AWS Code Sample


auth_federation_token_request_test.rb allows a federated user with a limited set of permissions to lists keys in the specified bucket.

#** #* Copyright 2010-2019, Inc. or its affiliates. All Rights Reserved. #* #* This file is licensed under the Apache License, Version 2.0 (the "License"). #* You may not use this file except in compliance with the License. A copy of #* the License is located at #* #* #* #* This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR #* CONDITIONS OF ANY KIND, either express or implied. See the License for the #* specific language governing permissions and limitations under the License. #** require 'aws-sdk-s3' require 'aws-sdk-iam' USAGE = <<DOC Usage: ruby auth_federation_token_request_test.rb -b BUCKET -u USER [-r REGION] [-d] [-h] Creates a federated policy for USER to list items in BUCKET for one hour. BUCKET is required and must already exist. USER is required and if not found, is created. If REGION is not supplied, defaults to us-west-2. -d gives you extra (debugging) information. -h displays this message and quits. DOC def print_debug(debug, s) if debug puts s end end # Get the user if they exist, otherwise create them def get_user(region, user_name, debug) iam = 'us-west-2') # See if user exists user = iam.user(user_name) # If user does not exist, create them if user == nil user = iam.create_user(user_name: user_name) iam.wait_until(:user_exists, user_name: user_name) print_debug(debug, "Created new user #{user_name}") else print_debug(debug, "Found user #{user_name} in region #{region}") end user end # main region = 'us-west-2' user_name = '' bucket_name = '' debug = false i = 0 while i < ARGV.length case ARGV[i] when '-b' i += 1 bucket_name = ARGV[i] when '-u' i += 1 user_name = ARGV[i] when '-r' i += 1 region = ARGV[i] when '-d' puts 'Debugging enabled' debug = true when '-h' puts USAGE exit 0 else puts 'Unrecognized option: ' + ARGV[i] puts USAGE exit 1 end i += 1 end if bucket_name == '' puts 'You must supply a bucket name' puts USAGE exit 1 end if user_name == '' puts 'You must supply a user name' puts USAGE exit 1 end # Identify the IAM user we allow to list Amazon S3 bucket items for an hour. user = get_user(region, user_name, debug) # Create a new STS client and get temporary credentials. sts = region) creds = sts.get_federation_token({ duration_seconds: 3600, name: user_name, policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::#{bucket_name}\"}]}", }) # Create an Amazon S3 resource with temporary credentials. s3 = region, credentials: creds) puts "Contents of '%s':" % bucket_name puts ' Name => GUID' begin s3.bucket(bucket_name).objects.limit(50).each do |obj| puts " #{obj.key} => #{obj.etag}" end rescue Exception => ex puts 'Caught exception accessing bucket ' + bucket_name + ':' puts ex.message end

Sample Details

Service: s3

Last tested: 2019-02-11

Author: AWS

Type: full-example

On this page: