Menu
AWS SDK for Java
Developer Guide

Working with IAM Policies

Creating a Policy

To create a new policy, provide the policy's name and a JSON-formatted policy document in a CreatePolicyRequest to the AmazonIdentityManagementClient's createPolicy method.

Imports

Copy
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.CreatePolicyRequest; import com.amazonaws.services.identitymanagement.model.CreatePolicyResult;

Code

Copy
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); CreatePolicyRequest request = new CreatePolicyRequest() .withPolicyName(policy_name) .withPolicyDocument(POLICY_DOCUMENT); CreatePolicyResult response = iam.createPolicy(request);

IAM policy documents are JSON strings with a well-documented syntax. Here is an example that provides access to make particular requests to DynamoDB.

Copy
public static final String POLICY_DOCUMENT = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": \"logs:CreateLogGroup\"," + " \"Resource\": \"%s\"" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"dynamodb:DeleteItem\"," + " \"dynamodb:GetItem\"," + " \"dynamodb:PutItem\"," + " \"dynamodb:Scan\"," + " \"dynamodb:UpdateItem\"" + " ]," + " \"Resource\": \"RESOURCE_ARN\"" + " }" + " ]" + "}";

See the complete example.

Getting a Policy

To retrieve an existing policy, call the AmazonIdentityManagementClient's getPolicy method, providing the policy's ARN within a GetPolicyRequest object.

Imports

Copy
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.GetPolicyRequest; import com.amazonaws.services.identitymanagement.model.GetPolicyResult;

Code

Copy
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); GetPolicyRequest request = new GetPolicyRequest() .withPolicyArn(policy_arn); GetPolicyResult response = iam.getPolicy(request);

See the complete example.

Attaching a Role Policy

You can attach a policy to an IAMrole by calling the AmazonIdentityManagementClient's attachRolePolicy method, providing it with the role name and policy ARN in an AttachRolePolicyRequest.

Imports

Copy
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.AttachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.AttachedPolicy;

Code

Copy
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); AttachRolePolicyRequest attach_request = new AttachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(POLICY_ARN); iam.attachRolePolicy(attach_request);

See the complete example.

Listing Attached Role Policies

List attached policies on a role by calling the AmazonIdentityManagementClient's listAttachedRolePolicies method. It takes a ListAttachedRolePoliciesRequest object that contains the role name to list the policies for.

Call getAttachedPolicies on the returned ListAttachedRolePoliciesResult object to get the list of attached policies. Results may be truncated; if the ListAttachedRolePoliciesResult object's getIsTruncated method returns true, call the ListAttachedRolePoliciesRequest object's setMarker method and use it to call listAttachedRolePolicies again to get the next batch of results.

Imports

Copy
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesRequest; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesResult; import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors;

Code

Copy
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest() .withRoleName(role_name); List<AttachedPolicy> matching_policies = new ArrayList<>(); boolean done = false; while(!done) { ListAttachedRolePoliciesResult response = iam.listAttachedRolePolicies(request); matching_policies.addAll( response.getAttachedPolicies() .stream() .filter(p -> p.getPolicyName().equals(role_name)) .collect(Collectors.toList())); if(!response.getIsTruncated()) { done = true; } request.setMarker(response.getMarker()); }

See the complete example.

Detaching a Role Policy

To detach a policy from a role, call the AmazonIdentityManagementClient's detachRolePolicy method, providing it with the role name and policy ARN in a DetachRolePolicyRequest.

Imports

Copy
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyResult;

Code

Copy
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); DetachRolePolicyRequest request = new DetachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(policy_arn); DetachRolePolicyResult response = iam.detachRolePolicy(request);

See the complete example.

More Information