AWS Doc SDK ExamplesWord
기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
an AWS SDK를 사용하여 IAM Policy Builder API 작업
다음 코드 예시는 다음과 같은 작업을 수행하는 방법을 보여줍니다.
객체 지향 IAM를 사용하여 API 정책을 생성합니다.
IAM 서비스와 함께 API 정책 빌더 IAM를 사용합니다.
- Java
-
- Java 2.x용 SDK
-
참고
더 많은 on GitHub가 있습니다. AWS 코드 예시 리포지토리
에서 전체 예시를 찾고 설정 및 실행하는 방법을 배워보세요. 예제에서는 다음 가져오기를 사용합니다.
import org.slf4j.Logger; import org.slf4j.LoggerFactory; import software.amazon.awssdk.policybuilder.iam.IamConditionOperator; import software.amazon.awssdk.policybuilder.iam.IamEffect; import software.amazon.awssdk.policybuilder.iam.IamPolicy; import software.amazon.awssdk.policybuilder.iam.IamPolicyWriter; import software.amazon.awssdk.policybuilder.iam.IamPrincipal; import software.amazon.awssdk.policybuilder.iam.IamPrincipalType; import software.amazon.awssdk.policybuilder.iam.IamResource; import software.amazon.awssdk.policybuilder.iam.IamStatement; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.GetPolicyResponse; import software.amazon.awssdk.services.iam.model.GetPolicyVersionResponse; import software.amazon.awssdk.services.sts.StsClient; import java.net.URLDecoder; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.List;시간 기반 정책을 생성합니다.
public String timeBasedPolicyExample() { IamPolicy policy = IamPolicy.builder() .addStatement(b -> b .effect(IamEffect.ALLOW) .addAction("dynamodb:GetItem") .addResource(IamResource.ALL) .addCondition(b1 -> b1 .operator(IamConditionOperator.DATE_GREATER_THAN) .key("aws:CurrentTime") .value("2020-04-01T00:00:00Z")) .addCondition(b1 -> b1 .operator(IamConditionOperator.DATE_LESS_THAN) .key("aws:CurrentTime") .value("2020-06-30T23:59:59Z"))) .build(); // Use an IamPolicyWriter to write out the JSON string to a more readable // format. return policy.toJson(IamPolicyWriter.builder() .prettyPrint(true) .build()); }여러 조건이 포함된 정책을 생성합니다.
public String multipleConditionsExample() { IamPolicy policy = IamPolicy.builder() .addStatement(b -> b .effect(IamEffect.ALLOW) .addAction("dynamodb:GetItem") .addAction("dynamodb:BatchGetItem") .addAction("dynamodb:Query") .addAction("dynamodb:PutItem") .addAction("dynamodb:UpdateItem") .addAction("dynamodb:DeleteItem") .addAction("dynamodb:BatchWriteItem") .addResource("arn:aws:dynamodb:*:*:table/table-name") .addConditions(IamConditionOperator.STRING_EQUALS .addPrefix("ForAllValues:"), "dynamodb:Attributes", List.of("column-name1", "column-name2", "column-name3")) .addCondition(b1 -> b1 .operator(IamConditionOperator.STRING_EQUALS .addSuffix("IfExists")) .key("dynamodb:Select") .value("SPECIFIC_ATTRIBUTES"))) .build(); return policy.toJson(IamPolicyWriter.builder() .prettyPrint(true).build()); }정책에 보안 주체를 사용합니다.
public String specifyPrincipalsExample() { IamPolicy policy = IamPolicy.builder() .addStatement(b -> b .effect(IamEffect.DENY) .addAction("s3:*") .addPrincipal(IamPrincipal.ALL) .addResource("arn:aws:s3:::BUCKETNAME/*") .addResource("arn:aws:s3:::BUCKETNAME") .addCondition(b1 -> b1 .operator(IamConditionOperator.ARN_NOT_EQUALS) .key("aws:PrincipalArn") .value("arn:aws:iam::444455556666:user/user-name"))) .build(); return policy.toJson(IamPolicyWriter.builder() .prettyPrint(true).build()); }교차 계정 액세스를 허용합니다.
public String allowCrossAccountAccessExample() { IamPolicy policy = IamPolicy.builder() .addStatement(b -> b .effect(IamEffect.ALLOW) .addPrincipal(IamPrincipalType.AWS, "111122223333") .addAction("s3:PutObject") .addResource("arn:aws:s3:::amzn-s3-demo-bucket/*") .addCondition(b1 -> b1 .operator(IamConditionOperator.STRING_EQUALS) .key("s3:x-amz-acl") .value("bucket-owner-full-control"))) .build(); return policy.toJson(IamPolicyWriter.builder() .prettyPrint(true).build()); }IamPolicy를 빌드하고 업로드합니다.public String createAndUploadPolicyExample(IamClient iam, String accountID, String policyName) { // Build the policy. IamPolicy policy = IamPolicy.builder() // 'version' defaults to "2012-10-17". .addStatement(IamStatement.builder() .effect(IamEffect.ALLOW) .addAction("dynamodb:PutItem") .addResource("arn:aws:dynamodb:us-east-1:" + accountID + ":table/exampleTableName") .build()) .build(); // Upload the policy. iam.createPolicy(r -> r.policyName(policyName).policyDocument(policy.toJson())); return policy.toJson(IamPolicyWriter.builder().prettyPrint(true).build()); }IamPolicy를 다운로드하고 사용합니다.public String createNewBasedOnExistingPolicyExample(IamClient iam, String accountID, String policyName, String newPolicyName) { String policyArn = "arn:aws:iam::" + accountID + ":policy/" + policyName; GetPolicyResponse getPolicyResponse = iam.getPolicy(r -> r.policyArn(policyArn)); String policyVersion = getPolicyResponse.policy().defaultVersionId(); GetPolicyVersionResponse getPolicyVersionResponse = iam .getPolicyVersion(r -> r.policyArn(policyArn).versionId(policyVersion)); // Create an IamPolicy instance from the JSON string returned from IAM. String decodedPolicy = URLDecoder.decode(getPolicyVersionResponse.policyVersion().document(), StandardCharsets.UTF_8); IamPolicy policy = IamPolicy.fromJson(decodedPolicy); /* * All IamPolicy components are immutable, so use the copy method that creates a * new instance that * can be altered in the same method call. * * Add the ability to get an item from DynamoDB as an additional action. */ IamStatement newStatement = policy.statements().get(0).copy(s -> s.addAction("dynamodb:GetItem")); // Create a new statement that replaces the original statement. IamPolicy newPolicy = policy.copy(p -> p.statements(Arrays.asList(newStatement))); // Upload the new policy. IAM now has both policies. iam.createPolicy(r -> r.policyName(newPolicyName) .policyDocument(newPolicy.toJson())); return newPolicy.toJson(IamPolicyWriter.builder().prettyPrint(true).build()); }-
자세한 정보는 AWS SDK for Java 2.x 개발자 안내서를 참조하십시오.
-
API 세부 정보는 AWS SDK for Java 2.x API 참조의 다음 주제를 참조하세요.
-
정책 버전 롤백
AWS IoT