本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用第 3 AWS SDK for PHP 版的 IAM 政策
您將授與建立政策的權限給使用者。政策為列出使用者可執行的動作以及這些動作可影響的資源之清單文件,在預設情況下,未明確允許的任何動作或資源將被拒絕。可建立政策並連接至使用者、使用者群組、使用者擔任的角色以及資源。
下列範例示範如何:
-
使用建立受管理的策略CreatePolicy。
-
使用將策略附加到角色AttachRolePolicy。
-
使用將策略附加到使用者AttachUserPolicy。
-
使用將原則附加至群組AttachGroupPolicy。
-
使用移除角色原則DetachRolePolicy。
-
使用移除使用者原則DetachUserPolicy。
-
使用移除群組原則DetachGroupPolicy。
-
使用刪除受管理的策略DeletePolicy。
-
使用刪除角色原則DeleteRolePolicy。
-
使用刪除使用者策略DeleteUserPolicy。
-
使用刪除群組原則DeleteGroupPolicy。
所有的範例程式碼都可以AWS SDK for PHP在這裡取
登入資料
在執行範例程式碼之前,請依照中的說明設定您的AWS認證憑證。然後匯入AWS SDK for PHP,如中所述基本使用。
建立政策
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $myManagedPolicy = '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "RESOURCE_ARN" }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": "RESOURCE_ARN" } ] }'; try { $result = $client->createPolicy(array( // PolicyName is required 'PolicyName' => 'myDynamoDBPolicy', // PolicyDocument is required 'PolicyDocument' => $myManagedPolicy )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
將政策連接至角色
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $roleName = 'ROLE_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedRolePolicies = $client->getIterator('ListAttachedRolePolicies', ([ 'RoleName' => $roleName, ])); if (count($attachedRolePolicies) > 0) { foreach ($attachedRolePolicies as $attachedRolePolicy) { if ($attachedRolePolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachRolePolicy(array( // RoleName is required 'RoleName' => $roleName, // PolicyArn is required 'PolicyArn' => $policyArn )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
將政策連接至使用者
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $userName = 'USER_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedUserPolicies = $client->getIterator('ListAttachedUserPolicies', ([ 'UserName' => $userName, ])); if (count($attachedUserPolicies) > 0) { foreach ($attachedUserPolicies as $attachedUserPolicy) { if ($attachedUserPolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachUserPolicy(array( // UserName is required 'UserName' => $userName, // PolicyArn is required 'PolicyArn' => $policyArn, )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
將原則附加至群組
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->attachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
卸離使用者原則
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
中斷連結群組原則
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachGroupPolicy([ // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
刪除政策
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deletePolicy(array( // PolicyArn is required 'PolicyArn' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
刪除角色政策
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteRolePolicy([ // RoleName is required 'RoleName' => 'string', // PolicyName is required 'PolicyName' => 'string' ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
刪除使用者策略
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyName is required 'PolicyName' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
刪除群組政策
匯入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
範例程式碼
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }