AWS Code Sample
Catalog

auth_federation_token_request_test.rb

auth_federation_token_request_test.rb allows a federated user with a limited set of permissions to lists keys in the specified bucket.

#** #* Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. #* #* This file is licensed under the Apache License, Version 2.0 (the "License"). #* You may not use this file except in compliance with the License. A copy of #* the License is located at #* #* http://aws.amazon.com/apache2.0/ #* #* This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR #* CONDITIONS OF ANY KIND, either express or implied. See the License for the #* specific language governing permissions and limitations under the License. #** require 'aws-sdk-s3' require 'aws-sdk-iam' USAGE = <<DOC Usage: ruby auth_federation_token_request_test.rb -b BUCKET -u USER [-r REGION] [-d] [-h] Creates a federated policy for USER to list items in BUCKET for one hour. BUCKET is required and must already exist. USER is required and if not found, is created. If REGION is not supplied, defaults to us-west-2. -d gives you extra (debugging) information. -h displays this message and quits. DOC def print_debug(debug, s) if debug puts s end end # Get the user if they exist, otherwise create them def get_user(region, user_name, debug) iam = Aws::IAM::Client.new(region: 'us-west-2') # See if user exists user = iam.user(user_name) # If user does not exist, create them if user == nil user = iam.create_user(user_name: user_name) iam.wait_until(:user_exists, user_name: user_name) print_debug(debug, "Created new user #{user_name}") else print_debug(debug, "Found user #{user_name} in region #{region}") end user end # main region = 'us-west-2' user_name = '' bucket_name = '' i = 0 while i < ARGV.length case ARGV[i] when '-b' i += 1 bucket_name = ARGV[i] when '-u' i += 1 user_name = ARGV[i] when '-r' i += 1 region = ARGV[i] when '-h' puts USAGE exit 0 else puts 'Unrecognized option: ' + ARGV[i] puts USAGE exit 1 end i += 1 end if bucket_name == '' puts 'You must supply a bucket name' puts USAGE exit 1 end if user_name == '' puts 'You must supply a user name' puts USAGE exit 1 end # Create a new STS client and get temporary credentials. sts = Aws::STS::Client.new(region: region) creds = sts.get_federation_token({ duration_seconds: 3600, name: user_name, policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::#{bucket_name}\"}]}", }) # Create an Amazon S3 resource with temporary credentials. s3 = Aws::S3::Resource.new(region: region, credentials: creds) puts "Contents of '%s':" % bucket_name puts ' Name => GUID' begin s3.bucket(bucket_name).objects.limit(50).each do |obj| puts " #{obj.key} => #{obj.etag}" end rescue StandardError => ex puts 'Caught exception accessing bucket ' + bucket_name + ':' puts ex.message end

Sample Details

Service: s3

Last tested: 2019-02-11

Author: AWS

Type: full-example

On this page: