文档 AWS SDK 示例 GitHub 存储库中还有更多 [S AWS DK 示例](https://github.com/awsdocs/aws-doc-sdk-examples)。本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。 # IAM 使用的基本示例 AWS SDKs 以下代码示例说明如何使用 with 的基础 AWS Identity and Access Management 知识 AWS SDKs。 **Contents** + [开始使用 IAM](iam_example_iam_Hello_section.md) + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [操作](iam_code_examples_actions.md) + [`AddClientIdToOpenIdConnectProvider`](iam_example_iam_AddClientIdToOpenIdConnectProvider_section.md) + [`AddRoleToInstanceProfile`](iam_example_iam_AddRoleToInstanceProfile_section.md) + [`AddUserToGroup`](iam_example_iam_AddUserToGroup_section.md) + [`AttachGroupPolicy`](iam_example_iam_AttachGroupPolicy_section.md) + [`AttachRolePolicy`](iam_example_iam_AttachRolePolicy_section.md) + [`AttachUserPolicy`](iam_example_iam_AttachUserPolicy_section.md) + [`ChangePassword`](iam_example_iam_ChangePassword_section.md) + [`CreateAccessKey`](iam_example_iam_CreateAccessKey_section.md) + [`CreateAccountAlias`](iam_example_iam_CreateAccountAlias_section.md) + [`CreateGroup`](iam_example_iam_CreateGroup_section.md) + [`CreateInstanceProfile`](iam_example_iam_CreateInstanceProfile_section.md) + [`CreateLoginProfile`](iam_example_iam_CreateLoginProfile_section.md) + [`CreateOpenIdConnectProvider`](iam_example_iam_CreateOpenIdConnectProvider_section.md) + [`CreatePolicy`](iam_example_iam_CreatePolicy_section.md) + [`CreatePolicyVersion`](iam_example_iam_CreatePolicyVersion_section.md) + [`CreateRole`](iam_example_iam_CreateRole_section.md) + [`CreateSAMLProvider`](iam_example_iam_CreateSAMLProvider_section.md) + [`CreateServiceLinkedRole`](iam_example_iam_CreateServiceLinkedRole_section.md) + [`CreateUser`](iam_example_iam_CreateUser_section.md) + [`CreateVirtualMfaDevice`](iam_example_iam_CreateVirtualMfaDevice_section.md) + [`DeactivateMfaDevice`](iam_example_iam_DeactivateMfaDevice_section.md) + [`DeleteAccessKey`](iam_example_iam_DeleteAccessKey_section.md) + [`DeleteAccountAlias`](iam_example_iam_DeleteAccountAlias_section.md) + [`DeleteAccountPasswordPolicy`](iam_example_iam_DeleteAccountPasswordPolicy_section.md) + [`DeleteGroup`](iam_example_iam_DeleteGroup_section.md) + [`DeleteGroupPolicy`](iam_example_iam_DeleteGroupPolicy_section.md) + [`DeleteInstanceProfile`](iam_example_iam_DeleteInstanceProfile_section.md) + [`DeleteLoginProfile`](iam_example_iam_DeleteLoginProfile_section.md) + [`DeleteOpenIdConnectProvider`](iam_example_iam_DeleteOpenIdConnectProvider_section.md) + [`DeletePolicy`](iam_example_iam_DeletePolicy_section.md) + [`DeletePolicyVersion`](iam_example_iam_DeletePolicyVersion_section.md) + [`DeleteRole`](iam_example_iam_DeleteRole_section.md) + [`DeleteRolePermissionsBoundary`](iam_example_iam_DeleteRolePermissionsBoundary_section.md) + [`DeleteRolePolicy`](iam_example_iam_DeleteRolePolicy_section.md) + [`DeleteSAMLProvider`](iam_example_iam_DeleteSAMLProvider_section.md) + [`DeleteServerCertificate`](iam_example_iam_DeleteServerCertificate_section.md) + [`DeleteServiceLinkedRole`](iam_example_iam_DeleteServiceLinkedRole_section.md) + [`DeleteSigningCertificate`](iam_example_iam_DeleteSigningCertificate_section.md) + [`DeleteUser`](iam_example_iam_DeleteUser_section.md) + [`DeleteUserPermissionsBoundary`](iam_example_iam_DeleteUserPermissionsBoundary_section.md) + [`DeleteUserPolicy`](iam_example_iam_DeleteUserPolicy_section.md) + [`DeleteVirtualMfaDevice`](iam_example_iam_DeleteVirtualMfaDevice_section.md) + [`DetachGroupPolicy`](iam_example_iam_DetachGroupPolicy_section.md) + [`DetachRolePolicy`](iam_example_iam_DetachRolePolicy_section.md) + [`DetachUserPolicy`](iam_example_iam_DetachUserPolicy_section.md) + [`EnableMfaDevice`](iam_example_iam_EnableMfaDevice_section.md) + [`GenerateCredentialReport`](iam_example_iam_GenerateCredentialReport_section.md) + [`GenerateServiceLastAccessedDetails`](iam_example_iam_GenerateServiceLastAccessedDetails_section.md) + [`GetAccessKeyLastUsed`](iam_example_iam_GetAccessKeyLastUsed_section.md) + [`GetAccountAuthorizationDetails`](iam_example_iam_GetAccountAuthorizationDetails_section.md) + [`GetAccountPasswordPolicy`](iam_example_iam_GetAccountPasswordPolicy_section.md) + [`GetAccountSummary`](iam_example_iam_GetAccountSummary_section.md) + [`GetContextKeysForCustomPolicy`](iam_example_iam_GetContextKeysForCustomPolicy_section.md) + [`GetContextKeysForPrincipalPolicy`](iam_example_iam_GetContextKeysForPrincipalPolicy_section.md) + [`GetCredentialReport`](iam_example_iam_GetCredentialReport_section.md) + [`GetGroup`](iam_example_iam_GetGroup_section.md) + [`GetGroupPolicy`](iam_example_iam_GetGroupPolicy_section.md) + [`GetInstanceProfile`](iam_example_iam_GetInstanceProfile_section.md) + [`GetLoginProfile`](iam_example_iam_GetLoginProfile_section.md) + [`GetOpenIdConnectProvider`](iam_example_iam_GetOpenIdConnectProvider_section.md) + [`GetPolicy`](iam_example_iam_GetPolicy_section.md) + [`GetPolicyVersion`](iam_example_iam_GetPolicyVersion_section.md) + [`GetRole`](iam_example_iam_GetRole_section.md) + [`GetRolePolicy`](iam_example_iam_GetRolePolicy_section.md) + [`GetSamlProvider`](iam_example_iam_GetSamlProvider_section.md) + [`GetServerCertificate`](iam_example_iam_GetServerCertificate_section.md) + [`GetServiceLastAccessedDetails`](iam_example_iam_GetServiceLastAccessedDetails_section.md) + [`GetServiceLastAccessedDetailsWithEntities`](iam_example_iam_GetServiceLastAccessedDetailsWithEntities_section.md) + [`GetServiceLinkedRoleDeletionStatus`](iam_example_iam_GetServiceLinkedRoleDeletionStatus_section.md) + [`GetUser`](iam_example_iam_GetUser_section.md) + [`GetUserPolicy`](iam_example_iam_GetUserPolicy_section.md) + [`ListAccessKeys`](iam_example_iam_ListAccessKeys_section.md) + [`ListAccountAliases`](iam_example_iam_ListAccountAliases_section.md) + [`ListAttachedGroupPolicies`](iam_example_iam_ListAttachedGroupPolicies_section.md) + [`ListAttachedRolePolicies`](iam_example_iam_ListAttachedRolePolicies_section.md) + [`ListAttachedUserPolicies`](iam_example_iam_ListAttachedUserPolicies_section.md) + [`ListEntitiesForPolicy`](iam_example_iam_ListEntitiesForPolicy_section.md) + [`ListGroupPolicies`](iam_example_iam_ListGroupPolicies_section.md) + [`ListGroups`](iam_example_iam_ListGroups_section.md) + [`ListGroupsForUser`](iam_example_iam_ListGroupsForUser_section.md) + [`ListInstanceProfiles`](iam_example_iam_ListInstanceProfiles_section.md) + [`ListInstanceProfilesForRole`](iam_example_iam_ListInstanceProfilesForRole_section.md) + [`ListMfaDevices`](iam_example_iam_ListMfaDevices_section.md) + [`ListOpenIdConnectProviders`](iam_example_iam_ListOpenIdConnectProviders_section.md) + [`ListPolicies`](iam_example_iam_ListPolicies_section.md) + [`ListPolicyVersions`](iam_example_iam_ListPolicyVersions_section.md) + [`ListRolePolicies`](iam_example_iam_ListRolePolicies_section.md) + [`ListRoleTags`](iam_example_iam_ListRoleTags_section.md) + [`ListRoles`](iam_example_iam_ListRoles_section.md) + [`ListSAMLProviders`](iam_example_iam_ListSAMLProviders_section.md) + [`ListServerCertificates`](iam_example_iam_ListServerCertificates_section.md) + [`ListSigningCertificates`](iam_example_iam_ListSigningCertificates_section.md) + [`ListUserPolicies`](iam_example_iam_ListUserPolicies_section.md) + [`ListUserTags`](iam_example_iam_ListUserTags_section.md) + [`ListUsers`](iam_example_iam_ListUsers_section.md) + [`ListVirtualMfaDevices`](iam_example_iam_ListVirtualMfaDevices_section.md) + [`PutGroupPolicy`](iam_example_iam_PutGroupPolicy_section.md) + [`PutRolePermissionsBoundary`](iam_example_iam_PutRolePermissionsBoundary_section.md) + [`PutRolePolicy`](iam_example_iam_PutRolePolicy_section.md) + [`PutUserPermissionsBoundary`](iam_example_iam_PutUserPermissionsBoundary_section.md) + [`PutUserPolicy`](iam_example_iam_PutUserPolicy_section.md) + [`RemoveClientIdFromOpenIdConnectProvider`](iam_example_iam_RemoveClientIdFromOpenIdConnectProvider_section.md) + [`RemoveRoleFromInstanceProfile`](iam_example_iam_RemoveRoleFromInstanceProfile_section.md) + [`RemoveUserFromGroup`](iam_example_iam_RemoveUserFromGroup_section.md) + [`ResyncMfaDevice`](iam_example_iam_ResyncMfaDevice_section.md) + [`SetDefaultPolicyVersion`](iam_example_iam_SetDefaultPolicyVersion_section.md) + [`TagRole`](iam_example_iam_TagRole_section.md) + [`TagUser`](iam_example_iam_TagUser_section.md) + [`UntagRole`](iam_example_iam_UntagRole_section.md) + [`UntagUser`](iam_example_iam_UntagUser_section.md) + [`UpdateAccessKey`](iam_example_iam_UpdateAccessKey_section.md) + [`UpdateAccountPasswordPolicy`](iam_example_iam_UpdateAccountPasswordPolicy_section.md) + [`UpdateAssumeRolePolicy`](iam_example_iam_UpdateAssumeRolePolicy_section.md) + [`UpdateGroup`](iam_example_iam_UpdateGroup_section.md) + [`UpdateLoginProfile`](iam_example_iam_UpdateLoginProfile_section.md) + [`UpdateOpenIdConnectProviderThumbprint`](iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md) + [`UpdateRole`](iam_example_iam_UpdateRole_section.md) + [`UpdateRoleDescription`](iam_example_iam_UpdateRoleDescription_section.md) + [`UpdateSamlProvider`](iam_example_iam_UpdateSamlProvider_section.md) + [`UpdateServerCertificate`](iam_example_iam_UpdateServerCertificate_section.md) + [`UpdateSigningCertificate`](iam_example_iam_UpdateSigningCertificate_section.md) + [`UpdateUser`](iam_example_iam_UpdateUser_section.md) + [`UploadServerCertificate`](iam_example_iam_UploadServerCertificate_section.md) + [`UploadSigningCertificate`](iam_example_iam_UploadSigningCertificate_section.md) # 开始使用 IAM 以下代码示例展示了如何开始使用 IAM。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` namespace IAMActions; public class HelloIAM { static async Task Main(string[] args) { // Getting started with AWS Identity and Access Management (IAM). List // the policies for the account. var iamClient = new AmazonIdentityManagementServiceClient(); var listPoliciesPaginator = iamClient.Paginators.ListPolicies(new ListPoliciesRequest()); var policies = new List(); await foreach (var response in listPoliciesPaginator.Responses) { policies.AddRange(response.Policies); } Console.WriteLine("Here are the policies defined for your account:\n"); policies.ForEach(policy => { Console.WriteLine($"Created: {policy.CreateDate}\t{policy.PolicyName}\t{policy.Description}"); }); } } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam/hello_iam#code-examples)中查找完整示例，了解如何进行设置和运行。 CMakeLists.txt CMake 文件的代码。 ``` # Set the minimum required version of CMake for this project. cmake_minimum_required(VERSION 3.13) # Set the AWS service components used by this project. set(SERVICE_COMPONENTS iam) # Set this project's name. project("hello_iam") # Set the C++ standard to use to build this target. # At least C++ 11 is required for the AWS SDK for C++. set(CMAKE_CXX_STANDARD 11) # Use the MSVC variable to determine if this is a Windows build. set(WINDOWS_BUILD ${MSVC}) if (WINDOWS_BUILD) # Set the location where CMake can find the installed libraries for the AWS SDK. string(REPLACE ";" "/aws-cpp-sdk-all;" SYSTEM_MODULE_PATH "${CMAKE_SYSTEM_PREFIX_PATH}/aws-cpp-sdk-all") list(APPEND CMAKE_PREFIX_PATH ${SYSTEM_MODULE_PATH}) endif () # Find the AWS SDK for C++ package. find_package(AWSSDK REQUIRED COMPONENTS ${SERVICE_COMPONENTS}) if (WINDOWS_BUILD AND AWSSDK_INSTALL_AS_SHARED_LIBS) # Copy relevant AWS SDK for C++ libraries into the current binary directory for running and debugging. # set(BIN_SUB_DIR "/Debug") # if you are building from the command line you may need to uncomment this # and set the proper subdirectory to the executables' location. AWSSDK_CPY_DYN_LIBS(SERVICE_COMPONENTS "" ${CMAKE_CURRENT_BINARY_DIR}${BIN_SUB_DIR}) endif () add_executable(${PROJECT_NAME} hello_iam.cpp) target_link_libraries(${PROJECT_NAME} ${AWSSDK_LINK_LIBRARIES}) ``` iam.cpp 源文件的代码。 ``` #include #include #include #include #include /* * A "Hello IAM" starter application which initializes an AWS Identity and Access Management (IAM) client * and lists the IAM policies. * * main function * * Usage: 'hello_iam' * */ int main(int argc, char **argv) { Aws::SDKOptions options; // Optionally change the log level for debugging. // options.loggingOptions.logLevel = Utils::Logging::LogLevel::Debug; Aws::InitAPI(options); // Should only be called once. int result = 0; { const Aws::String DATE_FORMAT("%Y-%m-%d"); Aws::Client::ClientConfiguration clientConfig; // Optional: Set to the AWS Region (overrides config file). // clientConfig.region = "us-east-1"; Aws::IAM::IAMClient iamClient(clientConfig); Aws::IAM::Model::ListPoliciesRequest request; bool done = false; bool header = false; while (!done) { auto outcome = iamClient.ListPolicies(request); if (!outcome.IsSuccess()) { std::cerr << "Failed to list iam policies: " << outcome.GetError().GetMessage() << std::endl; result = 1; break; } if (!header) { std::cout << std::left << std::setw(55) << "Name" << std::setw(30) << "ID" << std::setw(80) << "Arn" << std::setw(64) << "Description" << std::setw(12) << "CreateDate" << std::endl; header = true; } const auto &policies = outcome.GetResult().GetPolicies(); for (const auto &policy: policies) { std::cout << std::left << std::setw(55) << policy.GetPolicyName() << std::setw(30) << policy.GetPolicyId() << std::setw(80) << policy.GetArn() << std::setw(64) << policy.GetDescription() << std::setw(12) << policy.GetCreateDate().ToGmtString(DATE_FORMAT.c_str()) << std::endl; } if (outcome.GetResult().GetIsTruncated()) { request.SetMarker(outcome.GetResult().GetMarker()); } else { done = true; } } } Aws::ShutdownAPI(options); // Should only be called once. return result; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` package main import ( "context" "fmt" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/iam" ) // main uses the AWS SDK for Go (v2) to create an AWS Identity and Access Management (IAM) // client and list up to 10 policies in your account. // This example uses the default settings specified in your shared credentials // and config files. func main() { ctx := context.Background() sdkConfig, err := config.LoadDefaultConfig(ctx) if err != nil { fmt.Println("Couldn't load default configuration. Have you set up your AWS account?") fmt.Println(err) return } iamClient := iam.NewFromConfig(sdkConfig) const maxPols = 10 fmt.Printf("Let's list up to %v policies for your account.\n", maxPols) result, err := iamClient.ListPolicies(ctx, &iam.ListPoliciesInput{ MaxItems: aws.Int32(maxPols), }) if err != nil { fmt.Printf("Couldn't list policies for your account. Here's why: %v\n", err) return } if len(result.Policies) == 0 { fmt.Println("You don't have any policies!") } else { for _, policy := range result.Policies { fmt.Printf("\t%v\n", *policy.PolicyName) } } } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListPolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListPolicies)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.ListPoliciesResponse; import software.amazon.awssdk.services.iam.model.Policy; import java.util.List; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloIAM { public static void main(String[] args) { Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); listPolicies(iam); } public static void listPolicies(IamClient iam) { ListPoliciesResponse response = iam.listPolicies(); List polList = response.policies(); polList.forEach(policy -> { System.out.println("Policy Name: " + policy.policyName()); }); } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[ListPolicies](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { IAMClient, paginateListPolicies } from "@aws-sdk/client-iam"; const client = new IAMClient({}); export const listLocalPolicies = async () => { /** * In v3, the clients expose paginateOperationName APIs that are written using async generators so that you can use async iterators in a for await..of loop. * https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators */ const paginator = paginateListPolicies( { client, pageSize: 10 }, // List only customer managed policies. { Scope: "Local" }, ); console.log("IAM policies defined in your account:"); let policyCount = 0; for await (const page of paginator) { if (page.Policies) { for (const policy of page.Policies) { console.log(`${policy.PolicyName}`); policyCount++; } } } console.log(`Found ${policyCount} policies.`); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListPoliciesCommand)*中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import boto3 def main(): """ Lists the managed policies in your AWS account using the AWS SDK for Python (Boto3). """ iam = boto3.client("iam") try: # Get a paginator for the list_policies operation paginator = iam.get_paginator("list_policies") # Iterate through the pages of results for page in paginator.paginate(Scope="All", OnlyAttached=False): for policy in page["Policies"]: print(f"Policy name: {policy['PolicyName']}") print(f" Policy ARN: {policy['Arn']}") except boto3.exceptions.BotoCoreError as e: print(f"Encountered an error while listing policies: {e}") if __name__ == "__main__": main() ``` + 有关 API 的详细信息，请参阅适用[ListPolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListPolicies)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` require 'aws-sdk-iam' require 'logger' # IAMManager is a class responsible for managing IAM operations # such as listing all IAM policies in the current AWS account. class IAMManager def initialize(client) @client = client @logger = Logger.new($stdout) end # Lists and prints all IAM policies in the current AWS account. def list_policies @logger.info('Here are the IAM policies in your account:') paginator = @client.list_policies policies = [] paginator.each_page do |page| policies.concat(page.policies) end if policies.empty? @logger.info("You don't have any IAM policies.") else policies.each do |policy| @logger.info("- #{policy.policy_name}") end end end end if $PROGRAM_NAME == __FILE__ iam_client = Aws::IAM::Client.new manager = IAMManager.new(iam_client) manager.list_policies end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。来自 src/bin/hello .rs. ``` use aws_sdk_iam::error::SdkError; use aws_sdk_iam::operation::list_policies::ListPoliciesError; use clap::Parser; const PATH_PREFIX_HELP: &str = "The path prefix for filtering the results."; #[derive(Debug, clap::Parser)] #[command(about)] struct HelloScenarioArgs { #[arg(long, default_value="/", help=PATH_PREFIX_HELP)] pub path_prefix: String, } #[tokio::main] async fn main() -> Result<(), SdkError> { let sdk_config = aws_config::load_from_env().await; let client = aws_sdk_iam::Client::new(&sdk_config); let args = HelloScenarioArgs::parse(); iam_service::list_policies(client, args.path_prefix).await?; Ok(()) } ``` 来自 src/ .r iam-service-lib s. ``` pub async fn list_policies( client: iamClient, path_prefix: String, ) -> Result, SdkError> { let list_policies = client .list_policies() .path_prefix(path_prefix) .scope(PolicyScopeType::Local) .into_paginator() .items() .send() .try_collect() .await?; let policy_names = list_policies .into_iter() .map(|p| { let name = p .policy_name .unwrap_or_else(|| "Missing Policy Name".to_string()); println!("{}", name); name }) .collect(); Ok(policy_names) } ``` + 有关 API 的详细信息，请参阅适用[ListPolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_policies)于 *Rust 的AWS SDK API 参考*。 ------ # 通过 AWS 软件开发工具包学习 IAM 的基础知识以下代码示例演示了如何创建用户并代入角色。 **警告** 为了避免安全风险，在开发专用软件或处理真实数据时，请勿使用 IAM 用户进行身份验证。而是使用与身份提供者的联合身份验证，例如 [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)。 + 创建没有权限的用户。 + 创建授予列出账户的 Amazon S3 存储桶的权限的角色 + 添加策略以允许用户代入该角色。 + 代入角色并使用临时凭证列出 S3 存储桶，然后清除资源。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples) 中查找完整示例，了解如何进行设置和运行。 ``` global using Amazon.IdentityManagement; global using Amazon.S3; global using Amazon.SecurityToken; global using IAMActions; global using IamScenariosCommon; global using Microsoft.Extensions.DependencyInjection; global using Microsoft.Extensions.Hosting; global using Microsoft.Extensions.Logging; global using Microsoft.Extensions.Logging.Console; global using Microsoft.Extensions.Logging.Debug; namespace IAMActions; public class IAMWrapper { private readonly IAmazonIdentityManagementService _IAMService; ///

/// Constructor for the IAMWrapper class. ///

/// An IAM client object. public IAMWrapper(IAmazonIdentityManagementService IAMService) { _IAMService = IAMService; } ///

/// Attach an IAM policy to a role. ///

/// Create an IAM access key for a user. ///

/// Create an IAM policy. ///

/// Create a new IAM role. ///

/// Create an IAM service-linked role. ///

/// Create an IAM user. ///

/// Delete an IAM user's access key. ///

/// Delete an IAM policy. ///

/// Delete an IAM role. ///

/// Delete an IAM role policy. ///

/// Delete an IAM user. ///

/// Delete an IAM user policy. ///

/// Detach an IAM policy from an IAM role. ///

/// Gets the IAM password policy for an AWS account. ///

/// Get information about an IAM policy. ///

/// Get information about an IAM role. ///

/// Get information about an IAM user. ///

/// List the IAM role policies that are attached to an IAM role. ///

/// List IAM groups. ///

/// List IAM policies. ///

/// List IAM role policies. ///

/// List IAM roles. ///

/// List SAML authentication providers. ///

/// List IAM users. ///

/// Update the inline policy document embedded in a role. ///

/// Add or update an inline policy document that is embedded in an IAM user. ///

/// The name of the IAM user. /// The name of the IAM policy. /// The policy document defining the IAM policy. /// A Boolean value indicating the success of the action. public async Task PutUserPolicyAsync(string userName, string policyName, string policyDocument) { var request = new PutUserPolicyRequest { UserName = userName, PolicyName = policyName, PolicyDocument = policyDocument }; var response = await _IAMService.PutUserPolicyAsync(request); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ///

