response.AccessKey;
}
///
/// Create an IAM policy.
///
/// The name to give the new IAM policy.
/// The policy document for the new policy.
/// The new IAM policy object.
public async Task CreatePolicyAsync(string policyName, string policyDocument)
{
var response = await _IAMService.CreatePolicyAsync(new CreatePolicyRequest
{
PolicyDocument = policyDocument,
PolicyName = policyName,
});
return response.Policy;
}
///
/// Create a new IAM role.
///
/// The name of the IAM role.
/// The name of the IAM policy document
/// for the new role.
/// The Amazon Resource Name (ARN) of the role.
public async Task CreateRoleAsync(string roleName, string rolePolicyDocument)
{
var request = new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = rolePolicyDocument,
};
var response = await _IAMService.CreateRoleAsync(request);
return response.Role.Arn;
}
///
/// Create an IAM service-linked role.
///
/// The name of the AWS Service.
/// A description of the IAM service-linked role.
/// The IAM role that was created.
public async Task CreateServiceLinkedRoleAsync(string serviceName, string description)
{
var request = new CreateServiceLinkedRoleRequest
{
AWSServiceName = serviceName,
Description = description
};
var response = await _IAMService.CreateServiceLinkedRoleAsync(request);
return response.Role;
}
///
/// Create an IAM user.
///
/// The username for the new IAM user.
/// The IAM user that was created.
public async Task CreateUserAsync(string userName)
{
var response = await _IAMService.CreateUserAsync(new CreateUserRequest { UserName = userName });
return response.User;
}
///
/// Delete an IAM user's access key.
///
/// The Id for the IAM access key.
/// The username of the user that owns the IAM
/// access key.
/// A Boolean value indicating the success of the action.
public async Task DeleteAccessKeyAsync(string accessKeyId, string userName)
{
var response = await _IAMService.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
{
AccessKeyId = accessKeyId,
UserName = userName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM policy.
///
/// The Amazon Resource Name (ARN) of the policy to
/// delete.
/// A Boolean value indicating the success of the action.
public async Task DeletePolicyAsync(string policyArn)
{
var response = await _IAMService.DeletePolicyAsync(new DeletePolicyRequest { PolicyArn = policyArn });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM role.
///
/// The name of the IAM role to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRoleAsync(string roleName)
{
var response = await _IAMService.DeleteRoleAsync(new DeleteRoleRequest { RoleName = roleName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM role policy.
///
/// The name of the IAM role.
/// The name of the IAM role policy to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRolePolicyAsync(string roleName, string policyName)
{
var response = await _IAMService.DeleteRolePolicyAsync(new DeleteRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM user.
///
/// The username of the IAM user to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserAsync(string userName)
{
var response = await _IAMService.DeleteUserAsync(new DeleteUserRequest { UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM user policy.
///
/// The name of the IAM policy to delete.
/// The username of the IAM user.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserPolicyAsync(string policyName, string userName)
{
var response = await _IAMService.DeleteUserPolicyAsync(new DeleteUserPolicyRequest { PolicyName = policyName, UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Detach an IAM policy from an IAM role.
///
/// The Amazon Resource Name (ARN) of the IAM policy.
/// The name of the IAM role.
/// A Boolean value indicating the success of the action.
public async Task DetachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.DetachRolePolicyAsync(new DetachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Gets the IAM password policy for an AWS account.
///
/// The PasswordPolicy for the AWS account.
public async Task GetAccountPasswordPolicyAsync()
{
var response = await _IAMService.GetAccountPasswordPolicyAsync(new GetAccountPasswordPolicyRequest());
return response.PasswordPolicy;
}
///
/// Get information about an IAM policy.
///
/// The IAM policy to retrieve information for.
/// The IAM policy.
public async Task GetPolicyAsync(string policyArn)
{
var response = await _IAMService.GetPolicyAsync(new GetPolicyRequest { PolicyArn = policyArn });
return response.Policy;
}
///
/// Get information about an IAM role.
///
/// The name of the IAM role to retrieve information
/// for.
/// The IAM role that was retrieved.
public async Task GetRoleAsync(string roleName)
{
var response = await _IAMService.GetRoleAsync(new GetRoleRequest
{
RoleName = roleName,
});
return response.Role;
}
///
/// Get information about an IAM user.
///
/// The username of the user.
/// An IAM user object.
public async Task GetUserAsync(string userName)
{
var response = await _IAMService.GetUserAsync(new GetUserRequest { UserName = userName });
return response.User;
}
///
/// List the IAM role policies that are attached to an IAM role.
///
/// The IAM role to list IAM policies for.
/// A list of the IAM policies attached to the IAM role.
public async Task> ListAttachedRolePoliciesAsync(string roleName)
{
var attachedPolicies = new List();
var attachedRolePoliciesPaginator = _IAMService.Paginators.ListAttachedRolePolicies(new ListAttachedRolePoliciesRequest { RoleName = roleName });
await foreach (var response in attachedRolePoliciesPaginator.Responses)
{
attachedPolicies.AddRange(response.AttachedPolicies);
}
return attachedPolicies;
}
///
/// List IAM groups.
///
/// A list of IAM groups.
public async Task> ListGroupsAsync()
{
var groupsPaginator = _IAMService.Paginators.ListGroups(new ListGroupsRequest());
var groups = new List();
await foreach (var response in groupsPaginator.Responses)
{
groups.AddRange(response.Groups);
}
return groups;
}
///
/// List IAM policies.
///
/// A list of the IAM policies.
public async Task> ListPoliciesAsync()
{
var listPoliciesPaginator = _IAMService.Paginators.ListPolicies(new ListPoliciesRequest());
var policies = new List();
await foreach (var response in listPoliciesPaginator.Responses)
{
policies.AddRange(response.Policies);
}
return policies;
}
///
/// List IAM role policies.
///
/// The IAM role for which to list IAM policies.
/// A list of IAM policy names.
public async Task> ListRolePoliciesAsync(string roleName)
{
var listRolePoliciesPaginator = _IAMService.Paginators.ListRolePolicies(new ListRolePoliciesRequest { RoleName = roleName });
var policyNames = new List();
await foreach (var response in listRolePoliciesPaginator.Responses)
{
policyNames.AddRange(response.PolicyNames);
}
return policyNames;
}
///
/// List IAM roles.
///
/// A list of IAM roles.
public async Task> ListRolesAsync()
{
var listRolesPaginator = _IAMService.Paginators.ListRoles(new ListRolesRequest());
var roles = new List();
await foreach (var response in listRolesPaginator.Responses)
{
roles.AddRange(response.Roles);
}
return roles;
}
///
/// List SAML authentication providers.
///
/// A list of SAML providers.
public async Task> ListSAMLProvidersAsync()
{
var response = await _IAMService.ListSAMLProvidersAsync(new ListSAMLProvidersRequest());
return response.SAMLProviderList;
}
///
/// List IAM users.
///
/// A list of IAM users.
public async Task> ListUsersAsync()
{
var listUsersPaginator = _IAMService.Paginators.ListUsers(new ListUsersRequest());
var users = new List();
await foreach (var response in listUsersPaginator.Responses)
{
users.AddRange(response.Users);
}
return users;
}
///
/// Update the inline policy document embedded in a role.
///
/// The name of the policy to embed.
/// The name of the role to update.
/// The policy document that defines the role.
/// A Boolean value indicating the success of the action.
public async Task PutRolePolicyAsync(string policyName, string roleName, string policyDocument)
{
var request = new PutRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
PolicyDocument = policyDocument
};
var response = await _IAMService.PutRolePolicyAsync(request);
return response.HttpStatusCode == HttpStatusCode.OK;
}
///
/// Add or update an inline policy document that is embedded in an IAM user.
///
/// The name of the IAM user.
/// The name of the IAM policy.
/// The policy document defining the IAM policy.
/// A Boolean value indicating the success of the action.
public async Task PutUserPolicyAsync(string userName, string policyName, string policyDocument)
{
var request = new PutUserPolicyRequest
{
UserName = userName,
PolicyName = policyName,
PolicyDocument = policyDocument
};
var response = await _IAMService.PutUserPolicyAsync(request);
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Wait for a new access key to be ready to use.
///
/// The Id of the access key.
/// A boolean value indicating the success of the action.
public async Task WaitUntilAccessKeyIsReady(string accessKeyId)
{
var keyReady = false;
do
{
try
{
var response = await _IAMService.GetAccessKeyLastUsedAsync(
new GetAccessKeyLastUsedRequest { AccessKeyId = accessKeyId });
if (response.UserName is not null)
{
keyReady = true;
}
}
catch (NoSuchEntityException)
{
keyReady = false;
}
} while (!keyReady);
return keyReady;
}
}
using Microsoft.Extensions.Configuration;
namespace IAMBasics;
public class IAMBasics
{
private static ILogger logger = null!;
static async Task Main(string[] args)
{
// Set up dependency injection for the AWS service.
using var host = Host.CreateDefaultBuilder(args)
.ConfigureLogging(logging =>
logging.AddFilter("System", LogLevel.Debug)
.AddFilter("Microsoft", LogLevel.Information)
.AddFilter("Microsoft", LogLevel.Trace))
.ConfigureServices((_, services) =>
services.AddAWSService()
.AddTransient()
.AddTransient()
)
.Build();
logger = LoggerFactory.Create(builder => { builder.AddConsole(); })
.CreateLogger();
IConfiguration configuration = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("settings.json") // Load test settings from .json file.
.AddJsonFile("settings.local.json",
true) // Optionally load local settings.
.Build();
// Values needed for user, role, and policies.
string userName = configuration["UserName"]!;
string s3PolicyName = configuration["S3PolicyName"]!;
string roleName = configuration["RoleName"]!;
var iamWrapper = host.Services.GetRequiredService();
var uiWrapper = host.Services.GetRequiredService();
uiWrapper.DisplayBasicsOverview();
uiWrapper.PressEnter();
// First create a user. By default, the new user has
// no permissions.
uiWrapper.DisplayTitle("Create User");
Console.WriteLine($"Creating a new user with user name: {userName}.");
var user = await iamWrapper.CreateUserAsync(userName);
var userArn = user.Arn;
Console.WriteLine($"Successfully created user: {userName} with ARN: {userArn}.");
uiWrapper.WaitABit(15, "Now let's wait for the user to be ready for use.");
// Define a role policy document that allows the new user
// to assume the role.
string assumeRolePolicyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
$" \"AWS\": \"{userArn}\"" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
// Permissions to list all buckets.
string policyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
" \"Statement\" : [{" +
" \"Action\" : [\"s3:ListAllMyBuckets\"]," +
" \"Effect\" : \"Allow\"," +
" \"Resource\" : \"*\"" +
"}]" +
"}";
// Create an AccessKey for the user.
uiWrapper.DisplayTitle("Create access key");
Console.WriteLine("Now let's create an access key for the new user.");
var accessKey = await iamWrapper.CreateAccessKeyAsync(userName);
var accessKeyId = accessKey.AccessKeyId;
var secretAccessKey = accessKey.SecretAccessKey;
Console.WriteLine($"We have created the access key with Access key id: {accessKeyId}.");
Console.WriteLine("Now let's wait until the IAM access key is ready to use.");
var keyReady = await iamWrapper.WaitUntilAccessKeyIsReady(accessKeyId);
// Now try listing the Amazon Simple Storage Service (Amazon S3)
// buckets. This should fail at this point because the user doesn't
// have permissions to perform this task.
uiWrapper.DisplayTitle("Try to display Amazon S3 buckets");
Console.WriteLine("Now let's try to display a list of the user's Amazon S3 buckets.");
var s3Client1 = new AmazonS3Client(accessKeyId, secretAccessKey);
var stsClient1 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey);
var s3Wrapper = new S3Wrapper(s3Client1, stsClient1);
var buckets = await s3Wrapper.ListMyBucketsAsync();
Console.WriteLine(buckets is null
? "As expected, the call to list the buckets has returned a null list."
: "Something went wrong. This shouldn't have worked.");
uiWrapper.PressEnter();
uiWrapper.DisplayTitle("Create IAM role");
Console.WriteLine($"Creating the role: {roleName}");
// Creating an IAM role to allow listing the S3 buckets. A role name
// is not case sensitive and must be unique to the account for which it
// is created.
var roleArn = await iamWrapper.CreateRoleAsync(roleName, assumeRolePolicyDocument);
uiWrapper.PressEnter();
// Create a policy with permissions to list S3 buckets.
uiWrapper.DisplayTitle("Create IAM policy");
Console.WriteLine($"Creating the policy: {s3PolicyName}");
Console.WriteLine("with permissions to list the Amazon S3 buckets for the account.");
var policy = await iamWrapper.CreatePolicyAsync(s3PolicyName, policyDocument);
// Wait 15 seconds for the IAM policy to be available.
uiWrapper.WaitABit(15, "Waiting for the policy to be available.");
// Attach the policy to the role you created earlier.
uiWrapper.DisplayTitle("Attach new IAM policy");
Console.WriteLine("Now let's attach the policy to the role.");
await iamWrapper.AttachRolePolicyAsync(policy.Arn, roleName);
// Wait 15 seconds for the role to be updated.
Console.WriteLine();
uiWrapper.WaitABit(15, "Waiting for the policy to be attached.");
// Use the AWS Security Token Service (AWS STS) to have the user
// assume the role we created.
var stsClient2 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey);
// Wait for the new credentials to become valid.
uiWrapper.WaitABit(10, "Waiting for the credentials to be valid.");
var assumedRoleCredentials = await s3Wrapper.AssumeS3RoleAsync("temporary-session", roleArn);
// Try again to list the buckets using the client created with
// the new user's credentials. This time, it should work.
var s3Client2 = new AmazonS3Client(assumedRoleCredentials);
s3Wrapper.UpdateClients(s3Client2, stsClient2);
buckets = await s3Wrapper.ListMyBucketsAsync();
uiWrapper.DisplayTitle("List Amazon S3 buckets");
Console.WriteLine("This time we should have buckets to list.");
if (buckets is not null)
{
buckets.ForEach(bucket =>
{
Console.WriteLine($"{bucket.BucketName} created: {bucket.CreationDate}");
});
}
uiWrapper.PressEnter();
// Now clean up all the resources used in the example.
uiWrapper.DisplayTitle("Clean up resources");
Console.WriteLine("Thank you for watching. The IAM Basics demo is complete.");
Console.WriteLine("Please wait while we clean up the resources we created.");
await iamWrapper.DetachRolePolicyAsync(policy.Arn, roleName);
await iamWrapper.DeletePolicyAsync(policy.Arn);
await iamWrapper.DeleteRoleAsync(roleName);
await iamWrapper.DeleteAccessKeyAsync(accessKeyId, userName);
await iamWrapper.DeleteUserAsync(userName);
uiWrapper.PressEnter();
Console.WriteLine("All done cleaning up our resources. Thank you for your patience.");
}
}
namespace IamScenariosCommon;
using System.Net;
///
/// A class to perform Amazon Simple Storage Service (Amazon S3) actions for
/// the IAM Basics scenario.
///
public class S3Wrapper
{
private IAmazonS3 _s3Service;
private IAmazonSecurityTokenService _stsService;
///
/// Constructor for the S3Wrapper class.
///
/// An Amazon S3 client object.
/// An AWS Security Token Service (AWS STS)
/// client object.
public S3Wrapper(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService)
{
_s3Service = s3Service;
_stsService = stsService;
}
///
/// Assumes an AWS Identity and Access Management (IAM) role that allows
/// Amazon S3 access for the current session.
///
/// A string representing the current session.
/// The name of the IAM role to assume.
/// Credentials for the newly assumed IAM role.
public async Task AssumeS3RoleAsync(string roleSession, string roleToAssume)
{
// Create the request to use with the AssumeRoleAsync call.
var request = new AssumeRoleRequest()
{
RoleSessionName = roleSession,
RoleArn = roleToAssume,
};
var response = await _stsService.AssumeRoleAsync(request);
return response.Credentials;
}
///
/// Delete an S3 bucket.
///
/// Name of the S3 bucket to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteBucketAsync(string bucketName)
{
var result = await _s3Service.DeleteBucketAsync(new DeleteBucketRequest { BucketName = bucketName });
return result.HttpStatusCode == HttpStatusCode.OK;
}
///
/// List the buckets that are owned by the user's account.
///
/// Async Task.
public async Task?> ListMyBucketsAsync()
{
try
{
// Get the list of buckets accessible by the new user.
var response = await _s3Service.ListBucketsAsync();
return response.Buckets;
}
catch (AmazonS3Exception ex)
{
// Something else went wrong. Display the error message.
Console.WriteLine($"Error: {ex.Message}");
return null;
}
}
///
/// Create a new S3 bucket.
///
/// The name for the new bucket.
/// A Boolean value indicating whether the action completed
/// successfully.
public async Task PutBucketAsync(string bucketName)
{
var response = await _s3Service.PutBucketAsync(new PutBucketRequest { BucketName = bucketName });
return response.HttpStatusCode == HttpStatusCode.OK;
}
///
/// Update the client objects with new client objects. This is available
/// because the scenario uses the methods of this class without and then
/// with the proper permissions to list S3 buckets.
///
/// The Amazon S3 client object.
/// The AWS STS client object.
public void UpdateClients(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService)
{
_s3Service = s3Service;
_stsService = stsService;
}
}
namespace IamScenariosCommon;
public class UIWrapper
{
public readonly string SepBar = new('-', Console.WindowWidth);
///
/// Show information about the IAM Groups scenario.
///
public void DisplayGroupsOverview()
{
Console.Clear();
DisplayTitle("Welcome to the IAM Groups Demo");
Console.WriteLine("This example application does the following:");
Console.WriteLine("\t1. Creates an Amazon Identity and Access Management (IAM) group.");
Console.WriteLine("\t2. Adds an IAM policy to the IAM group giving it full access to Amazon S3.");
Console.WriteLine("\t3. Creates a new IAM user.");
Console.WriteLine("\t4. Creates an IAM access key for the user.");
Console.WriteLine("\t5. Adds the user to the IAM group.");
Console.WriteLine("\t6. Lists the buckets on the account.");
Console.WriteLine("\t7. Proves that the user has full Amazon S3 access by creating a bucket.");
Console.WriteLine("\t8. List the buckets again to show the new bucket.");
Console.WriteLine("\t9. Cleans up all the resources created.");
}
///
/// Show information about the IAM Basics scenario.
///
public void DisplayBasicsOverview()
{
Console.Clear();
DisplayTitle("Welcome to IAM Basics");
Console.WriteLine("This example application does the following:");
Console.WriteLine("\t1. Creates a user with no permissions.");
Console.WriteLine("\t2. Creates a role and policy that grant s3:ListAllMyBuckets permission.");
Console.WriteLine("\t3. Grants the user permission to assume the role.");
Console.WriteLine("\t4. Creates an S3 client object as the user and tries to list buckets (this will fail).");
Console.WriteLine("\t5. Gets temporary credentials by assuming the role.");
Console.WriteLine("\t6. Creates a new S3 client object with the temporary credentials and lists the buckets (this will succeed).");
Console.WriteLine("\t7. Deletes all the resources.");
}
///
/// Display a message and wait until the user presses enter.
///
public void PressEnter()
{
Console.Write("\nPress to continue. ");
_ = Console.ReadLine();
Console.WriteLine();
}
///
/// Pad a string with spaces to center it on the console display.
///
/// The string to be centered.
/// The padded string.
public string CenterString(string strToCenter)
{
var padAmount = (Console.WindowWidth - strToCenter.Length) / 2;
var leftPad = new string(' ', padAmount);
return $"{leftPad}{strToCenter}";
}
///
/// Display a line of hyphens, the centered text of the title, and another
/// line of hyphens.
///
/// The string to be displayed.
public void DisplayTitle(string strTitle)
{
Console.WriteLine(SepBar);
Console.WriteLine(CenterString(strTitle));
Console.WriteLine(SepBar);
}
///
/// Display a countdown and wait for a number of seconds.
///
/// The number of seconds to wait.
public void WaitABit(int numSeconds, string msg)
{
Console.WriteLine(msg);
// Wait for the requested number of seconds.
for (int i = numSeconds; i > 0; i--)
{
System.Threading.Thread.Sleep(1000);
Console.Write($"{i}...");
}
PressEnter();
}
}
```
+ 如需 API 詳細資訊,請參閱《*適用於 .NET 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function iam_create_user_assume_role
#
# Scenario to create an IAM user, create an IAM role, and apply the role to the user.
#
# "IAM access" permissions are needed to run this code.
# "STS assume role" permissions are needed to run this code. (Note: It might be necessary to
# create a custom policy).
#
# Returns:
# 0 - If successful.
# 1 - If an error occurred.
###############################################################################
function iam_create_user_assume_role() {
{
if [ "$IAM_OPERATIONS_SOURCED" != "True" ]; then
source ./iam_operations.sh
fi
}
echo_repeat "*" 88
echo "Welcome to the IAM create user and assume role demo."
echo
echo "This demo will create an IAM user, create an IAM role, and apply the role to the user."
echo_repeat "*" 88
echo
echo -n "Enter a name for a new IAM user: "
get_input
user_name=$get_input_result
local user_arn
user_arn=$(iam_create_user -u "$user_name")
# shellcheck disable=SC2181
if [[ ${?} == 0 ]]; then
echo "Created demo IAM user named $user_name"
else
errecho "$user_arn"
errecho "The user failed to create. This demo will exit."
return 1
fi
local access_key_response
access_key_response=$(iam_create_user_access_key -u "$user_name")
# shellcheck disable=SC2181
if [[ ${?} != 0 ]]; then
errecho "The access key failed to create. This demo will exit."
clean_up "$user_name"
return 1
fi
IFS=$'\t ' read -r -a access_key_values <<<"$access_key_response"
local key_name=${access_key_values[0]}
local key_secret=${access_key_values[1]}
echo "Created access key named $key_name"
echo "Wait 10 seconds for the user to be ready."
sleep 10
echo_repeat "*" 88
echo
local iam_role_name
iam_role_name=$(generate_random_name "test-role")
echo "Creating a role named $iam_role_name with user $user_name as the principal."
local assume_role_policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"$user_arn\"},
\"Action\": \"sts:AssumeRole\"
}]
}"
local role_arn
role_arn=$(iam_create_role -n "$iam_role_name" -p "$assume_role_policy_document")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Created IAM role named $iam_role_name"
else
errecho "The role failed to create. This demo will exit."
clean_up "$user_name" "$key_name"
return 1
fi
local policy_name
policy_name=$(generate_random_name "test-policy")
local policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]}"
local policy_arn
policy_arn=$(iam_create_policy -n "$policy_name" -p "$policy_document")
# shellcheck disable=SC2181
if [[ ${?} == 0 ]]; then
echo "Created IAM policy named $policy_name"
else
errecho "The policy failed to create."
clean_up "$user_name" "$key_name" "$iam_role_name"
return 1
fi
if (iam_attach_role_policy -n "$iam_role_name" -p "$policy_arn"); then
echo "Attached policy $policy_arn to role $iam_role_name"
else
errecho "The policy failed to attach."
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn"
return 1
fi
local assume_role_policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"$role_arn\"}]}"
local assume_role_policy_name
assume_role_policy_name=$(generate_random_name "test-assume-role-")
# shellcheck disable=SC2181
local assume_role_policy_arn
assume_role_policy_arn=$(iam_create_policy -n "$assume_role_policy_name" -p "$assume_role_policy_document")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Created IAM policy named $assume_role_policy_name for sts assume role"
else
errecho "The policy failed to create."
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn"
return 1
fi
echo "Wait 10 seconds to give AWS time to propagate these new resources and connections."
sleep 10
echo_repeat "*" 88
echo
echo "Try to list buckets without the new user assuming the role."
echo_repeat "*" 88
echo
# Set the environment variables for the created user.
# bashsupport disable=BP2001
export AWS_ACCESS_KEY_ID=$key_name
# bashsupport disable=BP2001
export AWS_SECRET_ACCESS_KEY=$key_secret
local buckets
buckets=$(s3_list_buckets)
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
local bucket_count
bucket_count=$(echo "$buckets" | wc -w | xargs)
echo "There are $bucket_count buckets in the account. This should not have happened."
else
errecho "Because the role with permissions has not been assumed, listing buckets failed."
fi
echo
echo_repeat "*" 88
echo "Now assume the role $iam_role_name and list the buckets."
echo_repeat "*" 88
echo
local credentials
credentials=$(sts_assume_role -r "$role_arn" -n "AssumeRoleDemoSession")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Assumed role $iam_role_name"
else
errecho "Failed to assume role."
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
return 1
fi
IFS=$'\t ' read -r -a credentials <<<"$credentials"
export AWS_ACCESS_KEY_ID=${credentials[0]}
export AWS_SECRET_ACCESS_KEY=${credentials[1]}
# bashsupport disable=BP2001
export AWS_SESSION_TOKEN=${credentials[2]}
buckets=$(s3_list_buckets)
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
local bucket_count
bucket_count=$(echo "$buckets" | wc -w | xargs)
echo "There are $bucket_count buckets in the account. Listing buckets succeeded because of "
echo "the assumed role."
else
errecho "Failed to list buckets. This should not happen."
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_SESSION_TOKEN=""
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
return 1
fi
local result=0
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
echo
echo_repeat "*" 88
echo "The created resources will now be deleted."
echo_repeat "*" 88
echo
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
# shellcheck disable=SC2181
if [[ ${?} -ne 0 ]]; then
result=1
fi
return $result
}
```
此案例中使用的 IAM 函數。
```
###############################################################################
# function iam_user_exists
#
# This function checks to see if the specified AWS Identity and Access Management (IAM) user already exists.
#
# Parameters:
# $1 - The name of the IAM user to check.
#
# Returns:
# 0 - If the user already exists.
# 1 - If the user doesn't exist.
###############################################################################
function iam_user_exists() {
local user_name
user_name=$1
# Check whether the IAM user already exists.
# We suppress all output - we're interested only in the return code.
local errors
errors=$(aws iam get-user \
--user-name "$user_name" 2>&1 >/dev/null)
local error_code=${?}
if [[ $error_code -eq 0 ]]; then
return 0 # 0 in Bash script means true.
else
if [[ $errors != *"error"*"(NoSuchEntity)"* ]]; then
aws_cli_error_log $error_code
errecho "Error calling iam get-user $errors"
fi
return 1 # 1 in Bash script means false.
fi
}
###############################################################################
# function iam_create_user
#
# This function creates the specified IAM user, unless
# it already exists.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# The ARN of the user.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user"
echo "Creates an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user. It must be unique within the account."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user already exists, we don't want to try to create it.
if (iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name already exists in the account."
return 1
fi
response=$(aws iam create-user --user-name "$user_name" \
--output text \
--query 'User.Arn')
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-user operation failed.$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_create_user_access_key
#
# This function creates an IAM access key for the specified user.
#
# Parameters:
# -u user_name -- The name of the IAM user.
# [-f file_name] -- The optional file name for the access key output.
#
# Returns:
# [access_key_id access_key_secret]
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user_access_key() {
local user_name file_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) key pair."
echo " -u user_name The name of the IAM user."
echo " [-f file_name] Optional file name for the access key output."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:f:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
f) file_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
response=$(aws iam create-access-key \
--user-name "$user_name" \
--output text)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-access-key operation failed.$response"
return 1
fi
if [[ -n "$file_name" ]]; then
echo "$response" >"$file_name"
fi
local key_id key_secret
# shellcheck disable=SC2086
key_id=$(echo $response | cut -f 2 -d ' ')
# shellcheck disable=SC2086
key_secret=$(echo $response | cut -f 4 -d ' ')
echo "$key_id $key_secret"
return 0
}
###############################################################################
# function iam_create_role
#
# This function creates an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_json -- The assume role policy document.
#
# Returns:
# The ARN of the role.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_role() {
local role_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) role."
echo " -n role_name The name of the IAM role."
echo " -p policy_json -- The assume role policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-role \
--role-name "$role_name" \
--assume-role-policy-document "$policy_document" \
--output text \
--query Role.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-role operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_create_policy
#
# This function creates an IAM policy.
#
# Parameters:
# -n policy_name -- The name of the IAM policy.
# -p policy_json -- The policy document.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_policy() {
local policy_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_policy"
echo "Creates an AWS Identity and Access Management (IAM) policy."
echo " -n policy_name The name of the IAM policy."
echo " -p policy_json -- The policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) policy_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_name" ]]; then
errecho "ERROR: You must provide a policy name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-policy \
--policy-name "$policy_name" \
--policy-document "$policy_document" \
--output text \
--query Policy.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-policy operation failed.\n$response"
return 1
fi
echo "$response"
}
###############################################################################
# function iam_attach_role_policy
#
# This function attaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_attach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_attach_role_policy"
echo "Attaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam attach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports attach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_detach_role_policy
#
# This function detaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_detach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_detach_role_policy"
echo "Detaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam detach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports detach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_delete_policy
#
# This function deletes an IAM policy.
#
# Parameters:
# -n policy_arn -- The name of the IAM policy arn.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_policy() {
local policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_policy"
echo "Deletes an AWS Identity and Access Management (IAM) policy"
echo " -n policy_arn -- The name of the IAM policy arn."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy arn with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Policy arn: $policy_arn"
iecho ""
response=$(aws iam delete-policy \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-policy operation failed.\n$response"
return 1
fi
iecho "delete-policy response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_role
#
# This function deletes an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_role() {
local role_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_role"
echo "Deletes an AWS Identity and Access Management (IAM) role"
echo " -n role_name -- The name of the IAM role."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
echo "role_name:$role_name"
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Role name: $role_name"
iecho ""
response=$(aws iam delete-role \
--role-name "$role_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-role operation failed.\n$response"
return 1
fi
iecho "delete-role response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_access_key
#
# This function deletes an IAM access key for the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user.
# -k access_key -- The access key to delete.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_access_key() {
local user_name access_key response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_access_key"
echo "Deletes an AWS Identity and Access Management (IAM) access key for the specified IAM user"
echo " -u user_name The name of the user."
echo " -k access_key The access key to delete."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:k:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
k) access_key="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
if [[ -z "$access_key" ]]; then
errecho "ERROR: You must provide an access key with the -k parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Username: $user_name"
iecho " Access key: $access_key"
iecho ""
response=$(aws iam delete-access-key \
--user-name "$user_name" \
--access-key-id "$access_key")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-access-key operation failed.\n$response"
return 1
fi
iecho "delete-access-key response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_user
#
# This function deletes the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_user"
echo "Deletes an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user does not exist, we don't want to try to delete it.
if (! iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name does not exist in the account."
return 1
fi
response=$(aws iam delete-user \
--user-name "$user_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-user operation failed.$response"
return 1
fi
iecho "delete-user response:$response"
iecho
return 0
}
```
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutUserPolicy)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
namespace AwsDoc {
namespace IAM {
//! Cleanup by deleting created entities.
/*!
\sa DeleteCreatedEntities
\param client: IAM client.
\param role: IAM role.
\param user: IAM user.
\param policy: IAM policy.
*/
static bool DeleteCreatedEntities(const Aws::IAM::IAMClient &client,
const Aws::IAM::Model::Role &role,
const Aws::IAM::Model::User &user,
const Aws::IAM::Model::Policy &policy);
}
static const int LIST_BUCKETS_WAIT_SEC = 20;
static const char ALLOCATION_TAG[] = "example_code";
}
//! Scenario to create an IAM user, create an IAM role, and apply the role to the user.
// "IAM access" permissions are needed to run this code.
// "STS assume role" permissions are needed to run this code. (Note: It might be necessary to
// create a custom policy).
/*!
\sa iamCreateUserAssumeRoleScenario
\param clientConfig: Aws client configuration.
\return bool: Successful completion.
*/
bool AwsDoc::IAM::iamCreateUserAssumeRoleScenario(
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient client(clientConfig);
Aws::IAM::Model::User user;
Aws::IAM::Model::Role role;
Aws::IAM::Model::Policy policy;
// 1. Create a user.
{
Aws::IAM::Model::CreateUserRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String userName = "iam-demo-user-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetUserName(userName);
Aws::IAM::Model::CreateUserOutcome outcome = client.CreateUser(request);
if (!outcome.IsSuccess()) {
std::cout << "Error creating IAM user " << userName << ":" <<
outcome.GetError().GetMessage() << std::endl;
return false;
}
else {
std::cout << "Successfully created IAM user " << userName << std::endl;
}
user = outcome.GetResult().GetUser();
}
// 2. Create a role.
{
// Get the IAM user for the current client in order to access its ARN.
Aws::String iamUserArn;
{
Aws::IAM::Model::GetUserRequest request;
Aws::IAM::Model::GetUserOutcome outcome = client.GetUser(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error getting Iam user. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully retrieved Iam user "
<< outcome.GetResult().GetUser().GetUserName()
<< std::endl;
}
iamUserArn = outcome.GetResult().GetUser().GetArn();
}
Aws::IAM::Model::CreateRoleRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String roleName = "iam-demo-role-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetRoleName(roleName);
// Build policy document for role.
Aws::Utils::Document jsonStatement;
jsonStatement.WithString("Effect", "Allow");
Aws::Utils::Document jsonPrincipal;
jsonPrincipal.WithString("AWS", iamUserArn);
jsonStatement.WithObject("Principal", jsonPrincipal);
jsonStatement.WithString("Action", "sts:AssumeRole");
jsonStatement.WithObject("Condition", Aws::Utils::Document());
Aws::Utils::Document policyDocument;
policyDocument.WithString("Version", "2012-10-17");
Aws::Utils::Array statements(1);
statements[0] = jsonStatement;
policyDocument.WithArray("Statement", statements);
std::cout << "Setting policy for role\n "
<< policyDocument.View().WriteCompact() << std::endl;
// Set role policy document as JSON string.
request.SetAssumeRolePolicyDocument(policyDocument.View().WriteCompact());
Aws::IAM::Model::CreateRoleOutcome outcome = client.CreateRole(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating role. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully created a role with name " << roleName
<< std::endl;
}
role = outcome.GetResult().GetRole();
}
// 3. Create an IAM policy.
{
Aws::IAM::Model::CreatePolicyRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String policyName = "iam-demo-policy-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetPolicyName(policyName);
// Build IAM policy document.
Aws::Utils::Document jsonStatement;
jsonStatement.WithString("Effect", "Allow");
jsonStatement.WithString("Action", "s3:ListAllMyBuckets");
jsonStatement.WithString("Resource", "arn:aws:s3:::*");
Aws::Utils::Document policyDocument;
policyDocument.WithString("Version", "2012-10-17");
Aws::Utils::Array statements(1);
statements[0] = jsonStatement;
policyDocument.WithArray("Statement", statements);
std::cout << "Creating a policy.\n " << policyDocument.View().WriteCompact()
<< std::endl;
// Set IAM policy document as JSON string.
request.SetPolicyDocument(policyDocument.View().WriteCompact());
Aws::IAM::Model::CreatePolicyOutcome outcome = client.CreatePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating policy. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully created a policy with name, " << policyName <<
"." << std::endl;
}
policy = outcome.GetResult().GetPolicy();
}
// 4. Assume the new role using the AWS Security Token Service (STS).
Aws::STS::Model::Credentials credentials;
{
Aws::STS::STSClient stsClient(clientConfig);
Aws::STS::Model::AssumeRoleRequest request;
request.SetRoleArn(role.GetArn());
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String roleSessionName = "iam-demo-role-session-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetRoleSessionName(roleSessionName);
Aws::STS::Model::AssumeRoleOutcome assumeRoleOutcome;
// Repeatedly call AssumeRole, because there is often a delay
// before the role is available to be assumed.
// Repeat at most 20 times when access is denied.
int count = 0;
while (true) {
assumeRoleOutcome = stsClient.AssumeRole(request);
if (!assumeRoleOutcome.IsSuccess()) {
if (count > 20 ||
assumeRoleOutcome.GetError().GetErrorType() !=
Aws::STS::STSErrors::ACCESS_DENIED) {
std::cerr << "Error assuming role after 20 tries. " <<
assumeRoleOutcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
std::this_thread::sleep_for(std::chrono::seconds(1));
}
else {
std::cout << "Successfully assumed the role after " << count
<< " seconds." << std::endl;
break;
}
count++;
}
credentials = assumeRoleOutcome.GetResult().GetCredentials();
}
// 5. List objects in the bucket (This should fail).
{
Aws::S3::S3Client s3Client(
Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(),
credentials.GetSecretAccessKey(),
credentials.GetSessionToken()),
Aws::MakeShared(ALLOCATION_TAG),
clientConfig);
Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets();
if (!listBucketsOutcome.IsSuccess()) {
if (listBucketsOutcome.GetError().GetErrorType() !=
Aws::S3::S3Errors::ACCESS_DENIED) {
std::cerr << "Could not lists buckets. " <<
listBucketsOutcome.GetError().GetMessage() << std::endl;
}
else {
std::cout
<< "Access to list buckets denied because privileges have not been applied."
<< std::endl;
}
}
else {
std::cerr
<< "Successfully retrieved bucket lists when this should not happen."
<< std::endl;
}
}
// 6. Attach the policy to the role.
{
Aws::IAM::Model::AttachRolePolicyRequest request;
request.SetRoleName(role.GetRoleName());
request.WithPolicyArn(policy.GetArn());
Aws::IAM::Model::AttachRolePolicyOutcome outcome = client.AttachRolePolicy(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating policy. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully attached the policy with name, "
<< policy.GetPolicyName() <<
", to the role, " << role.GetRoleName() << "." << std::endl;
}
}
int count = 0;
// 7. List objects in the bucket (this should succeed).
// Repeatedly call ListBuckets, because there is often a delay
// before the policy with ListBucket permissions has been applied to the role.
// Repeat at most LIST_BUCKETS_WAIT_SEC times when access is denied.
while (true) {
Aws::S3::S3Client s3Client(
Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(),
credentials.GetSecretAccessKey(),
credentials.GetSessionToken()),
Aws::MakeShared(ALLOCATION_TAG),
clientConfig);
Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets();
if (!listBucketsOutcome.IsSuccess()) {
if ((count > LIST_BUCKETS_WAIT_SEC) ||
listBucketsOutcome.GetError().GetErrorType() !=
Aws::S3::S3Errors::ACCESS_DENIED) {
std::cerr << "Could not lists buckets after " << LIST_BUCKETS_WAIT_SEC << " seconds. " <<
listBucketsOutcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
std::this_thread::sleep_for(std::chrono::seconds(1));
}
else {
std::cout << "Successfully retrieved bucket lists after " << count
<< " seconds." << std::endl;
break;
}
count++;
}
// 8. Delete all the created resources.
return DeleteCreatedEntities(client, role, user, policy);
}
bool AwsDoc::IAM::DeleteCreatedEntities(const Aws::IAM::IAMClient &client,
const Aws::IAM::Model::Role &role,
const Aws::IAM::Model::User &user,
const Aws::IAM::Model::Policy &policy) {
bool result = true;
if (policy.ArnHasBeenSet()) {
// Detach the policy from the role.
{
Aws::IAM::Model::DetachRolePolicyRequest request;
request.SetPolicyArn(policy.GetArn());
request.SetRoleName(role.GetRoleName());
Aws::IAM::Model::DetachRolePolicyOutcome outcome = client.DetachRolePolicy(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error Detaching policy from roles. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully detached the policy with arn "
<< policy.GetArn()
<< " from role " << role.GetRoleName() << "." << std::endl;
}
}
// Delete the policy.
{
Aws::IAM::Model::DeletePolicyRequest request;
request.WithPolicyArn(policy.GetArn());
Aws::IAM::Model::DeletePolicyOutcome outcome = client.DeletePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting policy. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the policy with arn "
<< policy.GetArn() << std::endl;
}
}
}
if (role.RoleIdHasBeenSet()) {
// Delete the role.
Aws::IAM::Model::DeleteRoleRequest request;
request.SetRoleName(role.GetRoleName());
Aws::IAM::Model::DeleteRoleOutcome outcome = client.DeleteRole(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting role. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the role with name "
<< role.GetRoleName() << std::endl;
}
}
if (user.ArnHasBeenSet()) {
// Delete the user.
Aws::IAM::Model::DeleteUserRequest request;
request.WithUserName(user.GetUserName());
Aws::IAM::Model::DeleteUserOutcome outcome = client.DeleteUser(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting user. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the user with name "
<< user.GetUserName() << std::endl;
}
}
return result;
}
```
+ 如需 API 詳細資訊,請參閱《*適用於 C\$1\$1 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/PutUserPolicy)
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
在命令提示中執行互動式案例。
```
import (
"context"
"errors"
"fmt"
"log"
"math/rand"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/aws/smithy-go"
"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
"github.com/awsdocs/aws-doc-sdk-examples/gov2/iam/actions"
)
// AssumeRoleScenario shows you how to use the AWS Identity and Access Management (IAM)
// service to perform the following actions:
//
// 1. Create a user who has no permissions.
// 2. Create a role that grants permission to list Amazon Simple Storage Service
// (Amazon S3) buckets for the account.
// 3. Add a policy to let the user assume the role.
// 4. Try and fail to list buckets without permissions.
// 5. Assume the role and list S3 buckets using temporary credentials.
// 6. Delete the policy, role, and user.
type AssumeRoleScenario struct {
sdkConfig aws.Config
accountWrapper actions.AccountWrapper
policyWrapper actions.PolicyWrapper
roleWrapper actions.RoleWrapper
userWrapper actions.UserWrapper
questioner demotools.IQuestioner
helper IScenarioHelper
isTestRun bool
}
// NewAssumeRoleScenario constructs an AssumeRoleScenario instance from a configuration.
// It uses the specified config to get an IAM client and create wrappers for the actions
// used in the scenario.
func NewAssumeRoleScenario(sdkConfig aws.Config, questioner demotools.IQuestioner,
helper IScenarioHelper) AssumeRoleScenario {
iamClient := iam.NewFromConfig(sdkConfig)
return AssumeRoleScenario{
sdkConfig: sdkConfig,
accountWrapper: actions.AccountWrapper{IamClient: iamClient},
policyWrapper: actions.PolicyWrapper{IamClient: iamClient},
roleWrapper: actions.RoleWrapper{IamClient: iamClient},
userWrapper: actions.UserWrapper{IamClient: iamClient},
questioner: questioner,
helper: helper,
}
}
// addTestOptions appends the API options specified in the original configuration to
// another configuration. This is used to attach the middleware stubber to clients
// that are constructed during the scenario, which is needed for unit testing.
func (scenario AssumeRoleScenario) addTestOptions(scenarioConfig *aws.Config) {
if scenario.isTestRun {
scenarioConfig.APIOptions = append(scenarioConfig.APIOptions, scenario.sdkConfig.APIOptions...)
}
}
// Run runs the interactive scenario.
func (scenario AssumeRoleScenario) Run(ctx context.Context) {
defer func() {
if r := recover(); r != nil {
log.Printf("Something went wrong with the demo.\n")
log.Println(r)
}
}()
log.Println(strings.Repeat("-", 88))
log.Println("Welcome to the AWS Identity and Access Management (IAM) assume role demo.")
log.Println(strings.Repeat("-", 88))
user := scenario.CreateUser(ctx)
accessKey := scenario.CreateAccessKey(ctx, user)
role := scenario.CreateRoleAndPolicies(ctx, user)
noPermsConfig := scenario.ListBucketsWithoutPermissions(ctx, accessKey)
scenario.ListBucketsWithAssumedRole(ctx, noPermsConfig, role)
scenario.Cleanup(ctx, user, role)
log.Println(strings.Repeat("-", 88))
log.Println("Thanks for watching!")
log.Println(strings.Repeat("-", 88))
}
// CreateUser creates a new IAM user. This user has no permissions.
func (scenario AssumeRoleScenario) CreateUser(ctx context.Context) *types.User {
log.Println("Let's create an example user with no permissions.")
userName := scenario.questioner.Ask("Enter a name for the example user:", demotools.NotEmpty{})
user, err := scenario.userWrapper.GetUser(ctx, userName)
if err != nil {
panic(err)
}
if user == nil {
user, err = scenario.userWrapper.CreateUser(ctx, userName)
if err != nil {
panic(err)
}
log.Printf("Created user %v.\n", *user.UserName)
} else {
log.Printf("User %v already exists.\n", *user.UserName)
}
log.Println(strings.Repeat("-", 88))
return user
}
// CreateAccessKey creates an access key for the user.
func (scenario AssumeRoleScenario) CreateAccessKey(ctx context.Context, user *types.User) *types.AccessKey {
accessKey, err := scenario.userWrapper.CreateAccessKeyPair(ctx, *user.UserName)
if err != nil {
panic(err)
}
log.Printf("Created access key %v for your user.", *accessKey.AccessKeyId)
log.Println("Waiting a few seconds for your user to be ready...")
scenario.helper.Pause(10)
log.Println(strings.Repeat("-", 88))
return accessKey
}
// CreateRoleAndPolicies creates a policy that grants permission to list S3 buckets for
// the current account and attaches the policy to a newly created role. It also adds an
// inline policy to the specified user that grants the user permission to assume the role.
func (scenario AssumeRoleScenario) CreateRoleAndPolicies(ctx context.Context, user *types.User) *types.Role {
log.Println("Let's create a role and policy that grant permission to list S3 buckets.")
scenario.questioner.Ask("Press Enter when you're ready.")
listBucketsRole, err := scenario.roleWrapper.CreateRole(ctx, scenario.helper.GetName(), *user.Arn)
if err != nil {
panic(err)
}
log.Printf("Created role %v.\n", *listBucketsRole.RoleName)
listBucketsPolicy, err := scenario.policyWrapper.CreatePolicy(
ctx, scenario.helper.GetName(), []string{"s3:ListAllMyBuckets"}, "arn:aws:s3:::*")
if err != nil {
panic(err)
}
log.Printf("Created policy %v.\n", *listBucketsPolicy.PolicyName)
err = scenario.roleWrapper.AttachRolePolicy(ctx, *listBucketsPolicy.Arn, *listBucketsRole.RoleName)
if err != nil {
panic(err)
}
log.Printf("Attached policy %v to role %v.\n", *listBucketsPolicy.PolicyName,
*listBucketsRole.RoleName)
err = scenario.userWrapper.CreateUserPolicy(ctx, *user.UserName, scenario.helper.GetName(),
[]string{"sts:AssumeRole"}, *listBucketsRole.Arn)
if err != nil {
panic(err)
}
log.Printf("Created an inline policy for user %v that lets the user assume the role.\n",
*user.UserName)
log.Println("Let's give AWS a few seconds to propagate these new resources and connections...")
scenario.helper.Pause(10)
log.Println(strings.Repeat("-", 88))
return listBucketsRole
}
// ListBucketsWithoutPermissions creates an Amazon S3 client from the user's access key
// credentials and tries to list buckets for the account. Because the user does not have
// permission to perform this action, the action fails.
func (scenario AssumeRoleScenario) ListBucketsWithoutPermissions(ctx context.Context, accessKey *types.AccessKey) *aws.Config {
log.Println("Let's try to list buckets without permissions. This should return an AccessDenied error.")
scenario.questioner.Ask("Press Enter when you're ready.")
noPermsConfig, err := config.LoadDefaultConfig(ctx,
config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
*accessKey.AccessKeyId, *accessKey.SecretAccessKey, ""),
))
if err != nil {
panic(err)
}
// Add test options if this is a test run. This is needed only for testing purposes.
scenario.addTestOptions(&noPermsConfig)
s3Client := s3.NewFromConfig(noPermsConfig)
_, err = s3Client.ListBuckets(ctx, &s3.ListBucketsInput{})
if err != nil {
// The SDK for Go does not model the AccessDenied error, so check ErrorCode directly.
var ae smithy.APIError
if errors.As(err, &ae) {
switch ae.ErrorCode() {
case "AccessDenied":
log.Println("Got AccessDenied error, which is the expected result because\n" +
"the ListBuckets call was made without permissions.")
default:
log.Println("Expected AccessDenied, got something else.")
panic(err)
}
}
} else {
log.Println("Expected AccessDenied error when calling ListBuckets without permissions,\n" +
"but the call succeeded. Continuing the example anyway...")
}
log.Println(strings.Repeat("-", 88))
return &noPermsConfig
}
// ListBucketsWithAssumedRole performs the following actions:
//
// 1. Creates an AWS Security Token Service (AWS STS) client from the config created from
// the user's access key credentials.
// 2. Gets temporary credentials by assuming the role that grants permission to list the
// buckets.
// 3. Creates an Amazon S3 client from the temporary credentials.
// 4. Lists buckets for the account. Because the temporary credentials are generated by
// assuming the role that grants permission, the action succeeds.
func (scenario AssumeRoleScenario) ListBucketsWithAssumedRole(ctx context.Context, noPermsConfig *aws.Config, role *types.Role) {
log.Println("Let's assume the role that grants permission to list buckets and try again.")
scenario.questioner.Ask("Press Enter when you're ready.")
stsClient := sts.NewFromConfig(*noPermsConfig)
tempCredentials, err := stsClient.AssumeRole(ctx, &sts.AssumeRoleInput{
RoleArn: role.Arn,
RoleSessionName: aws.String("AssumeRoleExampleSession"),
DurationSeconds: aws.Int32(900),
})
if err != nil {
log.Printf("Couldn't assume role %v.\n", *role.RoleName)
panic(err)
}
log.Printf("Assumed role %v, got temporary credentials.\n", *role.RoleName)
assumeRoleConfig, err := config.LoadDefaultConfig(ctx,
config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
*tempCredentials.Credentials.AccessKeyId,
*tempCredentials.Credentials.SecretAccessKey,
*tempCredentials.Credentials.SessionToken),
),
)
if err != nil {
panic(err)
}
// Add test options if this is a test run. This is needed only for testing purposes.
scenario.addTestOptions(&assumeRoleConfig)
s3Client := s3.NewFromConfig(assumeRoleConfig)
result, err := s3Client.ListBuckets(ctx, &s3.ListBucketsInput{})
if err != nil {
log.Println("Couldn't list buckets with assumed role credentials.")
panic(err)
}
log.Println("Successfully called ListBuckets with assumed role credentials, \n" +
"here are some of them:")
for i := 0; i < len(result.Buckets) && i < 5; i++ {
log.Printf("\t%v\n", *result.Buckets[i].Name)
}
log.Println(strings.Repeat("-", 88))
}
// Cleanup deletes all resources created for the scenario.
func (scenario AssumeRoleScenario) Cleanup(ctx context.Context, user *types.User, role *types.Role) {
if scenario.questioner.AskBool(
"Do you want to delete the resources created for this example? (y/n)", "y",
) {
policies, err := scenario.roleWrapper.ListAttachedRolePolicies(ctx, *role.RoleName)
if err != nil {
panic(err)
}
for _, policy := range policies {
err = scenario.roleWrapper.DetachRolePolicy(ctx, *role.RoleName, *policy.PolicyArn)
if err != nil {
panic(err)
}
err = scenario.policyWrapper.DeletePolicy(ctx, *policy.PolicyArn)
if err != nil {
panic(err)
}
log.Printf("Detached policy %v from role %v and deleted the policy.\n",
*policy.PolicyName, *role.RoleName)
}
err = scenario.roleWrapper.DeleteRole(ctx, *role.RoleName)
if err != nil {
panic(err)
}
log.Printf("Deleted role %v.\n", *role.RoleName)
userPols, err := scenario.userWrapper.ListUserPolicies(ctx, *user.UserName)
if err != nil {
panic(err)
}
for _, userPol := range userPols {
err = scenario.userWrapper.DeleteUserPolicy(ctx, *user.UserName, userPol)
if err != nil {
panic(err)
}
log.Printf("Deleted policy %v from user %v.\n", userPol, *user.UserName)
}
keys, err := scenario.userWrapper.ListAccessKeys(ctx, *user.UserName)
if err != nil {
panic(err)
}
for _, key := range keys {
err = scenario.userWrapper.DeleteAccessKey(ctx, *user.UserName, *key.AccessKeyId)
if err != nil {
panic(err)
}
log.Printf("Deleted access key %v from user %v.\n", *key.AccessKeyId, *user.UserName)
}
err = scenario.userWrapper.DeleteUser(ctx, *user.UserName)
if err != nil {
panic(err)
}
log.Printf("Deleted user %v.\n", *user.UserName)
log.Println(strings.Repeat("-", 88))
}
}
// IScenarioHelper abstracts input and wait functions from a scenario so that they
// can be mocked for unit testing.
type IScenarioHelper interface {
GetName() string
Pause(secs int)
}
const rMax = 100000
type ScenarioHelper struct {
Prefix string
Random *rand.Rand
}
// GetName returns a unique name formed of a prefix and a random number.
func (helper *ScenarioHelper) GetName() string {
return fmt.Sprintf("%v%v", helper.Prefix, helper.Random.Intn(rMax))
}
// Pause waits for the specified number of seconds.
func (helper ScenarioHelper) Pause(secs int) {
time.Sleep(time.Duration(secs) * time.Second)
}
```
定義包裝帳號動作的結構。
```
import (
"context"
"log"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions
// used in the examples.
// It contains an IAM service client that is used to perform account actions.
type AccountWrapper struct {
IamClient *iam.Client
}
// GetAccountPasswordPolicy gets the account password policy for the current account.
// If no policy has been set, a NoSuchEntityException is error is returned.
func (wrapper AccountWrapper) GetAccountPasswordPolicy(ctx context.Context) (*types.PasswordPolicy, error) {
var pwPolicy *types.PasswordPolicy
result, err := wrapper.IamClient.GetAccountPasswordPolicy(ctx,
&iam.GetAccountPasswordPolicyInput{})
if err != nil {
log.Printf("Couldn't get account password policy. Here's why: %v\n", err)
} else {
pwPolicy = result.PasswordPolicy
}
return pwPolicy, err
}
// ListSAMLProviders gets the SAML providers for the account.
func (wrapper AccountWrapper) ListSAMLProviders(ctx context.Context) ([]types.SAMLProviderListEntry, error) {
var providers []types.SAMLProviderListEntry
result, err := wrapper.IamClient.ListSAMLProviders(ctx, &iam.ListSAMLProvidersInput{})
if err != nil {
log.Printf("Couldn't list SAML providers. Here's why: %v\n", err)
} else {
providers = result.SAMLProviderList
}
return providers, err
}
```
定義包裝政策動作的結構。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions
// used in the examples.
// It contains an IAM service client that is used to perform policy actions.
type PolicyWrapper struct {
IamClient *iam.Client
}
// ListPolicies gets up to maxPolicies policies.
func (wrapper PolicyWrapper) ListPolicies(ctx context.Context, maxPolicies int32) ([]types.Policy, error) {
var policies []types.Policy
result, err := wrapper.IamClient.ListPolicies(ctx, &iam.ListPoliciesInput{
MaxItems: aws.Int32(maxPolicies),
})
if err != nil {
log.Printf("Couldn't list policies. Here's why: %v\n", err)
} else {
policies = result.Policies
}
return policies, err
}
// PolicyDocument defines a policy document as a Go struct that can be serialized
// to JSON.
type PolicyDocument struct {
Version string
Statement []PolicyStatement
}
// PolicyStatement defines a statement in a policy document.
type PolicyStatement struct {
Effect string
Action []string
Principal map[string]string `json:",omitempty"`
Resource *string `json:",omitempty"`
}
// CreatePolicy creates a policy that grants a list of actions to the specified resource.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper PolicyWrapper) CreatePolicy(ctx context.Context, policyName string, actions []string,
resourceArn string) (*types.Policy, error) {
var policy *types.Policy
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(resourceArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", resourceArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreatePolicy(ctx, &iam.CreatePolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
})
if err != nil {
log.Printf("Couldn't create policy %v. Here's why: %v\n", policyName, err)
} else {
policy = result.Policy
}
return policy, err
}
// GetPolicy gets data about a policy.
func (wrapper PolicyWrapper) GetPolicy(ctx context.Context, policyArn string) (*types.Policy, error) {
var policy *types.Policy
result, err := wrapper.IamClient.GetPolicy(ctx, &iam.GetPolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't get policy %v. Here's why: %v\n", policyArn, err)
} else {
policy = result.Policy
}
return policy, err
}
// DeletePolicy deletes a policy.
func (wrapper PolicyWrapper) DeletePolicy(ctx context.Context, policyArn string) error {
_, err := wrapper.IamClient.DeletePolicy(ctx, &iam.DeletePolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't delete policy %v. Here's why: %v\n", policyArn, err)
}
return err
}
```
定義包裝角色動作的結構。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// ListRoles gets up to maxRoles roles.
func (wrapper RoleWrapper) ListRoles(ctx context.Context, maxRoles int32) ([]types.Role, error) {
var roles []types.Role
result, err := wrapper.IamClient.ListRoles(ctx,
&iam.ListRolesInput{MaxItems: aws.Int32(maxRoles)},
)
if err != nil {
log.Printf("Couldn't list roles. Here's why: %v\n", err)
} else {
roles = result.Roles
}
return roles, err
}
// CreateRole creates a role that trusts a specified user. The trusted user can assume
// the role to acquire its permissions.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper RoleWrapper) CreateRole(ctx context.Context, roleName string, trustedUserArn string) (*types.Role, error) {
var role *types.Role
trustPolicy := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Principal: map[string]string{"AWS": trustedUserArn},
Action: []string{"sts:AssumeRole"},
}},
}
policyBytes, err := json.Marshal(trustPolicy)
if err != nil {
log.Printf("Couldn't create trust policy for %v. Here's why: %v\n", trustedUserArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreateRole(ctx, &iam.CreateRoleInput{
AssumeRolePolicyDocument: aws.String(string(policyBytes)),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't create role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
// GetRole gets data about a role.
func (wrapper RoleWrapper) GetRole(ctx context.Context, roleName string) (*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.GetRole(ctx,
&iam.GetRoleInput{RoleName: aws.String(roleName)})
if err != nil {
log.Printf("Couldn't get role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
// CreateServiceLinkedRole creates a service-linked role that is owned by the specified service.
func (wrapper RoleWrapper) CreateServiceLinkedRole(ctx context.Context, serviceName string, description string) (
*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.CreateServiceLinkedRole(ctx, &iam.CreateServiceLinkedRoleInput{
AWSServiceName: aws.String(serviceName),
Description: aws.String(description),
})
if err != nil {
log.Printf("Couldn't create service-linked role %v. Here's why: %v\n", serviceName, err)
} else {
role = result.Role
}
return role, err
}
// DeleteServiceLinkedRole deletes a service-linked role.
func (wrapper RoleWrapper) DeleteServiceLinkedRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteServiceLinkedRole(ctx, &iam.DeleteServiceLinkedRoleInput{
RoleName: aws.String(roleName)},
)
if err != nil {
log.Printf("Couldn't delete service-linked role %v. Here's why: %v\n", roleName, err)
}
return err
}
// AttachRolePolicy attaches a policy to a role.
func (wrapper RoleWrapper) AttachRolePolicy(ctx context.Context, policyArn string, roleName string) error {
_, err := wrapper.IamClient.AttachRolePolicy(ctx, &iam.AttachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't attach policy %v to role %v. Here's why: %v\n", policyArn, roleName, err)
}
return err
}
// ListAttachedRolePolicies lists the policies that are attached to the specified role.
func (wrapper RoleWrapper) ListAttachedRolePolicies(ctx context.Context, roleName string) ([]types.AttachedPolicy, error) {
var policies []types.AttachedPolicy
result, err := wrapper.IamClient.ListAttachedRolePolicies(ctx, &iam.ListAttachedRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list attached policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.AttachedPolicies
}
return policies, err
}
// DetachRolePolicy detaches a policy from a role.
func (wrapper RoleWrapper) DetachRolePolicy(ctx context.Context, roleName string, policyArn string) error {
_, err := wrapper.IamClient.DetachRolePolicy(ctx, &iam.DetachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't detach policy from role %v. Here's why: %v\n", roleName, err)
}
return err
}
// ListRolePolicies lists the inline policies for a role.
func (wrapper RoleWrapper) ListRolePolicies(ctx context.Context, roleName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListRolePolicies(ctx, &iam.ListRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
// DeleteRole deletes a role. All attached policies must be detached before a
// role can be deleted.
func (wrapper RoleWrapper) DeleteRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteRole(ctx, &iam.DeleteRoleInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't delete role %v. Here's why: %v\n", roleName, err)
}
return err
}
```
定義包裝使用者動作的結構。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// ListUsers gets up to maxUsers number of users.
func (wrapper UserWrapper) ListUsers(ctx context.Context, maxUsers int32) ([]types.User, error) {
var users []types.User
result, err := wrapper.IamClient.ListUsers(ctx, &iam.ListUsersInput{
MaxItems: aws.Int32(maxUsers),
})
if err != nil {
log.Printf("Couldn't list users. Here's why: %v\n", err)
} else {
users = result.Users
}
return users, err
}
// GetUser gets data about a user.
func (wrapper UserWrapper) GetUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.GetUser(ctx, &iam.GetUserInput{
UserName: aws.String(userName),
})
if err != nil {
var apiError smithy.APIError
if errors.As(err, &apiError) {
switch apiError.(type) {
case *types.NoSuchEntityException:
log.Printf("User %v does not exist.\n", userName)
err = nil
default:
log.Printf("Couldn't get user %v. Here's why: %v\n", userName, err)
}
}
} else {
user = result.User
}
return user, err
}
// CreateUser creates a new user with the specified name.
func (wrapper UserWrapper) CreateUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.CreateUser(ctx, &iam.CreateUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
} else {
user = result.User
}
return user, err
}
// CreateUserPolicy adds an inline policy to a user. This example creates a policy that
// grants a list of actions on a specified role.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper UserWrapper) CreateUserPolicy(ctx context.Context, userName string, policyName string, actions []string,
roleArn string) error {
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(roleArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", roleArn, err)
return err
}
_, err = wrapper.IamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create policy for user %v. Here's why: %v\n", userName, err)
}
return err
}
// ListUserPolicies lists the inline policies for the specified user.
func (wrapper UserWrapper) ListUserPolicies(ctx context.Context, userName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list policies for user %v. Here's why: %v\n", userName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
// DeleteUserPolicy deletes an inline policy from a user.
func (wrapper UserWrapper) DeleteUserPolicy(ctx context.Context, userName string, policyName string) error {
_, err := wrapper.IamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete policy from user %v. Here's why: %v\n", userName, err)
}
return err
}
// DeleteUser deletes a user.
func (wrapper UserWrapper) DeleteUser(ctx context.Context, userName string) error {
_, err := wrapper.IamClient.DeleteUser(ctx, &iam.DeleteUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete user %v. Here's why: %v\n", userName, err)
}
return err
}
// CreateAccessKeyPair creates an access key for a user. The returned access key contains
// the ID and secret credentials needed to use the key.
func (wrapper UserWrapper) CreateAccessKeyPair(ctx context.Context, userName string) (*types.AccessKey, error) {
var key *types.AccessKey
result, err := wrapper.IamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
UserName: aws.String(userName)})
if err != nil {
log.Printf("Couldn't create access key pair for user %v. Here's why: %v\n", userName, err)
} else {
key = result.AccessKey
}
return key, err
}
// DeleteAccessKey deletes an access key from a user.
func (wrapper UserWrapper) DeleteAccessKey(ctx context.Context, userName string, keyId string) error {
_, err := wrapper.IamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
AccessKeyId: aws.String(keyId),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete access key %v. Here's why: %v\n", keyId, err)
}
return err
}
// ListAccessKeys lists the access keys for the specified user.
func (wrapper UserWrapper) ListAccessKeys(ctx context.Context, userName string) ([]types.AccessKeyMetadata, error) {
var keys []types.AccessKeyMetadata
result, err := wrapper.IamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list access keys for user %v. Here's why: %v\n", userName, err)
} else {
keys = result.AccessKeyMetadata
}
return keys, err
}
```
+ 如需 API 詳細資訊,請參閱《*適用於 Go 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.AttachRolePolicy)
+ [CreateAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateAccessKey)
+ [CreatePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreatePolicy)
+ [CreateRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateRole)
+ [CreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateUser)
+ [DeleteAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteAccessKey)
+ [DeletePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeletePolicy)
+ [DeleteRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteRole)
+ [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUser)
+ [DeleteUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUserPolicy)
+ [DetachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DetachRolePolicy)
+ [PutUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.PutUserPolicy)
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
建立可包裝 IAM 使用者動作的函數。
```
/*
To run this Java V2 code example, set up your development environment, including your credentials.
For information, see this documentation topic:
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
This example performs these operations:
1. Creates a user that has no permissions.
2. Creates a role and policy that grants Amazon S3 permissions.
3. Creates a role.
4. Grants the user permissions.
5. Gets temporary credentials by assuming the role. Creates an Amazon S3 Service client object with the temporary credentials.
6. Deletes the resources.
*/
public class IAMScenario {
public static final String DASHES = new String(new char[80]).replace("\0", "-");
public static final String PolicyDocument = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Action\": [" +
" \"s3:*\"" +
" ]," +
" \"Resource\": \"*\"" +
" }" +
" ]" +
"}";
public static String userArn;
public static void main(String[] args) throws Exception {
final String usage = """
Usage:
\s
Where:
username - The name of the IAM user to create.\s
policyName - The name of the policy to create.\s
roleName - The name of the role to create.\s
roleSessionName - The name of the session required for the assumeRole operation.\s
bucketName - The name of the Amazon S3 bucket from which objects are read.\s
""";
if (args.length != 5) {
System.out.println(usage);
System.exit(1);
}
String userName = args[0];
String policyName = args[1];
String roleName = args[2];
String roleSessionName = args[3];
String bucketName = args[4];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
System.out.println(DASHES);
System.out.println("Welcome to the AWS IAM example scenario.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println(" 1. Create the IAM user.");
User createUser = createIAMUser(iam, userName);
System.out.println(DASHES);
userArn = createUser.arn();
AccessKey myKey = createIAMAccessKey(iam, userName);
String accessKey = myKey.accessKeyId();
String secretKey = myKey.secretAccessKey();
String assumeRolePolicyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
" \"AWS\": \"" + userArn + "\"" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
System.out.println(assumeRolePolicyDocument);
System.out.println(userName + " was successfully created.");
System.out.println(DASHES);
System.out.println("2. Creates a policy.");
String polArn = createIAMPolicy(iam, policyName);
System.out.println("The policy " + polArn + " was successfully created.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("3. Creates a role.");
TimeUnit.SECONDS.sleep(30);
String roleArn = createIAMRole(iam, roleName, assumeRolePolicyDocument);
System.out.println(roleArn + " was successfully created.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("4. Grants the user permissions.");
attachIAMRolePolicy(iam, roleName, polArn);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("*** Wait for 30 secs so the resource is available");
TimeUnit.SECONDS.sleep(30);
System.out.println("5. Gets temporary credentials by assuming the role.");
System.out.println("Perform an Amazon S3 Service operation using the temporary credentials.");
assumeRole(roleArn, roleSessionName, bucketName, accessKey, secretKey);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("6 Getting ready to delete the AWS resources");
deleteKey(iam, userName, accessKey);
deleteRole(iam, roleName, polArn);
deleteIAMUser(iam, userName);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("This IAM Scenario has successfully completed");
System.out.println(DASHES);
}
public static AccessKey createIAMAccessKey(IamClient iam, String user) {
try {
CreateAccessKeyRequest request = CreateAccessKeyRequest.builder()
.userName(user)
.build();
CreateAccessKeyResponse response = iam.createAccessKey(request);
return response.accessKey();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return null;
}
public static User createIAMUser(IamClient iam, String username) {
try {
// Create an IamWaiter object
IamWaiter iamWaiter = iam.waiter();
CreateUserRequest request = CreateUserRequest.builder()
.userName(username)
.build();
// Wait until the user is created.
CreateUserResponse response = iam.createUser(request);
GetUserRequest userRequest = GetUserRequest.builder()
.userName(response.user().userName())
.build();
WaiterResponse waitUntilUserExists = iamWaiter.waitUntilUserExists(userRequest);
waitUntilUserExists.matched().response().ifPresent(System.out::println);
return response.user();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return null;
}
public static String createIAMRole(IamClient iam, String rolename, String json) {
try {
CreateRoleRequest request = CreateRoleRequest.builder()
.roleName(rolename)
.assumeRolePolicyDocument(json)
.description("Created using the AWS SDK for Java")
.build();
CreateRoleResponse response = iam.createRole(request);
System.out.println("The ARN of the role is " + response.role().arn());
return response.role().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
public static String createIAMPolicy(IamClient iam, String policyName) {
try {
// Create an IamWaiter object.
IamWaiter iamWaiter = iam.waiter();
CreatePolicyRequest request = CreatePolicyRequest.builder()
.policyName(policyName)
.policyDocument(PolicyDocument).build();
CreatePolicyResponse response = iam.createPolicy(request);
GetPolicyRequest polRequest = GetPolicyRequest.builder()
.policyArn(response.policy().arn())
.build();
WaiterResponse waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest);
waitUntilPolicyExists.matched().response().ifPresent(System.out::println);
return response.policy().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) {
try {
ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
.roleName(roleName)
.build();
ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request);
List attachedPolicies = response.attachedPolicies();
String polArn;
for (AttachedPolicy policy : attachedPolicies) {
polArn = policy.policyArn();
if (polArn.compareTo(policyArn) == 0) {
System.out.println(roleName + " policy is already attached to this role.");
return;
}
}
AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.attachRolePolicy(attachRequest);
System.out.println("Successfully attached policy " + policyArn + " to role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
// Invoke an Amazon S3 operation using the Assumed Role.
public static void assumeRole(String roleArn, String roleSessionName, String bucketName, String keyVal,
String keySecret) {
// Use the creds of the new IAM user that was created in this code example.
AwsBasicCredentials credentials = AwsBasicCredentials.create(keyVal, keySecret);
StsClient stsClient = StsClient.builder()
.region(Region.US_EAST_1)
.credentialsProvider(StaticCredentialsProvider.create(credentials))
.build();
try {
AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
.roleArn(roleArn)
.roleSessionName(roleSessionName)
.build();
AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
Credentials myCreds = roleResponse.credentials();
String key = myCreds.accessKeyId();
String secKey = myCreds.secretAccessKey();
String secToken = myCreds.sessionToken();
// List all objects in an Amazon S3 bucket using the temp creds retrieved by
// invoking assumeRole.
Region region = Region.US_EAST_1;
S3Client s3 = S3Client.builder()
.credentialsProvider(
StaticCredentialsProvider.create(AwsSessionCredentials.create(key, secKey, secToken)))
.region(region)
.build();
System.out.println("Created a S3Client using temp credentials.");
System.out.println("Listing objects in " + bucketName);
ListObjectsRequest listObjects = ListObjectsRequest.builder()
.bucket(bucketName)
.build();
ListObjectsResponse res = s3.listObjects(listObjects);
List objects = res.contents();
for (S3Object myValue : objects) {
System.out.println("The name of the key is " + myValue.key());
System.out.println("The owner is " + myValue.owner());
}
} catch (StsException e) {
System.err.println(e.getMessage());
System.exit(1);
}
}
public static void deleteRole(IamClient iam, String roleName, String polArn) {
try {
// First the policy needs to be detached.
DetachRolePolicyRequest rolePolicyRequest = DetachRolePolicyRequest.builder()
.policyArn(polArn)
.roleName(roleName)
.build();
iam.detachRolePolicy(rolePolicyRequest);
// Delete the policy.
DeletePolicyRequest request = DeletePolicyRequest.builder()
.policyArn(polArn)
.build();
iam.deletePolicy(request);
System.out.println("*** Successfully deleted " + polArn);
// Delete the role.
DeleteRoleRequest roleRequest = DeleteRoleRequest.builder()
.roleName(roleName)
.build();
iam.deleteRole(roleRequest);
System.out.println("*** Successfully deleted " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
public static void deleteKey(IamClient iam, String username, String accessKey) {
try {
DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder()
.accessKeyId(accessKey)
.userName(username)
.build();
iam.deleteAccessKey(request);
System.out.println("Successfully deleted access key " + accessKey +
" from user " + username);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
public static void deleteIAMUser(IamClient iam, String userName) {
try {
DeleteUserRequest request = DeleteUserRequest.builder()
.userName(userName)
.build();
iam.deleteUser(request);
System.out.println("*** Successfully deleted " + userName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱《*AWS SDK for Java 2.x API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/PutUserPolicy)
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立一個可授予許可的 IAM 使用者和角色,以列出 Amazon S3 儲存貯體。使用者只有擔任該角色的權利。擔任角色後,請使用暫時性憑證列出該帳戶的儲存貯體。
```
import {
CreateUserCommand,
GetUserCommand,
CreateAccessKeyCommand,
CreatePolicyCommand,
CreateRoleCommand,
AttachRolePolicyCommand,
DeleteAccessKeyCommand,
DeleteUserCommand,
DeleteRoleCommand,
DeletePolicyCommand,
DetachRolePolicyCommand,
IAMClient,
} from "@aws-sdk/client-iam";
import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3";
import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
import { retry } from "@aws-doc-sdk-examples/lib/utils/util-timers.js";
import { ScenarioInput } from "@aws-doc-sdk-examples/lib/scenario/index.js";
// Set the parameters.
const iamClient = new IAMClient({});
const userName = "iam_basic_test_username";
const policyName = "iam_basic_test_policy";
const roleName = "iam_basic_test_role";
/**
* Create a new IAM user. If the user already exists, give
* the option to delete and re-create it.
