Working with IAM Policies - AWS SDK for Ruby

Working with IAM Policies

An IAM policy is a document that specifies one or more permissions. For more information about IAM policies, see Overview of IAM Policies.

In this example, you use the AWS SDK for Ruby with IAM to:

  1. Create a policy, using Aws::IAM::Client#create_policy.

  2. Get information about the policy, using Aws::IAM::Client#get_policy.

  3. Attach the policy to a role, using Aws::IAM::Client#attach_role_policy.

  4. List policies attached to the role, using Aws::IAM::Client#list_attached_role_policies.

  5. Detach the policy from the role, using Aws::IAM::Client#detach_role_policy.

Prerequisites

Before running the example code, you need to install and configure the AWS SDK for Ruby, as described in:

You will also need to create the role (my-role) specified in the script. You can do this in the IAM console.

Example

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX - License - Identifier: Apache - 2.0 # The following code example shows how to: # 1. Create a policy in AWS Identity and Access Management (IAM). # 2. Attach the policy to a role. # 3. List the policies that are attached to the role. # 4. Detach the policy from the role. require 'aws-sdk-iam' # Creates a policy in AWS Identity and Access Management (IAM). # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param policy_name [String] A name for the policy. # @param policy_document [Hash] The policy definition. # @return [String] The new policy's Amazon Resource Name (ARN); # otherwise, the string 'Error'. # @example # puts create_policy( # Aws::IAM::Client.new, # 'my-policy', # { # 'Version': '2012-10-17', # 'Statement': [ # { # 'Effect': 'Allow', # 'Action': 's3:ListAllMyBuckets', # 'Resource': 'arn:aws:s3:::*' # } # ] # } # ) def create_policy(iam_client, policy_name, policy_document) response = iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) return response.policy.arn rescue StandardError => e puts "Error creating policy: #{e.message}" return 'Error' end # Attaches a policy to a role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role to attach the policy to. # @param policy_arn [String] The policy's Amazon Resource Name (ARN). # @return [Boolean] True if the policy was attached to the role; # otherwise, false. # @example # exit 1 unless policy_attached_to_role?( # Aws::IAM::Client.new, # 'my-role', # 'arn:aws:iam::111111111111:policy/my-policy' # ) def policy_attached_to_role?(iam_client, role_name, policy_arn) iam_client.attach_role_policy(role_name: role_name, policy_arn: policy_arn) return true rescue StandardError => e puts "Error attaching policy to role: #{e.message}" return false end # Displays a list of policy Amazon Resource Names (ARNs) that are attached to a # role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role. # @example # list_policy_arns_attached_to_role(Aws::IAM::Client.new, 'my-role') def list_policy_arns_attached_to_role(iam_client, role_name) response = iam_client.list_attached_role_policies(role_name: role_name) if response.key?('attached_policies') && response.attached_policies.count.positive? response.attached_policies.each do |attached_policy| puts " #{attached_policy.policy_arn}" end else puts 'No policies attached to role.' end rescue StandardError => e puts "Error checking for policies attached to role: #{e.message}" end # Detaches a policy from a role in AWS Identity and Access Management (IAM). # # Prerequisites: # - An existing role with an attached policy. # # @param iam_client [Aws::IAM::Client] An initialized IAM client. # @param role_name [String] The name of the role to detach the policy from. # @param policy_arn [String] The policy's Amazon Resource Name (ARN). # @return [Boolean] True if the policy was detached from the role; # otherwise, false. # @example # exit 1 unless policy_detached_from_role?( # Aws::IAM::Client.new, # 'my-role', # 'arn:aws:iam::111111111111:policy/my-policy' # ) def policy_detached_from_role?(iam_client, role_name, policy_arn) iam_client.detach_role_policy(role_name: role_name, policy_arn: policy_arn) return true rescue StandardError => e puts "Error detaching policy from role: #{e.message}" return false end # Full example call: def run_me role_name = 'my-role' policy_name = 'my-policy' # Allows the caller to get a list of all buckets in # Amazon Simple Storage Service (Amazon S3) that are owned by the caller. policy_document = { 'Version': '2012-10-17', 'Statement': [ { 'Effect': 'Allow', 'Action': 's3:ListAllMyBuckets', 'Resource': 'arn:aws:s3:::*' } ] } detach_policy_from_role = true iam_client = Aws::IAM::Client.new puts "Attempting to create policy '#{policy_name}'..." policy_arn = create_policy(iam_client, policy_name, policy_document) if policy_arn == 'Error' puts 'Could not create policy. Stopping program.' exit 1 else puts 'Policy created.' end puts "Attempting to attach policy '#{policy_name}' " \ "to role '#{role_name}'..." if policy_attached_to_role?(iam_client, role_name, policy_arn) puts 'Policy attached.' else puts 'Could not attach policy to role.' detach_policy_from_role = false end puts "Policy ARNs attached to role '#{role_name}':" list_policy_arns_attached_to_role(iam_client, role_name) if detach_policy_from_role puts "Attempting to detach policy '#{policy_name}' " \ "from role '#{role_name}'..." if policy_detached_from_role?(iam_client, role_name, policy_arn) puts 'Policy detached.' else puts 'Could not detach policy from role. You must detach it yourself.' end end end run_me if $PROGRAM_NAME == __FILE__