/// Wait for a new access key to be ready to use. ///

/// The Id of the access key. /// A boolean value indicating the success of the action. public async Task WaitUntilAccessKeyIsReady(string accessKeyId) { var keyReady = false; do { try { var response = await _IAMService.GetAccessKeyLastUsedAsync( new GetAccessKeyLastUsedRequest { AccessKeyId = accessKeyId }); if (response.UserName is not null) { keyReady = true; } } catch (NoSuchEntityException) { keyReady = false; } } while (!keyReady); return keyReady; } } using Microsoft.Extensions.Configuration; namespace IAMBasics; public class IAMBasics { private static ILogger logger = null!; static async Task Main(string[] args) { // Set up dependency injection for the AWS service. using var host = Host.CreateDefaultBuilder(args) .ConfigureLogging(logging => logging.AddFilter("System", LogLevel.Debug) .AddFilter("Microsoft", LogLevel.Information) .AddFilter("Microsoft", LogLevel.Trace)) .ConfigureServices((_, services) => services.AddAWSService() .AddTransient() .AddTransient() ) .Build(); logger = LoggerFactory.Create(builder => { builder.AddConsole(); }) .CreateLogger(); IConfiguration configuration = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("settings.json") // Load test settings from .json file. .AddJsonFile("settings.local.json", true) // Optionally load local settings. .Build(); // Values needed for user, role, and policies. string userName = configuration["UserName"]!; string s3PolicyName = configuration["S3PolicyName"]!; string roleName = configuration["RoleName"]!; var iamWrapper = host.Services.GetRequiredService(); var uiWrapper = host.Services.GetRequiredService(); uiWrapper.DisplayBasicsOverview(); uiWrapper.PressEnter(); // First create a user. By default, the new user has // no permissions. uiWrapper.DisplayTitle("Create User"); Console.WriteLine($"Creating a new user with user name: {userName}."); var user = await iamWrapper.CreateUserAsync(userName); var userArn = user.Arn; Console.WriteLine($"Successfully created user: {userName} with ARN: {userArn}."); uiWrapper.WaitABit(15, "Now let's wait for the user to be ready for use."); // Define a role policy document that allows the new user // to assume the role. string assumeRolePolicyDocument = "{" + "\"Version\": \"2012-10-17\"," + "\"Statement\": [{" + "\"Effect\": \"Allow\"," + "\"Principal\": {" + $" \"AWS\": \"{userArn}\"" + "}," + "\"Action\": \"sts:AssumeRole\"" + "}]" + "}"; // Permissions to list all buckets. string policyDocument = "{" + "\"Version\": \"2012-10-17\"," + " \"Statement\" : [{" + " \"Action\" : [\"s3:ListAllMyBuckets\"]," + " \"Effect\" : \"Allow\"," + " \"Resource\" : \"*\"" + "}]" + "}"; // Create an AccessKey for the user. uiWrapper.DisplayTitle("Create access key"); Console.WriteLine("Now let's create an access key for the new user."); var accessKey = await iamWrapper.CreateAccessKeyAsync(userName); var accessKeyId = accessKey.AccessKeyId; var secretAccessKey = accessKey.SecretAccessKey; Console.WriteLine($"We have created the access key with Access key id: {accessKeyId}."); Console.WriteLine("Now let's wait until the IAM access key is ready to use."); var keyReady = await iamWrapper.WaitUntilAccessKeyIsReady(accessKeyId); // Now try listing the Amazon Simple Storage Service (Amazon S3) // buckets. This should fail at this point because the user doesn't // have permissions to perform this task. uiWrapper.DisplayTitle("Try to display Amazon S3 buckets"); Console.WriteLine("Now let's try to display a list of the user's Amazon S3 buckets."); var s3Client1 = new AmazonS3Client(accessKeyId, secretAccessKey); var stsClient1 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey); var s3Wrapper = new S3Wrapper(s3Client1, stsClient1); var buckets = await s3Wrapper.ListMyBucketsAsync(); Console.WriteLine(buckets is null ? "As expected, the call to list the buckets has returned a null list." : "Something went wrong. This shouldn't have worked."); uiWrapper.PressEnter(); uiWrapper.DisplayTitle("Create IAM role"); Console.WriteLine($"Creating the role: {roleName}"); // Creating an IAM role to allow listing the S3 buckets. A role name // is not case sensitive and must be unique to the account for which it // is created. var roleArn = await iamWrapper.CreateRoleAsync(roleName, assumeRolePolicyDocument); uiWrapper.PressEnter(); // Create a policy with permissions to list S3 buckets. uiWrapper.DisplayTitle("Create IAM policy"); Console.WriteLine($"Creating the policy: {s3PolicyName}"); Console.WriteLine("with permissions to list the Amazon S3 buckets for the account."); var policy = await iamWrapper.CreatePolicyAsync(s3PolicyName, policyDocument); // Wait 15 seconds for the IAM policy to be available. uiWrapper.WaitABit(15, "Waiting for the policy to be available."); // Attach the policy to the role you created earlier. uiWrapper.DisplayTitle("Attach new IAM policy"); Console.WriteLine("Now let's attach the policy to the role."); await iamWrapper.AttachRolePolicyAsync(policy.Arn, roleName); // Wait 15 seconds for the role to be updated. Console.WriteLine(); uiWrapper.WaitABit(15, "Waiting for the policy to be attached."); // Use the AWS Security Token Service (AWS STS) to have the user // assume the role we created. var stsClient2 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey); // Wait for the new credentials to become valid. uiWrapper.WaitABit(10, "Waiting for the credentials to be valid."); var assumedRoleCredentials = await s3Wrapper.AssumeS3RoleAsync("temporary-session", roleArn); // Try again to list the buckets using the client created with // the new user's credentials. This time, it should work. var s3Client2 = new AmazonS3Client(assumedRoleCredentials); s3Wrapper.UpdateClients(s3Client2, stsClient2); buckets = await s3Wrapper.ListMyBucketsAsync(); uiWrapper.DisplayTitle("List Amazon S3 buckets"); Console.WriteLine("This time we should have buckets to list."); if (buckets is not null) { buckets.ForEach(bucket => { Console.WriteLine($"{bucket.BucketName} created: {bucket.CreationDate}"); }); } uiWrapper.PressEnter(); // Now clean up all the resources used in the example. uiWrapper.DisplayTitle("Clean up resources"); Console.WriteLine("Thank you for watching. The IAM Basics demo is complete."); Console.WriteLine("Please wait while we clean up the resources we created."); await iamWrapper.DetachRolePolicyAsync(policy.Arn, roleName); await iamWrapper.DeletePolicyAsync(policy.Arn); await iamWrapper.DeleteRoleAsync(roleName); await iamWrapper.DeleteAccessKeyAsync(accessKeyId, userName); await iamWrapper.DeleteUserAsync(userName); uiWrapper.PressEnter(); Console.WriteLine("All done cleaning up our resources. Thank you for your patience."); } } namespace IamScenariosCommon; using System.Net; ///

/// A class to perform Amazon Simple Storage Service (Amazon S3) actions for /// the IAM Basics scenario. ///

public class S3Wrapper { private IAmazonS3 _s3Service; private IAmazonSecurityTokenService _stsService; ///

/// Constructor for the S3Wrapper class. ///

/// An Amazon S3 client object. /// An AWS Security Token Service (AWS STS) /// client object. public S3Wrapper(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService) { _s3Service = s3Service; _stsService = stsService; } ///

/// Assumes an AWS Identity and Access Management (IAM) role that allows /// Amazon S3 access for the current session. ///

/// A string representing the current session. /// The name of the IAM role to assume. /// Credentials for the newly assumed IAM role. public async Task AssumeS3RoleAsync(string roleSession, string roleToAssume) { // Create the request to use with the AssumeRoleAsync call. var request = new AssumeRoleRequest() { RoleSessionName = roleSession, RoleArn = roleToAssume, }; var response = await _stsService.AssumeRoleAsync(request); return response.Credentials; } ///

/// Delete an S3 bucket. ///

/// Name of the S3 bucket to delete. /// A Boolean value indicating the success of the action. public async Task DeleteBucketAsync(string bucketName) { var result = await _s3Service.DeleteBucketAsync(new DeleteBucketRequest { BucketName = bucketName }); return result.HttpStatusCode == HttpStatusCode.OK; } ///

/// List the buckets that are owned by the user's account. ///

/// Async Task. public async Task?> ListMyBucketsAsync() { try { // Get the list of buckets accessible by the new user. var response = await _s3Service.ListBucketsAsync(); return response.Buckets; } catch (AmazonS3Exception ex) { // Something else went wrong. Display the error message. Console.WriteLine($"Error: {ex.Message}"); return null; } } ///

/// Create a new S3 bucket. ///

/// The name for the new bucket. /// A Boolean value indicating whether the action completed /// successfully. public async Task PutBucketAsync(string bucketName) { var response = await _s3Service.PutBucketAsync(new PutBucketRequest { BucketName = bucketName }); return response.HttpStatusCode == HttpStatusCode.OK; } ///

/// Update the client objects with new client objects. This is available /// because the scenario uses the methods of this class without and then /// with the proper permissions to list S3 buckets. ///

/// The Amazon S3 client object. /// The AWS STS client object. public void UpdateClients(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService) { _s3Service = s3Service; _stsService = stsService; } } namespace IamScenariosCommon; public class UIWrapper { public readonly string SepBar = new('-', Console.WindowWidth); ///

/// Show information about the IAM Groups scenario. ///

public void DisplayGroupsOverview() { Console.Clear(); DisplayTitle("Welcome to the IAM Groups Demo"); Console.WriteLine("This example application does the following:"); Console.WriteLine("\t1. Creates an Amazon Identity and Access Management (IAM) group."); Console.WriteLine("\t2. Adds an IAM policy to the IAM group giving it full access to Amazon S3."); Console.WriteLine("\t3. Creates a new IAM user."); Console.WriteLine("\t4. Creates an IAM access key for the user."); Console.WriteLine("\t5. Adds the user to the IAM group."); Console.WriteLine("\t6. Lists the buckets on the account."); Console.WriteLine("\t7. Proves that the user has full Amazon S3 access by creating a bucket."); Console.WriteLine("\t8. List the buckets again to show the new bucket."); Console.WriteLine("\t9. Cleans up all the resources created."); } ///

/// Show information about the IAM Basics scenario. ///

public void DisplayBasicsOverview() { Console.Clear(); DisplayTitle("Welcome to IAM Basics"); Console.WriteLine("This example application does the following:"); Console.WriteLine("\t1. Creates a user with no permissions."); Console.WriteLine("\t2. Creates a role and policy that grant s3:ListAllMyBuckets permission."); Console.WriteLine("\t3. Grants the user permission to assume the role."); Console.WriteLine("\t4. Creates an S3 client object as the user and tries to list buckets (this will fail)."); Console.WriteLine("\t5. Gets temporary credentials by assuming the role."); Console.WriteLine("\t6. Creates a new S3 client object with the temporary credentials and lists the buckets (this will succeed)."); Console.WriteLine("\t7. Deletes all the resources."); } ///

/// Display a message and wait until the user presses enter. ///

public void PressEnter() { Console.Write("\nPress to continue. "); _ = Console.ReadLine(); Console.WriteLine(); } ///

/// Pad a string with spaces to center it on the console display. ///

/// The string to be centered. /// The padded string. public string CenterString(string strToCenter) { var padAmount = (Console.WindowWidth - strToCenter.Length) / 2; var leftPad = new string(' ', padAmount); return $"{leftPad}{strToCenter}"; } ///

/// Display a line of hyphens, the centered text of the title, and another /// line of hyphens. ///

/// The string to be displayed. public void DisplayTitle(string strTitle) { Console.WriteLine(SepBar); Console.WriteLine(CenterString(strTitle)); Console.WriteLine(SepBar); } ///