* @param {string} name
*/
export const createUser = async (name, confirmAll = false) => {
try {
const { User } = await iamClient.send(
new GetUserCommand({ UserName: name }),
);
const input = new ScenarioInput(
"deleteUser",
"Do you want to delete and remake this user?",
{ type: "confirm" },
);
const deleteUser = await input.handle({}, { confirmAll });
// If the user exists, and you want to delete it, delete the user
// and then create it again.
if (deleteUser) {
await iamClient.send(new DeleteUserCommand({ UserName: User.UserName }));
await iamClient.send(new CreateUserCommand({ UserName: name }));
} else {
console.warn(
`${name} already exists. The scenario may not work as expected.`,
);
return User;
}
} catch (caught) {
// If there is no user by that name, create one.
if (caught instanceof Error && caught.name === "NoSuchEntityException") {
const { User } = await iamClient.send(
new CreateUserCommand({ UserName: name }),
);
return User;
}
throw caught;
}
};
export const main = async (confirmAll = false) => {
// Create a user. The user has no permissions by default.
const User = await createUser(userName, confirmAll);
if (!User) {
throw new Error("User not created");
}
// Create an access key. This key is used to authenticate the new user to
// Amazon Simple Storage Service (Amazon S3) and AWS Security Token Service (AWS STS).
// It's not best practice to use access keys. For more information, see https://aws.amazon.com/iam/resources/best-practices/.
const createAccessKeyResponse = await iamClient.send(
new CreateAccessKeyCommand({ UserName: userName }),
);
if (
!createAccessKeyResponse.AccessKey?.AccessKeyId ||
!createAccessKeyResponse.AccessKey?.SecretAccessKey
) {
throw new Error("Access key not created");
}
const {
AccessKey: { AccessKeyId, SecretAccessKey },
} = createAccessKeyResponse;
let s3Client = new S3Client({
credentials: {
accessKeyId: AccessKeyId,
secretAccessKey: SecretAccessKey,
},
});
// Retry the list buckets operation until it succeeds. InvalidAccessKeyId is
// thrown while the user and access keys are still stabilizing.
await retry({ intervalInMs: 1000, maxRetries: 300 }, async () => {
try {
return await listBuckets(s3Client);
} catch (err) {
if (err instanceof Error && err.name === "InvalidAccessKeyId") {
throw err;
}
}
});
// Retry the create role operation until it succeeds. A MalformedPolicyDocument error
// is thrown while the user and access keys are still stabilizing.
const { Role } = await retry(
{
intervalInMs: 2000,
maxRetries: 60,
},
() =>
iamClient.send(
new CreateRoleCommand({
AssumeRolePolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Principal: {
// Allow the previously created user to assume this role.
AWS: User.Arn,
},
Action: "sts:AssumeRole",
},
],
}),
RoleName: roleName,
}),
),
);
if (!Role) {
throw new Error("Role not created");
}
// Create a policy that allows the user to list S3 buckets.
const { Policy: listBucketPolicy } = await iamClient.send(
new CreatePolicyCommand({
PolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: ["s3:ListAllMyBuckets"],
Resource: "*",
},
],
}),
PolicyName: policyName,
}),
);
if (!listBucketPolicy) {
throw new Error("Policy not created");
}
// Attach the policy granting the 's3:ListAllMyBuckets' action to the role.
await iamClient.send(
new AttachRolePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
RoleName: Role.RoleName,
}),
);
// Assume the role.
const stsClient = new STSClient({
credentials: {
accessKeyId: AccessKeyId,
secretAccessKey: SecretAccessKey,
},
});
// Retry the assume role operation until it succeeds.
const { Credentials } = await retry(
{ intervalInMs: 2000, maxRetries: 60 },
() =>
stsClient.send(
new AssumeRoleCommand({
RoleArn: Role.Arn,
RoleSessionName: `iamBasicScenarioSession-${Math.floor(
Math.random() * 1000000,
)}`,
DurationSeconds: 900,
}),
),
);
if (!Credentials?.AccessKeyId || !Credentials?.SecretAccessKey) {
throw new Error("Credentials not created");
}
s3Client = new S3Client({
credentials: {
accessKeyId: Credentials.AccessKeyId,
secretAccessKey: Credentials.SecretAccessKey,
sessionToken: Credentials.SessionToken,
},
});
// List the S3 buckets again.
// Retry the list buckets operation until it succeeds. AccessDenied might
// be thrown while the role policy is still stabilizing.
await retry({ intervalInMs: 2000, maxRetries: 120 }, () =>
listBuckets(s3Client),
);
// Clean up.
await iamClient.send(
new DetachRolePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
RoleName: Role.RoleName,
}),
);
await iamClient.send(
new DeletePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
}),
);
await iamClient.send(
new DeleteRoleCommand({
RoleName: Role.RoleName,
}),
);
await iamClient.send(
new DeleteAccessKeyCommand({
UserName: userName,
AccessKeyId,
}),
);
await iamClient.send(
new DeleteUserCommand({
UserName: userName,
}),
);
};
/**
*
* @param {S3Client} s3Client
*/
const listBuckets = async (s3Client) => {
const { Buckets } = await s3Client.send(new ListBucketsCommand({}));
if (!Buckets) {
throw new Error("Buckets not listed");
}
console.log(Buckets.map((bucket) => bucket.Name).join("\n"));
};
```
+ 如需 API 詳細資訊,請參閱《*適用於 JavaScript 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/AttachRolePolicyCommand)
+ [CreateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccessKeyCommand)
+ [CreatePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreatePolicyCommand)
+ [CreateRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateRoleCommand)
+ [CreateUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateUserCommand)
+ [DeleteAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccessKeyCommand)
+ [DeletePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeletePolicyCommand)
+ [DeleteRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRoleCommand)
+ [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserCommand)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserPolicyCommand)
+ [DetachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DetachRolePolicyCommand)
+ [PutUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/PutUserPolicyCommand)
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
建立可包裝 IAM 使用者動作的函數。
```
suspend fun main(args: Array) {
val usage = """
Usage:
Where:
username - The name of the IAM user to create.
policyName - The name of the policy to create.
roleName - The name of the role to create.
roleSessionName - The name of the session required for the assumeRole operation.
fileLocation - The file location to the JSON required to create the role (see Readme).
bucketName - The name of the Amazon S3 bucket from which objects are read.
"""
if (args.size != 6) {
println(usage)
exitProcess(1)
}
val userName = args[0]
val policyName = args[1]
val roleName = args[2]
val roleSessionName = args[3]
val fileLocation = args[4]
val bucketName = args[5]
createUser(userName)
println("$userName was successfully created.")
val polArn = createPolicy(policyName)
println("The policy $polArn was successfully created.")
val roleArn = createRole(roleName, fileLocation)
println("$roleArn was successfully created.")
attachRolePolicy(roleName, polArn)
println("*** Wait for 1 MIN so the resource is available.")
delay(60000)
assumeGivenRole(roleArn, roleSessionName, bucketName)
println("*** Getting ready to delete the AWS resources.")
deleteRole(roleName, polArn)
deleteUser(userName)
println("This IAM Scenario has successfully completed.")
}
suspend fun createUser(usernameVal: String?): String? {
val request =
CreateUserRequest {
userName = usernameVal
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createUser(request)
return response.user?.userName
}
}
suspend fun createPolicy(policyNameVal: String?): String {
val policyDocumentValue = """
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*"
}
]
}
""".trimIndent()
val request =
CreatePolicyRequest {
policyName = policyNameVal
policyDocument = policyDocumentValue
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createPolicy(request)
return response.policy?.arn.toString()
}
}
suspend fun createRole(
rolenameVal: String?,
fileLocation: String?,
): String? {
val jsonObject = fileLocation?.let { readJsonSimpleDemo(it) } as JSONObject
val request =
CreateRoleRequest {
roleName = rolenameVal
assumeRolePolicyDocument = jsonObject.toJSONString()
description = "Created using the AWS SDK for Kotlin"
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createRole(request)
return response.role?.arn
}
}
suspend fun attachRolePolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
ListAttachedRolePoliciesRequest {
roleName = roleNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAttachedRolePolicies(request)
val attachedPolicies = response.attachedPolicies
// Ensure that the policy is not attached to this role.
val checkStatus: Int
if (attachedPolicies != null) {
checkStatus = checkMyList(attachedPolicies, policyArnVal)
if (checkStatus == -1) {
return
}
}
val policyRequest =
AttachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
iamClient.attachRolePolicy(policyRequest)
println("Successfully attached policy $policyArnVal to role $roleNameVal")
}
}
fun checkMyList(
attachedPolicies: List,
policyArnVal: String,
): Int {
for (policy in attachedPolicies) {
val polArn = policy.policyArn.toString()
if (polArn.compareTo(policyArnVal) == 0) {
println("The policy is already attached to this role.")
return -1
}
}
return 0
}
suspend fun assumeGivenRole(
roleArnVal: String?,
roleSessionNameVal: String?,
bucketName: String,
) {
val stsClient = StsClient.fromEnvironment { region = "us-east-1" }
val roleRequest =
AssumeRoleRequest {
roleArn = roleArnVal
roleSessionName = roleSessionNameVal
}
val roleResponse = stsClient.assumeRole(roleRequest)
val myCreds = roleResponse.credentials
val key = myCreds?.accessKeyId
val secKey = myCreds?.secretAccessKey
val secToken = myCreds?.sessionToken
val staticCredentials = StaticCredentialsProvider {
accessKeyId = key
secretAccessKey = secKey
sessionToken = secToken
}
// List all objects in an Amazon S3 bucket using the temp creds.
val s3 = S3Client.fromEnvironment {
region = "us-east-1"
credentialsProvider = staticCredentials
}
println("Created a S3Client using temp credentials.")
println("Listing objects in $bucketName")
val listObjects =
ListObjectsRequest {
bucket = bucketName
}
val response = s3.listObjects(listObjects)
response.contents?.forEach { myObject ->
println("The name of the key is ${myObject.key}")
println("The owner is ${myObject.owner}")
}
}
suspend fun deleteRole(
roleNameVal: String,
polArn: String,
) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
// First the policy needs to be detached.
val rolePolicyRequest =
DetachRolePolicyRequest {
policyArn = polArn
roleName = roleNameVal
}
iam.detachRolePolicy(rolePolicyRequest)
// Delete the policy.
val request =
DeletePolicyRequest {
policyArn = polArn
}
iam.deletePolicy(request)
println("*** Successfully deleted $polArn")
// Delete the role.
val roleRequest =
DeleteRoleRequest {
roleName = roleNameVal
}
iam.deleteRole(roleRequest)
println("*** Successfully deleted $roleNameVal")
}
suspend fun deleteUser(userNameVal: String) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
val request =
DeleteUserRequest {
userName = userNameVal
}
iam.deleteUser(request)
println("*** Successfully deleted $userNameVal")
}
@Throws(java.lang.Exception::class)
fun readJsonSimpleDemo(filename: String): Any? {
val reader = FileReader(filename)
val jsonParser = JSONParser()
return jsonParser.parse(reader)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的下列主題。
+ [AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [PutUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
namespace Iam\Basics;
require 'vendor/autoload.php';
use Aws\Credentials\Credentials;
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;
use Iam\IAMService;
echo("\n");
echo("--------------------------------------\n");
print("Welcome to the IAM getting started demo using PHP!\n");
echo("--------------------------------------\n");
$uuid = uniqid();
$service = new IAMService();
$user = $service->createUser("iam_demo_user_$uuid");
echo "Created user with the arn: {$user['Arn']}\n";
$key = $service->createAccessKey($user['UserName']);
$assumeRolePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{$user['Arn']}\"},
\"Action\": \"sts:AssumeRole\"
}]
}";
$assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument);
echo "Created role: {$assumeRoleRole['RoleName']}\n";
$listAllBucketsPolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}";
$listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument);
echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n";
$service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);
$inlinePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"{$assumeRoleRole['Arn']}\"}]
}";
$inlinePolicy = $service->createUserPolicy("iam_demo_inline_policy_$uuid", $inlinePolicyDocument, $user['UserName']);
//First, fail to list the buckets with the user
$credentials = new Credentials($key['AccessKeyId'], $key['SecretAccessKey']);
$s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]);
try {
$s3Client->listBuckets([
]);
echo "this should not run";
} catch (S3Exception $exception) {
echo "successfully failed!\n";
}
$stsClient = new StsClient(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]);
sleep(10);
$assumedRole = $stsClient->assumeRole([
'RoleArn' => $assumeRoleRole['Arn'],
'RoleSessionName' => "DemoAssumeRoleSession_$uuid",
]);
$assumedCredentials = [
'key' => $assumedRole['Credentials']['AccessKeyId'],
'secret' => $assumedRole['Credentials']['SecretAccessKey'],
'token' => $assumedRole['Credentials']['SessionToken'],
];
$s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $assumedCredentials]);
try {
$s3Client->listBuckets([]);
echo "this should now run!\n";
} catch (S3Exception $exception) {
echo "this should now not fail\n";
}
$service->detachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);
$deletePolicy = $service->deletePolicy($listAllBucketsPolicy['Arn']);
echo "Delete policy: {$listAllBucketsPolicy['PolicyName']}\n";
$deletedRole = $service->deleteRole($assumeRoleRole['Arn']);
echo "Deleted role: {$assumeRoleRole['RoleName']}\n";
$deletedKey = $service->deleteAccessKey($key['AccessKeyId'], $user['UserName']);
$deletedUser = $service->deleteUser($user['UserName']);
echo "Delete user: {$user['UserName']}\n";
```
+ 如需 API 詳細資訊,請參閱《*適用於 PHP 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Python ]
**SDK for Python (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
建立一個可授予許可的 IAM 使用者和角色,以列出 Amazon S3 儲存貯體。使用者只有擔任該角色的權利。擔任角色後,請使用暫時性憑證列出該帳戶的儲存貯體。
```
import json
import sys
import time
from uuid import uuid4
import boto3
from botocore.exceptions import ClientError
def progress_bar(seconds):
"""Shows a simple progress bar in the command window."""
for _ in range(seconds):
time.sleep(1)
print(".", end="")
sys.stdout.flush()
print()
def setup(iam_resource):
"""
Creates a new user with no permissions.
Creates an access key pair for the user.
Creates a role with a policy that lets the user assume the role.
Creates a policy that allows listing Amazon S3 buckets.
Attaches the policy to the role.
Creates an inline policy for the user that lets the user assume the role.
:param iam_resource: A Boto3 AWS Identity and Access Management (IAM) resource
that has permissions to create users, roles, and policies
in the account.
:return: The newly created user, user key, and role.
"""
try:
user = iam_resource.create_user(UserName=f"demo-user-{uuid4()}")
print(f"Created user {user.name}.")
except ClientError as error:
print(
f"Couldn't create a user for the demo. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
user_key = user.create_access_key_pair()
print(f"Created access key pair for user.")
except ClientError as error:
print(
f"Couldn't create access keys for user {user.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
print(f"Wait for user to be ready.", end="")
progress_bar(10)
try:
role = iam_resource.create_role(
RoleName=f"demo-role-{uuid4()}",
AssumeRolePolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": user.arn},
"Action": "sts:AssumeRole",
}
],
}
),
)
print(f"Created role {role.name}.")
except ClientError as error:
print(
f"Couldn't create a role for the demo. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
policy = iam_resource.create_policy(
PolicyName=f"demo-policy-{uuid4()}",
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
}
],
}
),
)
role.attach_policy(PolicyArn=policy.arn)
print(f"Created policy {policy.policy_name} and attached it to the role.")
except ClientError as error:
print(
f"Couldn't create a policy and attach it to role {role.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
user.create_policy(
PolicyName=f"demo-user-policy-{uuid4()}",
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": role.arn,
}
],
}
),
)
print(
f"Created an inline policy for {user.name} that lets the user assume "
f"the role."
)
except ClientError as error:
print(
f"Couldn't create an inline policy for user {user.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
print("Give AWS time to propagate these new resources and connections.", end="")
progress_bar(10)
return user, user_key, role
def show_access_denied_without_role(user_key):
"""
Shows that listing buckets without first assuming the role is not allowed.
:param user_key: The key of the user created during setup. This user does not
have permission to list buckets in the account.
"""
print(f"Try to list buckets without first assuming the role.")
s3_denied_resource = boto3.resource(
"s3", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try:
for bucket in s3_denied_resource.buckets.all():
print(bucket.name)
raise RuntimeError("Expected to get AccessDenied error when listing buckets!")
except ClientError as error:
if error.response["Error"]["Code"] == "AccessDenied":
print("Attempt to list buckets with no permissions: AccessDenied.")
else:
raise
def list_buckets_from_assumed_role(user_key, assume_role_arn, session_name):
"""
Assumes a role that grants permission to list the Amazon S3 buckets in the account.
Uses the temporary credentials from the role to list the buckets that are owned
by the assumed role's account.
:param user_key: The access key of a user that has permission to assume the role.
:param assume_role_arn: The Amazon Resource Name (ARN) of the role that
grants access to list the other account's buckets.
:param session_name: The name of the STS session.
"""
sts_client = boto3.client(
"sts", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try:
response = sts_client.assume_role(
RoleArn=assume_role_arn, RoleSessionName=session_name
)
temp_credentials = response["Credentials"]
print(f"Assumed role {assume_role_arn} and got temporary credentials.")
except ClientError as error:
print(
f"Couldn't assume role {assume_role_arn}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
# Create an S3 resource that can access the account with the temporary credentials.
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Listing buckets for the assumed role's account:")
try:
for bucket in s3_resource.buckets.all():
print(bucket.name)
except ClientError as error:
print(
f"Couldn't list buckets for the account. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
def teardown(user, role):
"""
Removes all resources created during setup.
:param user: The demo user.
:param role: The demo role.
"""
try:
for attached in role.attached_policies.all():
policy_name = attached.policy_name
role.detach_policy(PolicyArn=attached.arn)
attached.delete()
print(f"Detached and deleted {policy_name}.")
role.delete()
print(f"Deleted {role.name}.")
except ClientError as error:
print(
"Couldn't detach policy, delete policy, or delete role. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
for user_pol in user.policies.all():
user_pol.delete()
print("Deleted inline user policy.")
for key in user.access_keys.all():
key.delete()
print("Deleted user's access key.")
user.delete()
print(f"Deleted {user.name}.")
except ClientError as error:
print(
"Couldn't delete user policy or delete user. Here's why: "
f"{error.response['Error']['Message']}"
)
def usage_demo():
"""Drives the demonstration."""
print("-" * 88)
print(f"Welcome to the IAM create user and assume role demo.")
print("-" * 88)
iam_resource = boto3.resource("iam")
user = None
role = None
try:
user, user_key, role = setup(iam_resource)
print(f"Created {user.name} and {role.name}.")
show_access_denied_without_role(user_key)
list_buckets_from_assumed_role(user_key, role.arn, "AssumeRoleDemoSession")
except Exception:
print("Something went wrong!")
finally:
if user is not None and role is not None:
teardown(user, role)
print("Thanks for watching!")
if __name__ == "__main__":
usage_demo()
```
+ 如需 API 的詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/PutUserPolicy)
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
建立一個可授予許可的 IAM 使用者和角色,以列出 Amazon S3 儲存貯體。使用者只有擔任該角色的權利。擔任角色後,請使用暫時性憑證列出該帳戶的儲存貯體。
```
# Wraps the scenario actions.
class ScenarioCreateUserAssumeRole
attr_reader :iam_client
# @param [Aws::IAM::Client] iam_client: The AWS IAM client.
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Waits for the specified number of seconds.
#
# @param duration [Integer] The number of seconds to wait.
def wait(duration)
puts('Give AWS time to propagate resources...')
sleep(duration)
end
# Creates a user.
#
# @param user_name [String] The name to give the user.
# @return [Aws::IAM::User] The newly created user.
def create_user(user_name)
user = @iam_client.create_user(user_name: user_name).user
@logger.info("Created demo user named #{user.user_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info('Tried and failed to create demo user.')
@logger.info("\t#{e.code}: #{e.message}")
@logger.info("\nCan't continue the demo without a user!")
raise
else
user
end
# Creates an access key for a user.
#
# @param user [Aws::IAM::User] The user that owns the key.
# @return [Aws::IAM::AccessKeyPair] The newly created access key.
def create_access_key_pair(user)
user_key = @iam_client.create_access_key(user_name: user.user_name).access_key
@logger.info("Created accesskey pair for user #{user.user_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create access keys for user #{user.user_name}.")
@logger.info("\t#{e.code}: #{e.message}")
raise
else
user_key
end
# Creates a role that can be assumed by a user.
#
# @param role_name [String] The name to give the role.
# @param user [Aws::IAM::User] The user who is granted permission to assume the role.
# @return [Aws::IAM::Role] The newly created role.
def create_role(role_name, user)
trust_policy = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Principal: { 'AWS': user.arn },
Action: 'sts:AssumeRole'
}]
}.to_json
role = @iam_client.create_role(
role_name: role_name,
assume_role_policy_document: trust_policy
).role
@logger.info("Created role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create a role for the demo. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
else
role
end
# Creates a policy that grants permission to list S3 buckets in the account, and
# then attaches the policy to a role.
#
# @param policy_name [String] The name to give the policy.
# @param role [Aws::IAM::Role] The role that the policy is attached to.
# @return [Aws::IAM::Policy] The newly created policy.
def create_and_attach_role_policy(policy_name, role)
policy_document = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Action: 's3:ListAllMyBuckets',
Resource: 'arn:aws:s3:::*'
}]
}.to_json
policy = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document
).policy
@iam_client.attach_role_policy(
role_name: role.role_name,
policy_arn: policy.arn
)
@logger.info("Created policy #{policy.policy_name} and attached it to role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create a policy and attach it to role #{role.role_name}. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Creates an inline policy for a user that lets the user assume a role.
#
# @param policy_name [String] The name to give the policy.
# @param user [Aws::IAM::User] The user that owns the policy.
# @param role [Aws::IAM::Role] The role that can be assumed.
# @return [Aws::IAM::UserPolicy] The newly created policy.
def create_user_policy(policy_name, user, role)
policy_document = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Action: 'sts:AssumeRole',
Resource: role.arn
}]
}.to_json
@iam_client.put_user_policy(
user_name: user.user_name,
policy_name: policy_name,
policy_document: policy_document
)
puts("Created an inline policy for #{user.user_name} that lets the user assume role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create an inline policy for user #{user.user_name}. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Creates an Amazon S3 resource with specified credentials. This is separated into a
# factory function so that it can be mocked for unit testing.
#
# @param credentials [Aws::Credentials] The credentials used by the Amazon S3 resource.
def create_s3_resource(credentials)
Aws::S3::Resource.new(client: Aws::S3::Client.new(credentials: credentials))
end
# Lists the S3 buckets for the account, using the specified Amazon S3 resource.
# Because the resource uses credentials with limited access, it may not be able to
# list the S3 buckets.
#
# @param s3_resource [Aws::S3::Resource] An Amazon S3 resource.
def list_buckets(s3_resource)
count = 10
s3_resource.buckets.each do |bucket|
@logger.info "\t#{bucket.name}"
count -= 1
break if count.zero?
end
rescue Aws::Errors::ServiceError => e
if e.code == 'AccessDenied'
puts('Attempt to list buckets with no permissions: AccessDenied.')
else
@logger.info("Couldn't list buckets for the account. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
end
# Creates an AWS Security Token Service (AWS STS) client with specified credentials.
# This is separated into a factory function so that it can be mocked for unit testing.
#
# @param key_id [String] The ID of the access key used by the STS client.
# @param key_secret [String] The secret part of the access key used by the STS client.
def create_sts_client(key_id, key_secret)
Aws::STS::Client.new(access_key_id: key_id, secret_access_key: key_secret)
end
# Gets temporary credentials that can be used to assume a role.
#
# @param role_arn [String] The ARN of the role that is assumed when these credentials
# are used.
# @param sts_client [AWS::STS::Client] An AWS STS client.
# @return [Aws::AssumeRoleCredentials] The credentials that can be used to assume the role.
def assume_role(role_arn, sts_client)
credentials = Aws::AssumeRoleCredentials.new(
client: sts_client,
role_arn: role_arn,
role_session_name: 'create-use-assume-role-scenario'
)
@logger.info("Assumed role '#{role_arn}', got temporary credentials.")
credentials
end
# Deletes a role. If the role has policies attached, they are detached and
# deleted before the role is deleted.
#
# @param role_name [String] The name of the role to delete.
def delete_role(role_name)
@iam_client.list_attached_role_policies(role_name: role_name).attached_policies.each do |policy|
@iam_client.detach_role_policy(role_name: role_name, policy_arn: policy.policy_arn)
@iam_client.delete_policy(policy_arn: policy.policy_arn)
@logger.info("Detached and deleted policy #{policy.policy_name}.")
end
@iam_client.delete_role({ role_name: role_name })
@logger.info("Role deleted: #{role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't detach policies and delete role #{role.name}. Here's why:")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Deletes a user. If the user has inline policies or access keys, they are deleted
# before the user is deleted.
#
# @param user [Aws::IAM::User] The user to delete.
def delete_user(user_name)
user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata
user.each do |key|
@iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name })
@logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.")
end
@iam_client.delete_user(user_name: user_name)
@logger.info("Deleted user '#{user_name}'.")
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting user '#{user_name}': #{e.message}")
end
end
# Runs the IAM create a user and assume a role scenario.
def run_scenario(scenario)
puts('-' * 88)
puts('Welcome to the IAM create a user and assume a role demo!')
puts('-' * 88)
user = scenario.create_user("doc-example-user-#{Random.uuid}")
user_key = scenario.create_access_key_pair(user)
scenario.wait(10)
role = scenario.create_role("doc-example-role-#{Random.uuid}", user)
scenario.create_and_attach_role_policy("doc-example-role-policy-#{Random.uuid}", role)
scenario.create_user_policy("doc-example-user-policy-#{Random.uuid}", user, role)
scenario.wait(10)
puts('Try to list buckets with credentials for a user who has no permissions.')
puts('Expect AccessDenied from this call.')
scenario.list_buckets(
scenario.create_s3_resource(Aws::Credentials.new(user_key.access_key_id, user_key.secret_access_key))
)
puts('Now, assume the role that grants permission.')
temp_credentials = scenario.assume_role(
role.arn, scenario.create_sts_client(user_key.access_key_id, user_key.secret_access_key)
)
puts('Here are your buckets:')
scenario.list_buckets(scenario.create_s3_resource(temp_credentials))
puts("Deleting role '#{role.role_name}' and attached policies.")
scenario.delete_role(role.role_name)
puts("Deleting user '#{user.user_name}', policies, and keys.")
scenario.delete_user(user.user_name)
puts('Thanks for watching!')
puts('-' * 88)
rescue Aws::Errors::ServiceError => e
puts('Something went wrong with the demo.')
puts("\t#{e.code}: #{e.message}")
end
run_scenario(ScenarioCreateUserAssumeRole.new(Aws::IAM::Client.new)) if $PROGRAM_NAME == __FILE__
```
+ 如需 API 詳細資訊,請參閱《*適用於 Ruby 的 AWS SDK API 參考*》中的下列主題。
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
use aws_config::meta::region::RegionProviderChain;
use aws_sdk_iam::Error as iamError;
use aws_sdk_iam::{config::Credentials as iamCredentials, config::Region, Client as iamClient};
use aws_sdk_s3::Client as s3Client;
use aws_sdk_sts::Client as stsClient;
use tokio::time::{sleep, Duration};
use uuid::Uuid;
#[tokio::main]
async fn main() -> Result<(), iamError> {
let (client, uuid, list_all_buckets_policy_document, inline_policy_document) =
initialize_variables().await;
if let Err(e) = run_iam_operations(
client,
uuid,
list_all_buckets_policy_document,
inline_policy_document,
)
.await
{
println!("{:?}", e);
};
Ok(())
}
async fn initialize_variables() -> (iamClient, String, String, String) {
let region_provider = RegionProviderChain::first_try(Region::new("us-west-2"));
let shared_config = aws_config::from_env().region(region_provider).load().await;
let client = iamClient::new(&shared_config);
let uuid = Uuid::new_v4().to_string();
let list_all_buckets_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}"
.to_string();
let inline_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"{}\"}]
}"
.to_string();
(
client,
uuid,
list_all_buckets_policy_document,
inline_policy_document,
)
}
async fn run_iam_operations(
client: iamClient,
uuid: String,
list_all_buckets_policy_document: String,
inline_policy_document: String,
) -> Result<(), iamError> {
let user = iam_service::create_user(&client, &format!("{}{}", "iam_demo_user_", uuid)).await?;
println!("Created the user with the name: {}", user.user_name());
let key = iam_service::create_access_key(&client, user.user_name()).await?;
let assume_role_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{}\"},
\"Action\": \"sts:AssumeRole\"
}]
}"
.to_string()
.replace("{}", user.arn());
let assume_role_role = iam_service::create_role(
&client,
&format!("{}{}", "iam_demo_role_", uuid),
&assume_role_policy_document,
)
.await?;
println!("Created the role with the ARN: {}", assume_role_role.arn());
let list_all_buckets_policy = iam_service::create_policy(
&client,
&format!("{}{}", "iam_demo_policy_", uuid),
&list_all_buckets_policy_document,
)
.await?;
println!(
"Created policy: {}",
list_all_buckets_policy.policy_name.as_ref().unwrap()
);
let attach_role_policy_result =
iam_service::attach_role_policy(&client, &assume_role_role, &list_all_buckets_policy)
.await?;
println!(
"Attached the policy to the role: {:?}",
attach_role_policy_result
);
let inline_policy_name = format!("{}{}", "iam_demo_inline_policy_", uuid);
let inline_policy_document = inline_policy_document.replace("{}", assume_role_role.arn());
iam_service::create_user_policy(&client, &user, &inline_policy_name, &inline_policy_document)
.await?;
println!("Created inline policy.");
//First, fail to list the buckets with the user.
let creds = iamCredentials::from_keys(key.access_key_id(), key.secret_access_key(), None);
let fail_config = aws_config::from_env()
.credentials_provider(creds.clone())
.load()
.await;
println!("Fail config: {:?}", fail_config);
let fail_client: s3Client = s3Client::new(&fail_config);
match fail_client.list_buckets().send().await {
Ok(e) => {
println!("This should not run. {:?}", e);
}
Err(e) => {
println!("Successfully failed with error: {:?}", e)
}
}
let sts_config = aws_config::from_env()
.credentials_provider(creds.clone())
.load()
.await;
let sts_client: stsClient = stsClient::new(&sts_config);
sleep(Duration::from_secs(10)).await;
let assumed_role = sts_client
.assume_role()
.role_arn(assume_role_role.arn())
.role_session_name(format!("iam_demo_assumerole_session_{uuid}"))
.send()
.await;
println!("Assumed role: {:?}", assumed_role);
sleep(Duration::from_secs(10)).await;
let assumed_credentials = iamCredentials::from_keys(
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.access_key_id(),
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.secret_access_key(),
Some(
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.session_token
.clone(),
),
);
let succeed_config = aws_config::from_env()
.credentials_provider(assumed_credentials)
.load()
.await;
println!("succeed config: {:?}", succeed_config);
let succeed_client: s3Client = s3Client::new(&succeed_config);
sleep(Duration::from_secs(10)).await;
match succeed_client.list_buckets().send().await {
Ok(_) => {
println!("This should now run successfully.")
}
Err(e) => {
println!("This should not run. {:?}", e);
panic!()
}
}
//Clean up.
iam_service::detach_role_policy(
&client,
assume_role_role.role_name(),
list_all_buckets_policy.arn().unwrap_or_default(),
)
.await?;
iam_service::delete_policy(&client, list_all_buckets_policy).await?;
iam_service::delete_role(&client, &assume_role_role).await?;
println!("Deleted role {}", assume_role_role.role_name());
iam_service::delete_access_key(&client, &user, &key).await?;
println!("Deleted key for {}", key.user_name());
iam_service::delete_user_policy(&client, &user, &inline_policy_name).await?;
println!("Deleted inline user policy: {}", inline_policy_name);
iam_service::delete_user(&client, &user).await?;
println!("Deleted user {}", user.user_name());
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的下列主題。
+ [AttachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_role_policy)
+ [CreateAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_access_key)
+ [CreatePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_policy)
+ [CreateRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_role)
+ [CreateUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_user)
+ [DeleteAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_access_key)
+ [DeletePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_policy)
+ [DeleteRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_role)
+ [DeleteUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user)
+ [DeleteUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user_policy)
+ [DetachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_role_policy)
+ [PutUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.put_user_policy)
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 使用 AWS SDKs的 IAM 動作
下列程式碼範例示範如何使用 AWS SDKs 執行個別 IAM 動作。每個範例均包含 GitHub 的連結,您可以在連結中找到設定和執行程式碼的相關說明。
這些摘錄會呼叫 IAM API,是必須在內容中執行之大型程式的程式碼摘錄。您可以在 [使用 AWS SDKs IAM 案例](service_code_examples_iam_scenarios.md) 中查看內容中的動作。
下列範例僅包含最常使用的動作。如需完整清單,請參閱《[AWS Identity and Access Management API 參考](https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html)》。
**Topics**
+ [`AddClientIdToOpenIdConnectProvider`](iam_example_iam_AddClientIdToOpenIdConnectProvider_section.md)
+ [`AddRoleToInstanceProfile`](iam_example_iam_AddRoleToInstanceProfile_section.md)
+ [`AddUserToGroup`](iam_example_iam_AddUserToGroup_section.md)
+ [`AttachGroupPolicy`](iam_example_iam_AttachGroupPolicy_section.md)
+ [`AttachRolePolicy`](iam_example_iam_AttachRolePolicy_section.md)
+ [`AttachUserPolicy`](iam_example_iam_AttachUserPolicy_section.md)
+ [`ChangePassword`](iam_example_iam_ChangePassword_section.md)
+ [`CreateAccessKey`](iam_example_iam_CreateAccessKey_section.md)
+ [`CreateAccountAlias`](iam_example_iam_CreateAccountAlias_section.md)
+ [`CreateGroup`](iam_example_iam_CreateGroup_section.md)
+ [`CreateInstanceProfile`](iam_example_iam_CreateInstanceProfile_section.md)
+ [`CreateLoginProfile`](iam_example_iam_CreateLoginProfile_section.md)
+ [`CreateOpenIdConnectProvider`](iam_example_iam_CreateOpenIdConnectProvider_section.md)
+ [`CreatePolicy`](iam_example_iam_CreatePolicy_section.md)
+ [`CreatePolicyVersion`](iam_example_iam_CreatePolicyVersion_section.md)
+ [`CreateRole`](iam_example_iam_CreateRole_section.md)
+ [`CreateSAMLProvider`](iam_example_iam_CreateSAMLProvider_section.md)
+ [`CreateServiceLinkedRole`](iam_example_iam_CreateServiceLinkedRole_section.md)
+ [`CreateUser`](iam_example_iam_CreateUser_section.md)
+ [`CreateVirtualMfaDevice`](iam_example_iam_CreateVirtualMfaDevice_section.md)
+ [`DeactivateMfaDevice`](iam_example_iam_DeactivateMfaDevice_section.md)
+ [`DeleteAccessKey`](iam_example_iam_DeleteAccessKey_section.md)
+ [`DeleteAccountAlias`](iam_example_iam_DeleteAccountAlias_section.md)
+ [`DeleteAccountPasswordPolicy`](iam_example_iam_DeleteAccountPasswordPolicy_section.md)
+ [`DeleteGroup`](iam_example_iam_DeleteGroup_section.md)
+ [`DeleteGroupPolicy`](iam_example_iam_DeleteGroupPolicy_section.md)
+ [`DeleteInstanceProfile`](iam_example_iam_DeleteInstanceProfile_section.md)
+ [`DeleteLoginProfile`](iam_example_iam_DeleteLoginProfile_section.md)
+ [`DeleteOpenIdConnectProvider`](iam_example_iam_DeleteOpenIdConnectProvider_section.md)
+ [`DeletePolicy`](iam_example_iam_DeletePolicy_section.md)
+ [`DeletePolicyVersion`](iam_example_iam_DeletePolicyVersion_section.md)
+ [`DeleteRole`](iam_example_iam_DeleteRole_section.md)
+ [`DeleteRolePermissionsBoundary`](iam_example_iam_DeleteRolePermissionsBoundary_section.md)
+ [`DeleteRolePolicy`](iam_example_iam_DeleteRolePolicy_section.md)
+ [`DeleteSAMLProvider`](iam_example_iam_DeleteSAMLProvider_section.md)
+ [`DeleteServerCertificate`](iam_example_iam_DeleteServerCertificate_section.md)
+ [`DeleteServiceLinkedRole`](iam_example_iam_DeleteServiceLinkedRole_section.md)
+ [`DeleteSigningCertificate`](iam_example_iam_DeleteSigningCertificate_section.md)
+ [`DeleteUser`](iam_example_iam_DeleteUser_section.md)
+ [`DeleteUserPermissionsBoundary`](iam_example_iam_DeleteUserPermissionsBoundary_section.md)
+ [`DeleteUserPolicy`](iam_example_iam_DeleteUserPolicy_section.md)
+ [`DeleteVirtualMfaDevice`](iam_example_iam_DeleteVirtualMfaDevice_section.md)
+ [`DetachGroupPolicy`](iam_example_iam_DetachGroupPolicy_section.md)
+ [`DetachRolePolicy`](iam_example_iam_DetachRolePolicy_section.md)
+ [`DetachUserPolicy`](iam_example_iam_DetachUserPolicy_section.md)
+ [`EnableMfaDevice`](iam_example_iam_EnableMfaDevice_section.md)
+ [`GenerateCredentialReport`](iam_example_iam_GenerateCredentialReport_section.md)
+ [`GenerateServiceLastAccessedDetails`](iam_example_iam_GenerateServiceLastAccessedDetails_section.md)
+ [`GetAccessKeyLastUsed`](iam_example_iam_GetAccessKeyLastUsed_section.md)
+ [`GetAccountAuthorizationDetails`](iam_example_iam_GetAccountAuthorizationDetails_section.md)
+ [`GetAccountPasswordPolicy`](iam_example_iam_GetAccountPasswordPolicy_section.md)
+ [`GetAccountSummary`](iam_example_iam_GetAccountSummary_section.md)
+ [`GetContextKeysForCustomPolicy`](iam_example_iam_GetContextKeysForCustomPolicy_section.md)
+ [`GetContextKeysForPrincipalPolicy`](iam_example_iam_GetContextKeysForPrincipalPolicy_section.md)
+ [`GetCredentialReport`](iam_example_iam_GetCredentialReport_section.md)
+ [`GetGroup`](iam_example_iam_GetGroup_section.md)
+ [`GetGroupPolicy`](iam_example_iam_GetGroupPolicy_section.md)
+ [`GetInstanceProfile`](iam_example_iam_GetInstanceProfile_section.md)
+ [`GetLoginProfile`](iam_example_iam_GetLoginProfile_section.md)
+ [`GetOpenIdConnectProvider`](iam_example_iam_GetOpenIdConnectProvider_section.md)
+ [`GetPolicy`](iam_example_iam_GetPolicy_section.md)
+ [`GetPolicyVersion`](iam_example_iam_GetPolicyVersion_section.md)
+ [`GetRole`](iam_example_iam_GetRole_section.md)
+ [`GetRolePolicy`](iam_example_iam_GetRolePolicy_section.md)
+ [`GetSamlProvider`](iam_example_iam_GetSamlProvider_section.md)
+ [`GetServerCertificate`](iam_example_iam_GetServerCertificate_section.md)
+ [`GetServiceLastAccessedDetails`](iam_example_iam_GetServiceLastAccessedDetails_section.md)
+ [`GetServiceLastAccessedDetailsWithEntities`](iam_example_iam_GetServiceLastAccessedDetailsWithEntities_section.md)
+ [`GetServiceLinkedRoleDeletionStatus`](iam_example_iam_GetServiceLinkedRoleDeletionStatus_section.md)
+ [`GetUser`](iam_example_iam_GetUser_section.md)
+ [`GetUserPolicy`](iam_example_iam_GetUserPolicy_section.md)
+ [`ListAccessKeys`](iam_example_iam_ListAccessKeys_section.md)
+ [`ListAccountAliases`](iam_example_iam_ListAccountAliases_section.md)
+ [`ListAttachedGroupPolicies`](iam_example_iam_ListAttachedGroupPolicies_section.md)
+ [`ListAttachedRolePolicies`](iam_example_iam_ListAttachedRolePolicies_section.md)
+ [`ListAttachedUserPolicies`](iam_example_iam_ListAttachedUserPolicies_section.md)
+ [`ListEntitiesForPolicy`](iam_example_iam_ListEntitiesForPolicy_section.md)
+ [`ListGroupPolicies`](iam_example_iam_ListGroupPolicies_section.md)
+ [`ListGroups`](iam_example_iam_ListGroups_section.md)
+ [`ListGroupsForUser`](iam_example_iam_ListGroupsForUser_section.md)
+ [`ListInstanceProfiles`](iam_example_iam_ListInstanceProfiles_section.md)
+ [`ListInstanceProfilesForRole`](iam_example_iam_ListInstanceProfilesForRole_section.md)
+ [`ListMfaDevices`](iam_example_iam_ListMfaDevices_section.md)
+ [`ListOpenIdConnectProviders`](iam_example_iam_ListOpenIdConnectProviders_section.md)
+ [`ListPolicies`](iam_example_iam_ListPolicies_section.md)
+ [`ListPolicyVersions`](iam_example_iam_ListPolicyVersions_section.md)
+ [`ListRolePolicies`](iam_example_iam_ListRolePolicies_section.md)
+ [`ListRoleTags`](iam_example_iam_ListRoleTags_section.md)
+ [`ListRoles`](iam_example_iam_ListRoles_section.md)
+ [`ListSAMLProviders`](iam_example_iam_ListSAMLProviders_section.md)
+ [`ListServerCertificates`](iam_example_iam_ListServerCertificates_section.md)
+ [`ListSigningCertificates`](iam_example_iam_ListSigningCertificates_section.md)
+ [`ListUserPolicies`](iam_example_iam_ListUserPolicies_section.md)
+ [`ListUserTags`](iam_example_iam_ListUserTags_section.md)
+ [`ListUsers`](iam_example_iam_ListUsers_section.md)
+ [`ListVirtualMfaDevices`](iam_example_iam_ListVirtualMfaDevices_section.md)
+ [`PutGroupPolicy`](iam_example_iam_PutGroupPolicy_section.md)
+ [`PutRolePermissionsBoundary`](iam_example_iam_PutRolePermissionsBoundary_section.md)
+ [`PutRolePolicy`](iam_example_iam_PutRolePolicy_section.md)
+ [`PutUserPermissionsBoundary`](iam_example_iam_PutUserPermissionsBoundary_section.md)
+ [`PutUserPolicy`](iam_example_iam_PutUserPolicy_section.md)
+ [`RemoveClientIdFromOpenIdConnectProvider`](iam_example_iam_RemoveClientIdFromOpenIdConnectProvider_section.md)
+ [`RemoveRoleFromInstanceProfile`](iam_example_iam_RemoveRoleFromInstanceProfile_section.md)
+ [`RemoveUserFromGroup`](iam_example_iam_RemoveUserFromGroup_section.md)
+ [`ResyncMfaDevice`](iam_example_iam_ResyncMfaDevice_section.md)
+ [`SetDefaultPolicyVersion`](iam_example_iam_SetDefaultPolicyVersion_section.md)
+ [`TagRole`](iam_example_iam_TagRole_section.md)
+ [`TagUser`](iam_example_iam_TagUser_section.md)
+ [`UntagRole`](iam_example_iam_UntagRole_section.md)
+ [`UntagUser`](iam_example_iam_UntagUser_section.md)
+ [`UpdateAccessKey`](iam_example_iam_UpdateAccessKey_section.md)
+ [`UpdateAccountPasswordPolicy`](iam_example_iam_UpdateAccountPasswordPolicy_section.md)
+ [`UpdateAssumeRolePolicy`](iam_example_iam_UpdateAssumeRolePolicy_section.md)
+ [`UpdateGroup`](iam_example_iam_UpdateGroup_section.md)
+ [`UpdateLoginProfile`](iam_example_iam_UpdateLoginProfile_section.md)
+ [`UpdateOpenIdConnectProviderThumbprint`](iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md)
+ [`UpdateRole`](iam_example_iam_UpdateRole_section.md)
+ [`UpdateRoleDescription`](iam_example_iam_UpdateRoleDescription_section.md)
+ [`UpdateSamlProvider`](iam_example_iam_UpdateSamlProvider_section.md)
+ [`UpdateServerCertificate`](iam_example_iam_UpdateServerCertificate_section.md)
+ [`UpdateSigningCertificate`](iam_example_iam_UpdateSigningCertificate_section.md)
+ [`UpdateUser`](iam_example_iam_UpdateUser_section.md)
+ [`UploadServerCertificate`](iam_example_iam_UploadServerCertificate_section.md)
+ [`UploadSigningCertificate`](iam_example_iam_UploadSigningCertificate_section.md)
# 搭配使用 `AddClientIdToOpenIdConnectProvider` 與 CLI
下列程式碼範例示範如何使用 `AddClientIdToOpenIdConnectProvider`。
------
#### [ CLI ]
**AWS CLI**
**若要將用戶端 ID (對象) 新增至 Open-ID Connect (OIDC) 提供者**
下列 `add-client-id-to-open-id-connect-provider` 命令會將用戶端 ID `my-application-ID` 新增至名為 `server.example.com` 的 OIDC 提供者。
```
aws iam add-client-id-to-open-id-connect-provider \
--client-id my-application-ID \
--open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/server.example.com
```
此命令不會產生輸出。
若要建立 OIDC 提供者,請使用 `create-open-id-connect-provider` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [AddClientIdToOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/add-client-id-to-open-id-connect-provider.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會將用戶端 ID (或對象) `my-application-ID` 新增至名為 `server.example.com` 的現有 OIDC 提供者。**
```
Add-IAMClientIDToOpenIDConnectProvider -ClientID "my-application-ID" -OpenIDConnectProviderARN "arn:aws:iam::123456789012:oidc-provider/server.example.com"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [AddClientIdToOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會將用戶端 ID (或對象) `my-application-ID` 新增至名為 `server.example.com` 的現有 OIDC 提供者。**
```
Add-IAMClientIDToOpenIDConnectProvider -ClientID "my-application-ID" -OpenIDConnectProviderARN "arn:aws:iam::123456789012:oidc-provider/server.example.com"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [AddClientIdToOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `AddRoleToInstanceProfile` 與 CLI
下列程式碼範例示範如何使用 `AddRoleToInstanceProfile`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
------
#### [ CLI ]
**AWS CLI**
**若要將角色新增至執行個體設定檔**
下列 `add-role-to-instance-profile` 命令會將名為 `S3Access` 的角色新增至名為 `Webserver` 的執行個體設定檔。
```
aws iam add-role-to-instance-profile \
--role-name S3Access \
--instance-profile-name Webserver
```
此命令不會產生輸出。
若要建立執行個體設定檔,請使用 `create-instance-profile` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用 IAM 角色為在 Amazon EC2 執行個體上執行的應用程式授予許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [AddRoleToInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/add-role-to-instance-profile.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會將名為 `S3Access` 的角色新增至名為 `webserver` 的現有執行個體設定檔。若要建立執行個體設定檔,請使用 `New-IAMInstanceProfile` 命令。使用此命令建立執行個體設定檔並將其與角色關聯起來之後,可以將其連接至 EC2 執行個體。為此,請使用 `New-EC2Instance` cmdlet 搭配 `InstanceProfile_Arn` 或 `InstanceProfile-Name` 參數啟動新的執行個體。**
```
Add-IAMRoleToInstanceProfile -RoleName "S3Access" -InstanceProfileName "webserver"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [AddRoleToInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會將名為 `S3Access` 的角色新增至名為 `webserver` 的現有執行個體設定檔。若要建立執行個體設定檔,請使用 `New-IAMInstanceProfile` 命令。使用此命令建立執行個體設定檔並將其與角色關聯起來之後,可以將其連接至 EC2 執行個體。為此,請使用 `New-EC2Instance` cmdlet 搭配 `InstanceProfile_Arn` 或 `InstanceProfile-Name` 參數啟動新的執行個體。**
```
Add-IAMRoleToInstanceProfile -RoleName "S3Access" -InstanceProfileName "webserver"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [AddRoleToInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `AddUserToGroup` 與 CLI
下列程式碼範例示範如何使用 `AddUserToGroup`。
------
#### [ CLI ]
**AWS CLI**
**將使用者新增至 IAM 群組**
下列 `add-user-to-group` 命令會將名為 `Bob` 的 IAM 使用者新增至名為 `Admins` 的 IAM 群組。
```
aws iam add-user-to-group \
--user-name Bob \
--group-name Admins
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 IAM 使用者群組中新增和移除使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [AddUserToGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/add-user-to-group.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會將名為 `Bob` 的使用者新增至名為 `Admins` 的群組。**
```
Add-IAMUserToGroup -UserName "Bob" -GroupName "Admins"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [AddUserToGroup](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會將名為 `Bob` 的使用者新增至名為 `Admins` 的群組。**
```
Add-IAMUserToGroup -UserName "Bob" -GroupName "Admins"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [AddUserToGroup](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `AttachGroupPolicy` 與 CLI
下列程式碼範例示範如何使用 `AttachGroupPolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要將受管政策連接至 IAM 群組**
下列`attach-group-policy`命令會將名為 的 AWS 受管政策連接至名為 `ReadOnlyAccess`的 IAM 群組`Finance`。
```
aws iam attach-group-policy \
--policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \
--group-name Finance
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[受管政策和內嵌政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [AttachGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-group-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將名為 `TesterPolicy` 的客戶管理政策連接到 IAM 群組 `Testers`。該群組中的使用者會立即受到該政策預設版本中定義之許可影響。**
```
Register-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy
```
**範例 2:此範例會將名為 的 AWS 受管政策連接至 `AdministratorAccess` IAM 群組 `Admins`。該群組中的使用者會立即受到該政策最新版本中定義之許可影響。**
```
Register-IAMGroupPolicy -GroupName Admins -PolicyArn arn:aws:iam::aws:policy/AdministratorAccess
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [AttachGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將名為 `TesterPolicy` 的客戶管理政策連接到 IAM 群組 `Testers`。該群組中的使用者會立即受到該政策預設版本中定義之許可影響。**
```
Register-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy
```
**範例 2:此範例會將名為 的 AWS 受管政策連接至 `AdministratorAccess` IAM 群組 `Admins`。該群組中的使用者會立即受到該政策最新版本中定義之許可影響。**
```
Register-IAMGroupPolicy -GroupName Admins -PolicyArn arn:aws:iam::aws:policy/AdministratorAccess
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [AttachGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `AttachRolePolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `AttachRolePolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [使用 Lambda 代理整合建立 REST API](iam_example_api_gateway_GettingStarted_087_section.md)
+ [為 Fargate 啟動類型建立 Amazon ECS Linux 任務](iam_example_ecs_GettingStarted_086_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](iam_example_cloudwatch_GettingStarted_031_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [建立您的第一個 Lambda 函數](iam_example_lambda_GettingStarted_019_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理角色](iam_example_iam_Scenario_RoleManagement_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](iam_example_secrets_manager_GettingStarted_073_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [在 CloudWatch 儀表板中使用屬性變數來監控多個 Lambda 函數](iam_example_iam_GettingStarted_032_section.md)
+ [使用串流和存留時間](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Attach an IAM policy to a role.
///
/// The policy to attach.
/// The role that the policy will be attached to.
/// A Boolean value indicating the success of the action.
public async Task AttachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/AttachRolePolicy)。
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_attach_role_policy
#
# This function attaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_attach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_attach_role_policy"
echo "Attaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam attach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports attach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::attachRolePolicy(const Aws::String &roleName,
const Aws::String &policyArn,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::ListAttachedRolePoliciesRequest list_request;
list_request.SetRoleName(roleName);
bool done = false;
while (!done) {
auto list_outcome = iam.ListAttachedRolePolicies(list_request);
if (!list_outcome.IsSuccess()) {
std::cerr << "Failed to list attached policies of role " <<
roleName << ": " << list_outcome.GetError().GetMessage() <<
std::endl;
return false;
}
const auto &policies = list_outcome.GetResult().GetAttachedPolicies();
if (std::any_of(policies.cbegin(), policies.cend(),
[=](const Aws::IAM::Model::AttachedPolicy &policy) {
return policy.GetPolicyArn() == policyArn;
})) {
std::cout << "Policy " << policyArn <<
" is already attached to role " << roleName << std::endl;
return true;
}
done = !list_outcome.GetResult().GetIsTruncated();
list_request.SetMarker(list_outcome.GetResult().GetMarker());
}
Aws::IAM::Model::AttachRolePolicyRequest request;
request.SetRoleName(roleName);
request.SetPolicyArn(policyArn);
Aws::IAM::Model::AttachRolePolicyOutcome outcome = iam.AttachRolePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Failed to attach policy " << policyArn << " to role " <<
roleName << ": " << outcome.GetError().GetMessage() << std::endl;
}
else {
std::cout << "Successfully attached policy " << policyArn << " to role " <<
roleName << std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/AttachRolePolicy)。
------
#### [ CLI ]
**AWS CLI**
**將受管政策連接至 IAM 角色**
下列`attach-role-policy`命令會將名為 的 AWS 受管政策連接至名為 `ReadOnlyAccess`的 IAM 角色`ReadOnlyRole`。
```
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \
--role-name ReadOnlyRole
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[受管政策和內嵌政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [AttachRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// AttachRolePolicy attaches a policy to a role.
func (wrapper RoleWrapper) AttachRolePolicy(ctx context.Context, policyArn string, roleName string) error {
_, err := wrapper.IamClient.AttachRolePolicy(ctx, &iam.AttachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't attach policy %v to role %v. Here's why: %v\n", policyArn, roleName, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [AttachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.AttachRolePolicy)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse;
import java.util.List;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class AttachRolePolicy {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
roleName - A role name that you can obtain from the AWS Management Console.\s
policyArn - A policy ARN that you can obtain from the AWS Management Console.\s
""";
if (args.length != 2) {
System.out.println(usage);
System.exit(1);
}
String roleName = args[0];
String policyArn = args[1];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
attachIAMRolePolicy(iam, roleName, policyArn);
iam.close();
}
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) {
try {
ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
.roleName(roleName)
.build();
ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request);
List attachedPolicies = response.attachedPolicies();
// Ensure that the policy is not attached to this role
String polArn = "";
for (AttachedPolicy policy : attachedPolicies) {
polArn = policy.policyArn();
if (polArn.compareTo(policyArn) == 0) {
System.out.println(roleName + " policy is already attached to this role.");
return;
}
}
AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.attachRolePolicy(attachRequest);
System.out.println("Successfully attached policy " + policyArn +
" to role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
System.out.println("Done");
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/AttachRolePolicy)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
連接政策。
```
import { AttachRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} policyArn
* @param {string} roleName
*/
export const attachRolePolicy = (policyArn, roleName) => {
const command = new AttachRolePolicyCommand({
PolicyArn: policyArn,
RoleName: roleName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-attaching-role-policy)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [AttachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/AttachRolePolicyCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var paramsRoleList = {
RoleName: process.argv[2],
};
iam.listAttachedRolePolicies(paramsRoleList, function (err, data) {
if (err) {
console.log("Error", err);
} else {
var myRolePolicies = data.AttachedPolicies;
myRolePolicies.forEach(function (val, index, array) {
if (myRolePolicies[index].PolicyName === "AmazonDynamoDBFullAccess") {
console.log(
"AmazonDynamoDBFullAccess is already attached to this role."
);
process.exit();
}
});
var params = {
PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
RoleName: process.argv[2],
};
iam.attachRolePolicy(params, function (err, data) {
if (err) {
console.log("Unable to attach policy to role", err);
} else {
console.log("Role attached successfully");
}
});
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-attaching-role-policy)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/AttachRolePolicy)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun attachIAMRolePolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
ListAttachedRolePoliciesRequest {
roleName = roleNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAttachedRolePolicies(request)
val attachedPolicies = response.attachedPolicies
// Ensure that the policy is not attached to this role.
val checkStatus: Int
if (attachedPolicies != null) {
checkStatus = checkList(attachedPolicies, policyArnVal)
if (checkStatus == -1) {
return
}
}
val policyRequest =
AttachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
iamClient.attachRolePolicy(policyRequest)
println("Successfully attached policy $policyArnVal to role $roleNameVal")
}
}
fun checkList(
attachedPolicies: List,
policyArnVal: String,
): Int {
for (policy in attachedPolicies) {
val polArn = policy.policyArn.toString()
if (polArn.compareTo(policyArnVal) == 0) {
println("The policy is already attached to this role.")
return -1
}
}
return 0
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
$assumeRolePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{$user['Arn']}\"},
\"Action\": \"sts:AssumeRole\"
}]
}";
$assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument);
echo "Created role: {$assumeRoleRole['RoleName']}\n";
$listAllBucketsPolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}";
$listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument);
echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n";
$service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);
public function attachRolePolicy($roleName, $policyArn)
{
return $this->customWaiter(function () use ($roleName, $policyArn) {
$this->iamClient->attachRolePolicy([
'PolicyArn' => $policyArn,
'RoleName' => $roleName,
]);
});
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/AttachRolePolicy)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將名為 的 AWS 受管政策連接至 `SecurityAudit` IAM 角色 `CoSecurityAuditors`。該最新版本政策中所定義的許可會立即影響擔任該角色的使用者。**
```
Register-IAMRolePolicy -RoleName CoSecurityAuditors -PolicyArn arn:aws:iam::aws:policy/SecurityAudit
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [AttachRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將名為 的 AWS 受管政策連接至 `SecurityAudit` IAM 角色 `CoSecurityAuditors`。該最新版本政策中所定義的許可會立即影響擔任該角色的使用者。**
```
Register-IAMRolePolicy -RoleName CoSecurityAuditors -PolicyArn arn:aws:iam::aws:policy/SecurityAudit
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [AttachRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
使用 Boto3 Policy 物件將政策連接至角色。
```
def attach_to_role(role_name, policy_arn):
"""
Attaches a policy to a role.
:param role_name: The name of the role. **Note** this is the name, not the ARN.
:param policy_arn: The ARN of the policy.
"""
try:
iam.Policy(policy_arn).attach_role(RoleName=role_name)
logger.info("Attached policy %s to role %s.", policy_arn, role_name)
except ClientError:
logger.exception("Couldn't attach policy %s to role %s.", policy_arn, role_name)
raise
```
使用 Boto3 Role 物件將政策連接至角色。
```
def attach_policy(role_name, policy_arn):
"""
Attaches a policy to a role.
:param role_name: The name of the role. **Note** this is the name, not the ARN.
:param policy_arn: The ARN of the policy.
"""
try:
iam.Role(role_name).attach_policy(PolicyArn=policy_arn)
logger.info("Attached policy %s to role %s.", policy_arn, role_name)
except ClientError:
logger.exception("Couldn't attach policy %s to role %s.", policy_arn, role_name)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachRolePolicy)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、連接和分離角色政策。
```
# Manages policies in AWS Identity and Access Management (IAM)
class RolePolicyManager
# Initialize with an AWS IAM client
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'PolicyManager'
end
# Creates a policy
#
# @param policy_name [String] The name of the policy
# @param policy_document [Hash] The policy document
# @return [String] The policy ARN if successful, otherwise nil
def create_policy(policy_name, policy_document)
response = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document.to_json
)
response.policy.arn
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating policy: #{e.message}")
nil
end
# Fetches an IAM policy by its ARN
# @param policy_arn [String] the ARN of the IAM policy to retrieve
# @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found
def get_policy(policy_arn)
response = @iam_client.get_policy(policy_arn: policy_arn)
policy = response.policy
@logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.")
policy
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.")
raise
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}")
raise
end
# Attaches a policy to a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def attach_policy_to_role(role_name, policy_arn)
@iam_client.attach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error attaching policy to role: #{e.message}")
false
end
# Lists policy ARNs attached to a role
#
# @param role_name [String] The name of the role
# @return [Array] List of policy ARNs
def list_attached_policy_arns(role_name)
response = @iam_client.list_attached_role_policies(role_name: role_name)
response.attached_policies.map(&:policy_arn)
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing policies attached to role: #{e.message}")
[]
end
# Detaches a policy from a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def detach_policy_from_role(role_name, policy_arn)
@iam_client.detach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error detaching policy from role: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》中的 [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachRolePolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn attach_role_policy(
client: &iamClient,
role: &Role,
policy: &Policy,
) -> Result> {
client
.attach_role_policy()
.role_name(role.role_name())
.policy_arn(policy.arn().unwrap_or_default())
.send()
.await
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [AttachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_role_policy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->attachrolepolicy(
iv_rolename = iv_role_name
iv_policyarn = iv_policy_arn ).
MESSAGE 'Policy attached to role successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Role or policy does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Policy attachment limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [AttachRolePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func attachRolePolicy(role: String, policyArn: String) async throws {
let input = AttachRolePolicyInput(
policyArn: policyArn,
roleName: role
)
do {
_ = try await client.attachRolePolicy(input: input)
} catch {
print("ERROR: Attaching a role policy:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [AttachRolePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/attachrolepolicy(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `AttachUserPolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `AttachUserPolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
------
#### [ CLI ]
**AWS CLI**
**將受管政策連接至 IAM 使用者**
下列`attach-user-policy`命令會將名為 的 AWS 受管政策連接至名為 `AdministratorAccess`的 IAM 使用者`Alice`。
```
aws iam attach-user-policy \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
--user-name Alice
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[受管政策和內嵌政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [AttachUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-user-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將名為 `AmazonCognitoPowerUser`的 AWS 受管政策連接至 IAM 使用者 `Bob`。該最新版本政策中所定義的許可會立即影響使用者。**
```
Register-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::aws:policy/AmazonCognitoPowerUser
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [AttachUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將名為 `AmazonCognitoPowerUser`的 AWS 受管政策連接至 IAM 使用者 `Bob`。該最新版本政策中所定義的許可會立即影響使用者。**
```
Register-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::aws:policy/AmazonCognitoPowerUser
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [AttachUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def attach_policy(user_name, policy_arn):
"""
Attaches a policy to a user.
:param user_name: The name of the user.
:param policy_arn: The Amazon Resource Name (ARN) of the policy.
"""
try:
iam.User(user_name).attach_policy(PolicyArn=policy_arn)
logger.info("Attached policy %s to user %s.", policy_arn, user_name)
except ClientError:
logger.exception("Couldn't attach policy %s to user %s.", policy_arn, user_name)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [AttachUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachUserPolicy)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Attaches a policy to a user
#
# @param user_name [String] The name of the user
# @param policy_arn [String] The Amazon Resource Name (ARN) of the policy
# @return [Boolean] true if successful, false otherwise
def attach_policy_to_user(user_name, policy_arn)
@iam_client.attach_user_policy(
user_name: user_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error attaching policy to user: #{e.message}")
false
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [AttachUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachUserPolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn attach_user_policy(
client: &iamClient,
user_name: &str,
policy_arn: &str,
) -> Result<(), iamError> {
client
.attach_user_policy()
.user_name(user_name)
.policy_arn(policy_arn)
.send()
.await?;
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [AttachUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_user_policy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->attachuserpolicy(
iv_username = iv_user_name
iv_policyarn = iv_policy_arn ).
MESSAGE 'Policy attached to user successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'User or policy does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Policy attachment limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [AttachUserPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ChangePassword` 搭配 CLI 使用
下列程式碼範例示範如何使用 `ChangePassword`。
------
#### [ CLI ]
**AWS CLI**
**若要變更您的 IAM 使用者的密碼**
若要變更 IAM 使用者的密碼,建議使用 `--cli-input-json` 參數來傳遞包含舊密碼和新密碼的 JSON 檔案。採用此方法時,可以使用含非英數字元的高保護性密碼。當您以命令列參數形式傳遞密碼時,使用含非英數字元的密碼可能會有困難。若要使用 `--cli-input-json` 參數,請先從使用含 `--generate-cli-skeleton` 參數的 `change-password` 命令開始,範例如下所示。
```
aws iam change-password \
--generate-cli-skeleton > change-password.json
```
先前的命令會建立名為 change-password.json 的 JSON 檔案,可用來填入舊密碼與新密碼。例如,此檔案可能如下所示:
```
{
"OldPassword": "3s0K_;xh4~8XXI",
"NewPassword": "]35d/{pB9Fo9wJ"
}
```
接下來,若要變更密碼,請再次使用 `change-password` 命令,這次傳遞 `--cli-input-json` 參數以指定 JSON 檔案。下列 `change-password` 命令會將 `--cli-input-json` 參數與名為 change-password.json 的 JSON 檔案搭配使用。
```
aws iam change-password \
--cli-input-json file://change-password.json
```
此命令不會產生輸出。
此命令只能由 IAM 使用者呼叫。如果使用 AWS 帳戶 (根) 登入資料呼叫此命令,則命令會傳回`InvalidUserType`錯誤。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 使用者如何變更自己的密碼](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_user-change-own.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ChangePassword](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/change-password.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會變更執行命令的使用者密碼。此命令只能由 IAM 使用者呼叫。如果您在使用 AWS 帳戶 (根) 登入資料登入時呼叫此命令,命令會傳回`InvalidUserType`錯誤。**
```
Edit-IAMPassword -OldPassword "MyOldP@ssw0rd" -NewPassword "MyNewP@ssw0rd"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ChangePassword](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會變更執行命令的使用者密碼。此命令只能由 IAM 使用者呼叫。如果您在使用 AWS 帳戶 (根) 登入資料登入時呼叫此命令,命令會傳回`InvalidUserType`錯誤。**
```
Edit-IAMPassword -OldPassword "MyOldP@ssw0rd" -NewPassword "MyNewP@ssw0rd"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ChangePassword](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateAccessKey` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateAccessKey`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Create an IAM access key for a user.
///
/// The username for which to create the IAM access
/// key.
/// The AccessKey.
public async Task CreateAccessKeyAsync(string userName)
{
var response = await _IAMService.CreateAccessKeyAsync(new CreateAccessKeyRequest
{
UserName = userName,
});
return response.AccessKey;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [CreateAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateAccessKey)。
------
#### [ Bash ]
**AWS CLI 使用 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_create_user_access_key
#
# This function creates an IAM access key for the specified user.
#
# Parameters:
# -u user_name -- The name of the IAM user.
# [-f file_name] -- The optional file name for the access key output.
#
# Returns:
# [access_key_id access_key_secret]
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user_access_key() {
local user_name file_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) key pair."
echo " -u user_name The name of the IAM user."
echo " [-f file_name] Optional file name for the access key output."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:f:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
f) file_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
response=$(aws iam create-access-key \
--user-name "$user_name" \
--output text)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-access-key operation failed.$response"
return 1
fi
if [[ -n "$file_name" ]]; then
echo "$response" >"$file_name"
fi
local key_id key_secret
# shellcheck disable=SC2086
key_id=$(echo $response | cut -f 2 -d ' ')
# shellcheck disable=SC2086
key_secret=$(echo $response | cut -f 4 -d ' ')
echo "$key_id $key_secret"
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateAccessKey)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
Aws::String AwsDoc::IAM::createAccessKey(const Aws::String &userName,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::CreateAccessKeyRequest request;
request.SetUserName(userName);
Aws::String result;
Aws::IAM::Model::CreateAccessKeyOutcome outcome = iam.CreateAccessKey(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating access key for IAM user " << userName
<< ":" << outcome.GetError().GetMessage() << std::endl;
}
else {
const auto &accessKey = outcome.GetResult().GetAccessKey();
std::cout << "Successfully created access key for IAM user " <<
userName << std::endl << " aws_access_key_id = " <<
accessKey.GetAccessKeyId() << std::endl <<
" aws_secret_access_key = " << accessKey.GetSecretAccessKey() <<
std::endl;
result = accessKey.GetAccessKeyId();
}
return result;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccessKey)。
------
#### [ CLI ]
**AWS CLI**
**為 IAM 使用者建立存取金鑰**
下列 `create-access-key` 命令會為名為 `Bob` 的 IAM 使用者建立存取金鑰 (存取金鑰 ID 與私密存取金鑰)。
```
aws iam create-access-key \
--user-name Bob
```
輸出:
```
{
"AccessKey": {
"UserName": "Bob",
"Status": "Active",
"CreateDate": "2015-03-09T18:39:23.411Z",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
}
}
```
請將私密存取金鑰存放在安全之處。遺失的金鑰無法復原,您必須建立新的存取金鑰。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的存取金鑰](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateAccessKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// CreateAccessKeyPair creates an access key for a user. The returned access key contains
// the ID and secret credentials needed to use the key.
func (wrapper UserWrapper) CreateAccessKeyPair(ctx context.Context, userName string) (*types.AccessKey, error) {
var key *types.AccessKey
result, err := wrapper.IamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
UserName: aws.String(userName)})
if err != nil {
log.Printf("Couldn't create access key pair for user %v. Here's why: %v\n", userName, err)
} else {
key = result.AccessKey
}
return key, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [CreateAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateAccessKey)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.CreateAccessKeyRequest;
import software.amazon.awssdk.services.iam.model.CreateAccessKeyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class CreateAccessKey {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
user - An AWS IAM user that you can obtain from the AWS Management Console.
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String user = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
String keyId = createIAMAccessKey(iam, user);
System.out.println("The Key Id is " + keyId);
iam.close();
}
public static String createIAMAccessKey(IamClient iam, String user) {
try {
CreateAccessKeyRequest request = CreateAccessKeyRequest.builder()
.userName(user)
.build();
CreateAccessKeyResponse response = iam.createAccessKey(request);
return response.accessKey().accessKeyId();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccessKey)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立存取金鑰。
```
import { CreateAccessKeyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} userName
*/
export const createAccessKey = (userName) => {
const command = new CreateAccessKeyCommand({ UserName: userName });
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-creating)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccessKeyCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.createAccessKey({ UserName: "IAM_USER_NAME" }, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data.AccessKey);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-creating)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateAccessKey](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreateAccessKey)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMAccessKey(user: String?): String {
val request =
CreateAccessKeyRequest {
userName = user
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createAccessKey(request)
return response.accessKey?.accessKeyId.toString()
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立新的存取金鑰和私密存取金鑰對,並將其指派給使用者 `David`。請確定將 `AccessKeyId` 和 `SecretAccessKey` 值儲存到檔案中,因為這是唯一可以取得 `SecretAccessKey` 的時機。您稍後便無法擷取它。若您遺失了密碼金鑰,必須建立新的存取金鑰對。**
```
New-IAMAccessKey -UserName David
```
**輸出:**
```
AccessKeyId : AKIAIOSFODNN7EXAMPLE
CreateDate : 4/13/2015 1:00:42 PM
SecretAccessKey : wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Status : Active
UserName : David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateAccessKey](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立新的存取金鑰和私密存取金鑰對,並將其指派給使用者 `David`。請確定將 `AccessKeyId` 和 `SecretAccessKey` 值儲存到檔案中,因為這是唯一可以取得 `SecretAccessKey` 的時機。您稍後便無法擷取它。若您遺失了密碼金鑰,必須建立新的存取金鑰對。**
```
New-IAMAccessKey -UserName David
```
**輸出:**
```
AccessKeyId : AKIAIOSFODNN7EXAMPLE
CreateDate : 4/13/2015 1:00:42 PM
SecretAccessKey : wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Status : Active
UserName : David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateAccessKey](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def create_key(user_name):
"""
Creates an access key for the specified user. Each user can have a
maximum of two keys.
:param user_name: The name of the user.
:return: The created access key.
"""
try:
key_pair = iam.User(user_name).create_access_key_pair()
logger.info(
"Created access key pair for %s. Key ID is %s.",
key_pair.user_name,
key_pair.id,
)
except ClientError:
logger.exception("Couldn't create access key pair for %s.", user_name)
raise
else:
return key_pair
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、停用和刪除存取金鑰。
```
# Manages access keys for IAM users
class AccessKeyManager
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'AccessKeyManager'
end
# Lists access keys for a user
#
# @param user_name [String] The name of the user.
def list_access_keys(user_name)
response = @iam_client.list_access_keys(user_name: user_name)
if response.access_key_metadata.empty?
@logger.info("No access keys found for user '#{user_name}'.")
else
response.access_key_metadata.map(&:access_key_id)
end
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Error listing access keys: cannot find user '#{user_name}'.")
[]
rescue StandardError => e
@logger.error("Error listing access keys: #{e.message}")
[]
end
# Creates an access key for a user
#
# @param user_name [String] The name of the user.
# @return [Boolean]
def create_access_key(user_name)
response = @iam_client.create_access_key(user_name: user_name)
access_key = response.access_key
@logger.info("Access key created for user '#{user_name}': #{access_key.access_key_id}")
access_key
rescue Aws::IAM::Errors::LimitExceeded
@logger.error('Error creating access key: limit exceeded. Cannot create more.')
nil
rescue StandardError => e
@logger.error("Error creating access key: #{e.message}")
nil
end
# Deactivates an access key
#
# @param user_name [String] The name of the user.
# @param access_key_id [String] The ID for the access key.
# @return [Boolean]
def deactivate_access_key(user_name, access_key_id)
@iam_client.update_access_key(
user_name: user_name,
access_key_id: access_key_id,
status: 'Inactive'
)
true
rescue StandardError => e
@logger.error("Error deactivating access key: #{e.message}")
false
end
# Deletes an access key
#
# @param user_name [String] The name of the user.
# @param access_key_id [String] The ID for the access key.
# @return [Boolean]
def delete_access_key(user_name, access_key_id)
@iam_client.delete_access_key(
user_name: user_name,
access_key_id: access_key_id
)
true
rescue StandardError => e
@logger.error("Error deleting access key: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》中的 [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccessKey)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn create_access_key(client: &iamClient, user_name: &str) -> Result {
let mut tries: i32 = 0;
let max_tries: i32 = 10;
let response: Result> = loop {
match client.create_access_key().user_name(user_name).send().await {
Ok(inner_response) => {
break Ok(inner_response);
}
Err(e) => {
tries += 1;
if tries > max_tries {
break Err(e);
}
sleep(Duration::from_secs(2)).await;
}
}
};
Ok(response.unwrap().access_key.unwrap())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [CreateAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_access_key)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->createaccesskey(
iv_username = iv_user_name ).
MESSAGE 'Access key created successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'User does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Maximum number of access keys reached.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateAccessKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func createAccessKey(userName: String) async throws -> IAMClientTypes.AccessKey {
let input = CreateAccessKeyInput(
userName: userName
)
do {
let output = try await iamClient.createAccessKey(input: input)
guard let accessKey = output.accessKey else {
throw ServiceHandlerError.keyError
}
return accessKey
} catch {
print("ERROR: createAccessKey:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [CreateAccessKey](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createaccesskey(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateAccountAlias` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateAccountAlias`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::createAccountAlias(const Aws::String &aliasName,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::CreateAccountAliasRequest request;
request.SetAccountAlias(aliasName);
Aws::IAM::Model::CreateAccountAliasOutcome outcome = iam.CreateAccountAlias(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating account alias " << aliasName << ": "
<< outcome.GetError().GetMessage() << std::endl;
}
else {
std::cout << "Successfully created account alias " << aliasName <<
std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [CreateAccountAlias](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccountAlias)。
------
#### [ CLI ]
**AWS CLI**
**建立帳戶別名**
下列`create-account-alias`命令會`examplecorp`為您的 AWS 帳戶建立別名。
```
aws iam create-account-alias \
--account-alias examplecorp
```
此命令不會產生輸出。
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[AWS 您的帳戶 ID 及其別名](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateAccountAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-account-alias.html)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.CreateAccountAliasRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class CreateAccountAlias {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
alias - The account alias to create (for example, myawsaccount).\s
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String alias = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
createIAMAccountAlias(iam, alias);
iam.close();
System.out.println("Done");
}
public static void createIAMAccountAlias(IamClient iam, String alias) {
try {
CreateAccountAliasRequest request = CreateAccountAliasRequest.builder()
.accountAlias(alias)
.build();
iam.createAccountAlias(request);
System.out.println("Successfully created account alias: " + alias);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [CreateAccountAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccountAlias)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立帳戶別名。
```
import { CreateAccountAliasCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} alias - A unique name for the account alias.
* @returns
*/
export const createAccountAlias = (alias) => {
const command = new CreateAccountAliasCommand({
AccountAlias: alias,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-creating)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateAccountAlias](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccountAliasCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.createAccountAlias({ AccountAlias: process.argv[2] }, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-creating)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateAccountAlias](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreateAccountAlias)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMAccountAlias(alias: String) {
val request =
CreateAccountAliasRequest {
accountAlias = alias
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.createAccountAlias(request)
println("Successfully created account alias named $alias")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreateAccountAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將 AWS 您帳戶的帳戶別名變更為 `mycompanyaws`。使用者登入頁面的網址會變更為 https://mycompanyaws.signin.aws.amazon.com/console。使用您的帳戶 ID 號碼而非別名的原始 URL (https://.signin.aws.amazon.com/console) 繼續有效。但是,任何先前定義的別名型 URL 已失效。**
```
New-IAMAccountAlias -AccountAlias mycompanyaws
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateAccountAlias](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將 AWS 您帳戶的帳戶別名變更為 `mycompanyaws`。使用者登入頁面的網址會變更為 https://mycompanyaws.signin.aws.amazon.com/console。使用您的帳戶 ID 號碼而非別名的原始 URL (https://.signin.aws.amazon.com/console) 繼續有效。但是,任何先前定義的別名型 URL 已失效。**
```
New-IAMAccountAlias -AccountAlias mycompanyaws
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateAccountAlias](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def create_alias(alias):
"""
Creates an alias for the current account. The alias can be used in place of the
account ID in the sign-in URL. An account can have only one alias. When a new
alias is created, it replaces any existing alias.
:param alias: The alias to assign to the account.
"""
try:
iam.create_account_alias(AccountAlias=alias)
logger.info("Created an alias '%s' for your account.", alias)
except ClientError:
logger.exception("Couldn't create alias '%s' for your account.", alias)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [CreateAccountAlias](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccountAlias)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
列出、建立和刪除帳戶別名。
```
class IAMAliasManager
# Initializes the IAM client and logger
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client.
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Lists available AWS account aliases.
def list_aliases
response = @iam_client.list_account_aliases
if response.account_aliases.count.positive?
@logger.info('Account aliases are:')
response.account_aliases.each { |account_alias| @logger.info(" #{account_alias}") }
else
@logger.info('No account aliases found.')
end
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing account aliases: #{e.message}")
end
# Creates an AWS account alias.
#
# @param account_alias [String] The name of the account alias to create.
# @return [Boolean] true if the account alias was created; otherwise, false.
def create_account_alias(account_alias)
@iam_client.create_account_alias(account_alias: account_alias)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating account alias: #{e.message}")
false
end
# Deletes an AWS account alias.
#
# @param account_alias [String] The name of the account alias to delete.
# @return [Boolean] true if the account alias was deleted; otherwise, false.
def delete_account_alias(account_alias)
@iam_client.delete_account_alias(account_alias: account_alias)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting account alias: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [CreateAccountAlias](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccountAlias)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->createaccountalias(
iv_accountalias = iv_account_alias ).
MESSAGE 'Account alias created successfully.' TYPE 'I'.
CATCH /aws1/cx_iamentityalrdyexex.
MESSAGE 'Account alias already exists.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Account alias limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateAccountAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateGroup` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateGroup`。
------
#### [ CLI ]
**AWS CLI**
**建立 IAM 群組**
下列 `create-group` 命令會建立名為 `Admins` 的 IAM 群組。
```
aws iam create-group \
--group-name Admins
```
輸出:
```
{
"Group": {
"Path": "/",
"CreateDate": "2015-03-09T20:30:24.940Z",
"GroupId": "AIDGPMS9RO4H3FEXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/Admins",
"GroupName": "Admins"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 使用者群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { CreateGroupCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} groupName
*/
export const createGroup = async (groupName) => {
const command = new CreateGroupCommand({ GroupName: groupName });
const response = await client.send(command);
console.log(response);
return response;
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》**中的 [CreateGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateGroupCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立名為 `Developers` 的新 IAM 群組。**
```
New-IAMGroup -GroupName Developers
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Developers
CreateDate : 4/14/2015 11:21:31 AM
GroupId : QNEJ5PM4NFSQCEXAMPLE1
GroupName : Developers
Path : /
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateGroup](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立名為 `Developers` 的新 IAM 群組。**
```
New-IAMGroup -GroupName Developers
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Developers
CreateDate : 4/14/2015 11:21:31 AM
GroupId : QNEJ5PM4NFSQCEXAMPLE1
GroupName : Developers
Path : /
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateGroup](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateInstanceProfile` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateInstanceProfile`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [建置及管理彈性服務](iam_example_cross_ResilientService_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/cross-service/ResilientService/AutoScalerActions#code-examples)中設定和執行。
```
///
/// Create a policy, role, and profile that is associated with instances with a specified name.
/// An instance's associated profile defines a role that is assumed by the
/// instance.The role has attached policies that specify the AWS permissions granted to
/// clients that run on the instance.
///
/// Name to use for the policy.
/// Name to use for the role.
/// Name to use for the profile.
/// Path to a policy file for SSM.
/// AWS Managed policies to be attached to the role.
/// The Arn of the profile.
public async Task CreateInstanceProfileWithName(
string policyName,
string roleName,
string profileName,
string ssmOnlyPolicyFile,
List? awsManagedPolicies = null)
{
var assumeRoleDoc = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
"\"Service\": [" +
"\"ec2.amazonaws.com\"" +
"]" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
var policyDocument = await File.ReadAllTextAsync(ssmOnlyPolicyFile);
var policyArn = "";
try
{
var createPolicyResult = await _amazonIam.CreatePolicyAsync(
new CreatePolicyRequest
{
PolicyName = policyName,
PolicyDocument = policyDocument
});
policyArn = createPolicyResult.Policy.Arn;
}
catch (EntityAlreadyExistsException)
{
// The policy already exists, so we look it up to get the Arn.
var policiesPaginator = _amazonIam.Paginators.ListPolicies(
new ListPoliciesRequest()
{
Scope = PolicyScopeType.Local
});
// Get the entire list using the paginator.
await foreach (var policy in policiesPaginator.Policies)
{
if (policy.PolicyName.Equals(policyName))
{
policyArn = policy.Arn;
}
}
if (policyArn == null)
{
throw new InvalidOperationException("Policy not found");
}
}
try
{
await _amazonIam.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = roleName,
AssumeRolePolicyDocument = assumeRoleDoc,
});
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
RoleName = roleName,
PolicyArn = policyArn
});
if (awsManagedPolicies != null)
{
foreach (var awsPolicy in awsManagedPolicies)
{
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
PolicyArn = $"arn:aws:iam::aws:policy/{awsPolicy}",
RoleName = roleName
});
}
}
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Role already exists.");
}
string profileArn = "";
try
{
var profileCreateResponse = await _amazonIam.CreateInstanceProfileAsync(
new CreateInstanceProfileRequest()
{
InstanceProfileName = profileName
});
// Allow time for the profile to be ready.
profileArn = profileCreateResponse.InstanceProfile.Arn;
Thread.Sleep(10000);
await _amazonIam.AddRoleToInstanceProfileAsync(
new AddRoleToInstanceProfileRequest()
{
InstanceProfileName = profileName,
RoleName = roleName
});
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Policy already exists.");
var profileGetResponse = await _amazonIam.GetInstanceProfileAsync(
new GetInstanceProfileRequest()
{
InstanceProfileName = profileName
});
profileArn = profileGetResponse.InstanceProfile.Arn;
}
return profileArn;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [CreateInstanceProfile](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateInstanceProfile)。
------
#### [ CLI ]
**AWS CLI**
**建立執行個體設定檔**
下列 `create-instance-profile` 命令會建立名為 `Webserver` 的執行個體設定檔。
```
aws iam create-instance-profile \
--instance-profile-name Webserver
```
輸出:
```
{
"InstanceProfile": {
"InstanceProfileId": "AIPAJMBYC7DLSPEXAMPLE",
"Roles": [],
"CreateDate": "2015-03-09T20:33:19.626Z",
"InstanceProfileName": "Webserver",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:instance-profile/Webserver"
}
}
```
若要將角色新增至執行個體設定檔,請使用 `add-role-to-instance-profile` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用 IAM 角色為在 Amazon EC2 執行個體上執行的應用程式授予許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-instance-profile.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-resilient-service#code-examples)中設定和執行。
```
const { InstanceProfile } = await iamClient.send(
new CreateInstanceProfileCommand({
InstanceProfileName: NAMES.ssmOnlyInstanceProfileName,
}),
);
await waitUntilInstanceProfileExists(
{ client: iamClient },
{ InstanceProfileName: NAMES.ssmOnlyInstanceProfileName },
);
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [CreateInstanceProfile](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateInstanceProfileCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立名為 `ProfileForDevEC2Instance` 的新 IAM 執行個體設定檔。必須單獨執行 `Add-IAMRoleToInstanceProfile` 命令,將執行個體設定檔與為執行個體提供許可的現有 IAM 角色關聯起來。最後,在啟動執行個體時,將執行個體設定檔連接到 EC2 執行個體。為此,請使用含 `InstanceProfile_Arn` 或 `InstanceProfile_Name` 參數的 `New-EC2Instance` cmdlet。**
```
New-IAMInstanceProfile -InstanceProfileName ProfileForDevEC2Instance
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ProfileForDevEC2Instance
CreateDate : 4/14/2015 11:31:39 AM
InstanceProfileId : DYMFXL556EY46EXAMPLE1
InstanceProfileName : ProfileForDevEC2Instance
Path : /
Roles : {}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立名為 `ProfileForDevEC2Instance` 的新 IAM 執行個體設定檔。必須單獨執行 `Add-IAMRoleToInstanceProfile` 命令,將執行個體設定檔與為執行個體提供許可的現有 IAM 角色關聯起來。最後,在啟動執行個體時,將執行個體設定檔連接到 EC2 執行個體。為此,請使用含 `InstanceProfile_Arn` 或 `InstanceProfile_Name` 參數的 `New-EC2Instance` cmdlet。**
```
New-IAMInstanceProfile -InstanceProfileName ProfileForDevEC2Instance
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ProfileForDevEC2Instance
CreateDate : 4/14/2015 11:31:39 AM
InstanceProfileId : DYMFXL556EY46EXAMPLE1
InstanceProfileName : ProfileForDevEC2Instance
Path : /
Roles : {}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
此範例會建立政策、角色和執行個體設定檔,並將它們全部連結在一起。
```
class AutoScalingWrapper:
"""
Encapsulates Amazon EC2 Auto Scaling and EC2 management actions.
"""
def __init__(
self,
resource_prefix: str,
inst_type: str,
ami_param: str,
autoscaling_client: boto3.client,
ec2_client: boto3.client,
ssm_client: boto3.client,
iam_client: boto3.client,
):
"""
Initializes the AutoScaler class with the necessary parameters.
:param resource_prefix: The prefix for naming AWS resources that are created by this class.
:param inst_type: The type of EC2 instance to create, such as t3.micro.
:param ami_param: The Systems Manager parameter used to look up the AMI that is created.
:param autoscaling_client: A Boto3 EC2 Auto Scaling client.
:param ec2_client: A Boto3 EC2 client.
:param ssm_client: A Boto3 Systems Manager client.
:param iam_client: A Boto3 IAM client.
"""
self.inst_type = inst_type
self.ami_param = ami_param
self.autoscaling_client = autoscaling_client
self.ec2_client = ec2_client
self.ssm_client = ssm_client
self.iam_client = iam_client
sts_client = boto3.client("sts")
self.account_id = sts_client.get_caller_identity()["Account"]
self.key_pair_name = f"{resource_prefix}-key-pair"
self.launch_template_name = f"{resource_prefix}-template-"
self.group_name = f"{resource_prefix}-group"
# Happy path
self.instance_policy_name = f"{resource_prefix}-pol"
self.instance_role_name = f"{resource_prefix}-role"
self.instance_profile_name = f"{resource_prefix}-prof"
# Failure mode
self.bad_creds_policy_name = f"{resource_prefix}-bc-pol"
self.bad_creds_role_name = f"{resource_prefix}-bc-role"
self.bad_creds_profile_name = f"{resource_prefix}-bc-prof"
def create_instance_profile(
self,
policy_file: str,
policy_name: str,
role_name: str,
profile_name: str,
aws_managed_policies: Tuple[str, ...] = (),
) -> str:
"""
Creates a policy, role, and profile that is associated with instances created by
this class. An instance's associated profile defines a role that is assumed by the
instance. The role has attached policies that specify the AWS permissions granted to
clients that run on the instance.
:param policy_file: The name of a JSON file that contains the policy definition to
create and attach to the role.
:param policy_name: The name to give the created policy.
:param role_name: The name to give the created role.
:param profile_name: The name to the created profile.
:param aws_managed_policies: Additional AWS-managed policies that are attached to
the role, such as AmazonSSMManagedInstanceCore to grant
use of Systems Manager to send commands to the instance.
:return: The ARN of the profile that is created.
"""
assume_role_doc = {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole",
}
],
}
policy_arn = self.create_policy(policy_file, policy_name)
self.create_role(role_name, assume_role_doc)
self.attach_policy(role_name, policy_arn, aws_managed_policies)
try:
profile_response = self.iam_client.create_instance_profile(
InstanceProfileName=profile_name
)
waiter = self.iam_client.get_waiter("instance_profile_exists")
waiter.wait(InstanceProfileName=profile_name)
time.sleep(10) # wait a little longer
profile_arn = profile_response["InstanceProfile"]["Arn"]
self.iam_client.add_role_to_instance_profile(
InstanceProfileName=profile_name, RoleName=role_name
)
log.info("Created profile %s and added role %s.", profile_name, role_name)
except ClientError as err:
if err.response["Error"]["Code"] == "EntityAlreadyExists":
prof_response = self.iam_client.get_instance_profile(
InstanceProfileName=profile_name
)
profile_arn = prof_response["InstanceProfile"]["Arn"]
log.info(
"Instance profile %s already exists, nothing to do.", profile_name
)
log.error(f"Full error:\n\t{err}")
return profile_arn
```
+ 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [CreateInstanceProfile](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateInstanceProfile)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateLoginProfile` 搭配 CLI 使用
下列程式碼範例示範如何使用 `CreateLoginProfile`。
------
#### [ CLI ]
**AWS CLI**
**為 IAM 使用者建立密碼**
若要為 IAM 使用者建立密碼,建議使用 `--cli-input-json` 參數傳遞包含密碼的 JSON 檔案。採用此方法時,可以建立含非英數字元的強式密碼。當您以命令列參數形式傳遞密碼時,建立含非英數字元的密碼可能會很困難。
若要使用 `--cli-input-json` 參數,請先使用 `create-login-profile` 命令搭配 `--generate-cli-skeleton` 參數,如下列範例中所示。
```
aws iam create-login-profile \
--generate-cli-skeleton > create-login-profile.json
```
先前的命令會建立名為 create-login-profile.json 的 JSON 檔案,可用來填入後續 `create-login-profile` 命令的資訊。例如:
```
{
"UserName": "Bob",
"Password": "&1-3a6u:RA0djs",
"PasswordResetRequired": true
}
```
接下來,若要為 IAM 使用者建立密碼,請再次使用 `create-login-profile` 命令,這次傳遞 `--cli-input-json` 參數來指定 JSON 檔案。下列 `create-login-profile` 命令會將 `--cli-input-json` 參數搭配名為 create-login-profile.json 的 JSON 檔案使用。
```
aws iam create-login-profile \
--cli-input-json file://create-login-profile.json
```
輸出:
```
{
"LoginProfile": {
"UserName": "Bob",
"CreateDate": "2015-03-10T20:55:40.274Z",
"PasswordResetRequired": true
}
}
```
如果新密碼違反帳戶密碼政策,則命令會傳回 `PasswordPolicyViolation` 錯誤。
若要為已有密碼的使用者變更密碼,請使用 `update-login-profile`。若要設定帳戶的密碼政策,請使用 `update-account-password-policy` 命令。
如果帳戶密碼政策允許,IAM 使用者可以使用 `change-password` 命令變更自己的密碼。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的密碼](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [CreateLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-login-profile.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會為名為 Bob 的 IAM 使用者建立 (臨時) 密碼並設定在 `Bob` 下次登入時要求使用者變更密碼的旗標。**
```
New-IAMLoginProfile -UserName Bob -Password P@ssw0rd -PasswordResetRequired $true
```
**輸出:**
```
CreateDate PasswordResetRequired UserName
---------- --------------------- --------
4/14/2015 12:26:30 PM True Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會為名為 Bob 的 IAM 使用者建立 (臨時) 密碼並設定在 `Bob` 下次登入時要求使用者變更密碼的旗標。**
```
New-IAMLoginProfile -UserName Bob -Password P@ssw0rd -PasswordResetRequired $true
```
**輸出:**
```
CreateDate PasswordResetRequired UserName
---------- --------------------- --------
4/14/2015 12:26:30 PM True Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateOpenIdConnectProvider` 搭配 CLI 使用
下列程式碼範例示範如何使用 `CreateOpenIdConnectProvider`。
------
#### [ CLI ]
**AWS CLI**
**若要建立 IAM OpenID Connect (OIDC) 提供者**
若要建立 OpenID Connect (OIDC) 提供者,建議使用 `--cli-input-json` 參數來傳遞包含必要參數的 JSON 檔案。建立 OIDC 提供者時,必須傳遞提供者的 URL,且 URL 必須以 `https://` 開頭。以命令列參數形式傳遞 URL 可能會很困難,因為在某些命令列環境中,冒號 (:) 和正斜線 (/) 字元有特殊含義。使用 `--cli-input-json` 參數可以避開這個限制。
若要使用 `--cli-input-json` 參數,請先使用 `create-open-id-connect-provider` 命令搭配 `--generate-cli-skeleton` 參數,如下列範例中所示。
```
aws iam create-open-id-connect-provider \
--generate-cli-skeleton > create-open-id-connect-provider.json
```
上一個命令會建立名為 create-open-id-connect-provider.json 的 JSON 檔案,用來填入後續 `create-open-id-connect-provider` 命令的資訊。例如:
```
{
"Url": "https://server.example.com",
"ClientIDList": [
"example-application-ID"
],
"ThumbprintList": [
"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE"
]
}
```
接下來,若要建立 OpenID Connect (OIDC) 提供者,請再次使用 `create-open-id-connect-provider` 命令,這次傳遞 `--cli-input-json` 參數來指定 JSON 檔案。下列 `create-open-id-connect-provider` 命令會將 `--cli-input-json` 參數與名為 create-open-id-connect-provider.json 的 JSON 檔案搭配使用。
```
aws iam create-open-id-connect-provider \
--cli-input-json file://create-open-id-connect-provider.json
```
輸出:
```
{
"OpenIDConnectProviderArn": "arn:aws:iam::123456789012:oidc-provider/server.example.com"
}
```
如需有關 OIDC 提供者的詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 OpenID Connect (OIDC) 身分提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。
如需如何取得 OIDC 提供者指紋的詳細資訊,請參閱*《AWS IAM 使用者指南》*中的[取得 OpenID Connect 身分提供者的指紋](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [CreateOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-open-id-connect-provider.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立與 URL `https://example.oidcprovider.com` 和用戶端 ID `my-testapp-1` 中的 OIDC 相容提供者服務關聯的 IAM OIDC 提供者。OIDC 提供者會提供指紋。若要驗證指紋,請依照 http://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-oidc-obtain-thumbprint.html 中的步驟進行。**
```
New-IAMOpenIDConnectProvider -Url https://example.oidcprovider.com -ClientIDList my-testapp-1 -ThumbprintList 990F419EXAMPLEECF12DDEDA5EXAMPLE52F20D9E
```
**輸出:**
```
arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立與 URL `https://example.oidcprovider.com` 和用戶端 ID `my-testapp-1` 中的 OIDC 相容提供者服務關聯的 IAM OIDC 提供者。OIDC 提供者會提供指紋。若要驗證指紋,請依照 http://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-oidc-obtain-thumbprint.html 中的步驟進行。**
```
New-IAMOpenIDConnectProvider -Url https://example.oidcprovider.com -ClientIDList my-testapp-1 -ThumbprintList 990F419EXAMPLEECF12DDEDA5EXAMPLE52F20D9E
```
**輸出:**
```
arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreatePolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreatePolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [設定屬性型存取控制](iam_example_dynamodb_Scenario_ABACSetup_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [使用 IAM 政策產生器 API](iam_example_iam_Scenario_IamPolicyBuilder_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Create an IAM policy.
///
/// The name to give the new IAM policy.
/// The policy document for the new policy.
/// The new IAM policy object.
public async Task CreatePolicyAsync(string policyName, string policyDocument)
{
var response = await _IAMService.CreatePolicyAsync(new CreatePolicyRequest
{
PolicyDocument = policyDocument,
PolicyName = policyName,
});
return response.Policy;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [CreatePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreatePolicy)。
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_create_policy
#
# This function creates an IAM policy.
#
# Parameters:
# -n policy_name -- The name of the IAM policy.
# -p policy_json -- The policy document.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_policy() {
local policy_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_policy"
echo "Creates an AWS Identity and Access Management (IAM) policy."
echo " -n policy_name The name of the IAM policy."
echo " -p policy_json -- The policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) policy_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_name" ]]; then
errecho "ERROR: You must provide a policy name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-policy \
--policy-name "$policy_name" \
--policy-document "$policy_document" \
--output text \
--query Policy.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-policy operation failed.\n$response"
return 1
fi
echo "$response"
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
Aws::String AwsDoc::IAM::createPolicy(const Aws::String &policyName,
const Aws::String &rsrcArn,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::CreatePolicyRequest request;
request.SetPolicyName(policyName);
request.SetPolicyDocument(BuildSamplePolicyDocument(rsrcArn));
Aws::IAM::Model::CreatePolicyOutcome outcome = iam.CreatePolicy(request);
Aws::String result;
if (!outcome.IsSuccess()) {
std::cerr << "Error creating policy " << policyName << ": " <<
outcome.GetError().GetMessage() << std::endl;
}
else {
result = outcome.GetResult().GetPolicy().GetArn();
std::cout << "Successfully created policy " << policyName <<
std::endl;
}
return result;
}
Aws::String AwsDoc::IAM::BuildSamplePolicyDocument(const Aws::String &rsrc_arn) {
std::stringstream stringStream;
stringStream << "{"
<< " \"Version\": \"2012-10-17\","
<< " \"Statement\": ["
<< " {"
<< " \"Effect\": \"Allow\","
<< " \"Action\": \"logs:CreateLogGroup\","
<< " \"Resource\": \""
<< rsrc_arn
<< "\""
<< " },"
<< " {"
<< " \"Effect\": \"Allow\","
<< " \"Action\": ["
<< " \"dynamodb:DeleteItem\","
<< " \"dynamodb:GetItem\","
<< " \"dynamodb:PutItem\","
<< " \"dynamodb:Scan\","
<< " \"dynamodb:UpdateItem\""
<< " ],"
<< " \"Resource\": \""
<< rsrc_arn
<< "\""
<< " }"
<< " ]"
<< "}";
return stringStream.str();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreatePolicy)。
------
#### [ CLI ]
**AWS CLI**
**範例 1:建立客戶管理政策**
下列命令會建立名為 `my-policy` 的客戶管理政策。檔案 `policy.json` 是目前資料夾中的 JSON 文件,在名為 `amzn-s3-demo-bucket` 的 Amazon S3 儲存貯體中授予 `shared` 資料夾的唯讀存取權限。
```
aws iam create-policy \
--policy-name my-policy \
--policy-document file://policy.json
```
policy.json 的內容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/shared/*"
]
}
]
}
```
輸出:
```
{
"Policy": {
"PolicyName": "my-policy",
"CreateDate": "2015-06-01T19:31:18.620Z",
"AttachmentCount": 0,
"IsAttachable": true,
"PolicyId": "ZXR6A36LTYANPAI7NJ5UV",
"DefaultVersionId": "v1",
"Path": "/",
"Arn": "arn:aws:iam::0123456789012:policy/my-policy",
"UpdateDate": "2015-06-01T19:31:18.620Z"
}
}
```
如需使用檔案做為字串參數輸入的詳細資訊,請參閱《[CLI AWS 使用者指南》中的指定 CLI 的參數值](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html)。 *AWS *
**範例 2:建立內含描述的客戶管理政策**
下列命令會建立名為 `my-policy` 的客戶管理政策,其中包含不可變的描述。
檔案 `policy.json` 是目前資料夾中的 JSON 文件,可針對名為 `amzn-s3-demo-bucket` 的 Amazon S3 儲存貯體,授予所有 Put、List 和 Get 動作的存取權限。
```
aws iam create-policy \
--policy-name my-policy \
--policy-document file://policy.json \
--description "This policy grants access to all Put, Get, and List actions for amzn-s3-demo-bucket"
```
policy.json 的內容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket*",
"s3:PutBucket*",
"s3:GetBucket*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
}
]
}
```
輸出:
```
{
"Policy": {
"PolicyName": "my-policy",
"PolicyId": "ANPAWGSUGIDPEXAMPLE",
"Arn": "arn:aws:iam::123456789012:policy/my-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2023-05-24T22:38:47+00:00",
"UpdateDate": "2023-05-24T22:38:47+00:00"
}
}
```
如需有關以身分為基礎之政策的詳細資訊,請參閱《AWS IAM 使用者指南》**中的[以身分為基礎和以資源為基礎的政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html)。
**範例 3:建立內含標籤的客戶管理政策**
下列命令會建立名為 `my-policy` 的客戶管理政策,其中包含標籤。此範例使用具有下列 JSON 格式標籤的 `--tags` 參數:`'{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'`。或者,`--tags` 旗標可以與速記格式的標籤一起使用:`'Key=Department,Value=Accounting Key=Location,Value=Seattle'`。
檔案 `policy.json` 是目前資料夾中的 JSON 文件,可針對名為 `amzn-s3-demo-bucket` 的 Amazon S3 儲存貯體,授予所有 Put、List 和 Get 動作的存取權限。
```
aws iam create-policy \
--policy-name my-policy \
--policy-document file://policy.json \
--tags '{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'
```
policy.json 的內容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket*",
"s3:PutBucket*",
"s3:GetBucket*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
}
]
}
```
輸出:
```
{
"Policy": {
"PolicyName": "my-policy",
"PolicyId": "ANPAWGSUGIDPEXAMPLE",
"Arn": "arn:aws:iam::12345678012:policy/my-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2023-05-24T23:16:39+00:00",
"UpdateDate": "2023-05-24T23:16:39+00:00",
"Tags": [
{
"Key": "Department",
"Value": "Accounting"
},
"Key": "Location",
"Value": "Seattle"
{
]
}
}
```
如需有關標記政策的詳細資訊,請參閱《AWS IAM 使用者指南》**中的[標記客戶管理政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_customer-managed-policies.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreatePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions
// used in the examples.
// It contains an IAM service client that is used to perform policy actions.
type PolicyWrapper struct {
IamClient *iam.Client
}
// PolicyDocument defines a policy document as a Go struct that can be serialized
// to JSON.
type PolicyDocument struct {
Version string
Statement []PolicyStatement
}
// PolicyStatement defines a statement in a policy document.
type PolicyStatement struct {
Effect string
Action []string
Principal map[string]string `json:",omitempty"`
Resource *string `json:",omitempty"`
}
// CreatePolicy creates a policy that grants a list of actions to the specified resource.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper PolicyWrapper) CreatePolicy(ctx context.Context, policyName string, actions []string,
resourceArn string) (*types.Policy, error) {
var policy *types.Policy
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(resourceArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", resourceArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreatePolicy(ctx, &iam.CreatePolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
})
if err != nil {
log.Printf("Couldn't create policy %v. Here's why: %v\n", policyName, err)
} else {
policy = result.Policy
}
return policy, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [CreatePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreatePolicy)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.core.waiters.WaiterResponse;
import software.amazon.awssdk.services.iam.model.CreatePolicyRequest;
import software.amazon.awssdk.services.iam.model.CreatePolicyResponse;
import software.amazon.awssdk.services.iam.model.GetPolicyRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyResponse;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.waiters.IamWaiter;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class CreatePolicy {
public static final String PolicyDocument = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Action\": [" +
" \"dynamodb:DeleteItem\"," +
" \"dynamodb:GetItem\"," +
" \"dynamodb:PutItem\"," +
" \"dynamodb:Scan\"," +
" \"dynamodb:UpdateItem\"" +
" ]," +
" \"Resource\": \"*\"" +
" }" +
" ]" +
"}";
public static void main(String[] args) {
final String usage = """
Usage:
CreatePolicy \s
Where:
policyName - A unique policy name.\s
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String policyName = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
String result = createIAMPolicy(iam, policyName);
System.out.println("Successfully created a policy with this ARN value: " + result);
iam.close();
}
public static String createIAMPolicy(IamClient iam, String policyName) {
try {
// Create an IamWaiter object.
IamWaiter iamWaiter = iam.waiter();
CreatePolicyRequest request = CreatePolicyRequest.builder()
.policyName(policyName)
.policyDocument(PolicyDocument)
.build();
CreatePolicyResponse response = iam.createPolicy(request);
// Wait until the policy is created.
GetPolicyRequest polRequest = GetPolicyRequest.builder()
.policyArn(response.policy().arn())
.build();
WaiterResponse waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest);
waitUntilPolicyExists.matched().response().ifPresent(System.out::println);
return response.policy().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreatePolicy)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立政策。
```
import { CreatePolicyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} policyName
*/
export const createPolicy = (policyName) => {
const command = new CreatePolicyCommand({
PolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: "*",
Resource: "*",
},
],
}),
PolicyName: policyName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-creating)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreatePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreatePolicyCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var myManagedPolicy = {
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: "logs:CreateLogGroup",
Resource: "RESOURCE_ARN",
},
{
Effect: "Allow",
Action: [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:UpdateItem",
],
Resource: "RESOURCE_ARN",
},
],
};
var params = {
PolicyDocument: JSON.stringify(myManagedPolicy),
PolicyName: "myDynamoDBPolicy",
};
iam.createPolicy(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-creating)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreatePolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreatePolicy)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMPolicy(policyNameVal: String?): String {
val policyDocumentVal = """
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:UpdateItem"
],
"Resource": "*"
}
]
}
""".trimIndent()
val request =
CreatePolicyRequest {
policyName = policyNameVal
policyDocument = policyDocumentVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createPolicy(request)
return response.policy?.arn.toString()
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
$listAllBucketsPolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}";
$listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument);
echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n";
/**
* @param string $policyName
* @param string $policyDocument
* @return array
*/
public function createPolicy(string $policyName, string $policyDocument)
{
$result = $this->customWaiter(function () use ($policyName, $policyDocument) {
return $this->iamClient->createPolicy([
'PolicyName' => $policyName,
'PolicyDocument' => $policyDocument,
]);
});
return $result['Policy'];
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreatePolicy)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會在名為 的目前 AWS 帳戶中建立新的 IAM `MySamplePolicy` 政策。 檔案`MySamplePolicy.json`會提供政策內容。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 政策檔案。**
```
New-IAMPolicy -PolicyName MySamplePolicy -PolicyDocument (Get-Content -Raw MySamplePolicy.json)
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:policy/MySamplePolicy
AttachmentCount : 0
CreateDate : 4/14/2015 2:45:59 PM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : LD4KP6HVFE7WGEXAMPLE1
PolicyName : MySamplePolicy
UpdateDate : 4/14/2015 2:45:59 PM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreatePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會在名為 的目前 AWS 帳戶中建立新的 IAM `MySamplePolicy` 政策。 檔案`MySamplePolicy.json`會提供政策內容。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 政策檔案。**
```
New-IAMPolicy -PolicyName MySamplePolicy -PolicyDocument (Get-Content -Raw MySamplePolicy.json)
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:policy/MySamplePolicy
AttachmentCount : 0
CreateDate : 4/14/2015 2:45:59 PM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : LD4KP6HVFE7WGEXAMPLE1
PolicyName : MySamplePolicy
UpdateDate : 4/14/2015 2:45:59 PM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreatePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def create_policy(name, description, actions, resource_arn):
"""
Creates a policy that contains a single statement.
:param name: The name of the policy to create.
:param description: The description of the policy.
:param actions: The actions allowed by the policy. These typically take the
form of service:action, such as s3:PutObject.
:param resource_arn: The Amazon Resource Name (ARN) of the resource this policy
applies to. This ARN can contain wildcards, such as
'arn:aws:s3:::amzn-s3-demo-bucket/*' to allow actions on all objects
in the bucket named 'amzn-s3-demo-bucket'.
:return: The newly created policy.
"""
policy_doc = {
"Version":"2012-10-17",
"Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arn}],
}
try:
policy = iam.create_policy(
PolicyName=name,
Description=description,
PolicyDocument=json.dumps(policy_doc),
)
logger.info("Created policy %s.", policy.arn)
except ClientError:
logger.exception("Couldn't create policy %s.", name)
raise
else:
return policy
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、連接和分離角色政策。
```
# Manages policies in AWS Identity and Access Management (IAM)
class RolePolicyManager
# Initialize with an AWS IAM client
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'PolicyManager'
end
# Creates a policy
#
# @param policy_name [String] The name of the policy
# @param policy_document [Hash] The policy document
# @return [String] The policy ARN if successful, otherwise nil
def create_policy(policy_name, policy_document)
response = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document.to_json
)
response.policy.arn
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating policy: #{e.message}")
nil
end
# Fetches an IAM policy by its ARN
# @param policy_arn [String] the ARN of the IAM policy to retrieve
# @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found
def get_policy(policy_arn)
response = @iam_client.get_policy(policy_arn: policy_arn)
policy = response.policy
@logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.")
policy
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.")
raise
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}")
raise
end
# Attaches a policy to a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def attach_policy_to_role(role_name, policy_arn)
@iam_client.attach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error attaching policy to role: #{e.message}")
false
end
# Lists policy ARNs attached to a role
#
# @param role_name [String] The name of the role
# @return [Array] List of policy ARNs
def list_attached_policy_arns(role_name)
response = @iam_client.list_attached_role_policies(role_name: role_name)
response.attached_policies.map(&:policy_arn)
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing policies attached to role: #{e.message}")
[]
end
# Detaches a policy from a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def detach_policy_from_role(role_name, policy_arn)
@iam_client.detach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error detaching policy from role: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》中的 [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreatePolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn create_policy(
client: &iamClient,
policy_name: &str,
policy_document: &str,
) -> Result {
let policy = client
.create_policy()
.policy_name(policy_name)
.policy_document(policy_document)
.send()
.await?;
Ok(policy.policy.unwrap())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [CreatePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_policy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->createpolicy(
iv_policyname = iv_policy_name
iv_policydocument = iv_policy_document
iv_description = iv_description ).
MESSAGE 'Policy created successfully.' TYPE 'I'.
CATCH /aws1/cx_iamentityalrdyexex.
MESSAGE 'Policy already exists.' TYPE 'E'.
CATCH /aws1/cx_iammalformedplydocex.
MESSAGE 'Policy document is malformed.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Policy limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreatePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func createPolicy(name: String, policyDocument: String) async throws -> IAMClientTypes.Policy {
let input = CreatePolicyInput(
policyDocument: policyDocument,
policyName: name
)
do {
let output = try await iamClient.createPolicy(input: input)
guard let policy = output.policy else {
throw ServiceHandlerError.noSuchPolicy
}
return policy
} catch {
print("ERROR: createPolicy:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [CreatePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createpolicy(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreatePolicyVersion` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreatePolicyVersion`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
------
#### [ CLI ]
**AWS CLI**
**建立新版本的受管政策**
此範例會建立新 `v2` 版的 IAM 政策 (其 ARN 為 `arn:aws:iam::123456789012:policy/MyPolicy`),並將該版本設為預設版本。
```
aws iam create-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
--policy-document file://NewPolicyVersion.json \
--set-as-default
```
輸出:
```
{
"PolicyVersion": {
"CreateDate": "2015-06-16T18:56:03.721Z",
"VersionId": "v2",
"IsDefaultVersion": true
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 政策的版本控制](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreatePolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立新 v2 版的 IAM 政策 (其 ARN 為 `arn:aws:iam::123456789012:policy/MyPolicy`),並將該版本設為預設版本。`NewPolicyVersion.json` 檔案會提供政策內容。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 政策檔案。**
```
New-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -PolicyDocument (Get-content -Raw NewPolicyVersion.json) -SetAsDefault $true
```
**輸出:**
```
CreateDate Document IsDefaultVersion VersionId
---------- -------- ---------------- ---------
4/15/2015 10:54:54 AM True v2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreatePolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立新 v2 版的 IAM 政策 (其 ARN 為 `arn:aws:iam::123456789012:policy/MyPolicy`),並將該版本設為預設版本。`NewPolicyVersion.json` 檔案會提供政策內容。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 政策檔案。**
```
New-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -PolicyDocument (Get-content -Raw NewPolicyVersion.json) -SetAsDefault $true
```
**輸出:**
```
CreateDate Document IsDefaultVersion VersionId
---------- -------- ---------------- ---------
4/15/2015 10:54:54 AM True v2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreatePolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def create_policy_version(policy_arn, actions, resource_arn, set_as_default):
"""
Creates a policy version. Policies can have up to five versions. The default
version is the one that is used for all resources that reference the policy.
:param policy_arn: The ARN of the policy.
:param actions: The actions to allow in the policy version.
:param resource_arn: The ARN of the resource this policy version applies to.
:param set_as_default: When True, this policy version is set as the default
version for the policy. Otherwise, the default
is not changed.
:return: The newly created policy version.
"""
policy_doc = {
"Version":"2012-10-17",
"Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arn}],
}
try:
policy = iam.Policy(policy_arn)
policy_version = policy.create_version(
PolicyDocument=json.dumps(policy_doc), SetAsDefault=set_as_default
)
logger.info(
"Created policy version %s for policy %s.",
policy_version.version_id,
policy_version.arn,
)
except ClientError:
logger.exception("Couldn't create a policy version for %s.", policy_arn)
raise
else:
return policy_version
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [CreatePolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicyVersion)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->createpolicyversion(
iv_policyarn = iv_policy_arn
iv_policydocument = iv_policy_document
iv_setasdefault = iv_set_as_default ).
MESSAGE 'Policy version created successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy does not exist.' TYPE 'E'.
CATCH /aws1/cx_iammalformedplydocex.
MESSAGE 'Policy document is malformed.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Policy version limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreatePolicyVersion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateRole` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateRole`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [使用 Lambda 代理整合建立 REST API](iam_example_api_gateway_GettingStarted_087_section.md)
+ [為 Fargate 啟動類型建立 Amazon ECS Linux 任務](iam_example_ecs_GettingStarted_086_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](iam_example_cloudwatch_GettingStarted_031_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [建立您的第一個 Lambda 函數](iam_example_lambda_GettingStarted_019_section.md)
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理角色](iam_example_iam_Scenario_RoleManagement_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](iam_example_secrets_manager_GettingStarted_073_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [在 CloudWatch 儀表板中使用屬性變數來監控多個 Lambda 函數](iam_example_iam_GettingStarted_032_section.md)
+ [使用串流和存留時間](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Create a new IAM role.
///
/// The name of the IAM role.
/// The name of the IAM policy document
/// for the new role.
/// The Amazon Resource Name (ARN) of the role.
public async Task CreateRoleAsync(string roleName, string rolePolicyDocument)
{
var request = new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = rolePolicyDocument,
};
var response = await _IAMService.CreateRoleAsync(request);
return response.Role.Arn;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [CreateRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateRole)。
------
#### [ Bash ]
**AWS CLI 使用 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_create_role
#
# This function creates an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_json -- The assume role policy document.
#
# Returns:
# The ARN of the role.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_role() {
local role_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) role."
echo " -n role_name The name of the IAM role."
echo " -p policy_json -- The assume role policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-role \
--role-name "$role_name" \
--assume-role-policy-document "$policy_document" \
--output text \
--query Role.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-role operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::createIamRole(
const Aws::String &roleName,
const Aws::String &policy,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient client(clientConfig);
Aws::IAM::Model::CreateRoleRequest request;
request.SetRoleName(roleName);
request.SetAssumeRolePolicyDocument(policy);
Aws::IAM::Model::CreateRoleOutcome outcome = client.CreateRole(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating role. " <<
outcome.GetError().GetMessage() << std::endl;
}
else {
const Aws::IAM::Model::Role iamRole = outcome.GetResult().GetRole();
std::cout << "Created role " << iamRole.GetRoleName() << "\n";
std::cout << "ID: " << iamRole.GetRoleId() << "\n";
std::cout << "ARN: " << iamRole.GetArn() << std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [CreateRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateRole)。
------
#### [ CLI ]
**AWS CLI**
**範例 1:建立 IAM 角色**
下列 `create-role` 命令會建立名為 `Test-Role` 的角色,並將信任政策連接至該角色。
```
aws iam create-role \
--role-name Test-Role \
--assume-role-policy-document file://Test-Role-Trust-Policy.json
```
輸出:
```
{
"Role": {
"AssumeRolePolicyDocument": "",
"RoleId": "AKIAIOSFODNN7EXAMPLE",
"CreateDate": "2013-06-07T20:43:32.821Z",
"RoleName": "Test-Role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/Test-Role"
}
}
```
在 *Test-Role-Trust-Policy.json* 檔案中,將信任政策定義為 JSON 文件。(檔案名稱和副檔名沒有意義。) 信任政策必須指定主體。
若要將許可政策連接至角色,請使用 `put-role-policy` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。
**範例 2:建立具有指定最長工作階段持續時間的 IAM 角色**
下列 `create-role` 命令會建立名為 `Test-Role` 的角色,並設定 7200 秒 (2 小時) 的最長工作階段持續時間。
```
aws iam create-role \
--role-name Test-Role \
--assume-role-policy-document file://Test-Role-Trust-Policy.json \
--max-session-duration 7200
```
輸出:
```
{
"Role": {
"Path": "/",
"RoleName": "Test-Role",
"RoleId": "AKIAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::12345678012:role/Test-Role",
"CreateDate": "2023-05-24T23:50:25+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678012:root"
},
"Action": "sts:AssumeRole"
}
]
}
}
}
```
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[修改角色最長工作階段持續時間 (AWS API)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-api.html#roles-modify_max-session-duration-api)。
**範例 3:建立內含標籤的 IAM 角色**
下列命令會建立內含標籤的 IAM 角色 `Test-Role`。此範例使用具有下列 JSON 格式標記的 `--tags` 參數旗標:`'{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'`。或者,`--tags` 旗標可以與速記格式的標籤一起使用:`'Key=Department,Value=Accounting Key=Location,Value=Seattle'`。
```
aws iam create-role \
--role-name Test-Role \
--assume-role-policy-document file://Test-Role-Trust-Policy.json \
--tags '{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'
```
輸出:
```
{
"Role": {
"Path": "/",
"RoleName": "Test-Role",
"RoleId": "AKIAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:role/Test-Role",
"CreateDate": "2023-05-25T23:29:41+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole"
}
]
},
"Tags": [
{
"Key": "Department",
"Value": "Accounting"
},
{
"Key": "Location",
"Value": "Seattle"
}
]
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[標記 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_roles.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// CreateRole creates a role that trusts a specified user. The trusted user can assume
// the role to acquire its permissions.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper RoleWrapper) CreateRole(ctx context.Context, roleName string, trustedUserArn string) (*types.Role, error) {
var role *types.Role
trustPolicy := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Principal: map[string]string{"AWS": trustedUserArn},
Action: []string{"sts:AssumeRole"},
}},
}
policyBytes, err := json.Marshal(trustPolicy)
if err != nil {
log.Printf("Couldn't create trust policy for %v. Here's why: %v\n", trustedUserArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreateRole(ctx, &iam.CreateRoleInput{
AssumeRolePolicyDocument: aws.String(string(policyBytes)),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't create role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [CreateRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateRole)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import software.amazon.awssdk.services.iam.model.CreateRoleRequest;
import software.amazon.awssdk.services.iam.model.CreateRoleResponse;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import java.io.FileReader;
/*
* This example requires a trust policy document. For more information, see:
* https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
*
*
* In addition, set up your development environment, including your credentials.
*
* For information, see this documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class CreateRole {
public static void main(String[] args) throws Exception {
final String usage = """
Usage:
\s
Where:
rolename - The name of the role to create.\s
fileLocation - The location of the JSON document that represents the trust policy.\s
""";
if (args.length != 2) {
System.out.println(usage);
System.exit(1);
}
String rolename = args[0];
String fileLocation = args[1];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
String result = createIAMRole(iam, rolename, fileLocation);
System.out.println("Successfully created user: " + result);
iam.close();
}
public static String createIAMRole(IamClient iam, String rolename, String fileLocation) throws Exception {
try {
JSONObject jsonObject = (JSONObject) readJsonSimpleDemo(fileLocation);
CreateRoleRequest request = CreateRoleRequest.builder()
.roleName(rolename)
.assumeRolePolicyDocument(jsonObject.toJSONString())
.description("Created using the AWS SDK for Java")
.build();
CreateRoleResponse response = iam.createRole(request);
System.out.println("The ARN of the role is " + response.role().arn());
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
public static Object readJsonSimpleDemo(String filename) throws Exception {
FileReader reader = new FileReader(filename);
JSONParser jsonParser = new JSONParser();
return jsonParser.parse(reader);
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [CreateRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateRole)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立角色。
```
import { CreateRoleCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} roleName
*/
export const createRole = (roleName) => {
const command = new CreateRoleCommand({
AssumeRolePolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Principal: {
Service: "lambda.amazonaws.com",
},
Action: "sts:AssumeRole",
},
],
}),
RoleName: roleName,
});
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateRoleCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
$assumeRolePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{$user['Arn']}\"},
\"Action\": \"sts:AssumeRole\"
}]
}";
$assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument);
echo "Created role: {$assumeRoleRole['RoleName']}\n";
/**
* @param string $roleName
* @param string $rolePolicyDocument
* @return array
* @throws AwsException
*/
public function createRole(string $roleName, string $rolePolicyDocument)
{
$result = $this->customWaiter(function () use ($roleName, $rolePolicyDocument) {
return $this->iamClient->createRole([
'AssumeRolePolicyDocument' => $rolePolicyDocument,
'RoleName' => $roleName,
]);
});
return $result['Role'];
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [CreateRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateRole)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立名為 `MyNewRole` 的新角色,並將其連接至在 `NewRoleTrustPolicy.json` 檔案中找到的政策。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 政策檔案。輸出中顯示的政策文件是以 URL 編碼。在此範例中,它會使用 `UrlDecode` .NET 方法解碼。**
```
$results = New-IAMRole -AssumeRolePolicyDocument (Get-Content -raw NewRoleTrustPolicy.json) -RoleName MyNewRole
$results
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:role/MyNewRole
AssumeRolePolicyDocument : %7B%0D%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0D%0A%20%20%22Statement%22
%3A%20%5B%0D%0A%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%22Sid%22%3A%20%22%22%2C
%0D%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0D%0A%20%20%20%20%20%20
%22Principal%22%3A%20%7B%0D%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws
%3Aiam%3A%3A123456789012%3ADavid%22%0D%0A%20%20%20%20%20%20%7D%2C%0D%0A%20%20%20
%20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0D%0A%20%20%20%20%7D%0D%0A%20
%20%5D%0D%0A%7D
CreateDate : 4/15/2015 11:04:23 AM
Path : /
RoleId : V5PAJI2KPN4EAEXAMPLE1
RoleName : MyNewRole
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument)
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:David"
},
"Action": "sts:AssumeRole"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立名為 `MyNewRole` 的新角色,並將其連接至在 `NewRoleTrustPolicy.json` 檔案中找到的政策。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 政策檔案。輸出中顯示的政策文件是以 URL 編碼。在此範例中,它會使用 `UrlDecode` .NET 方法解碼。**
```
$results = New-IAMRole -AssumeRolePolicyDocument (Get-Content -raw NewRoleTrustPolicy.json) -RoleName MyNewRole
$results
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:role/MyNewRole
AssumeRolePolicyDocument : %7B%0D%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0D%0A%20%20%22Statement%22
%3A%20%5B%0D%0A%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%22Sid%22%3A%20%22%22%2C
%0D%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0D%0A%20%20%20%20%20%20
%22Principal%22%3A%20%7B%0D%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws
%3Aiam%3A%3A123456789012%3ADavid%22%0D%0A%20%20%20%20%20%20%7D%2C%0D%0A%20%20%20
%20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0D%0A%20%20%20%20%7D%0D%0A%20
%20%5D%0D%0A%7D
CreateDate : 4/15/2015 11:04:23 AM
Path : /
RoleId : V5PAJI2KPN4EAEXAMPLE1
RoleName : MyNewRole
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument)
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:David"
},
"Action": "sts:AssumeRole"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def create_role(role_name, allowed_services):
"""
Creates a role that lets a list of specified services assume the role.
:param role_name: The name of the role.
:param allowed_services: The services that can assume the role.
:return: The newly created role.
"""
trust_policy = {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": service},
"Action": "sts:AssumeRole",
}
for service in allowed_services
],
}
try:
role = iam.create_role(
RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy)
)
logger.info("Created role %s.", role.name)
except ClientError:
logger.exception("Couldn't create role %s.", role_name)
raise
else:
return role
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [CreateRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateRole)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Creates a role and attaches policies to it.
#
# @param role_name [String] The name of the role.
# @param assume_role_policy_document [Hash] The trust relationship policy document.
# @param policy_arns [Array] The ARNs of the policies to attach.
# @return [String, nil] The ARN of the new role if successful, or nil if an error occurred.
def create_role(role_name, assume_role_policy_document, policy_arns)
response = @iam_client.create_role(
role_name: role_name,
assume_role_policy_document: assume_role_policy_document.to_json
)
role_arn = response.role.arn
policy_arns.each do |policy_arn|
@iam_client.attach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
end
role_arn
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating role: #{e.message}")
nil
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [CreateRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateRole)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn create_role(
client: &iamClient,
role_name: &str,
role_policy_document: &str,
) -> Result {
let response: CreateRoleOutput = loop {
if let Ok(response) = client
.create_role()
.role_name(role_name)
.assume_role_policy_document(role_policy_document)
.send()
.await
{
break response;
}
};
Ok(response.role.unwrap())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [CreateRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_role)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->createrole(
iv_rolename = iv_role_name
iv_assumerolepolicydocument = iv_assume_role_policy_document ).
MESSAGE 'Role created successfully.' TYPE 'I'.
CATCH /aws1/cx_iamentityalrdyexex.
MESSAGE 'Role already exists.' TYPE 'E'.
CATCH /aws1/cx_iammalformedplydocex.
MESSAGE 'Assume role policy document is malformed.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Role limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func createRole(name: String, policyDocument: String) async throws -> String {
let input = CreateRoleInput(
assumeRolePolicyDocument: policyDocument,
roleName: name
)
do {
let output = try await client.createRole(input: input)
guard let role = output.role else {
throw ServiceHandlerError.noSuchRole
}
guard let id = role.roleId else {
throw ServiceHandlerError.noSuchRole
}
return id
} catch {
print("ERROR: createRole:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [CreateRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createrole(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateSAMLProvider` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateSAMLProvider`。
------
#### [ CLI ]
**AWS CLI**
**建立 SAML 提供者**
此範例會在 IAM 中建立名為 `MySAMLProvider` 的新 SAML 提供者。它會由在檔案 `SAMLMetaData.xml` 中找到的 SAML 中繼資料文件進行描述。
```
aws iam create-saml-provider \
--saml-metadata-document file://SAMLMetaData.xml \
--name MySAMLProvider
```
輸出:
```
{
"SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/MySAMLProvider"
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM SAML 身分提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateSAMLProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-saml-provider.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { CreateSAMLProviderCommand, IAMClient } from "@aws-sdk/client-iam";
import { readFileSync } from "node:fs";
import * as path from "node:path";
import { dirnameFromMetaUrl } from "@aws-doc-sdk-examples/lib/utils/util-fs.js";
const client = new IAMClient({});
/**
* This sample document was generated using Auth0.
* For more information on generating this document, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html#samlstep1.
*/
const sampleMetadataDocument = readFileSync(
path.join(
dirnameFromMetaUrl(import.meta.url),
"../../../../resources/sample_files/sample_saml_metadata.xml",
),
);
/**
*
* @param {*} providerName
* @returns
*/
export const createSAMLProvider = async (providerName) => {
const command = new CreateSAMLProviderCommand({
Name: providerName,
SAMLMetadataDocument: sampleMetadataDocument.toString(),
});
const response = await client.send(command);
console.log(response);
return response;
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [CreateSAMLProvider](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateSAMLProviderCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會在 IAM 中建立新的 SAML 提供者實體。它被命名為 `MySAMLProvider`,由在檔案 `SAMLMetaData.xml` 中找到的 SAML 中繼資料文件描述,該檔案需從 SAML 服務提供者的網站單獨下載。**
```
New-IAMSAMLProvider -Name MySAMLProvider -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml)
```
**輸出:**
```
arn:aws:iam::123456789012:saml-provider/MySAMLProvider
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateSAMLProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會在 IAM 中建立新的 SAML 提供者實體。它被命名為 `MySAMLProvider`,由在檔案 `SAMLMetaData.xml` 中找到的 SAML 中繼資料文件描述,該檔案需從 SAML 服務提供者的網站單獨下載。**
```
New-IAMSAMLProvider -Name MySAMLProvider -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml)
```
**輸出:**
```
arn:aws:iam::123456789012:saml-provider/MySAMLProvider
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateSAMLProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateServiceLinkedRole` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateServiceLinkedRole`。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Create an IAM service-linked role.
///
/// The name of the AWS Service.
/// A description of the IAM service-linked role.
/// The IAM role that was created.
public async Task CreateServiceLinkedRoleAsync(string serviceName, string description)
{
var request = new CreateServiceLinkedRoleRequest
{
AWSServiceName = serviceName,
Description = description
};
var response = await _IAMService.CreateServiceLinkedRoleAsync(request);
return response.Role;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateServiceLinkedRole)。
------
#### [ CLI ]
**AWS CLI**
**建立服務連結角色**
下列`create-service-linked-role`範例會為指定的服務建立 AWS 服務連結角色,並連接指定的描述。
```
aws iam create-service-linked-role \
--aws-service-name lex.amazonaws.com \
--description "My service-linked role to support Lex"
```
輸出:
```
{
"Role": {
"Path": "/aws-service-role/lex.amazonaws.com/",
"RoleName": "AWSServiceRoleForLexBots",
"RoleId": "AROA1234567890EXAMPLE",
"Arn": "arn:aws:iam::1234567890:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots",
"CreateDate": "2019-04-17T20:34:14+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"lex.amazonaws.com"
]
}
}
]
}
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用服務連結角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateServiceLinkedRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-service-linked-role.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// CreateServiceLinkedRole creates a service-linked role that is owned by the specified service.
func (wrapper RoleWrapper) CreateServiceLinkedRole(ctx context.Context, serviceName string, description string) (
*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.CreateServiceLinkedRole(ctx, &iam.CreateServiceLinkedRoleInput{
AWSServiceName: aws.String(serviceName),
Description: aws.String(description),
})
if err != nil {
log.Printf("Couldn't create service-linked role %v. Here's why: %v\n", serviceName, err)
} else {
role = result.Role
}
return role, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [CreateServiceLinkedRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateServiceLinkedRole)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立服務連結角色。
```
import {
CreateServiceLinkedRoleCommand,
GetRoleCommand,
IAMClient,
} from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} serviceName
*/
export const createServiceLinkedRole = async (serviceName) => {
const command = new CreateServiceLinkedRoleCommand({
// For a list of AWS services that support service-linked roles,
// see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html.
//
// For a list of AWS service endpoints, see https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html.
AWSServiceName: serviceName,
});
try {
const response = await client.send(command);
console.log(response);
return response;
} catch (caught) {
if (
caught instanceof Error &&
caught.name === "InvalidInputException" &&
caught.message.includes(
"Service role name AWSServiceRoleForElasticBeanstalk has been taken in this account",
)
) {
console.warn(caught.message);
return client.send(
new GetRoleCommand({ RoleName: "AWSServiceRoleForElasticBeanstalk" }),
);
}
throw caught;
}
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateServiceLinkedRoleCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function createServiceLinkedRole($awsServiceName, $customSuffix = "", $description = "")
{
$createServiceLinkedRoleArguments = ['AWSServiceName' => $awsServiceName];
if ($customSuffix) {
$createServiceLinkedRoleArguments['CustomSuffix'] = $customSuffix;
}
if ($description) {
$createServiceLinkedRoleArguments['Description'] = $description;
}
return $this->iamClient->createServiceLinkedRole($createServiceLinkedRoleArguments);
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateServiceLinkedRole)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立用於自動擴展服務的服務連結角色。**
```
New-IAMServiceLinkedRole -AWSServiceName autoscaling.amazonaws.com -CustomSuffix RoleNameEndsWithThis -Description "My service-linked role to support autoscaling"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立用於自動擴展服務的服務連結角色。**
```
New-IAMServiceLinkedRole -AWSServiceName autoscaling.amazonaws.com -CustomSuffix RoleNameEndsWithThis -Description "My service-linked role to support autoscaling"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def create_service_linked_role(service_name, description):
"""
Creates a service-linked role.
:param service_name: The name of the service that owns the role.
:param description: A description to give the role.
:return: The newly created role.
"""
try:
response = iam.meta.client.create_service_linked_role(
AWSServiceName=service_name, Description=description
)
role = iam.Role(response["Role"]["RoleName"])
logger.info("Created service-linked role %s.", role.name)
except ClientError:
logger.exception("Couldn't create service-linked role for %s.", service_name)
raise
else:
return role
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateServiceLinkedRole)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Creates a service-linked role
#
# @param service_name [String] The service name to create the role for.
# @param description [String] The description of the service-linked role.
# @param suffix [String] Suffix for customizing role name.
# @return [String] The name of the created role
def create_service_linked_role(service_name, description, suffix)
response = @iam_client.create_service_linked_role(
aws_service_name: service_name, description: description, custom_suffix: suffix
)
role_name = response.role.role_name
@logger.info("Created service-linked role #{role_name}.")
role_name
rescue Aws::Errors::ServiceError => e
@logger.error("Couldn't create service-linked role for #{service_name}. Here's why:")
@logger.error("\t#{e.code}: #{e.message}")
raise
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateServiceLinkedRole)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn create_service_linked_role(
client: &iamClient,
aws_service_name: String,
custom_suffix: Option,
description: Option,
) -> Result> {
let response = client
.create_service_linked_role()
.aws_service_name(aws_service_name)
.set_custom_suffix(custom_suffix)
.set_description(description)
.send()
.await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [CreateServiceLinkedRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_service_linked_role)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listpolicyversions(
iv_policyarn = iv_policy_arn ).
MESSAGE 'Retrieved policy versions list.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing policy versions.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateServiceLinkedRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func createServiceLinkedRole(service: String, suffix: String? = nil, description: String?)
async throws -> IAMClientTypes.Role {
let input = CreateServiceLinkedRoleInput(
awsServiceName: service,
customSuffix: suffix,
description: description
)
do {
let output = try await client.createServiceLinkedRole(input: input)
guard let role = output.role else {
throw ServiceHandlerError.noSuchRole
}
return role
} catch {
print("ERROR: createServiceLinkedRole:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [CreateServiceLinkedRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createservicelinkedrole(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `CreateUser` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `CreateUser`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Create an IAM user.
///
/// The username for the new IAM user.
/// The IAM user that was created.
public async Task CreateUserAsync(string userName)
{
var response = await _IAMService.CreateUserAsync(new CreateUserRequest { UserName = userName });
return response.User;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [CreateUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateUser)。
------
#### [ Bash ]
**AWS CLI 使用 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function iecho
#
# This function enables the script to display the specified text only if
# the global variable $VERBOSE is set to true.
###############################################################################
function iecho() {
if [[ $VERBOSE == true ]]; then
echo "$@"
fi
}
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_create_user
#
# This function creates the specified IAM user, unless
# it already exists.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# The ARN of the user.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user"
echo "Creates an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user. It must be unique within the account."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user already exists, we don't want to try to create it.
if (iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name already exists in the account."
return 1
fi
response=$(aws iam create-user --user-name "$user_name" \
--output text \
--query 'User.Arn')
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-user operation failed.$response"
return 1
fi
echo "$response"
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateUser)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::CreateUserRequest create_request;
create_request.SetUserName(userName);
auto create_outcome = iam.CreateUser(create_request);
if (!create_outcome.IsSuccess()) {
std::cerr << "Error creating IAM user " << userName << ":" <<
create_outcome.GetError().GetMessage() << std::endl;
}
else {
std::cout << "Successfully created IAM user " << userName << std::endl;
}
return create_outcome.IsSuccess();
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [CreateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateUser)。
------
#### [ CLI ]
**AWS CLI**
**範例 1:建立 IAM 使用者**
下列 `create-user` 命令會建立目前帳戶中名為 `Bob` 的 IAM 使用者。
```
aws iam create-user \
--user-name Bob
```
輸出:
```
{
"User": {
"UserName": "Bob",
"Path": "/",
"CreateDate": "2023-06-08T03:20:41.270Z",
"UserId": "AIDAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:user/Bob"
}
}
```
如需詳細資訊,請參閱《[IAM 使用者指南》中的在 AWS 帳戶中建立](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) *AWS IAM* 使用者。
**範例 2:在指定路徑建立 IAM 使用者**
下列 `create-user` 命令會在指定路徑建立名為 `Bob` 的 IAM 使用者。
```
aws iam create-user \
--user-name Bob \
--path /division_abc/subdivision_xyz/
```
輸出:
```
{
"User": {
"Path": "/division_abc/subdivision_xyz/",
"UserName": "Bob",
"UserId": "AIDAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::12345678012:user/division_abc/subdivision_xyz/Bob",
"CreateDate": "2023-05-24T18:20:17+00:00"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 識別符](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)。
**範例 3:建立內含標籤的 IAM 使用者**
下列 `create-user` 命令會建立內含標籤、名為 `Bob` 的 IAM 使用者。此範例使用具有下列 JSON 格式標記的 `--tags` 參數旗標:`'{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'`。或者,`--tags` 旗標可以與速記格式的標籤一起使用:`'Key=Department,Value=Accounting Key=Location,Value=Seattle'`。
```
aws iam create-user \
--user-name Bob \
--tags '{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'
```
輸出:
```
{
"User": {
"Path": "/",
"UserName": "Bob",
"UserId": "AIDAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::12345678012:user/Bob",
"CreateDate": "2023-05-25T17:14:21+00:00",
"Tags": [
{
"Key": "Department",
"Value": "Accounting"
},
{
"Key": "Location",
"Value": "Seattle"
}
]
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[標記 IAM 使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_users.html)。
**範例 3:建立具有設定許可界限的 IAM 使用者**
下列 `create-user` 命令會使用 AmazonS3FullAccess 許可界限,建立名為 `Bob` 的 IAM 使用者。
```
aws iam create-user \
--user-name Bob \
--permissions-boundary arn:aws:iam::aws:policy/AmazonS3FullAccess
```
輸出:
```
{
"User": {
"Path": "/",
"UserName": "Bob",
"UserId": "AIDAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::12345678012:user/Bob",
"CreateDate": "2023-05-24T17:50:53+00:00",
"PermissionsBoundary": {
"PermissionsBoundaryType": "Policy",
"PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 實體許可界限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-user.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// CreateUser creates a new user with the specified name.
func (wrapper UserWrapper) CreateUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.CreateUser(ctx, &iam.CreateUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
} else {
user = result.User
}
return user, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [CreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateUser)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.core.waiters.WaiterResponse;
import software.amazon.awssdk.services.iam.model.CreateUserRequest;
import software.amazon.awssdk.services.iam.model.CreateUserResponse;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.waiters.IamWaiter;
import software.amazon.awssdk.services.iam.model.GetUserRequest;
import software.amazon.awssdk.services.iam.model.GetUserResponse;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class CreateUser {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
username - The name of the user to create.\s
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String username = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
String result = createIAMUser(iam, username);
System.out.println("Successfully created user: " + result);
iam.close();
}
public static String createIAMUser(IamClient iam, String username) {
try {
// Create an IamWaiter object.
IamWaiter iamWaiter = iam.waiter();
CreateUserRequest request = CreateUserRequest.builder()
.userName(username)
.build();
CreateUserResponse response = iam.createUser(request);
// Wait until the user is created.
GetUserRequest userRequest = GetUserRequest.builder()
.userName(response.user().userName())
.build();
WaiterResponse waitUntilUserExists = iamWaiter.waitUntilUserExists(userRequest);
waitUntilUserExists.matched().response().ifPresent(System.out::println);
return response.user().userName();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [CreateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateUser)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
建立使用者。
```
import { CreateUserCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} name
*/
export const createUser = (name) => {
const command = new CreateUserCommand({ UserName: name });
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-creating-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateUserCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
UserName: process.argv[2],
};
iam.getUser(params, function (err, data) {
if (err && err.code === "NoSuchEntity") {
iam.createUser(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
} else {
console.log(
"User " + process.argv[2] + " already exists",
data.User.UserId
);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-creating-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [CreateUser](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreateUser)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMUser(usernameVal: String?): String? {
val request =
CreateUserRequest {
userName = usernameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createUser(request)
return response.user?.userName
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
$user = $service->createUser("iam_demo_user_$uuid");
echo "Created user with the arn: {$user['Arn']}\n";
/**
* @param string $name
* @return array
* @throws AwsException
*/
public function createUser(string $name): array
{
$result = $this->iamClient->createUser([
'UserName' => $name,
]);
return $result['User'];
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [CreateUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateUser)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立名為 `Bob` 的 IAM 使用者。如果 Bob 需要登入 AWS 主控台,則您必須分別執行 命令`New-IAMLoginProfile`,以使用密碼建立登入設定檔。如果 Bob 需要執行 AWS PowerShell 或跨平台 CLI 命令或進行 AWS API 呼叫,則必須單獨執行`New-IAMAccessKey`命令來建立存取金鑰。**
```
New-IAMUser -UserName Bob
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 4/22/2015 12:02:11 PM
PasswordLastUsed : 1/1/0001 12:00:00 AM
Path : /
UserId : AIDAJWGEFDMEMEXAMPLE1
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateUser](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立名為 `Bob` 的 IAM 使用者。如果 Bob 需要登入 AWS 主控台,則您必須分別執行 命令`New-IAMLoginProfile`,以使用密碼建立登入設定檔。如果 Bob 需要執行 AWS PowerShell 或跨平台 CLI 命令或進行 AWS API 呼叫,則必須單獨執行`New-IAMAccessKey`命令來建立存取金鑰。**
```
New-IAMUser -UserName Bob
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 4/22/2015 12:02:11 PM
PasswordLastUsed : 1/1/0001 12:00:00 AM
Path : /
UserId : AIDAJWGEFDMEMEXAMPLE1
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateUser](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def create_user(user_name):
"""
Creates a user. By default, a user has no permissions or access keys.
:param user_name: The name of the user.
:return: The newly created user.
"""
try:
user = iam.create_user(UserName=user_name)
logger.info("Created user %s.", user.name)
except ClientError:
logger.exception("Couldn't create user %s.", user_name)
raise
else:
return user
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [CreateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateUser)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Creates a user and their login profile
#
# @param user_name [String] The name of the user
# @param initial_password [String] The initial password for the user
# @return [String, nil] The ID of the user if created, or nil if an error occurred
def create_user(user_name, initial_password)
response = @iam_client.create_user(user_name: user_name)
@iam_client.wait_until(:user_exists, user_name: user_name)
@iam_client.create_login_profile(
user_name: user_name,
password: initial_password,
password_reset_required: true
)
@logger.info("User '#{user_name}' created successfully.")
response.user.user_id
rescue Aws::IAM::Errors::EntityAlreadyExists
@logger.error("Error creating user '#{user_name}': user already exists.")
nil
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating user '#{user_name}': #{e.message}")
nil
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [CreateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateUser)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn create_user(client: &iamClient, user_name: &str) -> Result {
let response = client.create_user().user_name(user_name).send().await?;
Ok(response.user.unwrap())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [CreateUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_user)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->createuser(
iv_username = iv_user_name ).
MESSAGE 'User created successfully.' TYPE 'I'.
CATCH /aws1/cx_iamentityalrdyexex.
MESSAGE 'User already exists.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Limit exceeded for IAM users.' TYPE 'E'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Entity does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateUser](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func createUser(name: String) async throws -> String {
let input = CreateUserInput(
userName: name
)
do {
let output = try await client.createUser(input: input)
guard let user = output.user else {
throw ServiceHandlerError.noSuchUser
}
guard let id = user.userId else {
throw ServiceHandlerError.noSuchUser
}
return id
} catch {
print("ERROR: createUser:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [CreateUser](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createuser(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `CreateVirtualMfaDevice` 與 CLI
下列程式碼範例示範如何使用 `CreateVirtualMfaDevice`。
------
#### [ CLI ]
**AWS CLI**
**若要建立虛擬 MFA 裝置**
此範例會建立名為 `BobsMFADevice` 的新虛擬 MFA 裝置。它會建立包含名為 `QRCode.png` 的引導資訊的檔案,並將其放至 `C:/` 目錄中。此範例中使用的引導方法為 `QRCodePNG`。
```
aws iam create-virtual-mfa-device \
--virtual-mfa-device-name BobsMFADevice \
--outfile C:/QRCode.png \
--bootstrap-method QRCodePNG
```
輸出:
```
{
"VirtualMFADevice": {
"SerialNumber": "arn:aws:iam::210987654321:mfa/BobsMFADevice"
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 AWS中使用多重要素驗證 (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [CreateVirtualMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-virtual-mfa-device.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立新的虛擬 MFA 裝置。第 2 行和第 3 行擷取虛擬 MFA 軟體程式建立帳戶所需的 `Base32StringSeed` 值 (做為 QR 程式碼的替代方案)。使用值設定程式後,依序從程式取得兩個驗證碼。最後,使用最後一個命令將虛擬 MFA 裝置連結至 IAM 使用者 `Bob`,並使用兩個驗證碼同步帳戶。**
```
$Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice
$SR = New-Object System.IO.StreamReader($Device.Base32StringSeed)
$base32stringseed = $SR.ReadToEnd()
$base32stringseed
CZWZMCQNW4DEXAMPLE3VOUGXJFZYSUW7EXAMPLECR4NJFD65GX2SLUDW2EXAMPLE
```
**輸出:**
```
-- Pause here to enter base-32 string seed code into virtual MFA program to register account. --
Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012
```
**範例 2:此範例會建立新的虛擬 MFA 裝置。第 2 行和第 3 行會擷取 `QRCodePNG` 值,並將其寫入檔案。此映像可由虛擬 MFA 軟體程式掃描,以建立帳戶 (做為手動輸入 Base32StringSeed 值的替代方案)。在虛擬 MFA 程式中建立帳戶後,請依序取得兩個驗證碼,並在最後一個命令中輸入它們,將虛擬 MFA 裝置連結至 IAM 使用者 `Bob` 並同步帳戶。**
```
$Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice
$BR = New-Object System.IO.BinaryReader($Device.QRCodePNG)
$BR.ReadBytes($BR.BaseStream.Length) | Set-Content -Encoding Byte -Path QRCode.png
```
**輸出:**
```
-- Pause here to scan PNG with virtual MFA program to register account. --
Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [CreateVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立新的虛擬 MFA 裝置。第 2 行和第 3 行擷取虛擬 MFA 軟體程式建立帳戶所需的 `Base32StringSeed` 值 (做為 QR 程式碼的替代方案)。使用值設定程式後,依序從程式取得兩個驗證碼。最後,使用最後一個命令將虛擬 MFA 裝置連結至 IAM 使用者 `Bob`,並使用兩個驗證碼同步帳戶。**
```
$Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice
$SR = New-Object System.IO.StreamReader($Device.Base32StringSeed)
$base32stringseed = $SR.ReadToEnd()
$base32stringseed
CZWZMCQNW4DEXAMPLE3VOUGXJFZYSUW7EXAMPLECR4NJFD65GX2SLUDW2EXAMPLE
```
**輸出:**
```
-- Pause here to enter base-32 string seed code into virtual MFA program to register account. --
Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012
```
**範例 2:此範例會建立新的虛擬 MFA 裝置。第 2 行和第 3 行會擷取 `QRCodePNG` 值,並將其寫入檔案。此映像可由虛擬 MFA 軟體程式掃描,以建立帳戶 (做為手動輸入 Base32StringSeed 值的替代方案)。在虛擬 MFA 程式中建立帳戶後,請依序取得兩個驗證碼,並在最後一個命令中輸入它們,將虛擬 MFA 裝置連結至 IAM 使用者 `Bob` 並同步帳戶。**
```
$Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice
$BR = New-Object System.IO.BinaryReader($Device.QRCodePNG)
$BR.ReadBytes($BR.BaseStream.Length) | Set-Content -Encoding Byte -Path QRCode.png
```
**輸出:**
```
-- Pause here to scan PNG with virtual MFA program to register account. --
Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [CreateVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeactivateMfaDevice` 與 CLI
下列程式碼範例示範如何使用 `DeactivateMfaDevice`。
------
#### [ CLI ]
**AWS CLI**
**若要停用 MFA 裝置**
此命令會使用與使用者 `Bob` 關聯的 ARN `arn:aws:iam::210987654321:mfa/BobsMFADevice` 停用虛擬 MFA 裝置。
```
aws iam deactivate-mfa-device \
--user-name Bob \
--serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 AWS中使用多重要素驗證 (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeactivateMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會停用與序號為 `123456789012` 的使用者 `Bob` 關聯的硬體 MFA 裝置。**
```
Disable-IAMMFADevice -UserName "Bob" -SerialNumber "123456789012"
```
**範例 2:此命令會停用與 ARN 為 `arn:aws:iam::210987654321:mfa/David` 的使用者 `David` 關聯的虛擬 MFA 裝置。請注意,虛擬 MFA 裝置不會從帳戶中刪除。虛擬裝置仍然存在,並顯示在 `Get-IAMVirtualMFADevice` 命令的輸出中。必須先使用 `Remove-IAMVirtualMFADevice` 命令刪除舊的虛擬 MFA 裝置,才能為同一使用者建立新裝置。**
```
Disable-IAMMFADevice -UserName "David" -SerialNumber "arn:aws:iam::210987654321:mfa/David"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeactivateMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會停用與序號為 `123456789012` 的使用者 `Bob` 關聯的硬體 MFA 裝置。**
```
Disable-IAMMFADevice -UserName "Bob" -SerialNumber "123456789012"
```
**範例 2:此命令會停用與 ARN 為 `arn:aws:iam::210987654321:mfa/David` 的使用者 `David` 關聯的虛擬 MFA 裝置。請注意,虛擬 MFA 裝置不會從帳戶中刪除。虛擬裝置仍然存在,並顯示在 `Get-IAMVirtualMFADevice` 命令的輸出中。必須先使用 `Remove-IAMVirtualMFADevice` 命令刪除舊的虛擬 MFA 裝置,才能為同一使用者建立新裝置。**
```
Disable-IAMMFADevice -UserName "David" -SerialNumber "arn:aws:iam::210987654321:mfa/David"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeactivateMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteAccessKey` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteAccessKey`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Delete an IAM user's access key.
///
/// The Id for the IAM access key.
/// The username of the user that owns the IAM
/// access key.
/// A Boolean value indicating the success of the action.
public async Task DeleteAccessKeyAsync(string accessKeyId, string userName)
{
var response = await _IAMService.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
{
AccessKeyId = accessKeyId,
UserName = userName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [DeleteAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteAccessKey)。
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_delete_access_key
#
# This function deletes an IAM access key for the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user.
# -k access_key -- The access key to delete.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_access_key() {
local user_name access_key response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_access_key"
echo "Deletes an AWS Identity and Access Management (IAM) access key for the specified IAM user"
echo " -u user_name The name of the user."
echo " -k access_key The access key to delete."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:k:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
k) access_key="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
if [[ -z "$access_key" ]]; then
errecho "ERROR: You must provide an access key with the -k parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Username: $user_name"
iecho " Access key: $access_key"
iecho ""
response=$(aws iam delete-access-key \
--user-name "$user_name" \
--access-key-id "$access_key")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-access-key operation failed.\n$response"
return 1
fi
iecho "delete-access-key response:$response"
iecho
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteAccessKey)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::deleteAccessKey(const Aws::String &userName,
const Aws::String &accessKeyID,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::DeleteAccessKeyRequest request;
request.SetUserName(userName);
request.SetAccessKeyId(accessKeyID);
auto outcome = iam.DeleteAccessKey(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting access key " << accessKeyID << " from user "
<< userName << ": " << outcome.GetError().GetMessage() <<
std::endl;
}
else {
std::cout << "Successfully deleted access key " << accessKeyID
<< " for IAM user " << userName << std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccessKey)。
------
#### [ CLI ]
**AWS CLI**
**刪除 IAM 使用者的存取金鑰**
下列 `delete-access-key` 命令會為名為 `Bob` 的 IAM 使用者刪除指定的存取金鑰 (存取金鑰 ID 與私密存取金鑰)。
```
aws iam delete-access-key \
--access-key-id AKIDPMS9RO4H3FEXAMPLE \
--user-name Bob
```
此命令不會產生輸出。
若要列出為 IAM 使用者定義的存取金鑰,請使用 `list-access-keys` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的存取金鑰](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteAccessKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-access-key.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// DeleteAccessKey deletes an access key from a user.
func (wrapper UserWrapper) DeleteAccessKey(ctx context.Context, userName string, keyId string) error {
_, err := wrapper.IamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
AccessKeyId: aws.String(keyId),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete access key %v. Here's why: %v\n", keyId, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [DeleteAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteAccessKey)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.DeleteAccessKeyRequest;
import software.amazon.awssdk.services.iam.model.IamException;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class DeleteAccessKey {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
username - The name of the user.\s
accessKey - The access key ID for the secret access key you want to delete.\s
""";
if (args.length != 2) {
System.out.println(usage);
System.exit(1);
}
String username = args[0];
String accessKey = args[1];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
deleteKey(iam, username, accessKey);
iam.close();
}
public static void deleteKey(IamClient iam, String username, String accessKey) {
try {
DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder()
.accessKeyId(accessKey)
.userName(username)
.build();
iam.deleteAccessKey(request);
System.out.println("Successfully deleted access key " + accessKey +
" from user " + username);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccessKey)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
刪除存取金鑰。
```
import { DeleteAccessKeyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} userName
* @param {string} accessKeyId
*/
export const deleteAccessKey = (userName, accessKeyId) => {
const command = new DeleteAccessKeyCommand({
AccessKeyId: accessKeyId,
UserName: userName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-deleting)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccessKeyCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
AccessKeyId: "ACCESS_KEY_ID",
UserName: "USER_NAME",
};
iam.deleteAccessKey(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-deleting)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteAccessKey](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteAccessKey)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteKey(
userNameVal: String,
accessKey: String,
) {
val request =
DeleteAccessKeyRequest {
accessKeyId = accessKey
userName = userNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deleteAccessKey(request)
println("Successfully deleted access key $accessKey from $userNameVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例`AKIAIOSFODNN7EXAMPLE`會從名為 的使用者中刪除具有金鑰 ID 的 AWS 存取金鑰對`Bob`。**
```
Remove-IAMAccessKey -AccessKeyId AKIAIOSFODNN7EXAMPLE -UserName Bob -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteAccessKey](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例`AKIAIOSFODNN7EXAMPLE`會從名為 的使用者中刪除具有金鑰 ID 的 AWS 存取金鑰對`Bob`。**
```
Remove-IAMAccessKey -AccessKeyId AKIAIOSFODNN7EXAMPLE -UserName Bob -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteAccessKey](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def delete_key(user_name, key_id):
"""
Deletes a user's access key.
:param user_name: The user that owns the key.
:param key_id: The ID of the key to delete.
"""
try:
key = iam.AccessKey(user_name, key_id)
key.delete()
logger.info("Deleted access key %s for %s.", key.id, key.user_name)
except ClientError:
logger.exception("Couldn't delete key %s for %s", key_id, user_name)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、停用和刪除存取金鑰。
```
# Manages access keys for IAM users
class AccessKeyManager
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'AccessKeyManager'
end
# Lists access keys for a user
#
# @param user_name [String] The name of the user.
def list_access_keys(user_name)
response = @iam_client.list_access_keys(user_name: user_name)
if response.access_key_metadata.empty?
@logger.info("No access keys found for user '#{user_name}'.")
else
response.access_key_metadata.map(&:access_key_id)
end
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Error listing access keys: cannot find user '#{user_name}'.")
[]
rescue StandardError => e
@logger.error("Error listing access keys: #{e.message}")
[]
end
# Creates an access key for a user
#
# @param user_name [String] The name of the user.
# @return [Boolean]
def create_access_key(user_name)
response = @iam_client.create_access_key(user_name: user_name)
access_key = response.access_key
@logger.info("Access key created for user '#{user_name}': #{access_key.access_key_id}")
access_key
rescue Aws::IAM::Errors::LimitExceeded
@logger.error('Error creating access key: limit exceeded. Cannot create more.')
nil
rescue StandardError => e
@logger.error("Error creating access key: #{e.message}")
nil
end
# Deactivates an access key
#
# @param user_name [String] The name of the user.
# @param access_key_id [String] The ID for the access key.
# @return [Boolean]
def deactivate_access_key(user_name, access_key_id)
@iam_client.update_access_key(
user_name: user_name,
access_key_id: access_key_id,
status: 'Inactive'
)
true
rescue StandardError => e
@logger.error("Error deactivating access key: #{e.message}")
false
end
# Deletes an access key
#
# @param user_name [String] The name of the user.
# @param access_key_id [String] The ID for the access key.
# @return [Boolean]
def delete_access_key(user_name, access_key_id)
@iam_client.delete_access_key(
user_name: user_name,
access_key_id: access_key_id
)
true
rescue StandardError => e
@logger.error("Error deleting access key: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》中的 [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccessKey)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn delete_access_key(
client: &iamClient,
user: &User,
key: &AccessKey,
) -> Result<(), iamError> {
loop {
match client
.delete_access_key()
.user_name(user.user_name())
.access_key_id(key.access_key_id())
.send()
.await
{
Ok(_) => {
break;
}
Err(e) => {
println!("Can't delete the access key: {:?}", e);
sleep(Duration::from_secs(2)).await;
}
}
}
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DeleteAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_access_key)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->deleteaccesskey(
iv_accesskeyid = iv_access_key_id
iv_username = iv_user_name ).
MESSAGE 'Access key deleted successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Access key or user does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeleteAccessKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func deleteAccessKey(user: IAMClientTypes.User? = nil,
key: IAMClientTypes.AccessKey) async throws
{
let userName: String?
if user != nil {
userName = user!.userName
} else {
userName = nil
}
let input = DeleteAccessKeyInput(
accessKeyId: key.accessKeyId,
userName: userName
)
do {
_ = try await iamClient.deleteAccessKey(input: input)
} catch {
print("ERROR: deleteAccessKey:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [DeleteAccessKey](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleteaccesskey(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteAccountAlias` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteAccountAlias`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::deleteAccountAlias(const Aws::String &accountAlias,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::DeleteAccountAliasRequest request;
request.SetAccountAlias(accountAlias);
const auto outcome = iam.DeleteAccountAlias(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting account alias " << accountAlias << ": "
<< outcome.GetError().GetMessage() << std::endl;
}
else {
std::cout << "Successfully deleted account alias " << accountAlias <<
std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [DeleteAccountAlias](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccountAlias)。
------
#### [ CLI ]
**AWS CLI**
**刪除帳戶別名**
下列 `delete-account-alias` 命令會移除目前帳戶的別名 `mycompany`。
```
aws iam delete-account-alias \
--account-alias mycompany
```
此命令不會產生輸出。
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[AWS 您的帳戶 ID 及其別名](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteAccountAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-account-alias.html)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.DeleteAccountAliasRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class DeleteAccountAlias {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
alias - The account alias to delete.\s
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String alias = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
deleteIAMAccountAlias(iam, alias);
iam.close();
}
public static void deleteIAMAccountAlias(IamClient iam, String alias) {
try {
DeleteAccountAliasRequest request = DeleteAccountAliasRequest.builder()
.accountAlias(alias)
.build();
iam.deleteAccountAlias(request);
System.out.println("Successfully deleted account alias " + alias);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
System.out.println("Done");
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [DeleteAccountAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccountAlias)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
刪除帳戶別名。
```
import { DeleteAccountAliasCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} alias
*/
export const deleteAccountAlias = (alias) => {
const command = new DeleteAccountAliasCommand({ AccountAlias: alias });
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-deleting)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteAccountAlias](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccountAliasCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.deleteAccountAlias({ AccountAlias: process.argv[2] }, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-deleting)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteAccountAlias](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteAccountAlias)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteIAMAccountAlias(alias: String) {
val request =
DeleteAccountAliasRequest {
accountAlias = alias
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deleteAccountAlias(request)
println("Successfully deleted account alias $alias")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeleteAccountAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從 中移除帳戶別名 AWS 帳戶。在 https://mycompanyaws.signin.aws.amazon.com/console,使用者無法再使用別名登入頁面。您必須改為在 https://https://.signin.aws.amazon.com/console 使用原始 URL 搭配您的 AWS 帳戶 ID 號碼。**
```
Remove-IAMAccountAlias -AccountAlias mycompanyaws
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteAccountAlias](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從 中移除帳戶別名 AWS 帳戶。在 https://mycompanyaws.signin.aws.amazon.com/console,使用者無法再使用別名登入頁面。您必須改為在 https://https://.signin.aws.amazon.com/console 使用原始 URL 搭配您的 AWS 帳戶 ID 號碼。**
```
Remove-IAMAccountAlias -AccountAlias mycompanyaws
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteAccountAlias](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def delete_alias(alias):
"""
Removes the alias from the current account.
:param alias: The alias to remove.
"""
try:
iam.meta.client.delete_account_alias(AccountAlias=alias)
logger.info("Removed alias '%s' from your account.", alias)
except ClientError:
logger.exception("Couldn't remove alias '%s' from your account.", alias)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DeleteAccountAlias](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccountAlias)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
列出、建立和刪除帳戶別名。
```
class IAMAliasManager
# Initializes the IAM client and logger
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client.
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Lists available AWS account aliases.
def list_aliases
response = @iam_client.list_account_aliases
if response.account_aliases.count.positive?
@logger.info('Account aliases are:')
response.account_aliases.each { |account_alias| @logger.info(" #{account_alias}") }
else
@logger.info('No account aliases found.')
end
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing account aliases: #{e.message}")
end
# Creates an AWS account alias.
#
# @param account_alias [String] The name of the account alias to create.
# @return [Boolean] true if the account alias was created; otherwise, false.
def create_account_alias(account_alias)
@iam_client.create_account_alias(account_alias: account_alias)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating account alias: #{e.message}")
false
end
# Deletes an AWS account alias.
#
# @param account_alias [String] The name of the account alias to delete.
# @return [Boolean] true if the account alias was deleted; otherwise, false.
def delete_account_alias(account_alias)
@iam_client.delete_account_alias(account_alias: account_alias)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting account alias: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [DeleteAccountAlias](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccountAlias)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->deleteaccountalias(
iv_accountalias = iv_account_alias ).
MESSAGE 'Account alias deleted successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Account alias does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeleteAccountAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteAccountPasswordPolicy` 與 CLI
下列程式碼範例示範如何使用 `DeleteAccountPasswordPolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要刪除目前的帳戶密碼政策**
下列 `delete-account-password-policy` 命令會移除目前帳戶的密碼政策。
```
aws iam delete-account-password-policy
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[設定 IAM 使用者的帳戶密碼政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeleteAccountPasswordPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-account-password-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除 的密碼政策, AWS 帳戶 並將所有值重設為其原始預設值。如果密碼政策目前不存在,則會出現下列錯誤訊息:找不到名為 PasswordPolicy 的帳戶政策。**
```
Remove-IAMAccountPasswordPolicy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除 的密碼政策, AWS 帳戶 並將所有值重設為其原始預設值。如果密碼政策目前不存在,則會出現下列錯誤訊息:找不到名為 PasswordPolicy 的帳戶政策。**
```
Remove-IAMAccountPasswordPolicy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteGroup` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteGroup`。
------
#### [ CLI ]
**AWS CLI**
**刪除 IAM 群組**
下列 `delete-group` 命令會刪除名為 `MyTestGroup` 的 IAM 群組。
```
aws iam delete-group \
--group-name MyTestGroup
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[刪除 IAM 使用者群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_delete.html)。
+ 如需 API 詳細資訊,請參閱**《AWS CLI 命令參考》中的 [DeleteGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { DeleteGroupCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} groupName
*/
export const deleteGroup = async (groupName) => {
const command = new DeleteGroupCommand({
GroupName: groupName,
});
const response = await client.send(command);
console.log(response);
return response;
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》**中的 [DeleteGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteGroupCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除名為 `MyTestGroup` 的 IAM 群組。第一個命令會移除所有屬於群組的 IAM 使用者,第二個命令則會刪除 IAM 群組。這兩個命令皆可在沒有任何確認提示的情況下運作。**
```
(Get-IAMGroup -GroupName MyTestGroup).Users | Remove-IAMUserFromGroup -GroupName MyTestGroup -Force
Remove-IAMGroup -GroupName MyTestGroup -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteGroup](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除名為 `MyTestGroup` 的 IAM 群組。第一個命令會移除所有屬於群組的 IAM 使用者,第二個命令則會刪除 IAM 群組。這兩個命令皆可在沒有任何確認提示的情況下運作。**
```
(Get-IAMGroup -GroupName MyTestGroup).Users | Remove-IAMUserFromGroup -GroupName MyTestGroup -Force
Remove-IAMGroup -GroupName MyTestGroup -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteGroup](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteGroupPolicy` 與 CLI
下列程式碼範例示範如何使用 `DeleteGroupPolicy`。
------
#### [ CLI ]
**AWS CLI**
**從 IAM 群組中刪除政策**
下列 `delete-group-policy` 命令會將名為 `ExamplePolicy` 的政策從名為 `Admins` 的群組中刪除。
```
aws iam delete-group-policy \
--group-name Admins \
--policy-name ExamplePolicy
```
此命令不會產生輸出。
若要查看連接至群組的政策,請使用 `list-group-policies` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從 IAM 群組 `Testers` 中移除名為 `TesterPolicy` 的內嵌政策。該群組中的使用者會立即失去此政策中定義的許可。**
```
Remove-IAMGroupPolicy -GroupName Testers -PolicyName TestPolicy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從 IAM 群組 `Testers` 中移除名為 `TesterPolicy` 的內嵌政策。該群組中的使用者會立即失去此政策中定義的許可。**
```
Remove-IAMGroupPolicy -GroupName Testers -PolicyName TestPolicy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteInstanceProfile` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteInstanceProfile`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [建置及管理彈性服務](iam_example_cross_ResilientService_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/cross-service/ResilientService/AutoScalerActions#code-examples)中設定和執行。
```
///
/// Detaches a role from an instance profile, detaches policies from the role,
/// and deletes all the resources.
///
/// The name of the profile to delete.
/// The name of the role to delete.
/// Async task.
public async Task DeleteInstanceProfile(string profileName, string roleName)
{
try
{
await _amazonIam.RemoveRoleFromInstanceProfileAsync(
new RemoveRoleFromInstanceProfileRequest()
{
InstanceProfileName = profileName,
RoleName = roleName
});
await _amazonIam.DeleteInstanceProfileAsync(
new DeleteInstanceProfileRequest() { InstanceProfileName = profileName });
var attachedPolicies = await _amazonIam.ListAttachedRolePoliciesAsync(
new ListAttachedRolePoliciesRequest() { RoleName = roleName });
foreach (var policy in attachedPolicies.AttachedPolicies)
{
await _amazonIam.DetachRolePolicyAsync(
new DetachRolePolicyRequest()
{
RoleName = roleName,
PolicyArn = policy.PolicyArn
});
// Delete the custom policies only.
if (!policy.PolicyArn.StartsWith("arn:aws:iam::aws"))
{
await _amazonIam.DeletePolicyAsync(
new Amazon.IdentityManagement.Model.DeletePolicyRequest()
{
PolicyArn = policy.PolicyArn
});
}
}
await _amazonIam.DeleteRoleAsync(
new DeleteRoleRequest() { RoleName = roleName });
}
catch (NoSuchEntityException)
{
Console.WriteLine($"Instance profile {profileName} does not exist.");
}
}
```
+ 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteInstanceProfile)。
------
#### [ CLI ]
**AWS CLI**
**刪除執行個體設定檔**
下列 `delete-instance-profile` 命令會刪除名為 `ExampleInstanceProfile` 的執行個體設定檔。
```
aws iam delete-instance-profile \
--instance-profile-name ExampleInstanceProfile
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用執行個體設定檔](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-instance-profile.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-resilient-service#code-examples)中設定和執行。
```
const client = new IAMClient({});
await client.send(
new DeleteInstanceProfileCommand({
InstanceProfileName: NAMES.instanceProfileName,
}),
);
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》**中的 [DeleteInstanceProfile](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteInstanceProfileCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除名為 `MyAppInstanceProfile` 的 EC2 執行個體設定檔。第一個命令將從執行個體設定檔分離任何角色,然後第二個命令將刪除執行個體設定檔。**
```
(Get-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile).Roles | Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyAppInstanceProfile
Remove-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除名為 `MyAppInstanceProfile` 的 EC2 執行個體設定檔。第一個命令將從執行個體設定檔分離任何角色,然後第二個命令將刪除執行個體設定檔。**
```
(Get-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile).Roles | Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyAppInstanceProfile
Remove-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
此範例會從執行個體設定檔中移除角色、分離所有附加到該角色的政策並刪除全部資源。
```
class AutoScalingWrapper:
"""
Encapsulates Amazon EC2 Auto Scaling and EC2 management actions.
"""
def __init__(
self,
resource_prefix: str,
inst_type: str,
ami_param: str,
autoscaling_client: boto3.client,
ec2_client: boto3.client,
ssm_client: boto3.client,
iam_client: boto3.client,
):
"""
Initializes the AutoScaler class with the necessary parameters.
:param resource_prefix: The prefix for naming AWS resources that are created by this class.
:param inst_type: The type of EC2 instance to create, such as t3.micro.
:param ami_param: The Systems Manager parameter used to look up the AMI that is created.
:param autoscaling_client: A Boto3 EC2 Auto Scaling client.
:param ec2_client: A Boto3 EC2 client.
:param ssm_client: A Boto3 Systems Manager client.
:param iam_client: A Boto3 IAM client.
"""
self.inst_type = inst_type
self.ami_param = ami_param
self.autoscaling_client = autoscaling_client
self.ec2_client = ec2_client
self.ssm_client = ssm_client
self.iam_client = iam_client
sts_client = boto3.client("sts")
self.account_id = sts_client.get_caller_identity()["Account"]
self.key_pair_name = f"{resource_prefix}-key-pair"
self.launch_template_name = f"{resource_prefix}-template-"
self.group_name = f"{resource_prefix}-group"
# Happy path
self.instance_policy_name = f"{resource_prefix}-pol"
self.instance_role_name = f"{resource_prefix}-role"
self.instance_profile_name = f"{resource_prefix}-prof"
# Failure mode
self.bad_creds_policy_name = f"{resource_prefix}-bc-pol"
self.bad_creds_role_name = f"{resource_prefix}-bc-role"
self.bad_creds_profile_name = f"{resource_prefix}-bc-prof"
def delete_instance_profile(self, profile_name: str, role_name: str) -> None:
"""
Detaches a role from an instance profile, detaches policies from the role,
and deletes all the resources.
:param profile_name: The name of the profile to delete.
:param role_name: The name of the role to delete.
"""
try:
self.iam_client.remove_role_from_instance_profile(
InstanceProfileName=profile_name, RoleName=role_name
)
self.iam_client.delete_instance_profile(InstanceProfileName=profile_name)
log.info("Deleted instance profile %s.", profile_name)
attached_policies = self.iam_client.list_attached_role_policies(
RoleName=role_name
)
for pol in attached_policies["AttachedPolicies"]:
self.iam_client.detach_role_policy(
RoleName=role_name, PolicyArn=pol["PolicyArn"]
)
if not pol["PolicyArn"].startswith("arn:aws:iam::aws"):
self.iam_client.delete_policy(PolicyArn=pol["PolicyArn"])
log.info("Detached and deleted policy %s.", pol["PolicyName"])
self.iam_client.delete_role(RoleName=role_name)
log.info("Deleted role %s.", role_name)
except ClientError as err:
log.error(
f"Couldn't delete instance profile {profile_name} or detach "
f"policies and delete role {role_name}: {err}"
)
if err.response["Error"]["Code"] == "NoSuchEntity":
log.info(
"Instance profile %s doesn't exist, nothing to do.", profile_name
)
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteInstanceProfile)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteLoginProfile` 與 CLI
下列程式碼範例示範如何使用 `DeleteLoginProfile`。
------
#### [ CLI ]
**AWS CLI**
**若要為 IAM 使用者刪除密碼**
下列 `delete-login-profile` 命令會刪除名為 `Bob` 之 IAM 使用者的密碼。
```
aws iam delete-login-profile \
--user-name Bob
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的密碼](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeleteLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-login-profile.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從名為 `Bob` 的 IAM 使用者中刪除登入設定檔。這可防止使用者登入 AWS 主控台。它不會阻止使用者使用可能仍連接至使用者帳戶的 AWS 存取金鑰來執行任何 AWS CLI、PowerShell 或 API 呼叫。**
```
Remove-IAMLoginProfile -UserName Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從名為 `Bob` 的 IAM 使用者中刪除登入設定檔。這可防止使用者登入 AWS 主控台。它不會阻止使用者使用可能仍連接至使用者帳戶的 AWS 存取金鑰來執行任何 AWS CLI、PowerShell 或 API 呼叫。**
```
Remove-IAMLoginProfile -UserName Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteOpenIdConnectProvider` 與 CLI
下列程式碼範例示範如何使用 `DeleteOpenIdConnectProvider`。
------
#### [ CLI ]
**AWS CLI**
**若要刪除 IAM OpenID Connect 身分提供者**
此範例會刪除連線至提供者 `example.oidcprovider.com` 的 IAM OIDC 提供者。
```
aws iam delete-open-id-connect-provider \
--open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
此命令不會產生輸出。
如需詳細資訊,請參閱 *AWS IAM User Guide* 中的 [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeleteOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-open-id-connect-provider.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除連線至提供者 `example.oidcprovider.com` 的 IAM OIDC 提供者。請確定更新或刪除在角色信任政策的 `Principal` 元素中引用此提供者的任何角色。**
```
Remove-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除連線至提供者 `example.oidcprovider.com` 的 IAM OIDC 提供者。請確定更新或刪除在角色信任政策的 `Principal` 元素中引用此提供者的任何角色。**
```
Remove-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeletePolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeletePolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Delete an IAM policy.
///
/// The Amazon Resource Name (ARN) of the policy to
/// delete.
/// A Boolean value indicating the success of the action.
public async Task DeletePolicyAsync(string policyArn)
{
var response = await _IAMService.DeletePolicyAsync(new DeletePolicyRequest { PolicyArn = policyArn });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [DeletePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeletePolicy)。
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function iecho
#
# This function enables the script to display the specified text only if
# the global variable $VERBOSE is set to true.
###############################################################################
function iecho() {
if [[ $VERBOSE == true ]]; then
echo "$@"
fi
}
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_delete_policy
#
# This function deletes an IAM policy.
#
# Parameters:
# -n policy_arn -- The name of the IAM policy arn.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_policy() {
local policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_policy"
echo "Deletes an AWS Identity and Access Management (IAM) policy"
echo " -n policy_arn -- The name of the IAM policy arn."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy arn with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Policy arn: $policy_arn"
iecho ""
response=$(aws iam delete-policy \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-policy operation failed.\n$response"
return 1
fi
iecho "delete-policy response:$response"
iecho
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::deletePolicy(const Aws::String &policyArn,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::DeletePolicyRequest request;
request.SetPolicyArn(policyArn);
auto outcome = iam.DeletePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting policy with arn " << policyArn << ": "
<< outcome.GetError().GetMessage() << std::endl;
}
else {
std::cout << "Successfully deleted policy with arn " << policyArn
<< std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeletePolicy)。
------
#### [ CLI ]
**AWS CLI**
**刪除 IAM 政策**
此範例會刪除 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的政策。
```
aws iam delete-policy \
--policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeletePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions
// used in the examples.
// It contains an IAM service client that is used to perform policy actions.
type PolicyWrapper struct {
IamClient *iam.Client
}
// DeletePolicy deletes a policy.
func (wrapper PolicyWrapper) DeletePolicy(ctx context.Context, policyArn string) error {
_, err := wrapper.IamClient.DeletePolicy(ctx, &iam.DeletePolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't delete policy %v. Here's why: %v\n", policyArn, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [DeletePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeletePolicy)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.DeletePolicyRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class DeletePolicy {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
policyARN - A policy ARN value to delete.\s
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String policyARN = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
deleteIAMPolicy(iam, policyARN);
iam.close();
}
public static void deleteIAMPolicy(IamClient iam, String policyARN) {
try {
DeletePolicyRequest request = DeletePolicyRequest.builder()
.policyArn(policyARN)
.build();
iam.deletePolicy(request);
System.out.println("Successfully deleted the policy");
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
System.out.println("Done");
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeletePolicy)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam/#code-examples)中設定和執行。
刪除政策。
```
import { DeletePolicyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} policyArn
*/
export const deletePolicy = (policyArn) => {
const command = new DeletePolicyCommand({ PolicyArn: policyArn });
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeletePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeletePolicyCommand)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteIAMPolicy(policyARNVal: String?) {
val request =
DeletePolicyRequest {
policyArn = policyARNVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deletePolicy(request)
println("Successfully deleted $policyARNVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的政策。在刪除政策之前,必須先執行 `Remove-IAMPolicyVersion` 刪除除預設版本之外的所有版本。還必須將政策與任何 IAM 使用者、群組或角色分離。**
```
Remove-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
```
**範例 2:此範例會刪除政策,方法是先刪除所有非預設政策版本,將其與所有連接的 IAM 實體分離,最後刪除政策本身。第一行擷取政策物件。第二行擷取未標記為集合預設版本的所有政策版本,然後刪除集合中的每個政策。第三行擷取連接政策的所有 IAM 使用者、群組和角色。第四行到第六行將政策與每個連接的實體分離。最後一行使用此命令移除受管政策以及剩餘的預設版本。此範例會在任何需要 `-Force` 切換參數的行中加入該參數,以抑制確認提示。**
```
$pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force
$attached = Get-IAMEntitiesForPolicy -PolicyArn $pol.Arn
$attached.PolicyGroups | Unregister-IAMGroupPolicy -PolicyArn $pol.arn
$attached.PolicyRoles | Unregister-IAMRolePolicy -PolicyArn $pol.arn
$attached.PolicyUsers | Unregister-IAMUserPolicy -PolicyArn $pol.arn
Remove-IAMPolicy $pol.Arn -Force
```
+ 如需 API 詳細資訊,請參閱《*AWS Tools for PowerShell Cmdlet 參考 (V4)*》中的 [DeletePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的政策。在刪除政策之前,必須先執行 `Remove-IAMPolicyVersion` 刪除除預設版本之外的所有版本。還必須將政策與任何 IAM 使用者、群組或角色分離。**
```
Remove-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
```
**範例 2:此範例會刪除政策,方法是先刪除所有非預設政策版本,將其與所有連接的 IAM 實體分離,最後刪除政策本身。第一行擷取政策物件。第二行擷取未標記為集合預設版本的所有政策版本,然後刪除集合中的每個政策。第三行擷取連接政策的所有 IAM 使用者、群組和角色。第四行到第六行將政策與每個連接的實體分離。最後一行使用此命令移除受管政策以及剩餘的預設版本。此範例會在任何需要 `-Force` 切換參數的行中加入該參數,以抑制確認提示。**
```
$pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force
$attached = Get-IAMEntitiesForPolicy -PolicyArn $pol.Arn
$attached.PolicyGroups | Unregister-IAMGroupPolicy -PolicyArn $pol.arn
$attached.PolicyRoles | Unregister-IAMRolePolicy -PolicyArn $pol.arn
$attached.PolicyUsers | Unregister-IAMUserPolicy -PolicyArn $pol.arn
Remove-IAMPolicy $pol.Arn -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeletePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def delete_policy(policy_arn):
"""
Deletes a policy.
:param policy_arn: The ARN of the policy to delete.
"""
try:
iam.Policy(policy_arn).delete()
logger.info("Deleted policy %s.", policy_arn)
except ClientError:
logger.exception("Couldn't delete policy %s.", policy_arn)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn delete_policy(client: &iamClient, policy: Policy) -> Result<(), iamError> {
client
.delete_policy()
.policy_arn(policy.arn.unwrap())
.send()
.await?;
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DeletePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_policy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->deletepolicy( iv_policyarn = iv_policy_arn ).
MESSAGE 'Policy deleted successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamdeleteconflictex.
MESSAGE 'Policy cannot be deleted due to attachments.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeletePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func deletePolicy(policy: IAMClientTypes.Policy) async throws {
let input = DeletePolicyInput(
policyArn: policy.arn
)
do {
_ = try await iamClient.deletePolicy(input: input)
} catch {
print("ERROR: deletePolicy:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [DeletePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deletepolicy(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeletePolicyVersion` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeletePolicyVersion`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [復原政策版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md)
------
#### [ CLI ]
**AWS CLI**
**若要刪除受管政策的版本**
此範例會從 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的政策中刪除標識為 `v2` 的版本。
```
aws iam delete-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
--version-id v2
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱 *AWS CLI Command Reference* 中的 [DeletePolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-policy-version.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的政策中刪除標識為 `v2` 的版本。**
```
Remove-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy -VersionID v2
```
**範例 2:此範例會先刪除所有非預設政策版本,然後刪除政策本身,從而刪除政策。第一行擷取政策物件。第二行擷取未標記為集合預設值的所有政策版本,然後使用此命令刪除集合中的每個政策。最後一行移除政策本身以及剩餘的預設版本。請注意,若要成功刪除受管政策,還必須使用 `Unregister-IAMUserPolicy`、`Unregister-IAMGroupPolicy` 和 `Unregister-IAMRolePolicy` 命令,將政策與任何使用者、群組或角色分離。請參閱 `Remove-IAMPolicy` cmdlet 的範例。**
```
$pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force
Remove-IAMPolicy -PolicyArn $pol.Arn -force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeletePolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的政策中刪除標識為 `v2` 的版本。**
```
Remove-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy -VersionID v2
```
**範例 2:此範例會先刪除所有非預設政策版本,然後刪除政策本身,從而刪除政策。第一行擷取政策物件。第二行擷取未標記為集合預設值的所有政策版本,然後使用此命令刪除集合中的每個政策。最後一行移除政策本身以及剩餘的預設版本。請注意,若要成功刪除受管政策,還必須使用 `Unregister-IAMUserPolicy`、`Unregister-IAMGroupPolicy` 和 `Unregister-IAMRolePolicy` 命令,將政策與任何使用者、群組或角色分離。請參閱 `Remove-IAMPolicy` cmdlet 的範例。**
```
$pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force
Remove-IAMPolicy -PolicyArn $pol.Arn -force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeletePolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->deletepolicyversion(
iv_policyarn = iv_policy_arn
iv_versionid = iv_version_id ).
MESSAGE 'Policy version deleted successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy or version does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamdeleteconflictex.
MESSAGE 'Cannot delete default policy version.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeletePolicyVersion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteRole` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteRole`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [使用 Lambda 代理整合建立 REST API](iam_example_api_gateway_GettingStarted_087_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](iam_example_cloudwatch_GettingStarted_031_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [建立您的第一個 Lambda 函數](iam_example_lambda_GettingStarted_019_section.md)
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理角色](iam_example_iam_Scenario_RoleManagement_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](iam_example_secrets_manager_GettingStarted_073_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [在 CloudWatch 儀表板中使用屬性變數來監控多個 Lambda 函數](iam_example_iam_GettingStarted_032_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Delete an IAM role.
///
/// The name of the IAM role to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRoleAsync(string roleName)
{
var response = await _IAMService.DeleteRoleAsync(new DeleteRoleRequest { RoleName = roleName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [DeleteRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRole)。
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function iecho
#
# This function enables the script to display the specified text only if
# the global variable $VERBOSE is set to true.
###############################################################################
function iecho() {
if [[ $VERBOSE == true ]]; then
echo "$@"
fi
}
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_delete_role
#
# This function deletes an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_role() {
local role_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_role"
echo "Deletes an AWS Identity and Access Management (IAM) role"
echo " -n role_name -- The name of the IAM role."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
echo "role_name:$role_name"
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Role name: $role_name"
iecho ""
response=$(aws iam delete-role \
--role-name "$role_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-role operation failed.\n$response"
return 1
fi
iecho "delete-role response:$response"
iecho
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole)。
------
#### [ CLI ]
**AWS CLI**
**刪除 IAM 角色**
下列 `delete-role` 命令會將名為 `Test-Role` 的角色移除。
```
aws iam delete-role \
--role-name Test-Role
```
此命令不會產生輸出。
刪除角色之前,您必須先從任何執行個體設定檔 (`remove-role-from-instance-profile`) 移除該角色、分離任何受管政策 (`detach-role-policy`),並刪除任何連接至該角色的內嵌政策 (`delete-role-policy`)。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)和[使用執行個體設定檔](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// DeleteRole deletes a role. All attached policies must be detached before a
// role can be deleted.
func (wrapper RoleWrapper) DeleteRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteRole(ctx, &iam.DeleteRoleInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't delete role %v. Here's why: %v\n", roleName, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [DeleteRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteRole)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
刪除角色。
```
import { DeleteRoleCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} roleName
*/
export const deleteRole = (roleName) => {
const command = new DeleteRoleCommand({ RoleName: roleName });
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRoleCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從目前的 IAM 帳戶刪除名為 `MyNewRole` 的角色。在刪除角色之前,必須先使用 `Unregister-IAMRolePolicy` 命令來分離任何受管政策。內嵌政策會與角色一起刪除。**
```
Remove-IAMRole -RoleName MyNewRole
```
**範例 2:此範例會從名為 `MyNewRole` 的角色分離任何受管政策,然後刪除該角色。第一行將連接至角色的任何受管政策擷取為集合,然後讓集合中的每個政策與角色分離。第二行刪除角色本身。內嵌政策會與角色一起刪除。**
```
Get-IAMAttachedRolePolicyList -RoleName MyNewRole | Unregister-IAMRolePolicy -RoleName MyNewRole
Remove-IAMRole -RoleName MyNewRole
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從目前的 IAM 帳戶刪除名為 `MyNewRole` 的角色。在刪除角色之前,必須先使用 `Unregister-IAMRolePolicy` 命令來分離任何受管政策。內嵌政策會與角色一起刪除。**
```
Remove-IAMRole -RoleName MyNewRole
```
**範例 2:此範例會從名為 `MyNewRole` 的角色分離任何受管政策,然後刪除該角色。第一行將連接至角色的任何受管政策擷取為集合,然後讓集合中的每個政策與角色分離。第二行刪除角色本身。內嵌政策會與角色一起刪除。**
```
Get-IAMAttachedRolePolicyList -RoleName MyNewRole | Unregister-IAMRolePolicy -RoleName MyNewRole
Remove-IAMRole -RoleName MyNewRole
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def delete_role(role_name):
"""
Deletes a role.
:param role_name: The name of the role to delete.
"""
try:
iam.Role(role_name).delete()
logger.info("Deleted role %s.", role_name)
except ClientError:
logger.exception("Couldn't delete role %s.", role_name)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DeleteRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteRole)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Deletes a role and its attached policies.
#
# @param role_name [String] The name of the role to delete.
def delete_role(role_name)
# Detach and delete attached policies
@iam_client.list_attached_role_policies(role_name: role_name).each do |response|
response.attached_policies.each do |policy|
@iam_client.detach_role_policy({
role_name: role_name,
policy_arn: policy.policy_arn
})
# Check if the policy is a customer managed policy (not AWS managed)
unless policy.policy_arn.include?('aws:policy/')
@iam_client.delete_policy({ policy_arn: policy.policy_arn })
@logger.info("Deleted customer managed policy #{policy.policy_name}.")
end
end
end
# Delete the role
@iam_client.delete_role({ role_name: role_name })
@logger.info("Deleted role #{role_name}.")
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't detach policies and delete role #{role_name}. Here's why:")
@logger.error("\t#{e.code}: #{e.message}")
raise
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [DeleteRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteRole)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn delete_role(client: &iamClient, role: &Role) -> Result<(), iamError> {
let role = role.clone();
while client
.delete_role()
.role_name(role.role_name())
.send()
.await
.is_err()
{
sleep(Duration::from_secs(2)).await;
}
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DeleteRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_role)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->deleterole( iv_rolename = iv_role_name ).
MESSAGE 'Role deleted successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Role does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamdeleteconflictex.
MESSAGE 'Role cannot be deleted due to attached resources.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeleteRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func deleteRole(role: IAMClientTypes.Role) async throws {
let input = DeleteRoleInput(
roleName: role.roleName
)
do {
_ = try await iamClient.deleteRole(input: input)
} catch {
print("ERROR: deleteRole:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [DeleteRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleterole(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteRolePermissionsBoundary` 與 CLI
下列程式碼範例示範如何使用 `DeleteRolePermissionsBoundary`。
------
#### [ CLI ]
**AWS CLI**
**若要從 IAM 角色刪除許可界限**
下列 `delete-role-permissions-boundary` 範例將刪除指定 IAM 角色的許可界限。若要將許可界限套用至角色,請使用 `put-role-permissions-boundary` 命令。
```
aws iam delete-role-permissions-boundary \
--role-name lambda-application-role
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeleteRolePermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role-permissions-boundary.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例示範如何移除連接至 IAM 角色的許可界限。**
```
Remove-IAMRolePermissionsBoundary -RoleName MyRoleName
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例示範如何移除連接至 IAM 角色的許可界限。**
```
Remove-IAMRolePermissionsBoundary -RoleName MyRoleName
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteRolePolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteRolePolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Delete an IAM role policy.
///
/// The name of the IAM role.
/// The name of the IAM role policy to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRolePolicyAsync(string roleName, string policyName)
{
var response = await _IAMService.DeleteRolePolicyAsync(new DeleteRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [DeleteRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRolePolicy)。
------
#### [ CLI ]
**AWS CLI**
**從 IAM 角色中移除政策**
下列 `delete-role-policy` 命令會將名為 `ExamplePolicy` 的政策從名為 `Test-Role` 的角色中移除。
```
aws iam delete-role-policy \
--role-name Test-Role \
--policy-name ExamplePolicy
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role-policy.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { DeleteRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} roleName
* @param {string} policyName
*/
export const deleteRolePolicy = (roleName, policyName) => {
const command = new DeleteRolePolicyCommand({
RoleName: roleName,
PolicyName: policyName,
});
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [DeleteRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRolePolicyCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除內嵌在 IAM 角色 `S3BackupRole` 中的內嵌政策 `S3AccessPolicy`。**
```
Remove-IAMRolePolicy -PolicyName S3AccessPolicy -RoleName S3BackupRole
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除內嵌在 IAM 角色 `S3BackupRole` 中的內嵌政策 `S3AccessPolicy`。**
```
Remove-IAMRolePolicy -PolicyName S3AccessPolicy -RoleName S3BackupRole
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteSAMLProvider` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteSAMLProvider`。
------
#### [ CLI ]
**AWS CLI**
**刪除 SAML 提供者**
此範例會刪除 ARN 為 `arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider` 的 IAM SAML 2.0 提供者。
```
aws iam delete-saml-provider \
--saml-provider-arn arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM SAML 身分提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteSAMLProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-saml-provider.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { DeleteSAMLProviderCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} providerArn
* @returns
*/
export const deleteSAMLProvider = async (providerArn) => {
const command = new DeleteSAMLProviderCommand({
SAMLProviderArn: providerArn,
});
const response = await client.send(command);
console.log(response);
return response;
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [DeleteSAMLProvider](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteSAMLProviderCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除 ARN 為 `arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider` 的 IAM SAML 2.0 提供者。**
```
Remove-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteSAMLProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除 ARN 為 `arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider` 的 IAM SAML 2.0 提供者。**
```
Remove-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteSAMLProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteServerCertificate` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteServerCertificate`。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::deleteServerCertificate(const Aws::String &certificateName,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::DeleteServerCertificateRequest request;
request.SetServerCertificateName(certificateName);
const auto outcome = iam.DeleteServerCertificate(request);
bool result = true;
if (!outcome.IsSuccess()) {
if (outcome.GetError().GetErrorType() != Aws::IAM::IAMErrors::NO_SUCH_ENTITY) {
std::cerr << "Error deleting server certificate " << certificateName <<
": " << outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Certificate '" << certificateName
<< "' not found." << std::endl;
}
}
else {
std::cout << "Successfully deleted server certificate " << certificateName
<< std::endl;
}
return result;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [DeleteServerCertificate](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteServerCertificate)。
------
#### [ CLI ]
**AWS CLI**
**從 AWS 您的帳戶刪除伺服器憑證**
下列`delete-server-certificate`命令會從 AWS 您的帳戶移除指定的伺服器憑證。
```
aws iam delete-server-certificate \
--server-certificate-name myUpdatedServerCertificate
```
此命令不會產生輸出。
若要列出您 AWS 帳戶中可用的伺服器憑證,請使用 `list-server-certificates`命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 IAM 中管理伺服器憑證](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteServerCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-server-certificate.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
刪除伺服器憑證。
```
import { DeleteServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} certName
*/
export const deleteServerCertificate = (certName) => {
const command = new DeleteServerCertificateCommand({
ServerCertificateName: certName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteServerCertificateCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.deleteServerCertificate(
{ ServerCertificateName: "CERTIFICATE_NAME" },
function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
}
);
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteServerCertificate](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteServerCertificate)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除名為 `MyServerCert` 的伺服器憑證。**
```
Remove-IAMServerCertificate -ServerCertificateName MyServerCert
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除名為 `MyServerCert` 的伺服器憑證。**
```
Remove-IAMServerCertificate -ServerCertificateName MyServerCert
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
列出、更新和刪除伺服器憑證。
```
class ServerCertificateManager
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'ServerCertificateManager'
end
# Creates a new server certificate.
# @param name [String] the name of the server certificate
# @param certificate_body [String] the contents of the certificate
# @param private_key [String] the private key contents
# @return [Boolean] returns true if the certificate was successfully created
def create_server_certificate(name, certificate_body, private_key)
@iam_client.upload_server_certificate({
server_certificate_name: name,
certificate_body: certificate_body,
private_key: private_key
})
true
rescue Aws::IAM::Errors::ServiceError => e
puts "Failed to create server certificate: #{e.message}"
false
end
# Lists available server certificate names.
def list_server_certificate_names
response = @iam_client.list_server_certificates
if response.server_certificate_metadata_list.empty?
@logger.info('No server certificates found.')
return
end
response.server_certificate_metadata_list.each do |certificate_metadata|
@logger.info("Certificate Name: #{certificate_metadata.server_certificate_name}")
end
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing server certificates: #{e.message}")
end
# Updates the name of a server certificate.
def update_server_certificate_name(current_name, new_name)
@iam_client.update_server_certificate(
server_certificate_name: current_name,
new_server_certificate_name: new_name
)
@logger.info("Server certificate name updated from '#{current_name}' to '#{new_name}'.")
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error updating server certificate name: #{e.message}")
false
end
# Deletes a server certificate.
def delete_server_certificate(name)
@iam_client.delete_server_certificate(server_certificate_name: name)
@logger.info("Server certificate '#{name}' deleted.")
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting server certificate: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [DeleteServerCertificate](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteServerCertificate)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteServiceLinkedRole` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteServiceLinkedRole`。
------
#### [ CLI ]
**AWS CLI**
**刪除服務連結角色**
下列 `delete-service-linked-role` 範例會刪除您不再需要的指定服務連結角色。刪除會以非同步方式發生。您可以使用 `get-service-linked-role-deletion-status` 命令,檢查刪除狀態並確認刪除的時間。
```
aws iam delete-service-linked-role \
--role-name AWSServiceRoleForLexBots
```
輸出:
```
{
"DeletionTaskId": "task/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots/1a2b3c4d-1234-abcd-7890-abcdeEXAMPLE"
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用服務連結角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteServiceLinkedRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-service-linked-role.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// DeleteServiceLinkedRole deletes a service-linked role.
func (wrapper RoleWrapper) DeleteServiceLinkedRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteServiceLinkedRole(ctx, &iam.DeleteServiceLinkedRoleInput{
RoleName: aws.String(roleName)},
)
if err != nil {
log.Printf("Couldn't delete service-linked role %v. Here's why: %v\n", roleName, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [DeleteServiceLinkedRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteServiceLinkedRole)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { DeleteServiceLinkedRoleCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} roleName
*/
export const deleteServiceLinkedRole = (roleName) => {
const command = new DeleteServiceLinkedRoleCommand({ RoleName: roleName });
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [DeleteServiceLinkedRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteServiceLinkedRoleCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例已經刪除服務連結的角色。請注意,如果服務仍在使用該角色,則此命令會導致失敗。**
```
Remove-IAMServiceLinkedRole -RoleName AWSServiceRoleForAutoScaling_RoleNameEndsWithThis
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteServiceLinkedRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例已經刪除服務連結的角色。請注意,如果服務仍在使用該角色,則此命令會導致失敗。**
```
Remove-IAMServiceLinkedRole -RoleName AWSServiceRoleForAutoScaling_RoleNameEndsWithThis
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteServiceLinkedRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Deletes a service-linked role.
#
# @param role_name [String] The name of the role to delete.
def delete_service_linked_role(role_name)
response = @iam_client.delete_service_linked_role(role_name: role_name)
task_id = response.deletion_task_id
check_deletion_status(role_name, task_id)
rescue Aws::Errors::ServiceError => e
handle_deletion_error(e, role_name)
end
private
# Checks the deletion status of a service-linked role
#
# @param role_name [String] The name of the role being deleted
# @param task_id [String] The task ID for the deletion process
def check_deletion_status(role_name, task_id)
loop do
response = @iam_client.get_service_linked_role_deletion_status(
deletion_task_id: task_id
)
status = response.status
@logger.info("Deletion of #{role_name} #{status}.")
break if %w[SUCCEEDED FAILED].include?(status)
sleep(3)
end
end
# Handles deletion error
#
# @param e [Aws::Errors::ServiceError] The error encountered during deletion
# @param role_name [String] The name of the role attempted to delete
def handle_deletion_error(e, role_name)
return if e.code == 'NoSuchEntity'
@logger.error("Couldn't delete #{role_name}. Here's why:")
@logger.error("\t#{e.code}: #{e.message}")
raise
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [DeleteServiceLinkedRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteServiceLinkedRole)。
------
#### [ Rust ]
**適用於 Rust 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn delete_service_linked_role(
client: &iamClient,
role_name: &str,
) -> Result<(), iamError> {
client
.delete_service_linked_role()
.role_name(role_name)
.send()
.await?;
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DeleteServiceLinkedRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_service_linked_role)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteSigningCertificate` 與 CLI
下列程式碼範例示範如何使用 `DeleteSigningCertificate`。
------
#### [ CLI ]
**AWS CLI**
**若要刪除 IAM 使用者的簽署憑證**
下列 `delete-signing-certificate` 命令將刪除名為 `Bob` 之 IAM 使用者的指定簽署憑證。
```
aws iam delete-signing-certificate \
--user-name Bob \
--certificate-id TA7SMP42TDN5Z26OBPJE7EXAMPLE
```
此命令不會產生輸出。
若要取得簽署憑證的 ID,請使用 `list-signing-certificates` 命令。
如需詳細資訊,請參閱《Amazon EC2 使用者指南》**中的[管理簽署憑證](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-up-ami-tools.html#ami-tools-managing-certs)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeleteSigningCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-signing-certificate.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從名為 `Bob` 的 IAM 使用者中刪除 ID 為 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的簽署憑證。**
```
Remove-IAMSigningCertificate -UserName Bob -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteSigningCertificate](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從名為 `Bob` 的 IAM 使用者中刪除 ID 為 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的簽署憑證。**
```
Remove-IAMSigningCertificate -UserName Bob -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteSigningCertificate](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteUser` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteUser`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Delete an IAM user.
///
/// The username of the IAM user to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserAsync(string userName)
{
var response = await _IAMService.DeleteUserAsync(new DeleteUserRequest { UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [DeleteUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUser)。
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function iecho
#
# This function enables the script to display the specified text only if
# the global variable $VERBOSE is set to true.
###############################################################################
function iecho() {
if [[ $VERBOSE == true ]]; then
echo "$@"
fi
}
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_delete_user
#
# This function deletes the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_user"
echo "Deletes an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user does not exist, we don't want to try to delete it.
if (! iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name does not exist in the account."
return 1
fi
response=$(aws iam delete-user \
--user-name "$user_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-user operation failed.$response"
return 1
fi
iecho "delete-user response:$response"
iecho
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUser)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::DeleteUserRequest request;
request.SetUserName(userName);
auto outcome = iam.DeleteUser(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting IAM user " << userName << ": " <<
outcome.GetError().GetMessage() << std::endl;;
}
else {
std::cout << "Successfully deleted IAM user " << userName << std::endl;
}
return outcome.IsSuccess();
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [DeleteUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUser)。
------
#### [ CLI ]
**AWS CLI**
**刪除 IAM 使用者**
下列 `delete-user` 命令會將名為 `Bob` 的 IAM 使用者從目前帳戶中移除。
```
aws iam delete-user \
--user-name Bob
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[刪除 IAM 使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-user.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// DeleteUser deletes a user.
func (wrapper UserWrapper) DeleteUser(ctx context.Context, userName string) error {
_, err := wrapper.IamClient.DeleteUser(ctx, &iam.DeleteUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete user %v. Here's why: %v\n", userName, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUser)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.DeleteUserRequest;
import software.amazon.awssdk.services.iam.model.IamException;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class DeleteUser {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
userName - The name of the user to delete.\s
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String userName = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
deleteIAMUser(iam, userName);
System.out.println("Done");
iam.close();
}
public static void deleteIAMUser(IamClient iam, String userName) {
try {
DeleteUserRequest request = DeleteUserRequest.builder()
.userName(userName)
.build();
iam.deleteUser(request);
System.out.println("Successfully deleted IAM user " + userName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [DeleteUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUser)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
刪除使用者。
```
import { DeleteUserCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} name
*/
export const deleteUser = (name) => {
const command = new DeleteUserCommand({ UserName: name });
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-deleting-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
UserName: process.argv[2],
};
iam.getUser(params, function (err, data) {
if (err && err.code === "NoSuchEntity") {
console.log("User " + process.argv[2] + " does not exist.");
} else {
iam.deleteUser(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-deleting-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DeleteUser](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteUser)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteIAMUser(userNameVal: String) {
val request =
DeleteUserRequest {
userName = userNameVal
}
// To delete a user, ensure that the user's access keys are deleted first.
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deleteUser(request)
println("Successfully deleted user $userNameVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除名為 `Bob` 的 IAM 使用者。**
```
Remove-IAMUser -UserName Bob
```
**範例 2:此範例會刪除名為 `Theresa` 的 IAM 使用者以及任何必須先刪除的元素。**
```
$name = "Theresa"
# find any groups and remove user from them
$groups = Get-IAMGroupForUser -UserName $name
foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName $name -Force }
# find any inline policies and delete them
$inlinepols = Get-IAMUserPolicies -UserName $name
foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName $name -Force}
# find any managed polices and detach them
$managedpols = Get-IAMAttachedUserPolicies -UserName $name
foreach ($pol in $managedpols) { Unregister-IAMUserPolicy -PolicyArn $pol.PolicyArn -UserName $name }
# find any signing certificates and delete them
$certs = Get-IAMSigningCertificate -UserName $name
foreach ($cert in $certs) { Remove-IAMSigningCertificate -CertificateId $cert.CertificateId -UserName $name -Force }
# find any access keys and delete them
$keys = Get-IAMAccessKey -UserName $name
foreach ($key in $keys) { Remove-IAMAccessKey -AccessKeyId $key.AccessKeyId -UserName $name -Force }
# delete the user's login profile, if one exists - note: need to use try/catch to suppress not found error
try { $prof = Get-IAMLoginProfile -UserName $name -ea 0 } catch { out-null }
if ($prof) { Remove-IAMLoginProfile -UserName $name -Force }
# find any MFA device, detach it, and if virtual, delete it.
$mfa = Get-IAMMFADevice -UserName $name
if ($mfa) {
Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name
if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber }
}
# finally, remove the user
Remove-IAMUser -UserName $name -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteUser](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除名為 `Bob` 的 IAM 使用者。**
```
Remove-IAMUser -UserName Bob
```
**範例 2:此範例會刪除名為 `Theresa` 的 IAM 使用者以及任何必須先刪除的元素。**
```
$name = "Theresa"
# find any groups and remove user from them
$groups = Get-IAMGroupForUser -UserName $name
foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName $name -Force }
# find any inline policies and delete them
$inlinepols = Get-IAMUserPolicies -UserName $name
foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName $name -Force}
# find any managed polices and detach them
$managedpols = Get-IAMAttachedUserPolicies -UserName $name
foreach ($pol in $managedpols) { Unregister-IAMUserPolicy -PolicyArn $pol.PolicyArn -UserName $name }
# find any signing certificates and delete them
$certs = Get-IAMSigningCertificate -UserName $name
foreach ($cert in $certs) { Remove-IAMSigningCertificate -CertificateId $cert.CertificateId -UserName $name -Force }
# find any access keys and delete them
$keys = Get-IAMAccessKey -UserName $name
foreach ($key in $keys) { Remove-IAMAccessKey -AccessKeyId $key.AccessKeyId -UserName $name -Force }
# delete the user's login profile, if one exists - note: need to use try/catch to suppress not found error
try { $prof = Get-IAMLoginProfile -UserName $name -ea 0 } catch { out-null }
if ($prof) { Remove-IAMLoginProfile -UserName $name -Force }
# find any MFA device, detach it, and if virtual, delete it.
$mfa = Get-IAMMFADevice -UserName $name
if ($mfa) {
Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name
if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber }
}
# finally, remove the user
Remove-IAMUser -UserName $name -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteUser](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def delete_user(user_name):
"""
Deletes a user. Before a user can be deleted, all associated resources,
such as access keys and policies, must be deleted or detached.
:param user_name: The name of the user.
"""
try:
iam.User(user_name).delete()
logger.info("Deleted user %s.", user_name)
except ClientError:
logger.exception("Couldn't delete user %s.", user_name)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DeleteUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUser)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Deletes a user and their associated resources
#
# @param user_name [String] The name of the user to delete
def delete_user(user_name)
user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata
user.each do |key|
@iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name })
@logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.")
end
@iam_client.delete_user(user_name: user_name)
@logger.info("Deleted user '#{user_name}'.")
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting user '#{user_name}': #{e.message}")
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [DeleteUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUser)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn delete_user(client: &iamClient, user: &User) -> Result<(), SdkError> {
let user = user.clone();
let mut tries: i32 = 0;
let max_tries: i32 = 10;
let response: Result<(), SdkError> = loop {
match client
.delete_user()
.user_name(user.user_name())
.send()
.await
{
Ok(_) => {
break Ok(());
}
Err(e) => {
tries += 1;
if tries > max_tries {
break Err(e);
}
sleep(Duration::from_secs(2)).await;
}
}
};
response
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DeleteUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->deleteuser( iv_username = iv_user_name ).
MESSAGE 'User deleted successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'User does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamdeleteconflictex.
MESSAGE 'User cannot be deleted due to attached resources.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeleteUser](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func deleteUser(user: IAMClientTypes.User) async throws {
let input = DeleteUserInput(
userName: user.userName
)
do {
_ = try await iamClient.deleteUser(input: input)
} catch {
print("ERROR: deleteUser:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [DeleteUser](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleteuser(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteUserPermissionsBoundary` 與 CLI
下列程式碼範例示範如何使用 `DeleteUserPermissionsBoundary`。
------
#### [ CLI ]
**AWS CLI**
**若要從 IAM 使用者刪除許可界限**
下列 `delete-user-permissions-boundary` 範例將刪除連接到名為 `intern` 之 IAM 使用者的許可界限。若要將許可界限套用至使用者,請使用 `put-user-permissions-boundary` 命令。
```
aws iam delete-user-permissions-boundary \
--user-name intern
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeleteUserPermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-user-permissions-boundary.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例示範如何移除連接到 IAM 使用者的許可界限。**
```
Remove-IAMUserPermissionsBoundary -UserName joe
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例示範如何移除連接到 IAM 使用者的許可界限。**
```
Remove-IAMUserPermissionsBoundary -UserName joe
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DeleteUserPolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteUserPolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Delete an IAM user policy.
///
/// The name of the IAM policy to delete.
/// The username of the IAM user.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserPolicyAsync(string policyName, string userName)
{
var response = await _IAMService.DeleteUserPolicyAsync(new DeleteUserPolicyRequest { PolicyName = policyName, UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [DeleteUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUserPolicy)。
------
#### [ CLI ]
**AWS CLI**
**從 IAM 使用者中移除政策**
下列 `delete-user-policy` 命令會將指定的政策從名為 `Bob` 的 IAM 使用者中移除。
```
aws iam delete-user-policy \
--user-name Bob \
--policy-name ExamplePolicy
```
此命令不會產生輸出。
若要取得 IAM 使用者的政策清單,請使用 `list-user-policies` 命令。
如需詳細資訊,請參閱《[IAM 使用者指南》中的在 AWS 帳戶中建立](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) *AWS IAM* 使用者。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-user-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// DeleteUserPolicy deletes an inline policy from a user.
func (wrapper UserWrapper) DeleteUserPolicy(ctx context.Context, userName string, policyName string) error {
_, err := wrapper.IamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete policy from user %v. Here's why: %v\n", userName, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [DeleteUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUserPolicy)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除內嵌在名為 `Bob` 之 IAM 使用者中的、名為 `AccessToEC2Policy` 的內嵌政策。**
```
Remove-IAMUserPolicy -PolicyName AccessToEC2Policy -UserName Bob
```
**範例 2:此範例會尋找內嵌在名為 `Theresa` 的 IAM 使用者中的所有內嵌政策,然後將其刪除。**
```
$inlinepols = Get-IAMUserPolicies -UserName Theresa
foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName Theresa -Force}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除內嵌在名為 `Bob` 之 IAM 使用者中的、名為 `AccessToEC2Policy` 的內嵌政策。**
```
Remove-IAMUserPolicy -PolicyName AccessToEC2Policy -UserName Bob
```
**範例 2:此範例會尋找內嵌在名為 `Theresa` 的 IAM 使用者中的所有內嵌政策,然後將其刪除。**
```
$inlinepols = Get-IAMUserPolicies -UserName Theresa
foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName Theresa -Force}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Deletes a user and their associated resources
#
# @param user_name [String] The name of the user to delete
def delete_user(user_name)
user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata
user.each do |key|
@iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name })
@logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.")
end
@iam_client.delete_user(user_name: user_name)
@logger.info("Deleted user '#{user_name}'.")
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting user '#{user_name}': #{e.message}")
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUserPolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn delete_user_policy(
client: &iamClient,
user: &User,
policy_name: &str,
) -> Result<(), SdkError> {
client
.delete_user_policy()
.user_name(user.user_name())
.policy_name(policy_name)
.send()
.await?;
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DeleteUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user_policy)。
------
#### [ Swift ]
**SDK for Swift**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
func deleteUserPolicy(user: IAMClientTypes.User, policyName: String) async throws {
let input = DeleteUserPolicyInput(
policyName: policyName,
userName: user.userName
)
do {
_ = try await iamClient.deleteUserPolicy(input: input)
} catch {
print("ERROR: deleteUserPolicy:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [DeleteUserPolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleteuserpolicy(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DeleteVirtualMfaDevice` 與 CLI
下列程式碼範例示範如何使用 `DeleteVirtualMfaDevice`。
------
#### [ CLI ]
**AWS CLI**
**若要移除虛擬 MFA 裝置**
下列 `delete-virtual-mfa-device` 命令會從目前帳戶移除指定的 MFA 裝置。
```
aws iam delete-virtual-mfa-device \
--serial-number arn:aws:iam::123456789012:mfa/MFATest
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [Deactivating MFA devices](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_disable.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DeleteVirtualMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-virtual-mfa-device.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會刪除 ARN 為 `arn:aws:iam::123456789012:mfa/bob` 的 IAM 虛擬 MFA 裝置。**
```
Remove-IAMVirtualMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/bob
```
**範例 2:此範例會檢查 IAM 使用者 Theresa 是否已獲分派 MFA 裝置。如果找到一個,系統會為 IAM 使用者停用裝置。如果裝置是虛擬裝置,亦將刪除。**
```
$mfa = Get-IAMMFADevice -UserName Theresa
if ($mfa) {
Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name
if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber }
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DeleteVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會刪除 ARN 為 `arn:aws:iam::123456789012:mfa/bob` 的 IAM 虛擬 MFA 裝置。**
```
Remove-IAMVirtualMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/bob
```
**範例 2:此範例會檢查 IAM 使用者 Theresa 是否已獲分派 MFA 裝置。如果找到一個,系統會為 IAM 使用者停用裝置。如果裝置是虛擬裝置,亦將刪除。**
```
$mfa = Get-IAMMFADevice -UserName Theresa
if ($mfa) {
Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name
if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber }
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DeleteVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `DetachGroupPolicy` 與 CLI
下列程式碼範例示範如何使用 `DetachGroupPolicy`。
------
#### [ CLI ]
**AWS CLI**
**從群組分離政策**
此範例會從名為 `Testers` 的群組中移除 ARN 為 `arn:aws:iam::123456789012:policy/TesterAccessPolicy` 的受管政策。
```
aws iam detach-group-policy \
--group-name Testers \
--policy-arn arn:aws:iam::123456789012:policy/TesterAccessPolicy
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [DetachGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-group-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/TesterAccessPolicy` 的受管群組政策與名為 `Testers` 的群組分離。**
```
Unregister-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterAccessPolicy
```
**範例 2:此範例會找出連接到名為 `Testers` 的群組的所有受管政策,並將其與群組分離。**
```
Get-IAMAttachedGroupPolicies -GroupName Testers | Unregister-IAMGroupPolicy -Groupname Testers
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DetachGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/TesterAccessPolicy` 的受管群組政策與名為 `Testers` 的群組分離。**
```
Unregister-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterAccessPolicy
```
**範例 2:此範例會找出連接到名為 `Testers` 的群組的所有受管政策,並將其與群組分離。**
```
Get-IAMAttachedGroupPolicies -GroupName Testers | Unregister-IAMGroupPolicy -Groupname Testers
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DetachGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DetachRolePolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DetachRolePolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [使用 Lambda 代理整合建立 REST API](iam_example_api_gateway_GettingStarted_087_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](iam_example_cloudwatch_GettingStarted_031_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [建立您的第一個 Lambda 函數](iam_example_lambda_GettingStarted_019_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理角色](iam_example_iam_Scenario_RoleManagement_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](iam_example_secrets_manager_GettingStarted_073_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [在 CloudWatch 儀表板中使用屬性變數來監控多個 Lambda 函數](iam_example_iam_GettingStarted_032_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Detach an IAM policy from an IAM role.
///
/// The Amazon Resource Name (ARN) of the IAM policy.
/// The name of the IAM role.
/// A Boolean value indicating the success of the action.
public async Task DetachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.DetachRolePolicyAsync(new DetachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [DetachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DetachRolePolicy)。
------
#### [ Bash ]
**AWS CLI 使用 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_detach_role_policy
#
# This function detaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_detach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_detach_role_policy"
echo "Detaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam detach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports detach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::DetachRolePolicyRequest detachRequest;
detachRequest.SetRoleName(roleName);
detachRequest.SetPolicyArn(policyArn);
auto detachOutcome = iam.DetachRolePolicy(detachRequest);
if (!detachOutcome.IsSuccess()) {
std::cerr << "Failed to detach policy " << policyArn << " from role "
<< roleName << ": " << detachOutcome.GetError().GetMessage() <<
std::endl;
}
else {
std::cout << "Successfully detached policy " << policyArn << " from role "
<< roleName << std::endl;
}
return detachOutcome.IsSuccess();
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DetachRolePolicy)。
------
#### [ CLI ]
**AWS CLI**
**將政策與角色分離**
此範例會將具有 ARN `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` 的受管政策從名為 `FedTesterRole` 的角色中移除。
```
aws iam detach-role-policy \
--role-name FedTesterRole \
--policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DetachRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-role-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// DetachRolePolicy detaches a policy from a role.
func (wrapper RoleWrapper) DetachRolePolicy(ctx context.Context, roleName string, policyArn string) error {
_, err := wrapper.IamClient.DetachRolePolicy(ctx, &iam.DetachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't detach policy from role %v. Here's why: %v\n", roleName, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [DetachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DetachRolePolicy)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class DetachRolePolicy {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
roleName - A role name that you can obtain from the AWS Management Console.\s
policyArn - A policy ARN that you can obtain from the AWS Management Console.\s
""";
if (args.length != 2) {
System.out.println(usage);
System.exit(1);
}
String roleName = args[0];
String policyArn = args[1];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
detachPolicy(iam, roleName, policyArn);
System.out.println("Done");
iam.close();
}
public static void detachPolicy(IamClient iam, String roleName, String policyArn) {
try {
DetachRolePolicyRequest request = DetachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.detachRolePolicy(request);
System.out.println("Successfully detached policy " + policyArn +
" from role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DetachRolePolicy)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
分離政策。
```
import { DetachRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} policyArn
* @param {string} roleName
*/
export const detachRolePolicy = (policyArn, roleName) => {
const command = new DetachRolePolicyCommand({
PolicyArn: policyArn,
RoleName: roleName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-detaching-role-policy)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DetachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DetachRolePolicyCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var paramsRoleList = {
RoleName: process.argv[2],
};
iam.listAttachedRolePolicies(paramsRoleList, function (err, data) {
if (err) {
console.log("Error", err);
} else {
var myRolePolicies = data.AttachedPolicies;
myRolePolicies.forEach(function (val, index, array) {
if (myRolePolicies[index].PolicyName === "AmazonDynamoDBFullAccess") {
var params = {
PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
RoleName: process.argv[2],
};
iam.detachRolePolicy(params, function (err, data) {
if (err) {
console.log("Unable to detach policy from role", err);
} else {
console.log("Policy detached from role successfully");
process.exit();
}
});
}
});
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-detaching-role-policy)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [DetachRolePolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DetachRolePolicy)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun detachPolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
DetachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.detachRolePolicy(request)
println("Successfully detached policy $policyArnVal from role $roleNameVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` 的受管群組政策與名為 `FedTesterRole` 的角色分離。**
```
Unregister-IAMRolePolicy -RoleName FedTesterRole -PolicyArn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy
```
**範例 2:此範例會找出連接到名為 `FedTesterRole` 的角色的所有受管政策,並將其與角色分離。**
```
Get-IAMAttachedRolePolicyList -RoleName FedTesterRole | Unregister-IAMRolePolicy -Rolename FedTesterRole
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DetachRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` 的受管群組政策與名為 `FedTesterRole` 的角色分離。**
```
Unregister-IAMRolePolicy -RoleName FedTesterRole -PolicyArn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy
```
**範例 2:此範例會找出連接到名為 `FedTesterRole` 的角色的所有受管政策,並將其與角色分離。**
```
Get-IAMAttachedRolePolicyList -RoleName FedTesterRole | Unregister-IAMRolePolicy -Rolename FedTesterRole
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DetachRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
使用 Boto3 Policy 物件將政策與角色分離。
```
def detach_from_role(role_name, policy_arn):
"""
Detaches a policy from a role.
