Making requests using IAM user temporary credentials - AWS SDK for Ruby - Amazon Simple Storage Service

Making requests using IAM user temporary credentials - AWS SDK for Ruby

An IAM user or an AWS account can request temporary security credentials using AWS SDK for Ruby and use them to access Amazon S3. These credentials expire after the session duration.

By default, the session duration is one hour. If you use IAM user credentials, you can specify the duration when requesting the temporary security credentials from 15 minutes to the maximum session duration for the role. For more information about temporary security credentials, see Temporary Security Credentials in the IAM User Guide. For more information about making requests, see Making requests.

Note

If you obtain temporary security credentials using your AWS account security credentials, the temporary security credentials are valid for only one hour. You can specify session duration only if you use IAM user credentials to request a session.

The following Ruby example creates a temporary user to list the items in a specified bucket for one hour. To use this example, you must have AWS credentials that have the necessary permissions to create new AWS Security Token Service (AWS STS) clients, and list Amazon S3 buckets.

require 'aws-sdk-core' require 'aws-sdk-s3' require 'aws-sdk-iam' # Checks whether a user exists in IAM. # # @param iam [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The user's name. # @return [Boolean] true if the user exists; otherwise, false. # @example # iam_client = Aws::IAM::Client.new(region: 'us-east-1') # exit 1 unless user_exists?(iam_client, 'my-user') def user_exists?(iam_client, user_name) response = iam_client.get_user(user_name: user_name) return true if response.user.user_name rescue Aws::IAM::Errors::NoSuchEntity # User doesn't exist. rescue StandardError => e puts 'Error while determining whether the user ' \ "'#{user_name}' exists: #{e.message}" end # Creates a user in IAM. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The user's name. # @return [AWS:IAM::Types::User] The new user. # @example # iam_client = Aws::IAM::Client.new(region: 'us-east-1') # user = create_user(iam_client, 'my-user') # exit 1 unless user.user_name def create_user(iam_client, user_name) response = iam_client.create_user(user_name: user_name) return response.user rescue StandardError => e puts "Error while creating the user '#{user_name}': #{e.message}" end # Gets a user in IAM. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param user_name [String] The user's name. # @return [AWS:IAM::Types::User] The existing user. # @example # iam_client = Aws::IAM::Client.new(region: 'us-east-1') # user = get_user(iam_client, 'my-user') # exit 1 unless user.user_name def get_user(iam_client, user_name) response = iam_client.get_user(user_name: user_name) return response.user rescue StandardError => e puts "Error while getting the user '#{user_name}': #{e.message}" end # Checks whether a role exists in IAM. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The role's name. # @return [Boolean] true if the role exists; otherwise, false. # @example # iam_client = Aws::IAM::Client.new(region: 'us-east-1') # exit 1 unless role_exists?(iam_client, 'my-role') def role_exists?(iam_client, role_name) response = iam_client.get_role(role_name: role_name) return true if response.role.role_name rescue StandardError => e puts 'Error while determining whether the role ' \ "'#{role_name}' exists: #{e.message}" end # Gets credentials for a role in IAM. # # @param sts_client [Aws::STS::Client] An initialized AWS STS client. # @param role_arn [String] The role's Amazon Resource Name (ARN). # @param role_session_name [String] A name for this role's session. # @param duration_seconds [Integer] The number of seconds this session is valid. # @return [AWS::AssumeRoleCredentials] The credentials. # @example # sts_client = Aws::STS::Client.new(region: 'us-east-1') # credentials = get_credentials( # sts_client, # 'arn:aws:iam::123456789012:role/AmazonS3ReadOnly', # 'ReadAmazonS3Bucket', # 3600 # ) # exit 1 if credentials.nil? def get_credentials(sts_client, role_arn, role_session_name, duration_seconds) Aws::AssumeRoleCredentials.new( client: sts_client, role_arn: role_arn, role_session_name: role_session_name, duration_seconds: duration_seconds ) rescue StandardError => e puts "Error while getting credentials: #{e.message}" end # Checks whether a bucket exists in Amazon S3. # # @param s3_client [Aws::S3::Client] An initialized Amazon S3 client. # @param bucket_name [String] The name of the bucket. # @return [Boolean] true if the bucket exists; otherwise, false. # @example # s3_client = Aws::S3::Client.new(region: 'us-east-1') # exit 1 unless bucket_exists?(s3_client, 'doc-example-bucket') def bucket_exists?(s3_client, bucket_name) response = s3_client.list_buckets response.buckets.each do |bucket| return true if bucket.name == bucket_name end rescue StandardError => e puts "Error while checking whether the bucket '#{bucket_name}' " \ "exists: #{e.message}" end # Lists the keys and ETags for the objects in an Amazon S3 bucket. # # @param s3_client [Aws::S3::Client] An initialized Amazon S3 client. # @param bucket_name [String] The bucket's name. # @return [Boolean] true if the objects were listed; otherwise, false. # @example # s3_client = Aws::S3::Client.new(region: 'us-east-1') # exit 1 unless list_objects_in_bucket?(s3_client, 'doc-example-bucket') def list_objects_in_bucket?(s3_client, bucket_name) puts "Accessing the contents of the bucket named '#{bucket_name}'..." response = s3_client.list_objects_v2( bucket: bucket_name, max_keys: 50 ) if response.count.positive? puts "Contents of the bucket named '#{bucket_name}' (first 50 objects):" puts 'Name => ETag' response.contents.each do |obj| puts "#{obj.key} => #{obj.etag}" end else puts "No objects in the bucket named '#{bucket_name}'." end return true rescue StandardError => e puts "Error while accessing the bucket named '#{bucket_name}': #{e.message}" end