# Making requests using the AWS SDKs
**Topics**
+ [Making requests using AWS account or IAM user credentials](AuthUsingAcctOrUserCredentials.md)
+ [Making requests using IAM user temporary credentials](AuthUsingTempSessionToken.md)
+ [Making requests using federated user temporary credentials](AuthUsingTempFederationToken.md)
You can send authenticated requests to Amazon S3 using either the AWS SDK or by making the REST API calls directly in your application. The AWS SDK API uses the credentials that you provide to compute the signature for authentication. If you use the REST API directly in your applications, you must write the necessary code to compute the signature for authenticating your request. For a list of available AWS SDKs go to, [Sample Code and Libraries](https://aws.amazon.com/code/).
# Making requests using AWS account or IAM user credentials
You can use your AWS account or IAM user security credentials to send authenticated requests to Amazon S3. This section provides examples of how you can send authenticated requests using the AWS SDK for Java, AWS SDK for .NET, and AWS SDK for PHP. For a list of available AWS SDKs, go to [Sample Code and Libraries](https://aws.amazon.com/code/).
Each of these AWS SDKs uses an SDK-specific credentials provider chain to find and use credentials and perform actions on behalf of the credentials owner. What all these credentials provider chains have in common is that they all look for your local AWS credentials file.
For more information, see the topics below:
**Topics**
+ [To create a local AWS credentials file](#create-local-aws-credentials-file)
+ [Sending authenticated requests using the AWS SDKs](#send-authenticated-request-SDKs)
## To create a local AWS credentials file
The easiest way to configure credentials for your AWS SDKs is to use an AWS credentials file. If you use the AWS Command Line Interface (AWS CLI), you may already have a local AWS credentials file configured. Otherwise, use the following procedure to set up a credentials file:
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Create a new user with permissions limited to the services and actions that you want your code to have access to. For more information about creating a new user, see [Creating IAM users (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console), and follow the instructions through step 8.
1. Choose **Download .csv** to save a local copy of your AWS credentials.
1. On your computer, navigate to your home directory, and create an `.aws` directory. On Unix-based systems, such as Linux or OS X, this is in the following location:
```
~/.aws
```
On Windows, this is in the following location:
```
%HOMEPATH%\.aws
```
1. In the `.aws` directory, create a new file named `credentials`.
1. Open the credentials `.csv` file that you downloaded from the IAM console, and copy its contents into the `credentials` file using the following format:
```
[default]
aws_access_key_id = your_access_key_id
aws_secret_access_key = your_secret_access_key
```
1. Save the `credentials` file, and delete the `.csv` file that you downloaded in step 3.
Your shared credentials file is now configured on your local computer, and it's ready to be used with the AWS SDKs.
## Sending authenticated requests using the AWS SDKs
Use the AWS SDKs to send authenticated requests. For more information about sending authenticated requests, see [AWS security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html) or [IAM Identity Center Authentication](https://docs.aws.amazon.com//sdkref/latest/guide/access-sso.html).
------
#### [ Java ]
For information about authenticating requests using the AWS SDK for Java, see [Using shared config and credentials files to globally configure AWS SDKs and tools](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html) and [Authentication and access using AWS SDKs and tools](https://docs.aws.amazon.com/sdkref/latest/guide/access.html) in the AWS SDKs and Tools Reference Guide.
------
#### [ .NET ]
To send authenticated requests using your AWS account or IAM user credentials:
+ Create an instance of the `AmazonS3Client` class.
+ Run one of the `AmazonS3Client` methods to send requests to Amazon S3. The client generates the necessary signature from the credentials that you provide and includes it in the request it sends to Amazon S3.
For more information, see [Making requests using AWS account or IAM user credentials ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/AuthUsingAcctOrUserCredentials.html)>.
**Note**
You can create the `AmazonS3Client` client without providing your security credentials. Requests sent using this client are anonymous requests, without a signature. Amazon S3 returns an error if you send anonymous requests for a resource that is not publicly available.
You can create an AWS account and create the required users. You can also manage credentials for those users. You need these credentials to perform the task in the following example. For more information, see [Configure AWS credentials](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/net-dg-config-creds.html) in the *SDK for .NET Developer Guide*.
You can then also configure your application to actively retrieve profiles and credentials, and then explicitly use those credentials when creating an AWS service client. For more information, see [Accessing credentials and profiles in an application](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/creds-locate.html) in the *SDK for .NET Developer Guide*.
The following C\$1 example shows how to perform the preceding tasks. For information about setting up and running the code examples, see [Getting Started with the AWS SDK for .NET](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/net-dg-setup.html) in the *AWS SDK for .NET Developer Guide*.
**Example**
```
using Amazon;
using Amazon.S3;
using Amazon.S3.Model;
using System;
using System.Threading.Tasks;
namespace Amazon.DocSamples.S3
{
class MakeS3RequestTest
{
private const string bucketName = "*** bucket name ***";
// Specify your bucket region (an example region is shown).
private static readonly RegionEndpoint bucketRegion = RegionEndpoint.USWest2;
private static IAmazonS3 client;
public static void Main()
{
using (client = new AmazonS3Client(bucketRegion))
{
Console.WriteLine("Listing objects stored in a bucket");
ListingObjectsAsync().Wait();
}
}
static async Task ListingObjectsAsync()
{
try
{
ListObjectsRequest request = new ListObjectsRequest
{
BucketName = bucketName,
MaxKeys = 2
};
do
{
ListObjectsResponse response = await client.ListObjectsAsync(request);
// Process the response.
foreach (S3Object entry in response.S3Objects)
{
Console.WriteLine("key = {0} size = {1}",
entry.Key, entry.Size);
}
// If the response is truncated, set the marker to get the next
// set of keys.
if (response.IsTruncated)
{
request.Marker = response.NextMarker;
}
else
{
request = null;
}
} while (request != null);
}
catch (AmazonS3Exception e)
{
Console.WriteLine("Error encountered on server. Message:'{0}' when writing an object", e.Message);
}
catch (Exception e)
{
Console.WriteLine("Unknown encountered on server. Message:'{0}' when writing an object", e.Message);
}
}
}
}
```
------
#### [ PHP ]
The following PHP example shows how the client makes a request using your security credentials to list all of the buckets for your account.
**Example**
```
require 'vendor/autoload.php';
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
$bucket = '*** Your Bucket Name ***';
$s3 = new S3Client([
'region' => 'us-east-1',
'version' => 'latest',
]);
// Retrieve the list of buckets.
$result = $s3->listBuckets();
try {
// Retrieve a paginator for listing objects.
$objects = $s3->getPaginator('ListObjects', [
'Bucket' => $bucket
]);
echo "Keys retrieved!" . PHP_EOL;
// Print the list of objects to the page.
foreach ($objects as $object) {
echo $object['Key'] . PHP_EOL;
}
} catch (S3Exception $e) {
echo $e->getMessage() . PHP_EOL;
}
```
**Note**
You can create the `S3Client` client without providing your security credentials. Requests sent using this client are anonymous requests, without a signature. Amazon S3 returns an error if you send anonymous requests for a resource that is not publicly available. For more information, see [Creating Anonymous Clients](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_anonymous.html) in the [AWS SDK for PHP Documentation](http://aws.amazon.com/documentation/sdk-for-php/).
------
#### [ Ruby ]
Before you can use version 3 of the AWS SDK for Ruby to make calls to Amazon S3, you must set the AWS access credentials that the SDK uses to verify your access to your buckets and objects. If you have shared credentials set up in the AWS credentials profile on your local system, version 3 of the SDK for Ruby can use those credentials without your having to declare them in your code. For more information about setting up shared credentials, see [Making requests using AWS account or IAM user credentials ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/AuthUsingAcctOrUserCredentials.html).
The following Ruby code snippet uses the credentials in a shared AWS credentials file on a local computer to authenticate a request to get all of the object key names in a specific bucket. It does the following:
1. Creates an instance of the `Aws::S3::Client` class.
1. Makes a request to Amazon S3 by enumerating objects in a bucket using the `list_objects_v2` method of `Aws::S3::Client`. The client generates the necessary signature value from the credentials in the AWS credentials file on your computer, and includes it in the request it sends to Amazon S3.
1. Prints the array of object key names to the terminal.
**Example**
```
# Prerequisites:
# - An existing Amazon S3 bucket.
require 'aws-sdk-s3'
# @param s3_client [Aws::S3::Client] An initialized Amazon S3 client.
# @param bucket_name [String] The bucket's name.
# @return [Boolean] true if all operations succeed; otherwise, false.
# @example
# s3_client = Aws::S3::Client.new(region: 'us-west-2')
# exit 1 unless list_bucket_objects?(s3_client, 'amzn-s3-demo-bucket')
def list_bucket_objects?(s3_client, bucket_name)
puts "Accessing the bucket named '#{bucket_name}'..."
objects = s3_client.list_objects_v2(
bucket: bucket_name,
max_keys: 50
)
if objects.count.positive?
puts 'The object keys in this bucket are (first 50 objects):'
objects.contents.each do |object|
puts object.key
end
else
puts 'No objects found in this bucket.'
end
true
rescue StandardError => e
puts "Error while accessing the bucket named '#{bucket_name}': #{e.message}"
false
end
# Example usage:
def run_me
region = 'us-west-2'
bucket_name = 'BUCKET_NAME'
s3_client = Aws::S3::Client.new(region: region)
exit 1 unless list_bucket_objects?(s3_client, bucket_name)
end
run_me if $PROGRAM_NAME == __FILE__
```
If you don't have a local AWS credentials file, you can still create the `Aws::S3::Client` resource and run code against Amazon S3 buckets and objects. Requests that are sent using version 3 of the SDK for Ruby are anonymous, with no signature by default. Amazon S3 returns an error if you send anonymous requests for a resource that's not publicly available.
You can use and expand the previous code snippet for SDK for Ruby applications, as in the following more robust example.
```
# Prerequisites:
# - An existing Amazon S3 bucket.
require 'aws-sdk-s3'
# @param s3_client [Aws::S3::Client] An initialized Amazon S3 client.
# @param bucket_name [String] The bucket's name.
# @return [Boolean] true if all operations succeed; otherwise, false.
# @example
# s3_client = Aws::S3::Client.new(region: 'us-west-2')
# exit 1 unless list_bucket_objects?(s3_client, 'amzn-s3-demo-bucket')
def list_bucket_objects?(s3_client, bucket_name)
puts "Accessing the bucket named '#{bucket_name}'..."
objects = s3_client.list_objects_v2(
bucket: bucket_name,
max_keys: 50
)
if objects.count.positive?
puts 'The object keys in this bucket are (first 50 objects):'
objects.contents.each do |object|
puts object.key
end
else
puts 'No objects found in this bucket.'
end
true
rescue StandardError => e
puts "Error while accessing the bucket named '#{bucket_name}': #{e.message}"
false
end
# Example usage:
def run_me
region = 'us-west-2'
bucket_name = 'BUCKET_NAME'
s3_client = Aws::S3::Client.new(region: region)
exit 1 unless list_bucket_objects?(s3_client, bucket_name)
end
run_me if $PROGRAM_NAME == __FILE__
```
------
#### [ Go ]
**Example**
The following example uses AWS credentials automatically loaded by the SDK for Go from the shared credentials file.
```
package main
import (
"context"
"errors"
"fmt"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/smithy-go"
)
// main uses the AWS SDK for Go V2 to create an Amazon Simple Storage Service
// (Amazon S3) client and list up to 10 buckets in your account.
// This example uses the default settings specified in your shared credentials
// and config files.
func main() {
ctx := context.Background()
sdkConfig, err := config.LoadDefaultConfig(ctx)
if err != nil {
fmt.Println("Couldn't load default configuration. Have you set up your AWS account?")
fmt.Println(err)
return
}
s3Client := s3.NewFromConfig(sdkConfig)
count := 10
fmt.Printf("Let's list up to %v buckets for your account.\n", count)
result, err := s3Client.ListBuckets(ctx, &s3.ListBucketsInput{})
if err != nil {
var ae smithy.APIError
if errors.As(err, &ae) && ae.ErrorCode() == "AccessDenied" {
fmt.Println("You don't have permission to list buckets for this account.")
