Working with IAM policies with AWS SDK for PHP Version 3
You grant permissions to a user by creating a policy. A policy is a document that lists the actions that a user can perform and the resources those actions can affect. By default, any actions or resources that are not explicitly allowed are denied. Policies can be created and attached to users, groups of users, roles assumed by users, and resources.
The following examples show how to:
-
Create a managed policy using CreatePolicy.
-
Attach a policy to a role using AttachRolePolicy.
-
Attach a policy to a user using AttachUserPolicy.
-
Attach a policy to a group using AttachGroupPolicy.
-
Remove a role policy using DetachRolePolicy.
-
Remove a user policy using DetachUserPolicy.
-
Remove a group policy using DetachGroupPolicy.
-
Delete a managed policy using DeletePolicy.
-
Delete a role policy using DeleteRolePolicy.
-
Delete a user policy using DeleteUserPolicy.
-
Delete a group policy using DeleteGroupPolicy.
All the example code for the AWS SDK for PHP is available here on
GitHub
Credentials
Before running the example code, configure your AWS credentials, as described in Credentials. Then import the AWS SDK for PHP, as described in Basic usage.
Create a policy
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $myManagedPolicy = '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "RESOURCE_ARN" }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": "RESOURCE_ARN" } ] }'; try { $result = $client->createPolicy(array( // PolicyName is required 'PolicyName' => 'myDynamoDBPolicy', // PolicyDocument is required 'PolicyDocument' => $myManagedPolicy )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Attach a policy to a role
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $roleName = 'ROLE_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedRolePolicies = $client->getIterator('ListAttachedRolePolicies', ([ 'RoleName' => $roleName, ])); if (count($attachedRolePolicies) > 0) { foreach ($attachedRolePolicies as $attachedRolePolicy) { if ($attachedRolePolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachRolePolicy(array( // RoleName is required 'RoleName' => $roleName, // PolicyArn is required 'PolicyArn' => $policyArn )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Attach a policy to a user
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $userName = 'USER_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedUserPolicies = $client->getIterator('ListAttachedUserPolicies', ([ 'UserName' => $userName, ])); if (count($attachedUserPolicies) > 0) { foreach ($attachedUserPolicies as $attachedUserPolicy) { if ($attachedUserPolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachUserPolicy(array( // UserName is required 'UserName' => $userName, // PolicyArn is required 'PolicyArn' => $policyArn, )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Attach a policy to a group
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->attachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Detach a user policy
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Detach a group policy
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachGroupPolicy([ // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Delete a policy
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deletePolicy(array( // PolicyArn is required 'PolicyArn' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Delete a role policy
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteRolePolicy([ // RoleName is required 'RoleName' => 'string', // PolicyName is required 'PolicyName' => 'string' ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Delete a user policy
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyName is required 'PolicyName' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
Delete a group policy
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
Sample Code
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
