The AWS SDK for Java 1.x has entered maintenance mode as of July 31, 2024, and will reach end-of-support
Working with IAM Policies
Creating a Policy
To create a new policy, provide the policy's name and a JSON-formatted policy document in a CreatePolicyRequest to the AmazonIdentityManagementClient's createPolicy method.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.CreatePolicyRequest;
import com.amazonaws.services.identitymanagement.model.CreatePolicyResult;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

CreatePolicyRequest request = new CreatePolicyRequest()
    .withPolicyName(policy_name)
    .withPolicyDocument(POLICY_DOCUMENT);

CreatePolicyResult response = iam.createPolicy(request);
IAM policy documents are JSON strings with a well-documented syntax. Here is an example that allows creating a CloudWatch Logs log group and making particular item-level requests to DynamoDB. The "%s" and "RESOURCE_ARN" values are placeholders: substitute the ARN of the log group and of the table before calling createPolicy, because IAM rejects a Resource value that is neither a valid ARN nor "*". Scoping each statement to one resource ARN, as this document does, rather than "*", is what keeps the policy at least privilege.

public static final String POLICY_DOCUMENT =
    "{" +
    "  \"Version\": \"2012-10-17\"," +
    "  \"Statement\": [" +
    "    {" +
    "      \"Effect\": \"Allow\"," +
    "      \"Action\": \"logs:CreateLogGroup\"," +
    "      \"Resource\": \"%s\"" +
    "    }," +
    "    {" +
    "      \"Effect\": \"Allow\"," +
    "      \"Action\": [" +
    "        \"dynamodb:DeleteItem\"," +
    "        \"dynamodb:GetItem\"," +
    "        \"dynamodb:PutItem\"," +
    "        \"dynamodb:Scan\"," +
    "        \"dynamodb:UpdateItem\"" +
    "      ]," +
    "      \"Resource\": \"RESOURCE_ARN\"" +
    "    }" +
    "  ]" +
    "}";
See the complete example
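The following is an added example, not code from the AWS SDK documentation: it builds the same document with concrete ARNs in place of the placeholders, asks IAM to simulate the document with SimulateCustomPolicy so that the grant can be checked against both an intended action and two actions that must stay denied, and only then calls createPolicy. The account ID, region, table and log-group ARNs and the policy name are hypothetical; replace them with your own. Running it requires credentials that hold iam:SimulateCustomPolicy and iam:CreatePolicy.

```java
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.CreatePolicyRequest;
import com.amazonaws.services.identitymanagement.model.CreatePolicyResult;
import com.amazonaws.services.identitymanagement.model.EvaluationResult;
import com.amazonaws.services.identitymanagement.model.MalformedPolicyDocumentException;
import com.amazonaws.services.identitymanagement.model.SimulateCustomPolicyRequest;
import com.amazonaws.services.identitymanagement.model.SimulatePolicyResponse;

public class CreateScopedPolicy {

    // Hypothetical ARNs for this example; substitute your own account, region, table and log group.
    static final String TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders";
    static final String LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/app/orders:*";

    // Same statements as POLICY_DOCUMENT above, with real ARNs instead of "%s" / "RESOURCE_ARN".
    static String policyDocument(String logGroupArn, String tableArn) {
        return "{"
            + "\"Version\": \"2012-10-17\","
            + "\"Statement\": ["
            + "  {\"Effect\": \"Allow\", \"Action\": \"logs:CreateLogGroup\","
            + "   \"Resource\": \"" + logGroupArn + "\"},"
            + "  {\"Effect\": \"Allow\","
            + "   \"Action\": [\"dynamodb:DeleteItem\", \"dynamodb:GetItem\", \"dynamodb:PutItem\","
            + "               \"dynamodb:Scan\", \"dynamodb:UpdateItem\"],"
            + "   \"Resource\": \"" + tableArn + "\"}"
            + "]}";
    }

    // Ask IAM to evaluate the document for one action on one resource; true only on an "allowed" decision.
    // Anything else (implicitDeny, explicitDeny) counts as denied.
    static boolean allows(AmazonIdentityManagement iam, String document, String action, String resourceArn) {
        SimulateCustomPolicyRequest sim = new SimulateCustomPolicyRequest()
            .withPolicyInputList(document)
            .withActionNames(action)
            .withResourceArns(resourceArn);
        SimulatePolicyResponse response = iam.simulateCustomPolicy(sim);
        for (EvaluationResult r : response.getEvaluationResults()) {
            if (action.equals(r.getEvalActionName()) && "allowed".equals(r.getEvalDecision())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();
        String document = policyDocument(LOG_GROUP_ARN, TABLE_ARN);

        // Positive check: the intended item-level action on the intended table is allowed.
        if (!allows(iam, document, "dynamodb:GetItem", TABLE_ARN)) {
            throw new IllegalStateException("policy does not grant the access it is meant to");
        }
        // Negative checks: a table-level destructive action, and the same action on another table, stay denied.
        String otherTable = "arn:aws:dynamodb:us-east-1:123456789012:table/Customers"; // hypothetical
        if (allows(iam, document, "dynamodb:DeleteTable", TABLE_ARN)
                || allows(iam, document, "dynamodb:GetItem", otherTable)) {
            throw new IllegalStateException("policy is broader than intended");
        }

        try {
            CreatePolicyResult created = iam.createPolicy(new CreatePolicyRequest()
                .withPolicyName("OrdersTableAccess")   // hypothetical policy name
                .withPolicyDocument(document));
            System.out.println("Created " + created.getPolicy().getArn());
        } catch (MalformedPolicyDocumentException e) {
            // IAM raises this for invalid JSON or a Resource that is not an ARN; nothing is created.
            System.err.println("IAM rejected the document: " + e.getMessage());
        }
    }
}
```

SimulateCustomPolicy evaluates only the documents you pass in, so the result reflects the policy in isolation, independent of the caller's own permissions. Running the negative checks before createPolicy catches a document that was accidentally widened to "*" before it exists in the account.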
Getting a Policy
To retrieve an existing policy, call the AmazonIdentityManagementClient's getPolicy method, providing the policy's ARN within a GetPolicyRequest object.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.GetPolicyRequest;
import com.amazonaws.services.identitymanagement.model.GetPolicyResult;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

GetPolicyRequest request = new GetPolicyRequest()
    .withPolicyArn(policy_arn);

GetPolicyResult response = iam.getPolicy(request);
See the complete example
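GetPolicy returns the policy's metadata (ARN, default version ID, attachment count) but not the document itself; the JSON is returned by GetPolicyVersion and arrives URL-encoded. The following added example, which is not part of the original page, fetches the default version's document and flags Allow statements that combine a wildcard Action with Resource "*". The policy ARN is hypothetical. It uses the Jackson ObjectMapper that the SDK 1.x core module already depends on; if your build excludes it, add jackson-databind.

```java
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.GetPolicyRequest;
import com.amazonaws.services.identitymanagement.model.GetPolicyVersionRequest;
import com.amazonaws.services.identitymanagement.model.Policy;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class InspectPolicyDocument {

    // Fetch the JSON of the policy's default version. GetPolicy gives only metadata;
    // the document lives on the version and is URL-encoded in the response.
    static String fetchDefaultDocument(AmazonIdentityManagement iam, String policyArn) throws IOException {
        Policy meta = iam.getPolicy(new GetPolicyRequest().withPolicyArn(policyArn)).getPolicy();
        String encoded = iam.getPolicyVersion(new GetPolicyVersionRequest()
                .withPolicyArn(policyArn)
                .withVersionId(meta.getDefaultVersionId()))
            .getPolicyVersion()
            .getDocument();
        return URLDecoder.decode(encoded, "UTF-8");
    }

    // True if an Action value is "*" or a service-wide wildcard such as "s3:*".
    // Action may be a single string or an array of strings.
    static boolean actionIsWildcard(JsonNode action) {
        if (action == null) return false;
        if (action.isTextual()) {
            String v = action.asText();
            return v.equals("*") || v.endsWith(":*");
        }
        for (JsonNode child : action) {
            if (actionIsWildcard(child)) return true;
        }
        return false;
    }

    // True if Resource is "*" or an array containing "*".
    static boolean resourceIsStar(JsonNode resource) {
        if (resource == null) return false;
        if (resource.isTextual()) return resource.asText().equals("*");
        for (JsonNode child : resource) {
            if (child.isTextual() && child.asText().equals("*")) return true;
        }
        return false;
    }

    // Return a one-line description of each Allow statement that pairs a wildcard Action with Resource "*".
    // A Condition block may narrow such a statement; it is still reported so a reviewer can read it.
    static List<String> findOverlyBroadStatements(String document) throws IOException {
        JsonNode statements = new ObjectMapper().readTree(document).get("Statement");
        List<String> findings = new ArrayList<>();
        if (statements == null) return findings;
        // "Statement" may be a single object or an array; iterate both the same way.
        Iterable<JsonNode> items;
        if (statements.isArray()) {
            items = statements;
        } else {
            items = Collections.singletonList(statements);
        }
        int index = 0;
        for (JsonNode stmt : items) {
            boolean allow = "Allow".equals(stmt.path("Effect").asText());
            if (allow && actionIsWildcard(stmt.get("Action")) && resourceIsStar(stmt.get("Resource"))) {
                String sid = stmt.has("Sid") ? stmt.get("Sid").asText() : "statement " + index;
                String condition = stmt.has("Condition") ? " (has Condition, review it)" : "";
                findings.add(sid + ": Action " + stmt.get("Action") + " on Resource \"*\"" + condition);
            }
            index++;
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();
        String policyArn = "arn:aws:iam::123456789012:policy/OrdersTableAccess"; // hypothetical
        String document = fetchDefaultDocument(iam, policyArn);
        List<String> findings = findOverlyBroadStatements(document);
        if (findings.isEmpty()) {
            System.out.println("No wildcard Allow statements in " + policyArn);
        }
        for (String f : findings) {
            System.out.println("Overly broad: " + f);
        }
    }
}
```

The check deliberately matches only the Allow/wildcard/"*" combination, which is the pattern that turns a policy into an account-wide grant; NotAction and NotResource statements need their own review and are not handled here.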
Attaching a Role Policy
You can attach a policy to an IAM role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) by calling the AmazonIdentityManagementClient's attachRolePolicy method, providing it with the role name and policy ARN in an AttachRolePolicyRequest.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.AttachRolePolicyRequest;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

AttachRolePolicyRequest attach_request = new AttachRolePolicyRequest()
    .withRoleName(role_name)
    .withPolicyArn(POLICY_ARN);

iam.attachRolePolicy(attach_request);
See the complete example
Listing Attached Role Policies
List the managed policies attached to a role by calling the AmazonIdentityManagementClient's listAttachedRolePolicies method. It takes a ListAttachedRolePoliciesRequest object that contains the name of the role to list the policies for. Note that this call returns only attached managed policies; inline policies embedded in the role are listed separately by listRolePolicies, so an audit of what a role can do needs both.

Call getAttachedPolicies on the returned ListAttachedRolePoliciesResult object to get the list of attached policies. Results may be truncated: if the ListAttachedRolePoliciesResult object's getIsTruncated method returns true, pass the value of its getMarker method to the ListAttachedRolePoliciesRequest object's setMarker method and call listAttachedRolePolicies again to get the next batch of results. Stop when getIsTruncated returns false.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.AttachedPolicy;
import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesRequest;
import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesResult;
import java.util.ArrayList;
import java.util.List;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest()
    .withRoleName(role_name);

// Every managed policy attached to the role, across all pages of results.
List<AttachedPolicy> attached_policies = new ArrayList<>();

boolean done = false;
while (!done) {
    ListAttachedRolePoliciesResult response = iam.listAttachedRolePolicies(request);
    attached_policies.addAll(response.getAttachedPolicies());

    if (!response.getIsTruncated()) {
        done = true;
    } else {
        // Continue from where this page ended.
        request.setMarker(response.getMarker());
    }
}
See the complete example
Detaching a Role Policy
To detach a policy from a role, call the AmazonIdentityManagementClient's detachRolePolicy method, providing it with the role name and policy ARN in a DetachRolePolicyRequest.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.DetachRolePolicyRequest;
import com.amazonaws.services.identitymanagement.model.DetachRolePolicyResult;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

DetachRolePolicyRequest request = new DetachRolePolicyRequest()
    .withRoleName(role_name)
    .withPolicyArn(policy_arn);

DetachRolePolicyResult response = iam.detachRolePolicy(request);
See the complete example
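The listing and detaching sections above are the two halves of a common remediation: walk every page of a role's attached managed policies and detach the ones that should never be on an application role. The following added example, not part of the original page, does exactly that with a dry-run default so nothing is detached until you pass --apply. The role name is hypothetical; the two denylisted ARNs are the real AWS-managed AdministratorAccess and IAMFullAccess policies.

```java
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.AttachedPolicy;
import com.amazonaws.services.identitymanagement.model.DetachRolePolicyRequest;
import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesRequest;
import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesResult;
import com.amazonaws.services.identitymanagement.model.NoSuchEntityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AuditRolePolicies {

    // AWS-managed policies that grant far more than an application role should hold.
    static final Set<String> DENYLIST = new HashSet<>(Arrays.asList(
        "arn:aws:iam::aws:policy/AdministratorAccess",
        "arn:aws:iam::aws:policy/IAMFullAccess"));

    // Collect every managed policy attached to the role, following Marker until IsTruncated is false.
    static List<AttachedPolicy> listAllAttachedPolicies(AmazonIdentityManagement iam, String roleName) {
        List<AttachedPolicy> all = new ArrayList<>();
        ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest().withRoleName(roleName);
        ListAttachedRolePoliciesResult response;
        do {
            response = iam.listAttachedRolePolicies(request);
            all.addAll(response.getAttachedPolicies());
            request.setMarker(response.getMarker());
        } while (Boolean.TRUE.equals(response.getIsTruncated())); // getIsTruncated may be null; treat as false
        return all;
    }

    // Detach each denylisted policy (or only report it when dryRun is true); returns the ARNs affected.
    static List<String> detachDenylisted(AmazonIdentityManagement iam, String roleName, boolean dryRun) {
        List<String> affected = new ArrayList<>();
        for (AttachedPolicy p : listAllAttachedPolicies(iam, roleName)) {
            if (!DENYLIST.contains(p.getPolicyArn())) {
                continue;
            }
            if (!dryRun) {
                iam.detachRolePolicy(new DetachRolePolicyRequest()
                    .withRoleName(roleName)
                    .withPolicyArn(p.getPolicyArn()));
            }
            affected.add(p.getPolicyArn());
        }
        return affected;
    }

    public static void main(String[] args) {
        final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();
        String roleName = args.length > 0 ? args[0] : "orders-service"; // hypothetical role name
        boolean dryRun = args.length < 2 || !"--apply".equals(args[1]);
        try {
            List<String> affected = detachDenylisted(iam, roleName, dryRun);
            for (String arn : affected) {
                System.out.println((dryRun ? "would detach " : "detached ") + arn + " from " + roleName);
            }
            if (affected.isEmpty()) {
                System.out.println("no denylisted policies attached to " + roleName);
            }
        } catch (NoSuchEntityException e) {
            // Raised by ListAttachedRolePolicies and DetachRolePolicy when the role does not exist.
            System.err.println("role " + roleName + " not found: " + e.getMessage());
        }
    }
}
```

The marker is copied from each result into the next request before the truncation test, so the loop never re-issues the first page. Because ListAttachedRolePolicies covers managed policies only, an inline policy with the same permissions would not be found here; pair this with ListRolePolicies and GetRolePolicy for a full picture of the role.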
More Information
- Overview of IAM Policies in the IAM User Guide.
- AWS IAM Policy Reference in the IAM User Guide.
- CreatePolicy in the IAM API Reference
- GetPolicy in the IAM API Reference
- AttachRolePolicy in the IAM API Reference
- ListAttachedRolePolicies in the IAM API Reference
- DetachRolePolicy in the IAM API Reference