Work with IAM policies - AWS SDK for Java version 2

Work with IAM policies

Create a policy

To create a new policy, provide the policy’s name and a JSON-formatted policy document in a CreatePolicyRequest to the IamClient’s createPolicy method.

Imports

import software.amazon.awssdk.services.iam.model.CreatePolicyRequest; import software.amazon.awssdk.services.iam.model.CreatePolicyResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException;

Code

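/**
 * Creates a customer managed IAM policy from the page-level {@code PolicyDocument}
 * constant and returns the new policy's ARN.
 *
 * <p>Kept for callers of the original two-argument form; it delegates to
 * {@link #createIAMPolicy(IamClient, String, String)} so the document can also be
 * supplied explicitly.
 *
 * @param iam        the IAM client to call
 * @param policyName the name of the policy to create
 * @return the ARN of the created policy
 */
public static String createIAMPolicy(IamClient iam, String policyName) {
    return createIAMPolicy(iam, policyName, PolicyDocument);
}

/**
 * Creates a customer managed IAM policy with the given JSON policy document.
 *
 * <p>The document is sent to IAM verbatim, so it should come from a reviewed,
 * least-privilege template rather than from untrusted input.
 *
 * <p>On an {@link IamException} the error message is printed to stderr and the
 * process exits with status 1, matching the other samples on this page.
 *
 * @param iam            the IAM client to call
 * @param policyName     the name of the policy to create
 * @param policyDocument the JSON policy document
 * @return the ARN of the created policy
 */
public static String createIAMPolicy(IamClient iam, String policyName, String policyDocument) {
    try {
        CreatePolicyRequest request = CreatePolicyRequest.builder()
                .policyName(policyName)
                .policyDocument(policyDocument)
                .build();
        CreatePolicyResponse response = iam.createPolicy(request);
        return response.policy().arn();
    } catch (IamException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
    // Not reached after System.exit(1); present only so the method always returns.
    return "";
}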

See the complete example on GitHub.

Get a policy

To retrieve an existing policy, call the IamClient’s getPolicy method, providing the policy’s ARN within a GetPolicyRequest object.

Imports

import software.amazon.awssdk.services.iam.model.GetPolicyRequest; import software.amazon.awssdk.services.iam.model.GetPolicyResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException;

Code

/**
 * Looks up a managed policy by ARN and prints its name.
 *
 * <p>On an {@link IamException} the error message is printed to stderr and the
 * process exits with status 1, matching the other samples on this page. The
 * trailing "Done" line is printed only on the success path.
 *
 * @param iam       the IAM client to call
 * @param policyArn the ARN of the policy to retrieve
 */
public static void getIAMPolicy(IamClient iam, String policyArn) {
    try {
        GetPolicyResponse found = iam.getPolicy(
                GetPolicyRequest.builder().policyArn(policyArn).build());
        // No newline here; the following "Done" is printed on its own line.
        System.out.format("Successfully retrieved policy %s", found.policy().policyName());
    } catch (IamException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
    System.out.println("Done");
}

See the complete example on GitHub.

Attach a role policy

You can attach a policy to an IAM role by calling the IamClient’s attachRolePolicy method, providing it with the role name and policy ARN in an AttachRolePolicyRequest.

Imports

import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.AttachedPolicy; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse; import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors;

Code

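/**
 * Attaches a managed policy to a role unless that exact policy is already attached.
 *
 * <p>The attached-policy list is paged with the response marker until either the
 * target ARN is found or the last page is reached. The check compares policy ARNs:
 * comparing {@code policyName()} against the role name (as the earlier version did)
 * only detects a policy that happens to share the role's name, so the guard never
 * looked at the policy actually being attached.
 *
 * <p>On an {@link IamException} the error message is printed to stderr and the
 * process exits with status 1, matching the other samples on this page.
 *
 * @param iam       the IAM client to call
 * @param roleName  the role to attach the policy to
 * @param policyArn the ARN of the managed policy to attach
 */
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) {
    try {
        boolean alreadyAttached = false;
        String marker = null;
        do {
            ListAttachedRolePoliciesRequest.Builder request = ListAttachedRolePoliciesRequest.builder()
                    .roleName(roleName);
            if (marker != null) {
                request.marker(marker);
            }
            ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request.build());
            alreadyAttached = response.attachedPolicies().stream()
                    .anyMatch(p -> policyArn.equals(p.policyArn()));
            // isTruncated() returns a boxed Boolean in SDK v2; treat an absent value as the last page.
            marker = Boolean.TRUE.equals(response.isTruncated()) ? response.marker() : null;
        } while (!alreadyAttached && marker != null);

        if (alreadyAttached) {
            System.out.println("Policy " + policyArn + " is already attached to role " + roleName + ".");
            return;
        }

        AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder()
                .roleName(roleName)
                .policyArn(policyArn)
                .build();
        iam.attachRolePolicy(attachRequest);
        System.out.println("Successfully attached policy " + policyArn + " to role " + roleName);
    } catch (IamException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}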

See the complete example on GitHub.

List attached role policies

List attached policies on a role by calling the IamClient’s listAttachedRolePolicies method. It takes a ListAttachedRolePoliciesRequest object that contains the role name to list the policies for.

Call getAttachedPolicies on the returned ListAttachedRolePoliciesResponse object to get the list of attached policies. Results may be truncated: if the ListAttachedRolePoliciesResponse object’s isTruncated method returns true, call its marker method, use the returned marker to build a new request, and call listAttachedRolePolicies again to get the next batch of results. Repeat until isTruncated returns false.

Imports

import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.AttachedPolicy; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse; import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors;

Code

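/**
 * Attaches a managed policy to a role unless that exact policy is already attached.
 *
 * <p>The attached-policy list is paged with the response marker until either the
 * target ARN is found or the last page is reached. The check compares policy ARNs:
 * comparing {@code policyName()} against the role name (as the earlier version did)
 * only detects a policy that happens to share the role's name, so the guard never
 * looked at the policy actually being attached.
 *
 * <p>On an {@link IamException} the error message is printed to stderr and the
 * process exits with status 1, matching the other samples on this page.
 *
 * @param iam       the IAM client to call
 * @param roleName  the role to attach the policy to
 * @param policyArn the ARN of the managed policy to attach
 */
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) {
    try {
        boolean alreadyAttached = false;
        String marker = null;
        do {
            ListAttachedRolePoliciesRequest.Builder request = ListAttachedRolePoliciesRequest.builder()
                    .roleName(roleName);
            if (marker != null) {
                request.marker(marker);
            }
            ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request.build());
            alreadyAttached = response.attachedPolicies().stream()
                    .anyMatch(p -> policyArn.equals(p.policyArn()));
            // isTruncated() returns a boxed Boolean in SDK v2; treat an absent value as the last page.
            marker = Boolean.TRUE.equals(response.isTruncated()) ? response.marker() : null;
        } while (!alreadyAttached && marker != null);

        if (alreadyAttached) {
            System.out.println("Policy " + policyArn + " is already attached to role " + roleName + ".");
            return;
        }

        AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder()
                .roleName(roleName)
                .policyArn(policyArn)
                .build();
        iam.attachRolePolicy(attachRequest);
        System.out.println("Successfully attached policy " + policyArn + " to role " + roleName);
    } catch (IamException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}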

See the complete example on GitHub.

Detach a role policy

To detach a policy from a role, call the IamClient’s detachRolePolicy method, providing it with the role name and policy ARN in a DetachRolePolicyRequest.

Imports

import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.DetachRolePolicyResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException;

Code

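/**
 * Detaches a managed policy from a role.
 *
 * <p>On an {@link IamException} the error message is printed to stderr and the
 * process exits with status 1, matching the other samples on this page.
 *
 * @param iam       the IAM client to call
 * @param roleName  the role to detach the policy from
 * @param policyArn the ARN of the managed policy to detach
 */
public static void detachPolicy(IamClient iam, String roleName, String policyArn) {
    try {
        DetachRolePolicyRequest request = DetachRolePolicyRequest.builder()
                .roleName(roleName)
                .policyArn(policyArn)
                .build();
        // The response carries nothing this sample reads, so it is not bound to a local.
        iam.detachRolePolicy(request);
        System.out.println("Successfully detached policy " + policyArn + " from role " + roleName);
    } catch (IamException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}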

See the complete example on GitHub.

More information