/// Display a countdown and wait for a number of seconds. ///

/// The number of seconds to wait. public void WaitABit(int numSeconds, string msg) { Console.WriteLine(msg); // Wait for the requested number of seconds. for (int i = numSeconds; i > 0; i--) { System.Threading.Thread.Sleep(1000); Console.Write($"{i}..."); } PressEnter(); } } ``` + 有关 API 详细信息，请参阅《适用于 .NET 的 AWS SDK API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/AttachRolePolicy) + [CreateAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateAccessKey) + [CreatePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateRole) + [CreateUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateUser) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteAccessKey) + [DeletePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRole) + [DeleteUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUser) + [DeleteUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUserPolicy) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DetachRolePolicy) + [PutUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/PutUserPolicy) ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function iam_create_user_assume_role # # Scenario to create an IAM user, create an IAM role, and apply the role to the user. # # "IAM access" permissions are needed to run this code. # "STS assume role" permissions are needed to run this code. (Note: It might be necessary to # create a custom policy). # # Returns: # 0 - If successful. # 1 - If an error occurred. ############################################################################### function iam_create_user_assume_role() { { if [ "$IAM_OPERATIONS_SOURCED" != "True" ]; then source ./iam_operations.sh fi } echo_repeat "*" 88 echo "Welcome to the IAM create user and assume role demo." echo echo "This demo will create an IAM user, create an IAM role, and apply the role to the user." echo_repeat "*" 88 echo echo -n "Enter a name for a new IAM user: " get_input user_name=$get_input_result local user_arn user_arn=$(iam_create_user -u "$user_name") # shellcheck disable=SC2181 if [[ ${?} == 0 ]]; then echo "Created demo IAM user named $user_name" else errecho "$user_arn" errecho "The user failed to create. This demo will exit." return 1 fi local access_key_response access_key_response=$(iam_create_user_access_key -u "$user_name") # shellcheck disable=SC2181 if [[ ${?} != 0 ]]; then errecho "The access key failed to create. This demo will exit." clean_up "$user_name" return 1 fi IFS=$'\t ' read -r -a access_key_values <<<"$access_key_response" local key_name=${access_key_values[0]} local key_secret=${access_key_values[1]} echo "Created access key named $key_name" echo "Wait 10 seconds for the user to be ready." sleep 10 echo_repeat "*" 88 echo local iam_role_name iam_role_name=$(generate_random_name "test-role") echo "Creating a role named $iam_role_name with user $user_name as the principal." local assume_role_policy_document="{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"$user_arn\"}, \"Action\": \"sts:AssumeRole\" }] }" local role_arn role_arn=$(iam_create_role -n "$iam_role_name" -p "$assume_role_policy_document") # shellcheck disable=SC2181 if [ ${?} == 0 ]; then echo "Created IAM role named $iam_role_name" else errecho "The role failed to create. This demo will exit." clean_up "$user_name" "$key_name" return 1 fi local policy_name policy_name=$(generate_random_name "test-policy") local policy_document="{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}]}" local policy_arn policy_arn=$(iam_create_policy -n "$policy_name" -p "$policy_document") # shellcheck disable=SC2181 if [[ ${?} == 0 ]]; then echo "Created IAM policy named $policy_name" else errecho "The policy failed to create." clean_up "$user_name" "$key_name" "$iam_role_name" return 1 fi if (iam_attach_role_policy -n "$iam_role_name" -p "$policy_arn"); then echo "Attached policy $policy_arn to role $iam_role_name" else errecho "The policy failed to attach." clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" return 1 fi local assume_role_policy_document="{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"sts:AssumeRole\", \"Resource\": \"$role_arn\"}]}" local assume_role_policy_name assume_role_policy_name=$(generate_random_name "test-assume-role-") # shellcheck disable=SC2181 local assume_role_policy_arn assume_role_policy_arn=$(iam_create_policy -n "$assume_role_policy_name" -p "$assume_role_policy_document") # shellcheck disable=SC2181 if [ ${?} == 0 ]; then echo "Created IAM policy named $assume_role_policy_name for sts assume role" else errecho "The policy failed to create." clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" return 1 fi echo "Wait 10 seconds to give AWS time to propagate these new resources and connections." sleep 10 echo_repeat "*" 88 echo echo "Try to list buckets without the new user assuming the role." echo_repeat "*" 88 echo # Set the environment variables for the created user. # bashsupport disable=BP2001 export AWS_ACCESS_KEY_ID=$key_name # bashsupport disable=BP2001 export AWS_SECRET_ACCESS_KEY=$key_secret local buckets buckets=$(s3_list_buckets) # shellcheck disable=SC2181 if [ ${?} == 0 ]; then local bucket_count bucket_count=$(echo "$buckets" | wc -w | xargs) echo "There are $bucket_count buckets in the account. This should not have happened." else errecho "Because the role with permissions has not been assumed, listing buckets failed." fi echo echo_repeat "*" 88 echo "Now assume the role $iam_role_name and list the buckets." echo_repeat "*" 88 echo local credentials credentials=$(sts_assume_role -r "$role_arn" -n "AssumeRoleDemoSession") # shellcheck disable=SC2181 if [ ${?} == 0 ]; then echo "Assumed role $iam_role_name" else errecho "Failed to assume role." export AWS_ACCESS_KEY_ID="" export AWS_SECRET_ACCESS_KEY="" clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn" return 1 fi IFS=$'\t ' read -r -a credentials <<<"$credentials" export AWS_ACCESS_KEY_ID=${credentials[0]} export AWS_SECRET_ACCESS_KEY=${credentials[1]} # bashsupport disable=BP2001 export AWS_SESSION_TOKEN=${credentials[2]} buckets=$(s3_list_buckets) # shellcheck disable=SC2181 if [ ${?} == 0 ]; then local bucket_count bucket_count=$(echo "$buckets" | wc -w | xargs) echo "There are $bucket_count buckets in the account. Listing buckets succeeded because of " echo "the assumed role." else errecho "Failed to list buckets. This should not happen." export AWS_ACCESS_KEY_ID="" export AWS_SECRET_ACCESS_KEY="" export AWS_SESSION_TOKEN="" clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn" return 1 fi local result=0 export AWS_ACCESS_KEY_ID="" export AWS_SECRET_ACCESS_KEY="" echo echo_repeat "*" 88 echo "The created resources will now be deleted." echo_repeat "*" 88 echo clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn" # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then result=1 fi return $result } ``` 此场景中使用的 IAM 函数。 ``` ############################################################################### # function iam_user_exists # # This function checks to see if the specified AWS Identity and Access Management (IAM) user already exists. # # Parameters: # $1 - The name of the IAM user to check. # # Returns: # 0 - If the user already exists. # 1 - If the user doesn't exist. ############################################################################### function iam_user_exists() { local user_name user_name=$1 # Check whether the IAM user already exists. # We suppress all output - we're interested only in the return code. local errors errors=$(aws iam get-user \ --user-name "$user_name" 2>&1 >/dev/null) local error_code=${?} if [[ $error_code -eq 0 ]]; then return 0 # 0 in Bash script means true. else if [[ $errors != *"error"*"(NoSuchEntity)"* ]]; then aws_cli_error_log $error_code errecho "Error calling iam get-user $errors" fi return 1 # 1 in Bash script means false. fi } ############################################################################### # function iam_create_user # # This function creates the specified IAM user, unless # it already exists. # # Parameters: # -u user_name -- The name of the user to create. # # Returns: # The ARN of the user. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_user() { local user_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_user" echo "Creates an AWS Identity and Access Management (IAM) user. You must supply a username:" echo " -u user_name The name of the user. It must be unique within the account." echo "" } # Retrieve the calling parameters. while getopts "u:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi iecho "Parameters:\n" iecho " User name: $user_name" iecho "" # If the user already exists, we don't want to try to create it. if (iam_user_exists "$user_name"); then errecho "ERROR: A user with that name already exists in the account." return 1 fi response=$(aws iam create-user --user-name "$user_name" \ --output text \ --query 'User.Arn') local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-user operation failed.$response" return 1 fi echo "$response" return 0 } ############################################################################### # function iam_create_user_access_key # # This function creates an IAM access key for the specified user. # # Parameters: # -u user_name -- The name of the IAM user. # [-f file_name] -- The optional file name for the access key output. # # Returns: # [access_key_id access_key_secret] # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_user_access_key() { local user_name file_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_user_access_key" echo "Creates an AWS Identity and Access Management (IAM) key pair." echo " -u user_name The name of the IAM user." echo " [-f file_name] Optional file name for the access key output." echo "" } # Retrieve the calling parameters. while getopts "u:f:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; f) file_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi response=$(aws iam create-access-key \ --user-name "$user_name" \ --output text) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-access-key operation failed.$response" return 1 fi if [[ -n "$file_name" ]]; then echo "$response" >"$file_name" fi local key_id key_secret # shellcheck disable=SC2086 key_id=$(echo $response | cut -f 2 -d ' ') # shellcheck disable=SC2086 key_secret=$(echo $response | cut -f 4 -d ' ') echo "$key_id $key_secret" return 0 } ############################################################################### # function iam_create_role # # This function creates an IAM role. # # Parameters: # -n role_name -- The name of the IAM role. # -p policy_json -- The assume role policy document. # # Returns: # The ARN of the role. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_role() { local role_name policy_document response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_user_access_key" echo "Creates an AWS Identity and Access Management (IAM) role." echo " -n role_name The name of the IAM role." echo " -p policy_json -- The assume role policy document." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; p) policy_document="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi if [[ -z "$policy_document" ]]; then errecho "ERROR: You must provide a policy document with the -p parameter." usage return 1 fi response=$(aws iam create-role \ --role-name "$role_name" \ --assume-role-policy-document "$policy_document" \ --output text \ --query Role.Arn) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-role operation failed.\n$response" return 1 fi echo "$response" return 0 } ############################################################################### # function iam_create_policy # # This function creates an IAM policy. # # Parameters: # -n policy_name -- The name of the IAM policy. # -p policy_json -- The policy document. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_policy() { local policy_name policy_document response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_policy" echo "Creates an AWS Identity and Access Management (IAM) policy." echo " -n policy_name The name of the IAM policy." echo " -p policy_json -- The policy document." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) policy_name="${OPTARG}" ;; p) policy_document="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$policy_name" ]]; then errecho "ERROR: You must provide a policy name with the -n parameter." usage return 1 fi if [[ -z "$policy_document" ]]; then errecho "ERROR: You must provide a policy document with the -p parameter." usage return 1 fi response=$(aws iam create-policy \ --policy-name "$policy_name" \ --policy-document "$policy_document" \ --output text \ --query Policy.Arn) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-policy operation failed.\n$response" return 1 fi echo "$response" } ############################################################################### # function iam_attach_role_policy # # This function attaches an IAM policy to a tole. # # Parameters: # -n role_name -- The name of the IAM role. # -p policy_ARN -- The IAM policy document ARN.. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_attach_role_policy() { local role_name policy_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_attach_role_policy" echo "Attaches an AWS Identity and Access Management (IAM) policy to an IAM role." echo " -n role_name The name of the IAM role." echo " -p policy_ARN -- The IAM policy document ARN." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; p) policy_arn="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi if [[ -z "$policy_arn" ]]; then errecho "ERROR: You must provide a policy ARN with the -p parameter." usage return 1 fi response=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "$policy_arn") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports attach-role-policy operation failed.\n$response" return 1 fi echo "$response" return 0 } ############################################################################### # function iam_detach_role_policy # # This function detaches an IAM policy to a tole. # # Parameters: # -n role_name -- The name of the IAM role. # -p policy_ARN -- The IAM policy document ARN.. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_detach_role_policy() { local role_name policy_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_detach_role_policy" echo "Detaches an AWS Identity and Access Management (IAM) policy to an IAM role." echo " -n role_name The name of the IAM role." echo " -p policy_ARN -- The IAM policy document ARN." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; p) policy_arn="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi if [[ -z "$policy_arn" ]]; then errecho "ERROR: You must provide a policy ARN with the -p parameter." usage return 1 fi response=$(aws iam detach-role-policy \ --role-name "$role_name" \ --policy-arn "$policy_arn") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports detach-role-policy operation failed.\n$response" return 1 fi echo "$response" return 0 } ############################################################################### # function iam_delete_policy # # This function deletes an IAM policy. # # Parameters: # -n policy_arn -- The name of the IAM policy arn. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_policy() { local policy_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_policy" echo "Deletes an AWS Identity and Access Management (IAM) policy" echo " -n policy_arn -- The name of the IAM policy arn." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) policy_arn="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$policy_arn" ]]; then errecho "ERROR: You must provide a policy arn with the -n parameter." usage return 1 fi iecho "Parameters:\n" iecho " Policy arn: $policy_arn" iecho "" response=$(aws iam delete-policy \ --policy-arn "$policy_arn") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-policy operation failed.\n$response" return 1 fi iecho "delete-policy response:$response" iecho return 0 } ############################################################################### # function iam_delete_role # # This function deletes an IAM role. # # Parameters: # -n role_name -- The name of the IAM role. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_role() { local role_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_role" echo "Deletes an AWS Identity and Access Management (IAM) role" echo " -n role_name -- The name of the IAM role." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 echo "role_name:$role_name" if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi iecho "Parameters:\n" iecho " Role name: $role_name" iecho "" response=$(aws iam delete-role \ --role-name "$role_name") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-role operation failed.\n$response" return 1 fi iecho "delete-role response:$response" iecho return 0 } ############################################################################### # function iam_delete_access_key # # This function deletes an IAM access key for the specified IAM user. # # Parameters: # -u user_name -- The name of the user. # -k access_key -- The access key to delete. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_access_key() { local user_name access_key response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_access_key" echo "Deletes an AWS Identity and Access Management (IAM) access key for the specified IAM user" echo " -u user_name The name of the user." echo " -k access_key The access key to delete." echo "" } # Retrieve the calling parameters. while getopts "u:k:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; k) access_key="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi if [[ -z "$access_key" ]]; then errecho "ERROR: You must provide an access key with the -k parameter." usage return 1 fi iecho "Parameters:\n" iecho " Username: $user_name" iecho " Access key: $access_key" iecho "" response=$(aws iam delete-access-key \ --user-name "$user_name" \ --access-key-id "$access_key") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-access-key operation failed.\n$response" return 1 fi iecho "delete-access-key response:$response" iecho return 0 } ############################################################################### # function iam_delete_user # # This function deletes the specified IAM user. # # Parameters: # -u user_name -- The name of the user to create. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_user() { local user_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_user" echo "Deletes an AWS Identity and Access Management (IAM) user. You must supply a username:" echo " -u user_name The name of the user." echo "" } # Retrieve the calling parameters. while getopts "u:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi iecho "Parameters:\n" iecho " User name: $user_name" iecho "" # If the user does not exist, we don't want to try to delete it. if (! iam_user_exists "$user_name"); then errecho "ERROR: A user with that name does not exist in the account." return 1 fi response=$(aws iam delete-user \ --user-name "$user_name") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-user operation failed.$response" return 1 fi iecho "delete-user response:$response" iecho return 0 } ``` + 有关 API 详细信息，请参阅《AWS CLI 命令参考》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateAccessKey) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateUser) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteAccessKey) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUser) + [DeleteUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUserPolicy) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [PutUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutUserPolicy) ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples) 中查找完整示例，了解如何进行设置和运行。 ``` namespace AwsDoc { namespace IAM { //! Cleanup by deleting created entities. /*! \sa DeleteCreatedEntities \param client: IAM client. \param role: IAM role. \param user: IAM user. \param policy: IAM policy. */ static bool DeleteCreatedEntities(const Aws::IAM::IAMClient &client, const Aws::IAM::Model::Role &role, const Aws::IAM::Model::User &user, const Aws::IAM::Model::Policy &policy); } static const int LIST_BUCKETS_WAIT_SEC = 20; static const char ALLOCATION_TAG[] = "example_code"; } //! Scenario to create an IAM user, create an IAM role, and apply the role to the user. // "IAM access" permissions are needed to run this code. // "STS assume role" permissions are needed to run this code. (Note: It might be necessary to // create a custom policy). /*! \sa iamCreateUserAssumeRoleScenario \param clientConfig: Aws client configuration. \return bool: Successful completion. */ bool AwsDoc::IAM::iamCreateUserAssumeRoleScenario( const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient client(clientConfig); Aws::IAM::Model::User user; Aws::IAM::Model::Role role; Aws::IAM::Model::Policy policy; // 1. Create a user. { Aws::IAM::Model::CreateUserRequest request; Aws::String uuid = Aws::Utils::UUID::RandomUUID(); Aws::String userName = "iam-demo-user-" + Aws::Utils::StringUtils::ToLower(uuid.c_str()); request.SetUserName(userName); Aws::IAM::Model::CreateUserOutcome outcome = client.CreateUser(request); if (!outcome.IsSuccess()) { std::cout << "Error creating IAM user " << userName << ":" << outcome.GetError().GetMessage() << std::endl; return false; } else { std::cout << "Successfully created IAM user " << userName << std::endl; } user = outcome.GetResult().GetUser(); } // 2. Create a role. { // Get the IAM user for the current client in order to access its ARN. Aws::String iamUserArn; { Aws::IAM::Model::GetUserRequest request; Aws::IAM::Model::GetUserOutcome outcome = client.GetUser(request); if (!outcome.IsSuccess()) { std::cerr << "Error getting Iam user. " << outcome.GetError().GetMessage() << std::endl; DeleteCreatedEntities(client, role, user, policy); return false; } else { std::cout << "Successfully retrieved Iam user " << outcome.GetResult().GetUser().GetUserName() << std::endl; } iamUserArn = outcome.GetResult().GetUser().GetArn(); } Aws::IAM::Model::CreateRoleRequest request; Aws::String uuid = Aws::Utils::UUID::RandomUUID(); Aws::String roleName = "iam-demo-role-" + Aws::Utils::StringUtils::ToLower(uuid.c_str()); request.SetRoleName(roleName); // Build policy document for role. Aws::Utils::Document jsonStatement; jsonStatement.WithString("Effect", "Allow"); Aws::Utils::Document jsonPrincipal; jsonPrincipal.WithString("AWS", iamUserArn); jsonStatement.WithObject("Principal", jsonPrincipal); jsonStatement.WithString("Action", "sts:AssumeRole"); jsonStatement.WithObject("Condition", Aws::Utils::Document()); Aws::Utils::Document policyDocument; policyDocument.WithString("Version", "2012-10-17"); Aws::Utils::Array statements(1); statements[0] = jsonStatement; policyDocument.WithArray("Statement", statements); std::cout << "Setting policy for role\n " << policyDocument.View().WriteCompact() << std::endl; // Set role policy document as JSON string. request.SetAssumeRolePolicyDocument(policyDocument.View().WriteCompact()); Aws::IAM::Model::CreateRoleOutcome outcome = client.CreateRole(request); if (!outcome.IsSuccess()) { std::cerr << "Error creating role. " << outcome.GetError().GetMessage() << std::endl; DeleteCreatedEntities(client, role, user, policy); return false; } else { std::cout << "Successfully created a role with name " << roleName << std::endl; } role = outcome.GetResult().GetRole(); } // 3. Create an IAM policy. { Aws::IAM::Model::CreatePolicyRequest request; Aws::String uuid = Aws::Utils::UUID::RandomUUID(); Aws::String policyName = "iam-demo-policy-" + Aws::Utils::StringUtils::ToLower(uuid.c_str()); request.SetPolicyName(policyName); // Build IAM policy document. Aws::Utils::Document jsonStatement; jsonStatement.WithString("Effect", "Allow"); jsonStatement.WithString("Action", "s3:ListAllMyBuckets"); jsonStatement.WithString("Resource", "arn:aws:s3:::*"); Aws::Utils::Document policyDocument; policyDocument.WithString("Version", "2012-10-17"); Aws::Utils::Array statements(1); statements[0] = jsonStatement; policyDocument.WithArray("Statement", statements); std::cout << "Creating a policy.\n " << policyDocument.View().WriteCompact() << std::endl; // Set IAM policy document as JSON string. request.SetPolicyDocument(policyDocument.View().WriteCompact()); Aws::IAM::Model::CreatePolicyOutcome outcome = client.CreatePolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Error creating policy. " << outcome.GetError().GetMessage() << std::endl; DeleteCreatedEntities(client, role, user, policy); return false; } else { std::cout << "Successfully created a policy with name, " << policyName << "." << std::endl; } policy = outcome.GetResult().GetPolicy(); } // 4. Assume the new role using the AWS Security Token Service (STS). Aws::STS::Model::Credentials credentials; { Aws::STS::STSClient stsClient(clientConfig); Aws::STS::Model::AssumeRoleRequest request; request.SetRoleArn(role.GetArn()); Aws::String uuid = Aws::Utils::UUID::RandomUUID(); Aws::String roleSessionName = "iam-demo-role-session-" + Aws::Utils::StringUtils::ToLower(uuid.c_str()); request.SetRoleSessionName(roleSessionName); Aws::STS::Model::AssumeRoleOutcome assumeRoleOutcome; // Repeatedly call AssumeRole, because there is often a delay // before the role is available to be assumed. // Repeat at most 20 times when access is denied. int count = 0; while (true) { assumeRoleOutcome = stsClient.AssumeRole(request); if (!assumeRoleOutcome.IsSuccess()) { if (count > 20 || assumeRoleOutcome.GetError().GetErrorType() != Aws::STS::STSErrors::ACCESS_DENIED) { std::cerr << "Error assuming role after 20 tries. " << assumeRoleOutcome.GetError().GetMessage() << std::endl; DeleteCreatedEntities(client, role, user, policy); return false; } std::this_thread::sleep_for(std::chrono::seconds(1)); } else { std::cout << "Successfully assumed the role after " << count << " seconds." << std::endl; break; } count++; } credentials = assumeRoleOutcome.GetResult().GetCredentials(); } // 5. List objects in the bucket (This should fail). { Aws::S3::S3Client s3Client( Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(), credentials.GetSecretAccessKey(), credentials.GetSessionToken()), Aws::MakeShared(ALLOCATION_TAG), clientConfig); Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets(); if (!listBucketsOutcome.IsSuccess()) { if (listBucketsOutcome.GetError().GetErrorType() != Aws::S3::S3Errors::ACCESS_DENIED) { std::cerr << "Could not lists buckets. " << listBucketsOutcome.GetError().GetMessage() << std::endl; } else { std::cout << "Access to list buckets denied because privileges have not been applied." << std::endl; } } else { std::cerr << "Successfully retrieved bucket lists when this should not happen." << std::endl; } } // 6. Attach the policy to the role. { Aws::IAM::Model::AttachRolePolicyRequest request; request.SetRoleName(role.GetRoleName()); request.WithPolicyArn(policy.GetArn()); Aws::IAM::Model::AttachRolePolicyOutcome outcome = client.AttachRolePolicy( request); if (!outcome.IsSuccess()) { std::cerr << "Error creating policy. " << outcome.GetError().GetMessage() << std::endl; DeleteCreatedEntities(client, role, user, policy); return false; } else { std::cout << "Successfully attached the policy with name, " << policy.GetPolicyName() << ", to the role, " << role.GetRoleName() << "." << std::endl; } } int count = 0; // 7. List objects in the bucket (this should succeed). // Repeatedly call ListBuckets, because there is often a delay // before the policy with ListBucket permissions has been applied to the role. // Repeat at most LIST_BUCKETS_WAIT_SEC times when access is denied. while (true) { Aws::S3::S3Client s3Client( Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(), credentials.GetSecretAccessKey(), credentials.GetSessionToken()), Aws::MakeShared(ALLOCATION_TAG), clientConfig); Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets(); if (!listBucketsOutcome.IsSuccess()) { if ((count > LIST_BUCKETS_WAIT_SEC) || listBucketsOutcome.GetError().GetErrorType() != Aws::S3::S3Errors::ACCESS_DENIED) { std::cerr << "Could not lists buckets after " << LIST_BUCKETS_WAIT_SEC << " seconds. " << listBucketsOutcome.GetError().GetMessage() << std::endl; DeleteCreatedEntities(client, role, user, policy); return false; } std::this_thread::sleep_for(std::chrono::seconds(1)); } else { std::cout << "Successfully retrieved bucket lists after " << count << " seconds." << std::endl; break; } count++; } // 8. Delete all the created resources. return DeleteCreatedEntities(client, role, user, policy); } bool AwsDoc::IAM::DeleteCreatedEntities(const Aws::IAM::IAMClient &client, const Aws::IAM::Model::Role &role, const Aws::IAM::Model::User &user, const Aws::IAM::Model::Policy &policy) { bool result = true; if (policy.ArnHasBeenSet()) { // Detach the policy from the role. { Aws::IAM::Model::DetachRolePolicyRequest request; request.SetPolicyArn(policy.GetArn()); request.SetRoleName(role.GetRoleName()); Aws::IAM::Model::DetachRolePolicyOutcome outcome = client.DetachRolePolicy( request); if (!outcome.IsSuccess()) { std::cerr << "Error Detaching policy from roles. " << outcome.GetError().GetMessage() << std::endl; result = false; } else { std::cout << "Successfully detached the policy with arn " << policy.GetArn() << " from role " << role.GetRoleName() << "." << std::endl; } } // Delete the policy. { Aws::IAM::Model::DeletePolicyRequest request; request.WithPolicyArn(policy.GetArn()); Aws::IAM::Model::DeletePolicyOutcome outcome = client.DeletePolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Error deleting policy. " << outcome.GetError().GetMessage() << std::endl; result = false; } else { std::cout << "Successfully deleted the policy with arn " << policy.GetArn() << std::endl; } } } if (role.RoleIdHasBeenSet()) { // Delete the role. Aws::IAM::Model::DeleteRoleRequest request; request.SetRoleName(role.GetRoleName()); Aws::IAM::Model::DeleteRoleOutcome outcome = client.DeleteRole(request); if (!outcome.IsSuccess()) { std::cerr << "Error deleting role. " << outcome.GetError().GetMessage() << std::endl; result = false; } else { std::cout << "Successfully deleted the role with name " << role.GetRoleName() << std::endl; } } if (user.ArnHasBeenSet()) { // Delete the user. Aws::IAM::Model::DeleteUserRequest request; request.WithUserName(user.GetUserName()); Aws::IAM::Model::DeleteUserOutcome outcome = client.DeleteUser(request); if (!outcome.IsSuccess()) { std::cerr << "Error deleting user. " << outcome.GetError().GetMessage() << std::endl; result = false; } else { std::cout << "Successfully deleted the user with name " << user.GetUserName() << std::endl; } } return result; } ``` + 有关 API 详细信息，请参阅《适用于 C\$1\$1 的 AWS SDK API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/AttachRolePolicy) + [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccessKey) + [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateRole) + [CreateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateUser) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccessKey) + [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteRole) + [DeleteUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUser) + [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUserPolicy) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DetachRolePolicy) + [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/PutUserPolicy) ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。在命令提示符中运行交互式场景。 ``` import ( "context" "errors" "fmt" "log" "math/rand" "strings" "time" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/credentials" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/sts" "github.com/aws/smithy-go" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" "github.com/awsdocs/aws-doc-sdk-examples/gov2/iam/actions" ) // AssumeRoleScenario shows you how to use the AWS Identity and Access Management (IAM) // service to perform the following actions: // // 1. Create a user who has no permissions. // 2. Create a role that grants permission to list Amazon Simple Storage Service // (Amazon S3) buckets for the account. // 3. Add a policy to let the user assume the role. // 4. Try and fail to list buckets without permissions. // 5. Assume the role and list S3 buckets using temporary credentials. // 6. Delete the policy, role, and user. type AssumeRoleScenario struct { sdkConfig aws.Config accountWrapper actions.AccountWrapper policyWrapper actions.PolicyWrapper roleWrapper actions.RoleWrapper userWrapper actions.UserWrapper questioner demotools.IQuestioner helper IScenarioHelper isTestRun bool } // NewAssumeRoleScenario constructs an AssumeRoleScenario instance from a configuration. // It uses the specified config to get an IAM client and create wrappers for the actions // used in the scenario. func NewAssumeRoleScenario(sdkConfig aws.Config, questioner demotools.IQuestioner, helper IScenarioHelper) AssumeRoleScenario { iamClient := iam.NewFromConfig(sdkConfig) return AssumeRoleScenario{ sdkConfig: sdkConfig, accountWrapper: actions.AccountWrapper{IamClient: iamClient}, policyWrapper: actions.PolicyWrapper{IamClient: iamClient}, roleWrapper: actions.RoleWrapper{IamClient: iamClient}, userWrapper: actions.UserWrapper{IamClient: iamClient}, questioner: questioner, helper: helper, } } // addTestOptions appends the API options specified in the original configuration to // another configuration. This is used to attach the middleware stubber to clients // that are constructed during the scenario, which is needed for unit testing. func (scenario AssumeRoleScenario) addTestOptions(scenarioConfig *aws.Config) { if scenario.isTestRun { scenarioConfig.APIOptions = append(scenarioConfig.APIOptions, scenario.sdkConfig.APIOptions...) } } // Run runs the interactive scenario. func (scenario AssumeRoleScenario) Run(ctx context.Context) { defer func() { if r := recover(); r != nil { log.Printf("Something went wrong with the demo.\n") log.Println(r) } }() log.Println(strings.Repeat("-", 88)) log.Println("Welcome to the AWS Identity and Access Management (IAM) assume role demo.") log.Println(strings.Repeat("-", 88)) user := scenario.CreateUser(ctx) accessKey := scenario.CreateAccessKey(ctx, user) role := scenario.CreateRoleAndPolicies(ctx, user) noPermsConfig := scenario.ListBucketsWithoutPermissions(ctx, accessKey) scenario.ListBucketsWithAssumedRole(ctx, noPermsConfig, role) scenario.Cleanup(ctx, user, role) log.Println(strings.Repeat("-", 88)) log.Println("Thanks for watching!") log.Println(strings.Repeat("-", 88)) } // CreateUser creates a new IAM user. This user has no permissions. func (scenario AssumeRoleScenario) CreateUser(ctx context.Context) *types.User { log.Println("Let's create an example user with no permissions.") userName := scenario.questioner.Ask("Enter a name for the example user:", demotools.NotEmpty{}) user, err := scenario.userWrapper.GetUser(ctx, userName) if err != nil { panic(err) } if user == nil { user, err = scenario.userWrapper.CreateUser(ctx, userName) if err != nil { panic(err) } log.Printf("Created user %v.\n", *user.UserName) } else { log.Printf("User %v already exists.\n", *user.UserName) } log.Println(strings.Repeat("-", 88)) return user } // CreateAccessKey creates an access key for the user. func (scenario AssumeRoleScenario) CreateAccessKey(ctx context.Context, user *types.User) *types.AccessKey { accessKey, err := scenario.userWrapper.CreateAccessKeyPair(ctx, *user.UserName) if err != nil { panic(err) } log.Printf("Created access key %v for your user.", *accessKey.AccessKeyId) log.Println("Waiting a few seconds for your user to be ready...") scenario.helper.Pause(10) log.Println(strings.Repeat("-", 88)) return accessKey } // CreateRoleAndPolicies creates a policy that grants permission to list S3 buckets for // the current account and attaches the policy to a newly created role. It also adds an // inline policy to the specified user that grants the user permission to assume the role. func (scenario AssumeRoleScenario) CreateRoleAndPolicies(ctx context.Context, user *types.User) *types.Role { log.Println("Let's create a role and policy that grant permission to list S3 buckets.") scenario.questioner.Ask("Press Enter when you're ready.") listBucketsRole, err := scenario.roleWrapper.CreateRole(ctx, scenario.helper.GetName(), *user.Arn) if err != nil { panic(err) } log.Printf("Created role %v.\n", *listBucketsRole.RoleName) listBucketsPolicy, err := scenario.policyWrapper.CreatePolicy( ctx, scenario.helper.GetName(), []string{"s3:ListAllMyBuckets"}, "arn:aws:s3:::*") if err != nil { panic(err) } log.Printf("Created policy %v.\n", *listBucketsPolicy.PolicyName) err = scenario.roleWrapper.AttachRolePolicy(ctx, *listBucketsPolicy.Arn, *listBucketsRole.RoleName) if err != nil { panic(err) } log.Printf("Attached policy %v to role %v.\n", *listBucketsPolicy.PolicyName, *listBucketsRole.RoleName) err = scenario.userWrapper.CreateUserPolicy(ctx, *user.UserName, scenario.helper.GetName(), []string{"sts:AssumeRole"}, *listBucketsRole.Arn) if err != nil { panic(err) } log.Printf("Created an inline policy for user %v that lets the user assume the role.\n", *user.UserName) log.Println("Let's give AWS a few seconds to propagate these new resources and connections...") scenario.helper.Pause(10) log.Println(strings.Repeat("-", 88)) return listBucketsRole } // ListBucketsWithoutPermissions creates an Amazon S3 client from the user's access key // credentials and tries to list buckets for the account. Because the user does not have // permission to perform this action, the action fails. func (scenario AssumeRoleScenario) ListBucketsWithoutPermissions(ctx context.Context, accessKey *types.AccessKey) *aws.Config { log.Println("Let's try to list buckets without permissions. This should return an AccessDenied error.") scenario.questioner.Ask("Press Enter when you're ready.") noPermsConfig, err := config.LoadDefaultConfig(ctx, config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider( *accessKey.AccessKeyId, *accessKey.SecretAccessKey, ""), )) if err != nil { panic(err) } // Add test options if this is a test run. This is needed only for testing purposes. scenario.addTestOptions(&noPermsConfig) s3Client := s3.NewFromConfig(noPermsConfig) _, err = s3Client.ListBuckets(ctx, &s3.ListBucketsInput{}) if err != nil { // The SDK for Go does not model the AccessDenied error, so check ErrorCode directly. var ae smithy.APIError if errors.As(err, &ae) { switch ae.ErrorCode() { case "AccessDenied": log.Println("Got AccessDenied error, which is the expected result because\n" + "the ListBuckets call was made without permissions.") default: log.Println("Expected AccessDenied, got something else.") panic(err) } } } else { log.Println("Expected AccessDenied error when calling ListBuckets without permissions,\n" + "but the call succeeded. Continuing the example anyway...") } log.Println(strings.Repeat("-", 88)) return &noPermsConfig } // ListBucketsWithAssumedRole performs the following actions: // // 1. Creates an AWS Security Token Service (AWS STS) client from the config created from // the user's access key credentials. // 2. Gets temporary credentials by assuming the role that grants permission to list the // buckets. // 3. Creates an Amazon S3 client from the temporary credentials. // 4. Lists buckets for the account. Because the temporary credentials are generated by // assuming the role that grants permission, the action succeeds. func (scenario AssumeRoleScenario) ListBucketsWithAssumedRole(ctx context.Context, noPermsConfig *aws.Config, role *types.Role) { log.Println("Let's assume the role that grants permission to list buckets and try again.") scenario.questioner.Ask("Press Enter when you're ready.") stsClient := sts.NewFromConfig(*noPermsConfig) tempCredentials, err := stsClient.AssumeRole(ctx, &sts.AssumeRoleInput{ RoleArn: role.Arn, RoleSessionName: aws.String("AssumeRoleExampleSession"), DurationSeconds: aws.Int32(900), }) if err != nil { log.Printf("Couldn't assume role %v.\n", *role.RoleName) panic(err) } log.Printf("Assumed role %v, got temporary credentials.\n", *role.RoleName) assumeRoleConfig, err := config.LoadDefaultConfig(ctx, config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider( *tempCredentials.Credentials.AccessKeyId, *tempCredentials.Credentials.SecretAccessKey, *tempCredentials.Credentials.SessionToken), ), ) if err != nil { panic(err) } // Add test options if this is a test run. This is needed only for testing purposes. scenario.addTestOptions(&assumeRoleConfig) s3Client := s3.NewFromConfig(assumeRoleConfig) result, err := s3Client.ListBuckets(ctx, &s3.ListBucketsInput{}) if err != nil { log.Println("Couldn't list buckets with assumed role credentials.") panic(err) } log.Println("Successfully called ListBuckets with assumed role credentials, \n" + "here are some of them:") for i := 0; i < len(result.Buckets) && i < 5; i++ { log.Printf("\t%v\n", *result.Buckets[i].Name) } log.Println(strings.Repeat("-", 88)) } // Cleanup deletes all resources created for the scenario. func (scenario AssumeRoleScenario) Cleanup(ctx context.Context, user *types.User, role *types.Role) { if scenario.questioner.AskBool( "Do you want to delete the resources created for this example? (y/n)", "y", ) { policies, err := scenario.roleWrapper.ListAttachedRolePolicies(ctx, *role.RoleName) if err != nil { panic(err) } for _, policy := range policies { err = scenario.roleWrapper.DetachRolePolicy(ctx, *role.RoleName, *policy.PolicyArn) if err != nil { panic(err) } err = scenario.policyWrapper.DeletePolicy(ctx, *policy.PolicyArn) if err != nil { panic(err) } log.Printf("Detached policy %v from role %v and deleted the policy.\n", *policy.PolicyName, *role.RoleName) } err = scenario.roleWrapper.DeleteRole(ctx, *role.RoleName) if err != nil { panic(err) } log.Printf("Deleted role %v.\n", *role.RoleName) userPols, err := scenario.userWrapper.ListUserPolicies(ctx, *user.UserName) if err != nil { panic(err) } for _, userPol := range userPols { err = scenario.userWrapper.DeleteUserPolicy(ctx, *user.UserName, userPol) if err != nil { panic(err) } log.Printf("Deleted policy %v from user %v.\n", userPol, *user.UserName) } keys, err := scenario.userWrapper.ListAccessKeys(ctx, *user.UserName) if err != nil { panic(err) } for _, key := range keys { err = scenario.userWrapper.DeleteAccessKey(ctx, *user.UserName, *key.AccessKeyId) if err != nil { panic(err) } log.Printf("Deleted access key %v from user %v.\n", *key.AccessKeyId, *user.UserName) } err = scenario.userWrapper.DeleteUser(ctx, *user.UserName) if err != nil { panic(err) } log.Printf("Deleted user %v.\n", *user.UserName) log.Println(strings.Repeat("-", 88)) } } // IScenarioHelper abstracts input and wait functions from a scenario so that they // can be mocked for unit testing. type IScenarioHelper interface { GetName() string Pause(secs int) } const rMax = 100000 type ScenarioHelper struct { Prefix string Random *rand.Rand } // GetName returns a unique name formed of a prefix and a random number. func (helper *ScenarioHelper) GetName() string { return fmt.Sprintf("%v%v", helper.Prefix, helper.Random.Intn(rMax)) } // Pause waits for the specified number of seconds. func (helper ScenarioHelper) Pause(secs int) { time.Sleep(time.Duration(secs) * time.Second) } ``` 定义一个封装账户操作的结构。 ``` import ( "context" "log" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions // used in the examples. // It contains an IAM service client that is used to perform account actions. type AccountWrapper struct { IamClient *iam.Client } // GetAccountPasswordPolicy gets the account password policy for the current account. // If no policy has been set, a NoSuchEntityException is error is returned. func (wrapper AccountWrapper) GetAccountPasswordPolicy(ctx context.Context) (*types.PasswordPolicy, error) { var pwPolicy *types.PasswordPolicy result, err := wrapper.IamClient.GetAccountPasswordPolicy(ctx, &iam.GetAccountPasswordPolicyInput{}) if err != nil { log.Printf("Couldn't get account password policy. Here's why: %v\n", err) } else { pwPolicy = result.PasswordPolicy } return pwPolicy, err } // ListSAMLProviders gets the SAML providers for the account. func (wrapper AccountWrapper) ListSAMLProviders(ctx context.Context) ([]types.SAMLProviderListEntry, error) { var providers []types.SAMLProviderListEntry result, err := wrapper.IamClient.ListSAMLProviders(ctx, &iam.ListSAMLProvidersInput{}) if err != nil { log.Printf("Couldn't list SAML providers. Here's why: %v\n", err) } else { providers = result.SAMLProviderList } return providers, err } ``` 定义一个封装策略操作的结构。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions // used in the examples. // It contains an IAM service client that is used to perform policy actions. type PolicyWrapper struct { IamClient *iam.Client } // ListPolicies gets up to maxPolicies policies. func (wrapper PolicyWrapper) ListPolicies(ctx context.Context, maxPolicies int32) ([]types.Policy, error) { var policies []types.Policy result, err := wrapper.IamClient.ListPolicies(ctx, &iam.ListPoliciesInput{ MaxItems: aws.Int32(maxPolicies), }) if err != nil { log.Printf("Couldn't list policies. Here's why: %v\n", err) } else { policies = result.Policies } return policies, err } // PolicyDocument defines a policy document as a Go struct that can be serialized // to JSON. type PolicyDocument struct { Version string Statement []PolicyStatement } // PolicyStatement defines a statement in a policy document. type PolicyStatement struct { Effect string Action []string Principal map[string]string `json:",omitempty"` Resource *string `json:",omitempty"` } // CreatePolicy creates a policy that grants a list of actions to the specified resource. // PolicyDocument shows how to work with a policy document as a data structure and // serialize it to JSON by using Go's JSON marshaler. func (wrapper PolicyWrapper) CreatePolicy(ctx context.Context, policyName string, actions []string, resourceArn string) (*types.Policy, error) { var policy *types.Policy policyDoc := PolicyDocument{ Version: "2012-10-17", Statement: []PolicyStatement{{ Effect: "Allow", Action: actions, Resource: aws.String(resourceArn), }}, } policyBytes, err := json.Marshal(policyDoc) if err != nil { log.Printf("Couldn't create policy document for %v. Here's why: %v\n", resourceArn, err) return nil, err } result, err := wrapper.IamClient.CreatePolicy(ctx, &iam.CreatePolicyInput{ PolicyDocument: aws.String(string(policyBytes)), PolicyName: aws.String(policyName), }) if err != nil { log.Printf("Couldn't create policy %v. Here's why: %v\n", policyName, err) } else { policy = result.Policy } return policy, err } // GetPolicy gets data about a policy. func (wrapper PolicyWrapper) GetPolicy(ctx context.Context, policyArn string) (*types.Policy, error) { var policy *types.Policy result, err := wrapper.IamClient.GetPolicy(ctx, &iam.GetPolicyInput{ PolicyArn: aws.String(policyArn), }) if err != nil { log.Printf("Couldn't get policy %v. Here's why: %v\n", policyArn, err) } else { policy = result.Policy } return policy, err } // DeletePolicy deletes a policy. func (wrapper PolicyWrapper) DeletePolicy(ctx context.Context, policyArn string) error { _, err := wrapper.IamClient.DeletePolicy(ctx, &iam.DeletePolicyInput{ PolicyArn: aws.String(policyArn), }) if err != nil { log.Printf("Couldn't delete policy %v. Here's why: %v\n", policyArn, err) } return err } ``` 定义一个封装角色操作的结构。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // ListRoles gets up to maxRoles roles. func (wrapper RoleWrapper) ListRoles(ctx context.Context, maxRoles int32) ([]types.Role, error) { var roles []types.Role result, err := wrapper.IamClient.ListRoles(ctx, &iam.ListRolesInput{MaxItems: aws.Int32(maxRoles)}, ) if err != nil { log.Printf("Couldn't list roles. Here's why: %v\n", err) } else { roles = result.Roles } return roles, err } // CreateRole creates a role that trusts a specified user. The trusted user can assume // the role to acquire its permissions. // PolicyDocument shows how to work with a policy document as a data structure and // serialize it to JSON by using Go's JSON marshaler. func (wrapper RoleWrapper) CreateRole(ctx context.Context, roleName string, trustedUserArn string) (*types.Role, error) { var role *types.Role trustPolicy := PolicyDocument{ Version: "2012-10-17", Statement: []PolicyStatement{{ Effect: "Allow", Principal: map[string]string{"AWS": trustedUserArn}, Action: []string{"sts:AssumeRole"}, }}, } policyBytes, err := json.Marshal(trustPolicy) if err != nil { log.Printf("Couldn't create trust policy for %v. Here's why: %v\n", trustedUserArn, err) return nil, err } result, err := wrapper.IamClient.CreateRole(ctx, &iam.CreateRoleInput{ AssumeRolePolicyDocument: aws.String(string(policyBytes)), RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't create role %v. Here's why: %v\n", roleName, err) } else { role = result.Role } return role, err } // GetRole gets data about a role. func (wrapper RoleWrapper) GetRole(ctx context.Context, roleName string) (*types.Role, error) { var role *types.Role result, err := wrapper.IamClient.GetRole(ctx, &iam.GetRoleInput{RoleName: aws.String(roleName)}) if err != nil { log.Printf("Couldn't get role %v. Here's why: %v\n", roleName, err) } else { role = result.Role } return role, err } // CreateServiceLinkedRole creates a service-linked role that is owned by the specified service. func (wrapper RoleWrapper) CreateServiceLinkedRole(ctx context.Context, serviceName string, description string) ( *types.Role, error) { var role *types.Role result, err := wrapper.IamClient.CreateServiceLinkedRole(ctx, &iam.CreateServiceLinkedRoleInput{ AWSServiceName: aws.String(serviceName), Description: aws.String(description), }) if err != nil { log.Printf("Couldn't create service-linked role %v. Here's why: %v\n", serviceName, err) } else { role = result.Role } return role, err } // DeleteServiceLinkedRole deletes a service-linked role. func (wrapper RoleWrapper) DeleteServiceLinkedRole(ctx context.Context, roleName string) error { _, err := wrapper.IamClient.DeleteServiceLinkedRole(ctx, &iam.DeleteServiceLinkedRoleInput{ RoleName: aws.String(roleName)}, ) if err != nil { log.Printf("Couldn't delete service-linked role %v. Here's why: %v\n", roleName, err) } return err } // AttachRolePolicy attaches a policy to a role. func (wrapper RoleWrapper) AttachRolePolicy(ctx context.Context, policyArn string, roleName string) error { _, err := wrapper.IamClient.AttachRolePolicy(ctx, &iam.AttachRolePolicyInput{ PolicyArn: aws.String(policyArn), RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't attach policy %v to role %v. Here's why: %v\n", policyArn, roleName, err) } return err } // ListAttachedRolePolicies lists the policies that are attached to the specified role. func (wrapper RoleWrapper) ListAttachedRolePolicies(ctx context.Context, roleName string) ([]types.AttachedPolicy, error) { var policies []types.AttachedPolicy result, err := wrapper.IamClient.ListAttachedRolePolicies(ctx, &iam.ListAttachedRolePoliciesInput{ RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't list attached policies for role %v. Here's why: %v\n", roleName, err) } else { policies = result.AttachedPolicies } return policies, err } // DetachRolePolicy detaches a policy from a role. func (wrapper RoleWrapper) DetachRolePolicy(ctx context.Context, roleName string, policyArn string) error { _, err := wrapper.IamClient.DetachRolePolicy(ctx, &iam.DetachRolePolicyInput{ PolicyArn: aws.String(policyArn), RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't detach policy from role %v. Here's why: %v\n", roleName, err) } return err } // ListRolePolicies lists the inline policies for a role. func (wrapper RoleWrapper) ListRolePolicies(ctx context.Context, roleName string) ([]string, error) { var policies []string result, err := wrapper.IamClient.ListRolePolicies(ctx, &iam.ListRolePoliciesInput{ RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't list policies for role %v. Here's why: %v\n", roleName, err) } else { policies = result.PolicyNames } return policies, err } // DeleteRole deletes a role. All attached policies must be detached before a // role can be deleted. func (wrapper RoleWrapper) DeleteRole(ctx context.Context, roleName string) error { _, err := wrapper.IamClient.DeleteRole(ctx, &iam.DeleteRoleInput{ RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't delete role %v. Here's why: %v\n", roleName, err) } return err } ``` 定义一个封装用户操作的结构。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // ListUsers gets up to maxUsers number of users. func (wrapper UserWrapper) ListUsers(ctx context.Context, maxUsers int32) ([]types.User, error) { var users []types.User result, err := wrapper.IamClient.ListUsers(ctx, &iam.ListUsersInput{ MaxItems: aws.Int32(maxUsers), }) if err != nil { log.Printf("Couldn't list users. Here's why: %v\n", err) } else { users = result.Users } return users, err } // GetUser gets data about a user. func (wrapper UserWrapper) GetUser(ctx context.Context, userName string) (*types.User, error) { var user *types.User result, err := wrapper.IamClient.GetUser(ctx, &iam.GetUserInput{ UserName: aws.String(userName), }) if err != nil { var apiError smithy.APIError if errors.As(err, &apiError) { switch apiError.(type) { case *types.NoSuchEntityException: log.Printf("User %v does not exist.\n", userName) err = nil default: log.Printf("Couldn't get user %v. Here's why: %v\n", userName, err) } } } else { user = result.User } return user, err } // CreateUser creates a new user with the specified name. func (wrapper UserWrapper) CreateUser(ctx context.Context, userName string) (*types.User, error) { var user *types.User result, err := wrapper.IamClient.CreateUser(ctx, &iam.CreateUserInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err) } else { user = result.User } return user, err } // CreateUserPolicy adds an inline policy to a user. This example creates a policy that // grants a list of actions on a specified role. // PolicyDocument shows how to work with a policy document as a data structure and // serialize it to JSON by using Go's JSON marshaler. func (wrapper UserWrapper) CreateUserPolicy(ctx context.Context, userName string, policyName string, actions []string, roleArn string) error { policyDoc := PolicyDocument{ Version: "2012-10-17", Statement: []PolicyStatement{{ Effect: "Allow", Action: actions, Resource: aws.String(roleArn), }}, } policyBytes, err := json.Marshal(policyDoc) if err != nil { log.Printf("Couldn't create policy document for %v. Here's why: %v\n", roleArn, err) return err } _, err = wrapper.IamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{ PolicyDocument: aws.String(string(policyBytes)), PolicyName: aws.String(policyName), UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't create policy for user %v. Here's why: %v\n", userName, err) } return err } // ListUserPolicies lists the inline policies for the specified user. func (wrapper UserWrapper) ListUserPolicies(ctx context.Context, userName string) ([]string, error) { var policies []string result, err := wrapper.IamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't list policies for user %v. Here's why: %v\n", userName, err) } else { policies = result.PolicyNames } return policies, err } // DeleteUserPolicy deletes an inline policy from a user. func (wrapper UserWrapper) DeleteUserPolicy(ctx context.Context, userName string, policyName string) error { _, err := wrapper.IamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{ PolicyName: aws.String(policyName), UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't delete policy from user %v. Here's why: %v\n", userName, err) } return err } // DeleteUser deletes a user. func (wrapper UserWrapper) DeleteUser(ctx context.Context, userName string) error { _, err := wrapper.IamClient.DeleteUser(ctx, &iam.DeleteUserInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't delete user %v. Here's why: %v\n", userName, err) } return err } // CreateAccessKeyPair creates an access key for a user. The returned access key contains // the ID and secret credentials needed to use the key. func (wrapper UserWrapper) CreateAccessKeyPair(ctx context.Context, userName string) (*types.AccessKey, error) { var key *types.AccessKey result, err := wrapper.IamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{ UserName: aws.String(userName)}) if err != nil { log.Printf("Couldn't create access key pair for user %v. Here's why: %v\n", userName, err) } else { key = result.AccessKey } return key, err } // DeleteAccessKey deletes an access key from a user. func (wrapper UserWrapper) DeleteAccessKey(ctx context.Context, userName string, keyId string) error { _, err := wrapper.IamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{ AccessKeyId: aws.String(keyId), UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't delete access key %v. Here's why: %v\n", keyId, err) } return err } // ListAccessKeys lists the access keys for the specified user. func (wrapper UserWrapper) ListAccessKeys(ctx context.Context, userName string) ([]types.AccessKeyMetadata, error) { var keys []types.AccessKeyMetadata result, err := wrapper.IamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't list access keys for user %v. Here's why: %v\n", userName, err) } else { keys = result.AccessKeyMetadata } return keys, err } ``` + 有关 API 详细信息，请参阅《适用于 Go 的 AWS SDK API Reference》**中的以下主题。 + [AttachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.AttachRolePolicy) + [CreateAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateAccessKey) + [CreatePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreatePolicy) + [CreateRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateRole) + [CreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateUser) + [DeleteAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteAccessKey) + [DeletePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeletePolicy) + [DeleteRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteRole) + [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUser) + [DeleteUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUserPolicy) + [DetachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DetachRolePolicy) + [PutUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.PutUserPolicy) ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建包装 IAM 用户操作的函数。 ``` /* To run this Java V2 code example, set up your development environment, including your credentials. For information, see this documentation topic: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html This example performs these operations: 1. Creates a user that has no permissions. 2. Creates a role and policy that grants Amazon S3 permissions. 3. Creates a role. 4. Grants the user permissions. 5. Gets temporary credentials by assuming the role. Creates an Amazon S3 Service client object with the temporary credentials. 6. Deletes the resources. */ public class IAMScenario { public static final String DASHES = new String(new char[80]).replace("\0", "-"); public static final String PolicyDocument = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:*\"" + " ]," + " \"Resource\": \"*\"" + " }" + " ]" + "}"; public static String userArn; public static void main(String[] args) throws Exception { final String usage = """ Usage: \s Where: username - The name of the IAM user to create.\s policyName - The name of the policy to create.\s roleName - The name of the role to create.\s roleSessionName - The name of the session required for the assumeRole operation.\s bucketName - The name of the Amazon S3 bucket from which objects are read.\s """; if (args.length != 5) { System.out.println(usage); System.exit(1); } String userName = args[0]; String policyName = args[1]; String roleName = args[2]; String roleSessionName = args[3]; String bucketName = args[4]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); System.out.println(DASHES); System.out.println("Welcome to the AWS IAM example scenario."); System.out.println(DASHES); System.out.println(DASHES); System.out.println(" 1. Create the IAM user."); User createUser = createIAMUser(iam, userName); System.out.println(DASHES); userArn = createUser.arn(); AccessKey myKey = createIAMAccessKey(iam, userName); String accessKey = myKey.accessKeyId(); String secretKey = myKey.secretAccessKey(); String assumeRolePolicyDocument = "{" + "\"Version\": \"2012-10-17\"," + "\"Statement\": [{" + "\"Effect\": \"Allow\"," + "\"Principal\": {" + " \"AWS\": \"" + userArn + "\"" + "}," + "\"Action\": \"sts:AssumeRole\"" + "}]" + "}"; System.out.println(assumeRolePolicyDocument); System.out.println(userName + " was successfully created."); System.out.println(DASHES); System.out.println("2. Creates a policy."); String polArn = createIAMPolicy(iam, policyName); System.out.println("The policy " + polArn + " was successfully created."); System.out.println(DASHES); System.out.println(DASHES); System.out.println("3. Creates a role."); TimeUnit.SECONDS.sleep(30); String roleArn = createIAMRole(iam, roleName, assumeRolePolicyDocument); System.out.println(roleArn + " was successfully created."); System.out.println(DASHES); System.out.println(DASHES); System.out.println("4. Grants the user permissions."); attachIAMRolePolicy(iam, roleName, polArn); System.out.println(DASHES); System.out.println(DASHES); System.out.println("*** Wait for 30 secs so the resource is available"); TimeUnit.SECONDS.sleep(30); System.out.println("5. Gets temporary credentials by assuming the role."); System.out.println("Perform an Amazon S3 Service operation using the temporary credentials."); assumeRole(roleArn, roleSessionName, bucketName, accessKey, secretKey); System.out.println(DASHES); System.out.println(DASHES); System.out.println("6 Getting ready to delete the AWS resources"); deleteKey(iam, userName, accessKey); deleteRole(iam, roleName, polArn); deleteIAMUser(iam, userName); System.out.println(DASHES); System.out.println(DASHES); System.out.println("This IAM Scenario has successfully completed"); System.out.println(DASHES); } public static AccessKey createIAMAccessKey(IamClient iam, String user) { try { CreateAccessKeyRequest request = CreateAccessKeyRequest.builder() .userName(user) .build(); CreateAccessKeyResponse response = iam.createAccessKey(request); return response.accessKey(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return null; } public static User createIAMUser(IamClient iam, String username) { try { // Create an IamWaiter object IamWaiter iamWaiter = iam.waiter(); CreateUserRequest request = CreateUserRequest.builder() .userName(username) .build(); // Wait until the user is created. CreateUserResponse response = iam.createUser(request); GetUserRequest userRequest = GetUserRequest.builder() .userName(response.user().userName()) .build(); WaiterResponse waitUntilUserExists = iamWaiter.waitUntilUserExists(userRequest); waitUntilUserExists.matched().response().ifPresent(System.out::println); return response.user(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return null; } public static String createIAMRole(IamClient iam, String rolename, String json) { try { CreateRoleRequest request = CreateRoleRequest.builder() .roleName(rolename) .assumeRolePolicyDocument(json) .description("Created using the AWS SDK for Java") .build(); CreateRoleResponse response = iam.createRole(request); System.out.println("The ARN of the role is " + response.role().arn()); return response.role().arn(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; } public static String createIAMPolicy(IamClient iam, String policyName) { try { // Create an IamWaiter object. IamWaiter iamWaiter = iam.waiter(); CreatePolicyRequest request = CreatePolicyRequest.builder() .policyName(policyName) .policyDocument(PolicyDocument).build(); CreatePolicyResponse response = iam.createPolicy(request); GetPolicyRequest polRequest = GetPolicyRequest.builder() .policyArn(response.policy().arn()) .build(); WaiterResponse waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest); waitUntilPolicyExists.matched().response().ifPresent(System.out::println); return response.policy().arn(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; } public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) { try { ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder() .roleName(roleName) .build(); ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request); List attachedPolicies = response.attachedPolicies(); String polArn; for (AttachedPolicy policy : attachedPolicies) { polArn = policy.policyArn(); if (polArn.compareTo(policyArn) == 0) { System.out.println(roleName + " policy is already attached to this role."); return; } } AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.attachRolePolicy(attachRequest); System.out.println("Successfully attached policy " + policyArn + " to role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } // Invoke an Amazon S3 operation using the Assumed Role. public static void assumeRole(String roleArn, String roleSessionName, String bucketName, String keyVal, String keySecret) { // Use the creds of the new IAM user that was created in this code example. AwsBasicCredentials credentials = AwsBasicCredentials.create(keyVal, keySecret); StsClient stsClient = StsClient.builder() .region(Region.US_EAST_1) .credentialsProvider(StaticCredentialsProvider.create(credentials)) .build(); try { AssumeRoleRequest roleRequest = AssumeRoleRequest.builder() .roleArn(roleArn) .roleSessionName(roleSessionName) .build(); AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest); Credentials myCreds = roleResponse.credentials(); String key = myCreds.accessKeyId(); String secKey = myCreds.secretAccessKey(); String secToken = myCreds.sessionToken(); // List all objects in an Amazon S3 bucket using the temp creds retrieved by // invoking assumeRole. Region region = Region.US_EAST_1; S3Client s3 = S3Client.builder() .credentialsProvider( StaticCredentialsProvider.create(AwsSessionCredentials.create(key, secKey, secToken))) .region(region) .build(); System.out.println("Created a S3Client using temp credentials."); System.out.println("Listing objects in " + bucketName); ListObjectsRequest listObjects = ListObjectsRequest.builder() .bucket(bucketName) .build(); ListObjectsResponse res = s3.listObjects(listObjects); List objects = res.contents(); for (S3Object myValue : objects) { System.out.println("The name of the key is " + myValue.key()); System.out.println("The owner is " + myValue.owner()); } } catch (StsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void deleteRole(IamClient iam, String roleName, String polArn) { try { // First the policy needs to be detached. DetachRolePolicyRequest rolePolicyRequest = DetachRolePolicyRequest.builder() .policyArn(polArn) .roleName(roleName) .build(); iam.detachRolePolicy(rolePolicyRequest); // Delete the policy. DeletePolicyRequest request = DeletePolicyRequest.builder() .policyArn(polArn) .build(); iam.deletePolicy(request); System.out.println("*** Successfully deleted " + polArn); // Delete the role. DeleteRoleRequest roleRequest = DeleteRoleRequest.builder() .roleName(roleName) .build(); iam.deleteRole(roleRequest); System.out.println("*** Successfully deleted " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } public static void deleteKey(IamClient iam, String username, String accessKey) { try { DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder() .accessKeyId(accessKey) .userName(username) .build(); iam.deleteAccessKey(request); System.out.println("Successfully deleted access key " + accessKey + " from user " + username); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } public static void deleteIAMUser(IamClient iam, String userName) { try { DeleteUserRequest request = DeleteUserRequest.builder() .userName(userName) .build(); iam.deleteUser(request); System.out.println("*** Successfully deleted " + userName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 详细信息，请参阅《AWS SDK for Java 2.x API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/AttachRolePolicy) + [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccessKey) + [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateRole) + [CreateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateUser) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccessKey) + [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteRole) + [DeleteUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUser) + [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUserPolicy) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DetachRolePolicy) + [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/PutUserPolicy) ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建 IAM 用户和授予列出 Amazon S3 存储桶的权限的角色。用户仅具有代入该角色的权限。代入该角色后，使用临时凭证列出该账户的存储桶。 ``` import { CreateUserCommand, GetUserCommand, CreateAccessKeyCommand, CreatePolicyCommand, CreateRoleCommand, AttachRolePolicyCommand, DeleteAccessKeyCommand, DeleteUserCommand, DeleteRoleCommand, DeletePolicyCommand, DetachRolePolicyCommand, IAMClient, } from "@aws-sdk/client-iam"; import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3"; import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts"; import { retry } from "@aws-doc-sdk-examples/lib/utils/util-timers.js"; import { ScenarioInput } from "@aws-doc-sdk-examples/lib/scenario/index.js"; // Set the parameters. const iamClient = new IAMClient({}); const userName = "iam_basic_test_username"; const policyName = "iam_basic_test_policy"; const roleName = "iam_basic_test_role"; /** * Create a new IAM user. If the user already exists, give * the option to delete and re-create it. * @param {string} name */ export const createUser = async (name, confirmAll = false) => { try { const { User } = await iamClient.send( new GetUserCommand({ UserName: name }), ); const input = new ScenarioInput( "deleteUser", "Do you want to delete and remake this user?", { type: "confirm" }, ); const deleteUser = await input.handle({}, { confirmAll }); // If the user exists, and you want to delete it, delete the user // and then create it again. if (deleteUser) { await iamClient.send(new DeleteUserCommand({ UserName: User.UserName })); await iamClient.send(new CreateUserCommand({ UserName: name })); } else { console.warn( `${name} already exists. The scenario may not work as expected.`, ); return User; } } catch (caught) { // If there is no user by that name, create one. if (caught instanceof Error && caught.name === "NoSuchEntityException") { const { User } = await iamClient.send( new CreateUserCommand({ UserName: name }), ); return User; } throw caught; } }; export const main = async (confirmAll = false) => { // Create a user. The user has no permissions by default. const User = await createUser(userName, confirmAll); if (!User) { throw new Error("User not created"); } // Create an access key. This key is used to authenticate the new user to // Amazon Simple Storage Service (Amazon S3) and AWS Security Token Service (AWS STS). // It's not best practice to use access keys. For more information, see https://aws.amazon.com/iam/resources/best-practices/. const createAccessKeyResponse = await iamClient.send( new CreateAccessKeyCommand({ UserName: userName }), ); if ( !createAccessKeyResponse.AccessKey?.AccessKeyId || !createAccessKeyResponse.AccessKey?.SecretAccessKey ) { throw new Error("Access key not created"); } const { AccessKey: { AccessKeyId, SecretAccessKey }, } = createAccessKeyResponse; let s3Client = new S3Client({ credentials: { accessKeyId: AccessKeyId, secretAccessKey: SecretAccessKey, }, }); // Retry the list buckets operation until it succeeds. InvalidAccessKeyId is // thrown while the user and access keys are still stabilizing. await retry({ intervalInMs: 1000, maxRetries: 300 }, async () => { try { return await listBuckets(s3Client); } catch (err) { if (err instanceof Error && err.name === "InvalidAccessKeyId") { throw err; } } }); // Retry the create role operation until it succeeds. A MalformedPolicyDocument error // is thrown while the user and access keys are still stabilizing. const { Role } = await retry( { intervalInMs: 2000, maxRetries: 60, }, () => iamClient.send( new CreateRoleCommand({ AssumeRolePolicyDocument: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: { // Allow the previously created user to assume this role. AWS: User.Arn, }, Action: "sts:AssumeRole", }, ], }), RoleName: roleName, }), ), ); if (!Role) { throw new Error("Role not created"); } // Create a policy that allows the user to list S3 buckets. const { Policy: listBucketPolicy } = await iamClient.send( new CreatePolicyCommand({ PolicyDocument: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Action: ["s3:ListAllMyBuckets"], Resource: "*", }, ], }), PolicyName: policyName, }), ); if (!listBucketPolicy) { throw new Error("Policy not created"); } // Attach the policy granting the 's3:ListAllMyBuckets' action to the role. await iamClient.send( new AttachRolePolicyCommand({ PolicyArn: listBucketPolicy.Arn, RoleName: Role.RoleName, }), ); // Assume the role. const stsClient = new STSClient({ credentials: { accessKeyId: AccessKeyId, secretAccessKey: SecretAccessKey, }, }); // Retry the assume role operation until it succeeds. const { Credentials } = await retry( { intervalInMs: 2000, maxRetries: 60 }, () => stsClient.send( new AssumeRoleCommand({ RoleArn: Role.Arn, RoleSessionName: `iamBasicScenarioSession-${Math.floor( Math.random() * 1000000, )}`, DurationSeconds: 900, }), ), ); if (!Credentials?.AccessKeyId || !Credentials?.SecretAccessKey) { throw new Error("Credentials not created"); } s3Client = new S3Client({ credentials: { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, }, }); // List the S3 buckets again. // Retry the list buckets operation until it succeeds. AccessDenied might // be thrown while the role policy is still stabilizing. await retry({ intervalInMs: 2000, maxRetries: 120 }, () => listBuckets(s3Client), ); // Clean up. await iamClient.send( new DetachRolePolicyCommand({ PolicyArn: listBucketPolicy.Arn, RoleName: Role.RoleName, }), ); await iamClient.send( new DeletePolicyCommand({ PolicyArn: listBucketPolicy.Arn, }), ); await iamClient.send( new DeleteRoleCommand({ RoleName: Role.RoleName, }), ); await iamClient.send( new DeleteAccessKeyCommand({ UserName: userName, AccessKeyId, }), ); await iamClient.send( new DeleteUserCommand({ UserName: userName, }), ); }; /** * * @param {S3Client} s3Client */ const listBuckets = async (s3Client) => { const { Buckets } = await s3Client.send(new ListBucketsCommand({})); if (!Buckets) { throw new Error("Buckets not listed"); } console.log(Buckets.map((bucket) => bucket.Name).join("\n")); }; ``` + 有关 API 详细信息，请参阅《适用于 JavaScript 的 AWS SDK API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/AttachRolePolicyCommand) + [CreateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccessKeyCommand) + [CreatePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreatePolicyCommand) + [CreateRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateRoleCommand) + [CreateUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateUserCommand) + [DeleteAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccessKeyCommand) + [DeletePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeletePolicyCommand) + [DeleteRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRoleCommand) + [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserCommand) + [DeleteUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserPolicyCommand) + [DetachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DetachRolePolicyCommand) + [PutUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/PutUserPolicyCommand) ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建包装 IAM 用户操作的函数。 ``` suspend fun main(args: Array) { val usage = """ Usage: Where: username - The name of the IAM user to create. policyName - The name of the policy to create. roleName - The name of the role to create. roleSessionName - The name of the session required for the assumeRole operation. fileLocation - The file location to the JSON required to create the role (see Readme). bucketName - The name of the Amazon S3 bucket from which objects are read. """ if (args.size != 6) { println(usage) exitProcess(1) } val userName = args[0] val policyName = args[1] val roleName = args[2] val roleSessionName = args[3] val fileLocation = args[4] val bucketName = args[5] createUser(userName) println("$userName was successfully created.") val polArn = createPolicy(policyName) println("The policy $polArn was successfully created.") val roleArn = createRole(roleName, fileLocation) println("$roleArn was successfully created.") attachRolePolicy(roleName, polArn) println("*** Wait for 1 MIN so the resource is available.") delay(60000) assumeGivenRole(roleArn, roleSessionName, bucketName) println("*** Getting ready to delete the AWS resources.") deleteRole(roleName, polArn) deleteUser(userName) println("This IAM Scenario has successfully completed.") } suspend fun createUser(usernameVal: String?): String? { val request = CreateUserRequest { userName = usernameVal } IamClient { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.createUser(request) return response.user?.userName } } suspend fun createPolicy(policyNameVal: String?): String { val policyDocumentValue = """ { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": "*" } ] } """.trimIndent() val request = CreatePolicyRequest { policyName = policyNameVal policyDocument = policyDocumentValue } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.createPolicy(request) return response.policy?.arn.toString() } } suspend fun createRole( rolenameVal: String?, fileLocation: String?, ): String? { val jsonObject = fileLocation?.let { readJsonSimpleDemo(it) } as JSONObject val request = CreateRoleRequest { roleName = rolenameVal assumeRolePolicyDocument = jsonObject.toJSONString() description = "Created using the AWS SDK for Kotlin" } IamClient { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.createRole(request) return response.role?.arn } } suspend fun attachRolePolicy( roleNameVal: String, policyArnVal: String, ) { val request = ListAttachedRolePoliciesRequest { roleName = roleNameVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.listAttachedRolePolicies(request) val attachedPolicies = response.attachedPolicies // Ensure that the policy is not attached to this role. val checkStatus: Int if (attachedPolicies != null) { checkStatus = checkMyList(attachedPolicies, policyArnVal) if (checkStatus == -1) { return } } val policyRequest = AttachRolePolicyRequest { roleName = roleNameVal policyArn = policyArnVal } iamClient.attachRolePolicy(policyRequest) println("Successfully attached policy $policyArnVal to role $roleNameVal") } } fun checkMyList( attachedPolicies: List, policyArnVal: String, ): Int { for (policy in attachedPolicies) { val polArn = policy.policyArn.toString() if (polArn.compareTo(policyArnVal) == 0) { println("The policy is already attached to this role.") return -1 } } return 0 } suspend fun assumeGivenRole( roleArnVal: String?, roleSessionNameVal: String?, bucketName: String, ) { val stsClient = StsClient.fromEnvironment { region = "us-east-1" } val roleRequest = AssumeRoleRequest { roleArn = roleArnVal roleSessionName = roleSessionNameVal } val roleResponse = stsClient.assumeRole(roleRequest) val myCreds = roleResponse.credentials val key = myCreds?.accessKeyId val secKey = myCreds?.secretAccessKey val secToken = myCreds?.sessionToken val staticCredentials = StaticCredentialsProvider { accessKeyId = key secretAccessKey = secKey sessionToken = secToken } // List all objects in an Amazon S3 bucket using the temp creds. val s3 = S3Client.fromEnvironment { region = "us-east-1" credentialsProvider = staticCredentials } println("Created a S3Client using temp credentials.") println("Listing objects in $bucketName") val listObjects = ListObjectsRequest { bucket = bucketName } val response = s3.listObjects(listObjects) response.contents?.forEach { myObject -> println("The name of the key is ${myObject.key}") println("The owner is ${myObject.owner}") } } suspend fun deleteRole( roleNameVal: String, polArn: String, ) { val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" } // First the policy needs to be detached. val rolePolicyRequest = DetachRolePolicyRequest { policyArn = polArn roleName = roleNameVal } iam.detachRolePolicy(rolePolicyRequest) // Delete the policy. val request = DeletePolicyRequest { policyArn = polArn } iam.deletePolicy(request) println("*** Successfully deleted $polArn") // Delete the role. val roleRequest = DeleteRoleRequest { roleName = roleNameVal } iam.deleteRole(roleRequest) println("*** Successfully deleted $roleNameVal") } suspend fun deleteUser(userNameVal: String) { val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" } val request = DeleteUserRequest { userName = userNameVal } iam.deleteUser(request) println("*** Successfully deleted $userNameVal") } @Throws(java.lang.Exception::class) fun readJsonSimpleDemo(filename: String): Any? { val reader = FileReader(filename) val jsonParser = JSONParser() return jsonParser.parse(reader) } ``` + 有关 API 详细信息，请参阅《AWS SDK for Kotlin API Reference》**中的以下主题。 + [AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [CreateRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [DeleteRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [DeleteUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [PutUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html) ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples) 中查找完整示例，了解如何进行设置和运行。 ``` namespace Iam\Basics; require 'vendor/autoload.php'; use Aws\Credentials\Credentials; use Aws\S3\Exception\S3Exception; use Aws\S3\S3Client; use Aws\Sts\StsClient; use Iam\IAMService; echo("\n"); echo("--------------------------------------\n"); print("Welcome to the IAM getting started demo using PHP!\n"); echo("--------------------------------------\n"); $uuid = uniqid(); $service = new IAMService(); $user = $service->createUser("iam_demo_user_$uuid"); echo "Created user with the arn: {$user['Arn']}\n"; $key = $service->createAccessKey($user['UserName']); $assumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"{$user['Arn']}\"}, \"Action\": \"sts:AssumeRole\" }] }"; $assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument); echo "Created role: {$assumeRoleRole['RoleName']}\n"; $listAllBucketsPolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}] }"; $listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument); echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n"; $service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']); $inlinePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"sts:AssumeRole\", \"Resource\": \"{$assumeRoleRole['Arn']}\"}] }"; $inlinePolicy = $service->createUserPolicy("iam_demo_inline_policy_$uuid", $inlinePolicyDocument, $user['UserName']); //First, fail to list the buckets with the user $credentials = new Credentials($key['AccessKeyId'], $key['SecretAccessKey']); $s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]); try { $s3Client->listBuckets([ ]); echo "this should not run"; } catch (S3Exception $exception) { echo "successfully failed!\n"; } $stsClient = new StsClient(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]); sleep(10); $assumedRole = $stsClient->assumeRole([ 'RoleArn' => $assumeRoleRole['Arn'], 'RoleSessionName' => "DemoAssumeRoleSession_$uuid", ]); $assumedCredentials = [ 'key' => $assumedRole['Credentials']['AccessKeyId'], 'secret' => $assumedRole['Credentials']['SecretAccessKey'], 'token' => $assumedRole['Credentials']['SessionToken'], ]; $s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $assumedCredentials]); try { $s3Client->listBuckets([]); echo "this should now run!\n"; } catch (S3Exception $exception) { echo "this should now not fail\n"; } $service->detachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']); $deletePolicy = $service->deletePolicy($listAllBucketsPolicy['Arn']); echo "Delete policy: {$listAllBucketsPolicy['PolicyName']}\n"; $deletedRole = $service->deleteRole($assumeRoleRole['Arn']); echo "Deleted role: {$assumeRoleRole['RoleName']}\n"; $deletedKey = $service->deleteAccessKey($key['AccessKeyId'], $user['UserName']); $deletedUser = $service->deleteUser($user['UserName']); echo "Delete user: {$user['UserName']}\n"; ``` + 有关 API 详细信息，请参阅《适用于 PHP 的 AWS SDK API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/AttachRolePolicy) + [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateAccessKey) + [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateRole) + [CreateUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateUser) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteAccessKey) + [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteRole) + [DeleteUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUser) + [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUserPolicy) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DetachRolePolicy) + [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/PutUserPolicy) ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建 IAM 用户和授予列出 Amazon S3 存储桶的权限的角色。用户仅具有代入该角色的权限。代入该角色后，使用临时凭证列出该账户的存储桶。 ``` import json import sys import time from uuid import uuid4 import boto3 from botocore.exceptions import ClientError def progress_bar(seconds): """Shows a simple progress bar in the command window.""" for _ in range(seconds): time.sleep(1) print(".", end="") sys.stdout.flush() print() def setup(iam_resource): """ Creates a new user with no permissions. Creates an access key pair for the user. Creates a role with a policy that lets the user assume the role. Creates a policy that allows listing Amazon S3 buckets. Attaches the policy to the role. Creates an inline policy for the user that lets the user assume the role. :param iam_resource: A Boto3 AWS Identity and Access Management (IAM) resource that has permissions to create users, roles, and policies in the account. :return: The newly created user, user key, and role. """ try: user = iam_resource.create_user(UserName=f"demo-user-{uuid4()}") print(f"Created user {user.name}.") except ClientError as error: print( f"Couldn't create a user for the demo. Here's why: " f"{error.response['Error']['Message']}" ) raise try: user_key = user.create_access_key_pair() print(f"Created access key pair for user.") except ClientError as error: print( f"Couldn't create access keys for user {user.name}. Here's why: " f"{error.response['Error']['Message']}" ) raise print(f"Wait for user to be ready.", end="") progress_bar(10) try: role = iam_resource.create_role( RoleName=f"demo-role-{uuid4()}", AssumeRolePolicyDocument=json.dumps( { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": user.arn}, "Action": "sts:AssumeRole", } ], } ), ) print(f"Created role {role.name}.") except ClientError as error: print( f"Couldn't create a role for the demo. Here's why: " f"{error.response['Error']['Message']}" ) raise try: policy = iam_resource.create_policy( PolicyName=f"demo-policy-{uuid4()}", PolicyDocument=json.dumps( { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*", } ], } ), ) role.attach_policy(PolicyArn=policy.arn) print(f"Created policy {policy.policy_name} and attached it to the role.") except ClientError as error: print( f"Couldn't create a policy and attach it to role {role.name}. Here's why: " f"{error.response['Error']['Message']}" ) raise try: user.create_policy( PolicyName=f"demo-user-policy-{uuid4()}", PolicyDocument=json.dumps( { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role.arn, } ], } ), ) print( f"Created an inline policy for {user.name} that lets the user assume " f"the role." ) except ClientError as error: print( f"Couldn't create an inline policy for user {user.name}. Here's why: " f"{error.response['Error']['Message']}" ) raise print("Give AWS time to propagate these new resources and connections.", end="") progress_bar(10) return user, user_key, role def show_access_denied_without_role(user_key): """ Shows that listing buckets without first assuming the role is not allowed. :param user_key: The key of the user created during setup. This user does not have permission to list buckets in the account. """ print(f"Try to list buckets without first assuming the role.") s3_denied_resource = boto3.resource( "s3", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret ) try: for bucket in s3_denied_resource.buckets.all(): print(bucket.name) raise RuntimeError("Expected to get AccessDenied error when listing buckets!") except ClientError as error: if error.response["Error"]["Code"] == "AccessDenied": print("Attempt to list buckets with no permissions: AccessDenied.") else: raise def list_buckets_from_assumed_role(user_key, assume_role_arn, session_name): """ Assumes a role that grants permission to list the Amazon S3 buckets in the account. Uses the temporary credentials from the role to list the buckets that are owned by the assumed role's account. :param user_key: The access key of a user that has permission to assume the role. :param assume_role_arn: The Amazon Resource Name (ARN) of the role that grants access to list the other account's buckets. :param session_name: The name of the STS session. """ sts_client = boto3.client( "sts", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret ) try: response = sts_client.assume_role( RoleArn=assume_role_arn, RoleSessionName=session_name ) temp_credentials = response["Credentials"] print(f"Assumed role {assume_role_arn} and got temporary credentials.") except ClientError as error: print( f"Couldn't assume role {assume_role_arn}. Here's why: " f"{error.response['Error']['Message']}" ) raise # Create an S3 resource that can access the account with the temporary credentials. s3_resource = boto3.resource( "s3", aws_access_key_id=temp_credentials["AccessKeyId"], aws_secret_access_key=temp_credentials["SecretAccessKey"], aws_session_token=temp_credentials["SessionToken"], ) print(f"Listing buckets for the assumed role's account:") try: for bucket in s3_resource.buckets.all(): print(bucket.name) except ClientError as error: print( f"Couldn't list buckets for the account. Here's why: " f"{error.response['Error']['Message']}" ) raise def teardown(user, role): """ Removes all resources created during setup. :param user: The demo user. :param role: The demo role. """ try: for attached in role.attached_policies.all(): policy_name = attached.policy_name role.detach_policy(PolicyArn=attached.arn) attached.delete() print(f"Detached and deleted {policy_name}.") role.delete() print(f"Deleted {role.name}.") except ClientError as error: print( "Couldn't detach policy, delete policy, or delete role. Here's why: " f"{error.response['Error']['Message']}" ) raise try: for user_pol in user.policies.all(): user_pol.delete() print("Deleted inline user policy.") for key in user.access_keys.all(): key.delete() print("Deleted user's access key.") user.delete() print(f"Deleted {user.name}.") except ClientError as error: print( "Couldn't delete user policy or delete user. Here's why: " f"{error.response['Error']['Message']}" ) def usage_demo(): """Drives the demonstration.""" print("-" * 88) print(f"Welcome to the IAM create user and assume role demo.") print("-" * 88) iam_resource = boto3.resource("iam") user = None role = None try: user, user_key, role = setup(iam_resource) print(f"Created {user.name} and {role.name}.") show_access_denied_without_role(user_key) list_buckets_from_assumed_role(user_key, role.arn, "AssumeRoleDemoSession") except Exception: print("Something went wrong!") finally: if user is not None and role is not None: teardown(user, role) print("Thanks for watching!") if __name__ == "__main__": usage_demo() ``` + 有关 API 详细信息，请参阅《AWS SDK for Python (Boto3) API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachRolePolicy) + [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey) + [CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateRole) + [CreateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateUser) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey) + [DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteRole) + [DeleteUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUser) + [DeleteUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUserPolicy) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachRolePolicy) + [PutUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/PutUserPolicy) ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建 IAM 用户和授予列出 Amazon S3 存储桶的权限的角色。用户仅具有代入该角色的权限。代入该角色后，使用临时凭证列出该账户的存储桶。 ``` # Wraps the scenario actions. class ScenarioCreateUserAssumeRole attr_reader :iam_client # @param [Aws::IAM::Client] iam_client: The AWS IAM client. def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger end # Waits for the specified number of seconds. # # @param duration [Integer] The number of seconds to wait. def wait(duration) puts('Give AWS time to propagate resources...') sleep(duration) end # Creates a user. # # @param user_name [String] The name to give the user. # @return [Aws::IAM::User] The newly created user. def create_user(user_name) user = @iam_client.create_user(user_name: user_name).user @logger.info("Created demo user named #{user.user_name}.") rescue Aws::Errors::ServiceError => e @logger.info('Tried and failed to create demo user.') @logger.info("\t#{e.code}: #{e.message}") @logger.info("\nCan't continue the demo without a user!") raise else user end # Creates an access key for a user. # # @param user [Aws::IAM::User] The user that owns the key. # @return [Aws::IAM::AccessKeyPair] The newly created access key. def create_access_key_pair(user) user_key = @iam_client.create_access_key(user_name: user.user_name).access_key @logger.info("Created accesskey pair for user #{user.user_name}.") rescue Aws::Errors::ServiceError => e @logger.info("Couldn't create access keys for user #{user.user_name}.") @logger.info("\t#{e.code}: #{e.message}") raise else user_key end # Creates a role that can be assumed by a user. # # @param role_name [String] The name to give the role. # @param user [Aws::IAM::User] The user who is granted permission to assume the role. # @return [Aws::IAM::Role] The newly created role. def create_role(role_name, user) trust_policy = { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Principal: { 'AWS': user.arn }, Action: 'sts:AssumeRole' }] }.to_json role = @iam_client.create_role( role_name: role_name, assume_role_policy_document: trust_policy ).role @logger.info("Created role #{role.role_name}.") rescue Aws::Errors::ServiceError => e @logger.info("Couldn't create a role for the demo. Here's why: ") @logger.info("\t#{e.code}: #{e.message}") raise else role end # Creates a policy that grants permission to list S3 buckets in the account, and # then attaches the policy to a role. # # @param policy_name [String] The name to give the policy. # @param role [Aws::IAM::Role] The role that the policy is attached to. # @return [Aws::IAM::Policy] The newly created policy. def create_and_attach_role_policy(policy_name, role) policy_document = { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 's3:ListAllMyBuckets', Resource: 'arn:aws:s3:::*' }] }.to_json policy = @iam_client.create_policy( policy_name: policy_name, policy_document: policy_document ).policy @iam_client.attach_role_policy( role_name: role.role_name, policy_arn: policy.arn ) @logger.info("Created policy #{policy.policy_name} and attached it to role #{role.role_name}.") rescue Aws::Errors::ServiceError => e @logger.info("Couldn't create a policy and attach it to role #{role.role_name}. Here's why: ") @logger.info("\t#{e.code}: #{e.message}") raise end # Creates an inline policy for a user that lets the user assume a role. # # @param policy_name [String] The name to give the policy. # @param user [Aws::IAM::User] The user that owns the policy. # @param role [Aws::IAM::Role] The role that can be assumed. # @return [Aws::IAM::UserPolicy] The newly created policy. def create_user_policy(policy_name, user, role) policy_document = { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: role.arn }] }.to_json @iam_client.put_user_policy( user_name: user.user_name, policy_name: policy_name, policy_document: policy_document ) puts("Created an inline policy for #{user.user_name} that lets the user assume role #{role.role_name}.") rescue Aws::Errors::ServiceError => e @logger.info("Couldn't create an inline policy for user #{user.user_name}. Here's why: ") @logger.info("\t#{e.code}: #{e.message}") raise end # Creates an Amazon S3 resource with specified credentials. This is separated into a # factory function so that it can be mocked for unit testing. # # @param credentials [Aws::Credentials] The credentials used by the Amazon S3 resource. def create_s3_resource(credentials) Aws::S3::Resource.new(client: Aws::S3::Client.new(credentials: credentials)) end # Lists the S3 buckets for the account, using the specified Amazon S3 resource. # Because the resource uses credentials with limited access, it may not be able to # list the S3 buckets. # # @param s3_resource [Aws::S3::Resource] An Amazon S3 resource. def list_buckets(s3_resource) count = 10 s3_resource.buckets.each do |bucket| @logger.info "\t#{bucket.name}" count -= 1 break if count.zero? end rescue Aws::Errors::ServiceError => e if e.code == 'AccessDenied' puts('Attempt to list buckets with no permissions: AccessDenied.') else @logger.info("Couldn't list buckets for the account. Here's why: ") @logger.info("\t#{e.code}: #{e.message}") raise end end # Creates an AWS Security Token Service (AWS STS) client with specified credentials. # This is separated into a factory function so that it can be mocked for unit testing. # # @param key_id [String] The ID of the access key used by the STS client. # @param key_secret [String] The secret part of the access key used by the STS client. def create_sts_client(key_id, key_secret) Aws::STS::Client.new(access_key_id: key_id, secret_access_key: key_secret) end # Gets temporary credentials that can be used to assume a role. # # @param role_arn [String] The ARN of the role that is assumed when these credentials # are used. # @param sts_client [AWS::STS::Client] An AWS STS client. # @return [Aws::AssumeRoleCredentials] The credentials that can be used to assume the role. def assume_role(role_arn, sts_client) credentials = Aws::AssumeRoleCredentials.new( client: sts_client, role_arn: role_arn, role_session_name: 'create-use-assume-role-scenario' ) @logger.info("Assumed role '#{role_arn}', got temporary credentials.") credentials end # Deletes a role. If the role has policies attached, they are detached and # deleted before the role is deleted. # # @param role_name [String] The name of the role to delete. def delete_role(role_name) @iam_client.list_attached_role_policies(role_name: role_name).attached_policies.each do |policy| @iam_client.detach_role_policy(role_name: role_name, policy_arn: policy.policy_arn) @iam_client.delete_policy(policy_arn: policy.policy_arn) @logger.info("Detached and deleted policy #{policy.policy_name}.") end @iam_client.delete_role({ role_name: role_name }) @logger.info("Role deleted: #{role_name}.") rescue Aws::Errors::ServiceError => e @logger.info("Couldn't detach policies and delete role #{role.name}. Here's why:") @logger.info("\t#{e.code}: #{e.message}") raise end # Deletes a user. If the user has inline policies or access keys, they are deleted # before the user is deleted. # # @param user [Aws::IAM::User] The user to delete. def delete_user(user_name) user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata user.each do |key| @iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name }) @logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.") end @iam_client.delete_user(user_name: user_name) @logger.info("Deleted user '#{user_name}'.") rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting user '#{user_name}': #{e.message}") end end # Runs the IAM create a user and assume a role scenario. def run_scenario(scenario) puts('-' * 88) puts('Welcome to the IAM create a user and assume a role demo!') puts('-' * 88) user = scenario.create_user("doc-example-user-#{Random.uuid}") user_key = scenario.create_access_key_pair(user) scenario.wait(10) role = scenario.create_role("doc-example-role-#{Random.uuid}", user) scenario.create_and_attach_role_policy("doc-example-role-policy-#{Random.uuid}", role) scenario.create_user_policy("doc-example-user-policy-#{Random.uuid}", user, role) scenario.wait(10) puts('Try to list buckets with credentials for a user who has no permissions.') puts('Expect AccessDenied from this call.') scenario.list_buckets( scenario.create_s3_resource(Aws::Credentials.new(user_key.access_key_id, user_key.secret_access_key)) ) puts('Now, assume the role that grants permission.') temp_credentials = scenario.assume_role( role.arn, scenario.create_sts_client(user_key.access_key_id, user_key.secret_access_key) ) puts('Here are your buckets:') scenario.list_buckets(scenario.create_s3_resource(temp_credentials)) puts("Deleting role '#{role.role_name}' and attached policies.") scenario.delete_role(role.role_name) puts("Deleting user '#{user.user_name}', policies, and keys.") scenario.delete_user(user.user_name) puts('Thanks for watching!') puts('-' * 88) rescue Aws::Errors::ServiceError => e puts('Something went wrong with the demo.') puts("\t#{e.code}: #{e.message}") end run_scenario(ScenarioCreateUserAssumeRole.new(Aws::IAM::Client.new)) if $PROGRAM_NAME == __FILE__ ``` + 有关 API 详细信息，请参阅《适用于 Ruby 的 AWS SDK API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachRolePolicy) + [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccessKey) + [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateRole) + [CreateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateUser) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccessKey) + [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteRole) + [DeleteUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUser) + [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUserPolicy) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachRolePolicy) + [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/PutUserPolicy) ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` use aws_config::meta::region::RegionProviderChain; use aws_sdk_iam::Error as iamError; use aws_sdk_iam::{config::Credentials as iamCredentials, config::Region, Client as iamClient}; use aws_sdk_s3::Client as s3Client; use aws_sdk_sts::Client as stsClient; use tokio::time::{sleep, Duration}; use uuid::Uuid; #[tokio::main] async fn main() -> Result<(), iamError> { let (client, uuid, list_all_buckets_policy_document, inline_policy_document) = initialize_variables().await; if let Err(e) = run_iam_operations( client, uuid, list_all_buckets_policy_document, inline_policy_document, ) .await { println!("{:?}", e); }; Ok(()) } async fn initialize_variables() -> (iamClient, String, String, String) { let region_provider = RegionProviderChain::first_try(Region::new("us-west-2")); let shared_config = aws_config::from_env().region(region_provider).load().await; let client = iamClient::new(&shared_config); let uuid = Uuid::new_v4().to_string(); let list_all_buckets_policy_document = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}] }" .to_string(); let inline_policy_document = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"sts:AssumeRole\", \"Resource\": \"{}\"}] }" .to_string(); ( client, uuid, list_all_buckets_policy_document, inline_policy_document, ) } async fn run_iam_operations( client: iamClient, uuid: String, list_all_buckets_policy_document: String, inline_policy_document: String, ) -> Result<(), iamError> { let user = iam_service::create_user(&client, &format!("{}{}", "iam_demo_user_", uuid)).await?; println!("Created the user with the name: {}", user.user_name()); let key = iam_service::create_access_key(&client, user.user_name()).await?; let assume_role_policy_document = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"{}\"}, \"Action\": \"sts:AssumeRole\" }] }" .to_string() .replace("{}", user.arn()); let assume_role_role = iam_service::create_role( &client, &format!("{}{}", "iam_demo_role_", uuid), &assume_role_policy_document, ) .await?; println!("Created the role with the ARN: {}", assume_role_role.arn()); let list_all_buckets_policy = iam_service::create_policy( &client, &format!("{}{}", "iam_demo_policy_", uuid), &list_all_buckets_policy_document, ) .await?; println!( "Created policy: {}", list_all_buckets_policy.policy_name.as_ref().unwrap() ); let attach_role_policy_result = iam_service::attach_role_policy(&client, &assume_role_role, &list_all_buckets_policy) .await?; println!( "Attached the policy to the role: {:?}", attach_role_policy_result ); let inline_policy_name = format!("{}{}", "iam_demo_inline_policy_", uuid); let inline_policy_document = inline_policy_document.replace("{}", assume_role_role.arn()); iam_service::create_user_policy(&client, &user, &inline_policy_name, &inline_policy_document) .await?; println!("Created inline policy."); //First, fail to list the buckets with the user. let creds = iamCredentials::from_keys(key.access_key_id(), key.secret_access_key(), None); let fail_config = aws_config::from_env() .credentials_provider(creds.clone()) .load() .await; println!("Fail config: {:?}", fail_config); let fail_client: s3Client = s3Client::new(&fail_config); match fail_client.list_buckets().send().await { Ok(e) => { println!("This should not run. {:?}", e); } Err(e) => { println!("Successfully failed with error: {:?}", e) } } let sts_config = aws_config::from_env() .credentials_provider(creds.clone()) .load() .await; let sts_client: stsClient = stsClient::new(&sts_config); sleep(Duration::from_secs(10)).await; let assumed_role = sts_client .assume_role() .role_arn(assume_role_role.arn()) .role_session_name(format!("iam_demo_assumerole_session_{uuid}")) .send() .await; println!("Assumed role: {:?}", assumed_role); sleep(Duration::from_secs(10)).await; let assumed_credentials = iamCredentials::from_keys( assumed_role .as_ref() .unwrap() .credentials .as_ref() .unwrap() .access_key_id(), assumed_role .as_ref() .unwrap() .credentials .as_ref() .unwrap() .secret_access_key(), Some( assumed_role .as_ref() .unwrap() .credentials .as_ref() .unwrap() .session_token .clone(), ), ); let succeed_config = aws_config::from_env() .credentials_provider(assumed_credentials) .load() .await; println!("succeed config: {:?}", succeed_config); let succeed_client: s3Client = s3Client::new(&succeed_config); sleep(Duration::from_secs(10)).await; match succeed_client.list_buckets().send().await { Ok(_) => { println!("This should now run successfully.") } Err(e) => { println!("This should not run. {:?}", e); panic!() } } //Clean up. iam_service::detach_role_policy( &client, assume_role_role.role_name(), list_all_buckets_policy.arn().unwrap_or_default(), ) .await?; iam_service::delete_policy(&client, list_all_buckets_policy).await?; iam_service::delete_role(&client, &assume_role_role).await?; println!("Deleted role {}", assume_role_role.role_name()); iam_service::delete_access_key(&client, &user, &key).await?; println!("Deleted key for {}", key.user_name()); iam_service::delete_user_policy(&client, &user, &inline_policy_name).await?; println!("Deleted inline user policy: {}", inline_policy_name); iam_service::delete_user(&client, &user).await?; println!("Deleted user {}", user.user_name()); Ok(()) } ``` + 有关 API 详细信息，请参阅《AWS SDK for Rust API Reference》**中的以下主题。 + [AttachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_role_policy) + [CreateAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_access_key) + [CreatePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_policy) + [CreateRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_role) + [CreateUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_user) + [DeleteAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_access_key) + [DeletePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_policy) + [DeleteRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_role) + [DeleteUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user) + [DeleteUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user_policy) + [DetachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_role_policy) + [PutUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.put_user_policy) ------ # 用于 IAM 的操作 AWS SDKs 以下代码示例演示了如何使用执行单个 IAM 操作 AWS SDKs。每个示例都包含一个指向的链接 GitHub，您可以在其中找到有关设置和运行代码的说明。这些代码节选调用了 IAM API，是必须在上下文中运行的大型程序的代码节选。您可以在[IAM 使用的场景 AWS SDKs](iam_code_examples_scenarios.md)中结合上下文查看操作。以下示例仅包括最常用的操作。有关完整列表，请参阅 [AWS Identity and Access Management API 参考](https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html)。 **Topics** + [`AddClientIdToOpenIdConnectProvider`](iam_example_iam_AddClientIdToOpenIdConnectProvider_section.md) + [`AddRoleToInstanceProfile`](iam_example_iam_AddRoleToInstanceProfile_section.md) + [`AddUserToGroup`](iam_example_iam_AddUserToGroup_section.md) + [`AttachGroupPolicy`](iam_example_iam_AttachGroupPolicy_section.md) + [`AttachRolePolicy`](iam_example_iam_AttachRolePolicy_section.md) + [`AttachUserPolicy`](iam_example_iam_AttachUserPolicy_section.md) + [`ChangePassword`](iam_example_iam_ChangePassword_section.md) + [`CreateAccessKey`](iam_example_iam_CreateAccessKey_section.md) + [`CreateAccountAlias`](iam_example_iam_CreateAccountAlias_section.md) + [`CreateGroup`](iam_example_iam_CreateGroup_section.md) + [`CreateInstanceProfile`](iam_example_iam_CreateInstanceProfile_section.md) + [`CreateLoginProfile`](iam_example_iam_CreateLoginProfile_section.md) + [`CreateOpenIdConnectProvider`](iam_example_iam_CreateOpenIdConnectProvider_section.md) + [`CreatePolicy`](iam_example_iam_CreatePolicy_section.md) + [`CreatePolicyVersion`](iam_example_iam_CreatePolicyVersion_section.md) + [`CreateRole`](iam_example_iam_CreateRole_section.md) + [`CreateSAMLProvider`](iam_example_iam_CreateSAMLProvider_section.md) + [`CreateServiceLinkedRole`](iam_example_iam_CreateServiceLinkedRole_section.md) + [`CreateUser`](iam_example_iam_CreateUser_section.md) + [`CreateVirtualMfaDevice`](iam_example_iam_CreateVirtualMfaDevice_section.md) + [`DeactivateMfaDevice`](iam_example_iam_DeactivateMfaDevice_section.md) + [`DeleteAccessKey`](iam_example_iam_DeleteAccessKey_section.md) + [`DeleteAccountAlias`](iam_example_iam_DeleteAccountAlias_section.md) + [`DeleteAccountPasswordPolicy`](iam_example_iam_DeleteAccountPasswordPolicy_section.md) + [`DeleteGroup`](iam_example_iam_DeleteGroup_section.md) + [`DeleteGroupPolicy`](iam_example_iam_DeleteGroupPolicy_section.md) + [`DeleteInstanceProfile`](iam_example_iam_DeleteInstanceProfile_section.md) + [`DeleteLoginProfile`](iam_example_iam_DeleteLoginProfile_section.md) + [`DeleteOpenIdConnectProvider`](iam_example_iam_DeleteOpenIdConnectProvider_section.md) + [`DeletePolicy`](iam_example_iam_DeletePolicy_section.md) + [`DeletePolicyVersion`](iam_example_iam_DeletePolicyVersion_section.md) + [`DeleteRole`](iam_example_iam_DeleteRole_section.md) + [`DeleteRolePermissionsBoundary`](iam_example_iam_DeleteRolePermissionsBoundary_section.md) + [`DeleteRolePolicy`](iam_example_iam_DeleteRolePolicy_section.md) + [`DeleteSAMLProvider`](iam_example_iam_DeleteSAMLProvider_section.md) + [`DeleteServerCertificate`](iam_example_iam_DeleteServerCertificate_section.md) + [`DeleteServiceLinkedRole`](iam_example_iam_DeleteServiceLinkedRole_section.md) + [`DeleteSigningCertificate`](iam_example_iam_DeleteSigningCertificate_section.md) + [`DeleteUser`](iam_example_iam_DeleteUser_section.md) + [`DeleteUserPermissionsBoundary`](iam_example_iam_DeleteUserPermissionsBoundary_section.md) + [`DeleteUserPolicy`](iam_example_iam_DeleteUserPolicy_section.md) + [`DeleteVirtualMfaDevice`](iam_example_iam_DeleteVirtualMfaDevice_section.md) + [`DetachGroupPolicy`](iam_example_iam_DetachGroupPolicy_section.md) + [`DetachRolePolicy`](iam_example_iam_DetachRolePolicy_section.md) + [`DetachUserPolicy`](iam_example_iam_DetachUserPolicy_section.md) + [`EnableMfaDevice`](iam_example_iam_EnableMfaDevice_section.md) + [`GenerateCredentialReport`](iam_example_iam_GenerateCredentialReport_section.md) + [`GenerateServiceLastAccessedDetails`](iam_example_iam_GenerateServiceLastAccessedDetails_section.md) + [`GetAccessKeyLastUsed`](iam_example_iam_GetAccessKeyLastUsed_section.md) + [`GetAccountAuthorizationDetails`](iam_example_iam_GetAccountAuthorizationDetails_section.md) + [`GetAccountPasswordPolicy`](iam_example_iam_GetAccountPasswordPolicy_section.md) + [`GetAccountSummary`](iam_example_iam_GetAccountSummary_section.md) + [`GetContextKeysForCustomPolicy`](iam_example_iam_GetContextKeysForCustomPolicy_section.md) + [`GetContextKeysForPrincipalPolicy`](iam_example_iam_GetContextKeysForPrincipalPolicy_section.md) + [`GetCredentialReport`](iam_example_iam_GetCredentialReport_section.md) + [`GetGroup`](iam_example_iam_GetGroup_section.md) + [`GetGroupPolicy`](iam_example_iam_GetGroupPolicy_section.md) + [`GetInstanceProfile`](iam_example_iam_GetInstanceProfile_section.md) + [`GetLoginProfile`](iam_example_iam_GetLoginProfile_section.md) + [`GetOpenIdConnectProvider`](iam_example_iam_GetOpenIdConnectProvider_section.md) + [`GetPolicy`](iam_example_iam_GetPolicy_section.md) + [`GetPolicyVersion`](iam_example_iam_GetPolicyVersion_section.md) + [`GetRole`](iam_example_iam_GetRole_section.md) + [`GetRolePolicy`](iam_example_iam_GetRolePolicy_section.md) + [`GetSamlProvider`](iam_example_iam_GetSamlProvider_section.md) + [`GetServerCertificate`](iam_example_iam_GetServerCertificate_section.md) + [`GetServiceLastAccessedDetails`](iam_example_iam_GetServiceLastAccessedDetails_section.md) + [`GetServiceLastAccessedDetailsWithEntities`](iam_example_iam_GetServiceLastAccessedDetailsWithEntities_section.md) + [`GetServiceLinkedRoleDeletionStatus`](iam_example_iam_GetServiceLinkedRoleDeletionStatus_section.md) + [`GetUser`](iam_example_iam_GetUser_section.md) + [`GetUserPolicy`](iam_example_iam_GetUserPolicy_section.md) + [`ListAccessKeys`](iam_example_iam_ListAccessKeys_section.md) + [`ListAccountAliases`](iam_example_iam_ListAccountAliases_section.md) + [`ListAttachedGroupPolicies`](iam_example_iam_ListAttachedGroupPolicies_section.md) + [`ListAttachedRolePolicies`](iam_example_iam_ListAttachedRolePolicies_section.md) + [`ListAttachedUserPolicies`](iam_example_iam_ListAttachedUserPolicies_section.md) + [`ListEntitiesForPolicy`](iam_example_iam_ListEntitiesForPolicy_section.md) + [`ListGroupPolicies`](iam_example_iam_ListGroupPolicies_section.md) + [`ListGroups`](iam_example_iam_ListGroups_section.md) + [`ListGroupsForUser`](iam_example_iam_ListGroupsForUser_section.md) + [`ListInstanceProfiles`](iam_example_iam_ListInstanceProfiles_section.md) + [`ListInstanceProfilesForRole`](iam_example_iam_ListInstanceProfilesForRole_section.md) + [`ListMfaDevices`](iam_example_iam_ListMfaDevices_section.md) + [`ListOpenIdConnectProviders`](iam_example_iam_ListOpenIdConnectProviders_section.md) + [`ListPolicies`](iam_example_iam_ListPolicies_section.md) + [`ListPolicyVersions`](iam_example_iam_ListPolicyVersions_section.md) + [`ListRolePolicies`](iam_example_iam_ListRolePolicies_section.md) + [`ListRoleTags`](iam_example_iam_ListRoleTags_section.md) + [`ListRoles`](iam_example_iam_ListRoles_section.md) + [`ListSAMLProviders`](iam_example_iam_ListSAMLProviders_section.md) + [`ListServerCertificates`](iam_example_iam_ListServerCertificates_section.md) + [`ListSigningCertificates`](iam_example_iam_ListSigningCertificates_section.md) + [`ListUserPolicies`](iam_example_iam_ListUserPolicies_section.md) + [`ListUserTags`](iam_example_iam_ListUserTags_section.md) + [`ListUsers`](iam_example_iam_ListUsers_section.md) + [`ListVirtualMfaDevices`](iam_example_iam_ListVirtualMfaDevices_section.md) + [`PutGroupPolicy`](iam_example_iam_PutGroupPolicy_section.md) + [`PutRolePermissionsBoundary`](iam_example_iam_PutRolePermissionsBoundary_section.md) + [`PutRolePolicy`](iam_example_iam_PutRolePolicy_section.md) + [`PutUserPermissionsBoundary`](iam_example_iam_PutUserPermissionsBoundary_section.md) + [`PutUserPolicy`](iam_example_iam_PutUserPolicy_section.md) + [`RemoveClientIdFromOpenIdConnectProvider`](iam_example_iam_RemoveClientIdFromOpenIdConnectProvider_section.md) + [`RemoveRoleFromInstanceProfile`](iam_example_iam_RemoveRoleFromInstanceProfile_section.md) + [`RemoveUserFromGroup`](iam_example_iam_RemoveUserFromGroup_section.md) + [`ResyncMfaDevice`](iam_example_iam_ResyncMfaDevice_section.md) + [`SetDefaultPolicyVersion`](iam_example_iam_SetDefaultPolicyVersion_section.md) + [`TagRole`](iam_example_iam_TagRole_section.md) + [`TagUser`](iam_example_iam_TagUser_section.md) + [`UntagRole`](iam_example_iam_UntagRole_section.md) + [`UntagUser`](iam_example_iam_UntagUser_section.md) + [`UpdateAccessKey`](iam_example_iam_UpdateAccessKey_section.md) + [`UpdateAccountPasswordPolicy`](iam_example_iam_UpdateAccountPasswordPolicy_section.md) + [`UpdateAssumeRolePolicy`](iam_example_iam_UpdateAssumeRolePolicy_section.md) + [`UpdateGroup`](iam_example_iam_UpdateGroup_section.md) + [`UpdateLoginProfile`](iam_example_iam_UpdateLoginProfile_section.md) + [`UpdateOpenIdConnectProviderThumbprint`](iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md) + [`UpdateRole`](iam_example_iam_UpdateRole_section.md) + [`UpdateRoleDescription`](iam_example_iam_UpdateRoleDescription_section.md) + [`UpdateSamlProvider`](iam_example_iam_UpdateSamlProvider_section.md) + [`UpdateServerCertificate`](iam_example_iam_UpdateServerCertificate_section.md) + [`UpdateSigningCertificate`](iam_example_iam_UpdateSigningCertificate_section.md) + [`UpdateUser`](iam_example_iam_UpdateUser_section.md) + [`UploadServerCertificate`](iam_example_iam_UploadServerCertificate_section.md) + [`UploadSigningCertificate`](iam_example_iam_UploadSigningCertificate_section.md) # 将 `AddClientIdToOpenIdConnectProvider` 与 CLI 配合使用以下代码示例演示如何使用 `AddClientIdToOpenIdConnectProvider`。 ------ #### [ CLI ] **AWS CLI** **将客户端 ID（受众）添加到 Open-ID Connect（OIDC）提供者** 以下 `add-client-id-to-open-id-connect-provider` 命令将客户端 ID `my-application-ID` 添加到名为 `server.example.com` 的 OIDC 提供者。 ``` aws iam add-client-id-to-open-id-connect-provider \ --client-id my-application-ID \ --open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/server.example.com ``` 此命令不生成任何输出。要创建 OIDC 提供者，请使用 `create-open-id-connect-provider` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 OpenID Connect（OIDC）身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[AddClientIdToOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/add-client-id-to-open-id-connect-provider.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令将客户端 ID（或受众）`my-application-ID` 添加到名为 `server.example.com` 的现有 OIDC 提供者。** ``` Add-IAMClientIDToOpenIDConnectProvider -ClientID "my-application-ID" -OpenIDConnectProviderARN "arn:aws:iam::123456789012:oidc-provider/server.example.com" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AddClientIdToOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令将客户端 ID（或受众）`my-application-ID` 添加到名为 `server.example.com` 的现有 OIDC 提供者。** ``` Add-IAMClientIDToOpenIDConnectProvider -ClientID "my-application-ID" -OpenIDConnectProviderARN "arn:aws:iam::123456789012:oidc-provider/server.example.com" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AddClientIdToOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `AddRoleToInstanceProfile` 与 CLI 配合使用以下代码示例演示如何使用 `AddRoleToInstanceProfile`。 ------ #### [ CLI ] **AWS CLI** **为实例配置文件添加角色** 以下 `add-role-to-instance-profile` 命令可将名为 `S3Access` 的角色添加到名为 `Webserver` 的实例配置文件。 ``` aws iam add-role-to-instance-profile \ --role-name S3Access \ --instance-profile-name Webserver ``` 此命令不生成任何输出。要创建实例配置文件，请使用 `create-instance-profile` 命令。有关更多信息，请参阅《IAM 用户指南》*AWS *中的[使用 IAM 角色为 Amazon EC2 实例上运行的应用程序授予权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[AddRoleToInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/add-role-to-instance-profile.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令将名为 `S3Access` 的角色添加到名为 `webserver` 的现有实例配置文件中。要创建实例配置文件，请使用 `New-IAMInstanceProfile` 命令。使用此命令创建实例配置文件并将其与角色关联后，您可以将其附加到 EC2 实例。为此，请使用带有 `InstanceProfile_Arn` 或 `InstanceProfile-Name` 参数的 `New-EC2Instance` cmdlet 来启动新实例。** ``` Add-IAMRoleToInstanceProfile -RoleName "S3Access" -InstanceProfileName "webserver" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AddRoleToInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令将名为 `S3Access` 的角色添加到名为 `webserver` 的现有实例配置文件中。要创建实例配置文件，请使用 `New-IAMInstanceProfile` 命令。使用此命令创建实例配置文件并将其与角色关联后，您可以将其附加到 EC2 实例。为此，请使用带有 `InstanceProfile_Arn` 或 `InstanceProfile-Name` 参数的 `New-EC2Instance` cmdlet 来启动新实例。** ``` Add-IAMRoleToInstanceProfile -RoleName "S3Access" -InstanceProfileName "webserver" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AddRoleToInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `AddUserToGroup` 与 CLI 配合使用以下代码示例演示如何使用 `AddUserToGroup`。 ------ #### [ CLI ] **AWS CLI** **将用户添加到 IAM 组** 以下 `add-user-to-group` 命令可将名为 `Bob` 的 IAM 用户添加到名为 `Admins` 的 IAM 组。 ``` aws iam add-user-to-group \ --user-name Bob \ --group-name Admins ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 IAM 用户组中添加和删除用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[AddUserToGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/add-user-to-group.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令将名为 `Bob` 的用户添加到名为 `Admins` 的组中。** ``` Add-IAMUserToGroup -UserName "Bob" -GroupName "Admins" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AddUserToGroup](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令将名为 `Bob` 的用户添加到名为 `Admins` 的组中。** ``` Add-IAMUserToGroup -UserName "Bob" -GroupName "Admins" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AddUserToGroup](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `AttachGroupPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `AttachGroupPolicy`。 ------ #### [ CLI ] **AWS CLI** **将托管策略附加到 IAM 组** 以下`attach-group-policy`命令将名为的 AWS 托管策略附加`ReadOnlyAccess`到名为的 IAM 组`Finance`。 ``` aws iam attach-group-policy \ --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \ --group-name Finance ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[托管策略和内联策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[AttachGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-group-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将名为 `TesterPolicy` 的客户管理型策略附加到 IAM 组 `Testers`。该组中的用户会立即受到该策略默认版本中所定义权限的影响。** ``` Register-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy ``` **示例 2：此示例将名为的 AWS 托管策略附加`AdministratorAccess`到 IAM 组`Admins`。该组中的用户会立即受到该策略最新版本中所定义权限的影响。** ``` Register-IAMGroupPolicy -GroupName Admins -PolicyArn arn:aws:iam::aws:policy/AdministratorAccess ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AttachGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将名为 `TesterPolicy` 的客户管理型策略附加到 IAM 组 `Testers`。该组中的用户会立即受到该策略默认版本中所定义权限的影响。** ``` Register-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy ``` **示例 2：此示例将名为的 AWS 托管策略附加`AdministratorAccess`到 IAM 组`Admins`。该组中的用户会立即受到该策略最新版本中所定义权限的影响。** ``` Register-IAMGroupPolicy -GroupName Admins -PolicyArn arn:aws:iam::aws:policy/AdministratorAccess ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AttachGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `AttachRolePolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `AttachRolePolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [管理角色](iam_example_iam_Scenario_RoleManagement_section.md) + [使用直播和 Time-to-Live](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Attach an IAM policy to a role. ///

/// The policy to attach. /// The role that the policy will be attached to. /// A Boolean value indicating the success of the action. public async Task AttachRolePolicyAsync(string policyArn, string roleName) { var response = await _IAMService.AttachRolePolicyAsync(new AttachRolePolicyRequest { PolicyArn = policyArn, RoleName = roleName, }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[AttachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/AttachRolePolicy)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_attach_role_policy # # This function attaches an IAM policy to a tole. # # Parameters: # -n role_name -- The name of the IAM role. # -p policy_ARN -- The IAM policy document ARN.. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_attach_role_policy() { local role_name policy_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_attach_role_policy" echo "Attaches an AWS Identity and Access Management (IAM) policy to an IAM role." echo " -n role_name The name of the IAM role." echo " -p policy_ARN -- The IAM policy document ARN." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; p) policy_arn="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi if [[ -z "$policy_arn" ]]; then errecho "ERROR: You must provide a policy ARN with the -p parameter." usage return 1 fi response=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "$policy_arn") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports attach-role-policy operation failed.\n$response" return 1 fi echo "$response" return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::attachRolePolicy(const Aws::String &roleName, const Aws::String &policyArn, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::ListAttachedRolePoliciesRequest list_request; list_request.SetRoleName(roleName); bool done = false; while (!done) { auto list_outcome = iam.ListAttachedRolePolicies(list_request); if (!list_outcome.IsSuccess()) { std::cerr << "Failed to list attached policies of role " << roleName << ": " << list_outcome.GetError().GetMessage() << std::endl; return false; } const auto &policies = list_outcome.GetResult().GetAttachedPolicies(); if (std::any_of(policies.cbegin(), policies.cend(), [=](const Aws::IAM::Model::AttachedPolicy &policy) { return policy.GetPolicyArn() == policyArn; })) { std::cout << "Policy " << policyArn << " is already attached to role " << roleName << std::endl; return true; } done = !list_outcome.GetResult().GetIsTruncated(); list_request.SetMarker(list_outcome.GetResult().GetMarker()); } Aws::IAM::Model::AttachRolePolicyRequest request; request.SetRoleName(roleName); request.SetPolicyArn(policyArn); Aws::IAM::Model::AttachRolePolicyOutcome outcome = iam.AttachRolePolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Failed to attach policy " << policyArn << " to role " << roleName << ": " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully attached policy " << policyArn << " to role " << roleName << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/AttachRolePolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **将托管策略附加到 IAM 角色** 以下`attach-role-policy`命令将名为的 AWS 托管策略附加`ReadOnlyAccess`到名为的 IAM 角色`ReadOnlyRole`。 ``` aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \ --role-name ReadOnlyRole ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[托管策略和内联策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[AttachRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // AttachRolePolicy attaches a policy to a role. func (wrapper RoleWrapper) AttachRolePolicy(ctx context.Context, policyArn string, roleName string) error { _, err := wrapper.IamClient.AttachRolePolicy(ctx, &iam.AttachRolePolicyInput{ PolicyArn: aws.String(policyArn), RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't attach policy %v to role %v. Here's why: %v\n", policyArn, roleName, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[AttachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.AttachRolePolicy)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.AttachedPolicy; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse; import java.util.List; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class AttachRolePolicy { public static void main(String[] args) { final String usage = """ Usage: \s Where: roleName - A role name that you can obtain from the AWS Management Console.\s policyArn - A policy ARN that you can obtain from the AWS Management Console.\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String roleName = args[0]; String policyArn = args[1]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); attachIAMRolePolicy(iam, roleName, policyArn); iam.close(); } public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) { try { ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder() .roleName(roleName) .build(); ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request); List attachedPolicies = response.attachedPolicies(); // Ensure that the policy is not attached to this role String polArn = ""; for (AttachedPolicy policy : attachedPolicies) { polArn = policy.policyArn(); if (polArn.compareTo(policyArn) == 0) { System.out.println(roleName + " policy is already attached to this role."); return; } } AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.attachRolePolicy(attachRequest); System.out.println("Successfully attached policy " + policyArn + " to role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done"); } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/AttachRolePolicy)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。附加策略。 ``` import { AttachRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} policyArn * @param {string} roleName */ export const attachRolePolicy = (policyArn, roleName) => { const command = new AttachRolePolicyCommand({ PolicyArn: policyArn, RoleName: roleName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-attaching-role-policy](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-attaching-role-policy)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[AttachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/AttachRolePolicyCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var paramsRoleList = { RoleName: process.argv[2], }; iam.listAttachedRolePolicies(paramsRoleList, function (err, data) { if (err) { console.log("Error", err); } else { var myRolePolicies = data.AttachedPolicies; myRolePolicies.forEach(function (val, index, array) { if (myRolePolicies[index].PolicyName === "AmazonDynamoDBFullAccess") { console.log( "AmazonDynamoDBFullAccess is already attached to this role." ); process.exit(); } }); var params = { PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess", RoleName: process.argv[2], }; iam.attachRolePolicy(params, function (err, data) { if (err) { console.log("Unable to attach policy to role", err); } else { console.log("Role attached successfully"); } }); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-attaching-role-policy](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-attaching-role-policy)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[AttachRolePolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/AttachRolePolicy)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun attachIAMRolePolicy( roleNameVal: String, policyArnVal: String, ) { val request = ListAttachedRolePoliciesRequest { roleName = roleNameVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.listAttachedRolePolicies(request) val attachedPolicies = response.attachedPolicies // Ensure that the policy is not attached to this role. val checkStatus: Int if (attachedPolicies != null) { checkStatus = checkList(attachedPolicies, policyArnVal) if (checkStatus == -1) { return } } val policyRequest = AttachRolePolicyRequest { roleName = roleNameVal policyArn = policyArnVal } iamClient.attachRolePolicy(policyRequest) println("Successfully attached policy $policyArnVal to role $roleNameVal") } } fun checkList( attachedPolicies: List, policyArnVal: String, ): Int { for (policy in attachedPolicies) { val polArn = policy.policyArn.toString() if (polArn.compareTo(policyArnVal) == 0) { println("The policy is already attached to this role.") return -1 } } return 0 } ``` + 有关 API 的详细信息，请参阅适用[AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); $assumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"{$user['Arn']}\"}, \"Action\": \"sts:AssumeRole\" }] }"; $assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument); echo "Created role: {$assumeRoleRole['RoleName']}\n"; $listAllBucketsPolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}] }"; $listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument); echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n"; $service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']); public function attachRolePolicy($roleName, $policyArn) { return $this->customWaiter(function () use ($roleName, $policyArn) { $this->iamClient->attachRolePolicy([ 'PolicyArn' => $policyArn, 'RoleName' => $roleName, ]); }); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/AttachRolePolicy)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将名为的 AWS 托管策略附加`SecurityAudit`到 IAM 角色`CoSecurityAuditors`。担任该角色的用户会立即受到该策略最新版本中所定义权限的影响。** ``` Register-IAMRolePolicy -RoleName CoSecurityAuditors -PolicyArn arn:aws:iam::aws:policy/SecurityAudit ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AttachRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将名为的 AWS 托管策略附加`SecurityAudit`到 IAM 角色`CoSecurityAuditors`。担任该角色的用户会立即受到该策略最新版本中所定义权限的影响。** ``` Register-IAMRolePolicy -RoleName CoSecurityAuditors -PolicyArn arn:aws:iam::aws:policy/SecurityAudit ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AttachRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。使用 Boto3 策略对象将策略附加到角色。 ``` def attach_to_role(role_name, policy_arn): """ Attaches a policy to a role. :param role_name: The name of the role. **Note** this is the name, not the ARN. :param policy_arn: The ARN of the policy. """ try: iam.Policy(policy_arn).attach_role(RoleName=role_name) logger.info("Attached policy %s to role %s.", policy_arn, role_name) except ClientError: logger.exception("Couldn't attach policy %s to role %s.", policy_arn, role_name) raise ``` 使用 Boto3 角色对象将策略附加到角色。 ``` def attach_policy(role_name, policy_arn): """ Attaches a policy to a role. :param role_name: The name of the role. **Note** this is the name, not the ARN. :param policy_arn: The ARN of the policy. """ try: iam.Role(role_name).attach_policy(PolicyArn=policy_arn) logger.info("Attached policy %s to role %s.", policy_arn, role_name) except ClientError: logger.exception("Couldn't attach policy %s to role %s.", policy_arn, role_name) raise ``` + 有关 API 的详细信息，请参阅适用[AttachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachRolePolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、附加和分离角色策略。 ``` # Manages policies in AWS Identity and Access Management (IAM) class RolePolicyManager # Initialize with an AWS IAM client # # @param iam_client [Aws::IAM::Client] An initialized IAM client def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'PolicyManager' end # Creates a policy # # @param policy_name [String] The name of the policy # @param policy_document [Hash] The policy document # @return [String] The policy ARN if successful, otherwise nil def create_policy(policy_name, policy_document) response = @iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) response.policy.arn rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating policy: #{e.message}") nil end # Fetches an IAM policy by its ARN # @param policy_arn [String] the ARN of the IAM policy to retrieve # @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found def get_policy(policy_arn) response = @iam_client.get_policy(policy_arn: policy_arn) policy = response.policy @logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.") policy rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.") raise rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}") raise end # Attaches a policy to a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def attach_policy_to_role(role_name, policy_arn) @iam_client.attach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error attaching policy to role: #{e.message}") false end # Lists policy ARNs attached to a role # # @param role_name [String] The name of the role # @return [Array] List of policy ARNs def list_attached_policy_arns(role_name) response = @iam_client.list_attached_role_policies(role_name: role_name) response.attached_policies.map(&:policy_arn) rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing policies attached to role: #{e.message}") [] end # Detaches a policy from a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def detach_policy_from_role(role_name, policy_arn) @iam_client.detach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error detaching policy from role: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachRolePolicy)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn attach_role_policy( client: &iamClient, role: &Role, policy: &Policy, ) -> Result> { client .attach_role_policy() .role_name(role.role_name()) .policy_arn(policy.arn().unwrap_or_default()) .send() .await } ``` + 有关 API 的详细信息，请参阅适用[AttachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_role_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->attachrolepolicy( iv_rolename = iv_role_name iv_policyarn = iv_policy_arn ). MESSAGE 'Policy attached to role successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Role or policy does not exist.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Policy attachment limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[AttachRolePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func attachRolePolicy(role: String, policyArn: String) async throws { let input = AttachRolePolicyInput( policyArn: policyArn, roleName: role ) do { _ = try await client.attachRolePolicy(input: input) } catch { print("ERROR: Attaching a role policy:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[AttachRolePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/attachrolepolicy(input:))*中。 ------ # `AttachUserPolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `AttachUserPolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) ------ #### [ CLI ] **AWS CLI** **将托管策略附加到 IAM 用户** 以下`attach-user-policy`命令将名为的 AWS 托管策略附加`AdministratorAccess`到名为的 IAM 用户`Alice`。 ``` aws iam attach-user-policy \ --policy-arn arn:aws:iam::aws:policy/AdministratorAccess \ --user-name Alice ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[托管策略和内联策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[AttachUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-user-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将名为的 AWS 托管策略附加`AmazonCognitoPowerUser`到 IAM 用户`Bob`。用户会立即受到该策略最新版本中所定义权限的影响。** ``` Register-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::aws:policy/AmazonCognitoPowerUser ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AttachUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将名为的 AWS 托管策略附加`AmazonCognitoPowerUser`到 IAM 用户`Bob`。用户会立即受到该策略最新版本中所定义权限的影响。** ``` Register-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::aws:policy/AmazonCognitoPowerUser ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AttachUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def attach_policy(user_name, policy_arn): """ Attaches a policy to a user. :param user_name: The name of the user. :param policy_arn: The Amazon Resource Name (ARN) of the policy. """ try: iam.User(user_name).attach_policy(PolicyArn=policy_arn) logger.info("Attached policy %s to user %s.", policy_arn, user_name) except ClientError: logger.exception("Couldn't attach policy %s to user %s.", policy_arn, user_name) raise ``` + 有关 API 的详细信息，请参阅适用[AttachUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachUserPolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Attaches a policy to a user # # @param user_name [String] The name of the user # @param policy_arn [String] The Amazon Resource Name (ARN) of the policy # @return [Boolean] true if successful, false otherwise def attach_policy_to_user(user_name, policy_arn) @iam_client.attach_user_policy( user_name: user_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error attaching policy to user: #{e.message}") false end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[AttachUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachUserPolicy)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn attach_user_policy( client: &iamClient, user_name: &str, policy_arn: &str, ) -> Result<(), iamError> { client .attach_user_policy() .user_name(user_name) .policy_arn(policy_arn) .send() .await?; Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[AttachUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_user_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->attachuserpolicy( iv_username = iv_user_name iv_policyarn = iv_policy_arn ). MESSAGE 'Policy attached to user successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'User or policy does not exist.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Policy attachment limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[AttachUserPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `ChangePassword` 与 CLI 配合使用以下代码示例演示如何使用 `ChangePassword`。 ------ #### [ CLI ] **AWS CLI** **更改 IAM 用户的密码** 要更改 IAM 用户的密码，建议使用 `--cli-input-json` 参数传递包含新旧密码的 JSON 文件。通过此方法，您可以使用含有非字母数字字符的强密码。将密码作为命令行参数传递时，可能难以使用含有非字母数字字符的密码。要使用 `--cli-input-json` 参数，请先使用带 `--generate-cli-skeleton` 参数的 `change-password` 命令，如以下示例所示。 ``` aws iam change-password \ --generate-cli-skeleton > change-password.json ``` 前述命令创建一个名为 change-password.json 的 JSON 文件，您可以用该文件来填写旧密码和新密码。例如，该文件可能如下所示。 ``` { "OldPassword": "3s0K_;xh4~8XXI", "NewPassword": "]35d/{pB9Fo9wJ" } ``` 接下来，要更改密码，请再次使用 `change-password` 命令，这次是传递 `--cli-input-json` 参数以指定您的 JSON 文件。以下 `change-password` 命令将 `--cli-input-json` 参数与名为 change-password.json 的 JSON 文件一起使用。 ``` aws iam change-password \ --cli-input-json file://change-password.json ``` 此命令不生成任何输出。此命令只能由 IAM 用户调用。如果使用 AWS 账户（根）凭据调用此命令，则该命令将返回`InvalidUserType`错误。有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 用户如何更改自己的密码](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_user-change-own.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ChangePassword](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/change-password.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令更改运行该命令的用户的密码。此命令只能由 IAM 用户调用。如果您在使用 AWS 账户（根）凭据登录时调用此命令，则该命令将返回错误。`InvalidUserType`** ``` Edit-IAMPassword -OldPassword "MyOldP@ssw0rd" -NewPassword "MyNewP@ssw0rd" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ChangePassword](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令更改运行该命令的用户的密码。此命令只能由 IAM 用户调用。如果您在使用 AWS 账户（根）凭据登录时调用此命令，则该命令将返回错误。`InvalidUserType`** ``` Edit-IAMPassword -OldPassword "MyOldP@ssw0rd" -NewPassword "MyNewP@ssw0rd" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ChangePassword](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `CreateAccessKey`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateAccessKey`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) + [管理访问密钥](iam_example_iam_Scenario_ManageAccessKeys_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Create an IAM access key for a user. ///