} else {
fmt.Printf("Couldn't list buckets for your account. Here's why: %v\n", err)
}
return
}
if len(result.Buckets) == 0 {
fmt.Println("You don't have any buckets!")
} else {
if count > len(result.Buckets) {
count = len(result.Buckets)
}
for _, bucket := range result.Buckets[:count] {
fmt.Printf("\t%v\n", *bucket.Name)
}
}
}
```
------
# Making requests using IAM user temporary credentials
An AWS account or an IAM user can request temporary security credentials and use them to send authenticated requests to Amazon S3. This section provides examples of how to use the AWS SDK for Java, .NET, and PHP to obtain temporary security credentials and use them to authenticate your requests to Amazon S3.
------
#### [ Java ]
An IAM user or an AWS account can request temporary security credentials (see [Making requests](MakingRequests.md)) using the AWS SDK for Java and use them to access Amazon S3. These credentials expire after the specified session duration.
By default, the session duration is one hour. If you use IAM user credentials, you can specify the duration when requesting the temporary security credentials from 15 minutes to the maximum session duration for the role. For more information about temporary security credentials, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*. For more information about making requests, see [Making requests](MakingRequests.md).
**To get temporary security credentials and access Amazon S3**
1. Create an instance of the `AWSSecurityTokenService` class.
1. Retrieve the temporary security credentials for the desired role by calling the `assumeRole()` method of the Security Token Service (STS) client.
1. Package the temporary security credentials into a `BasicSessionCredentials` object. You use this object to provide the temporary security credentials to your Amazon S3 client.
1. Create an instance of the `AmazonS3Client` class using the temporary security credentials. You send requests to Amazon S3 using this client. If you send requests using expired credentials, Amazon S3 will return an error.
The following example lists a set of object keys in the specified bucket. The example obtains temporary security credentials for a session and uses them to send an authenticated request to Amazon S3.
If you want to test the sample by using IAM user credentials, you must create an IAM user under your AWS account. For more information about how to create an IAM user, see [Creating Your First IAM user and Administrators Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.
For instructions on creating and testing a working sample, see [Getting Started](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/getting-started.html) in the AWS SDK for Java Developer Guide.
```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
public class MakingRequestsWithIAMTempCredentials {
public static void main(String[] args) {
String clientRegion = "*** Client region ***";
String roleARN = "*** ARN for role to be assumed ***";
String roleSessionName = "*** Role session name ***";
String bucketName = "*** Bucket name ***";
try {
// Creating the STS client is part of your trusted code. It has
// the security credentials you use to obtain temporary security credentials.
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new ProfileCredentialsProvider())
.withRegion(clientRegion)
.build();
// Obtain credentials for the IAM role. Note that you cannot assume the role of
// an AWS root account;
// Amazon S3 will deny access. You must use credentials for an IAM user or an
// IAM role.
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
.withRoleArn(roleARN)
.withRoleSessionName(roleSessionName);
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
Credentials sessionCredentials = roleResponse.getCredentials();
// Create a BasicSessionCredentials object that contains the credentials you
// just retrieved.
BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
sessionCredentials.getAccessKeyId(),
sessionCredentials.getSecretAccessKey(),
sessionCredentials.getSessionToken());
// Provide temporary security credentials so that the Amazon S3 client
// can send authenticated requests to Amazon S3. You create the client
// using the sessionCredentials object.
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
.withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
.withRegion(clientRegion)
.build();
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);
System.out.println("No. of Objects: " + objects.getObjectSummaries().size());
} catch (AmazonServiceException e) {
// The call was transmitted successfully, but Amazon S3 couldn't process
// it, so it returned an error response.
e.printStackTrace();
} catch (SdkClientException e) {
// Amazon S3 couldn't be contacted for a response, or the client
// couldn't parse the response from Amazon S3.
e.printStackTrace();
}
}
}
```
------
#### [ .NET ]
An IAM user or an AWS account can request temporary security credentials using the AWS SDK for .NET and use them to access Amazon S3. These credentials expire after the session duration.
By default, the session duration is one hour. If you use IAM user credentials, you can specify the duration when requesting the temporary security credentials from 15 minutes to the maximum session duration for the role. For more information about temporary security credentials, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*. For more information about making requests, see [Making requests](MakingRequests.md).
**To get temporary security credentials and access Amazon S3**
1. Create an instance of the AWS Security Token Service client, `AmazonSecurityTokenServiceClient`.
1. Start a session by calling the `GetSessionToken` method of the STS client you created in the preceding step. You provide session information to this method using a `GetSessionTokenRequest` object.
The method returns your temporary security credentials.
1. Package the temporary security credentials in an instance of the `SessionAWSCredentials` object. You use this object to provide the temporary security credentials to your Amazon S3 client.
1. Create an instance of the `AmazonS3Client` class by passing in the temporary security credentials. You send requests to Amazon S3 using this client. If you send requests using expired credentials, Amazon S3 returns an error.
The following C\$1 example lists object keys in the specified bucket. For illustration, the example obtains temporary security credentials for a default one-hour session and uses them to send authenticated request to Amazon S3.
If you want to test the sample by using IAM user credentials, you must create an IAM user under your AWS account. For more information about how to create an IAM user, see [Creating Your First IAM user and Administrators Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*. For more information about making requests, see [Making requests](MakingRequests.md).
For information about setting up and running the code examples, see [Getting Started with the AWS SDK for .NET](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/net-dg-setup.html) in the *AWS SDK for .NET Developer Guide*.
```
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
namespace Amazon.DocSamples.S3
{
class TempCredExplicitSessionStartTest
{
private const string bucketName = "*** bucket name ***";
// Specify your bucket region (an example region is shown).
private static readonly RegionEndpoint bucketRegion = RegionEndpoint.USWest2;
private static IAmazonS3 s3Client;
public static void Main()
{
ListObjectsAsync().Wait();
}
private static async Task ListObjectsAsync()
{
try
{
// Credentials use the default AWS SDK for .NET credential search chain.
