本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用適用於 Kotlin 的 SDK 的 IAM 範例
下列程式碼範例示範如何使用適用於 Kotlin 的 AWS SDK 搭配 IAM 來執行動作和實作常見案例。
*基本概念*是程式碼範例,這些範例說明如何在服務內執行基本操作。
*Actions* 是大型程式的程式碼摘錄,必須在內容中執行。雖然動作會告訴您如何呼叫個別服務函數,但您可以在其相關情境中查看內容中的動作。
每個範例均包含完整原始碼的連結,您可在連結中找到如何設定和執行內容中程式碼的相關指示。
**Topics**
+ [基本概念](#basics)
+ [動作](#actions)
## 基本概念
### 了解基本概念
下列程式碼範例示範如何建立使用者並擔任角色。
**警告**
為避免安全風險,在開發專用軟體或使用真實資料時,請勿使用 IAM 使用者進行身分驗證。相反地,搭配使用聯合功能和身分提供者,例如 [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)。
+ 建立沒有許可的使用者。
+ 建立一個可授予許可的角色,以列出帳戶的 Amazon S3 儲存貯體。
+ 新增政策,讓使用者擔任該角色。
+ 使用暫時憑證,擔任角色並列出 S3 儲存貯體,然後清理資源。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
建立可包裝 IAM 使用者動作的函數。
```
suspend fun main(args: Array) {
val usage = """
Usage:
Where:
username - The name of the IAM user to create.
policyName - The name of the policy to create.
roleName - The name of the role to create.
roleSessionName - The name of the session required for the assumeRole operation.
fileLocation - The file location to the JSON required to create the role (see Readme).
bucketName - The name of the Amazon S3 bucket from which objects are read.
"""
if (args.size != 6) {
println(usage)
exitProcess(1)
}
val userName = args[0]
val policyName = args[1]
val roleName = args[2]
val roleSessionName = args[3]
val fileLocation = args[4]
val bucketName = args[5]
createUser(userName)
println("$userName was successfully created.")
val polArn = createPolicy(policyName)
println("The policy $polArn was successfully created.")
val roleArn = createRole(roleName, fileLocation)
println("$roleArn was successfully created.")
attachRolePolicy(roleName, polArn)
println("*** Wait for 1 MIN so the resource is available.")
delay(60000)
assumeGivenRole(roleArn, roleSessionName, bucketName)
println("*** Getting ready to delete the AWS resources.")
deleteRole(roleName, polArn)
deleteUser(userName)
println("This IAM Scenario has successfully completed.")
}
suspend fun createUser(usernameVal: String?): String? {
val request =
CreateUserRequest {
userName = usernameVal
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createUser(request)
return response.user?.userName
}
}
suspend fun createPolicy(policyNameVal: String?): String {
val policyDocumentValue = """
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*"
}
]
}
""".trimIndent()
val request =
CreatePolicyRequest {
policyName = policyNameVal
policyDocument = policyDocumentValue
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createPolicy(request)
return response.policy?.arn.toString()
}
}
suspend fun createRole(
rolenameVal: String?,
fileLocation: String?,
): String? {
val jsonObject = fileLocation?.let { readJsonSimpleDemo(it) } as JSONObject
val request =
CreateRoleRequest {
roleName = rolenameVal
assumeRolePolicyDocument = jsonObject.toJSONString()
description = "Created using the AWS SDK for Kotlin"
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createRole(request)
return response.role?.arn
}
}
suspend fun attachRolePolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
ListAttachedRolePoliciesRequest {
roleName = roleNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAttachedRolePolicies(request)
val attachedPolicies = response.attachedPolicies
// Ensure that the policy is not attached to this role.
val checkStatus: Int
if (attachedPolicies != null) {
checkStatus = checkMyList(attachedPolicies, policyArnVal)
if (checkStatus == -1) {
return
}
}
val policyRequest =
AttachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
iamClient.attachRolePolicy(policyRequest)
println("Successfully attached policy $policyArnVal to role $roleNameVal")
}
}
fun checkMyList(
attachedPolicies: List,
policyArnVal: String,
): Int {
for (policy in attachedPolicies) {
val polArn = policy.policyArn.toString()
if (polArn.compareTo(policyArnVal) == 0) {
println("The policy is already attached to this role.")
return -1
}
}
return 0
}
suspend fun assumeGivenRole(
roleArnVal: String?,
roleSessionNameVal: String?,
bucketName: String,
) {
val stsClient = StsClient.fromEnvironment { region = "us-east-1" }
val roleRequest =
AssumeRoleRequest {
roleArn = roleArnVal
roleSessionName = roleSessionNameVal
}
val roleResponse = stsClient.assumeRole(roleRequest)
val myCreds = roleResponse.credentials
val key = myCreds?.accessKeyId
val secKey = myCreds?.secretAccessKey
val secToken = myCreds?.sessionToken
val staticCredentials = StaticCredentialsProvider {
accessKeyId = key
secretAccessKey = secKey
sessionToken = secToken
}
// List all objects in an Amazon S3 bucket using the temp creds.
val s3 = S3Client.fromEnvironment {
region = "us-east-1"
credentialsProvider = staticCredentials
}
println("Created a S3Client using temp credentials.")
println("Listing objects in $bucketName")
val listObjects =
ListObjectsRequest {
bucket = bucketName
}
val response = s3.listObjects(listObjects)
response.contents?.forEach { myObject ->
println("The name of the key is ${myObject.key}")
println("The owner is ${myObject.owner}")
}
}
suspend fun deleteRole(
roleNameVal: String,
polArn: String,
) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
// First the policy needs to be detached.
val rolePolicyRequest =
DetachRolePolicyRequest {
policyArn = polArn
roleName = roleNameVal
}
iam.detachRolePolicy(rolePolicyRequest)
// Delete the policy.
val request =
DeletePolicyRequest {
policyArn = polArn
}
iam.deletePolicy(request)
println("*** Successfully deleted $polArn")
// Delete the role.
val roleRequest =
DeleteRoleRequest {
roleName = roleNameVal
}
iam.deleteRole(roleRequest)
println("*** Successfully deleted $roleNameVal")
}
suspend fun deleteUser(userNameVal: String) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
val request =
DeleteUserRequest {
userName = userNameVal
}
iam.deleteUser(request)
println("*** Successfully deleted $userNameVal")
}
@Throws(java.lang.Exception::class)
fun readJsonSimpleDemo(filename: String): Any? {
val reader = FileReader(filename)
val jsonParser = JSONParser()
return jsonParser.parse(reader)
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的下列主題。
+ [AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [PutUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
## 動作
### `AttachRolePolicy`
以下程式碼範例顯示如何使用 `AttachRolePolicy`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun attachIAMRolePolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
ListAttachedRolePoliciesRequest {
roleName = roleNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAttachedRolePolicies(request)
val attachedPolicies = response.attachedPolicies
// Ensure that the policy is not attached to this role.
val checkStatus: Int
if (attachedPolicies != null) {
checkStatus = checkList(attachedPolicies, policyArnVal)
if (checkStatus == -1) {
return
}
}
val policyRequest =
AttachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
iamClient.attachRolePolicy(policyRequest)
println("Successfully attached policy $policyArnVal to role $roleNameVal")
}
}
fun checkList(
attachedPolicies: List,
policyArnVal: String,
): Int {
for (policy in attachedPolicies) {
val polArn = policy.policyArn.toString()
if (polArn.compareTo(policyArnVal) == 0) {
println("The policy is already attached to this role.")
return -1
}
}
return 0
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `CreateAccessKey`
以下程式碼範例顯示如何使用 `CreateAccessKey`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMAccessKey(user: String?): String {
val request =
CreateAccessKeyRequest {
userName = user
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createAccessKey(request)
return response.accessKey?.accessKeyId.toString()
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `CreateAccountAlias`
以下程式碼範例顯示如何使用 `CreateAccountAlias`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMAccountAlias(alias: String) {
val request =
CreateAccountAliasRequest {
accountAlias = alias
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.createAccountAlias(request)
println("Successfully created account alias named $alias")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreateAccountAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `CreatePolicy`
以下程式碼範例顯示如何使用 `CreatePolicy`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMPolicy(policyNameVal: String?): String {
val policyDocumentVal = """
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:UpdateItem"
],
"Resource": "*"
}
]
}
""".trimIndent()
val request =
CreatePolicyRequest {
policyName = policyNameVal
policyDocument = policyDocumentVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createPolicy(request)
return response.policy?.arn.toString()
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `CreateUser`
以下程式碼範例顯示如何使用 `CreateUser`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun createIAMUser(usernameVal: String?): String? {
val request =
CreateUserRequest {
userName = usernameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createUser(request)
return response.user?.userName
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `DeleteAccessKey`
以下程式碼範例顯示如何使用 `DeleteAccessKey`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteKey(
userNameVal: String,
accessKey: String,
) {
val request =
DeleteAccessKeyRequest {
accessKeyId = accessKey
userName = userNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deleteAccessKey(request)
println("Successfully deleted access key $accessKey from $userNameVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `DeleteAccountAlias`
以下程式碼範例顯示如何使用 `DeleteAccountAlias`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteIAMAccountAlias(alias: String) {
val request =
DeleteAccountAliasRequest {
accountAlias = alias
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deleteAccountAlias(request)
println("Successfully deleted account alias $alias")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeleteAccountAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `DeletePolicy`
以下程式碼範例顯示如何使用 `DeletePolicy`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteIAMPolicy(policyARNVal: String?) {
val request =
DeletePolicyRequest {
policyArn = policyARNVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deletePolicy(request)
println("Successfully deleted $policyARNVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `DeleteUser`
以下程式碼範例顯示如何使用 `DeleteUser`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun deleteIAMUser(userNameVal: String) {
val request =
DeleteUserRequest {
userName = userNameVal
}
// To delete a user, ensure that the user's access keys are deleted first.
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.deleteUser(request)
println("Successfully deleted user $userNameVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `DetachRolePolicy`
以下程式碼範例顯示如何使用 `DetachRolePolicy`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun detachPolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
DetachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.detachRolePolicy(request)
println("Successfully detached policy $policyArnVal from role $roleNameVal")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `GetPolicy`
以下程式碼範例顯示如何使用 `GetPolicy`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun getIAMPolicy(policyArnVal: String?) {
val request =
GetPolicyRequest {
policyArn = policyArnVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.getPolicy(request)
println("Successfully retrieved policy ${response.policy?.policyName}")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [GetPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `ListAccessKeys`
以下程式碼範例顯示如何使用 `ListAccessKeys`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun listKeys(userNameVal: String?) {
val request =
ListAccessKeysRequest {
userName = userNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAccessKeys(request)
response.accessKeyMetadata?.forEach { md ->
println("Retrieved access key ${md.accessKeyId}")
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [ListAccessKeys](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `ListAccountAliases`
以下程式碼範例顯示如何使用 `ListAccountAliases`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun listAliases() {
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAccountAliases(ListAccountAliasesRequest {})
response.accountAliases?.forEach { alias ->
println("Retrieved account alias $alias")
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [ListAccountAliases](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `ListUsers`
以下程式碼範例顯示如何使用 `ListUsers`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun listAllUsers() {
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listUsers(ListUsersRequest { })
response.users?.forEach { user ->
println("Retrieved user ${user.userName}")
val permissionsBoundary = user.permissionsBoundary
if (permissionsBoundary != null) {
println("Permissions boundary details ${permissionsBoundary.permissionsBoundaryType}")
}
}
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [ListUsers](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。
### `UpdateUser`
以下程式碼範例顯示如何使用 `UpdateUser`。
**適用於 Kotlin 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中設定和執行。
```
suspend fun updateIAMUser(
curName: String?,
newName: String?,
) {
val request =
UpdateUserRequest {
userName = curName
newUserName = newName
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
iamClient.updateUser(request)
println("Successfully updated user to $newName")
}
}
```
+ 如需 API 詳細資訊,請參閱 *AWS SDK for Kotlin API reference* 中的 [UpdateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。