Working with IAM policies - AWS SDK for JavaScript


Working with IAM policies

JavaScript code example that applies to Node.js execution

This Node.js code example shows:

  • How to create and delete IAM policies.

  • How to attach and detach IAM policies from roles.

The scenario

You grant permissions to a user by creating a policy, which is a document that lists the actions that a user can perform and the resources those actions can affect. Any actions or resources that are not explicitly allowed are denied by default. Policies can be created and attached to users, groups of users, roles assumed by users, and resources.

In this example, a series of Node.js modules are used to manage policies in IAM. The Node.js modules use the SDK for JavaScript to create and delete policies and to attach and detach role policies using these commands of the IAM client class:

  • CreatePolicyCommand

  • GetPolicyCommand

  • ListAttachedRolePoliciesCommand

  • AttachRolePolicyCommand

  • DetachRolePolicyCommand

For more information about IAM users, see Overview of access management: Permissions and policies in the IAM User Guide.

Prerequisite tasks

To set up and run this example, you must first complete these tasks:

  • Set up the project environment to run these Node TypeScript examples, and install the required AWS SDK for JavaScript and third-party modules. Follow the instructions on GitHub.

  • Create a shared configurations file with your user credentials. For more information about providing a shared credentials file, see Loading credentials in Node.js from the shared credentials file.

  • Create an IAM role to which you can attach policies. For more information about creating roles, see Creating IAM roles in the IAM User Guide.

Important

These examples demonstrate how to import and export client service objects and commands using ECMAScript 6 (ES6) modules.

Creating an IAM policy

Create a libs directory, and create a Node.js module with the file name iamClient.js. Copy and paste the code below into it, which creates the IAM client object. Replace REGION with your AWS Region.

import { IAMClient } from "@aws-sdk/client-iam";
// Set the AWS Region.
const REGION = "REGION"; //e.g. "us-east-1"
// Create an IAM service client object.
const iamClient = new IAMClient({ region: REGION });
export { iamClient };

This example code can be found here on GitHub.

Create a Node.js module with the file name iam_createpolicy.js. Be sure to configure the SDK as previously shown, including downloading the required clients and packages. Create two JSON objects, one containing the policy document to create and the other containing the parameters needed to create the policy, which include the policy JSON and the name to give the policy. Be sure to stringify the policy JSON object in the parameters. Call the CreatePolicyCommand method of the IAM client service object.

Note

Replace RESOURCE_ARN with the Amazon Resource Name (ARN) of the resource you want to grant the permissions to, and DYNAMODB_POLICY_NAME with the ARN of the DynamoDB table the policy grants access to. The Resource element of a policy statement takes an ARN (or "*"), not a table or policy name.

// Import required AWS SDK clients and commands for Node.js
import { iamClient } from "./libs/iamClient.js";
import { CreatePolicyCommand } from "@aws-sdk/client-iam";

// Set the parameters
const myManagedPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: "logs:CreateLogGroup",
      Resource: "RESOURCE_ARN", // RESOURCE_ARN; the ARN of the log group
    },
    {
      Effect: "Allow",
      Action: [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "dynamodb:UpdateItem",
      ],
      // DYNAMODB_POLICY_NAME; must be the ARN of the DynamoDB table,
      // e.g., "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME"
      Resource: "DYNAMODB_POLICY_NAME",
    },
  ],
};
const params = {
  PolicyDocument: JSON.stringify(myManagedPolicy),
  PolicyName: process.argv[2], // the policy name given on the command line
};

const run = async () => {
  try {
    const data = await iamClient.send(new CreatePolicyCommand(params));
    console.log("Success", data);
    return data;
  } catch (err) {
    console.log("Error", err);
  }
};
run();

To run the example, enter the following at the command prompt, replacing POLICY_NAME with the name to give the policy.

node iam_createpolicy.js POLICY_NAME

This example code can be found here on GitHub.
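As an added check that is not part of the SDK or of this page's original code: a small lint for the policy document before it is stringified into PolicyDocument, catching the mistake of putting a table name where the Resource element needs an ARN and flagging wildcard actions or resources. The ARN pattern, the table ARN and the sample statements are this example's own constructed assumptions.

```javascript
// arn:partition:service:region:account:resource; account is 12 digits or empty (e.g. S3).
// This pattern is an assumption of this example, not an SDK validator.
const ARN_RE = /^arn:[a-z-]+:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$/;
const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns { errors, warnings }: errors mean the policy would be rejected or would not
// grant what was intended; warnings are least-privilege smells worth a second look.
function lintPolicy(doc) {
  const errors = [];
  const warnings = [];
  if (doc.Version !== "2012-10-17") errors.push("Version must be 2012-10-17");
  const statements = toList(doc.Statement);
  if (statements.length === 0) errors.push("Statement must contain at least one statement");
  statements.forEach((s, i) => {
    const where = `Statement[${i}]`;
    if (s.Effect !== "Allow" && s.Effect !== "Deny") errors.push(`${where}: Effect must be Allow or Deny`);
    const actions = toList(s.Action);
    const resources = toList(s.Resource);
    if (actions.length === 0) errors.push(`${where}: Action is required`);
    if (resources.length === 0) errors.push(`${where}: Resource is required`);
    for (const a of actions) {
      const act = String(a);
      if (act === "*" || act.endsWith(":*")) warnings.push(`${where}: wildcard action ${act}`);
    }
    for (const r of resources) {
      if (r === "*") { warnings.push(`${where}: Resource "*" applies to every resource`); continue; }
      if (!ARN_RE.test(String(r))) errors.push(`${where}: Resource "${r}" is not an ARN`);
    }
  });
  return { errors, warnings };
}

// Build the PolicyDocument string only when the lint passes; throws otherwise.
function policyDocumentFor(doc) {
  const { errors } = lintPolicy(doc);
  if (errors.length) throw new Error(errors.join("; "));
  return JSON.stringify(doc);
}

// Constructed sample: the page's policy shape, with the DynamoDB statement's Resource
// supplied by the caller so a bare table name and a proper table ARN can be compared.
const TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"; // constructed
const draftPolicy = (tableResource) => ({
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "logs:CreateLogGroup",
      Resource: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*" },
    { Effect: "Allow", Action: ["dynamodb:GetItem", "dynamodb:PutItem"], Resource: tableResource },
  ],
});
```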

Getting an IAM policy


Create a Node.js module with the file name iam_getpolicy.js. Be sure to configure the SDK as previously shown, including downloading the required clients and packages. Create a JSON object containing the parameters needed to retrieve a policy, which is the ARN of the policy to get. Call the GetPolicyCommand method of the IAM client service object. Write the policy description to the console.

// Import required AWS SDK clients and commands for Node.js
import { iamClient } from "./libs/iamClient.js";
import { GetPolicyCommand } from "@aws-sdk/client-iam";

// Set the parameters
const params = {
  PolicyArn: "arn:aws:iam::aws:policy/AWSLambdaExecute",
};

const run = async () => {
  try {
    const data = await iamClient.send(new GetPolicyCommand(params));
    console.log("Success", data);
    return data;
  } catch (err) {
    console.log("Error", err);
  }
};
run();

To run the example, enter the following at the command prompt.

node iam_getpolicy.js

This example code can be found here on GitHub.

Attaching a managed role policy


Create a Node.js module with the file name iam_attachrolepolicy.js. Be sure to configure the SDK as previously shown, including downloading the required clients and packages. Create a JSON object containing the parameters needed to get a list of managed IAM policies attached to a role, which consists of the name of the role. Set the role name in the parameters. Call the ListAttachedRolePoliciesCommand method of the IAM client service object, which returns the array of attached managed policies in its response.

Check the array members to see if the policy to attach to the role is already attached. If the policy is not attached, call the AttachRolePolicyCommand method to attach it.

Note

Replace ROLE_NAME with the name of the role to attach the policy to.

// Import required AWS SDK clients and commands for Node.js
import { iamClient } from "./libs/iamClient.js";
import {
  ListAttachedRolePoliciesCommand,
  AttachRolePolicyCommand,
} from "@aws-sdk/client-iam";

// Set the parameters
const ROLENAME = "ROLE_NAME"; //ROLE_NAME
const paramsRoleList = { RoleName: ROLENAME };
const params = {
  PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
  RoleName: ROLENAME,
};

const run = async () => {
  try {
    // List the managed policies already attached to the role.
    const data = await iamClient.send(
      new ListAttachedRolePoliciesCommand(paramsRoleList)
    );
    const myRolePolicies = data.AttachedPolicies;
    // Skip the attach if the policy is already on the role.
    if (
      myRolePolicies.some(
        (policy) => policy.PolicyName === "AmazonDynamoDBFullAccess"
      )
    ) {
      console.log("AmazonDynamoDBFullAccess is already attached to this role.");
      return data;
    }
    const result = await iamClient.send(new AttachRolePolicyCommand(params));
    console.log("Role attached successfully");
    return result;
  } catch (err) {
    console.log("Error", err);
  }
};
run();

To run the example, enter the following at the command prompt.

node iam_attachrolepolicy.js

This example code can be found here on GitHub.

Detaching a managed role policy


Create a Node.js module with the file name iam_detachrolepolicy.js. Be sure to configure the SDK as previously shown, including downloading the required clients and packages. Create a JSON object containing the parameters needed to get a list of managed IAM policies attached to a role, which consists of the name of the role. Set the role name in the parameters. Call the ListAttachedRolePoliciesCommand method of the IAM client service object, which returns the array of attached managed policies in its response.

Check the array members to see if the policy to detach from the role is attached. If the policy is attached, call the DetachRolePolicyCommand method to detach it.

Note

Replace ROLE_NAME with the name of the role to detach the policy from.

// Import required AWS SDK clients and commands for Node.js
import { iamClient } from "./libs/iamClient.js";
import {
  ListAttachedRolePoliciesCommand,
  DetachRolePolicyCommand,
} from "@aws-sdk/client-iam";

// Set the parameters
const ROLENAME = "ROLE_NAME"; //ROLE_NAME
const paramsRoleList = { RoleName: ROLENAME };
const params = {
  PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
  RoleName: ROLENAME,
};

const run = async () => {
  try {
    // List the managed policies attached to the role.
    const data = await iamClient.send(
      new ListAttachedRolePoliciesCommand(paramsRoleList)
    );
    const myRolePolicies = data.AttachedPolicies;
    // Only detach if the policy is actually attached.
    if (
      !myRolePolicies.some(
        (policy) => policy.PolicyName === "AmazonDynamoDBFullAccess"
      )
    ) {
      console.log("AmazonDynamoDBFullAccess is not attached to this role.");
      return data;
    }
    const results = await iamClient.send(new DetachRolePolicyCommand(params));
    console.log("Policy detached from role successfully");
    return results;
  } catch (err) {
    console.log("Unable to detach policy from role", err);
  }
};
run();

To run the example, enter the following at the command prompt.

node iam_detachrolepolicy.js

This example code can be found here on GitHub.
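The attach and detach procedures above share one pattern: list what is attached, then act only when needed. As an added example (not the SDK's or this page's own code), the helper below does that for both directions and follows ListAttachedRolePolicies pagination (IsTruncated and Marker), which a single list call does not; the FakeIamClient and the three command stand-in classes are constructed here so the block runs offline, and with the real SDK you would pass an IAMClient plus the real command classes from "@aws-sdk/client-iam" instead.

```javascript
// Stand-ins with the same constructor(input) shape as the SDK command classes
// (constructed for this offline example; the real ones come from @aws-sdk/client-iam).
class ListAttachedRolePoliciesCommand { constructor(input) { this.input = input; } }
class AttachRolePolicyCommand { constructor(input) { this.input = input; } }
class DetachRolePolicyCommand { constructor(input) { this.input = input; } }

// Collect every attached managed policy ARN, following Marker/IsTruncated pagination
// so a policy on a later page is not mistaken for "not attached".
async function listAttachedPolicyArns(client, roleName) {
  const arns = [];
  let Marker;
  do {
    const page = await client.send(new ListAttachedRolePoliciesCommand({ RoleName: roleName, Marker }));
    for (const p of page.AttachedPolicies ?? []) arns.push(p.PolicyArn);
    Marker = page.IsTruncated ? page.Marker : undefined;
  } while (Marker);
  return arns;
}

// Converge the role on the desired state; returns what was done so callers can log or assert it.
async function ensureRolePolicy(client, roleName, policyArn, shouldBeAttached) {
  const attached = (await listAttachedPolicyArns(client, roleName)).includes(policyArn);
  if (attached === shouldBeAttached) return "unchanged";
  const input = { RoleName: roleName, PolicyArn: policyArn };
  await client.send(shouldBeAttached ? new AttachRolePolicyCommand(input) : new DetachRolePolicyCommand(input));
  return shouldBeAttached ? "attached" : "detached";
}

// Constructed in-memory IAM that serves one policy per page, so pagination is exercised.
class FakeIamClient {
  constructor(roles) { this.roles = roles; } // roleName -> array of attached policy ARNs
  async send(cmd) {
    const { RoleName, PolicyArn, Marker } = cmd.input;
    const list = this.roles[RoleName];
    if (!list) throw new Error(`NoSuchEntity: role ${RoleName} does not exist`);
    if (cmd instanceof ListAttachedRolePoliciesCommand) {
      const i = Number(Marker ?? 0);
      return {
        AttachedPolicies: list.slice(i, i + 1).map((arn) => ({ PolicyArn: arn })),
        IsTruncated: i + 1 < list.length,
        Marker: String(i + 1),
      };
    }
    if (cmd instanceof AttachRolePolicyCommand) list.push(PolicyArn);
    else this.roles[RoleName] = list.filter((a) => a !== PolicyArn);
    return {};
  }
}
```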