/// The username for which to create the IAM access /// key. /// The AccessKey. public async Task CreateAccessKeyAsync(string userName) { var response = await _IAMService.CreateAccessKeyAsync(new CreateAccessKeyRequest { UserName = userName, }); return response.AccessKey; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[CreateAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateAccessKey)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_create_user_access_key # # This function creates an IAM access key for the specified user. # # Parameters: # -u user_name -- The name of the IAM user. # [-f file_name] -- The optional file name for the access key output. # # Returns: # [access_key_id access_key_secret] # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_user_access_key() { local user_name file_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_user_access_key" echo "Creates an AWS Identity and Access Management (IAM) key pair." echo " -u user_name The name of the IAM user." echo " [-f file_name] Optional file name for the access key output." echo "" } # Retrieve the calling parameters. while getopts "u:f:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; f) file_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi response=$(aws iam create-access-key \ --user-name "$user_name" \ --output text) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-access-key operation failed.$response" return 1 fi if [[ -n "$file_name" ]]; then echo "$response" >"$file_name" fi local key_id key_secret # shellcheck disable=SC2086 key_id=$(echo $response | cut -f 2 -d ' ') # shellcheck disable=SC2086 key_secret=$(echo $response | cut -f 4 -d ' ') echo "$key_id $key_secret" return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateAccessKey)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` Aws::String AwsDoc::IAM::createAccessKey(const Aws::String &userName, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::CreateAccessKeyRequest request; request.SetUserName(userName); Aws::String result; Aws::IAM::Model::CreateAccessKeyOutcome outcome = iam.CreateAccessKey(request); if (!outcome.IsSuccess()) { std::cerr << "Error creating access key for IAM user " << userName << ":" << outcome.GetError().GetMessage() << std::endl; } else { const auto &accessKey = outcome.GetResult().GetAccessKey(); std::cout << "Successfully created access key for IAM user " << userName << std::endl << " aws_access_key_id = " << accessKey.GetAccessKeyId() << std::endl << " aws_secret_access_key = " << accessKey.GetSecretAccessKey() << std::endl; result = accessKey.GetAccessKeyId(); } return result; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccessKey)*中的。 ------ #### [ CLI ] **AWS CLI** **为 IAM 用户创建访问密钥** 以下 `create-access-key` 命令创建名为 `Bob` IAM 用户的访问密钥（访问密钥 ID 和秘密访问密钥）。 ``` aws iam create-access-key \ --user-name Bob ``` 输出： ``` { "AccessKey": { "UserName": "Bob", "Status": "Active", "CreateDate": "2015-03-09T18:39:23.411Z", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE" } } ``` 将秘密访问密钥存储在安全位置。如果访问密钥丢失，将无法恢复，必须创建一个新的访问密钥。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的访问密钥](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateAccessKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // CreateAccessKeyPair creates an access key for a user. The returned access key contains // the ID and secret credentials needed to use the key. func (wrapper UserWrapper) CreateAccessKeyPair(ctx context.Context, userName string) (*types.AccessKey, error) { var key *types.AccessKey result, err := wrapper.IamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{ UserName: aws.String(userName)}) if err != nil { log.Printf("Couldn't create access key pair for user %v. Here's why: %v\n", userName, err) } else { key = result.AccessKey } return key, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[CreateAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateAccessKey)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.CreateAccessKeyRequest; import software.amazon.awssdk.services.iam.model.CreateAccessKeyResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class CreateAccessKey { public static void main(String[] args) { final String usage = """ Usage: \s Where: user - An AWS IAM user that you can obtain from the AWS Management Console. """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String user = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); String keyId = createIAMAccessKey(iam, user); System.out.println("The Key Id is " + keyId); iam.close(); } public static String createIAMAccessKey(IamClient iam, String user) { try { CreateAccessKeyRequest request = CreateAccessKeyRequest.builder() .userName(user) .build(); CreateAccessKeyResponse response = iam.createAccessKey(request); return response.accessKey().accessKeyId(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccessKey)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建访问密钥。 ``` import { CreateAccessKeyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} userName */ export const createAccessKey = (userName) => { const command = new CreateAccessKeyCommand({ UserName: userName }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-creating](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-creating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccessKeyCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.createAccessKey({ UserName: "IAM_USER_NAME" }, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data.AccessKey); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-creating](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-creating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateAccessKey](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreateAccessKey)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun createIAMAccessKey(user: String?): String { val request = CreateAccessKeyRequest { userName = user } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.createAccessKey(request) return response.accessKey?.accessKeyId.toString() } } ``` + 有关 API 的详细信息，请参阅适用[CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建新的访问密钥和秘密访问密钥对，并将其分配给用户 `David`。确保将 `AccessKeyId` 和 `SecretAccessKey` 值保存到文件中，因为这是您唯一可以获得 `SecretAccessKey` 的时间。您以后无法检索它。如果您丢失了秘密密钥，则必须创建一个新的访问密钥对。** ``` New-IAMAccessKey -UserName David ``` **输出**： ``` AccessKeyId : AKIAIOSFODNN7EXAMPLE CreateDate : 4/13/2015 1:00:42 PM SecretAccessKey : wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Status : Active UserName : David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateAccessKey](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建新的访问密钥和秘密访问密钥对，并将其分配给用户 `David`。确保将 `AccessKeyId` 和 `SecretAccessKey` 值保存到文件中，因为这是您唯一可以获得 `SecretAccessKey` 的时间。您以后无法检索它。如果您丢失了秘密密钥，则必须创建一个新的访问密钥对。** ``` New-IAMAccessKey -UserName David ``` **输出**： ``` AccessKeyId : AKIAIOSFODNN7EXAMPLE CreateDate : 4/13/2015 1:00:42 PM SecretAccessKey : wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Status : Active UserName : David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateAccessKey](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def create_key(user_name): """ Creates an access key for the specified user. Each user can have a maximum of two keys. :param user_name: The name of the user. :return: The created access key. """ try: key_pair = iam.User(user_name).create_access_key_pair() logger.info( "Created access key pair for %s. Key ID is %s.", key_pair.user_name, key_pair.id, ) except ClientError: logger.exception("Couldn't create access key pair for %s.", user_name) raise else: return key_pair ``` + 有关 API 的详细信息，请参阅适用[CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、停用和删除访问密钥。 ``` # Manages access keys for IAM users class AccessKeyManager def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'AccessKeyManager' end # Lists access keys for a user # # @param user_name [String] The name of the user. def list_access_keys(user_name) response = @iam_client.list_access_keys(user_name: user_name) if response.access_key_metadata.empty? @logger.info("No access keys found for user '#{user_name}'.") else response.access_key_metadata.map(&:access_key_id) end rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Error listing access keys: cannot find user '#{user_name}'.") [] rescue StandardError => e @logger.error("Error listing access keys: #{e.message}") [] end # Creates an access key for a user # # @param user_name [String] The name of the user. # @return [Boolean] def create_access_key(user_name) response = @iam_client.create_access_key(user_name: user_name) access_key = response.access_key @logger.info("Access key created for user '#{user_name}': #{access_key.access_key_id}") access_key rescue Aws::IAM::Errors::LimitExceeded @logger.error('Error creating access key: limit exceeded. Cannot create more.') nil rescue StandardError => e @logger.error("Error creating access key: #{e.message}") nil end # Deactivates an access key # # @param user_name [String] The name of the user. # @param access_key_id [String] The ID for the access key. # @return [Boolean] def deactivate_access_key(user_name, access_key_id) @iam_client.update_access_key( user_name: user_name, access_key_id: access_key_id, status: 'Inactive' ) true rescue StandardError => e @logger.error("Error deactivating access key: #{e.message}") false end # Deletes an access key # # @param user_name [String] The name of the user. # @param access_key_id [String] The ID for the access key. # @return [Boolean] def delete_access_key(user_name, access_key_id) @iam_client.delete_access_key( user_name: user_name, access_key_id: access_key_id ) true rescue StandardError => e @logger.error("Error deleting access key: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccessKey)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn create_access_key(client: &iamClient, user_name: &str) -> Result { let mut tries: i32 = 0; let max_tries: i32 = 10; let response: Result> = loop { match client.create_access_key().user_name(user_name).send().await { Ok(inner_response) => { break Ok(inner_response); } Err(e) => { tries += 1; if tries > max_tries { break Err(e); } sleep(Duration::from_secs(2)).await; } } }; Ok(response.unwrap().access_key.unwrap()) } ``` + 有关 API 的详细信息，请参阅适用[CreateAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_access_key)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->createaccesskey( iv_username = iv_user_name ). MESSAGE 'Access key created successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'User does not exist.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Maximum number of access keys reached.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[CreateAccessKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func createAccessKey(userName: String) async throws -> IAMClientTypes.AccessKey { let input = CreateAccessKeyInput( userName: userName ) do { let output = try await iamClient.createAccessKey(input: input) guard let accessKey = output.accessKey else { throw ServiceHandlerError.keyError } return accessKey } catch { print("ERROR: createAccessKey:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[CreateAccessKey](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createaccesskey(input:))*中。 ------ # `CreateAccountAlias`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateAccountAlias`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理您的账户](iam_example_iam_Scenario_AccountManagement_section.md) ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::createAccountAlias(const Aws::String &aliasName, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::CreateAccountAliasRequest request; request.SetAccountAlias(aliasName); Aws::IAM::Model::CreateAccountAliasOutcome outcome = iam.CreateAccountAlias( request); if (!outcome.IsSuccess()) { std::cerr << "Error creating account alias " << aliasName << ": " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully created account alias " << aliasName << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[CreateAccountAlias](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccountAlias)*中的。 ------ #### [ CLI ] **AWS CLI** **创建账户别名** 以下`create-account-alias`命令`examplecorp`为您的 AWS 账户创建别名。 ``` aws iam create-account-alias \ --account-alias examplecorp ``` 此命令不生成任何输出。有关更多信息，请参阅 *AWS IAM 用户指南*中的[您的 AWS 账户 ID 及其别名](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateAccountAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-account-alias.html)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.CreateAccountAliasRequest; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class CreateAccountAlias { public static void main(String[] args) { final String usage = """ Usage: \s Where: alias - The account alias to create (for example, myawsaccount).\s """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String alias = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); createIAMAccountAlias(iam, alias); iam.close(); System.out.println("Done"); } public static void createIAMAccountAlias(IamClient iam, String alias) { try { CreateAccountAliasRequest request = CreateAccountAliasRequest.builder() .accountAlias(alias) .build(); iam.createAccountAlias(request); System.out.println("Successfully created account alias: " + alias); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[CreateAccountAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccountAlias)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建账户别名。 ``` import { CreateAccountAliasCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} alias - A unique name for the account alias. * @returns */ export const createAccountAlias = (alias) => { const command = new CreateAccountAliasCommand({ AccountAlias: alias, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-creating](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-creating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateAccountAlias](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccountAliasCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.createAccountAlias({ AccountAlias: process.argv[2] }, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-creating](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-creating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateAccountAlias](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreateAccountAlias)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun createIAMAccountAlias(alias: String) { val request = CreateAccountAliasRequest { accountAlias = alias } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> iamClient.createAccountAlias(request) println("Successfully created account alias named $alias") } } ``` + 有关 API 的详细信息，请参阅适用[CreateAccountAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将您 AWS 账户的账户别名更改为`mycompanyaws`。用户登录页面的地址更改为 https://mycom panyaws.signin.aws.amazon.com/console。使用您的账户 ID 号而不是别名的原始 URL（https://.signin.aws.amazon.com/console）继续有效。但是，任何先前定义的基于别名的都将 URLs 停止工作。** ``` New-IAMAccountAlias -AccountAlias mycompanyaws ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateAccountAlias](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将您 AWS 账户的账户别名更改为`mycompanyaws`。用户登录页面的地址更改为 https://mycom panyaws.signin.aws.amazon.com/console。使用您的账户 ID 号而不是别名的原始 URL（https://.signin.aws.amazon.com/console）继续有效。但是，任何先前定义的基于别名的都将 URLs 停止工作。** ``` New-IAMAccountAlias -AccountAlias mycompanyaws ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateAccountAlias](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def create_alias(alias): """ Creates an alias for the current account. The alias can be used in place of the account ID in the sign-in URL. An account can have only one alias. When a new alias is created, it replaces any existing alias. :param alias: The alias to assign to the account. """ try: iam.create_account_alias(AccountAlias=alias) logger.info("Created an alias '%s' for your account.", alias) except ClientError: logger.exception("Couldn't create alias '%s' for your account.", alias) raise ``` + 有关 API 的详细信息，请参阅适用[CreateAccountAlias](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccountAlias)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出、创建和删除账户别名。 ``` class IAMAliasManager # Initializes the IAM client and logger # # @param iam_client [Aws::IAM::Client] An initialized IAM client. def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger end # Lists available AWS account aliases. def list_aliases response = @iam_client.list_account_aliases if response.account_aliases.count.positive? @logger.info('Account aliases are:') response.account_aliases.each { |account_alias| @logger.info(" #{account_alias}") } else @logger.info('No account aliases found.') end rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing account aliases: #{e.message}") end # Creates an AWS account alias. # # @param account_alias [String] The name of the account alias to create. # @return [Boolean] true if the account alias was created; otherwise, false. def create_account_alias(account_alias) @iam_client.create_account_alias(account_alias: account_alias) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating account alias: #{e.message}") false end # Deletes an AWS account alias. # # @param account_alias [String] The name of the account alias to delete. # @return [Boolean] true if the account alias was deleted; otherwise, false. def delete_account_alias(account_alias) @iam_client.delete_account_alias(account_alias: account_alias) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting account alias: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[CreateAccountAlias](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccountAlias)*中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->createaccountalias( iv_accountalias = iv_account_alias ). MESSAGE 'Account alias created successfully.' TYPE 'I'. CATCH /aws1/cx_iamentityalrdyexex. MESSAGE 'Account alias already exists.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Account alias limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[CreateAccountAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `CreateGroup`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateGroup`。 ------ #### [ CLI ] **AWS CLI** **创建 IAM 组** 以下 `create-group` 命令创建名为 `Admins` 的 IAM 组。 ``` aws iam create-group \ --group-name Admins ``` 输出： ``` { "Group": { "Path": "/", "CreateDate": "2015-03-09T20:30:24.940Z", "GroupId": "AIDGPMS9RO4H3FEXAMPLE", "Arn": "arn:aws:iam::123456789012:group/Admins", "GroupName": "Admins" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { CreateGroupCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} groupName */ export const createGroup = async (groupName) => { const command = new CreateGroupCommand({ GroupName: groupName }); const response = await client.send(command); console.log(response); return response; }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateGroupCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建了一个名为 `Developers` 的新 IAM 组。** ``` New-IAMGroup -GroupName Developers ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Developers CreateDate : 4/14/2015 11:21:31 AM GroupId : QNEJ5PM4NFSQCEXAMPLE1 GroupName : Developers Path : / ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateGroup](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建了一个名为 `Developers` 的新 IAM 组。** ``` New-IAMGroup -GroupName Developers ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Developers CreateDate : 4/14/2015 11:21:31 AM GroupId : QNEJ5PM4NFSQCEXAMPLE1 GroupName : Developers Path : / ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateGroup](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `CreateInstanceProfile`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateInstanceProfile`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [构建和管理弹性服务](iam_example_cross_ResilientService_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/cross-service/ResilientService/AutoScalerActions#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Create a policy, role, and profile that is associated with instances with a specified name. /// An instance's associated profile defines a role that is assumed by the /// instance.The role has attached policies that specify the AWS permissions granted to /// clients that run on the instance. ///

/// Name to use for the policy. /// Name to use for the role. /// Name to use for the profile. /// Path to a policy file for SSM. /// AWS Managed policies to be attached to the role. /// The Arn of the profile. public async Task CreateInstanceProfileWithName( string policyName, string roleName, string profileName, string ssmOnlyPolicyFile, List? awsManagedPolicies = null) { var assumeRoleDoc = "{" + "\"Version\": \"2012-10-17\"," + "\"Statement\": [{" + "\"Effect\": \"Allow\"," + "\"Principal\": {" + "\"Service\": [" + "\"ec2.amazonaws.com\"" + "]" + "}," + "\"Action\": \"sts:AssumeRole\"" + "}]" + "}"; var policyDocument = await File.ReadAllTextAsync(ssmOnlyPolicyFile); var policyArn = ""; try { var createPolicyResult = await _amazonIam.CreatePolicyAsync( new CreatePolicyRequest { PolicyName = policyName, PolicyDocument = policyDocument }); policyArn = createPolicyResult.Policy.Arn; } catch (EntityAlreadyExistsException) { // The policy already exists, so we look it up to get the Arn. var policiesPaginator = _amazonIam.Paginators.ListPolicies( new ListPoliciesRequest() { Scope = PolicyScopeType.Local }); // Get the entire list using the paginator. await foreach (var policy in policiesPaginator.Policies) { if (policy.PolicyName.Equals(policyName)) { policyArn = policy.Arn; } } if (policyArn == null) { throw new InvalidOperationException("Policy not found"); } } try { await _amazonIam.CreateRoleAsync(new CreateRoleRequest() { RoleName = roleName, AssumeRolePolicyDocument = assumeRoleDoc, }); await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest() { RoleName = roleName, PolicyArn = policyArn }); if (awsManagedPolicies != null) { foreach (var awsPolicy in awsManagedPolicies) { await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest() { PolicyArn = $"arn:aws:iam::aws:policy/{awsPolicy}", RoleName = roleName }); } } } catch (EntityAlreadyExistsException) { Console.WriteLine("Role already exists."); } string profileArn = ""; try { var profileCreateResponse = await _amazonIam.CreateInstanceProfileAsync( new CreateInstanceProfileRequest() { InstanceProfileName = profileName }); // Allow time for the profile to be ready. profileArn = profileCreateResponse.InstanceProfile.Arn; Thread.Sleep(10000); await _amazonIam.AddRoleToInstanceProfileAsync( new AddRoleToInstanceProfileRequest() { InstanceProfileName = profileName, RoleName = roleName }); } catch (EntityAlreadyExistsException) { Console.WriteLine("Policy already exists."); var profileGetResponse = await _amazonIam.GetInstanceProfileAsync( new GetInstanceProfileRequest() { InstanceProfileName = profileName }); profileArn = profileGetResponse.InstanceProfile.Arn; } return profileArn; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[CreateInstanceProfile](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateInstanceProfile)*中的。 ------ #### [ CLI ] **AWS CLI** **创建实例配置文件** 以下 `create-instance-profile` 命令创建名为 `Webserver` 的实例配置文件。 ``` aws iam create-instance-profile \ --instance-profile-name Webserver ``` 输出： ``` { "InstanceProfile": { "InstanceProfileId": "AIPAJMBYC7DLSPEXAMPLE", "Roles": [], "CreateDate": "2015-03-09T20:33:19.626Z", "InstanceProfileName": "Webserver", "Path": "/", "Arn": "arn:aws:iam::123456789012:instance-profile/Webserver" } } ``` 要将角色添加到实例配置文件，请使用 `add-role-to-instance-profile` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用 IAM 角色为 Amazon EC2 实例上运行的应用程序授予权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-instance-profile.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-resilient-service#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` const { InstanceProfile } = await iamClient.send( new CreateInstanceProfileCommand({ InstanceProfileName: NAMES.ssmOnlyInstanceProfileName, }), ); await waitUntilInstanceProfileExists( { client: iamClient }, { InstanceProfileName: NAMES.ssmOnlyInstanceProfileName }, ); ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateInstanceProfile](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateInstanceProfileCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建了一个名为 `ProfileForDevEC2Instance` 的新 IAM 实例配置文件。您必须单独运行 `Add-IAMRoleToInstanceProfile` 命令，以将实例配置文件与为该实例提供权限的现有 IAM 角色相关联。最后，在启动 EC2 实例时将实例配置文件附加到该实例。为此，请使用带有 `InstanceProfile_Arn` 或 `InstanceProfile_Name` 参数的 `New-EC2Instance` cmdlet。** ``` New-IAMInstanceProfile -InstanceProfileName ProfileForDevEC2Instance ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ProfileForDevEC2Instance CreateDate : 4/14/2015 11:31:39 AM InstanceProfileId : DYMFXL556EY46EXAMPLE1 InstanceProfileName : ProfileForDevEC2Instance Path : / Roles : {} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建了一个名为 `ProfileForDevEC2Instance` 的新 IAM 实例配置文件。您必须单独运行 `Add-IAMRoleToInstanceProfile` 命令，以将实例配置文件与为该实例提供权限的现有 IAM 角色相关联。最后，在启动 EC2 实例时将实例配置文件附加到该实例。为此，请使用带有 `InstanceProfile_Arn` 或 `InstanceProfile_Name` 参数的 `New-EC2Instance` cmdlet。** ``` New-IAMInstanceProfile -InstanceProfileName ProfileForDevEC2Instance ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ProfileForDevEC2Instance CreateDate : 4/14/2015 11:31:39 AM InstanceProfileId : DYMFXL556EY46EXAMPLE1 InstanceProfileName : ProfileForDevEC2Instance Path : / Roles : {} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例将创建一个策略、角色和实例配置文件，并将其全部关联起来。 ``` class AutoScalingWrapper: """ Encapsulates Amazon EC2 Auto Scaling and EC2 management actions. """ def __init__( self, resource_prefix: str, inst_type: str, ami_param: str, autoscaling_client: boto3.client, ec2_client: boto3.client, ssm_client: boto3.client, iam_client: boto3.client, ): """ Initializes the AutoScaler class with the necessary parameters. :param resource_prefix: The prefix for naming AWS resources that are created by this class. :param inst_type: The type of EC2 instance to create, such as t3.micro. :param ami_param: The Systems Manager parameter used to look up the AMI that is created. :param autoscaling_client: A Boto3 EC2 Auto Scaling client. :param ec2_client: A Boto3 EC2 client. :param ssm_client: A Boto3 Systems Manager client. :param iam_client: A Boto3 IAM client. """ self.inst_type = inst_type self.ami_param = ami_param self.autoscaling_client = autoscaling_client self.ec2_client = ec2_client self.ssm_client = ssm_client self.iam_client = iam_client sts_client = boto3.client("sts") self.account_id = sts_client.get_caller_identity()["Account"] self.key_pair_name = f"{resource_prefix}-key-pair" self.launch_template_name = f"{resource_prefix}-template-" self.group_name = f"{resource_prefix}-group" # Happy path self.instance_policy_name = f"{resource_prefix}-pol" self.instance_role_name = f"{resource_prefix}-role" self.instance_profile_name = f"{resource_prefix}-prof" # Failure mode self.bad_creds_policy_name = f"{resource_prefix}-bc-pol" self.bad_creds_role_name = f"{resource_prefix}-bc-role" self.bad_creds_profile_name = f"{resource_prefix}-bc-prof" def create_instance_profile( self, policy_file: str, policy_name: str, role_name: str, profile_name: str, aws_managed_policies: Tuple[str, ...] = (), ) -> str: """ Creates a policy, role, and profile that is associated with instances created by this class. An instance's associated profile defines a role that is assumed by the instance. The role has attached policies that specify the AWS permissions granted to clients that run on the instance. :param policy_file: The name of a JSON file that contains the policy definition to create and attach to the role. :param policy_name: The name to give the created policy. :param role_name: The name to give the created role. :param profile_name: The name to the created profile. :param aws_managed_policies: Additional AWS-managed policies that are attached to the role, such as AmazonSSMManagedInstanceCore to grant use of Systems Manager to send commands to the instance. :return: The ARN of the profile that is created. """ assume_role_doc = { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole", } ], } policy_arn = self.create_policy(policy_file, policy_name) self.create_role(role_name, assume_role_doc) self.attach_policy(role_name, policy_arn, aws_managed_policies) try: profile_response = self.iam_client.create_instance_profile( InstanceProfileName=profile_name ) waiter = self.iam_client.get_waiter("instance_profile_exists") waiter.wait(InstanceProfileName=profile_name) time.sleep(10) # wait a little longer profile_arn = profile_response["InstanceProfile"]["Arn"] self.iam_client.add_role_to_instance_profile( InstanceProfileName=profile_name, RoleName=role_name ) log.info("Created profile %s and added role %s.", profile_name, role_name) except ClientError as err: if err.response["Error"]["Code"] == "EntityAlreadyExists": prof_response = self.iam_client.get_instance_profile( InstanceProfileName=profile_name ) profile_arn = prof_response["InstanceProfile"]["Arn"] log.info( "Instance profile %s already exists, nothing to do.", profile_name ) log.error(f"Full error:\n\t{err}") return profile_arn ``` + 有关 API 的详细信息，请参阅适用[CreateInstanceProfile](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateInstanceProfile)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ # 将 `CreateLoginProfile` 与 CLI 配合使用以下代码示例演示如何使用 `CreateLoginProfile`。 ------ #### [ CLI ] **AWS CLI** **为 IAM 用户创建密码** 要为 IAM 用户创建密码，建议使用 `--cli-input-json` 参数传递包含密码的 JSON 文件。通过此方法，您可以创建含有非字母数字字符的强密码。将密码作为命令行参数传递时，可能难以创建含有非字母数字字符的密码。要使用 `--cli-input-json` 参数，请先使用带 `--generate-cli-skeleton` 参数的 `create-login-profile` 命令，如以下示例所示。 ``` aws iam create-login-profile \ --generate-cli-skeleton > create-login-profile.json ``` 前面的命令创建了一个名为 create-login-profile .json 的 JSON 文件，您可以使用该文件为后续`create-login-profile`命令填写信息。例如： ``` { "UserName": "Bob", "Password": "&1-3a6u:RA0djs", "PasswordResetRequired": true } ``` 接下来，要为 IAM 用户创建密码，请再次使用 `create-login-profile` 命令，这次是传递 `--cli-input-json` 参数以指定您的 JSON 文件。以下`create-login-profile`命令将`--cli-input-json`参数与名为 create-login-profile .json 的 JSON 文件一起使用。 ``` aws iam create-login-profile \ --cli-input-json file://create-login-profile.json ``` 输出： ``` { "LoginProfile": { "UserName": "Bob", "CreateDate": "2015-03-10T20:55:40.274Z", "PasswordResetRequired": true } } ``` 如果新密码违反了账户密码策略，则该命令将返回 `PasswordPolicyViolation` 错误。要更改已有密码用户的密码，请使用 `update-login-profile`。要为账户设置密码策略，请使用 `update-account-password-policy` 命令。如果账户密码策略允许，则 IAM 用户可以使用 `change-password` 命令更改自己的密码。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的密码](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-login-profile.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例为名为 Bob 的 IAM 用户创建一个（临时）密码，并设置在 `Bob` 下次登录时要求该用户更改密码的标志。** ``` New-IAMLoginProfile -UserName Bob -Password P@ssw0rd -PasswordResetRequired $true ``` **输出**： ``` CreateDate PasswordResetRequired UserName ---------- --------------------- -------- 4/14/2015 12:26:30 PM True Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例为名为 Bob 的 IAM 用户创建一个（临时）密码，并设置在 `Bob` 下次登录时要求该用户更改密码的标志。** ``` New-IAMLoginProfile -UserName Bob -Password P@ssw0rd -PasswordResetRequired $true ``` **输出**： ``` CreateDate PasswordResetRequired UserName ---------- --------------------- -------- 4/14/2015 12:26:30 PM True Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `CreateOpenIdConnectProvider` 与 CLI 配合使用以下代码示例演示如何使用 `CreateOpenIdConnectProvider`。 ------ #### [ CLI ] **AWS CLI** **创建 OpenID Connect（OIDC）提供者** 要创建 OpenID Connect（OIDC）提供者，建议使用 `--cli-input-json` 参数来传递包含所需参数的 JSON 文件。创建 OIDC 提供者时，必须传递提供者的 URL，而且 URL 必须以 `https://` 开头。将 URL 作为命令行参数传递可能很困难，因为冒号（:）和正斜杠（/）字符在某些命令行环境中具有特殊含义。使用 `--cli-input-json` 参数可以绕过这一限制。要使用 `--cli-input-json` 参数，请先使用带 `--generate-cli-skeleton` 参数的 `create-open-id-connect-provider` 命令，如以下示例所示。 ``` aws iam create-open-id-connect-provider \ --generate-cli-skeleton > create-open-id-connect-provider.json ``` 前面的命令创建了一个名为 create-open-id-connect-provider.json 的 JSON 文件，你可以用它来填写后续命令的信息。`create-open-id-connect-provider`例如： ``` { "Url": "https://server.example.com", "ClientIDList": [ "example-application-ID" ], "ThumbprintList": [ "c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE" ] } ``` 接下来，要创建 OpenID Connect（OIDC）提供者，请再次使用 `create-open-id-connect-provider` 命令，这次是传递 `--cli-input-json` 参数以指定您的 JSON 文件。以下`create-open-id-connect-provider`命令将`--cli-input-json`参数与名为 create-open-id-connect-provider.json 的 JSON 文件一起使用。 ``` aws iam create-open-id-connect-provider \ --cli-input-json file://create-open-id-connect-provider.json ``` 输出： ``` { "OpenIDConnectProviderArn": "arn:aws:iam::123456789012:oidc-provider/server.example.com" } ``` 有关 OIDC 提供者的更多信息，请参阅《AWS IAM 用户指南》**中的[创建 OpenID Connect（OIDC）身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。有关获取 OIDC 提供者指纹的更多信息，请参阅《AWS IAM 用户指南》**中的[获取 OpenID Connect 身份提供者的指纹](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-open-id-connect-provider.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建一个 IAM OIDC 提供者，该提供者与位于 URL `https://example.oidcprovider.com` 中的 OIDC 兼容提供者服务和客户端 ID `my-testapp-1` 关联。OIDC 提供者将提供指纹。要对指纹进行身份验证，请按照 http://docs.aws.amazon 上的步骤进行操作。 com/IAM/latest/UserGuide/identity-providers-oidc-obtain-thumbprint .html。** ``` New-IAMOpenIDConnectProvider -Url https://example.oidcprovider.com -ClientIDList my-testapp-1 -ThumbprintList 990F419EXAMPLEECF12DDEDA5EXAMPLE52F20D9E ``` **输出**： ``` arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建一个 IAM OIDC 提供者，该提供者与位于 URL `https://example.oidcprovider.com` 中的 OIDC 兼容提供者服务和客户端 ID `my-testapp-1` 关联。OIDC 提供者将提供指纹。要对指纹进行身份验证，请按照 http://docs.aws.amazon 上的步骤进行操作。 com/IAM/latest/UserGuide/identity-providers-oidc-obtain-thumbprint .html。** ``` New-IAMOpenIDConnectProvider -Url https://example.oidcprovider.com -ClientIDList my-testapp-1 -ThumbprintList 990F419EXAMPLEECF12DDEDA5EXAMPLE52F20D9E ``` **输出**： ``` arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `CreatePolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreatePolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) + [设置基于属性的访问控制](iam_example_dynamodb_Scenario_ABACSetup_section.md) + [使用 IAM Policy Builder API](iam_example_iam_Scenario_IamPolicyBuilder_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Create an IAM policy. ///