// On local development machines, this is your default profile.
Console.WriteLine("Listing objects stored in a bucket");
SessionAWSCredentials tempCredentials = await GetTemporaryCredentialsAsync();
// Create a client by providing temporary security credentials.
using (s3Client = new AmazonS3Client(tempCredentials, bucketRegion))
{
var listObjectRequest = new ListObjectsRequest
{
BucketName = bucketName
};
// Send request to Amazon S3.
ListObjectsResponse response = await s3Client.ListObjectsAsync(listObjectRequest);
List objects = response.S3Objects;
Console.WriteLine("Object count = {0}", objects.Count);
}
}
catch (AmazonS3Exception s3Exception)
{
Console.WriteLine(s3Exception.Message, s3Exception.InnerException);
}
catch (AmazonSecurityTokenServiceException stsException)
{
Console.WriteLine(stsException.Message, stsException.InnerException);
}
}
private static async Task GetTemporaryCredentialsAsync()
{
using (var stsClient = new AmazonSecurityTokenServiceClient())
{
var getSessionTokenRequest = new GetSessionTokenRequest
{
DurationSeconds = 7200 // seconds
};
GetSessionTokenResponse sessionTokenResponse =
await stsClient.GetSessionTokenAsync(getSessionTokenRequest);
Credentials credentials = sessionTokenResponse.Credentials;
var sessionCredentials =
new SessionAWSCredentials(credentials.AccessKeyId,
credentials.SecretAccessKey,
credentials.SessionToken);
return sessionCredentials;
}
}
}
}
```
------
#### [ PHP ]
For more information about the AWS SDK for Ruby API, go to [AWS SDK for Ruby - Version 2](https://docs.aws.amazon.com/sdkforruby/api/index.html).
An IAM user or an AWS account can request temporary security credentials using version 3 of the AWS SDK for PHP. It can then use the temporary credentials to access Amazon S3. The credentials expire when the session duration expires.
By default, the session duration is one hour. If you use IAM user credentials, you can specify the duration when requesting the temporary security credentials from 15 minutes to the maximum session duration for the role. For more information about temporary security credentials, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*. For more information about making requests, see [Making requests](MakingRequests.md).
**Example**
The following PHP example lists object keys in the specified bucket using temporary security credentials. The example obtains temporary security credentials for a default one-hour session, and uses them to send authenticated request to Amazon S3. For more information about the AWS SDK for Ruby API, go to [AWS SDK for Ruby - Version 2](https://docs.aws.amazon.com/sdkforruby/api/index.html).
If you want to test the example by using IAM user credentials, you must create an IAM user under your AWS account. For information about how to create an IAM user, see [Creating Your First IAM user and Administrators Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*. For examples of setting the session duration when using IAM user credentials to request a session, see [Making requests using IAM user temporary credentials](#AuthUsingTempSessionToken).
```
require 'vendor/autoload.php';
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;
$bucket = '*** Your Bucket Name ***';
$sts = new StsClient([
'version' => 'latest',
'region' => 'us-east-1'
]);
$sessionToken = $sts->getSessionToken();
$s3 = new S3Client([
'region' => 'us-east-1',
'version' => 'latest',
'credentials' => [
'key' => $sessionToken['Credentials']['AccessKeyId'],
'secret' => $sessionToken['Credentials']['SecretAccessKey'],
'token' => $sessionToken['Credentials']['SessionToken']
]
]);
$result = $s3->listBuckets();
try {
// Retrieve a paginator for listing objects.
$objects = $s3->getPaginator('ListObjects', [
'Bucket' => $bucket
]);
echo "Keys retrieved!" . PHP_EOL;
// List objects
foreach ($objects as $object) {
echo $object['Key'] . PHP_EOL;
}
} catch (S3Exception $e) {
echo $e->getMessage() . PHP_EOL;
}
```
------
#### [ Ruby ]
An IAM user or an AWS account can request temporary security credentials using AWS SDK for Ruby and use them to access Amazon S3. These credentials expire after the session duration.
By default, the session duration is one hour. If you use IAM user credentials, you can specify the duration when requesting the temporary security credentials from 15 minutes to the maximum session duration for the role. For more information about temporary security credentials, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*. For more information about making requests, see [Making requests](MakingRequests.md).
The following Ruby example creates a temporary user to list the items in a specified bucket for one hour. To use this example, you must have AWS credentials that have the necessary permissions to create new AWS Security Token Service (AWS STS) clients, and list Amazon S3 buckets.
```
# Prerequisites:
# - A user in AWS Identity and Access Management (IAM). This user must
# be able to assume the following IAM role. You must run this code example
# within the context of this user.
# - An existing role in IAM that allows all of the Amazon S3 actions for all of the
# resources in this code example. This role must also trust the preceding IAM user.
# - An existing S3 bucket.
require 'aws-sdk-core'
require 'aws-sdk-s3'
require 'aws-sdk-iam'
# Checks whether a user exists in IAM.
#
# @param iam [Aws::IAM::Client] An initialized IAM client.
# @param user_name [String] The user's name.
# @return [Boolean] true if the user exists; otherwise, false.
# @example
# iam_client = Aws::IAM::Client.new(region: 'us-west-2')
# exit 1 unless user_exists?(iam_client, 'my-user')
def user_exists?(iam_client, user_name)
response = iam_client.get_user(user_name: user_name)
return true if response.user.user_name
rescue Aws::IAM::Errors::NoSuchEntity
# User doesn't exist.
rescue StandardError => e
puts 'Error while determining whether the user ' \
"'#{user_name}' exists: #{e.message}"
end
# Creates a user in IAM.
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client.
# @param user_name [String] The user's name.
# @return [AWS:IAM::Types::User] The new user.
# @example
# iam_client = Aws::IAM::Client.new(region: 'us-west-2')
# user = create_user(iam_client, 'my-user')
# exit 1 unless user.user_name
def create_user(iam_client, user_name)
response = iam_client.create_user(user_name: user_name)
response.user
rescue StandardError => e
puts "Error while creating the user '#{user_name}': #{e.message}"
end
# Gets a user in IAM.
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client.
