Bekerja dengan Kebijakan IAM - AWS SDK for Ruby

Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.

Bekerja dengan Kebijakan IAM

Kebijakan IAM adalah dokumen yang menentukan satu atau beberapa izin. Untuk informasi selengkapnya tentang kebijakan IAM, lihat Ikhtisar Kebijakan IAM.

Dalam contoh ini, Anda menggunakan AWS SDK for Ruby dengan IAM untuk:

  1. Buat kebijakan, menggunakan Aws: :IAM: :Client #create_policy.

  2. Dapatkan informasi tentang kebijakan, menggunakan Aws: :IAM: :Client #get_policy.

  3. Lampirkan kebijakan ke peran, menggunakan Aws: :IAM: :Client #attach_role_policy.

  4. Buat daftar kebijakan yang dilampirkan pada peran, menggunakan Aws: :IAM: :Client #list_attached_role_policies.

  5. Lepaskan kebijakan dari peran, menggunakan Aws: :IAM: :Client #detach_role_policy.


Sebelum menjalankan kode contoh, Anda perlu menginstal dan mengkonfigurasi AWS SDK for Ruby, seperti yang dijelaskan dalam:

Anda juga perlu membuat peran (peran saya) yang ditentukan dalam skrip. Anda dapat melakukan ini di konsol IAM.


# Copyright, Inc. or its affiliates. All Rights Reserved. # SPDX - License - Identifier: Apache - 2.0 # The following code example shows how to: # 1. Create a policy in AWS Identity and Access Management (IAM). # 2. Attach the policy to a role. # 3. List the policies that are attached to the role. # 4. Detach the policy from the role. require 'aws-sdk-iam' # Creates a policy in AWS Identity and Access Management (IAM). # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param policy_name [String] A name for the policy. # @param policy_document [Hash] The policy definition. # @return [String] The new policy's Amazon Resource Name (ARN); # otherwise, the string 'Error'. # @example # puts create_policy( #, # 'my-policy', # { # 'Version': '2012-10-17', # 'Statement': [ # { # 'Effect': 'Allow', # 'Action': 's3:ListAllMyBuckets', # 'Resource': 'arn:aws:s3:::*' # } # ] # } # ) def create_policy(iam_client, policy_name, policy_document) response = iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) return response.policy.arn rescue StandardError => e puts "Error creating policy: #{e.message}" return 'Error' end # Attaches a policy to a role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role to attach the policy to. # @param policy_arn [String] The policy's Amazon Resource Name (ARN). # @return [Boolean] True if the policy was attached to the role; # otherwise, false. # @example # exit 1 unless policy_attached_to_role?( #, # 'my-role', # 'arn:aws:iam::111111111111:policy/my-policy' # ) def policy_attached_to_role?(iam_client, role_name, policy_arn) iam_client.attach_role_policy(role_name: role_name, policy_arn: policy_arn) return true rescue StandardError => e puts "Error attaching policy to role: #{e.message}" return false end # Displays a list of policy Amazon Resource Names (ARNs) that are attached to a # role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role. # @example # list_policy_arns_attached_to_role(, 'my-role') def list_policy_arns_attached_to_role(iam_client, role_name) response = iam_client.list_attached_role_policies(role_name: role_name) if response.key?('attached_policies') && response.attached_policies.count.positive? response.attached_policies.each do |attached_policy| puts " #{attached_policy.policy_arn}" end else puts 'No policies attached to role.' end rescue StandardError => e puts "Error checking for policies attached to role: #{e.message}" end # Detaches a policy from a role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role with an attached policy. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role to detach the policy from. # @param policy_arn [String] The policy's Amazon Resource Name (ARN). # @return [Boolean] True if the policy was detached from the role; # otherwise, false. # @example # exit 1 unless policy_detached_from_role?( #, # 'my-role', # 'arn:aws:iam::111111111111:policy/my-policy' # ) def policy_detached_from_role?(iam_client, role_name, policy_arn) iam_client.detach_role_policy(role_name: role_name, policy_arn: policy_arn) return true rescue StandardError => e puts "Error detaching policy from role: #{e.message}" return false end # Full example call: def run_me role_name = 'my-role' policy_name = 'my-policy' # Allows the caller to get a list of all buckets in # Amazon Simple Storage Service (Amazon S3) that are owned by the caller. policy_document = { 'Version': '2012-10-17', 'Statement': [ { 'Effect': 'Allow', 'Action': 's3:ListAllMyBuckets', 'Resource': 'arn:aws:s3:::*' } ] } detach_policy_from_role = true iam_client = puts "Attempting to create policy '#{policy_name}'..." policy_arn = create_policy(iam_client, policy_name, policy_document) if policy_arn == 'Error' puts 'Could not create policy. Stopping program.' exit 1 else puts 'Policy created.' end puts "Attempting to attach policy '#{policy_name}' " \ "to role '#{role_name}'..." if policy_attached_to_role?(iam_client, role_name, policy_arn) puts 'Policy attached.' else puts 'Could not attach policy to role.' detach_policy_from_role = false end puts "Policy ARNs attached to role '#{role_name}':" list_policy_arns_attached_to_role(iam_client, role_name) if detach_policy_from_role puts "Attempting to detach policy '#{policy_name}' " \ "from role '#{role_name}'..." if policy_detached_from_role?(iam_client, role_name, policy_arn) puts 'Policy detached.' else puts 'Could not detach policy from role. You must detach it yourself.' end end end run_me if $PROGRAM_NAME == __FILE__