Working with IAM policies - AWS SDK for Java

You can now use the Amazon S3 Transfer Manager (Developer Preview) in the AWS SDK for Java 2.x for accelerated file transfers. Give it a try and let us know what you think! By the way, the AWS SDK for Java team is hiring software development engineers!

Working with IAM policies

Create a policy

To create a new policy, provide the policy’s name and a JSON-formatted policy document in a CreatePolicyRequest to the IamClient’s createPolicy method.

Imports

import software.amazon.awssdk.core.waiters.WaiterResponse; import software.amazon.awssdk.services.iam.model.CreatePolicyRequest; import software.amazon.awssdk.services.iam.model.CreatePolicyResponse; import software.amazon.awssdk.services.iam.model.GetPolicyRequest; import software.amazon.awssdk.services.iam.model.GetPolicyResponse; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.waiters.IamWaiter;

Code

public static String createIAMPolicy(IamClient iam, String policyName ) { try { // Create an IamWaiter object IamWaiter iamWaiter = iam.waiter(); CreatePolicyRequest request = CreatePolicyRequest.builder() .policyName(policyName) .policyDocument(PolicyDocument).build(); CreatePolicyResponse response = iam.createPolicy(request); // Wait until the policy is created GetPolicyRequest polRequest = GetPolicyRequest.builder() .policyArn(response.policy().arn()) .build(); WaiterResponse<GetPolicyResponse> waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest); waitUntilPolicyExists.matched().response().ifPresent(System.out::println); return response.policy().arn(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return "" ; }

See the complete example on GitHub.

Get a policy

To retrieve an existing policy, call the IamClient’s getPolicy method, providing the policy’s ARN within a GetPolicyRequest object.

Imports

import software.amazon.awssdk.services.iam.model.GetPolicyRequest; import software.amazon.awssdk.services.iam.model.GetPolicyResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException;

Code

public static void getIAMPolicy(IamClient iam, String policyArn) { try { GetPolicyRequest request = GetPolicyRequest.builder() .policyArn(policyArn).build(); GetPolicyResponse response = iam.getPolicy(request); System.out.format("Successfully retrieved policy %s", response.policy().policyName()); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } }

See the complete example on GitHub.

Attach a role policy

You can attach a policy to an IAM role by calling the IamClient’s attachRolePolicy method, providing it with the role name and policy ARN in an AttachRolePolicyRequest.

Imports

import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.AttachedPolicy; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse; import java.util.List;

Code

public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn ) { try { ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder() .roleName(roleName) .build(); ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request); List<AttachedPolicy> attachedPolicies = response.attachedPolicies(); // Ensure that the policy is not attached to this role String polArn = ""; for (AttachedPolicy policy: attachedPolicies) { polArn = policy.policyArn(); if (polArn.compareTo(policyArn)==0) { System.out.println(roleName + " policy is already attached to this role."); return; } } AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.attachRolePolicy(attachRequest); System.out.println("Successfully attached policy " + policyArn + " to role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done"); }

See the complete example on GitHub.

List attached role policies

List attached policies on a role by calling the IamClient’s listAttachedRolePolicies method. It takes a ListAttachedRolePoliciesRequest object that contains the role name to list the policies for.

Call getAttachedPolicies on the returned ListAttachedRolePoliciesResponse object to get the list of attached policies. Results may be truncated; if the ListAttachedRolePoliciesResponse object’s isTruncated method returns true, call the ListAttachedRolePoliciesResponse object’s marker method. Use the marker returned to create a new request and use it to call listAttachedRolePolicies again to get the next batch of results.

Imports

import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.AttachedPolicy; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse; import java.util.List;

Code

public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn ) { try { ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder() .roleName(roleName) .build(); ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request); List<AttachedPolicy> attachedPolicies = response.attachedPolicies(); // Ensure that the policy is not attached to this role String polArn = ""; for (AttachedPolicy policy: attachedPolicies) { polArn = policy.policyArn(); if (polArn.compareTo(policyArn)==0) { System.out.println(roleName + " policy is already attached to this role."); return; } } AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.attachRolePolicy(attachRequest); System.out.println("Successfully attached policy " + policyArn + " to role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done"); }

See the {https---github-com-awsdocs-aws-doc-sdk-examples-blob-master-javav2-example-code-iam-src-main-java-com-example-iam-AttachRolePolicy-java}[complete example] on GitHub.

Detach a role policy

To detach a policy from a role, call the IamClient’s detachRolePolicy method, providing it with the role name and policy ARN in a DetachRolePolicyRequest.

Imports

import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException;

Code

public static void detachPolicy(IamClient iam, String roleName, String policyArn ) { try { DetachRolePolicyRequest request = DetachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.detachRolePolicy(request); System.out.println("Successfully detached policy " + policyArn + " from role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } }

See the complete example on GitHub.

More information