# @param user_name [String] The user's name.
# @return [AWS:IAM::Types::User] The existing user.
# @example
# iam_client = Aws::IAM::Client.new(region: 'us-west-2')
# user = get_user(iam_client, 'my-user')
# exit 1 unless user.user_name
def get_user(iam_client, user_name)
response = iam_client.get_user(user_name: user_name)
response.user
rescue StandardError => e
puts "Error while getting the user '#{user_name}': #{e.message}"
end
# Checks whether a role exists in IAM.
#
# @param iam_client [Aws::IAM::Client] An initialized IAM client.
# @param role_name [String] The role's name.
# @return [Boolean] true if the role exists; otherwise, false.
# @example
# iam_client = Aws::IAM::Client.new(region: 'us-west-2')
# exit 1 unless role_exists?(iam_client, 'my-role')
def role_exists?(iam_client, role_name)
response = iam_client.get_role(role_name: role_name)
return true if response.role.role_name
rescue StandardError => e
puts 'Error while determining whether the role ' \
"'#{role_name}' exists: #{e.message}"
end
# Gets credentials for a role in IAM.
#
# @param sts_client [Aws::STS::Client] An initialized AWS STS client.
# @param role_arn [String] The role's Amazon Resource Name (ARN).
# @param role_session_name [String] A name for this role's session.
# @param duration_seconds [Integer] The number of seconds this session is valid.
# @return [AWS::AssumeRoleCredentials] The credentials.
# @example
# sts_client = Aws::STS::Client.new(region: 'us-west-2')
# credentials = get_credentials(
# sts_client,
# 'arn:aws:iam::123456789012:role/AmazonS3ReadOnly',
# 'ReadAmazonS3Bucket',
# 3600
# )
# exit 1 if credentials.nil?
def get_credentials(sts_client, role_arn, role_session_name, duration_seconds)
Aws::AssumeRoleCredentials.new(
client: sts_client,
role_arn: role_arn,
role_session_name: role_session_name,
duration_seconds: duration_seconds
)
rescue StandardError => e
puts "Error while getting credentials: #{e.message}"
end
# Checks whether a bucket exists in Amazon S3.
#
# @param s3_client [Aws::S3::Client] An initialized Amazon S3 client.
# @param bucket_name [String] The name of the bucket.
# @return [Boolean] true if the bucket exists; otherwise, false.
# @example
# s3_client = Aws::S3::Client.new(region: 'us-west-2')
# exit 1 unless bucket_exists?(s3_client, 'amzn-s3-demo-bucket')
def bucket_exists?(s3_client, bucket_name)
response = s3_client.list_buckets
response.buckets.each do |bucket|
return true if bucket.name == bucket_name
end
rescue StandardError => e
puts "Error while checking whether the bucket '#{bucket_name}' " \
"exists: #{e.message}"
end
# Lists the keys and ETags for the objects in an Amazon S3 bucket.
#
# @param s3_client [Aws::S3::Client] An initialized Amazon S3 client.
# @param bucket_name [String] The bucket's name.
# @return [Boolean] true if the objects were listed; otherwise, false.
# @example
# s3_client = Aws::S3::Client.new(region: 'us-west-2')
# exit 1 unless list_objects_in_bucket?(s3_client, 'amzn-s3-demo-bucket')
def list_objects_in_bucket?(s3_client, bucket_name)
puts "Accessing the contents of the bucket named '#{bucket_name}'..."
response = s3_client.list_objects_v2(
bucket: bucket_name,
max_keys: 50
)
if response.count.positive?
puts "Contents of the bucket named '#{bucket_name}' (first 50 objects):"
puts 'Name => ETag'
response.contents.each do |obj|
puts "#{obj.key} => #{obj.etag}"
end
else
puts "No objects in the bucket named '#{bucket_name}'."
end
true
rescue StandardError => e
puts "Error while accessing the bucket named '#{bucket_name}': #{e.message}"
end
```
------
# Making requests using federated user temporary credentials
You can request temporary security credentials and provide them to your federated users or applications who need to access your AWS resources. This section provides examples of how you can use the AWS SDK to obtain temporary security credentials for your federated users or applications and send authenticated requests to Amazon S3 using those credentials. For a list of available AWS SDKs, see [Sample Code and Libraries](https://aws.amazon.com/code/).
**Note**
Both the AWS account and an IAM user can request temporary security credentials for federated users. However, for added security, only an IAM user with the necessary permissions should request these temporary credentials to ensure that the federated user gets at most the permissions of the requesting IAM user. In some applications, you might find it suitable to create an IAM user with specific permissions for the sole purpose of granting temporary security credentials to your federated users and applications.
------
#### [ Java ]
You can provide temporary security credentials for your federated users and applications so that they can send authenticated requests to access your AWS resources. When requesting these temporary credentials, you must provide a user name and an IAM policy that describes the resource permissions that you want to grant. By default, the session duration is one hour. You can explicitly set a different duration value when requesting the temporary security credentials for federated users and applications.
**Note**
For added security when requesting temporary security credentials for federated users and applications, we recommend that you use a dedicated IAM user with only the necessary access permissions. The temporary user you create can never get more permissions than the IAM user who requested the temporary security credentials. For more information, see [AWS Identity and Access Management FAQs ](https://aws.amazon.com/iam/faqs/#What_are_the_best_practices_for_using_temporary_security_credentials).
To provide security credentials and send authenticated request to access resources, do the following:
+ Create an instance of the `AWSSecurityTokenServiceClient` class.
+ Start a session by calling the `getFederationToken()` method of the Security Token Service (STS) client. Provide session information, including the user name and an IAM policy, that you want to attach to the temporary credentials. You can provide an optional session duration. This method returns your temporary security credentials.
+ Package the temporary security credentials in an instance of the `BasicSessionCredentials` object. You use this object to provide the temporary security credentials to your Amazon S3 client.
+ Create an instance of the `AmazonS3Client` class using the temporary security credentials. You send requests to Amazon S3 using this client. If you send requests using expired credentials, Amazon S3 returns an error.
