AWS SDK for Java
Developer Guide

Working with IAM Policies

Important

This is a preview release and is not recommended for production environments.

Creating a Policy

To create a new policy, provide the policy's name and a JSON-formatted policy document in a CreatePolicyRequest to the IamClient's createPolicy method.

Imports

import software.amazon.awssdk.services.iam.model.CreatePolicyRequest;
import software.amazon.awssdk.services.iam.model.CreatePolicyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

CreatePolicyRequest request = CreatePolicyRequest.builder()
        .policyName(policy_name)
        .policyDocument(POLICY_DOCUMENT).build();

CreatePolicyResponse response = iam.createPolicy(request);

System.out.println("Successfully created policy: " +
        response.policy().policyName());

IAM policy documents are JSON strings with a well-documented syntax. Here is an example that allows creating a CloudWatch Logs log group and making particular requests to DynamoDB. Note that the Resource values are placeholders (%s and RESOURCE_ARN); scope them to the specific resources the policy should cover rather than "*".

public static final String POLICY_DOCUMENT =
        "{" +
        "  \"Version\": \"2012-10-17\"," +
        "  \"Statement\": [" +
        "    {" +
        "        \"Effect\": \"Allow\"," +
        "        \"Action\": \"logs:CreateLogGroup\"," +
        "        \"Resource\": \"%s\"" +
        "    }," +
        "    {" +
        "        \"Effect\": \"Allow\"," +
        "        \"Action\": [" +
        "            \"dynamodb:DeleteItem\"," +
        "            \"dynamodb:GetItem\"," +
        "            \"dynamodb:PutItem\"," +
        "            \"dynamodb:Scan\"," +
        "            \"dynamodb:UpdateItem\"" +
        "        ]," +
        "        \"Resource\": \"RESOURCE_ARN\"" +
        "    }" +
        "  ]" +
        "}";

See the complete example on GitHub.
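The following is an added example, not code from the guide or from the AWS samples repository. It shows the full create flow for the document above: both Resource placeholders are filled with concrete ARNs via String.format (the guide's document already uses a %s placeholder for the log group, and RESOURCE_ARN is replaced by a second %s here), the bare wildcard is refused before the request is sent, and the IAM error cases a caller will actually meet (name already taken, document rejected) are handled separately. The ARNs, account ID and policy name in main are constructed placeholders.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.CreatePolicyRequest;
import software.amazon.awssdk.services.iam.model.CreatePolicyResponse;
import software.amazon.awssdk.services.iam.model.EntityAlreadyExistsException;
import software.amazon.awssdk.services.iam.model.IamException;
import software.amazon.awssdk.services.iam.model.MalformedPolicyDocumentException;

public class CreateScopedPolicy {

    // Same shape as the guide's document, with both Resource values as %s placeholders
    // so the policy only ever names the log group and table passed in at runtime.
    private static final String POLICY_TEMPLATE =
            "{" +
            "  \"Version\": \"2012-10-17\"," +
            "  \"Statement\": [" +
            "    {" +
            "      \"Effect\": \"Allow\"," +
            "      \"Action\": \"logs:CreateLogGroup\"," +
            "      \"Resource\": \"%s\"" +
            "    }," +
            "    {" +
            "      \"Effect\": \"Allow\"," +
            "      \"Action\": [" +
            "        \"dynamodb:GetItem\"," +
            "        \"dynamodb:PutItem\"," +
            "        \"dynamodb:UpdateItem\"," +
            "        \"dynamodb:DeleteItem\"" +
            "      ]," +
            "      \"Resource\": \"%s\"" +
            "    }" +
            "  ]" +
            "}";

    /** Fills the placeholders; rejects a bare "*" or a non-ARN so the grant cannot be widened by accident. */
    static String buildPolicyDocument(String logGroupArn, String tableArn) {
        for (String arn : new String[] { logGroupArn, tableArn }) {
            if (arn == null || "*".equals(arn) || !arn.startsWith("arn:")) {
                throw new IllegalArgumentException("Resource must be a concrete ARN, got: " + arn);
            }
        }
        return String.format(POLICY_TEMPLATE, logGroupArn, tableArn);
    }

    /** Creates the managed policy and returns its ARN, or null if IAM rejected the request. */
    static String createPolicy(IamClient iam, String policyName, String document) {
        CreatePolicyRequest request = CreatePolicyRequest.builder()
                .policyName(policyName)
                .policyDocument(document)
                .description("Least-privilege access to one DynamoDB table and one log group")
                .build();
        try {
            CreatePolicyResponse response = iam.createPolicy(request);
            return response.policy().arn();
        } catch (EntityAlreadyExistsException e) {
            // A managed policy name is unique per account; do not silently reuse or overwrite it.
            System.err.println("Policy " + policyName + " already exists; review it before reusing.");
        } catch (MalformedPolicyDocumentException e) {
            System.err.println("IAM rejected the document: " + e.awsErrorDetails().errorMessage());
        } catch (IamException e) {
            System.err.println("IAM request failed: " + e.awsErrorDetails().errorMessage());
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed placeholder ARNs (account 123456789012 is the documentation example ID).
        String logGroupArn = "arn:aws:logs:us-east-1:123456789012:log-group:/app/orders:*";
        String tableArn = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders";

        String document = buildPolicyDocument(logGroupArn, tableArn);

        // IAM is a global service, so the client is built for Region.AWS_GLOBAL as in the guide.
        try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
            String arn = createPolicy(iam, "OrdersTableAccess", document);
            if (arn != null) {
                System.out.println("Created " + arn);
            }
        }
    }
}
```

The wildcard check deliberately runs before the request is made, so a misconfigured caller fails locally instead of creating an over-broad policy that then has to be found and cleaned up; IAM itself accepts "*" as a Resource without complaint.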

Getting a Policy

To retrieve an existing policy, call the IamClient's getPolicy method, providing the policy's ARN within a GetPolicyRequest object.

Imports

import software.amazon.awssdk.services.iam.model.GetPolicyRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

GetPolicyRequest request = GetPolicyRequest.builder()
        .policyArn(policy_arn).build();

GetPolicyResponse response = iam.getPolicy(request);

See the complete example on GitHub.
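An added example, not from the guide, that goes one step further than the snippet above: getPolicy returns only metadata (name, default version ID, attachment count), so to actually review what a policy allows the code also fetches the default version with getPolicyVersion and URL-decodes its document, as the IAM API returns it encoded. A small heuristic then flags wildcard Action or Resource values for a closer look. The policy ARN is a placeholder; the URLDecoder overload used needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.GetPolicyRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyVersionRequest;
import software.amazon.awssdk.services.iam.model.NoSuchEntityException;
import software.amazon.awssdk.services.iam.model.Policy;

public class ReviewPolicy {

    /** Fetches the policy's metadata and returns the decoded JSON of its default (active) version. */
    static String getDefaultVersionDocument(IamClient iam, String policyArn) {
        Policy policy = iam.getPolicy(GetPolicyRequest.builder()
                .policyArn(policyArn).build()).policy();

        System.out.println(policy.policyName()
                + ": default version " + policy.defaultVersionId()
                + ", attached to " + policy.attachmentCount() + " entities");

        // The statements live in the policy version, not in the GetPolicy response.
        String encoded = iam.getPolicyVersion(GetPolicyVersionRequest.builder()
                .policyArn(policyArn)
                .versionId(policy.defaultVersionId())
                .build()).policyVersion().document();

        // IAM returns the document URL-encoded (RFC 3986), so decode before reading it.
        return URLDecoder.decode(encoded, StandardCharsets.UTF_8);
    }

    /**
     * First-pass heuristic only: true if any statement uses "*" as its whole Action or Resource.
     * It does not catch wildcards inside arrays or partial wildcards such as "s3:*".
     */
    static boolean looksOverlyBroad(String document) {
        String compact = document.replaceAll("\\s", "");
        return compact.contains("\"Action\":\"*\"") || compact.contains("\"Resource\":\"*\"");
    }

    public static void main(String[] args) {
        // Placeholder ARN; pass a real one as the first argument.
        String policyArn = args.length > 0 ? args[0]
                : "arn:aws:iam::123456789012:policy/PLACEHOLDER_POLICY_NAME";

        try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
            String document = getDefaultVersionDocument(iam, policyArn);
            System.out.println(document);
            if (looksOverlyBroad(document)) {
                System.out.println("WARNING: wildcard Action or Resource found; review before attaching.");
            }
        } catch (NoSuchEntityException e) {
            System.err.println("No policy with ARN " + policyArn);
        }
    }
}
```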

Attaching a Role Policy

You can attach a policy to an IAM role by calling the IamClient's attachRolePolicy method, providing it with the role name and policy ARN in an AttachRolePolicyRequest.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

AttachRolePolicyRequest attach_request = AttachRolePolicyRequest.builder()
        .roleName(role_name)
        .policyArn(POLICY_ARN).build();

iam.attachRolePolicy(attach_request);

See the complete example on GitHub.

Listing Attached Role Policies

List the policies attached to a role by calling the IamClient's listAttachedRolePolicies method. It takes a ListAttachedRolePoliciesRequest object that contains the name of the role whose policies you want to list.

Call attachedPolicies on the returned ListAttachedRolePoliciesResponse object to get the list of attached policies. Results may be truncated; if the ListAttachedRolePoliciesResponse object's isTruncated method returns true, call its marker method. Use the returned marker to build a new request and call listAttachedRolePolicies again to get the next batch of results. Stop only when isTruncated returns false; a check that reads just the first page can miss an attached policy.

Imports

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

List<AttachedPolicy> matching_policies = new ArrayList<>();

boolean done = false;
String new_marker = null;

while(!done) {
    ListAttachedRolePoliciesResponse response;

    if (new_marker == null) {
        ListAttachedRolePoliciesRequest request =
            ListAttachedRolePoliciesRequest.builder()
                .roleName(role_name).build();
        response = iam.listAttachedRolePolicies(request);
    } else {
        // Resend the marker from the previous page to fetch the next batch.
        ListAttachedRolePoliciesRequest request =
            ListAttachedRolePoliciesRequest.builder()
                .roleName(role_name)
                .marker(new_marker).build();
        response = iam.listAttachedRolePolicies(request);
    }

    // Keep only the policy we intend to attach. Compare ARNs, which are unique,
    // rather than comparing a policy name against the role name.
    matching_policies.addAll(
            response.attachedPolicies()
                    .stream()
                    .filter(p -> p.policyArn().equals(POLICY_ARN))
                    .collect(Collectors.toList()));

    if(!response.isTruncated()) {
        done = true;
    } else {
        new_marker = response.marker();
    }
}

if (matching_policies.size() > 0) {
    System.out.println(POLICY_ARN + " is already attached to role " + role_name + ".");
    return;
}

See the complete example on GitHub.
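As an added example that is not the guide's own code, the following covers both the attach step and the listing step above in one place: it uses the SDK's generated paginator, listAttachedRolePoliciesPaginator, which resends the marker for you and exposes every page's entries through attachedPolicies(), so the hand-written isTruncated/marker loop is not needed. It prints the role's full attachment inventory (useful when reviewing what a role can do), and attaches the policy only if it is not already present. The role name and policy ARN in main are constructed placeholders.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.NoSuchEntityException;
import software.amazon.awssdk.services.iam.paginators.ListAttachedRolePoliciesIterable;

public class AttachIfMissing {

    /** Returns true if policyArn is attached to roleName, walking every page of results. */
    static boolean isAttached(IamClient iam, String roleName, String policyArn) {
        ListAttachedRolePoliciesIterable pages = iam.listAttachedRolePoliciesPaginator(
                ListAttachedRolePoliciesRequest.builder().roleName(roleName).build());

        // attachedPolicies() iterates across all pages; the paginator handles the marker.
        for (AttachedPolicy p : pages.attachedPolicies()) {
            System.out.println("  attached: " + p.policyName() + " (" + p.policyArn() + ")");
            if (policyArn.equals(p.policyArn())) {
                return true;
            }
        }
        return false;
    }

    /** Attaches the policy unless it is already there; returns true only if a change was made. */
    static boolean attachIfMissing(IamClient iam, String roleName, String policyArn) {
        System.out.println("Policies currently attached to " + roleName + ":");
        if (isAttached(iam, roleName, policyArn)) {
            System.out.println(policyArn + " is already attached to " + roleName + "; nothing to do.");
            return false;
        }
        iam.attachRolePolicy(AttachRolePolicyRequest.builder()
                .roleName(roleName)
                .policyArn(policyArn)
                .build());
        System.out.println("Attached " + policyArn + " to " + roleName);
        return true;
    }

    public static void main(String[] args) {
        // Constructed placeholders; replace with a real role name and managed policy ARN.
        String roleName = "OrdersServiceRole";
        String policyArn = "arn:aws:iam::123456789012:policy/OrdersTableAccess";

        try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
            attachIfMissing(iam, roleName, policyArn);
        } catch (NoSuchEntityException e) {
            // Raised when either the role or the policy does not exist.
            System.err.println("Role or policy not found: " + e.awsErrorDetails().errorMessage());
        }
    }
}
```

Matching on the ARN rather than the policy name matters because customer managed and AWS managed policies can share a display name; the ARN is the identifier IAM itself uses for the attachment.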

Detaching a Role Policy

To detach a policy from a role, call the IamClient's detachRolePolicy method, providing it with the role name and policy ARN in a DetachRolePolicyRequest.

Imports

import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.DetachRolePolicyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

DetachRolePolicyRequest request = DetachRolePolicyRequest.builder()
        .roleName(role_name)
        .policyArn(policy_arn).build();

DetachRolePolicyResponse response = iam.detachRolePolicy(request);

See the complete example on GitHub.

More Information