:param role_name: The name of the role. **Note** this is the name, not the ARN.
:param policy_arn: The ARN of the policy.
"""
try:
iam.Policy(policy_arn).detach_role(RoleName=role_name)
logger.info("Detached policy %s from role %s.", policy_arn, role_name)
except ClientError:
logger.exception(
"Couldn't detach policy %s from role %s.", policy_arn, role_name
)
raise
```
使用 Boto3 Role 物件將政策與角色分離。
```
def detach_policy(role_name, policy_arn):
"""
Detaches a policy from a role.
:param role_name: The name of the role. **Note** this is the name, not the ARN.
:param policy_arn: The ARN of the policy.
"""
try:
iam.Role(role_name).detach_policy(PolicyArn=policy_arn)
logger.info("Detached policy %s from role %s.", policy_arn, role_name)
except ClientError:
logger.exception(
"Couldn't detach policy %s from role %s.", policy_arn, role_name
)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DetachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachRolePolicy)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、連接和分離角色政策。
```
# Manages policies in AWS Identity and Access Management (IAM)
class RolePolicyManager
# Initialize with an AWS IAM client
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'PolicyManager'
end
# Creates a policy
#
# @param policy_name [String] The name of the policy
# @param policy_document [Hash] The policy document
# @return [String] The policy ARN if successful, otherwise nil
def create_policy(policy_name, policy_document)
response = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document.to_json
)
response.policy.arn
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating policy: #{e.message}")
nil
end
# Fetches an IAM policy by its ARN
# @param policy_arn [String] the ARN of the IAM policy to retrieve
# @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found
def get_policy(policy_arn)
response = @iam_client.get_policy(policy_arn: policy_arn)
policy = response.policy
@logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.")
policy
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.")
raise
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}")
raise
end
# Attaches a policy to a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def attach_policy_to_role(role_name, policy_arn)
@iam_client.attach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error attaching policy to role: #{e.message}")
false
end
# Lists policy ARNs attached to a role
#
# @param role_name [String] The name of the role
# @return [Array] List of policy ARNs
def list_attached_policy_arns(role_name)
response = @iam_client.list_attached_role_policies(role_name: role_name)
response.attached_policies.map(&:policy_arn)
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing policies attached to role: #{e.message}")
[]
end
# Detaches a policy from a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def detach_policy_from_role(role_name, policy_arn)
@iam_client.detach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error detaching policy from role: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》中的 [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachRolePolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn detach_role_policy(
client: &iamClient,
role_name: &str,
policy_arn: &str,
) -> Result<(), iamError> {
client
.detach_role_policy()
.role_name(role_name)
.policy_arn(policy_arn)
.send()
.await?;
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DetachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_role_policy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->detachrolepolicy(
iv_rolename = iv_role_name
iv_policyarn = iv_policy_arn ).
MESSAGE 'Policy detached from role successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Role or policy does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DetachRolePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func detachRolePolicy(policy: IAMClientTypes.Policy, role: IAMClientTypes.Role) async throws {
let input = DetachRolePolicyInput(
policyArn: policy.arn,
roleName: role.roleName
)
do {
_ = try await iamClient.detachRolePolicy(input: input)
} catch {
print("ERROR: detachRolePolicy:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱*《AWS SDK for Rust API 參考》*中的 [DetachRolePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/detachrolepolicy(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `DetachUserPolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DetachUserPolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
------
#### [ CLI ]
**AWS CLI**
**將政策與使用者分離**
此範例會將具有 ARN `arn:aws:iam::123456789012:policy/TesterPolicy` 的受管政策從使用者 `Bob` 中移除。
```
aws iam detach-user-policy \
--user-name Bob \
--policy-arn arn:aws:iam::123456789012:policy/TesterPolicy
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[變更 IAM 使用者的許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DetachUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/TesterPolicy` 的受管政策與名為 `Bob` 的 IAM 使用者分離。**
```
Unregister-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy
```
**範例 2:此範例會找出連接到名為 `Theresa` 的 IAM 使用者的所有受管政策,並將這些政策與使用者分離。**
```
Get-IAMAttachedUserPolicyList -UserName Theresa | Unregister-IAMUserPolicy -Username Theresa
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DetachUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/TesterPolicy` 的受管政策與名為 `Bob` 的 IAM 使用者分離。**
```
Unregister-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy
```
**範例 2:此範例會找出連接到名為 `Theresa` 的 IAM 使用者的所有受管政策,並將這些政策與使用者分離。**
```
Get-IAMAttachedUserPolicyList -UserName Theresa | Unregister-IAMUserPolicy -Username Theresa
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DetachUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def detach_policy(user_name, policy_arn):
"""
Detaches a policy from a user.
:param user_name: The name of the user.
:param policy_arn: The Amazon Resource Name (ARN) of the policy.
"""
try:
iam.User(user_name).detach_policy(PolicyArn=policy_arn)
logger.info("Detached policy %s from user %s.", policy_arn, user_name)
except ClientError:
logger.exception(
"Couldn't detach policy %s from user %s.", policy_arn, user_name
)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [DetachUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachUserPolicy)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Detaches a policy from a user
#
# @param user_name [String] The name of the user
# @param policy_arn [String] The ARN of the policy to detach
# @return [Boolean] true if the policy was successfully detached, false otherwise
def detach_user_policy(user_name, policy_arn)
@iam_client.detach_user_policy(
user_name: user_name,
policy_arn: policy_arn
)
@logger.info("Policy '#{policy_arn}' detached from user '#{user_name}' successfully.")
true
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error('Error detaching policy: Policy or user does not exist.')
false
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error detaching policy from user '#{user_name}': #{e.message}")
false
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [DetachUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachUserPolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn detach_user_policy(
client: &iamClient,
user_name: &str,
policy_arn: &str,
) -> Result<(), iamError> {
client
.detach_user_policy()
.user_name(user_name)
.policy_arn(policy_arn)
.send()
.await?;
Ok(())
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [DetachUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_user_policy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->detachuserpolicy(
iv_username = iv_user_name
iv_policyarn = iv_policy_arn ).
MESSAGE 'Policy detached from user successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'User or policy does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DetachUserPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `EnableMfaDevice` 與 CLI
下列程式碼範例示範如何使用 `EnableMfaDevice`。
------
#### [ CLI ]
**AWS CLI**
**若要啟用 MFA 裝置**
使用 `create-virtual-mfa-device` 命令建立新的虛擬 MFA 裝置後,可以將 MFA 裝置指派給使用者。下列 `enable-mfa-device` 範例會將序號為 `arn:aws:iam::210987654321:mfa/BobsMFADevice` 的 MFA 裝置指派給使用者 `Bob`。命令也會依序包含來自虛擬 MFA 裝置的前兩個代碼, AWS 以將裝置與 同步。
```
aws iam enable-mfa-device \
--user-name Bob \
--serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
--authentication-code1 123456 \
--authentication-code2 789012
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[啟用虛擬多重要素驗證 (MFA) 裝置](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [EnableMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/enable-mfa-device.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會啟用序號為 `987654321098` 的硬體 MFA 裝置,並將裝置與使用者 `Bob` 關聯起來。它包含裝置中依序排列的前兩個代碼。**
```
Enable-IAMMFADevice -UserName "Bob" -SerialNumber "987654321098" -AuthenticationCode1 "12345678" -AuthenticationCode2 "87654321"
```
**範例 2:此範例會建立並啟用虛擬 MFA 裝置。第一個命令會建立虛擬裝置,並在變數 `$MFADevice` 中傳回裝置的物件表示。可以使用 `.Base32StringSeed` 或 `QRCodePng` 屬性來設定使用者的軟體應用程式。最後一個命令會將裝置指派給使用者 `David`,依裝置序號標識裝置。命令也會依序包含來自虛擬 MFA 裝置的前兩個代碼, AWS 以將裝置與 同步。**
```
$MFADevice = New-IAMVirtualMFADevice -VirtualMFADeviceName "MyMFADevice"
# see example for New-IAMVirtualMFADevice to see how to configure the software program with PNG or base32 seed code
Enable-IAMMFADevice -UserName "David" -SerialNumber -SerialNumber $MFADevice.SerialNumber -AuthenticationCode1 "24681357" -AuthenticationCode2 "13572468"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [EnableMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會啟用序號為 `987654321098` 的硬體 MFA 裝置,並將裝置與使用者 `Bob` 關聯起來。它包含裝置中依序排列的前兩個代碼。**
```
Enable-IAMMFADevice -UserName "Bob" -SerialNumber "987654321098" -AuthenticationCode1 "12345678" -AuthenticationCode2 "87654321"
```
**範例 2:此範例會建立並啟用虛擬 MFA 裝置。第一個命令會建立虛擬裝置,並在變數 `$MFADevice` 中傳回裝置的物件表示。可以使用 `.Base32StringSeed` 或 `QRCodePng` 屬性來設定使用者的軟體應用程式。最後一個命令會將裝置指派給使用者 `David`,依裝置序號標識裝置。命令也會依序包含來自虛擬 MFA 裝置的前兩個代碼, AWS 以將裝置與 同步。**
```
$MFADevice = New-IAMVirtualMFADevice -VirtualMFADeviceName "MyMFADevice"
# see example for New-IAMVirtualMFADevice to see how to configure the software program with PNG or base32 seed code
Enable-IAMMFADevice -UserName "David" -SerialNumber -SerialNumber $MFADevice.SerialNumber -AuthenticationCode1 "24681357" -AuthenticationCode2 "13572468"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [EnableMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GenerateCredentialReport` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GenerateCredentialReport`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
------
#### [ CLI ]
**AWS CLI**
**產生憑證報告**
下列範例會嘗試產生 AWS 帳戶的登入資料報告。
```
aws iam generate-credential-report
```
輸出:
```
{
"State": "STARTED",
"Description": "No report exists. Starting a new report generation task"
}
```
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[取得 AWS 帳戶的登入資料報告](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GenerateCredentialReport](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/generate-credential-report.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會請求產生新的報告,這可以每四小時執行一次。如果最後一個報告仍然是最新的,「狀態」欄位會顯示:`COMPLETE`。`Get-IAMCredentialReport` 可用於檢視已完成的報告。**
```
Request-IAMCredentialReport
```
**輸出:**
```
Description State
----------- -----
No report exists. Starting a new report generation task STARTED
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GenerateCredentialReport](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會請求產生新的報告,這可以每四小時執行一次。如果最後一個報告仍然是最新的,「狀態」欄位會顯示:`COMPLETE`。`Get-IAMCredentialReport` 可用於檢視已完成的報告。**
```
Request-IAMCredentialReport
```
**輸出:**
```
Description State
----------- -----
No report exists. Starting a new report generation task STARTED
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GenerateCredentialReport](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def generate_credential_report():
"""
Starts generation of a credentials report about the current account. After
calling this function to generate the report, call get_credential_report
to get the latest report. A new report can be generated a minimum of four hours
after the last one was generated.
"""
try:
response = iam.meta.client.generate_credential_report()
logger.info(
"Generating credentials report for your account. " "Current state is %s.",
response["State"],
)
except ClientError:
logger.exception("Couldn't generate a credentials report for your account.")
raise
else:
return response
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GenerateCredentialReport](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GenerateCredentialReport)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->generatecredentialreport( ).
MESSAGE 'Credential report generation started.' TYPE 'I'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Report generation limit exceeded.' TYPE 'E'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when generating credential report.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GenerateCredentialReport](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GenerateServiceLastAccessedDetails` 與 CLI
下列程式碼範例示範如何使用 `GenerateServiceLastAccessedDetails`。
------
#### [ CLI ]
**AWS CLI**
**範例 1:產生自訂政策的服務存取報告**
下列 `generate-service-last-accessed-details` 範例會啟動背景任務以產生報告,列出 IAM 使用者以及採用名為 `intern-boundary` 之自訂政策的其他實體存取的服務。您可以執行 `get-service-last-accessed-details` 命令,讓報告在建立後顯示出來。
```
aws iam generate-service-last-accessed-details \
--arn arn:aws:iam::123456789012:policy/intern-boundary
```
輸出:
```
{
"JobId": "2eb6c2b8-7b4c-3xmp-3c13-03b72c8cdfdc"
}
```
**範例 2:產生 AWS 受管 AdministratorAccess 政策的服務存取報告**
下列`generate-service-last-accessed-details`範例會啟動背景任務,以產生報告,列出 IAM 使用者和其他實體使用 AWS 受管`AdministratorAccess`政策存取的服務。您可以執行 `get-service-last-accessed-details` 命令,讓報告在建立後顯示出來。
```
aws iam generate-service-last-accessed-details \
--arn arn:aws:iam::aws:policy/AdministratorAccess
```
輸出:
```
{
"JobId": "78b6c2ba-d09e-6xmp-7039-ecde30b26916"
}
```
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[AWS 使用上次存取資訊在 中精簡許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*i中的 [GenerateServiceLastAccessedDetails](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/generate-service-last-accessed-details.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例等同於 GenerateServiceLastAccessedDetails API 的 cmdlet。這提供了任務 ID,可用於 Get-IAMServiceLastAccessedDetail 和 Get-IAMServiceLastAccessedDetailWithEntity**
```
Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GenerateServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例等同於 GenerateServiceLastAccessedDetails API 的 cmdlet。這提供了任務 ID,可用於 Get-IAMServiceLastAccessedDetail 和 Get-IAMServiceLastAccessedDetailWithEntity**
```
Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GenerateServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetAccessKeyLastUsed` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetAccessKeyLastUsed`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::accessKeyLastUsed(const Aws::String &secretKeyID,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::GetAccessKeyLastUsedRequest request;
request.SetAccessKeyId(secretKeyID);
Aws::IAM::Model::GetAccessKeyLastUsedOutcome outcome = iam.GetAccessKeyLastUsed(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error querying last used time for access key " <<
secretKeyID << ":" << outcome.GetError().GetMessage() << std::endl;
}
else {
Aws::String lastUsedTimeString =
outcome.GetResult()
.GetAccessKeyLastUsed()
.GetLastUsedDate()
.ToGmtString(Aws::Utils::DateFormat::ISO_8601);
std::cout << "Access key " << secretKeyID << " last used at time " <<
lastUsedTimeString << std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/GetAccessKeyLastUsed)。
------
#### [ CLI ]
**AWS CLI**
**擷取最後一次使用指定存取金鑰之時機的相關資訊**
下列範例會擷取最後一次使用存取金鑰 `ABCDEXAMPLE` 之時機的相關資訊。
```
aws iam get-access-key-last-used \
--access-key-id ABCDEXAMPLE
```
輸出:
```
{
"UserName": "Bob",
"AccessKeyLastUsed": {
"Region": "us-east-1",
"ServiceName": "iam",
"LastUsedDate": "2015-06-16T22:45:00Z"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的存取金鑰](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetAccessKeyLastUsed](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-access-key-last-used.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
獲取存取金鑰。
```
import { GetAccessKeyLastUsedCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} accessKeyId
*/
export const getAccessKeyLastUsed = async (accessKeyId) => {
const command = new GetAccessKeyLastUsedCommand({
AccessKeyId: accessKeyId,
});
const response = await client.send(command);
if (response.AccessKeyLastUsed?.LastUsedDate) {
console.log(`
${accessKeyId} was last used by ${response.UserName} via
the ${response.AccessKeyLastUsed.ServiceName} service on
${response.AccessKeyLastUsed.LastUsedDate.toISOString()}
`);
}
return response;
};
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetAccessKeyLastUsedCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.getAccessKeyLastUsed(
{ AccessKeyId: "ACCESS_KEY_ID" },
function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data.AccessKeyLastUsed);
}
}
);
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-last-used](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-last-used)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/GetAccessKeyLastUsed)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:傳回所提供存取金鑰的擁有使用者名稱和上次使用資訊。**
```
Get-IAMAccessKeyLastUsed -AccessKeyId ABCDEXAMPLE
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:傳回所提供存取金鑰的擁有使用者名稱和上次使用資訊。**
```
Get-IAMAccessKeyLastUsed -AccessKeyId ABCDEXAMPLE
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def get_last_use(key_id):
"""
Gets information about when and how a key was last used.
:param key_id: The ID of the key to look up.
:return: Information about the key's last use.
"""
try:
response = iam.meta.client.get_access_key_last_used(AccessKeyId=key_id)
last_used_date = response["AccessKeyLastUsed"].get("LastUsedDate", None)
last_service = response["AccessKeyLastUsed"].get("ServiceName", None)
logger.info(
"Key %s was last used by %s on %s to access %s.",
key_id,
response["UserName"],
last_used_date,
last_service,
)
except ClientError:
logger.exception("Couldn't get last use of key %s.", key_id)
raise
else:
return response
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccessKeyLastUsed)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getaccesskeylastused(
iv_accesskeyid = iv_access_key_id ).
MESSAGE 'Retrieved access key last used information.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Access key does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetAccessKeyLastUsed](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetAccountAuthorizationDetails` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetAccountAuthorizationDetails`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
------
#### [ CLI ]
**AWS CLI**
**列出 AWS 帳戶的 IAM 使用者、群組、角色和政策**
下列`get-account-authorization-details`命令會傳回 AWS 帳戶中所有 IAM 使用者、群組、角色和政策的相關資訊。
```
aws iam get-account-authorization-details
```
輸出:
```
{
"RoleDetailList": [
{
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"RoleId": "AROA1234567890EXAMPLE",
"CreateDate": "2014-07-30T17:09:20Z",
"InstanceProfileList": [
{
"InstanceProfileId": "AIPA1234567890EXAMPLE",
"Roles": [
{
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"RoleId": "AROA1234567890EXAMPLE",
"CreateDate": "2014-07-30T17:09:20Z",
"RoleName": "EC2role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/EC2role"
}
],
"CreateDate": "2014-07-30T17:09:20Z",
"InstanceProfileName": "EC2role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:instance-profile/EC2role"
}
],
"RoleName": "EC2role",
"Path": "/",
"AttachedManagedPolicies": [
{
"PolicyName": "AmazonS3FullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
},
{
"PolicyName": "AmazonDynamoDBFullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
}
],
"RoleLastUsed": {
"Region": "us-west-2",
"LastUsedDate": "2019-11-13T17:30:00Z"
},
"RolePolicyList": [],
"Arn": "arn:aws:iam::123456789012:role/EC2role"
}
],
"GroupDetailList": [
{
"GroupId": "AIDA1234567890EXAMPLE",
"AttachedManagedPolicies": {
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
},
"GroupName": "Admins",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:group/Admins",
"CreateDate": "2013-10-14T18:32:24Z",
"GroupPolicyList": []
},
{
"GroupId": "AIDA1234567890EXAMPLE",
"AttachedManagedPolicies": {
"PolicyName": "PowerUserAccess",
"PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"
},
"GroupName": "Dev",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:group/Dev",
"CreateDate": "2013-10-14T18:33:55Z",
"GroupPolicyList": []
},
{
"GroupId": "AIDA1234567890EXAMPLE",
"AttachedManagedPolicies": [],
"GroupName": "Finance",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:group/Finance",
"CreateDate": "2013-10-14T18:57:48Z",
"GroupPolicyList": [
{
"PolicyName": "policygen-201310141157",
"PolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Action": "aws-portal:*",
"Sid": "Stmt1381777017000",
"Resource": "*",
"Effect": "Allow"
}
]
}
}
]
}
],
"UserDetailList": [
{
"UserName": "Alice",
"GroupList": [
"Admins"
],
"CreateDate": "2013-10-14T18:32:24Z",
"UserId": "AIDA1234567890EXAMPLE",
"UserPolicyList": [],
"Path": "/",
"AttachedManagedPolicies": [],
"Arn": "arn:aws:iam::123456789012:user/Alice"
},
{
"UserName": "Bob",
"GroupList": [
"Admins"
],
"CreateDate": "2013-10-14T18:32:25Z",
"UserId": "AIDA1234567890EXAMPLE",
"UserPolicyList": [
{
"PolicyName": "DenyBillingAndIAMPolicy",
"PolicyDocument": {
"Version":"2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": [
"aws-portal:*",
"iam:*"
],
"Resource": "*"
}
}
}
],
"Path": "/",
"AttachedManagedPolicies": [],
"Arn": "arn:aws:iam::123456789012:user/Bob"
},
{
"UserName": "Charlie",
"GroupList": [
"Dev"
],
"CreateDate": "2013-10-14T18:33:56Z",
"UserId": "AIDA1234567890EXAMPLE",
"UserPolicyList": [],
"Path": "/",
"AttachedManagedPolicies": [],
"Arn": "arn:aws:iam::123456789012:user/Charlie"
}
],
"Policies": [
{
"PolicyName": "create-update-delete-set-managed-policies",
"CreateDate": "2015-02-06T19:58:34Z",
"AttachmentCount": 1,
"IsAttachable": true,
"PolicyId": "ANPA1234567890EXAMPLE",
"DefaultVersionId": "v1",
"PolicyVersionList": [
{
"CreateDate": "2015-02-06T19:58:34Z",
"VersionId": "v1",
"Document": {
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:SetDefaultPolicyVersion"
],
"Resource": "*"
}
},
"IsDefaultVersion": true
}
],
"Path": "/",
"Arn": "arn:aws:iam::123456789012:policy/create-update-delete-set-managed-policies",
"UpdateDate": "2015-02-06T19:58:34Z"
},
{
"PolicyName": "S3-read-only-specific-bucket",
"CreateDate": "2015-01-21T21:39:41Z",
"AttachmentCount": 1,
"IsAttachable": true,
"PolicyId": "ANPA1234567890EXAMPLE",
"DefaultVersionId": "v1",
"PolicyVersionList": [
{
"CreateDate": "2015-01-21T21:39:41Z",
"VersionId": "v1",
"Document": {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
},
"IsDefaultVersion": true
}
],
"Path": "/",
"Arn": "arn:aws:iam::123456789012:policy/S3-read-only-specific-bucket",
"UpdateDate": "2015-01-21T23:39:41Z"
},
{
"PolicyName": "AmazonEC2FullAccess",
"CreateDate": "2015-02-06T18:40:15Z",
"AttachmentCount": 1,
"IsAttachable": true,
"PolicyId": "ANPA1234567890EXAMPLE",
"DefaultVersionId": "v1",
"PolicyVersionList": [
{
"CreateDate": "2014-10-30T20:59:46Z",
"VersionId": "v1",
"Document": {
"Version":"2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
}
]
},
"IsDefaultVersion": true
}
],
"Path": "/",
"Arn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"UpdateDate": "2015-02-06T18:40:15Z"
}
],
"Marker": "EXAMPLEkakv9BCuUNFDtxWSyfzetYwEx2ADc8dnzfvERF5S6YMvXKx41t6gCl/eeaCX3Jo94/bKqezEAg8TEVS99EKFLxm3jtbpl25FDWEXAMPLE",
"IsTruncated": true
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [AWS 安全性稽核指南](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-audit-guide.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetAccountAuthorizationDetails](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-account-authorization-details.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會取得 AWS 帳戶中身分的授權詳細資訊,並顯示傳回物件的元素清單,包括使用者、群組和角色。例如,`UserDetailList` 屬性會顯示使用者的詳細資訊。`RoleDetailList` 和 `GroupDetailList` 屬性提供類似的資訊。**
```
$Details=Get-IAMAccountAuthorizationDetail
$Details
```
**輸出:**
```
GroupDetailList : {Administrators, Developers, Testers, Backup}
IsTruncated : False
Marker :
RoleDetailList : {TestRole1, AdminRole, TesterRole, clirole...}
UserDetailList : {Administrator, Bob, BackupToS3, }
```
```
$Details.UserDetailList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Administrator
CreateDate : 10/16/2014 9:03:09 AM
GroupList : {Administrators}
Path : /
UserId : AIDACKCEVSQ6CEXAMPLE1
UserName : Administrator
UserPolicyList : {}
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 4/6/2015 12:54:42 PM
GroupList : {Developers}
Path : /
UserId : AIDACKCEVSQ6CEXAMPLE2
UserName : bab
UserPolicyList : {}
Arn : arn:aws:iam::123456789012:user/BackupToS3
CreateDate : 1/27/2015 10:15:08 AM
GroupList : {Backup}
Path : /
UserId : AIDACKCEVSQ6CEXAMPLE3
UserName : BackupToS3
UserPolicyList : {BackupServicePermissionsToS3Buckets}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetAccountAuthorizationDetails](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會取得 AWS 帳戶中身分的授權詳細資訊,並顯示傳回物件的元素清單,包括使用者、群組和角色。例如,`UserDetailList` 屬性會顯示使用者的詳細資訊。`RoleDetailList` 和 `GroupDetailList` 屬性提供類似的資訊。**
```
$Details=Get-IAMAccountAuthorizationDetail
$Details
```
**輸出:**
```
GroupDetailList : {Administrators, Developers, Testers, Backup}
IsTruncated : False
Marker :
RoleDetailList : {TestRole1, AdminRole, TesterRole, clirole...}
UserDetailList : {Administrator, Bob, BackupToS3, }
```
```
$Details.UserDetailList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Administrator
CreateDate : 10/16/2014 9:03:09 AM
GroupList : {Administrators}
Path : /
UserId : AIDACKCEVSQ6CEXAMPLE1
UserName : Administrator
UserPolicyList : {}
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 4/6/2015 12:54:42 PM
GroupList : {Developers}
Path : /
UserId : AIDACKCEVSQ6CEXAMPLE2
UserName : bab
UserPolicyList : {}
Arn : arn:aws:iam::123456789012:user/BackupToS3
CreateDate : 1/27/2015 10:15:08 AM
GroupList : {Backup}
Path : /
UserId : AIDACKCEVSQ6CEXAMPLE3
UserName : BackupToS3
UserPolicyList : {BackupServicePermissionsToS3Buckets}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetAccountAuthorizationDetails](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def get_authorization_details(response_filter):
"""
Gets an authorization detail report for the current account.
:param response_filter: A list of resource types to include in the report, such
as users or roles. When not specified, all resources
are included.
:return: The authorization detail report.
"""
try:
account_details = iam.meta.client.get_account_authorization_details(
Filter=response_filter
)
logger.debug(account_details)
except ClientError:
logger.exception("Couldn't get details for your account.")
raise
else:
return account_details
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetAccountAuthorizationDetails](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountAuthorizationDetails)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getaccountauthdetails( ).
MESSAGE 'Retrieved account authorization details.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when getting account authorization details.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetAccountAuthorizationDetails](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetAccountPasswordPolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetAccountPasswordPolicy`。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Gets the IAM password policy for an AWS account.
///
/// The PasswordPolicy for the AWS account.
public async Task GetAccountPasswordPolicyAsync()
{
var response = await _IAMService.GetAccountPasswordPolicyAsync(new GetAccountPasswordPolicyRequest());
return response.PasswordPolicy;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetAccountPasswordPolicy)。
------
#### [ CLI ]
**AWS CLI**
**查看目前的帳戶密碼政策**
下列 `get-account-password-policy` 命令會顯示有關目前帳戶密碼政策的詳細資訊。
```
aws iam get-account-password-policy
```
輸出:
```
{
"PasswordPolicy": {
"AllowUsersToChangePassword": false,
"RequireLowercaseCharacters": false,
"RequireUppercaseCharacters": false,
"MinimumPasswordLength": 8,
"RequireNumbers": true,
"RequireSymbols": true
}
}
```
如果沒有為帳戶定義密碼政策,則該命令會傳回 `NoSuchEntity` 錯誤。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[設定 IAM 使用者的帳戶密碼政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetAccountPasswordPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-account-password-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"log"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions
// used in the examples.
// It contains an IAM service client that is used to perform account actions.
type AccountWrapper struct {
IamClient *iam.Client
}
// GetAccountPasswordPolicy gets the account password policy for the current account.
// If no policy has been set, a NoSuchEntityException is error is returned.
func (wrapper AccountWrapper) GetAccountPasswordPolicy(ctx context.Context) (*types.PasswordPolicy, error) {
var pwPolicy *types.PasswordPolicy
result, err := wrapper.IamClient.GetAccountPasswordPolicy(ctx,
&iam.GetAccountPasswordPolicyInput{})
if err != nil {
log.Printf("Couldn't get account password policy. Here's why: %v\n", err)
} else {
pwPolicy = result.PasswordPolicy
}
return pwPolicy, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [GetAccountPasswordPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetAccountPasswordPolicy)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
取得帳戶密碼政策。
```
import {
GetAccountPasswordPolicyCommand,
IAMClient,
} from "@aws-sdk/client-iam";
const client = new IAMClient({});
export const getAccountPasswordPolicy = async () => {
const command = new GetAccountPasswordPolicyCommand({});
const response = await client.send(command);
console.log(response.PasswordPolicy);
return response;
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetAccountPasswordPolicyCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function getAccountPasswordPolicy()
{
return $this->iamClient->getAccountPasswordPolicy();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/GetAccountPasswordPolicy)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回目前帳戶之密碼政策的詳細資訊。如果沒有為帳戶定義密碼政策,命令會傳回 `NoSuchEntity` 錯誤。**
```
Get-IAMAccountPasswordPolicy
```
**輸出:**
```
AllowUsersToChangePassword : True
ExpirePasswords : True
HardExpiry : False
MaxPasswordAge : 90
MinimumPasswordLength : 8
PasswordReusePrevention : 20
RequireLowercaseCharacters : True
RequireNumbers : True
RequireSymbols : False
RequireUppercaseCharacters : True
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回目前帳戶之密碼政策的詳細資訊。如果沒有為帳戶定義密碼政策,命令會傳回 `NoSuchEntity` 錯誤。**
```
Get-IAMAccountPasswordPolicy
```
**輸出:**
```
AllowUsersToChangePassword : True
ExpirePasswords : True
HardExpiry : False
MaxPasswordAge : 90
MinimumPasswordLength : 8
PasswordReusePrevention : 20
RequireLowercaseCharacters : True
RequireNumbers : True
RequireSymbols : False
RequireUppercaseCharacters : True
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def print_password_policy():
"""
Prints the password policy for the account.
"""
try:
pw_policy = iam.AccountPasswordPolicy()
print("Current account password policy:")
print(
f"\tallow_users_to_change_password: {pw_policy.allow_users_to_change_password}"
)
print(f"\texpire_passwords: {pw_policy.expire_passwords}")
print(f"\thard_expiry: {pw_policy.hard_expiry}")
print(f"\tmax_password_age: {pw_policy.max_password_age}")
print(f"\tminimum_password_length: {pw_policy.minimum_password_length}")
print(f"\tpassword_reuse_prevention: {pw_policy.password_reuse_prevention}")
print(
f"\trequire_lowercase_characters: {pw_policy.require_lowercase_characters}"
)
print(f"\trequire_numbers: {pw_policy.require_numbers}")
print(f"\trequire_symbols: {pw_policy.require_symbols}")
print(
f"\trequire_uppercase_characters: {pw_policy.require_uppercase_characters}"
)
printed = True
except ClientError as error:
if error.response["Error"]["Code"] == "NoSuchEntity":
print("The account does not have a password policy set.")
else:
logger.exception("Couldn't get account password policy.")
raise
else:
return printed
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountPasswordPolicy)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Class to manage IAM account password policies
class PasswordPolicyManager
attr_accessor :iam_client, :logger
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'IAMPolicyManager'
end
# Retrieves and logs the account password policy
def print_account_password_policy
response = @iam_client.get_account_password_policy
@logger.info("The account password policy is: #{response.password_policy.to_h}")
rescue Aws::IAM::Errors::NoSuchEntity
@logger.info('The account does not have a password policy.')
rescue Aws::Errors::ServiceError => e
@logger.error("Couldn't print the account password policy. Error: #{e.code} - #{e.message}")
raise
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetAccountPasswordPolicy)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn get_account_password_policy(
client: &iamClient,
) -> Result> {
let response = client.get_account_password_policy().send().await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [GetAccountPasswordPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.get_account_password_policy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getaccountpasswordpolicy( ).
MESSAGE 'Retrieved account password policy.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'No password policy exists.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when getting password policy.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetAccountPasswordPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetAccountSummary` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetAccountSummary`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
------
#### [ CLI ]
**AWS CLI**
**取得有關目前帳戶中 IAM 實體用量和 IAM 配額的資訊**
下列 `get-account-summary` 命令會傳回有關帳戶中目前 IAM 實體用量和目前 IAM 實體配額的資訊。
```
aws iam get-account-summary
```
輸出:
```
{
"SummaryMap": {
"UsersQuota": 5000,
"GroupsQuota": 100,
"InstanceProfiles": 6,
"SigningCertificatesPerUserQuota": 2,
"AccountAccessKeysPresent": 0,
"RolesQuota": 250,
"RolePolicySizeQuota": 10240,
"AccountSigningCertificatesPresent": 0,
"Users": 27,
"ServerCertificatesQuota": 20,
"ServerCertificates": 0,
"AssumeRolePolicySizeQuota": 2048,
"Groups": 7,
"MFADevicesInUse": 1,
"Roles": 3,
"AccountMFAEnabled": 1,
"MFADevices": 3,
"GroupsPerUserQuota": 10,
"GroupPolicySizeQuota": 5120,
"InstanceProfilesQuota": 100,
"AccessKeysPerUserQuota": 2,
"Providers": 0,
"UserPolicySizeQuota": 2048
}
}
```
如需實體限制的詳細資訊,請參閱《[IAM 使用者指南》中的 IAM 和 AWS STS 配額](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html)。 *AWS *
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetAccountSummary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-account-summary.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回 AWS 帳戶中目前 IAM 實體用量和目前 IAM 實體配額的相關資訊。**
```
Get-IAMAccountSummary
```
**輸出:**
```
Key Value
Users 7
GroupPolicySizeQuota 5120
PolicyVersionsInUseQuota 10000
ServerCertificatesQuota 20
AccountSigningCertificatesPresent 0
AccountAccessKeysPresent 0
Groups 3
UsersQuota 5000
RolePolicySizeQuota 10240
UserPolicySizeQuota 2048
GroupsPerUserQuota 10
AssumeRolePolicySizeQuota 2048
AttachedPoliciesPerGroupQuota 2
Roles 9
VersionsPerPolicyQuota 5
GroupsQuota 100
PolicySizeQuota 5120
Policies 5
RolesQuota 250
ServerCertificates 0
AttachedPoliciesPerRoleQuota 2
MFADevicesInUse 2
PoliciesQuota 1000
AccountMFAEnabled 1
Providers 2
InstanceProfilesQuota 100
MFADevices 4
AccessKeysPerUserQuota 2
AttachedPoliciesPerUserQuota 2
SigningCertificatesPerUserQuota 2
PolicyVersionsInUse 4
InstanceProfiles 1
...
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetAccountSummary](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回 AWS 帳戶中目前 IAM 實體用量和目前 IAM 實體配額的相關資訊。**
```
Get-IAMAccountSummary
```
**輸出:**
```
Key Value
Users 7
GroupPolicySizeQuota 5120
PolicyVersionsInUseQuota 10000
ServerCertificatesQuota 20
AccountSigningCertificatesPresent 0
AccountAccessKeysPresent 0
Groups 3
UsersQuota 5000
RolePolicySizeQuota 10240
UserPolicySizeQuota 2048
GroupsPerUserQuota 10
AssumeRolePolicySizeQuota 2048
AttachedPoliciesPerGroupQuota 2
Roles 9
VersionsPerPolicyQuota 5
GroupsQuota 100
PolicySizeQuota 5120
Policies 5
RolesQuota 250
ServerCertificates 0
AttachedPoliciesPerRoleQuota 2
MFADevicesInUse 2
PoliciesQuota 1000
AccountMFAEnabled 1
Providers 2
InstanceProfilesQuota 100
MFADevices 4
AccessKeysPerUserQuota 2
AttachedPoliciesPerUserQuota 2
SigningCertificatesPerUserQuota 2
PolicyVersionsInUse 4
InstanceProfiles 1
...
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetAccountSummary](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def get_summary():
"""
Gets a summary of account usage.
:return: The summary of account usage.
"""
try:
summary = iam.AccountSummary()
logger.debug(summary.summary_map)
except ClientError:
logger.exception("Couldn't get a summary for your account.")
raise
else:
return summary.summary_map
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetAccountSummary](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountSummary)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getaccountsummary( ).
MESSAGE 'Retrieved account summary.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when getting account summary.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetAccountSummary](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetContextKeysForCustomPolicy` 與 CLI
下列程式碼範例示範如何使用 `GetContextKeysForCustomPolicy`。
------
#### [ CLI ]
**AWS CLI**
**範例 1:列出命令列上以參數形式提供的一個或多個自訂 JSON 政策引用的內容索引鍵**
下列 `get-context-keys-for-custom-policy` 命令會剖析提供的每個政策,並列出這些政策使用的內容索引鍵。使用此命令來識別您必須提供的內容索引鍵值,以成功使用政策模擬器命令 `simulate-custom-policy` 和 `simulate-custom-policy`。也可以使用 `get-context-keys-for-custom-policy` 命令,擷取 IAM 使用者或角色關聯之所有政策所使用的內容索引鍵清單。以 `file://` 開頭的參數會告訴命令讀取檔案的內容,並將其用作參數的值 (而不是檔案名稱本身)。
```
aws iam get-context-keys-for-custom-policy \
--policy-input-list '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/${aws:username}","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}'
```
輸出:
```
{
"ContextKeyNames": [
"aws:username",
"aws:CurrentTime"
]
}
```
**範例 2:列出以檔案輸入形式提供的一個或多個自訂 JSON 政策引用的內容索引鍵**
下列 `get-context-keys-for-custom-policy` 命令與先前的範例相同,但政策是在檔案中提供,而不是以參數形式提供。由於該命令需要的是 JSON 字串清單,而非 JSON 結構清單,因此檔案的結構必須如下所示,但您可以將其摺疊為一個。
```
[
"Policy1",
"Policy2"
]
```
例如,包含上一個範例中的政策的檔案必須如下所示。必須在政策字串前面加上反斜線 '',以逸出政策字串中的每個內嵌雙引號。
```
[ "{\"Version\": \"2012-10-17\", \"Statement\": {\"Effect\": \"Allow\", \"Action\": \"dynamodb:*\", \"Resource\": \"arn:aws:dynamodb:us-west-2:128716708097:table/${aws:username}\", \"Condition\": {\"DateGreaterThan\": {\"aws:CurrentTime\": \"2015-08-16T12:00:00Z\"}}}}" ]
```
然後可將此檔案提交至下列命令。
```
aws iam get-context-keys-for-custom-policy \
--policy-input-list file://policyfile.json
```
輸出:
```
{
"ContextKeyNames": [
"aws:username",
"aws:CurrentTime"
]
}
```
如需詳細資訊,請參閱《[IAM 使用者指南》中的使用 IAM 政策模擬器 (AWS CLI 和 AWS API)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api)。 *AWS *
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetContextKeysForCustomPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-context-keys-for-custom-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取所提供政策 json 中的所有內容索引鍵。若要提供多個政策,可以採用以逗號分隔的值清單形式提供。**
```
$policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}'
$policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}'
Get-IAMContextKeysForCustomPolicy -PolicyInputList $policy1,$policy2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetContextKeysForCustomPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取所提供政策 json 中的所有內容索引鍵。若要提供多個政策,可以採用以逗號分隔的值清單形式提供。**
```
$policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}'
$policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}'
Get-IAMContextKeysForCustomPolicy -PolicyInputList $policy1,$policy2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetContextKeysForCustomPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetContextKeysForPrincipalPolicy` 與 CLI
下列程式碼範例示範如何使用 `GetContextKeysForPrincipalPolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要列出與 IAM 主體關聯之所有政策引用的內容索引鍵**
下列 `get-context-keys-for-principal-policy` 命令會擷取連接至使用者 `saanvi` 及其所屬任何群組的所有政策。然後,它會剖析每個政策,並列出這些政策所使用的內容索引鍵。此命令可用於確定為成功使用 `simulate-custom-policy` 和 `simulate-principal-policy` 命令,您必須提供的內容索引鍵值。也可以使用 `get-context-keys-for-custom-policy` 命令來擷取任意 JSON 政策所使用的內容索引鍵清單。
```
aws iam get-context-keys-for-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/saanvi
```
輸出:
```
{
"ContextKeyNames": [
"aws:username",
"aws:CurrentTime"
]
}
```
如需詳細資訊,請參閱《[IAM 使用者指南》中的使用 IAM 政策模擬器 (AWS CLI 和 AWS API)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api)。 *AWS *
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetContextKeysForPrincipalPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-context-keys-for-principal-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取所提供政策 json 中的所有內容索引鍵,以及連接至 IAM 實體 (使用者/角色等) 的政策。對於 -PolicyInputList,您可以提供包含多個以逗號分隔的值的清單。**
```
$policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}'
$policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}'
Get-IAMContextKeysForPrincipalPolicy -PolicyInputList $policy1,$policy2 -PolicySourceArn arn:aws:iam::852640994763:user/TestUser
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetContextKeysForPrincipalPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取所提供政策 json 中的所有內容索引鍵,以及連接至 IAM 實體 (使用者/角色等) 的政策。對於 -PolicyInputList,您可以提供包含多個以逗號分隔的值的清單。**
```
$policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}'
$policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}'
Get-IAMContextKeysForPrincipalPolicy -PolicyInputList $policy1,$policy2 -PolicySourceArn arn:aws:iam::852640994763:user/TestUser
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetContextKeysForPrincipalPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetCredentialReport` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetCredentialReport`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
------
#### [ CLI ]
**AWS CLI**
**取得憑證報告**
此範例會開啟傳回的報告,並以文字行陣列的形式將其輸出至管道。
```
aws iam get-credential-report
```
輸出:
```
{
"GeneratedTime": "2015-06-17T19:11:50Z",
"ReportFormat": "text/csv"
}
```
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[取得 AWS 帳戶的登入資料報告](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetCredentialReport](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-credential-report.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會開啟傳回的報告,並以文字行陣列的形式將其輸出至管道。第一行是帶有以逗號分隔的資料欄名稱的標題。每個連續資料列是一個使用者的詳細資訊列,每個欄位以逗號分隔。必須先使用 `Request-IAMCredentialReport` cmdlet 產生報告,然後才能檢視報告。若要以單一字串擷取報告,請使用 `-Raw`,勿用 `-AsTextArray`。`-AsTextArray` 交換器也接受別名 `-SplitLines`。如需輸出中資料欄的完整清單,請參閱服務 API 參考。請注意,如果不使用 `-AsTextArray` 或 `-SplitLines`,必須使用 .NET `StreamReader` 類從 `.Content` 屬性擷取文字。**
```
Request-IAMCredentialReport
```
**輸出:**
```
Description State
----------- -----
No report exists. Starting a new report generation task STARTED
```
```
Get-IAMCredentialReport -AsTextArray
```
**輸出:**
```
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated root_account,arn:aws:iam::123456789012:root,2014-10-15T16:31:25+00:00,not_supported,2015-04-20T17:41:10+00:00,not_supported,not_supported,true,false,N/A,false,N/A,false,N/A,false,N/A
Administrator,arn:aws:iam::123456789012:user/Administrator,2014-10-16T16:03:09+00:00,true,2015-04-20T15:18:32+00:00,2014-10-16T16:06:00+00:00,N/A,false,true,2014-12-03T18:53:41+00:00,true,2015-03-25T20:38:14+00:00,false,N/A,false,N/A
Bill,arn:aws:iam::123456789012:user/Bill,2015-04-15T18:27:44+00:00,false,N/A,N/A,N/A,false,false,N/A,false,N/A,false,2015-04-20T20:00:12+00:00,false,N/A
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetCredentialReport](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會開啟傳回的報告,並以文字行陣列的形式將其輸出至管道。第一行是帶有以逗號分隔的資料欄名稱的標題。每個連續資料列是一個使用者的詳細資訊列,每個欄位以逗號分隔。必須先使用 `Request-IAMCredentialReport` cmdlet 產生報告,然後才能檢視報告。若要以單一字串擷取報告,請使用 `-Raw`,勿用 `-AsTextArray`。`-AsTextArray` 交換器也接受別名 `-SplitLines`。如需輸出中資料欄的完整清單,請參閱服務 API 參考。請注意,如果不使用 `-AsTextArray` 或 `-SplitLines`,必須使用 .NET `StreamReader` 類從 `.Content` 屬性擷取文字。**
```
Request-IAMCredentialReport
```
**輸出:**
```
Description State
----------- -----
No report exists. Starting a new report generation task STARTED
```
```
Get-IAMCredentialReport -AsTextArray
```
**輸出:**
```
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated root_account,arn:aws:iam::123456789012:root,2014-10-15T16:31:25+00:00,not_supported,2015-04-20T17:41:10+00:00,not_supported,not_supported,true,false,N/A,false,N/A,false,N/A,false,N/A
Administrator,arn:aws:iam::123456789012:user/Administrator,2014-10-16T16:03:09+00:00,true,2015-04-20T15:18:32+00:00,2014-10-16T16:06:00+00:00,N/A,false,true,2014-12-03T18:53:41+00:00,true,2015-03-25T20:38:14+00:00,false,N/A,false,N/A
Bill,arn:aws:iam::123456789012:user/Bill,2015-04-15T18:27:44+00:00,false,N/A,N/A,N/A,false,false,N/A,false,N/A,false,2015-04-20T20:00:12+00:00,false,N/A
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetCredentialReport](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def get_credential_report():
"""
Gets the most recently generated credentials report about the current account.
:return: The credentials report.
"""
try:
response = iam.meta.client.get_credential_report()
logger.debug(response["Content"])
except ClientError:
logger.exception("Couldn't get credentials report.")
raise
else:
return response["Content"]
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetCredentialReport](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetCredentialReport)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getcredentialreport( ).
MESSAGE 'Retrieved credential report.' TYPE 'I'.
CATCH /aws1/cx_iamcredrptnotpresen00.
MESSAGE 'Credential report not present.' TYPE 'E'.
CATCH /aws1/cx_iamcredrptexpiredex.
MESSAGE 'Credential report expired.' TYPE 'E'.
CATCH /aws1/cx_iamcredrptnotreadyex.
MESSAGE 'Credential report not ready.' TYPE 'E'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when getting credential report.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetCredentialReport](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetGroup` 與 CLI
下列程式碼範例示範如何使用 `GetGroup`。
------
#### [ CLI ]
**AWS CLI**
**若要取得 IAM 群組**
此範例會傳回 IAM 群組 `Admins` 的詳細資訊。
```
aws iam get-group \
--group-name Admins
```
輸出:
```
{
"Group": {
"Path": "/",
"CreateDate": "2015-06-16T19:41:48Z",
"GroupId": "AIDGPMS9RO4H3FEXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/Admins",
"GroupName": "Admins"
},
"Users": []
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 身分 (使用者、使用者群組和角色)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-group.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回 IAM 群組 `Testers` 的詳細資訊,包括屬於該群組的所有 IAM 使用者的集合。**
```
$results = Get-IAMGroup -GroupName "Testers"
$results
```
**輸出:**
```
Group IsTruncated Marker Users
----- ----------- ------ -----
Amazon.IdentityManagement.Model.Group False {Theresa, David}
```
```
$results.Group
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Testers
CreateDate : 12/10/2014 3:39:11 PM
GroupId : 3RHNZZGQJ7QHMAEXAMPLE1
GroupName : Testers
Path : /
```
```
$results.Users
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Theresa
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 1/1/0001 12:00:00 AM
Path : /
UserId : 4OSVDDJJTF4XEEXAMPLE2
UserName : Theresa
Arn : arn:aws:iam::123456789012:user/David
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 3/19/2015 8:44:04 AM
Path : /
UserId : Y4FKWQCXTA52QEXAMPLE3
UserName : David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetGroup](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回 IAM 群組 `Testers` 的詳細資訊,包括屬於該群組的所有 IAM 使用者的集合。**
```
$results = Get-IAMGroup -GroupName "Testers"
$results
```
**輸出:**
```
Group IsTruncated Marker Users
----- ----------- ------ -----
Amazon.IdentityManagement.Model.Group False {Theresa, David}
```
```
$results.Group
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Testers
CreateDate : 12/10/2014 3:39:11 PM
GroupId : 3RHNZZGQJ7QHMAEXAMPLE1
GroupName : Testers
Path : /
```
```
$results.Users
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Theresa
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 1/1/0001 12:00:00 AM
Path : /
UserId : 4OSVDDJJTF4XEEXAMPLE2
UserName : Theresa
Arn : arn:aws:iam::123456789012:user/David
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 3/19/2015 8:44:04 AM
Path : /
UserId : Y4FKWQCXTA52QEXAMPLE3
UserName : David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetGroup](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetGroupPolicy` 與 CLI
下列程式碼範例示範如何使用 `GetGroupPolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要取得連接到 IAM 群組的政策的相關資訊**
下列 `get-group-policy` 命令會取得連接到名為 `Test-Group` 的群組之指定政策的相關資訊。
```
aws iam get-group-policy \
--group-name Test-Group \
--policy-name S3-ReadOnly-Policy
```
輸出:
```
{
"GroupName": "Test-Group",
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*",
"Effect": "Allow"
}
]
},
"PolicyName": "S3-ReadOnly-Policy"
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-group-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回群組 `PowerUserAccess-Testers` 名為 `Testers` 的嵌入式內嵌政策的詳細資訊。`PolicyDocument` 屬性經過 URL 編碼。在此範例中,它會使用 `UrlDecode` .NET 方法解碼。**
```
$results = Get-IAMGroupPolicy -GroupName Testers -PolicyName PowerUserAccess-Testers
$results
```
**輸出:**
```
GroupName PolicyDocument PolicyName
--------- -------------- ----------
Testers %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20... PowerUserAccess-Testers
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.PolicyDocument)
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f"
]
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回群組 `PowerUserAccess-Testers` 名為 `Testers` 的嵌入式內嵌政策的詳細資訊。`PolicyDocument` 屬性經過 URL 編碼。在此範例中,它會使用 `UrlDecode` .NET 方法解碼。**
```
$results = Get-IAMGroupPolicy -GroupName Testers -PolicyName PowerUserAccess-Testers
$results
```
**輸出:**
```
GroupName PolicyDocument PolicyName
--------- -------------- ----------
Testers %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20... PowerUserAccess-Testers
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.PolicyDocument)
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f"
]
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetInstanceProfile` 與 CLI
下列程式碼範例示範如何使用 `GetInstanceProfile`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
------
#### [ CLI ]
**AWS CLI**
**若要取得有關執行個體設定檔的資訊**
下列 `get-instance-profile` 命令會取得名為 `ExampleInstanceProfile` 之執行個體設定檔的相關資訊。
```
aws iam get-instance-profile \
--instance-profile-name ExampleInstanceProfile
```
輸出:
```
{
"InstanceProfile": {
"InstanceProfileId": "AID2MAB8DPLSRHEXAMPLE",
"Roles": [
{
"AssumeRolePolicyDocument": "",
"RoleId": "AIDGPMS9RO4H3FEXAMPLE",
"CreateDate": "2013-01-09T06:33:26Z",
"RoleName": "Test-Role",
"Path": "/",
"Arn": "arn:aws:iam::336924118301:role/Test-Role"
}
],
"CreateDate": "2013-06-12T23:52:02Z",
"InstanceProfileName": "ExampleInstanceProfile",
"Path": "/",
"Arn": "arn:aws:iam::336924118301:instance-profile/ExampleInstanceProfile"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用執行個體設定檔](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-instance-profile.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回目前 AWS 帳戶中定義的名為 `ec2instancerole` 的執行個體描述檔詳細資訊。**
```
Get-IAMInstanceProfile -InstanceProfileName ec2instancerole
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole
CreateDate : 2/17/2015 2:49:04 PM
InstanceProfileId : HH36PTZQJUR32EXAMPLE1
InstanceProfileName : ec2instancerole
Path : /
Roles : {ec2instancerole}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回目前 AWS 帳戶中定義的名為 `ec2instancerole` 的執行個體描述檔詳細資訊。**
```
Get-IAMInstanceProfile -InstanceProfileName ec2instancerole
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole
CreateDate : 2/17/2015 2:49:04 PM
InstanceProfileId : HH36PTZQJUR32EXAMPLE1
InstanceProfileName : ec2instancerole
Path : /
Roles : {ec2instancerole}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetLoginProfile` 與 CLI
下列程式碼範例示範如何使用 `GetLoginProfile`。
------
#### [ CLI ]
**AWS CLI**
**若要取得 IAM 使用者的密碼資訊**
下列 `get-login-profile` 命令會取得名為 `Bob` 之 IAM 使用者的密碼資訊。
```
aws iam get-login-profile \
--user-name Bob
```
輸出:
```
{
"LoginProfile": {
"UserName": "Bob",
"CreateDate": "2012-09-21T23:03:39Z"
}
}
```
`get-login-profile` 命令可用來驗證 IAM 使用者是否有密碼。如果沒有為使用者定義密碼,該命令會傳回錯誤:`NoSuchEntity`。
不能使用此命令檢視密碼。如果密碼遺失,可以重設使用者的密碼 (`update-login-profile`)。或者,可以刪除使用者的登入設定檔 (`delete-login-profile`),然後建立新檔 (`create-login-profile`)。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的密碼](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-login-profile.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回密碼建立日期,以及 IAM 使用者 `David` 是否需要重設密碼。**
```
Get-IAMLoginProfile -UserName David
```
**輸出:**
```
CreateDate PasswordResetRequired UserName
---------- --------------------- --------
12/10/2014 3:39:44 PM False David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回密碼建立日期,以及 IAM 使用者 `David` 是否需要重設密碼。**
```
Get-IAMLoginProfile -UserName David
```
**輸出:**
```
CreateDate PasswordResetRequired UserName
---------- --------------------- --------
12/10/2014 3:39:44 PM False David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetOpenIdConnectProvider` 與 CLI
下列程式碼範例示範如何使用 `GetOpenIdConnectProvider`。
------
#### [ CLI ]
**AWS CLI**
**若要傳回指定 OpenID Connect 提供者的相關資訊**
此範例會傳回 ARN 為 `arn:aws:iam::123456789012:oidc-provider/server.example.com` 的 OpenID Connect 提供者的詳細資訊。
```
aws iam get-open-id-connect-provider \
--open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/server.example.com
```
輸出:
```
{
"Url": "server.example.com"
"CreateDate": "2015-06-16T19:41:48Z",
"ThumbprintList": [
"12345abcdefghijk67890lmnopqrst987example"
],
"ClientIDList": [
"example-application-ID"
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-open-id-connect-provider.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回 ARN 為 `arn:aws:iam::123456789012:oidc-provider/accounts.google.com` 的 OpenID Connect 提供者的詳細資訊。`ClientIDList` 屬性是一個集合,包含為此提供者定義的所有用戶端 ID。**
```
Get-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/oidc.example.com
```
**輸出:**
```
ClientIDList CreateDate ThumbprintList Url
------------ ---------- -------------- ---
{MyOIDCApp} 2/3/2015 3:00:30 PM {12345abcdefghijk67890lmnopqrst98765uvwxy} oidc.example.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回 ARN 為 `arn:aws:iam::123456789012:oidc-provider/accounts.google.com` 的 OpenID Connect 提供者的詳細資訊。`ClientIDList` 屬性是一個集合,包含為此提供者定義的所有用戶端 ID。**
```
Get-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/oidc.example.com
```
**輸出:**
```
ClientIDList CreateDate ThumbprintList Url
------------ ---------- -------------- ---
{MyOIDCApp} 2/3/2015 3:00:30 PM {12345abcdefghijk67890lmnopqrst98765uvwxy} oidc.example.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetPolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetPolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [使用 IAM 政策產生器 API](iam_example_iam_Scenario_IamPolicyBuilder_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Get information about an IAM policy.
///
/// The IAM policy to retrieve information for.
/// The IAM policy.
public async Task GetPolicyAsync(string policyArn)
{
var response = await _IAMService.GetPolicyAsync(new GetPolicyRequest { PolicyArn = policyArn });
return response.Policy;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [GetPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetPolicy)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::getPolicy(const Aws::String &policyArn,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::GetPolicyRequest request;
request.SetPolicyArn(policyArn);
auto outcome = iam.GetPolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error getting policy " << policyArn << ": " <<
outcome.GetError().GetMessage() << std::endl;
}
else {
const auto &policy = outcome.GetResult().GetPolicy();
std::cout << "Name: " << policy.GetPolicyName() << std::endl <<
"ID: " << policy.GetPolicyId() << std::endl << "Arn: " <<
policy.GetArn() << std::endl << "Description: " <<
policy.GetDescription() << std::endl << "CreateDate: " <<
policy.GetCreateDate().ToGmtString(Aws::Utils::DateFormat::ISO_8601)
<< std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [GetPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/GetPolicy)。
------
#### [ CLI ]
**AWS CLI**
**擷取指定受管政策的相關資訊**
此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 之受管政策的詳細資訊。
```
aws iam get-policy \
--policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy
```
輸出:
```
{
"Policy": {
"PolicyName": "MySamplePolicy",
"CreateDate": "2015-06-17T19:23;32Z",
"AttachmentCount": 0,
"IsAttachable": true,
"PolicyId": "Z27SI6FQMGNQ2EXAMPLE1",
"DefaultVersionId": "v1",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:policy/MySamplePolicy",
"UpdateDate": "2015-06-17T19:23:32Z"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions
// used in the examples.
// It contains an IAM service client that is used to perform policy actions.
type PolicyWrapper struct {
IamClient *iam.Client
}
// GetPolicy gets data about a policy.
func (wrapper PolicyWrapper) GetPolicy(ctx context.Context, policyArn string) (*types.Policy, error) {
var policy *types.Policy
result, err := wrapper.IamClient.GetPolicy(ctx, &iam.GetPolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't get policy %v. Here's why: %v\n", policyArn, err)
} else {
policy = result.Policy
}
return policy, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [GetPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetPolicy)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
取得政策。
```
import { GetPolicyCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} policyArn
*/
export const getPolicy = (policyArn) => {
const command = new GetPolicyCommand({
PolicyArn: policyArn,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-getting)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetPolicyCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
PolicyArn: "arn:aws:iam::aws:policy/AWSLambdaExecute",
};
iam.getPolicy(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data.Policy.Description);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-getting)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetPolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/GetPolicy)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun getIAMPolicy(policyArnVal: String?) {
val request =
GetPolicyRequest {
policyArn = policyArnVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.getPolicy(request)
println("Successfully retrieved policy ${response.policy?.policyName}")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [GetPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function getPolicy($policyArn)
{
return $this->customWaiter(function () use ($policyArn) {
return $this->iamClient->getPolicy(['PolicyArn' => $policyArn]);
});
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [GetPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/GetPolicy)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 之受管政策的詳細資訊。**
```
Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
```
**輸出:**
```
Arn : arn:aws:iam::aws:policy/MySamplePolicy
AttachmentCount : 0
CreateDate : 2/6/2015 10:40:08 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : Z27SI6FQMGNQ2EXAMPLE1
PolicyName : MySamplePolicy
UpdateDate : 2/6/2015 10:40:08 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 之受管政策的詳細資訊。**
```
Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy
```
**輸出:**
```
Arn : arn:aws:iam::aws:policy/MySamplePolicy
AttachmentCount : 0
CreateDate : 2/6/2015 10:40:08 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : Z27SI6FQMGNQ2EXAMPLE1
PolicyName : MySamplePolicy
UpdateDate : 2/6/2015 10:40:08 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def get_default_policy_statement(policy_arn):
"""
Gets the statement of the default version of the specified policy.
:param policy_arn: The ARN of the policy to look up.
:return: The statement of the default policy version.
"""
try:
policy = iam.Policy(policy_arn)
# To get an attribute of a policy, the SDK first calls get_policy.
policy_doc = policy.default_version.document
policy_statement = policy_doc.get("Statement", None)
logger.info("Got default policy doc for %s.", policy.policy_name)
logger.info(policy_doc)
except ClientError:
logger.exception("Couldn't get default policy statement for %s.", policy_arn)
raise
else:
return policy_statement
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetPolicy)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Fetches an IAM policy by its ARN
# @param policy_arn [String] the ARN of the IAM policy to retrieve
# @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found
def get_policy(policy_arn)
response = @iam_client.get_policy(policy_arn: policy_arn)
policy = response.policy
@logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.")
policy
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.")
raise
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}")
raise
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [GetPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetPolicy)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getpolicy( iv_policyarn = iv_policy_arn ).
MESSAGE 'Retrieved policy information.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func getPolicy(arn: String) async throws -> IAMClientTypes.Policy {
let input = GetPolicyInput(
policyArn: arn
)
do {
let output = try await client.getPolicy(input: input)
guard let policy = output.policy else {
throw ServiceHandlerError.noSuchPolicy
}
return policy
} catch {
print("ERROR: getPolicy:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [GetPolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/getpolicy(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetPolicyVersion` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetPolicyVersion`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [使用 IAM 政策產生器 API](iam_example_iam_Scenario_IamPolicyBuilder_section.md)
------
#### [ CLI ]
**AWS CLI**
**擷取指定受管政策指定版本的相關資訊**
此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 之 v2 版本政策的政策文件。
```
aws iam get-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
--version-id v2
```
輸出:
```
{
"PolicyVersion": {
"Document": {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
},
"VersionId": "v2",
"IsDefaultVersion": true,
"CreateDate": "2023-04-11T00:22:54+00:00"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetPolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-policy-version.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 之 `v2` 版本政策的政策文件。`Document` 屬性中的政策文件經過 URL 編碼,在此範例中使用 `UrlDecode` .NET 方法解碼。**
```
$results = Get-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy -VersionId v2
$results
```
**輸出:**
```
CreateDate Document IsDefaultVersion VersionId
---------- -------- ---------------- ---------
2/12/2015 9:39:53 AM %7B%0A%20%20%22Version%22%3A%20%222012-10... True v2
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
$policy = [System.Web.HttpUtility]::UrlDecode($results.Document)
$policy
{
"Version":"2012-10-17",
"Statement":
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f"
]
}
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetPolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 之 `v2` 版本政策的政策文件。`Document` 屬性中的政策文件經過 URL 編碼,在此範例中使用 `UrlDecode` .NET 方法解碼。**
```
$results = Get-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy -VersionId v2
$results
```
**輸出:**
```
CreateDate Document IsDefaultVersion VersionId
---------- -------- ---------------- ---------
2/12/2015 9:39:53 AM %7B%0A%20%20%22Version%22%3A%20%222012-10... True v2
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
$policy = [System.Web.HttpUtility]::UrlDecode($results.Document)
$policy
{
"Version":"2012-10-17",
"Statement":
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f"
]
}
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetPolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def get_default_policy_statement(policy_arn):
"""
Gets the statement of the default version of the specified policy.
:param policy_arn: The ARN of the policy to look up.
:return: The statement of the default policy version.
"""
try:
policy = iam.Policy(policy_arn)
# To get an attribute of a policy, the SDK first calls get_policy.
policy_doc = policy.default_version.document
policy_statement = policy_doc.get("Statement", None)
logger.info("Got default policy doc for %s.", policy.policy_name)
logger.info(policy_doc)
except ClientError:
logger.exception("Couldn't get default policy statement for %s.", policy_arn)
raise
else:
return policy_statement
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetPolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetPolicyVersion)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getpolicyversion(
iv_policyarn = iv_policy_arn
iv_versionid = iv_version_id ).
MESSAGE 'Retrieved policy version information.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy or version does not exist.' TYPE 'E'.
CATCH /aws1/cx_iaminvalidinputex.
MESSAGE 'Invalid input provided.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetPolicyVersion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetRole` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetRole`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [為 Fargate 啟動類型建立 Amazon ECS Linux 任務](iam_example_ecs_GettingStarted_086_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Get information about an IAM role.
///
/// The name of the IAM role to retrieve information
/// for.
/// The IAM role that was retrieved.
public async Task GetRoleAsync(string roleName)
{
var response = await _IAMService.GetRoleAsync(new GetRoleRequest
{
RoleName = roleName,
});
return response.Role;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [GetRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetRole)。
------
#### [ CLI ]
**AWS CLI**
**取得 IAM 角色的相關資訊**
下列 `get-role` 命令會取得名為 `Test-Role` 之角色的相關資訊。
```
aws iam get-role \
--role-name Test-Role
```
輸出:
```
{
"Role": {
"Description": "Test Role",
"AssumeRolePolicyDocument":"",
"MaxSessionDuration": 3600,
"RoleId": "AROA1234567890EXAMPLE",
"CreateDate": "2019-11-13T16:45:56Z",
"RoleName": "Test-Role",
"Path": "/",
"RoleLastUsed": {
"Region": "us-east-1",
"LastUsedDate": "2019-11-13T17:14:00Z"
},
"Arn": "arn:aws:iam::123456789012:role/Test-Role"
}
}
```
該命令會顯示連接至角色的信任政策。若要列出連接至角色的許可政策,請使用 `list-role-policies` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-role.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// GetRole gets data about a role.
func (wrapper RoleWrapper) GetRole(ctx context.Context, roleName string) (*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.GetRole(ctx,
&iam.GetRoleInput{RoleName: aws.String(roleName)})
if err != nil {
log.Printf("Couldn't get role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [GetRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetRole)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
取得角色。
```
import { GetRoleCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} roleName
*/
export const getRole = (roleName) => {
const command = new GetRoleCommand({
RoleName: roleName,
});
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetRoleCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function getRole($roleName)
{
return $this->customWaiter(function () use ($roleName) {
return $this->iamClient->getRole(['RoleName' => $roleName]);
});
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [GetRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/GetRole)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回 `lamda_exec_role` 的詳細資訊。其中包含指定誰可以擔任此角色的信任政策文件。政策文件經過 URL 編碼,可以使用 .NET `UrlDecode` 方法解碼。在此範例中,原始政策在上傳至政策之前已移除所有空格。若要查看決定擔任該角色之人員可以執行的動作的許可政策文件,請將 `Get-IAMRolePolicy` 用於內嵌政策,並將 `Get-IAMPolicyVersion` 用於連接的受管政策。**
```
$results = Get-IamRole -RoleName lambda_exec_role
$results | Format-List
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:role/lambda_exec_role
AssumeRolePolicyDocument : %7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22
%3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service
%22%3A%22lambda.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole
%22%7D%5D%7D
CreateDate : 4/2/2015 9:16:11 AM
Path : /
RoleId : 2YBIKAIBHNKB4EXAMPLE1
RoleName : lambda_exec_role
```
```
$policy = [System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument)
$policy
```
**輸出:**
```
{"Version":"2012-10-17", "Statement":[{"Sid":"","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回 `lamda_exec_role` 的詳細資訊。其中包含指定誰可以擔任此角色的信任政策文件。政策文件經過 URL 編碼,可以使用 .NET `UrlDecode` 方法解碼。在此範例中,原始政策在上傳至政策之前已移除所有空格。若要查看決定擔任該角色之人員可以執行的動作的許可政策文件,請將 `Get-IAMRolePolicy` 用於內嵌政策,並將 `Get-IAMPolicyVersion` 用於連接的受管政策。**
```
$results = Get-IamRole -RoleName lambda_exec_role
$results | Format-List
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:role/lambda_exec_role
AssumeRolePolicyDocument : %7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22
%3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service
%22%3A%22lambda.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole
%22%7D%5D%7D
CreateDate : 4/2/2015 9:16:11 AM
Path : /
RoleId : 2YBIKAIBHNKB4EXAMPLE1
RoleName : lambda_exec_role
```
```
$policy = [System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument)
$policy
```
**輸出:**
```
{"Version":"2012-10-17", "Statement":[{"Sid":"","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def get_role(role_name):
"""
Gets a role by name.
:param role_name: The name of the role to retrieve.
:return: The specified role.
"""
try:
role = iam.Role(role_name)
role.load() # calls GetRole to load attributes
logger.info("Got role with arn %s.", role.arn)
except ClientError:
logger.exception("Couldn't get role named %s.", role_name)
raise
else:
return role
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [GetRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetRole)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Gets data about a role.
#
# @param name [String] The name of the role to look up.
# @return [Aws::IAM::Role] The retrieved role.
def get_role(name)
role = @iam_client.get_role({
role_name: name
}).role
puts("Got data for role '#{role.role_name}'. Its ARN is '#{role.arn}'.")
rescue Aws::Errors::ServiceError => e
puts("Couldn't get data for role '#{name}' Here's why:")
puts("\t#{e.code}: #{e.message}")
raise
else
role
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [GetRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetRole)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn get_role(
client: &iamClient,
role_name: String,
) -> Result> {
let response = client.get_role().role_name(role_name).send().await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [GetRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.get_role)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->getrole( iv_rolename = iv_role_name ).