**Example**
The example lists keys in the specified S3 bucket. In the example, you obtain temporary security credentials for a two-hour session for your federated user and use the credentials to send authenticated requests to Amazon S3. To run the example, you need to create an IAM user with an attached policy that allows the user to request temporary security credentials and list your AWS resources. The following policy accomplishes this:
```
1. {
2. "Statement":[{
3. "Action":["s3:ListBucket",
4. "sts:GetFederationToken*"
5. ],
6. "Effect":"Allow",
7. "Resource":"*"
8. }
9. ]
10. }
```
For more information about how to create an IAM user, see [Creating Your First IAM user and Administrators Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.
After creating an IAM user and attaching the preceding policy, you can run the following example. For instructions on creating and testing a working sample, see [Getting Started](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/getting-started.html) in the AWS SDK for Java Developer Guide.
```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.Statement.Effect;
import com.amazonaws.auth.policy.actions.S3Actions;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;
import java.io.IOException;
public class MakingRequestsWithFederatedTempCredentials {
public static void main(String[] args) throws IOException {
Regions clientRegion = Regions.DEFAULT_REGION;
String bucketName = "*** Specify bucket name ***";
String federatedUser = "*** Federated user name ***";
String resourceARN = "arn:aws:s3:::" + bucketName;
try {
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder
.standard()
.withCredentials(new ProfileCredentialsProvider())
.withRegion(clientRegion)
.build();
GetFederationTokenRequest getFederationTokenRequest = new GetFederationTokenRequest();
getFederationTokenRequest.setDurationSeconds(7200);
getFederationTokenRequest.setName(federatedUser);
// Define the policy and add it to the request.
Policy policy = new Policy();
policy.withStatements(new Statement(Effect.Allow)
.withActions(S3Actions.ListObjects)
.withResources(new Resource(resourceARN)));
getFederationTokenRequest.setPolicy(policy.toJson());
// Get the temporary security credentials.
GetFederationTokenResult federationTokenResult = stsClient.getFederationToken(getFederationTokenRequest);
Credentials sessionCredentials = federationTokenResult.getCredentials();
// Package the session credentials as a BasicSessionCredentials
// object for an Amazon S3 client object to use.
BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(
sessionCredentials.getAccessKeyId(),
sessionCredentials.getSecretAccessKey(),
sessionCredentials.getSessionToken());
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
.withCredentials(new AWSStaticCredentialsProvider(basicSessionCredentials))
.withRegion(clientRegion)
.build();
// To verify that the client works, send a listObjects request using
// the temporary security credentials.
ObjectListing objects = s3Client.listObjects(bucketName);
System.out.println("No. of Objects = " + objects.getObjectSummaries().size());
} catch (AmazonServiceException e) {
// The call was transmitted successfully, but Amazon S3 couldn't process
// it, so it returned an error response.
e.printStackTrace();
} catch (SdkClientException e) {
// Amazon S3 couldn't be contacted for a response, or the client
// couldn't parse the response from Amazon S3.
e.printStackTrace();
}
}
}
```
------
#### [ .NET ]
You can provide temporary security credentials for your federated users and applications so that they can send authenticated requests to access your AWS resources. When requesting these temporary credentials, you must provide a user name and an IAM policy that describes the resource permissions that you want to grant. By default, the duration of a session is one hour. You can explicitly set a different duration value when requesting the temporary security credentials for federated users and applications. For information about sending authenticated requests, see [Making requests](MakingRequests.md).
**Note**
When requesting temporary security credentials for federated users and applications, for added security, we suggest that you use a dedicated IAM user with only the necessary access permissions. The temporary user you create can never get more permissions than the IAM user who requested the temporary security credentials. For more information, see [AWS Identity and Access Management FAQs ](https://aws.amazon.com/iam/faqs/#What_are_the_best_practices_for_using_temporary_security_credentials).
You do the following:
+ Create an instance of the AWS Security Token Service client, `AmazonSecurityTokenServiceClient` class.
+ Start a session by calling the `GetFederationToken` method of the STS client. You need to provide session information, including the user name and an IAM policy that you want to attach to the temporary credentials. Optionally, you can provide a session duration. This method returns your temporary security credentials.
+ Package the temporary security credentials in an instance of the `SessionAWSCredentials` object. You use this object to provide the temporary security credentials to your Amazon S3 client.
+ Create an instance of the `AmazonS3Client` class by passing the temporary security credentials. You use this client to send requests to Amazon S3. If you send requests using expired credentials, Amazon S3 returns an error.
**Example**
The following C\$1 example lists the keys in the specified bucket. In the example, you obtain temporary security credentials for a two-hour session for your federated user (User1), and use the credentials to send authenticated requests to Amazon S3.
+ For this exercise, you create an IAM user with minimal permissions. Using the credentials of this IAM user, you request temporary credentials for others. This example lists only the objects in a specific bucket. Create an IAM user with the following policy attached:
```
1. {
2. "Statement":[{
3. "Action":["s3:ListBucket",
4. "sts:GetFederationToken*"
5. ],
6. "Effect":"Allow",
7. "Resource":"*"
8. }
9. ]
10. }
```
The policy allows the IAM user to request temporary security credentials and access permission only to list your AWS resources. For more information about how to create an IAM user, see [Creating Your IAM user User and Administrators Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.
+ Use the IAM user security credentials to test the following example. The example sends authenticated request to Amazon S3 using temporary security credentials. The example specifies the following policy when requesting temporary security credentials for the federated user (User1), which restricts access to listing objects in a specific bucket (`YourBucketName`). You must update the policy and provide your own existing bucket name.
```
1. {
2. "Statement":[
3. {
4. "Sid":"1",
5. "Action":["s3:ListBucket"],
6. "Effect":"Allow",
7. "Resource":"arn:aws:s3:::YourBucketName"
8. }
9. ]
10. }
```
+
**Example**
Update the following sample and provide the bucket name that you specified in the preceding federated user access policy. For information about setting up and running the code examples, see [Getting Started with the AWS SDK for .NET](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/net-dg-setup.html) in the *AWS SDK for .NET Developer Guide*.
```
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
namespace Amazon.DocSamples.S3
{
class TempFederatedCredentialsTest
{
private const string bucketName = "*** bucket name ***";
// Specify your bucket region (an example region is shown).
private static readonly RegionEndpoint bucketRegion = RegionEndpoint.USWest2;
private static IAmazonS3 client;
public static void Main()
{
ListObjectsAsync().Wait();
}
private static async Task ListObjectsAsync()
{
try
{
Console.WriteLine("Listing objects stored in a bucket");
// Credentials use the default AWS SDK for .NET credential search chain.
// On local development machines, this is your default profile.
SessionAWSCredentials tempCredentials =
await GetTemporaryFederatedCredentialsAsync();
// Create a client by providing temporary security credentials.
using (client = new AmazonS3Client(bucketRegion))
{
ListObjectsRequest listObjectRequest = new ListObjectsRequest();
listObjectRequest.BucketName = bucketName;
ListObjectsResponse response = await client.ListObjectsAsync(listObjectRequest);
List objects = response.S3Objects;
Console.WriteLine("Object count = {0}", objects.Count);
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
}
catch (AmazonS3Exception e)
{
Console.WriteLine("Error encountered ***. Message:'{0}' when writing an object", e.Message);
}
catch (Exception e)
{
Console.WriteLine("Unknown encountered on server. Message:'{0}' when writing an object", e.Message);
}
}
private static async Task GetTemporaryFederatedCredentialsAsync()
{
AmazonSecurityTokenServiceConfig config = new AmazonSecurityTokenServiceConfig();
AmazonSecurityTokenServiceClient stsClient =
new AmazonSecurityTokenServiceClient(
config);
GetFederationTokenRequest federationTokenRequest =
new GetFederationTokenRequest();
federationTokenRequest.DurationSeconds = 7200;
federationTokenRequest.Name = "User1";
federationTokenRequest.Policy = @"{
""Statement"":
[
{
""Sid"":""Stmt1311212314284"",
""Action"":[""s3:ListBucket""],
""Effect"":""Allow"",
""Resource"":""arn:aws:s3:::" + bucketName + @"""
}
]
}
";
GetFederationTokenResponse federationTokenResponse =
await stsClient.GetFederationTokenAsync(federationTokenRequest);
Credentials credentials = federationTokenResponse.Credentials;
SessionAWSCredentials sessionCredentials =
new SessionAWSCredentials(credentials.AccessKeyId,
credentials.SecretAccessKey,
credentials.SessionToken);
return sessionCredentials;
}
}
}
```
------
#### [ PHP ]
This topic explains how to use classes from version 3 of the AWS SDK for PHP to request temporary security credentials for federated users and applications and use them to access resources stored in Amazon S3. For more information about the AWS SDK for Ruby API, go to [AWS SDK for Ruby - Version 2](https://docs.aws.amazon.com/sdkforruby/api/index.html).
You can provide temporary security credentials to your federated users and applications so they can send authenticated requests to access your AWS resources. When requesting these temporary credentials, you must provide a user name and an IAM policy that describes the resource permissions that you want to grant. These credentials expire when the session duration expires. By default, the session duration is one hour. You can explicitly set a different value for the duration when requesting the temporary security credentials for federated users and applications. For more information about temporary security credentials, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*. For information about providing temporary security credentials to your federated users and applications, see [Making requests](MakingRequests.md).
For added security when requesting temporary security credentials for federated users and applications, we recommend using a dedicated IAM user with only the necessary access permissions. The temporary user you create can never get more permissions than the IAM user who requested the temporary security credentials. For information about identity federation, see [AWS Identity and Access Management FAQs](https://aws.amazon.com/iam/faqs/#What_are_the_best_practices_for_using_temporary_security_credentials).
For more information about the AWS SDK for Ruby API, go to [AWS SDK for Ruby - Version 2](https://docs.aws.amazon.com/sdkforruby/api/index.html).
**Example**
The following PHP example lists keys in the specified bucket. In the example, you obtain temporary security credentials for an hour session for your federated user (User1). Then you use the temporary security credentials to send authenticated requests to Amazon S3.
For added security when requesting temporary credentials for others, you use the security credentials of an IAM user who has permissions to request temporary security credentials. To ensure that the IAM user grants only the minimum application-specific permissions to the federated user, you can also limit the access permissions of this IAM user. This example lists only objects in a specific bucket. Create an IAM user with the following policy attached:
```
1. {
2. "Statement":[{
3. "Action":["s3:ListBucket",
4. "sts:GetFederationToken*"
5. ],
6. "Effect":"Allow",
7. "Resource":"*"
8. }
9. ]
10. }
```
The policy allows the IAM user to request temporary security credentials and access permission only to list your AWS resources. For more information about how to create an IAM user, see [Creating Your First IAM user and Administrators Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.
You can now use the IAM user security credentials to test the following example. The example sends an authenticated request to Amazon S3 using temporary security credentials. When requesting temporary security credentials for the federated user (User1), the example specifies the following policy, which restricts access to list objects in a specific bucket. Update the policy with your bucket name.
```
1. {
2. "Statement":[
3. {
4. "Sid":"1",
5. "Action":["s3:ListBucket"],
6. "Effect":"Allow",
7. "Resource":"arn:aws:s3:::YourBucketName"
8. }
9. ]
10. }
```
In the following example, when specifying the policy resource, replace `YourBucketName` with the name of your bucket.:
```
require 'vendor/autoload.php';
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;
$bucket = '*** Your Bucket Name ***';
// In real applications, the following code is part of your trusted code. It has
// the security credentials that you use to obtain temporary security credentials.
$sts = new StsClient([
'version' => 'latest',
'region' => 'us-east-1'
]);
// Fetch the federated credentials.
$sessionToken = $sts->getFederationToken([
'Name' => 'User1',
'DurationSeconds' => '3600',
'Policy' => json_encode([
'Statement' => [
'Sid' => 'randomstatementid' . time(),
'Action' => ['s3:ListBucket'],
'Effect' => 'Allow',
'Resource' => 'arn:aws:s3:::' . $bucket
]
])
]);
// The following will be part of your less trusted code. You provide temporary
// security credentials so the code can send authenticated requests to Amazon S3.
