AWS SDK for C++
Developer Guide

Working with IAM Policies

Note

These code snippets assume that you understand the material in Getting Started Using the AWS SDK for C++ and have configured default AWS credentials using the information in Providing AWS Credentials.

Creating a Policy

To create a new policy, provide the policy's name and a JSON-formatted policy document in a CreatePolicyRequest to the IAMClient's CreatePolicy function.

Includes:

#include <aws/core/Aws.h>
#include <aws/iam/IAMClient.h>
#include <aws/iam/model/CreatePolicyRequest.h>
#include <aws/iam/model/CreatePolicyResult.h>
#include <cstdio>   // std::snprintf, used by BuildSamplePolicyDocument
#include <cstring>  // std::strlen
#include <iostream>

Code:

Aws::IAM::IAMClient iam;

Aws::IAM::Model::CreatePolicyRequest request;
request.SetPolicyName(policy_name);
request.SetPolicyDocument(BuildSamplePolicyDocument(rsrc_arn));

auto outcome = iam.CreatePolicy(request);
if (!outcome.IsSuccess())
{
    std::cout << "Error creating policy " << policy_name << ": " <<
        outcome.GetError().GetMessage() << std::endl;
}
else
{
    std::cout << "Successfully created policy " << policy_name <<
        std::endl;
}

IAM policy documents are JSON strings with a well-documented syntax. Here is an example that grants permission to make particular requests to DynamoDB. It takes the resource ARN as a passed-in variable and substitutes it into each statement's Resource field.

static const char* const POLICY_TEMPLATE =
    "{"
    "  \"Version\": \"2012-10-17\","
    "  \"Statement\": ["
    "    {"
    "      \"Effect\": \"Allow\","
    "      \"Action\": \"logs:CreateLogGroup\","
    "      \"Resource\": \"%s\""
    "    },"
    "    {"
    "      \"Effect\": \"Allow\","
    "      \"Action\": ["
    "        \"dynamodb:DeleteItem\","
    "        \"dynamodb:GetItem\","
    "        \"dynamodb:PutItem\","
    "        \"dynamodb:Scan\","
    "        \"dynamodb:UpdateItem\""
    "      ],"
    "      \"Resource\": \"%s\""
    "    }"
    "  ]"
    "}";

// Substitute the resource ARN into both Resource fields. The buffer is sized
// from the template and ARN lengths; a fixed 512-byte buffer filled with
// sprintf would overflow on a long ARN. std::snprintf (from <cstdio>) is
// bounded and available on both MSVC 2015+ and POSIX toolchains, so the
// WIN32-specific sprintf_s branch is no longer needed.
Aws::String BuildSamplePolicyDocument(const Aws::String& rsrc_arn)
{
    const size_t needed = std::strlen(POLICY_TEMPLATE) + 2 * rsrc_arn.size() + 1;
    Aws::String policyDocument(needed, '\0');
    const int written = std::snprintf(&policyDocument[0], needed, POLICY_TEMPLATE,
                                      rsrc_arn.c_str(), rsrc_arn.c_str());
    policyDocument.resize(written > 0 ? static_cast<size_t>(written) : 0);
    return policyDocument;
}

See the complete example.
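The sample above splices a caller-supplied ARN straight into a JSON string, so an ARN value containing a quote or backslash would change the structure of the policy rather than just its Resource fields. The following added example (not code from the AWS SDK for C++ guide) builds the same policy document but accepts only strings that look like an ARN first; it uses std::string in place of Aws::String so it runs without the SDK, and the allow-listed ARN characters and sample table ARN are assumptions made for the example.

```cpp
#include <stdexcept>
#include <string>

// Constructed sample resource ARN (not a real account).
static const char* const SAMPLE_TABLE_ARN =
    "arn:aws:dynamodb:us-east-1:123456789012:table/Example";

// Characters accepted in a resource ARN for this example: alphanumerics, the
// ':' and '/' separators, '-', '_', '.', and the '*' wildcard. Widen the list
// if your resource names use other ARN-legal characters; never admit '"' or '\'.
static bool isArnChar(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == ':' || c == '/' ||
           c == '-' || c == '_' || c == '.' || c == '*';
}

// True only for strings that start with "arn:" and contain no character that
// could terminate or escape the surrounding JSON string literal.
bool isValidResourceArn(const std::string& arn) {
    if (arn.rfind("arn:", 0) != 0) return false;
    for (char c : arn) {
        if (!isArnChar(c)) return false;
    }
    return true;
}

// Same document as the page's POLICY_TEMPLATE, built by concatenation after
// validation. Throws instead of emitting a document whose effective
// permissions could differ from what the caller intended.
std::string BuildValidatedPolicyDocument(const std::string& rsrc_arn) {
    if (!isValidResourceArn(rsrc_arn)) {
        throw std::invalid_argument("resource ARN contains characters not allowed in an ARN");
    }
    return "{"
           "\"Version\":\"2012-10-17\","
           "\"Statement\":["
           "{\"Effect\":\"Allow\",\"Action\":\"logs:CreateLogGroup\","
           "\"Resource\":\"" + rsrc_arn + "\"},"
           "{\"Effect\":\"Allow\",\"Action\":[\"dynamodb:DeleteItem\",\"dynamodb:GetItem\","
           "\"dynamodb:PutItem\",\"dynamodb:Scan\",\"dynamodb:UpdateItem\"],"
           "\"Resource\":\"" + rsrc_arn + "\"}"
           "]}";
}
```

Pass the returned string to CreatePolicyRequest::SetPolicyDocument exactly as the page does with BuildSamplePolicyDocument.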

Getting a Policy

To retrieve an existing policy, call the IAMClient's GetPolicy function, providing the policy's ARN within a GetPolicyRequest object.

Includes:

#include <aws/core/Aws.h>
#include <aws/iam/IAMClient.h>
#include <aws/iam/model/GetPolicyRequest.h>
#include <aws/iam/model/GetPolicyResult.h>
#include <iostream>

Code:

Aws::IAM::IAMClient iam;

Aws::IAM::Model::GetPolicyRequest request;
request.SetPolicyArn(policy_arn);

auto outcome = iam.GetPolicy(request);
if (!outcome.IsSuccess())
{
    std::cout << "Error getting policy " << policy_arn << ": " <<
        outcome.GetError().GetMessage() << std::endl;
}
else
{
    const auto &policy = outcome.GetResult().GetPolicy();
    std::cout << "Name: " << policy.GetPolicyName() << std::endl <<
        "ID: " << policy.GetPolicyId() << std::endl <<
        "Arn: " << policy.GetArn() << std::endl <<
        "Description: " << policy.GetDescription() << std::endl <<
        "CreateDate: " <<
        policy.GetCreateDate().ToGmtString(Aws::Utils::DateFormat::ISO_8601) <<
        std::endl;
}

See the complete example.

Deleting a Policy

To delete a policy, provide the policy's ARN in a DeletePolicyRequest to the IAMClient's DeletePolicy function.

Includes:

#include <aws/core/Aws.h>
#include <aws/iam/IAMClient.h>
#include <aws/iam/model/DeletePolicyRequest.h>
#include <iostream>

Code:

Aws::IAM::IAMClient iam;

Aws::IAM::Model::DeletePolicyRequest request;
request.SetPolicyArn(policy_arn);

auto outcome = iam.DeletePolicy(request);
if (!outcome.IsSuccess())
{
    std::cout << "Error deleting policy with arn " << policy_arn << ": " <<
        outcome.GetError().GetMessage() << std::endl;
}
else
{
    std::cout << "Successfully deleted policy with arn " << policy_arn <<
        std::endl;
}

See the complete example.

Attaching a Policy

You can attach a policy to an IAM role by calling the IAMClient's AttachRolePolicy function, providing it with the role name and policy ARN in an AttachRolePolicyRequest. The example below first pages through the role's attached policies with ListAttachedRolePolicies so that it does not attach a policy that is already present.

Includes:

#include <aws/core/Aws.h>
#include <aws/iam/IAMClient.h>
#include <aws/iam/model/AttachRolePolicyRequest.h>
#include <aws/iam/model/ListAttachedRolePoliciesRequest.h>
#include <aws/iam/model/ListAttachedRolePoliciesResult.h>
#include <algorithm>  // std::any_of
#include <iostream>
#include <iomanip>

Code:

Aws::IAM::IAMClient iam;

Aws::IAM::Model::ListAttachedRolePoliciesRequest list_request;
list_request.SetRoleName(role_name);

bool done = false;
while (!done)
{
    auto list_outcome = iam.ListAttachedRolePolicies(list_request);
    if (!list_outcome.IsSuccess())
    {
        std::cout << "Failed to list attached policies of role " <<
            role_name << ": " << list_outcome.GetError().GetMessage() <<
            std::endl;
        return;
    }

    const auto& policies = list_outcome.GetResult().GetAttachedPolicies();
    if (std::any_of(policies.cbegin(), policies.cend(),
        [=](const Aws::IAM::Model::AttachedPolicy& policy)
        {
            return policy.GetPolicyArn() == policy_arn;
        }))
    {
        std::cout << "Policy " << policy_arn <<
            " is already attached to role " << role_name << std::endl;
        return;
    }

    // Results are paged: keep going while IsTruncated is set, passing the
    // returned marker back in the next request.
    done = !list_outcome.GetResult().GetIsTruncated();
    list_request.SetMarker(list_outcome.GetResult().GetMarker());
}

Aws::IAM::Model::AttachRolePolicyRequest request;
request.SetRoleName(role_name);
request.SetPolicyArn(policy_arn);

auto outcome = iam.AttachRolePolicy(request);
if (!outcome.IsSuccess())
{
    std::cout << "Failed to attach policy " << policy_arn << " to role " <<
        role_name << ": " << outcome.GetError().GetMessage() << std::endl;
    return;
}

std::cout << "Successfully attached policy " << policy_arn << " to role " <<
    role_name << std::endl;

See the complete example.

Listing Attached Policies

List attached policies on a role by calling the IAMClient's ListAttachedRolePolicies function. It takes a ListAttachedRolePoliciesRequest object that contains the role name to list the policies for.

Call GetAttachedPolicies on the returned ListAttachedRolePoliciesResult object to get the list of attached policies. Results may be truncated; if the ListAttachedRolePoliciesResult object's GetIsTruncated function returns true, call the ListAttachedRolePoliciesRequest object's SetMarker function and use it to call ListAttachedRolePolicies again to get the next batch of results.

Includes:

#include <aws/core/Aws.h>
#include <aws/iam/IAMClient.h>
#include <aws/iam/model/ListPoliciesRequest.h>
#include <aws/iam/model/ListPoliciesResult.h>
#include <iostream>
#include <iomanip>

Code:

// DATE_FORMAT is not defined in this snippet; it is assumed here to be a
// strftime-style format string, which DateTime::ToGmtString accepts.
static const char* DATE_FORMAT = "%Y-%m-%d";

Aws::IAM::IAMClient iam;
Aws::IAM::Model::ListPoliciesRequest request;

bool done = false;
bool header = false;
while (!done)
{
    auto outcome = iam.ListPolicies(request);
    if (!outcome.IsSuccess())
    {
        std::cout << "Failed to list iam policies: " <<
            outcome.GetError().GetMessage() << std::endl;
        break;
    }

    if (!header)
    {
        std::cout << std::left << std::setw(55) << "Name" <<
            std::setw(30) << "ID" << std::setw(80) << "Arn" <<
            std::setw(64) << "Description" << std::setw(12) <<
            "CreateDate" << std::endl;
        header = true;
    }

    const auto &policies = outcome.GetResult().GetPolicies();
    for (const auto &policy : policies)
    {
        std::cout << std::left << std::setw(55) <<
            policy.GetPolicyName() << std::setw(30) <<
            policy.GetPolicyId() << std::setw(80) << policy.GetArn() <<
            std::setw(64) << policy.GetDescription() << std::setw(12) <<
            policy.GetCreateDate().ToGmtString(DATE_FORMAT) << std::endl;
    }

    // Page through truncated results using the returned marker.
    if (outcome.GetResult().GetIsTruncated())
    {
        request.SetMarker(outcome.GetResult().GetMarker());
    }
    else
    {
        done = true;
    }
}

See the complete example.

Detaching a Policy

To detach a policy from a role, call the IAMClient's DetachRolePolicy function, providing it with the role name and policy ARN in a DetachRolePolicyRequest.

Includes:

#include <aws/core/Aws.h>
#include <aws/iam/IAMClient.h>
#include <aws/iam/model/DetachRolePolicyRequest.h>
#include <aws/iam/model/ListAttachedRolePoliciesRequest.h>
#include <aws/iam/model/ListAttachedRolePoliciesResult.h>
#include <iostream>

Code:

Aws::IAM::IAMClient iam;

Aws::IAM::Model::DetachRolePolicyRequest detach_request;
detach_request.SetRoleName(role_name);
detach_request.SetPolicyArn(policy_arn);

auto detach_outcome = iam.DetachRolePolicy(detach_request);
if (!detach_outcome.IsSuccess())
{
    std::cout << "Failed to detach policy " << policy_arn << " from role " <<
        role_name << ": " << detach_outcome.GetError().GetMessage() <<
        std::endl;
    return;
}

See the complete example.

More Information