MESSAGE 'Retrieved role information.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Role does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func getRole(name: String) async throws -> IAMClientTypes.Role {
let input = GetRoleInput(
roleName: name
)
do {
let output = try await client.getRole(input: input)
guard let role = output.role else {
throw ServiceHandlerError.noSuchRole
}
return role
} catch {
print("ERROR: getRole:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [GetRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/getrole(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetRolePolicy` 與 CLI
下列程式碼範例示範如何使用 `GetRolePolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要取得連接到 IAM 角色的政策的相關資訊**
下列 `get-role-policy` 命令會取得連接到名為 `Test-Role` 的角色之指定政策的相關資訊。
```
aws iam get-role-policy \
--role-name Test-Role \
--policy-name ExamplePolicy
```
輸出:
```
{
"RoleName": "Test-Role",
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:Put*",
"s3:Get*",
"s3:*MultipartUpload*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "1"
}
]
}
"PolicyName": "ExamplePolicy"
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-role-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回內嵌在 IAM 角色 `lamda_exec_role` 中的名為 `oneClick_lambda_exec_role_policy` 之政策的許可政策文件。產生的政策文件經過 URL 編碼。在此範例中,它會使用 `UrlDecode` .NET 方法解碼。**
```
$results = Get-IAMRolePolicy -RoleName lambda_exec_role -PolicyName oneClick_lambda_exec_role_policy
$results
```
**輸出:**
```
PolicyDocument PolicyName UserName
-------------- ---------- --------
%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... oneClick_lambda_exec_role_policy lambda_exec_role
```
```
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.PolicyDocument)
```
**輸出:**
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:us-east-1:555555555555:log-group:/aws/lambda/aws-example-function:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回內嵌在 IAM 角色 `lamda_exec_role` 中的名為 `oneClick_lambda_exec_role_policy` 之政策的許可政策文件。產生的政策文件經過 URL 編碼。在此範例中,它會使用 `UrlDecode` .NET 方法解碼。**
```
$results = Get-IAMRolePolicy -RoleName lambda_exec_role -PolicyName oneClick_lambda_exec_role_policy
$results
```
**輸出:**
```
PolicyDocument PolicyName UserName
-------------- ---------- --------
%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... oneClick_lambda_exec_role_policy lambda_exec_role
```
```
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.PolicyDocument)
```
**輸出:**
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:us-east-1:555555555555:log-group:/aws/lambda/aws-example-function:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetSamlProvider` 與 CLI
下列程式碼範例示範如何使用 `GetSamlProvider`。
------
#### [ CLI ]
**AWS CLI**
**若要擷取 SAML 提供者中繼資料文件**
此範例會擷取 ARM 為 `arn:aws:iam::123456789012:saml-provider/SAMLADFS` 的 SAML 2.0 提供者的詳細資訊。回應包含您從身分提供者取得以建立 AWS SAML 提供者實體的中繼資料文件,以及建立和過期日期。
```
aws iam get-saml-provider \
--saml-provider-arn arn:aws:iam::123456789012:saml-provider/SAMLADFS
```
輸出:
```
{
"SAMLMetadataDocument": "...SAMLMetadataDocument-XML...",
"CreateDate": "2017-03-06T22:29:46+00:00",
"ValidUntil": "2117-03-06T22:29:46.433000+00:00",
"Tags": [
{
"Key": "DeptID",
"Value": "123456"
},
{
"Key": "Department",
"Value": "Accounting"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM SAML 身分提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetSamlProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-saml-provider.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取 ARM 為 arn:aws:iam::123456789012:saml-provider/SAMLADFS 的 SAML 2.0 提供者的詳細資訊。回應包含您從身分提供者取得以建立 AWS SAML 提供者實體的中繼資料文件,以及建立和過期日期。**
```
Get-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFS
```
**輸出:**
```
CreateDate SAMLMetadataDocument ValidUntil
---------- -------------------- ----------
12/23/2014 12:16:55 PM
下列程式碼範例示範如何使用 `GetServerCertificate`。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::getServerCertificate(const Aws::String &certificateName,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::GetServerCertificateRequest request;
request.SetServerCertificateName(certificateName);
auto outcome = iam.GetServerCertificate(request);
bool result = true;
if (!outcome.IsSuccess()) {
if (outcome.GetError().GetErrorType() != Aws::IAM::IAMErrors::NO_SUCH_ENTITY) {
std::cerr << "Error getting server certificate " << certificateName <<
": " << outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Certificate '" << certificateName
<< "' not found." << std::endl;
}
}
else {
const auto &certificate = outcome.GetResult().GetServerCertificate();
std::cout << "Name: " <<
certificate.GetServerCertificateMetadata().GetServerCertificateName()
<< std::endl << "Body: " << certificate.GetCertificateBody() <<
std::endl << "Chain: " << certificate.GetCertificateChain() <<
std::endl;
}
return result;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [GetServerCertificate](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/GetServerCertificate)。
------
#### [ CLI ]
**AWS CLI**
**取得您 AWS 帳戶中伺服器憑證的詳細資訊**
下列`get-server-certificate`命令會擷取您 AWS 帳戶中指定伺服器憑證的所有詳細資訊。
```
aws iam get-server-certificate \
--server-certificate-name myUpdatedServerCertificate
```
輸出:
```
{
"ServerCertificate": {
"ServerCertificateMetadata": {
"Path": "/",
"ServerCertificateName": "myUpdatedServerCertificate",
"ServerCertificateId": "ASCAEXAMPLE123EXAMPLE",
"Arn": "arn:aws:iam::123456789012:server-certificate/myUpdatedServerCertificate",
"UploadDate": "2019-04-22T21:13:44+00:00",
"Expiration": "2019-10-15T22:23:16+00:00"
},
"CertificateBody": "-----BEGIN CERTIFICATE-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvrszlaEXAMPLE=-----END CERTIFICATE-----",
"CertificateChain": "-----BEGIN CERTIFICATE-----\nMIICiTCCAfICCQD6md
7oRw0uXOjANBgkqhkiG9w0BAqQUFADCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AldBMRAwDgYDVQQHEwdTZWF0drGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAs
TC0lBTSBDb25zb2xlMRIwEAYDVsQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQ
jb20wHhcNMTEwNDI1MjA0NTIxWhtcNMTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBh
MCVVMxCzAJBgNVBAgTAldBMRAwDgsYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBb
WF6b24xFDASBgNVBAsTC0lBTSBDb2d5zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMx
HzAdBgkqhkiG9w0BCQEWEG5vb25lQGfFtYXpvbi5jb20wgZ8wDQYJKoZIhvcNAQE
BBQADgY0AMIGJAoGBAMaK0dn+a4GmWIgWJ21uUSfwfEvySWtC2XADZ4nB+BLYgVI
k60CpiwsZ3G93vUEIO3IyNoH/f0wYK8mh9TrDHudUZg3qX4waLG5M43q7Wgc/MbQ
ITxOUSQv7c7ugFFDzQGBzZswY6786m86gjpEIbb3OhjZnzcvQAaRHhdlQWIMm2nr
AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCku4nUhVVxYUntneD9+h8Mg9q6q+auN
KyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0FlkbFFBjvSfpJIlJ00zbhNYS5f6Guo
EDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjS;TbNYiytVbZPQUQ5Yaxu2jXnimvw
3rrszlaEWEG5vb25lQGFtsYXpvbiEXAMPLE=\n-----END CERTIFICATE-----"
}
}
```
若要列出您 AWS 帳戶中可用的伺服器憑證,請使用 `list-server-certificates`命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 IAM 中管理伺服器憑證](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetServerCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-server-certificate.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
獲取伺服器憑證。
```
import { GetServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} certName
* @returns
*/
export const getServerCertificate = async (certName) => {
const command = new GetServerCertificateCommand({
ServerCertificateName: certName,
});
const response = await client.send(command);
console.log(response);
return response;
};
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetServerCertificateCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.getServerCertificate(
{ ServerCertificateName: "CERTIFICATE_NAME" },
function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
}
);
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [GetServerCertificate](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/GetServerCertificate)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取名為 `MyServerCertificate` 之伺服器憑證的詳細資訊。可以在 `CertificateBody` 和 `ServerCertificateMetadata` 屬性中找到憑證詳細資訊。**
```
$result = Get-IAMServerCertificate -ServerCertificateName MyServerCertificate
$result | format-list
```
**輸出:**
```
CertificateBody : -----BEGIN CERTIFICATE-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
-----END CERTIFICATE-----
CertificateChain :
ServerCertificateMetadata : Amazon.IdentityManagement.Model.ServerCertificateMetadata
```
```
$result.ServerCertificateMetadata
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate
Expiration : 1/14/2018 9:52:36 AM
Path : /Org1/Org2/
ServerCertificateId : ASCAJIFEXAMPLE17HQZYW
ServerCertificateName : MyServerCertificate
UploadDate : 4/21/2015 11:14:16 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取名為 `MyServerCertificate` 之伺服器憑證的詳細資訊。可以在 `CertificateBody` 和 `ServerCertificateMetadata` 屬性中找到憑證詳細資訊。**
```
$result = Get-IAMServerCertificate -ServerCertificateName MyServerCertificate
$result | format-list
```
**輸出:**
```
CertificateBody : -----BEGIN CERTIFICATE-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
-----END CERTIFICATE-----
CertificateChain :
ServerCertificateMetadata : Amazon.IdentityManagement.Model.ServerCertificateMetadata
```
```
$result.ServerCertificateMetadata
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate
Expiration : 1/14/2018 9:52:36 AM
Path : /Org1/Org2/
ServerCertificateId : ASCAJIFEXAMPLE17HQZYW
ServerCertificateName : MyServerCertificate
UploadDate : 4/21/2015 11:14:16 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetServiceLastAccessedDetails` 與 CLI
下列程式碼範例示範如何使用 `GetServiceLastAccessedDetails`。
------
#### [ CLI ]
**AWS CLI**
**若要擷取服務存取報告**
下列 `get-service-last-accessed-details` 範例將擷取先前產生的報告,其中有列出 IAM 實體存取的服務。若要產生報告,請使用 `generate-service-last-accessed-details` 命令。
```
aws iam get-service-last-accessed-details \
--job-id 2eb6c2b8-7b4c-3xmp-3c13-03b72c8cdfdc
```
輸出:
```
{
"JobStatus": "COMPLETED",
"JobCreationDate": "2019-10-01T03:50:35.929Z",
"ServicesLastAccessed": [
...
{
"ServiceName": "AWS Lambda",
"LastAuthenticated": "2019-09-30T23:02:00Z",
"ServiceNamespace": "lambda",
"LastAuthenticatedEntity": "arn:aws:iam::123456789012:user/admin",
"TotalAuthenticatedEntities": 6
},
]
}
```
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[AWS 使用上次存取資訊在 中精簡許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetServiceLastAccessedDetails](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-service-last-accessed-details.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例提供請求呼叫中關聯之 IAM 實體 (使用者、群組、角色或政策) 上次存取的服務詳細資訊。**
```
Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser
```
**輸出:**
```
f0b7a819-eab0-929b-dc26-ca598911cb9f
```
```
Get-IAMServiceLastAccessedDetail -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例提供請求呼叫中關聯之 IAM 實體 (使用者、群組、角色或政策) 上次存取的服務詳細資訊。**
```
Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser
```
**輸出:**
```
f0b7a819-eab0-929b-dc26-ca598911cb9f
```
```
Get-IAMServiceLastAccessedDetail -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetServiceLastAccessedDetailsWithEntities` 與 CLI
下列程式碼範例示範如何使用 `GetServiceLastAccessedDetailsWithEntities`。
------
#### [ CLI ]
**AWS CLI**
**若要擷取包含服務詳細資訊的服務存取報告**
下列 `get-service-last-accessed-details-with-entities` 範例會擷取包含 IAM 使用者和其他存取指定服務之實體詳細資訊的報告。若要產生報告,請使用 `generate-service-last-accessed-details` 命令。若要取得使用命名空間存取之服務的清單,請使用 `get-service-last-accessed-details`。
```
aws iam get-service-last-accessed-details-with-entities \
--job-id 78b6c2ba-d09e-6xmp-7039-ecde30b26916 \
--service-namespace lambda
```
輸出:
```
{
"JobStatus": "COMPLETED",
"JobCreationDate": "2019-10-01T03:55:41.756Z",
"JobCompletionDate": "2019-10-01T03:55:42.533Z",
"EntityDetailsList": [
{
"EntityInfo": {
"Arn": "arn:aws:iam::123456789012:user/admin",
"Name": "admin",
"Type": "USER",
"Id": "AIDAIO2XMPLENQEXAMPLE",
"Path": "/"
},
"LastAuthenticated": "2019-09-30T23:02:00Z"
},
{
"EntityInfo": {
"Arn": "arn:aws:iam::123456789012:user/developer",
"Name": "developer",
"Type": "USER",
"Id": "AIDAIBEYXMPL2YEXAMPLE",
"Path": "/"
},
"LastAuthenticated": "2019-09-16T19:34:00Z"
}
]
}
```
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[AWS 使用上次存取資訊在 中精簡許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetServiceLastAccessedDetailsWithEntities](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-service-last-accessed-details-with-entities.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例提供在請求中,該個別 IAM 實體上次存取服務的時間戳記。**
```
$results = Get-IAMServiceLastAccessedDetailWithEntity -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f -ServiceNamespace ec2
$results
```
**輸出:**
```
EntityDetailsList : {Amazon.IdentityManagement.Model.EntityDetails}
Error :
IsTruncated : False
JobCompletionDate : 12/29/19 11:19:31 AM
JobCreationDate : 12/29/19 11:19:31 AM
JobStatus : COMPLETED
Marker :
```
```
$results.EntityDetailsList
```
**輸出:**
```
EntityInfo LastAuthenticated
---------- -----------------
Amazon.IdentityManagement.Model.EntityInfo 11/16/19 3:47:00 PM
```
```
$results.EntityInfo
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/TestUser
Id : AIDA4NBK5CXF5TZHU1234
Name : TestUser
Path : /
Type : USER
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例提供在請求中,該個別 IAM 實體上次存取服務的時間戳記。**
```
$results = Get-IAMServiceLastAccessedDetailWithEntity -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f -ServiceNamespace ec2
$results
```
**輸出:**
```
EntityDetailsList : {Amazon.IdentityManagement.Model.EntityDetails}
Error :
IsTruncated : False
JobCompletionDate : 12/29/19 11:19:31 AM
JobCreationDate : 12/29/19 11:19:31 AM
JobStatus : COMPLETED
Marker :
```
```
$results.EntityDetailsList
```
**輸出:**
```
EntityInfo LastAuthenticated
---------- -----------------
Amazon.IdentityManagement.Model.EntityInfo 11/16/19 3:47:00 PM
```
```
$results.EntityInfo
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/TestUser
Id : AIDA4NBK5CXF5TZHU1234
Name : TestUser
Path : /
Type : USER
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetServiceLinkedRoleDeletionStatus` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetServiceLinkedRoleDeletionStatus`。
------
#### [ CLI ]
**AWS CLI**
**檢查刪除服務連結角色的請求狀態**
下列 `get-service-linked-role-deletion-status` 範例會顯示刪除服務連結角色之先前請求的狀態。刪除操作會以非同步方式發生。提出請求時,就會取得您提供作為此命令參數的 `DeletionTaskId` 值。
```
aws iam get-service-linked-role-deletion-status \
--deletion-task-id task/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots/1a2b3c4d-1234-abcd-7890-abcdeEXAMPLE
```
輸出:
```
{
"Status": "SUCCEEDED"
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用服務連結角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetServiceLinkedRoleDeletionStatus](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-service-linked-role-deletion-status.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import {
GetServiceLinkedRoleDeletionStatusCommand,
IAMClient,
} from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} deletionTaskId
*/
export const getServiceLinkedRoleDeletionStatus = (deletionTaskId) => {
const command = new GetServiceLinkedRoleDeletionStatusCommand({
DeletionTaskId: deletionTaskId,
});
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [GetServiceLinkedRoleDeletionStatus](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetServiceLinkedRoleDeletionStatusCommand)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `GetUser` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `GetUser`。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Get information about an IAM user.
///
/// The username of the user.
/// An IAM user object.
public async Task GetUserAsync(string userName)
{
var response = await _IAMService.GetUserAsync(new GetUserRequest { UserName = userName });
return response.User;
}
```
+ 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [GetUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetUser)。
------
#### [ Bash ]
**AWS CLI 使用 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_user_exists
#
# This function checks to see if the specified AWS Identity and Access Management (IAM) user already exists.
#
# Parameters:
# $1 - The name of the IAM user to check.
#
# Returns:
# 0 - If the user already exists.
# 1 - If the user doesn't exist.
###############################################################################
function iam_user_exists() {
local user_name
user_name=$1
# Check whether the IAM user already exists.
# We suppress all output - we're interested only in the return code.
local errors
errors=$(aws iam get-user \
--user-name "$user_name" 2>&1 >/dev/null)
local error_code=${?}
if [[ $error_code -eq 0 ]]; then
return 0 # 0 in Bash script means true.
else
if [[ $errors != *"error"*"(NoSuchEntity)"* ]]; then
aws_cli_error_log $error_code
errecho "Error calling iam get-user $errors"
fi
return 1 # 1 in Bash script means false.
fi
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetUser)。
------
#### [ CLI ]
**AWS CLI**
**取得關於 IAM 使用者的資訊**
下列 `get-user` 命令會取得名為 `Paulo` 之 IAM 使用者的相關資訊。
```
aws iam get-user \
--user-name Paulo
```
輸出:
```
{
"User": {
"UserName": "Paulo",
"Path": "/",
"CreateDate": "2019-09-21T23:03:13Z",
"UserId": "AIDA123456789EXAMPLE",
"Arn": "arn:aws:iam::123456789012:user/Paulo"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-user.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// GetUser gets data about a user.
func (wrapper UserWrapper) GetUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.GetUser(ctx, &iam.GetUserInput{
UserName: aws.String(userName),
})
if err != nil {
var apiError smithy.APIError
if errors.As(err, &apiError) {
switch apiError.(type) {
case *types.NoSuchEntityException:
log.Printf("User %v does not exist.\n", userName)
err = nil
default:
log.Printf("Couldn't get user %v. Here's why: %v\n", userName, err)
}
}
} else {
user = result.User
}
return user, err
}
```
+ 如需 API 詳細資訊,請參閱《適用於 Go 的 AWS SDK API 參考》**中的 [GetUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetUser)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取名為 `David` 之使用者的詳細資訊。**
```
Get-IAMUser -UserName David
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/David
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 3/19/2015 8:44:04 AM
Path : /
UserId : Y4FKWQCXTA52QEXAMPLE1
UserName : David
```
**範例 2:此範例會擷取目前登入之 IAM 使用者的詳細資訊。**
```
Get-IAMUser
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 10/16/2014 9:03:09 AM
PasswordLastUsed : 3/4/2015 12:12:33 PM
Path : /
UserId : 7K3GJEANSKZF2EXAMPLE2
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetUser](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取名為 `David` 之使用者的詳細資訊。**
```
Get-IAMUser -UserName David
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/David
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 3/19/2015 8:44:04 AM
Path : /
UserId : Y4FKWQCXTA52QEXAMPLE1
UserName : David
```
**範例 2:此範例會擷取目前登入之 IAM 使用者的詳細資訊。**
```
Get-IAMUser
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 10/16/2014 9:03:09 AM
PasswordLastUsed : 3/4/2015 12:12:33 PM
Path : /
UserId : 7K3GJEANSKZF2EXAMPLE2
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetUser](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Retrieves a user's details
#
# @param user_name [String] The name of the user to retrieve
# @return [Aws::IAM::Types::User, nil] The user object if found, or nil if an error occurred
def get_user(user_name)
response = @iam_client.get_user(user_name: user_name)
response.user
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("User '#{user_name}' not found.")
nil
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error retrieving user '#{user_name}': #{e.message}")
nil
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》**中的 [GetUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetUser)。
------
#### [ Swift ]
**SDK for Swift**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func getUser(name: String? = nil) async throws -> IAMClientTypes.User {
let input = GetUserInput(
userName: name
)
do {
let output = try await iamClient.getUser(input: input)
guard let user = output.user else {
throw ServiceHandlerError.noSuchUser
}
return user
} catch {
print("ERROR: getUser:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [GetUser](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/getuser(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `GetUserPolicy` 與 CLI
下列程式碼範例示範如何使用 `GetUserPolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要列出 IAM 使用者的政策詳細資訊**
下列 `get-user-policy` 命令會列出連接至名為 `Bob` 之 IAM 使用者的指定政策的詳細資訊。
```
aws iam get-user-policy \
--user-name Bob \
--policy-name ExamplePolicy
```
輸出:
```
{
"UserName": "Bob",
"PolicyName": "ExamplePolicy",
"PolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
}
}
```
若要取得 IAM 使用者的政策清單,請使用 `list-user-policies` 命令。
如需詳細資訊,請參閱「 IAM 使用者指南」*AWS *中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-user-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取內嵌在名為 `David` 之 IAM 使用者中的內嵌政策 `Davids_IAM_Admin_Policy` 的詳細資訊。政策文件經過 URL 編碼。**
```
$results = Get-IAMUserPolicy -PolicyName Davids_IAM_Admin_Policy -UserName David
$results
```
**輸出:**
```
PolicyDocument PolicyName UserName
-------------- ---------- --------
%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... Davids_IAM_Admin_Policy David
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.PolicyDocument)
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:ListUsers"
],
"Resource": [
"arn:aws:iam::111122223333:user/*"
]
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取內嵌在名為 `David` 之 IAM 使用者中的內嵌政策 `Davids_IAM_Admin_Policy` 的詳細資訊。政策文件經過 URL 編碼。**
```
$results = Get-IAMUserPolicy -PolicyName Davids_IAM_Admin_Policy -UserName David
$results
```
**輸出:**
```
PolicyDocument PolicyName UserName
-------------- ---------- --------
%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... Davids_IAM_Admin_Policy David
[System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility")
[System.Web.HttpUtility]::UrlDecode($results.PolicyDocument)
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:ListUsers"
],
"Resource": [
"arn:aws:iam::111122223333:user/*"
]
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListAccessKeys` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListAccessKeys`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_list_access_keys
#
# This function lists the access keys for the specified user.
#
# Parameters:
# -u user_name -- The name of the IAM user.
#
# Returns:
# access_key_ids
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_list_access_keys() {
# bashsupport disable=BP5008
function usage() {
echo "function iam_list_access_keys"
echo "Lists the AWS Identity and Access Management (IAM) access key IDs for the specified user."
echo " -u user_name The name of the IAM user."
echo ""
}
local user_name response
local option OPTARG # Required to use getopts command in a function.
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
response=$(aws iam list-access-keys \
--user-name "$user_name" \
--output text \
--query 'AccessKeyMetadata[].AccessKeyId')
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports list-access-keys operation failed.$response"
return 1
fi
echo "$response"
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListAccessKeys](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/ListAccessKeys)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::listAccessKeys(const Aws::String &userName,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::ListAccessKeysRequest request;
request.SetUserName(userName);
bool done = false;
bool header = false;
while (!done) {
auto outcome = iam.ListAccessKeys(request);
if (!outcome.IsSuccess()) {
std::cerr << "Failed to list access keys for user " << userName
<< ": " << outcome.GetError().GetMessage() << std::endl;
return false;
}
if (!header) {
std::cout << std::left << std::setw(32) << "UserName" <<
std::setw(30) << "KeyID" << std::setw(20) << "Status" <<
std::setw(20) << "CreateDate" << std::endl;
header = true;
}
const auto &keys = outcome.GetResult().GetAccessKeyMetadata();
const Aws::String DATE_FORMAT = "%Y-%m-%d";
for (const auto &key: keys) {
Aws::String statusString =
Aws::IAM::Model::StatusTypeMapper::GetNameForStatusType(
key.GetStatus());
std::cout << std::left << std::setw(32) << key.GetUserName() <<
std::setw(30) << key.GetAccessKeyId() << std::setw(20) <<
statusString << std::setw(20) <<
key.GetCreateDate().ToGmtString(DATE_FORMAT.c_str()) << std::endl;
}
if (outcome.GetResult().GetIsTruncated()) {
request.SetMarker(outcome.GetResult().GetMarker());
}
else {
done = true;
}
}
return true;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [ListAccessKeys](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListAccessKeys)。
------
#### [ CLI ]
**AWS CLI**
**列出 IAM 使用者的存取金鑰 ID**
下列 `list-access-keys` 命令會列出名為 `Bob` 之 IAM 使用者的存取金鑰 ID。
```
aws iam list-access-keys \
--user-name Bob
```
輸出:
```
{
"AccessKeyMetadata": [
{
"UserName": "Bob",
"Status": "Active",
"CreateDate": "2013-06-04T18:17:34Z",
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
},
{
"UserName": "Bob",
"Status": "Inactive",
"CreateDate": "2013-06-06T20:42:26Z",
"AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
}
]
}
```
您無法列出 IAM 使用者的私密存取金鑰。如果私密存取金鑰遺失,您必須使用 `create-access-keys` 命令建立新的存取金鑰。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的存取金鑰](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListAccessKeys](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// ListAccessKeys lists the access keys for the specified user.
func (wrapper UserWrapper) ListAccessKeys(ctx context.Context, userName string) ([]types.AccessKeyMetadata, error) {
var keys []types.AccessKeyMetadata
result, err := wrapper.IamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list access keys for user %v. Here's why: %v\n", userName, err)
} else {
keys = result.AccessKeyMetadata
}
return keys, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListAccessKeys](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListAccessKeys)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.AccessKeyMetadata;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.ListAccessKeysRequest;
import software.amazon.awssdk.services.iam.model.ListAccessKeysResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class ListAccessKeys {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
userName - The name of the user for which access keys are retrieved.\s
""";
if (args.length != 1) {
System.out.println(usage);
System.exit(1);
}
String userName = args[0];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
listKeys(iam, userName);
System.out.println("Done");
iam.close();
}
public static void listKeys(IamClient iam, String userName) {
try {
boolean done = false;
String newMarker = null;
while (!done) {
ListAccessKeysResponse response;
if (newMarker == null) {
ListAccessKeysRequest request = ListAccessKeysRequest.builder()
.userName(userName)
.build();
response = iam.listAccessKeys(request);
} else {
ListAccessKeysRequest request = ListAccessKeysRequest.builder()
.userName(userName)
.marker(newMarker)
.build();
response = iam.listAccessKeys(request);
}
for (AccessKeyMetadata metadata : response.accessKeyMetadata()) {
System.out.format("Retrieved access key %s", metadata.accessKeyId());
}
if (!response.isTruncated()) {
done = true;
} else {
newMarker = response.marker();
}
}
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [ListAccessKeys](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListAccessKeys)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出存取金鑰。
```
import { ListAccessKeysCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
*
* @param {string} userName
*/
export async function* listAccessKeys(userName) {
const command = new ListAccessKeysCommand({
MaxItems: 5,
UserName: userName,
});
/**
* @type {import("@aws-sdk/client-iam").ListAccessKeysCommandOutput | undefined}
*/
let response = await client.send(command);
while (response?.AccessKeyMetadata?.length) {
for (const key of response.AccessKeyMetadata) {
yield key;
}
if (response.IsTruncated) {
response = await client.send(
new ListAccessKeysCommand({
Marker: response.Marker,
}),
);
} else {
break;
}
}
}
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-listing)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListAccessKeys](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListAccessKeysCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
MaxItems: 5,
UserName: "IAM_USER_NAME",
};
iam.listAccessKeys(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iiam-examples-managing-access-keys-listing)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListAccessKeys](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListAccessKeys)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun listKeys(userNameVal: String?) {
val request =
ListAccessKeysRequest {
userName = userNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAccessKeys(request)
response.accessKeyMetadata?.forEach { md ->
println("Retrieved access key ${md.accessKeyId}")
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [ListAccessKeys](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會列出名為 `Bob` 之 IAM 使用者的存取金鑰。請注意,IAM 使用者的私密存取金鑰無法列出。如果私密存取金鑰遺失,必須使用 `New-IAMAccessKey` cmdlet 建立新的存取金鑰。**
```
Get-IAMAccessKey -UserName "Bob"
```
**輸出:**
```
AccessKeyId CreateDate Status UserName
----------- ---------- ------ --------
AKIAIOSFODNN7EXAMPLE 12/3/2014 10:53:41 AM Active Bob
AKIAI44QH8DHBEXAMPLE 6/6/2013 8:42:26 PM Inactive Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListAccessKeys](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會列出名為 `Bob` 之 IAM 使用者的存取金鑰。請注意,IAM 使用者的私密存取金鑰無法列出。如果私密存取金鑰遺失,必須使用 `New-IAMAccessKey` cmdlet 建立新的存取金鑰。**
```
Get-IAMAccessKey -UserName "Bob"
```
**輸出:**
```
AccessKeyId CreateDate Status UserName
----------- ---------- ------ --------
AKIAIOSFODNN7EXAMPLE 12/3/2014 10:53:41 AM Active Bob
AKIAI44QH8DHBEXAMPLE 6/6/2013 8:42:26 PM Inactive Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListAccessKeys](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_keys(user_name):
"""
Lists the keys owned by the specified user.
:param user_name: The name of the user.
:return: The list of keys owned by the user.
"""
try:
keys = list(iam.User(user_name).access_keys.all())
logger.info("Got %s access keys for %s.", len(keys), user_name)
except ClientError:
logger.exception("Couldn't get access keys for %s.", user_name)
raise
else:
return keys
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListAccessKeys](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAccessKeys)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、停用和刪除存取金鑰。
```
# Manages access keys for IAM users
class AccessKeyManager
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'AccessKeyManager'
end
# Lists access keys for a user
#
# @param user_name [String] The name of the user.
def list_access_keys(user_name)
response = @iam_client.list_access_keys(user_name: user_name)
if response.access_key_metadata.empty?
@logger.info("No access keys found for user '#{user_name}'.")
else
response.access_key_metadata.map(&:access_key_id)
end
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Error listing access keys: cannot find user '#{user_name}'.")
[]
rescue StandardError => e
@logger.error("Error listing access keys: #{e.message}")
[]
end
# Creates an access key for a user
#
# @param user_name [String] The name of the user.
# @return [Boolean]
def create_access_key(user_name)
response = @iam_client.create_access_key(user_name: user_name)
access_key = response.access_key
@logger.info("Access key created for user '#{user_name}': #{access_key.access_key_id}")
access_key
rescue Aws::IAM::Errors::LimitExceeded
@logger.error('Error creating access key: limit exceeded. Cannot create more.')
nil
rescue StandardError => e
@logger.error("Error creating access key: #{e.message}")
nil
end
# Deactivates an access key
#
# @param user_name [String] The name of the user.
# @param access_key_id [String] The ID for the access key.
# @return [Boolean]
def deactivate_access_key(user_name, access_key_id)
@iam_client.update_access_key(
user_name: user_name,
access_key_id: access_key_id,
status: 'Inactive'
)
true
rescue StandardError => e
@logger.error("Error deactivating access key: #{e.message}")
false
end
# Deletes an access key
#
# @param user_name [String] The name of the user.
# @param access_key_id [String] The ID for the access key.
# @return [Boolean]
def delete_access_key(user_name, access_key_id)
@iam_client.delete_access_key(
user_name: user_name,
access_key_id: access_key_id
)
true
rescue StandardError => e
@logger.error("Error deleting access key: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListAccessKeys](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListAccessKeys)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listaccesskeys(
iv_username = iv_user_name ).
MESSAGE 'Retrieved access key list.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'User does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListAccessKeys](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListAccountAliases` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListAccountAliases`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool
AwsDoc::IAM::listAccountAliases(const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::ListAccountAliasesRequest request;
bool done = false;
bool header = false;
while (!done) {
auto outcome = iam.ListAccountAliases(request);
if (!outcome.IsSuccess()) {
std::cerr << "Failed to list account aliases: " <<
outcome.GetError().GetMessage() << std::endl;
return false;
}
const auto &aliases = outcome.GetResult().GetAccountAliases();
if (!header) {
if (aliases.size() == 0) {
std::cout << "Account has no aliases" << std::endl;
break;
}
std::cout << std::left << std::setw(32) << "Alias" << std::endl;
header = true;
}
for (const auto &alias: aliases) {
std::cout << std::left << std::setw(32) << alias << std::endl;
}
if (outcome.GetResult().GetIsTruncated()) {
request.SetMarker(outcome.GetResult().GetMarker());
}
else {
done = true;
}
}
return true;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [ListAccountAliases](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListAccountAliases)。
------
#### [ CLI ]
**AWS CLI**
**列出帳戶別名**
下列 `list-account-aliases` 命令會列出目前帳戶的別名。
```
aws iam list-account-aliases
```
輸出:
```
{
"AccountAliases": [
"mycompany"
]
}
```
如需詳細資訊,請參閱《*AWS IAM 使用者指南*》中的[AWS 您的帳戶 ID 及其別名](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListAccountAliases](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-account-aliases.html)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.ListAccountAliasesResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class ListAccountAliases {
public static void main(String[] args) {
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
listAliases(iam);
System.out.println("Done");
iam.close();
}
public static void listAliases(IamClient iam) {
try {
ListAccountAliasesResponse response = iam.listAccountAliases();
for (String alias : response.accountAliases()) {
System.out.printf("Retrieved account alias %s", alias);
}
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [ListAccountAliases](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListAccountAliases)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出帳戶別名。
```
import { ListAccountAliasesCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
*/
export async function* listAccountAliases() {
const command = new ListAccountAliasesCommand({ MaxItems: 5 });
let response = await client.send(command);
while (response.AccountAliases?.length) {
for (const alias of response.AccountAliases) {
yield alias;
}
if (response.IsTruncated) {
response = await client.send(
new ListAccountAliasesCommand({
Marker: response.Marker,
MaxItems: 5,
}),
);
} else {
break;
}
}
}
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-listing)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListAccountAliases](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListAccountAliasesCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.listAccountAliases({ MaxItems: 10 }, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-listing)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListAccountAliases](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListAccountAliases)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun listAliases() {
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAccountAliases(ListAccountAliasesRequest {})
response.accountAliases?.forEach { alias ->
println("Retrieved account alias $alias")
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [ListAccountAliases](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會傳回 AWS 帳戶的帳戶別名。**
```
Get-IAMAccountAlias
```
**輸出:**
```
ExampleCo
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListAccountAliases](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會傳回 AWS 帳戶的帳戶別名。**
```
Get-IAMAccountAlias
```
**輸出:**
```
ExampleCo
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListAccountAliases](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_aliases():
"""
Gets the list of aliases for the current account. An account has at most one alias.
:return: The list of aliases for the account.
"""
try:
response = iam.meta.client.list_account_aliases()
aliases = response["AccountAliases"]
if len(aliases) > 0:
logger.info("Got aliases for your account: %s.", ",".join(aliases))
else:
logger.info("Got no aliases for your account.")
except ClientError:
logger.exception("Couldn't list aliases for your account.")
raise
else:
return response["AccountAliases"]
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListAccountAliases](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAccountAliases)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
列出、建立和刪除帳戶別名。
```
class IAMAliasManager
# Initializes the IAM client and logger
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client.
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Lists available AWS account aliases.
def list_aliases
response = @iam_client.list_account_aliases
if response.account_aliases.count.positive?
@logger.info('Account aliases are:')
response.account_aliases.each { |account_alias| @logger.info(" #{account_alias}") }
else
@logger.info('No account aliases found.')
end
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing account aliases: #{e.message}")
end
# Creates an AWS account alias.
#
# @param account_alias [String] The name of the account alias to create.
# @return [Boolean] true if the account alias was created; otherwise, false.
def create_account_alias(account_alias)
@iam_client.create_account_alias(account_alias: account_alias)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating account alias: #{e.message}")
false
end
# Deletes an AWS account alias.
#
# @param account_alias [String] The name of the account alias to delete.
# @return [Boolean] true if the account alias was deleted; otherwise, false.
def delete_account_alias(account_alias)
@iam_client.delete_account_alias(account_alias: account_alias)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting account alias: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListAccountAliases](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListAccountAliases)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listaccountaliases( ).
MESSAGE 'Retrieved account alias list.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing account aliases.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListAccountAliases](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListAttachedGroupPolicies` 與 CLI
下列程式碼範例示範如何使用 `ListAttachedGroupPolicies`。
------
#### [ CLI ]
**AWS CLI**
**若要列出連接至指定群組所有受管政策**
此範例會傳回連接到`Admins` AWS 帳戶中名為 之 IAM 群組的受管政策的名稱和 ARNs。
```
aws iam list-attached-group-policies \
--group-name Admins
```
輸出:
```
{
"AttachedPolicies": [
{
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
},
{
"PolicyName": "SecurityAudit",
"PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
}
],
"IsTruncated": false
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListAttachedGroupPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-attached-group-policies.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會傳回連接到`Admins` AWS 帳戶中名為 之 IAM 群組的受管政策的名稱和 ARNs。若要查看內嵌在群組中的內嵌政策的清單,請使用 `Get-IAMGroupPolicyList` 命令。**
```
Get-IAMAttachedGroupPolicyList -GroupName "Admins"
```
**輸出:**
```
PolicyArn PolicyName
--------- ----------
arn:aws:iam::aws:policy/SecurityAudit SecurityAudit
arn:aws:iam::aws:policy/AdministratorAccess AdministratorAccess
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListAttachedGroupPolicies](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會傳回連接到`Admins` AWS 帳戶中名為 之 IAM 群組的受管政策的名稱和 ARNs。若要查看內嵌在群組中的內嵌政策的清單,請使用 `Get-IAMGroupPolicyList` 命令。**
```
Get-IAMAttachedGroupPolicyList -GroupName "Admins"
```
**輸出:**
```
PolicyArn PolicyName
--------- ----------
arn:aws:iam::aws:policy/SecurityAudit SecurityAudit
arn:aws:iam::aws:policy/AdministratorAccess AdministratorAccess
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListAttachedGroupPolicies](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListAttachedRolePolicies` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListAttachedRolePolicies`。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// List the IAM role policies that are attached to an IAM role.
///
/// The IAM role to list IAM policies for.
/// A list of the IAM policies attached to the IAM role.
public async Task> ListAttachedRolePoliciesAsync(string roleName)
{
var attachedPolicies = new List();
var attachedRolePoliciesPaginator = _IAMService.Paginators.ListAttachedRolePolicies(new ListAttachedRolePoliciesRequest { RoleName = roleName });
await foreach (var response in attachedRolePoliciesPaginator.Responses)
{
attachedPolicies.AddRange(response.AttachedPolicies);
}
return attachedPolicies;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListAttachedRolePolicies)。
------
#### [ CLI ]
**AWS CLI**
**列出連接至指定角色的所有受管政策**
此命令會傳回連接到`SecurityAuditRole` AWS 帳戶中名為 之 IAM 角色的受管政策的名稱和 ARNs。
```
aws iam list-attached-role-policies \
--role-name SecurityAuditRole
```
輸出:
```
{
"AttachedPolicies": [
{
"PolicyName": "SecurityAudit",
"PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
}
],
"IsTruncated": false
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListAttachedRolePolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-attached-role-policies.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// ListAttachedRolePolicies lists the policies that are attached to the specified role.
func (wrapper RoleWrapper) ListAttachedRolePolicies(ctx context.Context, roleName string) ([]types.AttachedPolicy, error) {
var policies []types.AttachedPolicy
result, err := wrapper.IamClient.ListAttachedRolePolicies(ctx, &iam.ListAttachedRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list attached policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.AttachedPolicies
}
return policies, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListAttachedRolePolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListAttachedRolePolicies)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出連接至角色的政策。
```
import {
ListAttachedRolePoliciesCommand,
IAMClient,
} from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
* @param {string} roleName
*/
export async function* listAttachedRolePolicies(roleName) {
const command = new ListAttachedRolePoliciesCommand({
RoleName: roleName,
});
let response = await client.send(command);
while (response.AttachedPolicies?.length) {
for (const policy of response.AttachedPolicies) {
yield policy;
}
if (response.IsTruncated) {
response = await client.send(
new ListAttachedRolePoliciesCommand({
RoleName: roleName,
Marker: response.Marker,
}),
);
} else {
break;
}
}
}
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListAttachedRolePoliciesCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function listAttachedRolePolicies($roleName, $pathPrefix = "", $marker = "", $maxItems = 0)
{
$listAttachRolePoliciesArguments = ['RoleName' => $roleName];
if ($pathPrefix) {
$listAttachRolePoliciesArguments['PathPrefix'] = $pathPrefix;
}
if ($marker) {
$listAttachRolePoliciesArguments['Marker'] = $marker;
}
if ($maxItems) {
$listAttachRolePoliciesArguments['MaxItems'] = $maxItems;
}
return $this->iamClient->listAttachedRolePolicies($listAttachRolePoliciesArguments);
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListAttachedRolePolicies)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會傳回連接至 AWS 帳戶中名為 `SecurityAuditRole` 之 IAM 角色的受管政策的名稱和 ARN。若要查看內嵌在角色中的內嵌政策清單,請使用 `Get-IAMRolePolicyList` 命令。**
```
Get-IAMAttachedRolePolicyList -RoleName "SecurityAuditRole"
```
**輸出:**
```
PolicyArn PolicyName
--------- ----------
arn:aws:iam::aws:policy/SecurityAudit SecurityAudit
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會傳回連接至 AWS 帳戶中名為 `SecurityAuditRole` 之 IAM 角色的受管政策的名稱和 ARN。若要查看內嵌在角色中的內嵌政策清單,請使用 `Get-IAMRolePolicyList` 命令。**
```
Get-IAMAttachedRolePolicyList -RoleName "SecurityAuditRole"
```
**輸出:**
```
PolicyArn PolicyName
--------- ----------
arn:aws:iam::aws:policy/SecurityAudit SecurityAudit
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_attached_policies(role_name):
"""
Lists policies attached to a role.
:param role_name: The name of the role to query.
"""
try:
role = iam.Role(role_name)
for policy in role.attached_policies.all():
logger.info("Got policy %s.", policy.arn)
except ClientError:
logger.exception("Couldn't list attached policies for %s.", role_name)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAttachedRolePolicies)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、連接和分離角色政策。
```
# Manages policies in AWS Identity and Access Management (IAM)
class RolePolicyManager
# Initialize with an AWS IAM client
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'PolicyManager'
end
# Creates a policy
#
# @param policy_name [String] The name of the policy
# @param policy_document [Hash] The policy document
# @return [String] The policy ARN if successful, otherwise nil
def create_policy(policy_name, policy_document)
response = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document.to_json
)
response.policy.arn
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating policy: #{e.message}")
nil
end
# Fetches an IAM policy by its ARN
# @param policy_arn [String] the ARN of the IAM policy to retrieve
# @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found
def get_policy(policy_arn)
response = @iam_client.get_policy(policy_arn: policy_arn)
policy = response.policy
@logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.")
policy
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.")
raise
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}")
raise
end
# Attaches a policy to a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def attach_policy_to_role(role_name, policy_arn)
@iam_client.attach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error attaching policy to role: #{e.message}")
false
end
# Lists policy ARNs attached to a role
#
# @param role_name [String] The name of the role
# @return [Array] List of policy ARNs
def list_attached_policy_arns(role_name)
response = @iam_client.list_attached_role_policies(role_name: role_name)
response.attached_policies.map(&:policy_arn)
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing policies attached to role: #{e.message}")
[]
end
# Detaches a policy from a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def detach_policy_from_role(role_name, policy_arn)
@iam_client.detach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error detaching policy from role: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListAttachedRolePolicies)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn list_attached_role_policies(
client: &iamClient,
role_name: String,
path_prefix: Option,
marker: Option,
max_items: Option,
) -> Result> {
let response = client
.list_attached_role_policies()
.role_name(role_name)
.set_path_prefix(path_prefix)
.set_marker(marker)
.set_max_items(max_items)
.send()
.await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [ListAttachedRolePolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_attached_role_policies)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listattachedrolepolicies(
iv_rolename = iv_role_name ).
MESSAGE 'Retrieved attached policy list for role.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Role does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListAttachedRolePolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
/// Returns a list of AWS Identity and Access Management (IAM) policies
/// that are attached to the role.
///
/// - Parameter role: The IAM role to return the policy list for.
///
/// - Returns: An array of `IAMClientTypes.AttachedPolicy` objects
/// describing each managed policy that's attached to the role.
public func listAttachedRolePolicies(role: String) async throws -> [IAMClientTypes.AttachedPolicy] {
var policyList: [IAMClientTypes.AttachedPolicy] = []
// Use "Paginated" to get all the attached role polices.
// This lets the SDK handle the 'isTruncated' in "ListAttachedRolePoliciesOutput".
let input = ListAttachedRolePoliciesInput(
roleName: role
)
let output = client.listAttachedRolePoliciesPaginated(input: input)
do {
for try await page in output {
guard let attachedPolicies = page.attachedPolicies else {
print("Error: no attached policies returned.")
continue
}
for attachedPolicy in attachedPolicies {
policyList.append(attachedPolicy)
}
}
} catch {
print("ERROR: listAttachedRolePolicies:", dump(error))
throw error
}
return policyList
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [ListAttachedRolePolicies](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listattachedrolepolicies(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListAttachedUserPolicies` 與 CLI
下列程式碼範例示範如何使用 `ListAttachedUserPolicies`。
------
#### [ CLI ]
**AWS CLI**
**若要列出連接至指定使用者的所有受管政策**
此命令會傳回 AWS 帳戶中名為 之 IAM 使用者`Bob`之受管政策的名稱和 ARNs。
```
aws iam list-attached-user-policies \
--user-name Bob
```
輸出:
```
{
"AttachedPolicies": [
{
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
},
{
"PolicyName": "SecurityAudit",
"PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
}
],
"IsTruncated": false
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListAttachedUserPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-attached-user-policies.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此命令會傳回`Bob` AWS 帳戶中名為 的 IAM 使用者之受管政策的名稱和 ARNs。若要查看內嵌在 IAM 使用者中的內嵌政策的清單,請使用 `Get-IAMUserPolicyList` 命令。**
```
Get-IAMAttachedUserPolicyList -UserName "Bob"
```
**輸出:**
```
PolicyArn PolicyName
--------- ----------
arn:aws:iam::aws:policy/TesterPolicy TesterPolicy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListAttachedUserPolicies](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此命令會傳回`Bob` AWS 帳戶中名為 的 IAM 使用者之受管政策的名稱和 ARNs。若要查看內嵌在 IAM 使用者中的內嵌政策的清單,請使用 `Get-IAMUserPolicyList` 命令。**
```
Get-IAMAttachedUserPolicyList -UserName "Bob"
```
**輸出:**
```
PolicyArn PolicyName
--------- ----------
arn:aws:iam::aws:policy/TesterPolicy TesterPolicy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListAttachedUserPolicies](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListEntitiesForPolicy` 與 CLI
下列程式碼範例示範如何使用 `ListEntitiesForPolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要列出指定受管政策所連接的所有使用者、群組和角色**
此範例會傳回已連接政策 `arn:aws:iam::123456789012:policy/TestPolicy` 的 IAM 群組、角色和使用者的清單。
```
aws iam list-entities-for-policy \
--policy-arn arn:aws:iam::123456789012:policy/TestPolicy
```
輸出:
```
{
"PolicyGroups": [
{
"GroupName": "Admins",
"GroupId": "AGPACKCEVSQ6C2EXAMPLE"
}
],
"PolicyUsers": [
{
"UserName": "Alice",
"UserId": "AIDACKCEVSQ6C2EXAMPLE"
}
],
"PolicyRoles": [
{
"RoleName": "DevRole",
"RoleId": "AROADBQP57FF2AEXAMPLE"
}
],
"IsTruncated": false
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListEntitiesForPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-entities-for-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回已連接政策 `arn:aws:iam::123456789012:policy/TestPolicy` 的 IAM 群組、角色和使用者的清單。**
```
Get-IAMEntitiesForPolicy -PolicyArn "arn:aws:iam::123456789012:policy/TestPolicy"
```
**輸出:**
```
IsTruncated : False
Marker :
PolicyGroups : {}
PolicyRoles : {testRole}
PolicyUsers : {Bob, Theresa}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListEntitiesForPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回已連接政策 `arn:aws:iam::123456789012:policy/TestPolicy` 的 IAM 群組、角色和使用者的清單。**
```
Get-IAMEntitiesForPolicy -PolicyArn "arn:aws:iam::123456789012:policy/TestPolicy"
```
**輸出:**
```
IsTruncated : False
Marker :
PolicyGroups : {}
PolicyRoles : {testRole}
PolicyUsers : {Bob, Theresa}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListEntitiesForPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListGroupPolicies` 與 CLI
下列程式碼範例示範如何使用 `ListGroupPolicies`。
------
#### [ CLI ]
**AWS CLI**
**若要列出連接至指定群組的所有內嵌政策**
下列 `list-group-policies` 命令會列出連接至目前帳戶中名為 `Admins` 之 IAM 群組的內嵌政策名稱。
```
aws iam list-group-policies \
--group-name Admins
```
輸出:
```
{
"PolicyNames": [
"AdminRoot",
"ExamplePolicy"
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListGroupPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-group-policies.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回內嵌在群組 `Testers` 中的內嵌政策清單。若要取得連接到群組的受管政策,請使用 `Get-IAMAttachedGroupPolicyList` 命令。**
```
Get-IAMGroupPolicyList -GroupName Testers
```
**輸出:**
```
Deny-Assume-S3-Role-In-Production
PowerUserAccess-Testers
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListGroupPolicies](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回內嵌在群組 `Testers` 中的內嵌政策清單。若要取得連接到群組的受管政策,請使用 `Get-IAMAttachedGroupPolicyList` 命令。**
```
Get-IAMGroupPolicyList -GroupName Testers
```
**輸出:**
```
Deny-Assume-S3-Role-In-Production
PowerUserAccess-Testers
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListGroupPolicies](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListGroups` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListGroups`。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// List IAM groups.
///
/// A list of IAM groups.
public async Task> ListGroupsAsync()
{
var groupsPaginator = _IAMService.Paginators.ListGroups(new ListGroupsRequest());
var groups = new List();
await foreach (var response in groupsPaginator.Responses)
{
groups.AddRange(response.Groups);
}
return groups;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListGroups](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListGroups)。
------
#### [ CLI ]
**AWS CLI**
**列出目前帳戶的 IAM 群組**
下列 `list-groups` 命令會列出目前帳戶中的 IAM 群組。
```
aws iam list-groups
```
輸出:
```
{
"Groups": [
{
"Path": "/",
"CreateDate": "2013-06-04T20:27:27.972Z",
"GroupId": "AIDACKCEVSQ6C2EXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/Admins",
"GroupName": "Admins"
},
{
"Path": "/",
"CreateDate": "2013-04-16T20:30:42Z",
"GroupId": "AIDGPMS9RO4H3FEXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/S3-Admins",
"GroupName": "S3-Admins"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListGroups](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-groups.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// GroupWrapper encapsulates AWS Identity and Access Management (IAM) group actions
// used in the examples.
// It contains an IAM service client that is used to perform group actions.
type GroupWrapper struct {
IamClient *iam.Client
}
// ListGroups lists up to maxGroups number of groups.
func (wrapper GroupWrapper) ListGroups(ctx context.Context, maxGroups int32) ([]types.Group, error) {
var groups []types.Group
result, err := wrapper.IamClient.ListGroups(ctx, &iam.ListGroupsInput{
MaxItems: aws.Int32(maxGroups),
})
if err != nil {
log.Printf("Couldn't list groups. Here's why: %v\n", err)
} else {
groups = result.Groups
}
return groups, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListGroups](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListGroups)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出群組。
```
import { ListGroupsCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
*/
export async function* listGroups() {
const command = new ListGroupsCommand({
MaxItems: 10,
});
let response = await client.send(command);
while (response.Groups?.length) {
for (const group of response.Groups) {
yield group;
}
if (response.IsTruncated) {
response = await client.send(
new ListGroupsCommand({
Marker: response.Marker,
MaxItems: 10,
}),
);
} else {
break;
}
}
}
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListGroups](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListGroupsCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function listGroups($pathPrefix = "", $marker = "", $maxItems = 0)
{
$listGroupsArguments = [];
if ($pathPrefix) {
$listGroupsArguments["PathPrefix"] = $pathPrefix;
}
if ($marker) {
$listGroupsArguments["Marker"] = $marker;
}
if ($maxItems) {
$listGroupsArguments["MaxItems"] = $maxItems;
}
return $this->iamClient->listGroups($listGroupsArguments);
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [ListGroups](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListGroups)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回目前 中定義之所有 IAM 群組的集合 AWS 帳戶。**
```
Get-IAMGroupList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Administrators
CreateDate : 10/20/2014 10:06:24 AM
GroupId : 6WCH4TRY3KIHIEXAMPLE1
GroupName : Administrators
Path : /
Arn : arn:aws:iam::123456789012:group/Developers
CreateDate : 12/10/2014 3:38:55 PM
GroupId : ZU2EOWMK6WBZOEXAMPLE2
GroupName : Developers
Path : /
Arn : arn:aws:iam::123456789012:group/Testers
CreateDate : 12/10/2014 3:39:11 PM
GroupId : RHNZZGQJ7QHMAEXAMPLE3
GroupName : Testers
Path : /
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListGroups](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回目前 中定義之所有 IAM 群組的集合 AWS 帳戶。**
```
Get-IAMGroupList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Administrators
CreateDate : 10/20/2014 10:06:24 AM
GroupId : 6WCH4TRY3KIHIEXAMPLE1
GroupName : Administrators
Path : /
Arn : arn:aws:iam::123456789012:group/Developers
CreateDate : 12/10/2014 3:38:55 PM
GroupId : ZU2EOWMK6WBZOEXAMPLE2
GroupName : Developers
Path : /
Arn : arn:aws:iam::123456789012:group/Testers
CreateDate : 12/10/2014 3:39:11 PM
GroupId : RHNZZGQJ7QHMAEXAMPLE3
GroupName : Testers
Path : /
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListGroups](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_groups(count):
"""
Lists the specified number of groups for the account.
:param count: The number of groups to list.
"""
try:
for group in iam.groups.limit(count):
logger.info("Group: %s", group.name)
except ClientError:
logger.exception("Couldn't list groups for the account.")
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListGroups](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListGroups)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# A class to manage IAM operations via the AWS SDK client
class IamGroupManager
# Initializes the IamGroupManager class
# @param iam_client [Aws::IAM::Client] An instance of the IAM client
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Lists up to a specified number of groups for the account.
# @param count [Integer] The maximum number of groups to list.
# @return [Aws::IAM::Client::Response]
def list_groups(count)
response = @iam_client.list_groups(max_items: count)
response.groups.each do |group|
@logger.info("\t#{group.group_name}")
end
response
rescue Aws::Errors::ServiceError => e
@logger.error("Couldn't list groups for the account. Here's why:")
@logger.error("\t#{e.code}: #{e.message}")
raise
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListGroups](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListGroups)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn list_groups(
client: &iamClient,
path_prefix: Option,
marker: Option,
max_items: Option,
) -> Result> {
let response = client
.list_groups()
.set_path_prefix(path_prefix)
.set_marker(marker)
.set_max_items(max_items)
.send()
.await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [ListGroups](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_groups)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listgroups( ).
MESSAGE 'Retrieved group list.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing groups.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListGroups](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func listGroups() async throws -> [String] {
var groupList: [String] = []
// Use "Paginated" to get all the groups.
// This lets the SDK handle the 'isTruncated' property in "ListGroupsOutput".
let input = ListGroupsInput()
let pages = client.listGroupsPaginated(input: input)
do {
for try await page in pages {
guard let groups = page.groups else {
print("Error: no groups returned.")
continue
}
for group in groups {
if let name = group.groupName {
groupList.append(name)
}
}
}
} catch {
print("ERROR: listGroups:", dump(error))
throw error
}
return groupList
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [ListGroups](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listgroups(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListGroupsForUser` 與 CLI
下列程式碼範例示範如何使用 `ListGroupsForUser`。
------
#### [ CLI ]
**AWS CLI**
**若要列出 IAM 使用者所屬的群組**
下列 `list-groups-for-user` 命令顯示名為 `Bob` 之 IAM 使用者所屬的群組。
```
aws iam list-groups-for-user \
--user-name Bob
```
輸出:
```
{
"Groups": [
{
"Path": "/",
"CreateDate": "2013-05-06T01:18:08Z",
"GroupId": "AKIAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/Admin",
"GroupName": "Admin"
},
{
"Path": "/",
"CreateDate": "2013-05-06T01:37:28Z",
"GroupId": "AKIAI44QH8DHBEXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/s3-Users",
"GroupName": "s3-Users"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListGroupsForUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-groups-for-user.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回 IAM 使用者 `David` 所屬之 IAM 群組的清單。**
```
Get-IAMGroupForUser -UserName David
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Administrators
CreateDate : 10/20/2014 10:06:24 AM
GroupId : 6WCH4TRY3KIHIEXAMPLE1
GroupName : Administrators
Path : /
Arn : arn:aws:iam::123456789012:group/Testers
CreateDate : 12/10/2014 3:39:11 PM
GroupId : RHNZZGQJ7QHMAEXAMPLE2
GroupName : Testers
Path : /
Arn : arn:aws:iam::123456789012:group/Developers
CreateDate : 12/10/2014 3:38:55 PM
GroupId : ZU2EOWMK6WBZOEXAMPLE3
GroupName : Developers
Path : /
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListGroupsForUser](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回 IAM 使用者 `David` 所屬之 IAM 群組的清單。**
```
Get-IAMGroupForUser -UserName David
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:group/Administrators
CreateDate : 10/20/2014 10:06:24 AM
GroupId : 6WCH4TRY3KIHIEXAMPLE1
GroupName : Administrators
Path : /
Arn : arn:aws:iam::123456789012:group/Testers
CreateDate : 12/10/2014 3:39:11 PM
GroupId : RHNZZGQJ7QHMAEXAMPLE2
GroupName : Testers
Path : /
Arn : arn:aws:iam::123456789012:group/Developers
CreateDate : 12/10/2014 3:38:55 PM
GroupId : ZU2EOWMK6WBZOEXAMPLE3
GroupName : Developers
Path : /
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListGroupsForUser](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListInstanceProfiles` 與 CLI
下列程式碼範例示範如何使用 `ListInstanceProfiles`。
------
#### [ CLI ]
**AWS CLI**
**若要列出帳戶的執行個體設定檔**
下列 `list-instance-profiles` 命令列出與目前帳戶關聯的執行個體設定檔。
```
aws iam list-instance-profiles
```
輸出:
```
{
"InstanceProfiles": [
{
"Path": "/",
"InstanceProfileName": "example-dev-role",
"InstanceProfileId": "AIPAIXEU4NUHUPEXAMPLE",
"Arn": "arn:aws:iam::123456789012:instance-profile/example-dev-role",
"CreateDate": "2023-09-21T18:17:41+00:00",
"Roles": [
{
"Path": "/",
"RoleName": "example-dev-role",
"RoleId": "AROAJ52OTH4H7LEXAMPLE",
"Arn": "arn:aws:iam::123456789012:role/example-dev-role",
"CreateDate": "2023-09-21T18:17:40+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
]
},
{
"Path": "/",
"InstanceProfileName": "example-s3-role",
"InstanceProfileId": "AIPAJVJVNRIQFREXAMPLE",
"Arn": "arn:aws:iam::123456789012:instance-profile/example-s3-role",
"CreateDate": "2023-09-21T18:18:50+00:00",
"Roles": [
{
"Path": "/",
"RoleName": "example-s3-role",
"RoleId": "AROAINUBC5O7XLEXAMPLE",
"Arn": "arn:aws:iam::123456789012:role/example-s3-role",
"CreateDate": "2023-09-21T18:18:49+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
]
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用執行個體設定檔](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListInstanceProfiles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-instance-profiles.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回目前 中定義的執行個體描述檔集合 AWS 帳戶。**
```
Get-IAMInstanceProfileList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole
CreateDate : 2/17/2015 2:49:04 PM
InstanceProfileId : HH36PTZQJUR32EXAMPLE1
InstanceProfileName : ec2instancerole
Path : /
Roles : {ec2instancerole}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListInstanceProfiles](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回目前 中定義的執行個體描述檔集合 AWS 帳戶。**
```
Get-IAMInstanceProfileList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole
CreateDate : 2/17/2015 2:49:04 PM
InstanceProfileId : HH36PTZQJUR32EXAMPLE1
InstanceProfileName : ec2instancerole
Path : /
Roles : {ec2instancerole}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListInstanceProfiles](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListInstanceProfilesForRole` 與 CLI
下列程式碼範例示範如何使用 `ListInstanceProfilesForRole`。
------
#### [ CLI ]
**AWS CLI**
**若要列出 IAM 角色的執行個體設定檔**
下列 `list-instance-profiles-for-role` 命令會列出與角色 `Test-Role` 關聯的執行個體設定檔。
```
aws iam list-instance-profiles-for-role \
--role-name Test-Role
```
輸出:
```
{
"InstanceProfiles": [
{
"InstanceProfileId": "AIDGPMS9RO4H3FEXAMPLE",
"Roles": [
{
"AssumeRolePolicyDocument": "",
"RoleId": "AIDACKCEVSQ6C2EXAMPLE",
"CreateDate": "2013-06-07T20:42:15Z",
"RoleName": "Test-Role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/Test-Role"
}
],
"CreateDate": "2013-06-07T21:05:24Z",
"InstanceProfileName": "ExampleInstanceProfile",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:instance-profile/ExampleInstanceProfile"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用執行個體設定檔](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListInstanceProfilesForRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-instance-profiles-for-role.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回與角色 `ec2instancerole` 關聯之執行個體設定檔的詳細資訊。**
```
Get-IAMInstanceProfileForRole -RoleName ec2instancerole
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole
CreateDate : 2/17/2015 2:49:04 PM
InstanceProfileId : HH36PTZQJUR32EXAMPLE1
InstanceProfileName : ec2instancerole
Path : /
Roles : {ec2instancerole}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListInstanceProfilesForRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回與角色 `ec2instancerole` 關聯之執行個體設定檔的詳細資訊。**
```
Get-IAMInstanceProfileForRole -RoleName ec2instancerole
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole
CreateDate : 2/17/2015 2:49:04 PM
InstanceProfileId : HH36PTZQJUR32EXAMPLE1
InstanceProfileName : ec2instancerole
Path : /
Roles : {ec2instancerole}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListInstanceProfilesForRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListMfaDevices` 與 CLI
下列程式碼範例示範如何使用 `ListMfaDevices`。
------
#### [ CLI ]
**AWS CLI**
**若要列出指定使用者的所有 MFA 裝置**
此範例會傳回指派給 IAM 使用者 `Bob` 之 MFA 裝置的詳細資訊。
```
aws iam list-mfa-devices \
--user-name Bob
```
輸出:
```
{
"MFADevices": [
{
"UserName": "Bob",
"SerialNumber": "arn:aws:iam::123456789012:mfa/Bob",
"EnableDate": "2019-10-28T20:37:09+00:00"
},
{
"UserName": "Bob",
"SerialNumber": "GAKT12345678",
"EnableDate": "2023-02-18T21:44:42+00:00"
},
{
"UserName": "Bob",
"SerialNumber": "arn:aws:iam::123456789012:u2f/user/Bob/fidosecuritykey1-7XNL7NFNLZ123456789EXAMPLE",
"EnableDate": "2023-09-19T02:25:35+00:00"
},
{
"UserName": "Bob",
"SerialNumber": "arn:aws:iam::123456789012:u2f/user/Bob/fidosecuritykey2-VDRQTDBBN5123456789EXAMPLE",
"EnableDate": "2023-09-19T01:49:18+00:00"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 AWS中使用多重要素驗證 (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListMfaDevices](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-mfa-devices.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回指派給 IAM 使用者 `David` 之 MFA 裝置的詳細資訊。在此範例中,您可以確定這是虛擬裝置,因為 `SerialNumber` 是 ARN,而不是實體裝置的實際序號。**
```
Get-IAMMFADevice -UserName David
```
**輸出:**
```
EnableDate SerialNumber UserName
---------- ------------ --------
4/8/2015 9:41:10 AM arn:aws:iam::123456789012:mfa/David David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListMfaDevices](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回指派給 IAM 使用者 `David` 之 MFA 裝置的詳細資訊。在此範例中,您可以確定這是虛擬裝置,因為 `SerialNumber` 是 ARN,而不是實體裝置的實際序號。**
```
Get-IAMMFADevice -UserName David
```
**輸出:**
```
EnableDate SerialNumber UserName
---------- ------------ --------
4/8/2015 9:41:10 AM arn:aws:iam::123456789012:mfa/David David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListMfaDevices](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListOpenIdConnectProviders` 與 CLI
下列程式碼範例示範如何使用 `ListOpenIdConnectProviders`。
------
#### [ CLI ]
**AWS CLI**
**列出 AWS 帳戶中 OpenID Connect 供應商的相關資訊**
此範例會傳回目前 AWS 帳戶中定義之所有 OpenID Connect 供應商的 ARNS 清單。
```
aws iam list-open-id-connect-providers
```
輸出:
```
{
"OpenIDConnectProviderList": [
{
"Arn": "arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListOpenIdConnectProviders](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-open-id-connect-providers.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回目前的 AWS 帳戶中定義之所有 OpenID Connect 提供者的 ARNS 清單。**
```
Get-IAMOpenIDConnectProviderList
```
**輸出:**
```
Arn
---
arn:aws:iam::123456789012:oidc-provider/server.example.com
arn:aws:iam::123456789012:oidc-provider/another.provider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListOpenIdConnectProviders](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回目前的 AWS 帳戶中定義之所有 OpenID Connect 提供者的 ARNS 清單。**
```
Get-IAMOpenIDConnectProviderList
```
**輸出:**
```
Arn
---
arn:aws:iam::123456789012:oidc-provider/server.example.com
arn:aws:iam::123456789012:oidc-provider/another.provider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListOpenIdConnectProviders](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListPolicies` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListPolicies`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// List IAM policies.
///
/// A list of the IAM policies.
public async Task> ListPoliciesAsync()
{
var listPoliciesPaginator = _IAMService.Paginators.ListPolicies(new ListPoliciesRequest());
var policies = new List();
await foreach (var response in listPoliciesPaginator.Responses)
{
policies.AddRange(response.Policies);
}
return policies;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListPolicies)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::listPolicies(const Aws::Client::ClientConfiguration &clientConfig) {
const Aws::String DATE_FORMAT("%Y-%m-%d");
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::ListPoliciesRequest request;
bool done = false;
bool header = false;
while (!done) {
auto outcome = iam.ListPolicies(request);
if (!outcome.IsSuccess()) {
std::cerr << "Failed to list iam policies: " <<
outcome.GetError().GetMessage() << std::endl;
return false;
}
if (!header) {
std::cout << std::left << std::setw(55) << "Name" <<
std::setw(30) << "ID" << std::setw(80) << "Arn" <<
std::setw(64) << "Description" << std::setw(12) <<
"CreateDate" << std::endl;
header = true;
}
const auto &policies = outcome.GetResult().GetPolicies();
for (const auto &policy: policies) {
std::cout << std::left << std::setw(55) <<
policy.GetPolicyName() << std::setw(30) <<
policy.GetPolicyId() << std::setw(80) << policy.GetArn() <<
std::setw(64) << policy.GetDescription() << std::setw(12) <<
policy.GetCreateDate().ToGmtString(DATE_FORMAT.c_str()) <<
std::endl;
}
if (outcome.GetResult().GetIsTruncated()) {
request.SetMarker(outcome.GetResult().GetMarker());
}
else {
done = true;
}
}
return true;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListPolicies)。
------
#### [ CLI ]
**AWS CLI**
**列出可供您 AWS 帳戶使用的受管政策**
此範例會傳回目前 AWS 帳戶中可用的前兩個受管政策的集合。
```
aws iam list-policies \
--max-items 3
```
輸出:
```
{
"Policies": [
{
"PolicyName": "AWSCloudTrailAccessPolicy",
"PolicyId": "ANPAXQE2B5PJ7YEXAMPLE",
"Arn": "arn:aws:iam::123456789012:policy/AWSCloudTrailAccessPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2019-09-04T17:43:42+00:00",
"UpdateDate": "2019-09-04T17:43:42+00:00"
},
{
"PolicyName": "AdministratorAccess",
"PolicyId": "ANPAIWMBCKSKIEE64ZLYK",
"Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 6,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2015-02-06T18:39:46+00:00",
"UpdateDate": "2015-02-06T18:39:46+00:00"
},
{
"PolicyName": "PowerUserAccess",
"PolicyId": "ANPAJYRXTHIB4FOVS3ZXS",
"Arn": "arn:aws:iam::aws:policy/PowerUserAccess",
"Path": "/",
"DefaultVersionId": "v5",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2015-02-06T18:39:47+00:00",
"UpdateDate": "2023-07-06T22:04:00+00:00"
}
],
"NextToken": "EXAMPLErZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiA4fQ=="
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-policies.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions
// used in the examples.
// It contains an IAM service client that is used to perform policy actions.
type PolicyWrapper struct {
IamClient *iam.Client
}
// ListPolicies gets up to maxPolicies policies.
func (wrapper PolicyWrapper) ListPolicies(ctx context.Context, maxPolicies int32) ([]types.Policy, error) {
var policies []types.Policy
result, err := wrapper.IamClient.ListPolicies(ctx, &iam.ListPoliciesInput{
MaxItems: aws.Int32(maxPolicies),
})
if err != nil {
log.Printf("Couldn't list policies. Here's why: %v\n", err)
} else {
policies = result.Policies
}
return policies, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListPolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListPolicies)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出政策。
```
import { ListPoliciesCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
*
*/
export async function* listPolicies() {
const command = new ListPoliciesCommand({
MaxItems: 10,
OnlyAttached: false,
// List only the customer managed policies in your Amazon Web Services account.
Scope: "Local",
});
let response = await client.send(command);
while (response.Policies?.length) {
for (const policy of response.Policies) {
yield policy;
}
if (response.IsTruncated) {
response = await client.send(
new ListPoliciesCommand({
Marker: response.Marker,
MaxItems: 10,
OnlyAttached: false,
Scope: "Local",
}),
);
} else {
break;
}
}
}
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListPolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListPoliciesCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function listPolicies($pathPrefix = "", $marker = "", $maxItems = 0)
{
$listPoliciesArguments = [];
if ($pathPrefix) {
$listPoliciesArguments["PathPrefix"] = $pathPrefix;
}
if ($marker) {
$listPoliciesArguments["Marker"] = $marker;
}
if ($maxItems) {
$listPoliciesArguments["MaxItems"] = $maxItems;
}
return $this->iamClient->listPolicies($listPoliciesArguments);
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListPolicies)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回目前 AWS 帳戶中可用的前三個受管政策的集合。由於 `-scope` 未指定,因此預設為 `all`,並同時包含 AWS 受管和客戶受管政策。**
```
Get-IAMPolicyList -MaxItem 3
```
**輸出:**
```
Arn : arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess
AttachmentCount : 0
CreateDate : 2/6/2015 10:40:08 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : Z27SI6FQMGNQ2EXAMPLE1
PolicyName : AWSDirectConnectReadOnlyAccess
UpdateDate : 2/6/2015 10:40:08 AM
Arn : arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess
AttachmentCount : 0
CreateDate : 2/6/2015 10:40:27 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : NJKMU274MET4EEXAMPLE2
PolicyName : AmazonGlacierReadOnlyAccess
UpdateDate : 2/6/2015 10:40:27 AM
Arn : arn:aws:iam::aws:policy/AWSMarketplaceFullAccess
AttachmentCount : 0
CreateDate : 2/11/2015 9:21:45 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : 5ULJSO2FYVPYGEXAMPLE3
PolicyName : AWSMarketplaceFullAccess
UpdateDate : 2/11/2015 9:21:45 AM
```
**範例 2:此範例會傳回目前 AWS 帳戶中可用的前兩個客戶受管政策的集合。它使用 `-Scope local` 將輸出限制為僅限客戶管理政策。**
```
Get-IAMPolicyList -Scope local -MaxItem 2
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:policy/MyLocalPolicy
AttachmentCount : 0
CreateDate : 2/12/2015 9:39:09 AM
DefaultVersionId : v2
Description :
IsAttachable : True
Path : /
PolicyId : SQVCBLC4VAOUCEXAMPLE4
PolicyName : MyLocalPolicy
UpdateDate : 2/12/2015 9:39:53 AM
Arn : arn:aws:iam::123456789012:policy/policyforec2instancerole
AttachmentCount : 1
CreateDate : 2/17/2015 2:51:38 PM
DefaultVersionId : v11
Description :
IsAttachable : True
Path : /
PolicyId : X5JPBLJH2Z2SOEXAMPLE5
PolicyName : policyforec2instancerole
UpdateDate : 2/18/2015 8:52:31 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListPolicies](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回目前 AWS 帳戶中可用的前三個受管政策的集合。由於 `-scope` 未指定,因此預設為 `all`,並同時包含 AWS 受管和客戶受管政策。**
```
Get-IAMPolicyList -MaxItem 3
```
**輸出:**
```
Arn : arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess
AttachmentCount : 0
CreateDate : 2/6/2015 10:40:08 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : Z27SI6FQMGNQ2EXAMPLE1
PolicyName : AWSDirectConnectReadOnlyAccess
UpdateDate : 2/6/2015 10:40:08 AM
Arn : arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess
AttachmentCount : 0
CreateDate : 2/6/2015 10:40:27 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : NJKMU274MET4EEXAMPLE2
PolicyName : AmazonGlacierReadOnlyAccess
UpdateDate : 2/6/2015 10:40:27 AM
Arn : arn:aws:iam::aws:policy/AWSMarketplaceFullAccess
AttachmentCount : 0
CreateDate : 2/11/2015 9:21:45 AM
DefaultVersionId : v1
Description :
IsAttachable : True
Path : /
PolicyId : 5ULJSO2FYVPYGEXAMPLE3
PolicyName : AWSMarketplaceFullAccess
UpdateDate : 2/11/2015 9:21:45 AM
```
**範例 2:此範例會傳回目前 AWS 帳戶中可用的前兩個客戶受管政策的集合。它使用 `-Scope local` 將輸出限制為僅限客戶管理政策。**
```
Get-IAMPolicyList -Scope local -MaxItem 2
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:policy/MyLocalPolicy
AttachmentCount : 0
CreateDate : 2/12/2015 9:39:09 AM
DefaultVersionId : v2
Description :
IsAttachable : True
Path : /
PolicyId : SQVCBLC4VAOUCEXAMPLE4
PolicyName : MyLocalPolicy
UpdateDate : 2/12/2015 9:39:53 AM
Arn : arn:aws:iam::123456789012:policy/policyforec2instancerole
AttachmentCount : 1
CreateDate : 2/17/2015 2:51:38 PM
DefaultVersionId : v11
Description :
IsAttachable : True
Path : /
PolicyId : X5JPBLJH2Z2SOEXAMPLE5
PolicyName : policyforec2instancerole
UpdateDate : 2/18/2015 8:52:31 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListPolicies](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_policies(scope):
"""
Lists the policies in the current account.
:param scope: Limits the kinds of policies that are returned. For example,
'Local' specifies that only locally managed policies are returned.
:return: The list of policies.
"""
try:
policies = list(iam.policies.filter(Scope=scope))
logger.info("Got %s policies in scope '%s'.", len(policies), scope)
except ClientError:
logger.exception("Couldn't get policies for scope '%s'.", scope)
raise
else:
return policies
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListPolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListPolicies)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
此範例模組會列出、建立、連接和分離角色政策。
```
# Manages policies in AWS Identity and Access Management (IAM)
class RolePolicyManager
# Initialize with an AWS IAM client
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'PolicyManager'
end
# Creates a policy
#
# @param policy_name [String] The name of the policy
# @param policy_document [Hash] The policy document
# @return [String] The policy ARN if successful, otherwise nil
def create_policy(policy_name, policy_document)
response = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document.to_json
)
response.policy.arn
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error creating policy: #{e.message}")
nil
end
# Fetches an IAM policy by its ARN
# @param policy_arn [String] the ARN of the IAM policy to retrieve
# @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found
def get_policy(policy_arn)
response = @iam_client.get_policy(policy_arn: policy_arn)
policy = response.policy
@logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.")
policy
rescue Aws::IAM::Errors::NoSuchEntity
@logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.")
raise
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}")
raise
end
# Attaches a policy to a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def attach_policy_to_role(role_name, policy_arn)
@iam_client.attach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error attaching policy to role: #{e.message}")
false
end
# Lists policy ARNs attached to a role
#
# @param role_name [String] The name of the role
# @return [Array] List of policy ARNs
def list_attached_policy_arns(role_name)
response = @iam_client.list_attached_role_policies(role_name: role_name)
response.attached_policies.map(&:policy_arn)
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing policies attached to role: #{e.message}")
[]
end
# Detaches a policy from a role
#
# @param role_name [String] The name of the role
# @param policy_arn [String] The policy ARN
# @return [Boolean] true if successful, false otherwise
def detach_policy_from_role(role_name, policy_arn)
@iam_client.detach_role_policy(
role_name: role_name,
policy_arn: policy_arn
)
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error detaching policy from role: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》中的 [ListPolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListPolicies)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn list_policies(
client: iamClient,
path_prefix: String,
) -> Result, SdkError> {
let list_policies = client
.list_policies()
.path_prefix(path_prefix)
.scope(PolicyScopeType::Local)
.into_paginator()
.items()
.send()
.try_collect()
.await?;
let policy_names = list_policies
.into_iter()
.map(|p| {
let name = p
.policy_name
.unwrap_or_else(|| "Missing Policy Name".to_string());
println!("{}", name);
name
})
.collect();
Ok(policy_names)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [ListPolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_policies)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listpolicies( iv_scope = iv_scope ).
MESSAGE 'Retrieved policy list.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing policies.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListPolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func listPolicies() async throws -> [MyPolicyRecord] {
var policyList: [MyPolicyRecord] = []
// Use "Paginated" to get all the policies.
// This lets the SDK handle the 'isTruncated' in "ListPoliciesOutput".
let input = ListPoliciesInput()
let output = client.listPoliciesPaginated(input: input)
do {
for try await page in output {
guard let policies = page.policies else {
print("Error: no policies returned.")
continue
}
for policy in policies {
guard let name = policy.policyName,
let id = policy.policyId,
let arn = policy.arn
else {
throw ServiceHandlerError.noSuchPolicy
}
policyList.append(MyPolicyRecord(name: name, id: id, arn: arn))
}
}
} catch {
print("ERROR: listPolicies:", dump(error))
throw error
}
return policyList
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [ListPolicies](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listpolicies(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListPolicyVersions` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListPolicyVersions`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [復原政策版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md)
------
#### [ CLI ]
**AWS CLI**
**若要列出指定受管政策的版本相關資訊**
此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MySamplePolicy` 之政策的可用版本清單。
```
aws iam list-policy-versions \
--policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy
```
輸出:
```
{
"IsTruncated": false,
"Versions": [
{
"VersionId": "v2",
"IsDefaultVersion": true,
"CreateDate": "2015-06-02T23:19:44Z"
},
{
"VersionId": "v1",
"IsDefaultVersion": false,
"CreateDate": "2015-06-02T22:30:47Z"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱 *AWS CLI Command Reference* 中的 [ListPolicyVersions](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-policy-versions.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 之政策的可用版本清單。若要取得特定版本的政策文件,請使用 `Get-IAMPolicyVersion` 命令並指定想要文件的 `VersionId`。**
```
Get-IAMPolicyVersionList -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy
```
**輸出:**
```
CreateDate Document IsDefaultVersion VersionId
---------- -------- ---------------- ---------
2/12/2015 9:39:53 AM True v2
2/12/2015 9:39:09 AM False v1
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListPolicyVersions](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回 ARN 為 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 之政策的可用版本清單。若要取得特定版本的政策文件,請使用 `Get-IAMPolicyVersion` 命令並指定想要文件的 `VersionId`。**
```
Get-IAMPolicyVersionList -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy
```
**輸出:**
```
CreateDate Document IsDefaultVersion VersionId
---------- -------- ---------------- ---------
2/12/2015 9:39:53 AM True v2
2/12/2015 9:39:09 AM False v1
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListPolicyVersions](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listpolicyversions(
iv_policyarn = iv_policy_arn ).
MESSAGE 'Retrieved policy versions list.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing policy versions.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListPolicyVersions](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListRolePolicies` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListRolePolicies`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// List IAM role policies.
///
/// The IAM role for which to list IAM policies.
/// A list of IAM policy names.
public async Task> ListRolePoliciesAsync(string roleName)
{
var listRolePoliciesPaginator = _IAMService.Paginators.ListRolePolicies(new ListRolePoliciesRequest { RoleName = roleName });
var policyNames = new List();
await foreach (var response in listRolePoliciesPaginator.Responses)
{
policyNames.AddRange(response.PolicyNames);
}
return policyNames;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListRolePolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListRolePolicies)。
------
#### [ CLI ]
**AWS CLI**
**列出連接至 IAM 角色的政策**
下列 `list-role-policies` 命令會列出指定 IAM 角色的許可政策名稱。
```
aws iam list-role-policies \
--role-name Test-Role
```
輸出:
```
{
"PolicyNames": [
"ExamplePolicy"
]
}
```
若要查看連接至角色的信任政策,請使用 `get-role` 命令。若要查看許可政策的詳細資訊,請使用 `get-role-policy` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListRolePolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-role-policies.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// ListRolePolicies lists the inline policies for a role.
func (wrapper RoleWrapper) ListRolePolicies(ctx context.Context, roleName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListRolePolicies(ctx, &iam.ListRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListRolePolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListRolePolicies)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出政策。
```
import { ListRolePoliciesCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
*
* @param {string} roleName
*/
export async function* listRolePolicies(roleName) {
const command = new ListRolePoliciesCommand({
RoleName: roleName,
MaxItems: 10,
});
let response = await client.send(command);
while (response.PolicyNames?.length) {
for (const policyName of response.PolicyNames) {
yield policyName;
}
if (response.IsTruncated) {
response = await client.send(
new ListRolePoliciesCommand({
RoleName: roleName,
MaxItems: 10,
Marker: response.Marker,
}),
);
} else {
break;
}
}
}
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListRolePolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListRolePoliciesCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function listRolePolicies($roleName, $marker = "", $maxItems = 0)
{
$listRolePoliciesArguments = ['RoleName' => $roleName];
if ($marker) {
$listRolePoliciesArguments['Marker'] = $marker;
}
if ($maxItems) {
$listRolePoliciesArguments['MaxItems'] = $maxItems;
}
return $this->customWaiter(function () use ($listRolePoliciesArguments) {
return $this->iamClient->listRolePolicies($listRolePoliciesArguments);
});
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [ListRolePolicies](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListRolePolicies)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會傳回內嵌在 IAM 角色 `lamda_exec_role` 中之內嵌政策的名稱清單。若要查看內嵌政策的詳細資訊,請使用 `Get-IAMRolePolicy` 命令。**
```
Get-IAMRolePolicyList -RoleName lambda_exec_role
```
**輸出:**
```
oneClick_lambda_exec_role_policy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListRolePolicies](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會傳回內嵌在 IAM 角色 `lamda_exec_role` 中之內嵌政策的名稱清單。若要查看內嵌政策的詳細資訊,請使用 `Get-IAMRolePolicy` 命令。**
```
Get-IAMRolePolicyList -RoleName lambda_exec_role
```
**輸出:**
```
oneClick_lambda_exec_role_policy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListRolePolicies](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_policies(role_name):
"""
Lists inline policies for a role.
:param role_name: The name of the role to query.
"""
try:
role = iam.Role(role_name)
for policy in role.policies.all():
logger.info("Got inline policy %s.", policy.name)
except ClientError:
logger.exception("Couldn't list inline policies for %s.", role_name)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListRolePolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListRolePolicies)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Lists policy ARNs attached to a role
#
# @param role_name [String] The name of the role
# @return [Array] List of policy ARNs
def list_attached_policy_arns(role_name)
response = @iam_client.list_attached_role_policies(role_name: role_name)
response.attached_policies.map(&:policy_arn)
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing policies attached to role: #{e.message}")
[]
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListRolePolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListRolePolicies)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn list_role_policies(
client: &iamClient,
role_name: &str,
marker: Option,
max_items: Option,
) -> Result> {
let response = client
.list_role_policies()
.role_name(role_name)
.set_marker(marker)
.set_max_items(max_items)
.send()
.await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [ListRolePolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_role_policies)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listrolepolicies(
iv_rolename = iv_role_name ).
MESSAGE 'Retrieved inline policy list for role.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Role does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListRolePolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func listRolePolicies(role: String) async throws -> [String] {
var policyList: [String] = []
// Use "Paginated" to get all the role policies.
// This lets the SDK handle the 'isTruncated' in "ListRolePoliciesOutput".
let input = ListRolePoliciesInput(
roleName: role
)
let pages = client.listRolePoliciesPaginated(input: input)
do {
for try await page in pages {
guard let policies = page.policyNames else {
print("Error: no role policies returned.")
continue
}
for policy in policies {
policyList.append(policy)
}
}
} catch {
print("ERROR: listRolePolicies:", dump(error))
throw error
}
return policyList
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [ListRolePolicies](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listrolepolicies(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListRoleTags` 與 CLI
下列程式碼範例示範如何使用 `ListRoleTags`。
------
#### [ CLI ]
**AWS CLI**
**若要列出連接至角色的標籤**
下列 `list-role-tags` 命令會擷取與指定角色關聯的標籤之清單。
```
aws iam list-role-tags \
--role-name production-role
```
輸出:
```
{
"Tags": [
{
"Key": "Department",
"Value": "Accounting"
},
{
"Key": "DeptID",
"Value": "12345"
}
],
"IsTruncated": false
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListRoleTags](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-role-tags.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取與角色關聯的標籤。**
```
Get-IAMRoleTagList -RoleName MyRoleName
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListRoleTags](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取與角色關聯的標籤。**
```
Get-IAMRoleTagList -RoleName MyRoleName
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListRoleTags](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListRoles` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListRoles`。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// List IAM roles.
///
/// A list of IAM roles.
public async Task> ListRolesAsync()
{
var listRolesPaginator = _IAMService.Paginators.ListRoles(new ListRolesRequest());
var roles = new List();
await foreach (var response in listRolesPaginator.Responses)
{
roles.AddRange(response.Roles);
}
return roles;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListRoles](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListRoles)。
------
#### [ CLI ]
**AWS CLI**
**列出目前帳戶的 IAM 角色**
下列 `list-roles` 命令會列出目前帳戶的 IAM 角色。
```
aws iam list-roles
```
輸出:
```
{
"Roles": [
{
"Path": "/",
"RoleName": "ExampleRole",
"RoleId": "AROAJ52OTH4H7LEXAMPLE",
"Arn": "arn:aws:iam::123456789012:role/ExampleRole",
"CreateDate": "2017-09-12T19:23:36+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/example_path/",
"RoleName": "ExampleRoleWithPath",
"RoleId": "AROAI4QRP7UFT7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:role/example_path/ExampleRoleWithPath",
"CreateDate": "2023-09-21T20:29:38+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListRoles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-roles.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// ListRoles gets up to maxRoles roles.
func (wrapper RoleWrapper) ListRoles(ctx context.Context, maxRoles int32) ([]types.Role, error) {
var roles []types.Role
result, err := wrapper.IamClient.ListRoles(ctx,
&iam.ListRolesInput{MaxItems: aws.Int32(maxRoles)},
)
if err != nil {
log.Printf("Couldn't list roles. Here's why: %v\n", err)
} else {
roles = result.Roles
}
return roles, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListRoles](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListRoles)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出角色。
```
import { ListRolesCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
*
*/
export async function* listRoles() {
const command = new ListRolesCommand({
MaxItems: 10,
});
/**
* @type {import("@aws-sdk/client-iam").ListRolesCommandOutput | undefined}
*/
let response = await client.send(command);
while (response?.Roles?.length) {
for (const role of response.Roles) {
yield role;
}
if (response.IsTruncated) {
response = await client.send(
new ListRolesCommand({
Marker: response.Marker,
}),
);
} else {
break;
}
}
}
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListRoles](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListRolesCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
/**
* @param string $pathPrefix
* @param string $marker
* @param int $maxItems
* @return Result
* $roles = $service->listRoles();
*/
public function listRoles($pathPrefix = "", $marker = "", $maxItems = 0)
{
$listRolesArguments = [];
if ($pathPrefix) {
$listRolesArguments["PathPrefix"] = $pathPrefix;
}
if ($marker) {
$listRolesArguments["Marker"] = $marker;
}
if ($maxItems) {
$listRolesArguments["MaxItems"] = $maxItems;
}
return $this->iamClient->listRoles($listRolesArguments);
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [ListRoles](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListRoles)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取 AWS 帳戶中所有 IAM 角色的清單。**
```
Get-IAMRoleList
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListRoles](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取 AWS 帳戶中所有 IAM 角色的清單。**
```
Get-IAMRoleList
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListRoles](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_roles(count):
"""
Lists the specified number of roles for the account.
:param count: The number of roles to list.
"""
try:
roles = list(iam.roles.limit(count=count))
for role in roles:
logger.info("Role: %s", role.name)
except ClientError:
logger.exception("Couldn't list roles for the account.")
raise
else:
return roles
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListRoles](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListRoles)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Lists IAM roles up to a specified count.
# @param count [Integer] the maximum number of roles to list.
# @return [Array] the names of the roles.
def list_roles(count)
role_names = []
roles_counted = 0
@iam_client.list_roles.each_page do |page|
page.roles.each do |role|
break if roles_counted >= count
@logger.info("\t#{roles_counted + 1}: #{role.role_name}")
role_names << role.role_name
roles_counted += 1
end
break if roles_counted >= count
end
role_names
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't list roles for the account. Here's why:")
@logger.error("\t#{e.code}: #{e.message}")
raise
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListRoles](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListRoles)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn list_roles(
client: &iamClient,
path_prefix: Option,
marker: Option,
max_items: Option,
) -> Result> {
let response = client
.list_roles()
.set_path_prefix(path_prefix)
.set_marker(marker)
.set_max_items(max_items)
.send()
.await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [ListRoles](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_roles)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listroles( ).
MESSAGE 'Retrieved role list.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing roles.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListRoles](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func listRoles() async throws -> [String] {
var roleList: [String] = []
// Use "Paginated" to get all the roles.
// This lets the SDK handle the 'isTruncated' in "ListRolesOutput".
let input = ListRolesInput()
let pages = client.listRolesPaginated(input: input)
do {
for try await page in pages {
guard let roles = page.roles else {
print("Error: no roles returned.")
continue
}
for role in roles {
if let name = role.roleName {
roleList.append(name)
}
}
}
} catch {
print("ERROR: listRoles:", dump(error))
throw error
}
return roleList
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [ListRoles](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listroles(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListSAMLProviders` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListSAMLProviders`。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// List SAML authentication providers.
///
/// A list of SAML providers.
public async Task> ListSAMLProvidersAsync()
{
var response = await _IAMService.ListSAMLProvidersAsync(new ListSAMLProvidersRequest());
return response.SAMLProviderList;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListSAMLProviders](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListSAMLProviders)。
------
#### [ CLI ]
**AWS CLI**
**列出 AWS 帳戶中的 SAML 供應商**
此範例會擷取目前 AWS 帳戶中建立的 SAML 2.0 供應商清單。
```
aws iam list-saml-providers
```
輸出:
```
{
"SAMLProviderList": [
{
"Arn": "arn:aws:iam::123456789012:saml-provider/SAML-ADFS",
"ValidUntil": "2015-06-05T22:45:14Z",
"CreateDate": "2015-06-05T22:45:14Z"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM SAML 身分提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListSAMLProviders](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-saml-providers.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"log"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions
// used in the examples.
// It contains an IAM service client that is used to perform account actions.
type AccountWrapper struct {
IamClient *iam.Client
}
// ListSAMLProviders gets the SAML providers for the account.
func (wrapper AccountWrapper) ListSAMLProviders(ctx context.Context) ([]types.SAMLProviderListEntry, error) {
var providers []types.SAMLProviderListEntry
result, err := wrapper.IamClient.ListSAMLProviders(ctx, &iam.ListSAMLProvidersInput{})
if err != nil {
log.Printf("Couldn't list SAML providers. Here's why: %v\n", err)
} else {
providers = result.SAMLProviderList
}
return providers, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListSAMLProviders](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListSAMLProviders)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出 SAML 供應商。
```
import { ListSAMLProvidersCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
export const listSamlProviders = async () => {
const command = new ListSAMLProvidersCommand({});
const response = await client.send(command);
console.log(response);
return response;
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListSAMLProviders](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListSAMLProvidersCommand)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function listSAMLProviders()
{
return $this->iamClient->listSAMLProviders();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [ListSAMLProviders](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListSAMLProviders)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取在目前 AWS 帳戶中建立的 SAML 2.0 提供者的清單。它會傳回每個 SAML 提供者的 ARN、建立日期和過期日期。**
```
Get-IAMSAMLProviderList
```
**輸出:**
```
Arn CreateDate ValidUntil
--- ---------- ----------
arn:aws:iam::123456789012:saml-provider/SAMLADFS 12/23/2014 12:16:55 PM 12/23/2114 12:16:54 PM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListSAMLProviders](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取在目前 AWS 帳戶中建立的 SAML 2.0 提供者的清單。它會傳回每個 SAML 提供者的 ARN、建立日期和過期日期。**
```
Get-IAMSAMLProviderList
```
**輸出:**
```
Arn CreateDate ValidUntil
--- ---------- ----------
arn:aws:iam::123456789012:saml-provider/SAMLADFS 12/23/2014 12:16:55 PM 12/23/2114 12:16:54 PM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListSAMLProviders](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_saml_providers(count):
"""
Lists the SAML providers for the account.
:param count: The maximum number of providers to list.
"""
try:
found = 0
for provider in iam.saml_providers.limit(count):
logger.info("Got SAML provider %s.", provider.arn)
found += 1
if found == 0:
logger.info("Your account has no SAML providers.")
except ClientError:
logger.exception("Couldn't list SAML providers.")
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListSAMLProviders](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListSAMLProviders)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
class SamlProviderLister
# Initializes the SamlProviderLister with IAM client and a logger.
# @param iam_client [Aws::IAM::Client] The IAM client object.
# @param logger [Logger] The logger object for logging output.
def initialize(iam_client, logger = Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Lists up to a specified number of SAML providers for the account.
# @param count [Integer] The maximum number of providers to list.
# @return [Aws::IAM::Client::Response]
def list_saml_providers(count)
response = @iam_client.list_saml_providers
response.saml_provider_list.take(count).each do |provider|
@logger.info("\t#{provider.arn}")
end
response
rescue Aws::Errors::ServiceError => e
@logger.error("Couldn't list SAML providers. Here's why:")
@logger.error("\t#{e.code}: #{e.message}")
raise
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListSAMLProviders](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListSAMLProviders)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn list_saml_providers(
client: &Client,
) -> Result> {
let response = client.list_saml_providers().send().await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [ListSAMLProviders](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_saml_providers)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listsamlproviders( ).
MESSAGE 'Retrieved SAML provider list.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing SAML providers.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListSAMLProviders](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListServerCertificates` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListServerCertificates`。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::listServerCertificates(
const Aws::Client::ClientConfiguration &clientConfig) {
const Aws::String DATE_FORMAT = "%Y-%m-%d";
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::ListServerCertificatesRequest request;
bool done = false;
bool header = false;
while (!done) {
auto outcome = iam.ListServerCertificates(request);
if (!outcome.IsSuccess()) {
std::cerr << "Failed to list server certificates: " <<
outcome.GetError().GetMessage() << std::endl;
return false;
}
if (!header) {
std::cout << std::left << std::setw(55) << "Name" <<
std::setw(30) << "ID" << std::setw(80) << "Arn" <<
std::setw(14) << "UploadDate" << std::setw(14) <<
"ExpirationDate" << std::endl;
header = true;
}
const auto &certificates =
outcome.GetResult().GetServerCertificateMetadataList();
for (const auto &certificate: certificates) {
std::cout << std::left << std::setw(55) <<
certificate.GetServerCertificateName() << std::setw(30) <<
certificate.GetServerCertificateId() << std::setw(80) <<
certificate.GetArn() << std::setw(14) <<
certificate.GetUploadDate().ToGmtString(DATE_FORMAT.c_str()) <<
std::setw(14) <<
certificate.GetExpiration().ToGmtString(DATE_FORMAT.c_str()) <<
std::endl;
}
if (outcome.GetResult().GetIsTruncated()) {
request.SetMarker(outcome.GetResult().GetMarker());
}
else {
done = true;
}
}
return true;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [ListServerCertificates](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListServerCertificates)。
------
#### [ CLI ]
**AWS CLI**
**列出您 AWS 帳戶中的伺服器憑證**
下列`list-server-certificates`命令會列出您 AWS 帳戶中存放和可使用的所有伺服器憑證。
```
aws iam list-server-certificates
```
輸出:
```
{
"ServerCertificateMetadataList": [
{
"Path": "/",
"ServerCertificateName": "myUpdatedServerCertificate",
"ServerCertificateId": "ASCAEXAMPLE123EXAMPLE",
"Arn": "arn:aws:iam::123456789012:server-certificate/myUpdatedServerCertificate",
"UploadDate": "2019-04-22T21:13:44+00:00",
"Expiration": "2019-10-15T22:23:16+00:00"
},
{
"Path": "/cloudfront/",
"ServerCertificateName": "MyTestCert",
"ServerCertificateId": "ASCAEXAMPLE456EXAMPLE",
"Arn": "arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyTestCert",
"UploadDate": "2015-04-21T18:14:16+00:00",
"Expiration": "2018-01-14T17:52:36+00:00"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 IAM 中管理伺服器憑證](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListServerCertificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-server-certificates.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出憑證。
```
import { ListServerCertificatesCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
* A generator function that handles paginated results.
* The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this.
*
*/
export async function* listServerCertificates() {
const command = new ListServerCertificatesCommand({});
let response = await client.send(command);
while (response.ServerCertificateMetadataList?.length) {
for await (const cert of response.ServerCertificateMetadataList) {
yield cert;
}
if (response.IsTruncated) {
response = await client.send(new ListServerCertificatesCommand({}));
} else {
break;
}
}
}
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListServerCertificates](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListServerCertificatesCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
iam.listServerCertificates({}, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListServerCertificates](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListServerCertificates)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取已上傳至目前 AWS 帳戶的伺服器憑證的清單。**
```
Get-IAMServerCertificateList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate
Expiration : 1/14/2018 9:52:36 AM
Path : /Org1/Org2/
ServerCertificateId : ASCAJIFEXAMPLE17HQZYW
ServerCertificateName : MyServerCertificate
UploadDate : 4/21/2015 11:14:16 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListServerCertificates](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取已上傳至目前 AWS 帳戶的伺服器憑證的清單。**
```
Get-IAMServerCertificateList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate
Expiration : 1/14/2018 9:52:36 AM
Path : /Org1/Org2/
ServerCertificateId : ASCAJIFEXAMPLE17HQZYW
ServerCertificateName : MyServerCertificate
UploadDate : 4/21/2015 11:14:16 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListServerCertificates](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
列出、更新和刪除伺服器憑證。
```
class ServerCertificateManager
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'ServerCertificateManager'
end
# Creates a new server certificate.
# @param name [String] the name of the server certificate
# @param certificate_body [String] the contents of the certificate
# @param private_key [String] the private key contents
# @return [Boolean] returns true if the certificate was successfully created
def create_server_certificate(name, certificate_body, private_key)
@iam_client.upload_server_certificate({
server_certificate_name: name,
certificate_body: certificate_body,
private_key: private_key
})
true
rescue Aws::IAM::Errors::ServiceError => e
puts "Failed to create server certificate: #{e.message}"
false
end
# Lists available server certificate names.
def list_server_certificate_names
response = @iam_client.list_server_certificates
if response.server_certificate_metadata_list.empty?
@logger.info('No server certificates found.')
return
end
response.server_certificate_metadata_list.each do |certificate_metadata|
@logger.info("Certificate Name: #{certificate_metadata.server_certificate_name}")
end
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing server certificates: #{e.message}")
end
# Updates the name of a server certificate.
def update_server_certificate_name(current_name, new_name)
@iam_client.update_server_certificate(
server_certificate_name: current_name,
new_server_certificate_name: new_name
)
@logger.info("Server certificate name updated from '#{current_name}' to '#{new_name}'.")
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error updating server certificate name: #{e.message}")
false
end
# Deletes a server certificate.
def delete_server_certificate(name)
@iam_client.delete_server_certificate(server_certificate_name: name)
@logger.info("Server certificate '#{name}' deleted.")
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting server certificate: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListServerCertificates](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListServerCertificates)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListSigningCertificates` 與 CLI
下列程式碼範例示範如何使用 `ListSigningCertificates`。
------
#### [ CLI ]
**AWS CLI**
**若要列出 IAM 使用者的簽署憑證**
下列 `list-signing-certificates` 命令列出名為 `Bob` 之 IAM 使用者的簽署憑證。
```
aws iam list-signing-certificates \
--user-name Bob
```
輸出:
```
{
"Certificates": [
{
"UserName": "Bob",
"Status": "Inactive",
"CertificateBody": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----",
"CertificateId": "TA7SMP42TDN5Z26OBPJE7EXAMPLE",
"UploadDate": "2013-06-06T21:40:08Z"
}
]
}
```
如需詳細資訊,請參閱《Amazon EC2 使用者指南》**中的[管理簽署憑證](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-up-ami-tools.html#ami-tools-managing-certs)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListSigningCertificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-signing-certificates.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例擷取與名為 `Bob` 之使用者關聯的簽署憑證的詳細資訊。**
```
Get-IAMSigningCertificate -UserName Bob
```
**輸出:**
```
CertificateBody : -----BEGIN CERTIFICATE-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
-----END CERTIFICATE-----
CertificateId : Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU
Status : Active
UploadDate : 4/20/2015 1:26:01 PM
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListSigningCertificates](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例擷取與名為 `Bob` 之使用者關聯的簽署憑證的詳細資訊。**
```
Get-IAMSigningCertificate -UserName Bob
```
**輸出:**
```
CertificateBody : -----BEGIN CERTIFICATE-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
-----END CERTIFICATE-----
CertificateId : Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU
Status : Active
UploadDate : 4/20/2015 1:26:01 PM
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListSigningCertificates](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListUserPolicies` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListUserPolicies`。
------
#### [ CLI ]
**AWS CLI**
**列出 IAM 使用者的政策**
下列 `list-user-policies` 命令會列出連接至名為 `Bob` 之 IAM 使用者的政策。
```
aws iam list-user-policies \
--user-name Bob
```
輸出:
```
{
"PolicyNames": [
"ExamplePolicy",
"TestPolicy"
]
}
```
如需詳細資訊,請參閱《[IAM 使用者指南》中的在 AWS 帳戶中建立](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) *AWS IAM* 使用者。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListUserPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// ListUserPolicies lists the inline policies for the specified user.
func (wrapper UserWrapper) ListUserPolicies(ctx context.Context, userName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list policies for user %v. Here's why: %v\n", userName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListUserPolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListUserPolicies)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取內嵌在名為 `David` 之 IAM 使用者中的內嵌政策的名稱清單。**
```
Get-IAMUserPolicyList -UserName David
```
**輸出:**
```
Davids_IAM_Admin_Policy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListUserPolicies](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取內嵌在名為 `David` 之 IAM 使用者中的內嵌政策的名稱清單。**
```
Get-IAMUserPolicyList -UserName David
```
**輸出:**
```
Davids_IAM_Admin_Policy
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListUserPolicies](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListUserTags` 與 CLI
下列程式碼範例示範如何使用 `ListUserTags`。
------
#### [ CLI ]
**AWS CLI**
**若要列出連接至使用者的標籤**
下列 `list-user-tags` 命令會擷取與指定 IAM 使用者關聯的標籤之清單。
```
aws iam list-user-tags \
--user-name alice
```
輸出:
```
{
"Tags": [
{
"Key": "Department",
"Value": "Accounting"
},
{
"Key": "DeptID",
"Value": "12345"
}
],
"IsTruncated": false
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的 [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ListUserTags](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-tags.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取與使用者關聯的標籤。**
```
Get-IAMUserTagList -UserName joe
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListUserTags](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取與使用者關聯的標籤。**
```
Get-IAMUserTagList -UserName joe
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListUserTags](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `ListUsers` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `ListUsers`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// List IAM users.
///
/// A list of IAM users.
public async Task> ListUsersAsync()
{
var listUsersPaginator = _IAMService.Paginators.ListUsers(new ListUsersRequest());
var users = new List();
await foreach (var response in listUsersPaginator.Responses)
{
users.AddRange(response.Users);
}
return users;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [ListUsers](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListUsers)。
------
#### [ Bash ]
**AWS CLI 使用 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function iam_list_users
#
# List the IAM users in the account.
#
# Returns:
# The list of users names
# And:
# 0 - If the user already exists.
# 1 - If the user doesn't exist.
###############################################################################
function iam_list_users() {
local option OPTARG # Required to use getopts command in a function.
local error_code
# bashsupport disable=BP5008
function usage() {
echo "function iam_list_users"
echo "Lists the AWS Identity and Access Management (IAM) user in the account."
echo ""
}
# Retrieve the calling parameters.
while getopts "h" option; do
case "${option}" in
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
local response
response=$(aws iam list-users \
--output text \
--query "Users[].UserName")
error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports list-users operation failed.$response"
return 1
fi
echo "$response"
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListUsers](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/ListUsers)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::listUsers(const Aws::Client::ClientConfiguration &clientConfig) {
const Aws::String DATE_FORMAT = "%Y-%m-%d";
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::ListUsersRequest request;
bool done = false;
bool header = false;
while (!done) {
auto outcome = iam.ListUsers(request);
if (!outcome.IsSuccess()) {
std::cerr << "Failed to list iam users:" <<
outcome.GetError().GetMessage() << std::endl;
return false;
}
if (!header) {
std::cout << std::left << std::setw(32) << "Name" <<
std::setw(30) << "ID" << std::setw(64) << "Arn" <<
std::setw(20) << "CreateDate" << std::endl;
header = true;
}
const auto &users = outcome.GetResult().GetUsers();
for (const auto &user: users) {
std::cout << std::left << std::setw(32) << user.GetUserName() <<
std::setw(30) << user.GetUserId() << std::setw(64) <<
user.GetArn() << std::setw(20) <<
user.GetCreateDate().ToGmtString(DATE_FORMAT.c_str())
<< std::endl;
}
if (outcome.GetResult().GetIsTruncated()) {
request.SetMarker(outcome.GetResult().GetMarker());
}
else {
done = true;
}
}
return true;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [ListUsers](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListUsers)。
------
#### [ CLI ]
**AWS CLI**
**列出 IAM 使用者**
下列 `list-users` 命令會列出目前帳戶中的 IAM 使用者。
```
aws iam list-users
```
輸出:
```
{
"Users": [
{
"UserName": "Adele",
"Path": "/",
"CreateDate": "2013-03-07T05:14:48Z",
"UserId": "AKIAI44QH8DHBEXAMPLE",
"Arn": "arn:aws:iam::123456789012:user/Adele"
},
{
"UserName": "Bob",
"Path": "/",
"CreateDate": "2012-09-21T23:03:13Z",
"UserId": "AKIAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:user/Bob"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[列出 IAM 使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_manage_list)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListUsers](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// ListUsers gets up to maxUsers number of users.
func (wrapper UserWrapper) ListUsers(ctx context.Context, maxUsers int32) ([]types.User, error) {
var users []types.User
result, err := wrapper.IamClient.ListUsers(ctx, &iam.ListUsersInput{
MaxItems: aws.Int32(maxUsers),
})
if err != nil {
log.Printf("Couldn't list users. Here's why: %v\n", err)
} else {
users = result.Users
}
return users, err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [ListUsers](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListUsers)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.AttachedPermissionsBoundary;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.ListUsersRequest;
import software.amazon.awssdk.services.iam.model.ListUsersResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.User;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class ListUsers {
public static void main(String[] args) {
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
listAllUsers(iam);
System.out.println("Done");
iam.close();
}
public static void listAllUsers(IamClient iam) {
try {
boolean done = false;
String newMarker = null;
while (!done) {
ListUsersResponse response;
if (newMarker == null) {
ListUsersRequest request = ListUsersRequest.builder().build();
response = iam.listUsers(request);
} else {
ListUsersRequest request = ListUsersRequest.builder()
.marker(newMarker)
.build();
response = iam.listUsers(request);
}
for (User user : response.users()) {
System.out.format("\n Retrieved user %s", user.userName());
AttachedPermissionsBoundary permissionsBoundary = user.permissionsBoundary();
if (permissionsBoundary != null)
System.out.format("\n Permissions boundary details %s",
permissionsBoundary.permissionsBoundaryTypeAsString());
}
if (!response.isTruncated()) {
done = true;
} else {
newMarker = response.marker();
}
}
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [ListUsers](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListUsers)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
列出使用者。
```
import { ListUsersCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
export const listUsers = async () => {
const command = new ListUsersCommand({ MaxItems: 10 });
const response = await client.send(command);
for (const { UserName, CreateDate } of response.Users) {
console.log(`${UserName} created on: ${CreateDate}`);
}
return response;
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-listing-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListUsers](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListUsersCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
MaxItems: 10,
};
iam.listUsers(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
var users = data.Users || [];
users.forEach(function (user) {
console.log("User " + user.UserName + " created", user.CreateDate);
});
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-listing-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [ListUsers](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListUsers)。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun listAllUsers() {
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listUsers(ListUsersRequest { })
response.users?.forEach { user ->
println("Retrieved user ${user.userName}")
val permissionsBoundary = user.permissionsBoundary
if (permissionsBoundary != null) {
println("Permissions boundary details ${permissionsBoundary.permissionsBoundaryType}")
}
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [ListUsers](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PHP ]
**SDK for PHP**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中設定和執行。
```
$uuid = uniqid();
$service = new IAMService();
public function listUsers($pathPrefix = "", $marker = "", $maxItems = 0)
{
$listUsersArguments = [];
if ($pathPrefix) {
$listUsersArguments["PathPrefix"] = $pathPrefix;
}
if ($marker) {
$listUsersArguments["Marker"] = $marker;
}
if ($maxItems) {
$listUsersArguments["MaxItems"] = $maxItems;
}
return $this->iamClient->listUsers($listUsersArguments);
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API Reference* 中的 [ListUsers](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListUsers)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取目前 中的使用者集合 AWS 帳戶。**
```
Get-IAMUserList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Administrator
CreateDate : 10/16/2014 9:03:09 AM
PasswordLastUsed : 3/4/2015 12:12:33 PM
Path : /
UserId : 7K3GJEANSKZF2EXAMPLE1
UserName : Administrator
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 4/6/2015 12:54:42 PM
PasswordLastUsed : 1/1/0001 12:00:00 AM
Path : /
UserId : L3EWNONDOM3YUEXAMPLE2
UserName : bab
Arn : arn:aws:iam::123456789012:user/David
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 3/19/2015 8:44:04 AM
Path : /
UserId : Y4FKWQCXTA52QEXAMPLE3
UserName : David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListUsers](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取目前 中的使用者集合 AWS 帳戶。**
```
Get-IAMUserList
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:user/Administrator
CreateDate : 10/16/2014 9:03:09 AM
PasswordLastUsed : 3/4/2015 12:12:33 PM
Path : /
UserId : 7K3GJEANSKZF2EXAMPLE1
UserName : Administrator
Arn : arn:aws:iam::123456789012:user/Bob
CreateDate : 4/6/2015 12:54:42 PM
PasswordLastUsed : 1/1/0001 12:00:00 AM
Path : /
UserId : L3EWNONDOM3YUEXAMPLE2
UserName : bab
Arn : arn:aws:iam::123456789012:user/David
CreateDate : 12/10/2014 3:39:27 PM
PasswordLastUsed : 3/19/2015 8:44:04 AM
Path : /
UserId : Y4FKWQCXTA52QEXAMPLE3
UserName : David
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListUsers](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def list_users():
"""
Lists the users in the current account.
:return: The list of users.
"""
try:
users = list(iam.users.all())
logger.info("Got %s users.", len(users))
except ClientError:
logger.exception("Couldn't get users.")
raise
else:
return users
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [ListUsers](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListUsers)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Lists all users in the AWS account
#
# @return [Array] An array of user objects
def list_users
users = []
@iam_client.list_users.each_page do |page|
page.users.each do |user|
users << user
end
end
users
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing users: #{e.message}")
[]
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [ListUsers](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListUsers)。
------
#### [ Rust ]
**SDK for Rust**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中設定和執行。
```
pub async fn list_users(
client: &iamClient,
path_prefix: Option,
marker: Option,
max_items: Option,
) -> Result> {
let response = client
.list_users()
.set_path_prefix(path_prefix)
.set_marker(marker)
.set_max_items(max_items)
.send()
.await?;
Ok(response)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Rust API reference* 中的 [ListUsers](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_users)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
oo_result = lo_iam->listusers( ).
MESSAGE 'Retrieved user list.' TYPE 'I'.
CATCH /aws1/cx_iamservicefailureex.
MESSAGE 'Service failure when listing users.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListUsers](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
#### [ Swift ]
**適用於 Swift 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
public func listUsers() async throws -> [MyUserRecord] {
var userList: [MyUserRecord] = []
// Use "Paginated" to get all the users.
// This lets the SDK handle the 'isTruncated' in "ListUsersOutput".
let input = ListUsersInput()
let output = client.listUsersPaginated(input: input)
do {
for try await page in output {
guard let users = page.users else {
continue
}
for user in users {
if let id = user.userId, let name = user.userName {
userList.append(MyUserRecord(id: id, name: name))
}
}
}
}
catch {
print("ERROR: listUsers:", dump(error))
throw error
}
return userList
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [ListUsers](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listusers(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ListVirtualMfaDevices` 與 CLI
下列程式碼範例示範如何使用 `ListVirtualMfaDevices`。
------
#### [ CLI ]
**AWS CLI**
**若要列出虛擬 MFA 裝置**
下列 `list-virtual-mfa-devices` 命令會列出已為目前帳戶設定的虛擬 MFA 裝置。
```
aws iam list-virtual-mfa-devices
```
輸出:
```
{
"VirtualMFADevices": [
{
"SerialNumber": "arn:aws:iam::123456789012:mfa/ExampleMFADevice"
},
{
"SerialNumber": "arn:aws:iam::123456789012:mfa/Fred"
}
]
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[啟用虛擬多重要素驗證 (MFA) 裝置](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListVirtualMfaDevices](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-virtual-mfa-devices.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取指派給 AWS 帳戶中使用者的虛擬 MFA 裝置集合。每個裝置的 `User` 屬性是一個物件,包含裝置被分派給的 IAM 使用者的詳細資訊。**
```
Get-IAMVirtualMFADevice -AssignmentStatus Assigned
```
**輸出:**
```
Base32StringSeed :
EnableDate : 4/13/2015 12:03:42 PM
QRCodePNG :
SerialNumber : arn:aws:iam::123456789012:mfa/David
User : Amazon.IdentityManagement.Model.User
Base32StringSeed :
EnableDate : 4/13/2015 12:06:41 PM
QRCodePNG :
SerialNumber : arn:aws:iam::123456789012:mfa/root-account-mfa-device
User : Amazon.IdentityManagement.Model.User
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ListVirtualMfaDevices](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取指派給 AWS 帳戶中使用者的虛擬 MFA 裝置集合。每個裝置的 `User` 屬性是一個物件,包含裝置被分派給的 IAM 使用者的詳細資訊。**
```
Get-IAMVirtualMFADevice -AssignmentStatus Assigned
```
**輸出:**
```
Base32StringSeed :
EnableDate : 4/13/2015 12:03:42 PM
QRCodePNG :
SerialNumber : arn:aws:iam::123456789012:mfa/David
User : Amazon.IdentityManagement.Model.User
Base32StringSeed :
EnableDate : 4/13/2015 12:06:41 PM
QRCodePNG :
SerialNumber : arn:aws:iam::123456789012:mfa/root-account-mfa-device
User : Amazon.IdentityManagement.Model.User
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ListVirtualMfaDevices](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `PutGroupPolicy` 與 CLI
下列程式碼範例示範如何使用 `PutGroupPolicy`。
------
#### [ CLI ]
**AWS CLI**
**將政策新增至群組**
下列 `put-group-policy` 命令會將政策新增至名為 `Admins` 的 IAM 群組。
```
aws iam put-group-policy \
--group-name Admins \
--policy-document file://AdminPolicy.json \
--policy-name AdminRoot
```
此命令不會產生輸出。
會在 *AdminPolicy.json* 檔案中將此政策定義為 JSON 文件。(檔案名稱和副檔名沒有意義。)
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [PutGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-group-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立名為 `AppTesterPolicy` 的內嵌政策,並將其內嵌在 IAM 群組 `AppTesters` 中。如果已存在同名的內嵌政策,其會被覆寫。JSON 政策內容來自 `apptesterpolicy.json` 檔案。請注意,必須使用 `-Raw` 參數,才能成功處理 JSON 檔案的內容。**
```
Write-IAMGroupPolicy -GroupName AppTesters -PolicyName AppTesterPolicy -PolicyDocument (Get-Content -Raw apptesterpolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [PutGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立名為 `AppTesterPolicy` 的內嵌政策,並將其內嵌在 IAM 群組 `AppTesters` 中。如果已存在同名的內嵌政策,其會被覆寫。JSON 政策內容來自 `apptesterpolicy.json` 檔案。請注意,必須使用 `-Raw` 參數,才能成功處理 JSON 檔案的內容。**
```
Write-IAMGroupPolicy -GroupName AppTesters -PolicyName AppTesterPolicy -PolicyDocument (Get-Content -Raw apptesterpolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [PutGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `PutRolePermissionsBoundary` 與 CLI
下列程式碼範例示範如何使用 `PutRolePermissionsBoundary`。
------
#### [ CLI ]
**AWS CLI**
**範例 1:根據自訂政策將許可界限套用至 IAM 角色**
下列 `put-role-permissions-boundary` 範例會將名為 `intern-boundary` 的自訂政策套用為指定 IAM 角色的許可界限。
```
aws iam put-role-permissions-boundary \
--permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary \
--role-name lambda-application-role
```
此命令不會產生輸出。
**範例 2:根據 AWS 受管政策將許可界限套用至 IAM 角色**
下列`put-role-permissions-boundary`範例會將 AWS 受管`PowerUserAccess`政策套用為指定 IAM 角色的許可界限。
```
aws iam put-role-permissions-boundary \
--permissions-boundary arn:aws:iam::aws:policy/PowerUserAccess \
--role-name x-account-admin
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [PutRolePermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-permissions-boundary.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例示範如何設定 IAM 角色的許可界限。您可以將 AWS 受管政策或自訂政策設定為許可界限。**
```
Set-IAMRolePermissionsBoundary -RoleName MyRoleName -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [PutRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例示範如何設定 IAM 角色的許可界限。您可以將 AWS 受管政策或自訂政策設定為許可界限。**
```
Set-IAMRolePermissionsBoundary -RoleName MyRoleName -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [PutRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `PutRolePolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `PutRolePolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中設定和執行。
```
///
/// Update the inline policy document embedded in a role.
///
/// The name of the policy to embed.
/// The name of the role to update.
/// The policy document that defines the role.
/// A Boolean value indicating the success of the action.
public async Task PutRolePolicyAsync(string policyName, string roleName, string policyDocument)
{
var request = new PutRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
PolicyDocument = policyDocument
};
var response = await _IAMService.PutRolePolicyAsync(request);
return response.HttpStatusCode == HttpStatusCode.OK;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 .NET 的 AWS SDK API Reference* 中的 [PutRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/PutRolePolicy)。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::putRolePolicy(
const Aws::String &roleName,
const Aws::String &policyName,
const Aws::String &policyDocument,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iamClient(clientConfig);
Aws::IAM::Model::PutRolePolicyRequest request;
request.SetRoleName(roleName);
request.SetPolicyName(policyName);
request.SetPolicyDocument(policyDocument);
Aws::IAM::Model::PutRolePolicyOutcome outcome = iamClient.PutRolePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error putting policy on role. " <<
outcome.GetError().GetMessage() << std::endl;
}
else {
std::cout << "Successfully put the role policy." << std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [PutRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/PutRolePolicy)。
------
#### [ CLI ]
**AWS CLI**
**將許可政策連接至 IAM 角色**
下列 `put-role-policy` 命令會將許可政策連接到名為 `Test-Role` 的角色。
```
aws iam put-role-policy \
--role-name Test-Role \
--policy-name ExamplePolicy \
--policy-document file://AdminPolicy.json
```
此命令不會產生輸出。
會在 *AdminPolicy.json* 檔案中將此政策定義為 JSON 文件。(檔案名稱和副檔名沒有意義。)
若要將信任政策連接至角色,請使用 `update-assume-role-policy` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [PutRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-policy.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { PutRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam";
const examplePolicyDocument = JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Sid: "VisualEditor0",
Effect: "Allow",
Action: [
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:ListMultipartUploadParts",
],
Resource: "arn:aws:s3:::amzn-s3-demo-bucket",
},
{
Sid: "VisualEditor1",
Effect: "Allow",
Action: [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:ListMultiRegionAccessPoints",
],
Resource: "*",
},
],
});
const client = new IAMClient({});
/**
*
* @param {string} roleName
* @param {string} policyName
* @param {string} policyDocument
*/
export const putRolePolicy = async (roleName, policyName, policyDocument) => {
const command = new PutRolePolicyCommand({
RoleName: roleName,
PolicyName: policyName,
PolicyDocument: policyDocument,
});
const response = await client.send(command);
console.log(response);
return response;
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [PutRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/PutRolePolicyCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立名為 `FedTesterRolePolicy` 的內嵌政策,並將其內嵌在 IAM 角色 `FedTesterRole` 中。如果已存在同名的內嵌政策,其會被覆寫。JSON 政策內容來自 `FedTesterPolicy.json` 檔案。請注意,必須使用 `-Raw` 參數,才能成功處理 JSON 檔案的內容。**
```
Write-IAMRolePolicy -RoleName FedTesterRole -PolicyName FedTesterRolePolicy -PolicyDocument (Get-Content -Raw FedTesterPolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [PutRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立名為 `FedTesterRolePolicy` 的內嵌政策,並將其內嵌在 IAM 角色 `FedTesterRole` 中。如果已存在同名的內嵌政策,其會被覆寫。JSON 政策內容來自 `FedTesterPolicy.json` 檔案。請注意,必須使用 `-Raw` 參數,才能成功處理 JSON 檔案的內容。**
```
Write-IAMRolePolicy -RoleName FedTesterRole -PolicyName FedTesterRolePolicy -PolicyDocument (Get-Content -Raw FedTesterPolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [PutRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `PutUserPermissionsBoundary` 與 CLI
下列程式碼範例示範如何使用 `PutUserPermissionsBoundary`。
------
#### [ CLI ]
**AWS CLI**
**範例 1:根據自訂政策將許可界限套用至 IAM 使用者**
下列 `put-user-permissions-boundary` 範例會將名為 `intern-boundary` 的自訂政策套用為指定 IAM 使用者的許可界限。
```
aws iam put-user-permissions-boundary \
--permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary \
--user-name intern
```
此命令不會產生輸出。
**範例 2:根據 AWS 受管政策將許可界限套用至 IAM 使用者**
下列`put-user-permissions-boundary`範例會套用名為 的 AWS 受管污染,`PowerUserAccess`做為指定 IAM 使用者的許可界限。
```
aws iam put-user-permissions-boundary \
--permissions-boundary arn:aws:iam::aws:policy/PowerUserAccess \
--user-name developer
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[新增和移除 IAM 身分許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [PutUserPermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-user-permissions-boundary.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例示範如何設定使用者的許可界限。您可以將 AWS 受管政策或自訂政策設定為許可界限。 **
```
Set-IAMUserPermissionsBoundary -UserName joe -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [PutUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例示範如何設定使用者的許可界限。您可以將 AWS 受管政策或自訂政策設定為許可界限。 **
```
Set-IAMUserPermissionsBoundary -UserName joe -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [PutUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `PutUserPolicy` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `PutUserPolicy`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [了解基本概念](iam_example_iam_Scenario_CreateUserAssumeRole_section.md)
------
#### [ CLI ]
**AWS CLI**
**將政策連接至 IAM 使用者**
下列 `put-user-policy` 命令會將政策連接至名為 `Bob` 的 IAM 使用者。
```
aws iam put-user-policy \
--user-name Bob \
--policy-name ExamplePolicy \
--policy-document file://AdminPolicy.json
```
此命令不會產生輸出。
會在 *AdminPolicy.json* 檔案中將此政策定義為 JSON 文件。(檔案名稱和副檔名沒有意義。)
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[新增和移除 IAM 身分許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [PutUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-user-policy.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中設定和執行。
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// CreateUserPolicy adds an inline policy to a user. This example creates a policy that
// grants a list of actions on a specified role.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper UserWrapper) CreateUserPolicy(ctx context.Context, userName string, policyName string, actions []string,
roleArn string) error {
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(roleArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", roleArn, err)
return err
}
_, err = wrapper.IamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create policy for user %v. Here's why: %v\n", userName, err)
}
return err
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 Go 的 AWS SDK API Reference* 中的 [PutUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.PutUserPolicy)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會建立名為 `EC2AccessPolicy` 的內嵌政策,並將其內嵌在 IAM 使用者 `Bob` 中。如果已存在同名的內嵌政策,其會被覆寫。JSON 政策內容來自 `EC2AccessPolicy.json` 檔案。請注意,必須使用 `-Raw` 參數,才能成功處理 JSON 檔案的內容。**
```
Write-IAMUserPolicy -UserName Bob -PolicyName EC2AccessPolicy -PolicyDocument (Get-Content -Raw EC2AccessPolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [PutUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會建立名為 `EC2AccessPolicy` 的內嵌政策,並將其內嵌在 IAM 使用者 `Bob` 中。如果已存在同名的內嵌政策,其會被覆寫。JSON 政策內容來自 `EC2AccessPolicy.json` 檔案。請注意,必須使用 `-Raw` 參數,才能成功處理 JSON 檔案的內容。**
```
Write-IAMUserPolicy -UserName Bob -PolicyName EC2AccessPolicy -PolicyDocument (Get-Content -Raw EC2AccessPolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [PutUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Creates an inline policy for a specified user.
# @param username [String] The name of the IAM user.
# @param policy_name [String] The name of the policy to create.
# @param policy_document [String] The JSON policy document.
# @return [Boolean]
def create_user_policy(username, policy_name, policy_document)
@iam_client.put_user_policy({
user_name: username,
policy_name: policy_name,
policy_document: policy_document
})
@logger.info("Policy #{policy_name} created for user #{username}.")
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Couldn't create policy #{policy_name} for user #{username}. Here's why:")
@logger.error("\t#{e.code}: #{e.message}")
false
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/PutUserPolicy)。
------
#### [ Swift ]
**SDK for Swift**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中設定和執行。
```
import AWSIAM
import AWSS3
func putUserPolicy(policyDocument: String, policyName: String, user: IAMClientTypes.User) async throws {
let input = PutUserPolicyInput(
policyDocument: policyDocument,
policyName: policyName,
userName: user.userName
)
do {
_ = try await iamClient.putUserPolicy(input: input)
} catch {
print("ERROR: putUserPolicy:", dump(error))
throw error
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Swift API reference* 中的 [PutUserPolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/putuserpolicy(input:))。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `RemoveClientIdFromOpenIdConnectProvider` 與 CLI
下列程式碼範例示範如何使用 `RemoveClientIdFromOpenIdConnectProvider`。
------
#### [ CLI ]
**AWS CLI**
**若要從已向指定 IAM OpenID Connect 提供者註冊的用戶端 ID 清單中移除指定的用戶端 ID**
此範例會從與 ARN 為 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 的 IAM OIDC 提供者關聯的用戶端 ID 清單中移除用戶端 ID `My-TestApp-3`。
```
aws iam remove-client-id-from-open-id-connect-provider
--client-id My-TestApp-3 \
--open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
此命令不會產生輸出。
如需詳細資訊,請參閱 *AWS IAM User Guide* 中的 [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [RemoveClientIdFromOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/remove-client-id-from-open-id-connect-provider.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從與 ARN 為 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 的 IAM OIDC 提供者關聯的用戶端 ID 清單中移除用戶端 ID `My-TestApp-3`。**
```
Remove-IAMClientIDFromOpenIDConnectProvider -ClientID My-TestApp-3 -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [RemoveClientIdFromOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從與 ARN 為 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 的 IAM OIDC 提供者關聯的用戶端 ID 清單中移除用戶端 ID `My-TestApp-3`。**
```
Remove-IAMClientIDFromOpenIDConnectProvider -ClientID My-TestApp-3 -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [RemoveClientIdFromOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `RemoveRoleFromInstanceProfile` 與 CLI
下列程式碼範例示範如何使用 `RemoveRoleFromInstanceProfile`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
------
#### [ CLI ]
**AWS CLI**
**若要從執行個體設定檔中移除角色**
下列 `remove-role-from-instance-profile` 命令會將名為 `Test-Role` 的角色從名為 `ExampleInstanceProfile` 的執行個體設定檔中移除。
```
aws iam remove-role-from-instance-profile \
--instance-profile-name ExampleInstanceProfile \
--role-name Test-Role
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[使用執行個體設定檔](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [RemoveRoleFromInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/remove-role-from-instance-profile.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將名為 `MyNewRole` 的角色從名為 `MyNewRole` 的 EC2 執行個體設定檔中刪除。在 IAM 主控台中建立的執行個體設定檔一律與角色同名,如本範例中所示。如果您在 API 或 CLI 中建立它們,則它們可以有不同的名稱。**
```
Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyNewRole -RoleName MyNewRole -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將名為 `MyNewRole` 的角色從名為 `MyNewRole` 的 EC2 執行個體設定檔中刪除。在 IAM 主控台中建立的執行個體設定檔一律與角色同名,如本範例中所示。如果您在 API 或 CLI 中建立它們,則它們可以有不同的名稱。**
```
Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyNewRole -RoleName MyNewRole -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `RemoveUserFromGroup` 與 CLI
下列程式碼範例示範如何使用 `RemoveUserFromGroup`。
------
#### [ CLI ]
**AWS CLI**
**從 IAM 群組移除使用者**
下列 `remove-user-from-group` 命令會將名為 `Bob` 的使用者從名為 `Admins` 的 IAM 群組中移除。
```
aws iam remove-user-from-group \
--user-name Bob \
--group-name Admins
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 IAM 使用者群組中新增和移除使用者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [RemoveUserFromGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/remove-user-from-group.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從 `Testers` 群組中移除 IAM 使用者 `Bob`。**
```
Remove-IAMUserFromGroup -GroupName Testers -UserName Bob
```
**範例 2:此範例會尋找 IAM 使用者 `Theresa` 所屬的任意群組,然後從這些群組中移除 `Theresa`。**
```
$groups = Get-IAMGroupForUser -UserName Theresa
foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName Theresa -Force }
```
**範例 3:此範例顯示從 `Testers` 群組中移除 IAM 使用者 `Bob` 的替代方式。**
```
Get-IAMGroupForUser -UserName Bob | Remove-IAMUserFromGroup -UserName Bob -GroupName Testers -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [RemoveUserFromGroup](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從 `Testers` 群組中移除 IAM 使用者 `Bob`。**
```
Remove-IAMUserFromGroup -GroupName Testers -UserName Bob
```
**範例 2:此範例會尋找 IAM 使用者 `Theresa` 所屬的任意群組,然後從這些群組中移除 `Theresa`。**
```
$groups = Get-IAMGroupForUser -UserName Theresa
foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName Theresa -Force }
```
**範例 3:此範例顯示從 `Testers` 群組中移除 IAM 使用者 `Bob` 的替代方式。**
```
Get-IAMGroupForUser -UserName Bob | Remove-IAMUserFromGroup -UserName Bob -GroupName Testers -Force
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [RemoveUserFromGroup](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `ResyncMfaDevice` 與 CLI
下列程式碼範例示範如何使用 `ResyncMfaDevice`。
------
#### [ CLI ]
**AWS CLI**
**若要同步 MFA 裝置**
下列 `resync-mfa-device` 範例會將與 IAM 使用者 `Bob` 關聯且 ARN 為 `arn:aws:iam::123456789012:mfa/BobsMFADevice` 的 MFA 裝置,與提供兩個驗證碼的身分驗證器程式同步。
```
aws iam resync-mfa-device \
--user-name Bob \
--serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
--authentication-code1 123456 \
--authentication-code2 987654
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 AWS中使用多重要素驗證 (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [ResyncMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/resync-mfa-device.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將與 IAM 使用者 `Bob` 關聯且 ARN 為 `arn:aws:iam::123456789012:mfa/bob` 的 MFA 裝置,與提供兩個驗證碼的身分驗證器程式同步。**
```
Sync-IAMMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/theresa -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Bob
```
**範例 2:此範例會將與 IAM 使用者 `Theresa` 關聯的 IAM MFA 裝置,與序號為 `ABCD12345678` 並提供兩個驗證碼的實體裝置同步。**
```
Sync-IAMMFADevice -SerialNumber ABCD12345678 -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Theresa
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [ResyncMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將與 IAM 使用者 `Bob` 關聯且 ARN 為 `arn:aws:iam::123456789012:mfa/bob` 的 MFA 裝置,與提供兩個驗證碼的身分驗證器程式同步。**
```
Sync-IAMMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/theresa -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Bob
```
**範例 2:此範例會將與 IAM 使用者 `Theresa` 關聯的 IAM MFA 裝置,與序號為 `ABCD12345678` 並提供兩個驗證碼的實體裝置同步。**
```
Sync-IAMMFADevice -SerialNumber ABCD12345678 -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Theresa
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [ResyncMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `SetDefaultPolicyVersion` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `SetDefaultPolicyVersion`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [復原政策版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md)
------
#### [ CLI ]
**AWS CLI**
**若要將指定政策的指定版本設定為政策的預設版本。**
此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/MyPolicy` 的政策的 `v2` 版本設定為預設的作用中版本。
```
aws iam set-default-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
--version-id v2
```
如需詳細資訊,請參閱「 IAM 使用者指南」*AWS *中的 [IAM 中的政策和許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。
+ 如需 API 詳細資訊,請參閱 *AWS CLI Command Reference* 中的 [SetDefaultPolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/set-default-policy-version.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/MyPolicy` 的政策的 `v2` 版本設定為預設的作用中版本。**
```
Set-IAMDefaultPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -VersionId v2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [SetDefaultPolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將 ARN 為 `arn:aws:iam::123456789012:policy/MyPolicy` 的政策的 `v2` 版本設定為預設的作用中版本。**
```
Set-IAMDefaultPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -VersionId v2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [SetDefaultPolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->setdefaultpolicyversion(
iv_policyarn = iv_policy_arn
iv_versionid = iv_version_id ).
MESSAGE 'Default policy version set successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Policy or version does not exist.' TYPE 'E'.
CATCH /aws1/cx_iaminvalidinputex.
MESSAGE 'Invalid input provided.' TYPE 'E'.
CATCH /aws1/cx_iamlimitexceededex.
MESSAGE 'Limit exceeded.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [SetDefaultPolicyVersion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `TagRole` 與 CLI
下列程式碼範例示範如何使用 `TagRole`。
------
#### [ CLI ]
**AWS CLI**
**若要將標籤新增至角色**
下列 `tag-role` 命令會將含部門名稱的標籤新增至指定角色。
```
aws iam tag-role --role-name my-role \
--tags '{"Key": "Department", "Value": "Accounting"}'
```
此命令不會產生輸出。
如需詳細資訊,請參閱 *AWS IAM User Guide* 中的 [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [TagRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/tag-role.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會標籤新增至 Identity Management Service 中的角色**
```
Add-IAMRoleTag -RoleName AdminRoleacess -Tag @{ Key = 'abac'; Value = 'testing'}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [TagRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會標籤新增至 Identity Management Service 中的角色**
```
Add-IAMRoleTag -RoleName AdminRoleacess -Tag @{ Key = 'abac'; Value = 'testing'}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [TagRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `TagUser` 與 CLI
下列程式碼範例示範如何使用 `TagUser`。
------
#### [ CLI ]
**AWS CLI**
**若要將標籤新增至使用者**
下列 `tag-user` 命令將含關聯部門的標籤新增至指定使用者。
```
aws iam tag-user \
--user-name alice \
--tags '{"Key": "Department", "Value": "Accounting"}'
```
此命令不會產生輸出。
如需詳細資訊,請參閱 *AWS IAM User Guide* 中的 [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [TagUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/tag-user.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會標籤新增至 Identity Management Service 中的使用者**
```
Add-IAMUserTag -UserName joe -Tag @{ Key = 'abac'; Value = 'testing'}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [TagUser](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會標籤新增至 Identity Management Service 中的使用者**
```
Add-IAMUserTag -UserName joe -Tag @{ Key = 'abac'; Value = 'testing'}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [TagUser](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UntagRole` 與 CLI
下列程式碼範例示範如何使用 `UntagRole`。
------
#### [ CLI ]
**AWS CLI**
**若要從角色中移除標籤**
下列 `untag-role` 命令會從指定的角色移除任何金鑰名稱為「Department」的標籤。
```
aws iam untag-role \
--role-name my-role \
--tag-keys Department
```
此命令不會產生輸出。
如需詳細資訊,請參閱 *AWS IAM User Guide* 中的 [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UntagRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/untag-role.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從名為「MyRoleName」且標籤索引鍵為「abac」的角色中移除標籤。若要移除多個標籤,請提供以逗號分隔的標籤索引鍵清單。**
```
Remove-IAMRoleTag -RoleName MyRoleName -TagKey "abac","xyzw"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UntagRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從名為「MyRoleName」且標籤索引鍵為「abac」的角色中移除標籤。若要移除多個標籤,請提供以逗號分隔的標籤索引鍵清單。**
```
Remove-IAMRoleTag -RoleName MyRoleName -TagKey "abac","xyzw"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UntagRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UntagUser` 與 CLI
下列程式碼範例示範如何使用 `UntagUser`。
------
#### [ CLI ]
**AWS CLI**
**若要從使用者中移除標籤**
下列 `untag-user` 命令會從指定的使用者移除任何金鑰名稱為「Department」的標籤。
```
aws iam untag-user \
--user-name alice \
--tag-keys Department
```
此命令不會產生輸出。
如需詳細資訊,請參閱 *AWS IAM User Guide* 中的 [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UntagUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/untag-user.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會從名為「joe」且標籤索引鍵為「abac」和「xyzw」的使用者中移除標籤。若要移除多個標籤,請提供以逗號分隔的標籤索引鍵清單。**
```
Remove-IAMUserTag -UserName joe -TagKey "abac","xyzw"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UntagUser](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會從名為「joe」且標籤索引鍵為「abac」和「xyzw」的使用者中移除標籤。若要移除多個標籤,請提供以逗號分隔的標籤索引鍵清單。**
```
Remove-IAMUserTag -UserName joe -TagKey "abac","xyzw"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UntagUser](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `UpdateAccessKey` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `UpdateAccessKey`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
------
#### [ Bash ]
**AWS CLI 搭配 Bash 指令碼**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中設定和執行。
```
###############################################################################
# function iam_update_access_key
#
# This function can activate or deactivate an IAM access key for the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user.
# -k access_key -- The access key to update.
# -a -- Activate the selected access key.
# -d -- Deactivate the selected access key.
#
# Example:
# # To deactivate the selected access key for IAM user Bob
# iam_update_access_key -u Bob -k AKIAIOSFODNN7EXAMPLE -d
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_update_access_key() {
local user_name access_key status response
local option OPTARG # Required to use getopts command in a function.
local activate_flag=false deactivate_flag=false
# bashsupport disable=BP5008
function usage() {
echo "function iam_update_access_key"
echo "Updates the status of an AWS Identity and Access Management (IAM) access key for the specified IAM user"
echo " -u user_name The name of the user."
echo " -k access_key The access key to update."
echo " -a Activate the access key."
echo " -d Deactivate the access key."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:k:adh" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
k) access_key="${OPTARG}" ;;
a) activate_flag=true ;;
d) deactivate_flag=true ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
# Validate input parameters
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
if [[ -z "$access_key" ]]; then
errecho "ERROR: You must provide an access key with the -k parameter."
usage
return 1
fi
# Ensure that only -a or -d is specified
if [[ "$activate_flag" == true && "$deactivate_flag" == true ]]; then
errecho "ERROR: You cannot specify both -a (activate) and -d (deactivate) at the same time."
usage
return 1
fi
# If neither -a nor -d is provided, return an error
if [[ "$activate_flag" == false && "$deactivate_flag" == false ]]; then
errecho "ERROR: You must specify either -a (activate) or -d (deactivate)."
usage
return 1
fi
# Determine the status based on the flag
if [[ "$activate_flag" == true ]]; then
status="Active"
elif [[ "$deactivate_flag" == true ]]; then
status="Inactive"
fi
iecho "Parameters:\n"
iecho " Username: $user_name"
iecho " Access key: $access_key"
iecho " New status: $status"
iecho ""
# Update the access key status
response=$(aws iam update-access-key \
--user-name "$user_name" \
--access-key-id "$access_key" \
--status "$status" 2>&1)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports update-access-key operation failed.\n$response"
return 1
fi
iecho "update-access-key response: $response"
iecho
return 0
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [UpdateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/UpdateAccessKey)。
------
#### [ C\$1\$1 ]
**適用於 C\$1\$1 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::updateAccessKey(const Aws::String &userName,
const Aws::String &accessKeyID,
Aws::IAM::Model::StatusType status,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::UpdateAccessKeyRequest request;
request.SetUserName(userName);
request.SetAccessKeyId(accessKeyID);
request.SetStatus(status);
auto outcome = iam.UpdateAccessKey(request);
if (outcome.IsSuccess()) {
std::cout << "Successfully updated status of access key "
<< accessKeyID << " for user " << userName << std::endl;
}
else {
std::cerr << "Error updated status of access key " << accessKeyID <<
" for user " << userName << ": " <<
outcome.GetError().GetMessage() << std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [UpdateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/UpdateAccessKey)。
------
#### [ CLI ]
**AWS CLI**
**啟用或停用 IAM 使用者的存取金鑰**
下列 `update-access-key` 命令會為名為 `Bob` 的 IAM 使用者停用指定的存取金鑰 (存取金鑰 ID 與私密存取金鑰)。
```
aws iam update-access-key \
--access-key-id AKIAIOSFODNN7EXAMPLE \
--status Inactive \
--user-name Bob
```
此命令不會產生輸出。
停用金鑰表示它無法用於程式設計存取 AWS。但是,金鑰仍然可用,並且可以重新啟用。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的存取金鑰](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [UpdateAccessKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-access-key.html)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.StatusType;
import software.amazon.awssdk.services.iam.model.UpdateAccessKeyRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class UpdateAccessKey {
private static StatusType statusType;
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
username - The name of the user whose key you want to update.\s
accessId - The access key ID of the secret access key you want to update.\s
status - The status you want to assign to the secret access key.\s
""";
if (args.length != 3) {
System.out.println(usage);
System.exit(1);
}
String username = args[0];
String accessId = args[1];
String status = args[2];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
updateKey(iam, username, accessId, status);
System.out.println("Done");
iam.close();
}
public static void updateKey(IamClient iam, String username, String accessId, String status) {
try {
if (status.toLowerCase().equalsIgnoreCase("active")) {
statusType = StatusType.ACTIVE;
} else if (status.toLowerCase().equalsIgnoreCase("inactive")) {
statusType = StatusType.INACTIVE;
} else {
statusType = StatusType.UNKNOWN_TO_SDK_VERSION;
}
UpdateAccessKeyRequest request = UpdateAccessKeyRequest.builder()
.accessKeyId(accessId)
.userName(username)
.status(statusType)
.build();
iam.updateAccessKey(request);
System.out.printf("Successfully updated the status of access key %s to" +
"status %s for user %s", accessId, status, username);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [UpdateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/UpdateAccessKey)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
更新存取金鑰。
```
import {
UpdateAccessKeyCommand,
IAMClient,
StatusType,
} from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} userName
* @param {string} accessKeyId
*/
export const updateAccessKey = (userName, accessKeyId) => {
const command = new UpdateAccessKeyCommand({
AccessKeyId: accessKeyId,
Status: StatusType.Inactive,
UserName: userName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [UpdateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/UpdateAccessKeyCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
AccessKeyId: "ACCESS_KEY_ID",
Status: "Active",
UserName: "USER_NAME",
};
iam.updateAccessKey(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [UpdateAccessKey](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/UpdateAccessKey)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將名為 `Bob` 之 IAM 使用者的存取金鑰 `AKIAIOSFODNN7EXAMPLE` 的狀態變更為`Inactive`。**
```
Update-IAMAccessKey -UserName Bob -AccessKeyId AKIAIOSFODNN7EXAMPLE -Status Inactive
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateAccessKey](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將名為 `Bob` 之 IAM 使用者的存取金鑰 `AKIAIOSFODNN7EXAMPLE` 的狀態變更為`Inactive`。**
```
Update-IAMAccessKey -UserName Bob -AccessKeyId AKIAIOSFODNN7EXAMPLE -Status Inactive
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateAccessKey](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def update_key(user_name, key_id, activate):
"""
Updates the status of a key.
:param user_name: The user that owns the key.
:param key_id: The ID of the key to update.
:param activate: When True, the key is activated. Otherwise, the key is deactivated.
"""
try:
key = iam.User(user_name).AccessKey(key_id)
if activate:
key.activate()
else:
key.deactivate()
logger.info("%s key %s.", "Activated" if activate else "Deactivated", key_id)
except ClientError:
logger.exception(
"Couldn't %s key %s.", "Activate" if activate else "Deactivate", key_id
)
raise
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [UpdateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/UpdateAccessKey)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->updateaccesskey(
iv_accesskeyid = iv_access_key_id
iv_status = iv_status
iv_username = iv_user_name ).
MESSAGE 'Access key updated successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'Access key or user does not exist.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [UpdateAccessKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateAccountPasswordPolicy` 與 CLI
下列程式碼範例示範如何使用 `UpdateAccountPasswordPolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要設定或變更目前的帳戶密碼政策**
下列 `update-account-password-policy` 命令會設定密碼政策,要求密碼最小長度為 8 個字元,且必須包含一個或多個數字。
```
aws iam update-account-password-policy \
--minimum-password-length 8 \
--require-numbers
```
此命令不會產生輸出。
變更帳戶的密碼政策會影響為帳戶中的 IAM 使用者建立的任何新密碼。密碼政策變更不影響現有密碼。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[設定 IAM 使用者的帳戶密碼政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateAccountPasswordPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-account-password-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會使用指定設定更新帳戶的密碼政策。請注意,命令中未包含的任何參數都不會保持不變。相反,它們會重設為預設值。**
```
Update-IAMAccountPasswordPolicy -AllowUsersToChangePasswords $true -HardExpiry $false -MaxPasswordAge 90 -MinimumPasswordLength 8 -PasswordReusePrevention 20 -RequireLowercaseCharacters $true -RequireNumbers $true -RequireSymbols $true -RequireUppercaseCharacters $true
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會使用指定設定更新帳戶的密碼政策。請注意,命令中未包含的任何參數都不會保持不變。相反,它們會重設為預設值。**
```
Update-IAMAccountPasswordPolicy -AllowUsersToChangePasswords $true -HardExpiry $false -MaxPasswordAge 90 -MinimumPasswordLength 8 -PasswordReusePrevention 20 -RequireLowercaseCharacters $true -RequireNumbers $true -RequireSymbols $true -RequireUppercaseCharacters $true
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateAssumeRolePolicy` 與 CLI
下列程式碼範例示範如何使用 `UpdateAssumeRolePolicy`。
------
#### [ CLI ]
**AWS CLI**
**若要更新 IAM 角色的信任政策**
下列 `update-assume-role-policy` 命令會更新名為 `Test-Role` 之角色的信任政策。
```
aws iam update-assume-role-policy \
--role-name Test-Role \
--policy-document file://Test-Role-Trust-Policy.json
```
此命令不會產生輸出。
在 *Test-Role-Trust-Policy.json* 檔案中,將信任政策定義為 JSON 文件。(檔案名稱和副檔名沒有意義。) 信任政策必須指定主體。
若要更新角色的許可政策,請使用 `put-role-policy` 命令。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateAssumeRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會使用新的信任政策更新名為 `ClientRole` 的 IAM 角色,其內容來自 `ClientRolePolicy.json` 檔案。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 檔案的內容。**
```
Update-IAMAssumeRolePolicy -RoleName ClientRole -PolicyDocument (Get-Content -raw ClientRolePolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateAssumeRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會使用新的信任政策更新名為 `ClientRole` 的 IAM 角色,其內容來自 `ClientRolePolicy.json` 檔案。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 檔案的內容。**
```
Update-IAMAssumeRolePolicy -RoleName ClientRole -PolicyDocument (Get-Content -raw ClientRolePolicy.json)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateAssumeRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateGroup` 與 CLI
下列程式碼範例示範如何使用 `UpdateGroup`。
------
#### [ CLI ]
**AWS CLI**
**若要重新命名 IAM 群組**
下列 `update-group` 命令會將 IAM 群組 `Test` 的名稱變更為 `Test-1`。
```
aws iam update-group \
--group-name Test \
--new-group-name Test-1
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[重新命名 IAM 使用者群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_rename.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-group.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將 IAM 群組 `Testers` 重新命名為 `AppTesters`。**
```
Update-IAMGroup -GroupName Testers -NewGroupName AppTesters
```
**範例 2:此範例會將 IAM 群組 `AppTesters` 的路徑變更為 `/Org1/Org2/`。這會將群組的 ARN 變更為 `arn:aws:iam::123456789012:group/Org1/Org2/AppTesters`。**
```
Update-IAMGroup -GroupName AppTesters -NewPath /Org1/Org2/
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateGroup](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將 IAM 群組 `Testers` 重新命名為 `AppTesters`。**
```
Update-IAMGroup -GroupName Testers -NewGroupName AppTesters
```
**範例 2:此範例會將 IAM 群組 `AppTesters` 的路徑變更為 `/Org1/Org2/`。這會將群組的 ARN 變更為 `arn:aws:iam::123456789012:group/Org1/Org2/AppTesters`。**
```
Update-IAMGroup -GroupName AppTesters -NewPath /Org1/Org2/
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateGroup](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateLoginProfile` 與 CLI
下列程式碼範例示範如何使用 `UpdateLoginProfile`。
------
#### [ CLI ]
**AWS CLI**
**若要更新 IAM 使用者的密碼**
下列 `update-login-profile` 命令會為名為 `Bob` 的 IAM 使用者建立新的密碼。
```
aws iam update-login-profile \
--user-name Bob \
--password
```
此命令不會產生輸出。
若要設定帳戶的密碼政策,請使用 `update-account-password-policy` 命令。如果新密碼違反帳戶密碼政策,則命令會傳回 `PasswordPolicyViolation` 錯誤。
如果帳戶密碼政策允許,IAM 使用者可以使用 `change-password` 命令變更自己的密碼。
將密碼存放於安全處。密碼一旦遺失,便無法復原,您必須使用 `create-login-profile` 命令建立新密碼。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[管理 IAM 使用者的密碼](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-login-profile.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會為 IAM 使用者 `Bob` 設定新的臨時密碼,並在使用者下次登入時要求其變更密碼。**
```
Update-IAMLoginProfile -UserName Bob -Password "P@ssw0rd1234" -PasswordResetRequired $true
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會為 IAM 使用者 `Bob` 設定新的臨時密碼,並在使用者下次登入時要求其變更密碼。**
```
Update-IAMLoginProfile -UserName Bob -Password "P@ssw0rd1234" -PasswordResetRequired $true
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateOpenIdConnectProviderThumbprint` 與 CLI
下列程式碼範例示範如何使用 `UpdateOpenIdConnectProviderThumbprint`。
------
#### [ CLI ]
**AWS CLI**
**若要以新清單取代現有的伺服器憑證指紋清單**
此範例會更新 ARN 為 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 之 OIDC 提供者的憑證指紋清單,以使用新指紋。
```
aws iam update-open-id-connect-provider-thumbprint \
--open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com \
--thumbprint-list 7359755EXAMPLEabc3060bce3EXAMPLEec4542a3
```
此命令不會產生輸出。
如需詳細資訊,請參閱 *AWS IAM User Guide* 中的 [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateOpenIdConnectProviderThumbprint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-open-id-connect-provider-thumbprint.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會更新 ARN 為 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 之 OIDC 提供者的憑證指紋清單,以使用新指紋。當與提供者關聯之憑證變更時,OIDC 提供者會共用新值。**
```
Update-IAMOpenIDConnectProviderThumbprint -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com -ThumbprintList 7359755EXAMPLEabc3060bce3EXAMPLEec4542a3
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateOpenIdConnectProviderThumbprint](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會更新 ARN 為 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 之 OIDC 提供者的憑證指紋清單,以使用新指紋。當與提供者關聯之憑證變更時,OIDC 提供者會共用新值。**
```
Update-IAMOpenIDConnectProviderThumbprint -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com -ThumbprintList 7359755EXAMPLEabc3060bce3EXAMPLEec4542a3
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateOpenIdConnectProviderThumbprint](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateRole` 與 CLI
下列程式碼範例示範如何使用 `UpdateRole`。
------
#### [ CLI ]
**AWS CLI**
**若要變更 IAM 角色的描述或工作階段持續時間**
下列 `update-role` 命令會將 IAM 角色 `production-role` 的描述變更為 `Main production role`,並將工作階段持續時間上限設定為 12 小時。
```
aws iam update-role \
--role-name production-role \
--description 'Main production role' \
--max-session-duration 43200
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-role.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會更新角色描述,以及可以請求角色工作階段的工作階段持續時間值上限 (以秒為單位)。**
```
Update-IAMRole -RoleName MyRoleName -Description "My testing role" -MaxSessionDuration 43200
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateRole](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會更新角色描述,以及可以請求角色工作階段的工作階段持續時間值上限 (以秒為單位)。**
```
Update-IAMRole -RoleName MyRoleName -Description "My testing role" -MaxSessionDuration 43200
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateRole](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateRoleDescription` 與 CLI
下列程式碼範例示範如何使用 `UpdateRoleDescription`。
------
#### [ CLI ]
**AWS CLI**
**變更 IAM 角色的描述**
下列 `update-role` 命令會將 IAM 角色的描述從 `production-role` 變更為 `Main production role`。
```
aws iam update-role-description \
--role-name production-role \
--description 'Main production role'
```
輸出:
```
{
"Role": {
"Path": "/",
"RoleName": "production-role",
"RoleId": "AROA1234567890EXAMPLE",
"Arn": "arn:aws:iam::123456789012:role/production-role",
"CreateDate": "2017-12-06T17:16:37+00:00",
"AssumeRolePolicyDocument": {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
},
"Description": "Main production role"
}
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateRoleDescription](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-role-description.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會更新您的帳戶中 IAM 角色的描述。**
```
Update-IAMRoleDescription -RoleName MyRoleName -Description "My testing role"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateRoleDescription](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會更新您的帳戶中 IAM 角色的描述。**
```
Update-IAMRoleDescription -RoleName MyRoleName -Description "My testing role"
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateRoleDescription](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateSamlProvider` 與 CLI
下列程式碼範例示範如何使用 `UpdateSamlProvider`。
------
#### [ CLI ]
**AWS CLI**
**若要更新現有 SAML 提供者的中繼資料文件**
此範例會更新 IAM 中 ARN 為 `arn:aws:iam::123456789012:saml-provider/SAMLADFS`、使用檔案 `SAMLMetaData.xml` 中的新 SAML 中繼資料文件的 SAML 提供者。
```
aws iam update-saml-provider \
--saml-metadata-document file://SAMLMetaData.xml \
--saml-provider-arn arn:aws:iam::123456789012:saml-provider/SAMLADFS
```
輸出:
```
{
"SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/SAMLADFS"
}
```
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[建立 IAM SAML 身分提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateSamlProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-saml-provider.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會更新 IAM 中 ARN 為 `arn:aws:iam::123456789012:saml-provider/SAMLADFS`、使用檔案 `SAMLMetaData.xml` 中的新 SAML 中繼資料文件的 SAML 提供者。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 檔案的內容。**
```
Update-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFS -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateSamlProvider](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會更新 IAM 中 ARN 為 `arn:aws:iam::123456789012:saml-provider/SAMLADFS`、使用檔案 `SAMLMetaData.xml` 中的新 SAML 中繼資料文件的 SAML 提供者。請注意,必須使用 `-Raw` 切換參數,才能成功處理 JSON 檔案的內容。**
```
Update-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFS -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml)
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateSamlProvider](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `UpdateServerCertificate` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `UpdateServerCertificate`。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::updateServerCertificate(const Aws::String ¤tCertificateName,
const Aws::String &newCertificateName,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::UpdateServerCertificateRequest request;
request.SetServerCertificateName(currentCertificateName);
request.SetNewServerCertificateName(newCertificateName);
auto outcome = iam.UpdateServerCertificate(request);
bool result = true;
if (outcome.IsSuccess()) {
std::cout << "Server certificate " << currentCertificateName
<< " successfully renamed as " << newCertificateName
<< std::endl;
}
else {
if (outcome.GetError().GetErrorType() != Aws::IAM::IAMErrors::NO_SUCH_ENTITY) {
std::cerr << "Error changing name of server certificate " <<
currentCertificateName << " to " << newCertificateName << ":" <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Certificate '" << currentCertificateName
<< "' not found." << std::endl;
}
}
return result;
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [UpdateServerCertificate](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/UpdateServerCertificate)。
------
#### [ CLI ]
**AWS CLI**
**變更 AWS 帳戶中伺服器憑證的路徑或名稱**
下列 `update-server-certificate` 命令會將憑證名稱從 `myServerCertificate` 變更為 `myUpdatedServerCertificate`。該命令也會將路徑變更為 `/cloudfront/`,這樣 Amazon CloudFront 服務就可以存取該路徑。此命令不會產生輸出。您可以透過執行 `list-server-certificates` 命令來查看更新的結果。
```
aws-iam update-server-certificate \
--server-certificate-name myServerCertificate \
--new-server-certificate-name myUpdatedServerCertificate \
--new-path /cloudfront/
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[在 IAM 中管理伺服器憑證](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [UpdateServerCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-server-certificate.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
更新伺服器憑證。
```
import { UpdateServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} currentName
* @param {string} newName
*/
export const updateServerCertificate = (currentName, newName) => {
const command = new UpdateServerCertificateCommand({
ServerCertificateName: currentName,
NewServerCertificateName: newName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [UpdateServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/UpdateServerCertificateCommand)。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
ServerCertificateName: "CERTIFICATE_NAME",
NewServerCertificateName: "NEW_CERTIFICATE_NAME",
};
iam.updateServerCertificate(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK 開發人員指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating)。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 [UpdateServerCertificate](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/UpdateServerCertificate)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將名為 `MyServerCertificate` 的憑證重新命名為 `MyRenamedServerCertificate`。**
```
Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewServerCertificateName MyRenamedServerCertificate
```
**範例 2:此範例會將名為 `MyServerCertificate` 的憑證移至路徑 /Org1/Org2/。這會將資源的 ARN 變更為 `arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate`。**
```
Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewPath /Org1/Org2/
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將名為 `MyServerCertificate` 的憑證重新命名為 `MyRenamedServerCertificate`。**
```
Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewServerCertificateName MyRenamedServerCertificate
```
**範例 2:此範例會將名為 `MyServerCertificate` 的憑證移至路徑 /Org1/Org2/。這會將資源的 ARN 變更為 `arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate`。**
```
Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewPath /Org1/Org2/
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
列出、更新和刪除伺服器憑證。
```
class ServerCertificateManager
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
@logger.progname = 'ServerCertificateManager'
end
# Creates a new server certificate.
# @param name [String] the name of the server certificate
# @param certificate_body [String] the contents of the certificate
# @param private_key [String] the private key contents
# @return [Boolean] returns true if the certificate was successfully created
def create_server_certificate(name, certificate_body, private_key)
@iam_client.upload_server_certificate({
server_certificate_name: name,
certificate_body: certificate_body,
private_key: private_key
})
true
rescue Aws::IAM::Errors::ServiceError => e
puts "Failed to create server certificate: #{e.message}"
false
end
# Lists available server certificate names.
def list_server_certificate_names
response = @iam_client.list_server_certificates
if response.server_certificate_metadata_list.empty?
@logger.info('No server certificates found.')
return
end
response.server_certificate_metadata_list.each do |certificate_metadata|
@logger.info("Certificate Name: #{certificate_metadata.server_certificate_name}")
end
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error listing server certificates: #{e.message}")
end
# Updates the name of a server certificate.
def update_server_certificate_name(current_name, new_name)
@iam_client.update_server_certificate(
server_certificate_name: current_name,
new_server_certificate_name: new_name
)
@logger.info("Server certificate name updated from '#{current_name}' to '#{new_name}'.")
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error updating server certificate name: #{e.message}")
false
end
# Deletes a server certificate.
def delete_server_certificate(name)
@iam_client.delete_server_certificate(server_certificate_name: name)
@logger.info("Server certificate '#{name}' deleted.")
true
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting server certificate: #{e.message}")
false
end
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [UpdateServerCertificate](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/UpdateServerCertificate)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UpdateSigningCertificate` 與 CLI
下列程式碼範例示範如何使用 `UpdateSigningCertificate`。
------
#### [ CLI ]
**AWS CLI**
**若要啟用或停用 IAM 使用者的簽署憑證**
下列 `update-signing-certificate` 命令將停用名為 `Bob` 之 IAM 使用者的指定簽署憑證。
```
aws iam update-signing-certificate \
--certificate-id TA7SMP42TDN5Z26OBPJE7EXAMPLE \
--status Inactive \
--user-name Bob
```
若要取得簽署憑證的 ID,請使用 `list-signing-certificates` 命令。
如需詳細資訊,請參閱《Amazon EC2 使用者指南》**中的[管理簽署憑證](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-up-ami-tools.html#ami-tools-managing-certs)。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UpdateSigningCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-signing-certificate.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會更新與名為 `Bob`、憑證 ID 為 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的 IAM 使用者關聯的憑證,將其標示為非作用中。**
```
Update-IAMSigningCertificate -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU -UserName Bob -Status Inactive
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateSigningCertificate](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會更新與名為 `Bob`、憑證 ID 為 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的 IAM 使用者關聯的憑證,將其標示為非作用中。**
```
Update-IAMSigningCertificate -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU -UserName Bob -Status Inactive
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateSigningCertificate](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `UpdateUser` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `UpdateUser`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中設定和執行。
```
bool AwsDoc::IAM::updateUser(const Aws::String ¤tUserName,
const Aws::String &newUserName,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient iam(clientConfig);
Aws::IAM::Model::UpdateUserRequest request;
request.SetUserName(currentUserName);
request.SetNewUserName(newUserName);
auto outcome = iam.UpdateUser(request);
if (outcome.IsSuccess()) {
std::cout << "IAM user " << currentUserName <<
" successfully updated with new user name " << newUserName <<
std::endl;
}
else {
std::cerr << "Error updating user name for IAM user " << currentUserName <<
":" << outcome.GetError().GetMessage() << std::endl;
}
return outcome.IsSuccess();
}
```
+ 如需 API 詳細資訊,請參閱 *適用於 C\$1\$1 的 AWS SDK API Reference* 中的 [UpdateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/UpdateUser)。
------
#### [ CLI ]
**AWS CLI**
**變更 IAM 使用者的名稱**
下列 `update-user` 命令會將 IAM 使用者名稱從 `Bob` 變更為 `Robert`。
```
aws iam update-user \
--user-name Bob \
--new-user-name Robert
```
此命令不會產生輸出。
如需詳細資訊,請參閱《AWS IAM 使用者指南》**中的[重新命名 IAM 使用者群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_rename.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [UpdateUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-user.html)。
------
#### [ Java ]
**SDK for Java 2.x**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中設定和執行。
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.UpdateUserRequest;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class UpdateUser {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
curName - The current user name.\s
newName - An updated user name.\s
""";
if (args.length != 2) {
System.out.println(usage);
System.exit(1);
}
String curName = args[0];
String newName = args[1];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
updateIAMUser(iam, curName, newName);
System.out.println("Done");
iam.close();
}
public static void updateIAMUser(IamClient iam, String curName, String newName) {
try {
UpdateUserRequest request = UpdateUserRequest.builder()
.userName(curName)
.newUserName(newName)
.build();
iam.updateUser(request);
System.out.printf("Successfully updated user to username %s", newName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API Reference* 中的 [UpdateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/UpdateUser)。
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
更新使用者。
```
import { UpdateUserCommand, IAMClient } from "@aws-sdk/client-iam";
const client = new IAMClient({});
/**
*
* @param {string} currentUserName
* @param {string} newUserName
*/
export const updateUser = (currentUserName, newUserName) => {
const command = new UpdateUserCommand({
UserName: currentUserName,
NewUserName: newUserName,
});
return client.send(command);
};
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-updating-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 *UpdateUser*。
**SDK for JavaScript (v2)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中設定和執行。
```
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });
var params = {
UserName: process.argv[2],
NewUserName: process.argv[3],
};
iam.updateUser(params, function (err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
```
+ 如需詳細資訊,請參閱《[適用於 JavaScript 的 AWS SDK 開發人員指南](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-updating-users)》。
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》中的 *UpdateUser*。
------
#### [ Kotlin ]
**SDK for Kotlin**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun updateIAMUser(
curName: String?,
newName: String?,
) {
val request =
UpdateUserRequest {
userName = curName
newUserName = newName
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.updateUser(request)
println("Successfully updated user to $newName")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [UpdateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將 IAM 使用者 `Bob` 重新命名為 `Robert`。**
```
Update-IAMUser -UserName Bob -NewUserName Robert
```
**範例 2:此範例會將 IAM 使用者 `Bob` 的路徑變更為 `/Org1/Org2/`,這可有效地將使用者的 ARN 變更為 `arn:aws:iam::123456789012:user/Org1/Org2/bob`。**
```
Update-IAMUser -UserName Bob -NewPath /Org1/Org2/
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UpdateUser](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將 IAM 使用者 `Bob` 重新命名為 `Robert`。**
```
Update-IAMUser -UserName Bob -NewUserName Robert
```
**範例 2:此範例會將 IAM 使用者 `Bob` 的路徑變更為 `/Org1/Org2/`,這可有效地將使用者的 ARN 變更為 `arn:aws:iam::123456789012:user/Org1/Org2/bob`。**
```
Update-IAMUser -UserName Bob -NewPath /Org1/Org2/
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UpdateUser](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。
```
def update_user(user_name, new_user_name):
"""
Updates a user's name.
:param user_name: The current name of the user to update.
:param new_user_name: The new name to assign to the user.
:return: The updated user.
"""
try:
user = iam.User(user_name)
user.update(NewUserName=new_user_name)
logger.info("Renamed %s to %s.", user_name, new_user_name)
except ClientError:
logger.exception("Couldn't update name for user %s.", user_name)
raise
return user
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Python (Boto3) API Reference* 中的 [UpdateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/UpdateUser)。
------
#### [ Ruby ]
**SDK for Ruby**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中設定和執行。
```
# Updates an IAM user's name
#
# @param current_name [String] The current name of the user
# @param new_name [String] The new name of the user
def update_user_name(current_name, new_name)
@iam_client.update_user(user_name: current_name, new_user_name: new_name)
true
rescue StandardError => e
@logger.error("Error updating user name from '#{current_name}' to '#{new_name}': #{e.message}")
false
end
```
+ 如需 API 詳細資訊,請參閱 *適用於 Ruby 的 AWS SDK API Reference* 中的 [UpdateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/UpdateUser)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中設定和執行。
```
TRY.
lo_iam->updateuser(
iv_username = iv_user_name
iv_newusername = iv_new_user_name ).
MESSAGE 'User updated successfully.' TYPE 'I'.
CATCH /aws1/cx_iamnosuchentityex.
MESSAGE 'User does not exist.' TYPE 'E'.
CATCH /aws1/cx_iamentityalrdyexex.
MESSAGE 'New user name already exists.' TYPE 'E'.
ENDTRY.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [UpdateUser](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# `UploadServerCertificate` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `UploadServerCertificate`。
------
#### [ CLI ]
**AWS CLI**
**將伺服器憑證上傳至 AWS 您的帳戶**
下列 **upload-server-certificate** 命令會將伺服器憑證上傳至 AWS 您的帳戶。在此範例中,憑證位於檔案 `public_key_cert_file.pem` 中,相關聯的私密金鑰位於檔案 `my_private_key.pem` 中,而憑證授權機構 (CA) 提供的憑證鏈結位於 `my_certificate_chain_file.pem` 檔案中。檔案上傳完成後,其就會以 *myServerCertificate* 名稱提供使用。以 `file://` 開頭的參數會告訴命令讀取檔案的內容,並將其用作參數值 (而不是檔案名稱本身)。
```
aws iam upload-server-certificate \
--server-certificate-name myServerCertificate \
--certificate-body file://public_key_cert_file.pem \
--private-key file://my_private_key.pem \
--certificate-chain file://my_certificate_chain_file.pem
```
輸出:
```
{
"ServerCertificateMetadata": {
"Path": "/",
"ServerCertificateName": "myServerCertificate",
"ServerCertificateId": "ASCAEXAMPLE123EXAMPLE",
"Arn": "arn:aws:iam::1234567989012:server-certificate/myServerCertificate",
"UploadDate": "2019-04-22T21:13:44+00:00",
"Expiration": "2019-10-15T22:23:16+00:00"
}
}
```
如需詳細資訊,請參閱《使用 IAM 指南》**中的「建立、上傳和刪除伺服器憑證」。
+ 如需 API 詳細資訊,請參閱 *AWS CLI Command Reference* 中的 [UploadServrCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/upload-server-certificate.html)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中設定和執行。
```
import { UploadServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam";
import { readFileSync } from "node:fs";
import { dirnameFromMetaUrl } from "@aws-doc-sdk-examples/lib/utils/util-fs.js";
import * as path from "node:path";
const client = new IAMClient({});
const certMessage = `Generate a certificate and key with the following command, or the equivalent for your system.
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -subj "/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"
`;
const getCertAndKey = () => {
try {
const cert = readFileSync(
path.join(dirnameFromMetaUrl(import.meta.url), "./example.crt"),
);
const key = readFileSync(
path.join(dirnameFromMetaUrl(import.meta.url), "./example.key"),
);
return { cert, key };
} catch (err) {
if (err.code === "ENOENT") {
throw new Error(
`Certificate and/or private key not found. ${certMessage}`,
);
}
throw err;
}
};
/**
*
* @param {string} certificateName
*/
export const uploadServerCertificate = (certificateName) => {
const { cert, key } = getCertAndKey();
const command = new UploadServerCertificateCommand({
ServerCertificateName: certificateName,
CertificateBody: cert.toString(),
PrivateKey: key.toString(),
});
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱 *適用於 JavaScript 的 AWS SDK API Reference* 中的 [UploadServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/UploadServerCertificateCommand)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會將新伺服器憑證上傳至 IAM 帳戶。包含憑證內文、私有金鑰和 (可選) 憑證鏈的檔案全都必須採用 PEM 編碼。請注意,參數需要檔案的實際內容,而不是檔案名稱。必須使用 `-Raw` 切換參數,才能成功處理檔案內容。**
```
Publish-IAMServerCertificate -ServerCertificateName MyTestCert -CertificateBody (Get-Content -Raw server.crt) -PrivateKey (Get-Content -Raw server.key)
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:server-certificate/MyTestCert
Expiration : 1/14/2018 9:52:36 AM
Path : /
ServerCertificateId : ASCAJIEXAMPLE7J7HQZYW
ServerCertificateName : MyTestCert
UploadDate : 4/21/2015 11:14:16 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UploadServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會將新伺服器憑證上傳至 IAM 帳戶。包含憑證內文、私有金鑰和 (可選) 憑證鏈的檔案全都必須採用 PEM 編碼。請注意,參數需要檔案的實際內容,而不是檔案名稱。必須使用 `-Raw` 切換參數,才能成功處理檔案內容。**
```
Publish-IAMServerCertificate -ServerCertificateName MyTestCert -CertificateBody (Get-Content -Raw server.crt) -PrivateKey (Get-Content -Raw server.key)
```
**輸出:**
```
Arn : arn:aws:iam::123456789012:server-certificate/MyTestCert
Expiration : 1/14/2018 9:52:36 AM
Path : /
ServerCertificateId : ASCAJIEXAMPLE7J7HQZYW
ServerCertificateName : MyTestCert
UploadDate : 4/21/2015 11:14:16 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UploadServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 搭配使用 `UploadSigningCertificate` 與 CLI
下列程式碼範例示範如何使用 `UploadSigningCertificate`。
------
#### [ CLI ]
**AWS CLI**
**若要上傳 IAM 使用者的簽署憑證**
下列 `upload-signing-certificate` 命令會上傳名為 `Bob` 之 IAM 使用者的簽署憑證。
```
aws iam upload-signing-certificate \
--user-name Bob \
--certificate-body file://certificate.pem
```
輸出:
```
{
"Certificate": {
"UserName": "Bob",
"Status": "Active",
"CertificateBody": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----",
"CertificateId": "TA7SMP42TDN5Z26OBPJE7EXAMPLE",
"UploadDate": "2013-06-06T21:40:08.121Z"
}
}
```
憑證位於名為 *certificate.pem* 的 PEM 格式的檔案中。
如需詳細資訊,請參閱《IAM 使用指南》**中的「建立和上傳使用者簽署憑證」。
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [UploadSigningCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/upload-signing-certificate.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會上傳新的 X.509 簽署憑證,並將其與名為 `Bob` 的 IAM 使用者關聯起來。包含憑證內文的檔案經過 PEM 編碼。`CertificateBody` 參數需要憑證檔案的實際內容,而不是檔案名稱。必須使用 `-Raw` 切換參數才能成功處理檔案。**
```
Publish-IAMSigningCertificate -UserName Bob -CertificateBody (Get-Content -Raw SampleSigningCert.pem)
```
**輸出:**
```
CertificateBody : -----BEGIN CERTIFICATE-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
-----END CERTIFICATE-----
CertificateId : Y3EK7RMEXAMPLESV33FCEXAMPLEHMJLU
Status : Active
UploadDate : 4/20/2015 1:26:01 PM
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [UploadSigningCertificate](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會上傳新的 X.509 簽署憑證,並將其與名為 `Bob` 的 IAM 使用者關聯起來。包含憑證內文的檔案經過 PEM 編碼。`CertificateBody` 參數需要憑證檔案的實際內容,而不是檔案名稱。必須使用 `-Raw` 切換參數才能成功處理檔案。**
```
Publish-IAMSigningCertificate -UserName Bob -CertificateBody (Get-Content -Raw SampleSigningCert.pem)
```
**輸出:**
```
CertificateBody : -----BEGIN CERTIFICATE-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
-----END CERTIFICATE-----
CertificateId : Y3EK7RMEXAMPLESV33FCEXAMPLEHMJLU
Status : Active
UploadDate : 4/20/2015 1:26:01 PM
UserName : Bob
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [UploadSigningCertificate](https://docs.aws.amazon.com/powershell/v5/reference)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。
# 使用 AWS SDKs IAM 案例
下列程式碼範例示範如何在 IAM AWS SDKs 中實作常見案例。這些案例會向您展示如何呼叫 IAM 中的多個函數或與其他 AWS 服務組合來完成特定任務。每個案例均包含完整原始碼的連結,您可在連結中找到如何設定和執行程式碼的相關指示。
案例的目標是獲得中等水平的經驗,協助您了解內容中的服務動作。
**Topics**
+ [建置及管理彈性服務](iam_example_cross_ResilientService_section.md)
+ [設定 Amazon ECS Service Connect](iam_example_ecs_ServiceConnect_085_section.md)
+ [使用 Lambda 代理整合建立 REST API](iam_example_api_gateway_GettingStarted_087_section.md)
+ [為 Fargate 啟動類型建立 Amazon ECS Linux 任務](iam_example_ecs_GettingStarted_086_section.md)
+ [建立唯讀和讀寫的使用者](iam_example_iam_Scenario_UserPolicies_section.md)
+ [使用函數名稱做為變數建立 CloudWatch 儀表板](iam_example_cloudwatch_GettingStarted_031_section.md)
+ [為 EC2 啟動類型建立 Amazon ECS 服務](iam_example_ecs_GettingStarted_018_section.md)
+ [建立 Amazon Managed Grafana 工作區](iam_example_iam_GettingStarted_044_section.md)
+ [建立您的第一個 Lambda 函數](iam_example_lambda_GettingStarted_019_section.md)
+ [開始使用 Redshift Serverless](iam_example_redshift_GettingStarted_038_section.md)
+ [IoT Device Defender 入門](iam_example_iot_GettingStarted_079_section.md)
+ [Amazon EKS 入門](iam_example_eks_GettingStarted_034_section.md)
+ [Amazon MSK 入門](iam_example_ec2_GettingStarted_057_section.md)
+ [Amazon Redshift 佈建叢集入門](iam_example_redshift_GettingStarted_039_section.md)
+ [Amazon SageMaker Feature Store 入門](iam_example_iam_GettingStarted_028_section.md)
+ [Config 入門](iam_example_config_service_GettingStarted_053_section.md)
+ [Step Functions 入門](iam_example_iam_GettingStarted_080_section.md)
+ [管理存取金鑰](iam_example_iam_Scenario_ManageAccessKeys_section.md)
+ [管理政策](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [管理角色](iam_example_iam_Scenario_RoleManagement_section.md)
+ [管理您的帳戶](iam_example_iam_Scenario_AccountManagement_section.md)
+ [將硬式編碼秘密移至 Secrets Manager](iam_example_secrets_manager_GettingStarted_073_section.md)
+ [許可政策允許 AWS Compute Optimizer 自動化套用建議的動作](iam_example_iam-policies.AWSMettleDocs.latest.userguide.managed-policies.xml.10_section.md)
+ [在整個組織中啟用自動化的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.2_section.md)
+ [為您的帳戶啟用自動化的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.1_section.md)
+ [授予組織管理帳戶 Compute Optimizer Automation 完整存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.5_section.md)
+ [授予獨立 AWS 帳戶 Compute Optimizer Automation 完整存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.3_section.md)
+ [授予組織管理帳戶 Compute Optimizer Automation 唯讀存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.6_section.md)
+ [授予獨立 AWS 帳戶 Compute Optimizer Automation 唯讀存取權的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.4_section.md)
+ [授予運算最佳化自動化服務連結角色許可的許可政策](iam_example_iam-policies.AWSMettleDocs.latest.userguide.slr-automation.xml.1_section.md)
+ [復原政策版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md)
+ [使用 FIS 在 EC2 執行個體上執行 CPU 壓力測試](iam_example_iam_GettingStarted_069_section.md)
+ [設定屬性型存取控制](iam_example_dynamodb_Scenario_ABACSetup_section.md)
+ [設定 Systems Manager](iam_example_iam_GettingStarted_046_section.md)
+ [在 CloudWatch 儀表板中使用屬性變數來監控多個 Lambda 函數](iam_example_iam_GettingStarted_032_section.md)
+ [使用串流和存留時間](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md)
+ [使用 IAM 政策產生器 API](iam_example_iam_Scenario_IamPolicyBuilder_section.md)
# 使用 AWS SDK 建置和管理彈性服務
下列程式碼範例示範如何建立負載平衡的 Web 服務,以傳回書籍、影片和歌曲建議。此範例顯示服務如何回應失故障,以及如何在發生故障時重組服務以提高復原能力。
+ 使用 Amazon EC2 Auto Scaling 群組根據啟動範本建立 Amazon Elastic Compute Cloud (Amazon EC2) 執行個體,並將執行個體數量保持在指定範圍內。
+ 使用 Elastic Load Balancing 處理和分發 HTTP 請求。
+ 監控 Auto Scaling 群組中執行個體的運作狀態,並且只將請求轉送給運作良好的執行個體。
+ 在每個 EC2 執行個體上執行一個 Python Web 伺服器來處理 HTTP 請求。Web 伺服器會回應建議和運作狀態檢查。
+ 使用 Amazon DynamoDB 資料表模擬建議服務。
+ 透過更新 AWS Systems Manager 參數來控制 Web 伺服器對請求和運作狀態檢查的回應。
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/cross-service/ResilientService#code-examples)中設定和執行。
在命令提示中執行互動式案例。
```
static async Task Main(string[] args)
{
_configuration = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("settings.json") // Load settings from .json file.
.AddJsonFile("settings.local.json",
true) // Optionally, load local settings.
.Build();
// Set up dependency injection for the AWS services.
using var host = Host.CreateDefaultBuilder(args)
.ConfigureLogging(logging =>
logging.AddFilter("System", LogLevel.Debug)
.AddFilter("Microsoft", LogLevel.Information)
.AddFilter("Microsoft", LogLevel.Trace))
.ConfigureServices((_, services) =>
services.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddTransient()
.AddTransient()
.AddTransient()
.AddTransient()
.AddSingleton(_configuration)
)
.Build();
ServicesSetup(host);
ResourcesSetup();
try
{
Console.WriteLine(new string('-', 80));
Console.WriteLine("Welcome to the Resilient Architecture Example Scenario.");
Console.WriteLine(new string('-', 80));
await Deploy(true);
Console.WriteLine("Now let's begin the scenario.");
Console.WriteLine(new string('-', 80));
await Demo(true);
Console.WriteLine(new string('-', 80));
Console.WriteLine("Finally, let's clean up our resources.");
Console.WriteLine(new string('-', 80));
await DestroyResources(true);
Console.WriteLine(new string('-', 80));
Console.WriteLine("Resilient Architecture Example Scenario is complete.");
Console.WriteLine(new string('-', 80));
}
catch (Exception ex)
{
Console.WriteLine(new string('-', 80));
Console.WriteLine($"There was a problem running the scenario: {ex.Message}");
await DestroyResources(true);
Console.WriteLine(new string('-', 80));
}
}
///
/// Setup any common resources, also used for integration testing.
///
public static void ResourcesSetup()
{
_httpClient = new HttpClient();
}
///
/// Populate the services for use within the console application.
///
/// The services host.
private static void ServicesSetup(IHost host)
{
_elasticLoadBalancerWrapper = host.Services.GetRequiredService();
_iamClient = host.Services.GetRequiredService();
_recommendations = host.Services.GetRequiredService();
_autoScalerWrapper = host.Services.GetRequiredService();
_smParameterWrapper = host.Services.GetRequiredService();
}
///
/// Deploy necessary resources for the scenario.
///
/// True to run as interactive.
/// True if successful.
public static async Task Deploy(bool interactive)
{
var protocol = "HTTP";
var port = 80;
var sshPort = 22;
Console.WriteLine(
"\nFor this demo, we'll use the AWS SDK for .NET to create several AWS resources\n" +
"to set up a load-balanced web service endpoint and explore some ways to make it resilient\n" +
"against various kinds of failures.\n\n" +
"Some of the resources create by this demo are:\n");
Console.WriteLine(
"\t* A DynamoDB table that the web service depends on to provide book, movie, and song recommendations.");
Console.WriteLine(
"\t* An EC2 launch template that defines EC2 instances that each contain a Python web server.");
Console.WriteLine(
"\t* An EC2 Auto Scaling group that manages EC2 instances across several Availability Zones.");
Console.WriteLine(
"\t* An Elastic Load Balancing (ELB) load balancer that targets the Auto Scaling group to distribute requests.");
Console.WriteLine(new string('-', 80));
Console.WriteLine("Press Enter when you're ready to start deploying resources.");
if (interactive)
Console.ReadLine();
// Create and populate the DynamoDB table.
var databaseTableName = _configuration["databaseName"];
var recommendationsPath = Path.Join(_configuration["resourcePath"],
"recommendations_objects.json");
Console.WriteLine($"Creating and populating a DynamoDB table named {databaseTableName}.");
await _recommendations.CreateDatabaseWithName(databaseTableName);
await _recommendations.PopulateDatabase(databaseTableName, recommendationsPath);
Console.WriteLine(new string('-', 80));
// Create the EC2 Launch Template.
Console.WriteLine(
$"Creating an EC2 launch template that runs 'server_startup_script.sh' when an instance starts.\n"
+ "\nThis script starts a Python web server defined in the `server.py` script. The web server\n"
+ "listens to HTTP requests on port 80 and responds to requests to '/' and to '/healthcheck'.\n"
+ "For demo purposes, this server is run as the root user. In production, the best practice is to\n"
+ "run a web server, such as Apache, with least-privileged credentials.");
Console.WriteLine(
"\nThe template also defines an IAM policy that each instance uses to assume a role that grants\n"
+ "permissions to access the DynamoDB recommendation table and Systems Manager parameters\n"
+ "that control the flow of the demo.");
var startupScriptPath = Path.Join(_configuration["resourcePath"],
"server_startup_script.sh");
var instancePolicyPath = Path.Join(_configuration["resourcePath"],
"instance_policy.json");
await _autoScalerWrapper.CreateTemplate(startupScriptPath, instancePolicyPath);
Console.WriteLine(new string('-', 80));
Console.WriteLine(
"Creating an EC2 Auto Scaling group that maintains three EC2 instances, each in a different\n"
+ "Availability Zone.\n");
var zones = await _autoScalerWrapper.DescribeAvailabilityZones();
await _autoScalerWrapper.CreateGroupOfSize(3, _autoScalerWrapper.GroupName, zones);
Console.WriteLine(new string('-', 80));
Console.WriteLine(
"At this point, you have EC2 instances created. Once each instance starts, it listens for\n"
+ "HTTP requests. You can see these instances in the console or continue with the demo.\n");
Console.WriteLine(new string('-', 80));
Console.WriteLine("Press Enter when you're ready to continue.");
if (interactive)
Console.ReadLine();
Console.WriteLine("Creating variables that control the flow of the demo.");
await _smParameterWrapper.Reset();
Console.WriteLine(
"\nCreating an Elastic Load Balancing target group and load balancer. The target group\n"
+ "defines how the load balancer connects to instances. The load balancer provides a\n"
+ "single endpoint where clients connect and dispatches requests to instances in the group.");
var defaultVpc = await _autoScalerWrapper.GetDefaultVpc();
var subnets = await _autoScalerWrapper.GetAllVpcSubnetsForZones(defaultVpc.VpcId, zones);
var subnetIds = subnets.Select(s => s.SubnetId).ToList();
var targetGroup = await _elasticLoadBalancerWrapper.CreateTargetGroupOnVpc(_elasticLoadBalancerWrapper.TargetGroupName, protocol, port, defaultVpc.VpcId);
await _elasticLoadBalancerWrapper.CreateLoadBalancerAndListener(_elasticLoadBalancerWrapper.LoadBalancerName, subnetIds, targetGroup);
await _autoScalerWrapper.AttachLoadBalancerToGroup(_autoScalerWrapper.GroupName, targetGroup.TargetGroupArn);
Console.WriteLine("\nVerifying access to the load balancer endpoint...");
var endPoint = await _elasticLoadBalancerWrapper.GetEndpointForLoadBalancerByName(_elasticLoadBalancerWrapper.LoadBalancerName);
var loadBalancerAccess = await _elasticLoadBalancerWrapper.VerifyLoadBalancerEndpoint(endPoint);
if (!loadBalancerAccess)
{
Console.WriteLine("\nCouldn't connect to the load balancer, verifying that the port is open...");
var ipString = await _httpClient.GetStringAsync("https://checkip.amazonaws.com");
ipString = ipString.Trim();
var defaultSecurityGroup = await _autoScalerWrapper.GetDefaultSecurityGroupForVpc(defaultVpc);
var portIsOpen = _autoScalerWrapper.VerifyInboundPortForGroup(defaultSecurityGroup, port, ipString);
var sshPortIsOpen = _autoScalerWrapper.VerifyInboundPortForGroup(defaultSecurityGroup, sshPort, ipString);
if (!portIsOpen)
{
Console.WriteLine(
"\nFor this example to work, the default security group for your default VPC must\n"
+ "allows access from this computer. You can either add it automatically from this\n"
+ "example or add it yourself using the AWS Management Console.\n");
if (!interactive || GetYesNoResponse(
"Do you want to add a rule to the security group to allow inbound traffic from your computer's IP address?"))
{
await _autoScalerWrapper.OpenInboundPort(defaultSecurityGroup.GroupId, port, ipString);
}
}
if (!sshPortIsOpen)
{
if (!interactive || GetYesNoResponse(
"Do you want to add a rule to the security group to allow inbound SSH traffic for debugging from your computer's IP address?"))
{
await _autoScalerWrapper.OpenInboundPort(defaultSecurityGroup.GroupId, sshPort, ipString);
}
}
loadBalancerAccess = await _elasticLoadBalancerWrapper.VerifyLoadBalancerEndpoint(endPoint);
}
if (loadBalancerAccess)
{
Console.WriteLine("Your load balancer is ready. You can access it by browsing to:");
Console.WriteLine($"\thttp://{endPoint}\n");
}
else
{
Console.WriteLine(
"\nCouldn't get a successful response from the load balancer endpoint. Troubleshoot by\n"
+ "manually verifying that your VPC and security group are configured correctly and that\n"
+ "you can successfully make a GET request to the load balancer endpoint:\n");
Console.WriteLine($"\thttp://{endPoint}\n");
}
Console.WriteLine(new string('-', 80));
Console.WriteLine("Press Enter when you're ready to continue with the demo.");
if (interactive)
Console.ReadLine();
return true;
}
///
/// Demonstrate the steps of the scenario.
///
/// True to run as an interactive scenario.
/// Async task.
public static async Task Demo(bool interactive)
{
var ssmOnlyPolicy = Path.Join(_configuration["resourcePath"],
"ssm_only_policy.json");
Console.WriteLine(new string('-', 80));
Console.WriteLine("Resetting parameters to starting values for demo.");
await _smParameterWrapper.Reset();
Console.WriteLine("\nThis part of the demonstration shows how to toggle different parts of the system\n" +
"to create situations where the web service fails, and shows how using a resilient\n" +
"architecture can keep the web service running in spite of these failures.");
Console.WriteLine(new string('-', 88));
Console.WriteLine("At the start, the load balancer endpoint returns recommendations and reports that all targets are healthy.");
if (interactive)
await DemoActionChoices();
Console.WriteLine($"The web service running on the EC2 instances gets recommendations by querying a DynamoDB table.\n" +
$"The table name is contained in a Systems Manager parameter named '{_smParameterWrapper.TableParameter}'.\n" +
$"To simulate a failure of the recommendation service, let's set this parameter to name a non-existent table.\n");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.TableParameter, "this-is-not-a-table");
Console.WriteLine("\nNow, sending a GET request to the load balancer endpoint returns a failure code. But, the service reports as\n" +
"healthy to the load balancer because shallow health checks don't check for failure of the recommendation service.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("Instead of failing when the recommendation service fails, the web service can return a static response.");
Console.WriteLine("While this is not a perfect solution, it presents the customer with a somewhat better experience than failure.");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.FailureResponseParameter, "static");
Console.WriteLine("\nNow, sending a GET request to the load balancer endpoint returns a static response.");
Console.WriteLine("The service still reports as healthy because health checks are still shallow.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("Let's reinstate the recommendation service.\n");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.TableParameter, _smParameterWrapper.TableName);
Console.WriteLine(
"\nLet's also substitute bad credentials for one of the instances in the target group so that it can't\n" +
"access the DynamoDB recommendation table.\n"
);
await _autoScalerWrapper.CreateInstanceProfileWithName(
_autoScalerWrapper.BadCredsPolicyName,
_autoScalerWrapper.BadCredsRoleName,
_autoScalerWrapper.BadCredsProfileName,
ssmOnlyPolicy,
new List { "AmazonSSMManagedInstanceCore" }
);
var instances = await _autoScalerWrapper.GetInstancesByGroupName(_autoScalerWrapper.GroupName);
var badInstanceId = instances.First();
var instanceProfile = await _autoScalerWrapper.GetInstanceProfile(badInstanceId);
Console.WriteLine(
$"Replacing the profile for instance {badInstanceId} with a profile that contains\n" +
"bad credentials...\n"
);
await _autoScalerWrapper.ReplaceInstanceProfile(
badInstanceId,
_autoScalerWrapper.BadCredsProfileName,
instanceProfile.AssociationId
);
Console.WriteLine(
"Now, sending a GET request to the load balancer endpoint returns either a recommendation or a static response,\n" +
"depending on which instance is selected by the load balancer.\n"
);
if (interactive)
await DemoActionChoices();
Console.WriteLine("\nLet's implement a deep health check. For this demo, a deep health check tests whether");
Console.WriteLine("the web service can access the DynamoDB table that it depends on for recommendations. Note that");
Console.WriteLine("the deep health check is only for ELB routing and not for Auto Scaling instance health.");
Console.WriteLine("This kind of deep health check is not recommended for Auto Scaling instance health, because it");
Console.WriteLine("risks accidental termination of all instances in the Auto Scaling group when a dependent service fails.");
Console.WriteLine("\nBy implementing deep health checks, the load balancer can detect when one of the instances is failing");
Console.WriteLine("and take that instance out of rotation.");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.HealthCheckParameter, "deep");
Console.WriteLine($"\nNow, checking target health indicates that the instance with bad credentials ({badInstanceId})");
Console.WriteLine("is unhealthy. Note that it might take a minute or two for the load balancer to detect the unhealthy");
Console.WriteLine("instance. Sending a GET request to the load balancer endpoint always returns a recommendation, because");
Console.WriteLine("the load balancer takes unhealthy instances out of its rotation.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("\nBecause the instances in this demo are controlled by an auto scaler, the simplest way to fix an unhealthy");
Console.WriteLine("instance is to terminate it and let the auto scaler start a new instance to replace it.");
await _autoScalerWrapper.TryTerminateInstanceById(badInstanceId);
Console.WriteLine($"\nEven while the instance is terminating and the new instance is starting, sending a GET");
Console.WriteLine("request to the web service continues to get a successful recommendation response because");
Console.WriteLine("starts and reports as healthy, it is included in the load balancing rotation.");
Console.WriteLine("Note that terminating and replacing an instance typically takes several minutes, during which time you");
Console.WriteLine("can see the changing health check status until the new instance is running and healthy.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("\nIf the recommendation service fails now, deep health checks mean all instances report as unhealthy.");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.TableParameter, "this-is-not-a-table");
Console.WriteLine($"\nWhen all instances are unhealthy, the load balancer continues to route requests even to");
Console.WriteLine("unhealthy instances, allowing them to fail open and return a static response rather than fail");
Console.WriteLine("closed and report failure to the customer.");
if (interactive)
await DemoActionChoices();
await _smParameterWrapper.Reset();
Console.WriteLine(new string('-', 80));
return true;
}
///
/// Clean up the resources from the scenario.
///
/// True to ask the user for cleanup.
/// Async task.
public static async Task DestroyResources(bool interactive)
{
Console.WriteLine(new string('-', 80));
Console.WriteLine(
"To keep things tidy and to avoid unwanted charges on your account, we can clean up all AWS resources\n" +
"that were created for this demo."
);
if (!interactive || GetYesNoResponse("Do you want to clean up all demo resources? (y/n) "))
{
await _elasticLoadBalancerWrapper.DeleteLoadBalancerByName(_elasticLoadBalancerWrapper.LoadBalancerName);
await _elasticLoadBalancerWrapper.DeleteTargetGroupByName(_elasticLoadBalancerWrapper.TargetGroupName);
await _autoScalerWrapper.TerminateAndDeleteAutoScalingGroupWithName(_autoScalerWrapper.GroupName);
await _autoScalerWrapper.DeleteKeyPairByName(_autoScalerWrapper.KeyPairName);
await _autoScalerWrapper.DeleteTemplateByName(_autoScalerWrapper.LaunchTemplateName);
await _autoScalerWrapper.DeleteInstanceProfile(
_autoScalerWrapper.BadCredsProfileName,
_autoScalerWrapper.BadCredsRoleName
);
await _recommendations.DestroyDatabaseByName(_recommendations.TableName);
}
else
{
Console.WriteLine(
"Ok, we'll leave the resources intact.\n" +
"Don't forget to delete them when you're done with them or you might incur unexpected charges."
);
}
Console.WriteLine(new string('-', 80));
return true;
}
```
建立包裝 Auto Scaling 和 Amazon EC2 動作的類別。
```
///
/// Encapsulates Amazon EC2 Auto Scaling and EC2 management methods.
///
public class AutoScalerWrapper
{
private readonly IAmazonAutoScaling _amazonAutoScaling;
private readonly IAmazonEC2 _amazonEc2;
private readonly IAmazonSimpleSystemsManagement _amazonSsm;
private readonly IAmazonIdentityManagementService _amazonIam;
private readonly ILogger _logger;
private readonly string _instanceType = "";
private readonly string _amiParam = "";
private readonly string _launchTemplateName = "";
private readonly string _groupName = "";
private readonly string _instancePolicyName = "";
private readonly string _instanceRoleName = "";
private readonly string _instanceProfileName = "";
private readonly string _badCredsProfileName = "";
private readonly string _badCredsRoleName = "";
private readonly string _badCredsPolicyName = "";
private readonly string _keyPairName = "";
public string GroupName => _groupName;
public string KeyPairName => _keyPairName;
public string LaunchTemplateName => _launchTemplateName;
public string InstancePolicyName => _instancePolicyName;
public string BadCredsProfileName => _badCredsProfileName;
public string BadCredsRoleName => _badCredsRoleName;
public string BadCredsPolicyName => _badCredsPolicyName;
///
/// Constructor for the AutoScalerWrapper.
///
/// The injected AutoScaling client.
/// The injected EC2 client.
/// The injected IAM client.
/// The injected SSM client.
public AutoScalerWrapper(
IAmazonAutoScaling amazonAutoScaling,
IAmazonEC2 amazonEc2,
IAmazonSimpleSystemsManagement amazonSsm,
IAmazonIdentityManagementService amazonIam,
IConfiguration configuration,
ILogger logger)
{
_amazonAutoScaling = amazonAutoScaling;
_amazonEc2 = amazonEc2;
_amazonSsm = amazonSsm;
_amazonIam = amazonIam;
_logger = logger;
var prefix = configuration["resourcePrefix"];
_instanceType = configuration["instanceType"];
_amiParam = configuration["amiParam"];
_launchTemplateName = prefix + "-template";
_groupName = prefix + "-group";
_instancePolicyName = prefix + "-pol";
_instanceRoleName = prefix + "-role";
_instanceProfileName = prefix + "-prof";
_badCredsPolicyName = prefix + "-bc-pol";
_badCredsRoleName = prefix + "-bc-role";
_badCredsProfileName = prefix + "-bc-prof";
_keyPairName = prefix + "-key-pair";
}
///
/// Create a policy, role, and profile that is associated with instances with a specified name.
/// An instance's associated profile defines a role that is assumed by the
/// instance.The role has attached policies that specify the AWS permissions granted to
/// clients that run on the instance.
///
/// Name to use for the policy.
/// Name to use for the role.
/// Name to use for the profile.
/// Path to a policy file for SSM.
/// AWS Managed policies to be attached to the role.
/// The Arn of the profile.
public async Task CreateInstanceProfileWithName(
string policyName,
string roleName,
string profileName,
string ssmOnlyPolicyFile,
List? awsManagedPolicies = null)
{
var assumeRoleDoc = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
"\"Service\": [" +
"\"ec2.amazonaws.com\"" +
"]" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
var policyDocument = await File.ReadAllTextAsync(ssmOnlyPolicyFile);
var policyArn = "";
try
{
var createPolicyResult = await _amazonIam.CreatePolicyAsync(
new CreatePolicyRequest
{
PolicyName = policyName,
PolicyDocument = policyDocument
});
policyArn = createPolicyResult.Policy.Arn;
}
catch (EntityAlreadyExistsException)
{
// The policy already exists, so we look it up to get the Arn.
var policiesPaginator = _amazonIam.Paginators.ListPolicies(
new ListPoliciesRequest()
{
Scope = PolicyScopeType.Local
});
// Get the entire list using the paginator.
await foreach (var policy in policiesPaginator.Policies)
{
if (policy.PolicyName.Equals(policyName))
{
policyArn = policy.Arn;
}
}
if (policyArn == null)
{
throw new InvalidOperationException("Policy not found");
}
}
try
{
await _amazonIam.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = roleName,
AssumeRolePolicyDocument = assumeRoleDoc,
});
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
RoleName = roleName,
PolicyArn = policyArn
});
if (awsManagedPolicies != null)
{
foreach (var awsPolicy in awsManagedPolicies)
{
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
PolicyArn = $"arn:aws:iam::aws:policy/{awsPolicy}",
RoleName = roleName
});
}
}
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Role already exists.");
}
string profileArn = "";
try
{
var profileCreateResponse = await _amazonIam.CreateInstanceProfileAsync(
new CreateInstanceProfileRequest()
{
InstanceProfileName = profileName
});
// Allow time for the profile to be ready.
profileArn = profileCreateResponse.InstanceProfile.Arn;
Thread.Sleep(10000);
await _amazonIam.AddRoleToInstanceProfileAsync(
new AddRoleToInstanceProfileRequest()
{
InstanceProfileName = profileName,
RoleName = roleName
});
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Policy already exists.");
var profileGetResponse = await _amazonIam.GetInstanceProfileAsync(
new GetInstanceProfileRequest()
{
InstanceProfileName = profileName
});
profileArn = profileGetResponse.InstanceProfile.Arn;
}
return profileArn;
}
///
/// Create a new key pair and save the file.
///
/// The name of the new key pair.
/// Async task.
public async Task CreateKeyPair(string newKeyPairName)
{
try
{
var keyResponse = await _amazonEc2.CreateKeyPairAsync(
new CreateKeyPairRequest() { KeyName = newKeyPairName });
await File.WriteAllTextAsync($"{newKeyPairName}.pem",
keyResponse.KeyPair.KeyMaterial);
Console.WriteLine($"Created key pair {newKeyPairName}.");
}
catch (AlreadyExistsException)
{
Console.WriteLine("Key pair already exists.");
}
}
///
/// Delete the key pair and file by name.
///
/// The key pair to delete.
/// Async task.
public async Task DeleteKeyPairByName(string deleteKeyPairName)
{
try
{
await _amazonEc2.DeleteKeyPairAsync(
new DeleteKeyPairRequest() { KeyName = deleteKeyPairName });
File.Delete($"{deleteKeyPairName}.pem");
}
catch (FileNotFoundException)
{
Console.WriteLine($"Key pair {deleteKeyPairName} not found.");
}
}
///
/// Creates an Amazon EC2 launch template to use with Amazon EC2 Auto Scaling.
/// The launch template specifies a Bash script in its user data field that runs after
/// the instance is started. This script installs the Python packages and starts a Python
/// web server on the instance.
///
/// The path to a Bash script file that is run.
/// The path to a permissions policy to create and attach to the profile.
/// The template object.
public async Task CreateTemplate(string startupScriptPath, string instancePolicyPath)
{
try
{
await CreateKeyPair(_keyPairName);
await CreateInstanceProfileWithName(_instancePolicyName, _instanceRoleName,
_instanceProfileName, instancePolicyPath);
var startServerText = await File.ReadAllTextAsync(startupScriptPath);
var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(startServerText);
var amiLatest = await _amazonSsm.GetParameterAsync(
new GetParameterRequest() { Name = _amiParam });
var amiId = amiLatest.Parameter.Value;
var launchTemplateResponse = await _amazonEc2.CreateLaunchTemplateAsync(
new CreateLaunchTemplateRequest()
{
LaunchTemplateName = _launchTemplateName,
LaunchTemplateData = new RequestLaunchTemplateData()
{
InstanceType = _instanceType,
ImageId = amiId,
IamInstanceProfile =
new
LaunchTemplateIamInstanceProfileSpecificationRequest()
{
Name = _instanceProfileName
},
KeyName = _keyPairName,
UserData = System.Convert.ToBase64String(plainTextBytes)
}
});
return launchTemplateResponse.LaunchTemplate;
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidLaunchTemplateName.AlreadyExistsException")
{
_logger.LogError($"Could not create the template, the name {_launchTemplateName} already exists. " +
$"Please try again with a unique name.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError($"An error occurred while creating the template.: {ex.Message}");
throw;
}
}
///
/// Get a list of Availability Zones in the AWS Region of the Amazon EC2 Client.
///
/// A list of availability zones.
public async Task> DescribeAvailabilityZones()
{
try
{
var zoneResponse = await _amazonEc2.DescribeAvailabilityZonesAsync(
new DescribeAvailabilityZonesRequest());
return zoneResponse.AvailabilityZones.Select(z => z.ZoneName).ToList();
}
catch (AmazonEC2Exception ec2Exception)
{
_logger.LogError($"An Amazon EC2 error occurred while listing availability zones.: {ec2Exception.Message}");
throw;
}
catch (Exception ex)
{
_logger.LogError($"An error occurred while listing availability zones.: {ex.Message}");
throw;
}
}
///
/// Create an EC2 Auto Scaling group of a specified size and name.
///
/// The size for the group.
/// The name for the group.
/// The availability zones for the group.
/// Async task.
public async Task CreateGroupOfSize(int groupSize, string groupName, List availabilityZones)
{
try
{
await _amazonAutoScaling.CreateAutoScalingGroupAsync(
new CreateAutoScalingGroupRequest()
{
AutoScalingGroupName = groupName,
AvailabilityZones = availabilityZones,
LaunchTemplate =
new Amazon.AutoScaling.Model.LaunchTemplateSpecification()
{
LaunchTemplateName = _launchTemplateName,
Version = "$Default"
},
MaxSize = groupSize,
MinSize = groupSize
});
Console.WriteLine($"Created EC2 Auto Scaling group {groupName} with size {groupSize}.");
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine($"EC2 Auto Scaling group {groupName} already exists.");
}
}
///
/// Get the default VPC for the account.
///
/// The default VPC object.
public async Task GetDefaultVpc()
{
try
{
var vpcResponse = await _amazonEc2.DescribeVpcsAsync(
new DescribeVpcsRequest()
{
Filters = new List()
{
new("is-default", new List() { "true" })
}
});
return vpcResponse.Vpcs[0];
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "UnauthorizedOperation")
{
_logger.LogError(ec2Exception, $"You do not have the necessary permissions to describe VPCs.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while describing the vpcs.: {ex.Message}");
throw;
}
}
///
/// Get all the subnets for a Vpc in a set of availability zones.
///
/// The Id of the Vpc.
/// The list of availability zones.
/// The collection of subnet objects.
public async Task> GetAllVpcSubnetsForZones(string vpcId, List availabilityZones)
{
try
{
var subnets = new List();
var subnetPaginator = _amazonEc2.Paginators.DescribeSubnets(
new DescribeSubnetsRequest()
{
Filters = new List()
{
new("vpc-id", new List() { vpcId }),
new("availability-zone", availabilityZones),
new("default-for-az", new List() { "true" })
}
});
// Get the entire list using the paginator.
await foreach (var subnet in subnetPaginator.Subnets)
{
subnets.Add(subnet);
}
return subnets;
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidVpcID.NotFound")
{
_logger.LogError(ec2Exception, $"The specified VPC ID {vpcId} does not exist.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while describing the subnets.: {ex.Message}");
throw;
}
}
///
/// Delete a launch template by name.
///
/// The name of the template to delete.
/// Async task.
public async Task DeleteTemplateByName(string templateName)
{
try
{
await _amazonEc2.DeleteLaunchTemplateAsync(
new DeleteLaunchTemplateRequest()
{
LaunchTemplateName = templateName
});
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidLaunchTemplateName.NotFoundException")
{
_logger.LogError(
$"Could not delete the template, the name {_launchTemplateName} was not found.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError($"An error occurred while deleting the template.: {ex.Message}");
throw;
}
}
///
/// Detaches a role from an instance profile, detaches policies from the role,
/// and deletes all the resources.
///
/// The name of the profile to delete.
/// The name of the role to delete.
/// Async task.
public async Task DeleteInstanceProfile(string profileName, string roleName)
{
try
{
await _amazonIam.RemoveRoleFromInstanceProfileAsync(
new RemoveRoleFromInstanceProfileRequest()
{
InstanceProfileName = profileName,
RoleName = roleName
});
await _amazonIam.DeleteInstanceProfileAsync(
new DeleteInstanceProfileRequest() { InstanceProfileName = profileName });
var attachedPolicies = await _amazonIam.ListAttachedRolePoliciesAsync(
new ListAttachedRolePoliciesRequest() { RoleName = roleName });
foreach (var policy in attachedPolicies.AttachedPolicies)
{
await _amazonIam.DetachRolePolicyAsync(
new DetachRolePolicyRequest()
{
RoleName = roleName,
PolicyArn = policy.PolicyArn
});
// Delete the custom policies only.
if (!policy.PolicyArn.StartsWith("arn:aws:iam::aws"))
{
await _amazonIam.DeletePolicyAsync(
new Amazon.IdentityManagement.Model.DeletePolicyRequest()
{
PolicyArn = policy.PolicyArn
});
}
}
await _amazonIam.DeleteRoleAsync(
new DeleteRoleRequest() { RoleName = roleName });
}
catch (NoSuchEntityException)
{
Console.WriteLine($"Instance profile {profileName} does not exist.");
}
}
///
/// Gets data about the instances in an EC2 Auto Scaling group by its group name.
///
/// The name of the auto scaling group.
/// A collection of instance Ids.
public async Task> GetInstancesByGroupName(string group)
{
var instanceResponse = await _amazonAutoScaling.DescribeAutoScalingGroupsAsync(
new DescribeAutoScalingGroupsRequest()
{
AutoScalingGroupNames = new List() { group }
});
var instanceIds = instanceResponse.AutoScalingGroups.SelectMany(
g => g.Instances.Select(i => i.InstanceId));
return instanceIds;
}
///
/// Get the instance profile association data for an instance.
///
/// The Id of the instance.
/// Instance profile associations data.
public async Task GetInstanceProfile(string instanceId)
{
try
{
var response = await _amazonEc2.DescribeIamInstanceProfileAssociationsAsync(
new DescribeIamInstanceProfileAssociationsRequest()
{
Filters = new List()
{
new("instance-id", new List() { instanceId })
},
});
return response.IamInstanceProfileAssociations[0];
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidInstanceID.NotFound")
{
_logger.LogError(ec2Exception, $"Instance {instanceId} not found");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while creating the template.: {ex.Message}");
throw;
}
}
///
/// Replace the profile associated with a running instance. After the profile is replaced, the instance
/// is rebooted to ensure that it uses the new profile. When the instance is ready, Systems Manager is
/// used to restart the Python web server.
///
/// The Id of the instance to update.
/// The name of the new profile to associate with the specified instance.
/// The Id of the existing profile association for the instance.
/// Async task.
public async Task ReplaceInstanceProfile(string instanceId, string credsProfileName, string associationId)
{
try
{
await _amazonEc2.ReplaceIamInstanceProfileAssociationAsync(
new ReplaceIamInstanceProfileAssociationRequest()
{
AssociationId = associationId,
IamInstanceProfile = new IamInstanceProfileSpecification()
{
Name = credsProfileName
}
});
// Allow time before resetting.
Thread.Sleep(25000);
await _amazonEc2.RebootInstancesAsync(
new RebootInstancesRequest(new List() { instanceId }));
Thread.Sleep(25000);
var instanceReady = false;
var retries = 5;
while (retries-- > 0 && !instanceReady)
{
var instancesPaginator =
_amazonSsm.Paginators.DescribeInstanceInformation(
new DescribeInstanceInformationRequest());
// Get the entire list using the paginator.
await foreach (var instance in instancesPaginator.InstanceInformationList)
{
instanceReady = instance.InstanceId == instanceId;
if (instanceReady)
{
break;
}
}
}
Console.WriteLine("Waiting for instance to be running.");
await WaitForInstanceState(instanceId, InstanceStateName.Running);
Console.WriteLine("Instance ready.");
Console.WriteLine($"Sending restart command to instance {instanceId}");
await _amazonSsm.SendCommandAsync(
new SendCommandRequest()
{
InstanceIds = new List() { instanceId },
DocumentName = "AWS-RunShellScript",
Parameters = new Dictionary>()
{
{
"commands",
new List() { "cd / && sudo python3 server.py 80" }
}
}
});
Console.WriteLine($"Restarted the web server on instance {instanceId}");
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidInstanceID.NotFound")
{
_logger.LogError(ec2Exception, $"Instance {instanceId} not found");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while replacing the template.: {ex.Message}");
throw;
}
}
///
/// Try to terminate an instance by its Id.
///
/// The Id of the instance to terminate.
/// Async task.
public async Task TryTerminateInstanceById(string instanceId)
{
var stopping = false;
Console.WriteLine($"Stopping {instanceId}...");
while (!stopping)
{
try
{
await _amazonAutoScaling.TerminateInstanceInAutoScalingGroupAsync(
new TerminateInstanceInAutoScalingGroupRequest()
{
InstanceId = instanceId,
ShouldDecrementDesiredCapacity = false
});
stopping = true;
}
catch (ScalingActivityInProgressException)
{
Console.WriteLine($"Scaling activity in progress for {instanceId}. Waiting...");
Thread.Sleep(10000);
}
}
}
///
/// Tries to delete the EC2 Auto Scaling group. If the group is in use or in progress,
/// waits and retries until the group is successfully deleted.
///
/// The name of the group to try to delete.
/// Async task.
public async Task TryDeleteGroupByName(string groupName)
{
var stopped = false;
while (!stopped)
{
try
{
await _amazonAutoScaling.DeleteAutoScalingGroupAsync(
new DeleteAutoScalingGroupRequest()
{
AutoScalingGroupName = groupName
});
stopped = true;
}
catch (Exception e)
when ((e is ScalingActivityInProgressException)
|| (e is Amazon.AutoScaling.Model.ResourceInUseException))
{
Console.WriteLine($"Some instances are still running. Waiting...");
Thread.Sleep(10000);
}
}
}
///
/// Terminate instances and delete the Auto Scaling group by name.
///
/// The name of the group to delete.
/// Async task.
public async Task TerminateAndDeleteAutoScalingGroupWithName(string groupName)
{
var describeGroupsResponse = await _amazonAutoScaling.DescribeAutoScalingGroupsAsync(
new DescribeAutoScalingGroupsRequest()
{
AutoScalingGroupNames = new List() { groupName }
});
if (describeGroupsResponse.AutoScalingGroups.Any())
{
// Update the size to 0.
await _amazonAutoScaling.UpdateAutoScalingGroupAsync(
new UpdateAutoScalingGroupRequest()
{
AutoScalingGroupName = groupName,
MinSize = 0
});
var group = describeGroupsResponse.AutoScalingGroups[0];
foreach (var instance in group.Instances)
{
await TryTerminateInstanceById(instance.InstanceId);
}
await TryDeleteGroupByName(groupName);
}
else
{
Console.WriteLine($"No groups found with name {groupName}.");
}
}
///
/// Get the default security group for a specified Vpc.
///
/// The Vpc to search.
/// The default security group.
public async Task GetDefaultSecurityGroupForVpc(Vpc vpc)
{
var groupResponse = await _amazonEc2.DescribeSecurityGroupsAsync(
new DescribeSecurityGroupsRequest()
{
Filters = new List()
{
new ("group-name", new List() { "default" }),
new ("vpc-id", new List() { vpc.VpcId })
}
});
return groupResponse.SecurityGroups[0];
}
///
/// Verify the default security group of a Vpc allows ingress from the calling computer.
/// This can be done by allowing ingress from this computer's IP address.
/// In some situations, such as connecting from a corporate network, you must instead specify
/// a prefix list Id. You can also temporarily open the port to any IP address while running this example.
/// If you do, be sure to remove public access when you're done.
///
/// The group to check.
/// The port to verify.
/// This computer's IP address.
/// True if the ip address is allowed on the group.
public bool VerifyInboundPortForGroup(SecurityGroup group, int port, string ipAddress)
{
var portIsOpen = false;
foreach (var ipPermission in group.IpPermissions)
{
if (ipPermission.FromPort == port)
{
foreach (var ipRange in ipPermission.Ipv4Ranges)
{
var cidr = ipRange.CidrIp;
if (cidr.StartsWith(ipAddress) || cidr == "0.0.0.0/0")
{
portIsOpen = true;
}
}
if (ipPermission.PrefixListIds.Any())
{
portIsOpen = true;
}
if (!portIsOpen)
{
Console.WriteLine("The inbound rule does not appear to be open to either this computer's IP\n" +
"address, to all IP addresses (0.0.0.0/0), or to a prefix list ID.");
}
else
{
break;
}
}
}
return portIsOpen;
}
///
/// Add an ingress rule to the specified security group that allows access on the
/// specified port from the specified IP address.
///
/// The Id of the security group to modify.
/// The port to open.
/// The IP address to allow access.
/// Async task.
public async Task OpenInboundPort(string groupId, int port, string ipAddress)
{
await _amazonEc2.AuthorizeSecurityGroupIngressAsync(
new AuthorizeSecurityGroupIngressRequest()
{
GroupId = groupId,
IpPermissions = new List()
{
new IpPermission()
{
FromPort = port,
ToPort = port,
IpProtocol = "tcp",
Ipv4Ranges = new List()
{
new IpRange() { CidrIp = $"{ipAddress}/32" }
}
}
}
});
}
///
/// Attaches an Elastic Load Balancing (ELB) target group to this EC2 Auto Scaling group.
/// The
///
/// The name of the Auto Scaling group.
/// The Arn for the target group.
/// Async task.
public async Task AttachLoadBalancerToGroup(string autoScalingGroupName, string targetGroupArn)
{
await _amazonAutoScaling.AttachLoadBalancerTargetGroupsAsync(
new AttachLoadBalancerTargetGroupsRequest()
{
AutoScalingGroupName = autoScalingGroupName,
TargetGroupARNs = new List() { targetGroupArn }
});
}
///
/// Wait until an EC2 instance is in a specified state.
///
/// The instance Id.
/// The state to wait for.
/// A Boolean value indicating the success of the action.
public async Task WaitForInstanceState(string instanceId, InstanceStateName stateName)
{
var request = new DescribeInstancesRequest
{
InstanceIds = new List { instanceId }
};
// Wait until the instance is in the specified state.
var hasState = false;
do
{
// Wait 5 seconds.
Thread.Sleep(5000);
// Check for the desired state.
var response = await _amazonEc2.DescribeInstancesAsync(request);
var instance = response.Reservations[0].Instances[0];
hasState = instance.State.Name == stateName;
Console.Write(". ");
} while (!hasState);
return hasState;
}
}
```
建立包裝 Elastic Load Balancing 動作的類別。
```
///
/// Encapsulates Elastic Load Balancer actions.
///
public class ElasticLoadBalancerWrapper
{
private readonly IAmazonElasticLoadBalancingV2 _amazonElasticLoadBalancingV2;
private string? _endpoint = null;
private readonly string _targetGroupName = "";
private readonly string _loadBalancerName = "";
HttpClient _httpClient = new();
public string TargetGroupName => _targetGroupName;
public string LoadBalancerName => _loadBalancerName;
///
/// Constructor for the Elastic Load Balancer wrapper.
///
/// The injected load balancing v2 client.
/// The injected configuration.
public ElasticLoadBalancerWrapper(
IAmazonElasticLoadBalancingV2 amazonElasticLoadBalancingV2,
IConfiguration configuration)
{
_amazonElasticLoadBalancingV2 = amazonElasticLoadBalancingV2;
var prefix = configuration["resourcePrefix"];
_targetGroupName = prefix + "-tg";
_loadBalancerName = prefix + "-lb";
}
///
/// Get the HTTP Endpoint of a load balancer by its name.
///
/// The name of the load balancer.
/// The HTTP endpoint.
public async Task GetEndpointForLoadBalancerByName(string loadBalancerName)
{
if (_endpoint == null)
{
var endpointResponse =
await _amazonElasticLoadBalancingV2.DescribeLoadBalancersAsync(
new DescribeLoadBalancersRequest()
{
Names = new List() { loadBalancerName }
});
_endpoint = endpointResponse.LoadBalancers[0].DNSName;
}
return _endpoint;
}
///
/// Return the GET response for an endpoint as text.
///
/// The endpoint for the request.
/// The request response.
public async Task GetEndPointResponse(string endpoint)
{
var endpointResponse = await _httpClient.GetAsync($"http://{endpoint}");
var textResponse = await endpointResponse.Content.ReadAsStringAsync();
return textResponse!;
}
///
/// Get the target health for a group by name.
///
/// The name of the group.
/// The collection of health descriptions.
public async Task> CheckTargetHealthForGroup(string groupName)
{
List