$s3 = new S3Client([
'region' => 'us-east-1',
'version' => 'latest',
'credentials' => [
'key' => $sessionToken['Credentials']['AccessKeyId'],
'secret' => $sessionToken['Credentials']['SecretAccessKey'],
'token' => $sessionToken['Credentials']['SessionToken']
]
]);
try {
$result = $s3->listObjects([
'Bucket' => $bucket
]);
} catch (S3Exception $e) {
echo $e->getMessage() . PHP_EOL;
}
```
------
#### [ Ruby ]
You can provide temporary security credentials for your federated users and applications so that they can send authenticated requests to access your AWS resources. When requesting temporary credentials from the IAM service, you must provide a user name and an IAM policy that describes the resource permissions that you want to grant. By default, the session duration is one hour. However, if you are requesting temporary credentials using IAM user credentials, you can explicitly set a different duration value when requesting the temporary security credentials for federated users and applications. For information about temporary security credentials for your federated users and applications, see [Making requests](MakingRequests.md).
**Note**
For added security when you request temporary security credentials for federated users and applications, you might want to use a dedicated IAM user with only the necessary access permissions. The temporary user you create can never get more permissions than the IAM user who requested the temporary security credentials. For more information, see [AWS Identity and Access Management FAQs ](https://aws.amazon.com/iam/faqs/#What_are_the_best_practices_for_using_temporary_security_credentials).
**Example**
The following Ruby code example allows a federated user with a limited set of permissions to lists keys in the specified bucket.
```
# Prerequisites:
# - An existing Amazon S3 bucket.
require 'aws-sdk-s3'
require 'aws-sdk-iam'
require 'json'
# Checks to see whether a user exists in IAM; otherwise,
# creates the user.
#
# @param iam [Aws::IAM::Client] An initialized IAM client.
# @param user_name [String] The user's name.
# @return [Aws::IAM::Types::User] The existing or new user.
# @example
# iam = Aws::IAM::Client.new(region: 'us-west-2')
# user = get_user(iam, 'my-user')
# exit 1 unless user.user_name
# puts "User's name: #{user.user_name}"
def get_user(iam, user_name)
puts "Checking for a user with the name '#{user_name}'..."
response = iam.get_user(user_name: user_name)
puts "A user with the name '#{user_name}' already exists."
response.user
# If the user doesn't exist, create them.
rescue Aws::IAM::Errors::NoSuchEntity
puts "A user with the name '#{user_name}' doesn't exist. Creating this user..."
response = iam.create_user(user_name: user_name)
iam.wait_until(:user_exists, user_name: user_name)
puts "Created user with the name '#{user_name}'."
response.user
rescue StandardError => e
puts "Error while accessing or creating the user named '#{user_name}': #{e.message}"
end
# Gets temporary AWS credentials for an IAM user with the specified permissions.
#
# @param sts [Aws::STS::Client] An initialized AWS STS client.
# @param duration_seconds [Integer] The number of seconds for valid credentials.
# @param user_name [String] The user's name.
# @param policy [Hash] The access policy.
# @return [Aws::STS::Types::Credentials] AWS credentials for API authentication.
# @example
# sts = Aws::STS::Client.new(region: 'us-west-2')
# credentials = get_temporary_credentials(sts, duration_seconds, user_name,
# {
# 'Version' => '2012-10-17',
# 'Statement' => [
# 'Sid' => 'Stmt1',
# 'Effect' => 'Allow',
# 'Action' => 's3:ListBucket',
# 'Resource' => 'arn:aws:s3:::amzn-s3-demo-bucket'
# ]
# }
# )
# exit 1 unless credentials.access_key_id
# puts "Access key ID: #{credentials.access_key_id}"
def get_temporary_credentials(sts, duration_seconds, user_name, policy)
response = sts.get_federation_token(
duration_seconds: duration_seconds,
name: user_name,
policy: policy.to_json
)
response.credentials
rescue StandardError => e
puts "Error while getting federation token: #{e.message}"
end
# Lists the keys and ETags for the objects in an Amazon S3 bucket.
#
# @param s3_client [Aws::S3::Client] An initialized Amazon S3 client.
# @param bucket_name [String] The bucket's name.
# @return [Boolean] true if the objects were listed; otherwise, false.
# @example
# s3_client = Aws::S3::Client.new(region: 'us-west-2')
# exit 1 unless list_objects_in_bucket?(s3_client, 'amzn-s3-demo-bucket')
def list_objects_in_bucket?(s3_client, bucket_name)
puts "Accessing the contents of the bucket named '#{bucket_name}'..."
response = s3_client.list_objects_v2(
bucket: bucket_name,
max_keys: 50
)
if response.count.positive?
puts "Contents of the bucket named '#{bucket_name}' (first 50 objects):"
puts 'Name => ETag'
response.contents.each do |obj|
puts "#{obj.key} => #{obj.etag}"
end
else
puts "No objects in the bucket named '#{bucket_name}'."
end
true
rescue StandardError => e
puts "Error while accessing the bucket named '#{bucket_name}': #{e.message}"
end
# Example usage:
def run_me
region = "us-west-2"
user_name = "my-user"
bucket_name = "amzn-s3-demo-bucket"
iam = Aws::IAM::Client.new(region: region)
user = get_user(iam, user_name)
exit 1 unless user.user_name
puts "User's name: #{user.user_name}"
sts = Aws::STS::Client.new(region: region)
credentials = get_temporary_credentials(sts, 3600, user_name,
{
'Version' => '2012-10-17',
'Statement' => [
'Sid' => 'Stmt1',
'Effect' => 'Allow',
'Action' => 's3:ListBucket',
'Resource' => "arn:aws:s3:::#{bucket_name}"
]
})
exit 1 unless credentials.access_key_id
puts "Access key ID: #{credentials.access_key_id}"
s3_client = Aws::S3::Client.new(region: region, credentials: credentials)
exit 1 unless list_objects_in_bucket?(s3_client, bucket_name)
end
run_me if $PROGRAM_NAME == __FILE__
```
------