/// The name to give the new IAM policy. /// The policy document for the new policy. /// The new IAM policy object. public async Task CreatePolicyAsync(string policyName, string policyDocument) { var response = await _IAMService.CreatePolicyAsync(new CreatePolicyRequest { PolicyDocument = policyDocument, PolicyName = policyName, }); return response.Policy; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[CreatePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreatePolicy)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_create_policy # # This function creates an IAM policy. # # Parameters: # -n policy_name -- The name of the IAM policy. # -p policy_json -- The policy document. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_policy() { local policy_name policy_document response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_policy" echo "Creates an AWS Identity and Access Management (IAM) policy." echo " -n policy_name The name of the IAM policy." echo " -p policy_json -- The policy document." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) policy_name="${OPTARG}" ;; p) policy_document="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$policy_name" ]]; then errecho "ERROR: You must provide a policy name with the -n parameter." usage return 1 fi if [[ -z "$policy_document" ]]; then errecho "ERROR: You must provide a policy document with the -p parameter." usage return 1 fi response=$(aws iam create-policy \ --policy-name "$policy_name" \ --policy-document "$policy_document" \ --output text \ --query Policy.Arn) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-policy operation failed.\n$response" return 1 fi echo "$response" } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` Aws::String AwsDoc::IAM::createPolicy(const Aws::String &policyName, const Aws::String &rsrcArn, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::CreatePolicyRequest request; request.SetPolicyName(policyName); request.SetPolicyDocument(BuildSamplePolicyDocument(rsrcArn)); Aws::IAM::Model::CreatePolicyOutcome outcome = iam.CreatePolicy(request); Aws::String result; if (!outcome.IsSuccess()) { std::cerr << "Error creating policy " << policyName << ": " << outcome.GetError().GetMessage() << std::endl; } else { result = outcome.GetResult().GetPolicy().GetArn(); std::cout << "Successfully created policy " << policyName << std::endl; } return result; } Aws::String AwsDoc::IAM::BuildSamplePolicyDocument(const Aws::String &rsrc_arn) { std::stringstream stringStream; stringStream << "{" << " \"Version\": \"2012-10-17\"," << " \"Statement\": [" << " {" << " \"Effect\": \"Allow\"," << " \"Action\": \"logs:CreateLogGroup\"," << " \"Resource\": \"" << rsrc_arn << "\"" << " }," << " {" << " \"Effect\": \"Allow\"," << " \"Action\": [" << " \"dynamodb:DeleteItem\"," << " \"dynamodb:GetItem\"," << " \"dynamodb:PutItem\"," << " \"dynamodb:Scan\"," << " \"dynamodb:UpdateItem\"" << " ]," << " \"Resource\": \"" << rsrc_arn << "\"" << " }" << " ]" << "}"; return stringStream.str(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[CreatePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreatePolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **示例 1：创建客户托管策略** 以下命令创建名为 `my-policy` 的客户托管策略。`policy.json` 文件是当前文件夹中的一个 JSON 文档，它授予对名为 `amzn-s3-demo-bucket` 的 Amazon S3 存储桶中 `shared` 文件夹的只读权限。 ``` aws iam create-policy \ --policy-name my-policy \ --policy-document file://policy.json ``` policy.json 的内容： ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket/shared/*" ] } ] } ``` 输出： ``` { "Policy": { "PolicyName": "my-policy", "CreateDate": "2015-06-01T19:31:18.620Z", "AttachmentCount": 0, "IsAttachable": true, "PolicyId": "ZXR6A36LTYANPAI7NJ5UV", "DefaultVersionId": "v1", "Path": "/", "Arn": "arn:aws:iam::0123456789012:policy/my-policy", "UpdateDate": "2015-06-01T19:31:18.620Z" } } ``` 有关使用文件作为字符串参数输入的更多信息，请参阅 [AWS CLI *用户指南中的为 CL AWS I* 指定参数值](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html)。 **示例 2：创建带有描述的客户管理型策略** 以下命令创建名为 `my-policy` 且带有不可变描述的客户管理型策略。 `policy.json` 文件是当前文件夹中的一个 JSON 文档，它授予对名为 `amzn-s3-demo-bucket` 的 Amazon S3 存储桶的所有 Put、List 和 Get 操作的访问权限。 ``` aws iam create-policy \ --policy-name my-policy \ --policy-document file://policy.json \ --description "This policy grants access to all Put, Get, and List actions for amzn-s3-demo-bucket" ``` policy.json 的内容： ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket*", "s3:PutBucket*", "s3:GetBucket*" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket" ] } ] } ``` 输出： ``` { "Policy": { "PolicyName": "my-policy", "PolicyId": "ANPAWGSUGIDPEXAMPLE", "Arn": "arn:aws:iam::123456789012:policy/my-policy", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 0, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "CreateDate": "2023-05-24T22:38:47+00:00", "UpdateDate": "2023-05-24T22:38:47+00:00" } } ``` 有关基于身份的策略的更多信息，请参阅《AWS IAM 用户指南》**中的[基于身份的策略和基于资源的策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html)。 **示例 3：创建带有标签的客户管理型策略** 以下命令创建名为 `my-policy` 且带有标签的客户托管策略。此示例使用带有以下 JSON 格式标签的 `--tags` 参数：`'{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'`。或者，`--tags` 参数可与简写格式的标签一起使用：`'Key=Department,Value=Accounting Key=Location,Value=Seattle'`。 `policy.json` 文件是当前文件夹中的一个 JSON 文档，它授予对名为 `amzn-s3-demo-bucket` 的 Amazon S3 存储桶的所有 Put、List 和 Get 操作的访问权限。 ``` aws iam create-policy \ --policy-name my-policy \ --policy-document file://policy.json \ --tags '{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}' ``` policy.json 的内容： ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket*", "s3:PutBucket*", "s3:GetBucket*" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket" ] } ] } ``` 输出： ``` { "Policy": { "PolicyName": "my-policy", "PolicyId": "ANPAWGSUGIDPEXAMPLE", "Arn": "arn:aws:iam::12345678012:policy/my-policy", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 0, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "CreateDate": "2023-05-24T23:16:39+00:00", "UpdateDate": "2023-05-24T23:16:39+00:00", "Tags": [ { "Key": "Department", "Value": "Accounting" }, "Key": "Location", "Value": "Seattle" { ] } } ``` 有关标记策略的更多信息，请参阅《AWS IAM 用户指南》**中的[标记客户托管策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_customer-managed-policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreatePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions // used in the examples. // It contains an IAM service client that is used to perform policy actions. type PolicyWrapper struct { IamClient *iam.Client } // PolicyDocument defines a policy document as a Go struct that can be serialized // to JSON. type PolicyDocument struct { Version string Statement []PolicyStatement } // PolicyStatement defines a statement in a policy document. type PolicyStatement struct { Effect string Action []string Principal map[string]string `json:",omitempty"` Resource *string `json:",omitempty"` } // CreatePolicy creates a policy that grants a list of actions to the specified resource. // PolicyDocument shows how to work with a policy document as a data structure and // serialize it to JSON by using Go's JSON marshaler. func (wrapper PolicyWrapper) CreatePolicy(ctx context.Context, policyName string, actions []string, resourceArn string) (*types.Policy, error) { var policy *types.Policy policyDoc := PolicyDocument{ Version: "2012-10-17", Statement: []PolicyStatement{{ Effect: "Allow", Action: actions, Resource: aws.String(resourceArn), }}, } policyBytes, err := json.Marshal(policyDoc) if err != nil { log.Printf("Couldn't create policy document for %v. Here's why: %v\n", resourceArn, err) return nil, err } result, err := wrapper.IamClient.CreatePolicy(ctx, &iam.CreatePolicyInput{ PolicyDocument: aws.String(string(policyBytes)), PolicyName: aws.String(policyName), }) if err != nil { log.Printf("Couldn't create policy %v. Here's why: %v\n", policyName, err) } else { policy = result.Policy } return policy, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[CreatePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreatePolicy)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.core.waiters.WaiterResponse; import software.amazon.awssdk.services.iam.model.CreatePolicyRequest; import software.amazon.awssdk.services.iam.model.CreatePolicyResponse; import software.amazon.awssdk.services.iam.model.GetPolicyRequest; import software.amazon.awssdk.services.iam.model.GetPolicyResponse; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.waiters.IamWaiter; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class CreatePolicy { public static final String PolicyDocument = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"dynamodb:DeleteItem\"," + " \"dynamodb:GetItem\"," + " \"dynamodb:PutItem\"," + " \"dynamodb:Scan\"," + " \"dynamodb:UpdateItem\"" + " ]," + " \"Resource\": \"*\"" + " }" + " ]" + "}"; public static void main(String[] args) { final String usage = """ Usage: CreatePolicy \s Where: policyName - A unique policy name.\s """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String policyName = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); String result = createIAMPolicy(iam, policyName); System.out.println("Successfully created a policy with this ARN value: " + result); iam.close(); } public static String createIAMPolicy(IamClient iam, String policyName) { try { // Create an IamWaiter object. IamWaiter iamWaiter = iam.waiter(); CreatePolicyRequest request = CreatePolicyRequest.builder() .policyName(policyName) .policyDocument(PolicyDocument) .build(); CreatePolicyResponse response = iam.createPolicy(request); // Wait until the policy is created. GetPolicyRequest polRequest = GetPolicyRequest.builder() .policyArn(response.policy().arn()) .build(); WaiterResponse waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest); waitUntilPolicyExists.matched().response().ifPresent(System.out::println); return response.policy().arn(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[CreatePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreatePolicy)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建策略。 ``` import { CreatePolicyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} policyName */ export const createPolicy = (policyName) => { const command = new CreatePolicyCommand({ PolicyDocument: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Action: "*", Resource: "*", }, ], }), PolicyName: policyName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-creating](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-creating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreatePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreatePolicyCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var myManagedPolicy = { Version: "2012-10-17", Statement: [ { Effect: "Allow", Action: "logs:CreateLogGroup", Resource: "RESOURCE_ARN", }, { Effect: "Allow", Action: [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem", ], Resource: "RESOURCE_ARN", }, ], }; var params = { PolicyDocument: JSON.stringify(myManagedPolicy), PolicyName: "myDynamoDBPolicy", }; iam.createPolicy(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-creating](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-creating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreatePolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreatePolicy)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun createIAMPolicy(policyNameVal: String?): String { val policyDocumentVal = """ { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": "*" } ] } """.trimIndent() val request = CreatePolicyRequest { policyName = policyNameVal policyDocument = policyDocumentVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.createPolicy(request) return response.policy?.arn.toString() } } ``` + 有关 API 的详细信息，请参阅适用[CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); $listAllBucketsPolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": \"s3:ListAllMyBuckets\", \"Resource\": \"arn:aws:s3:::*\"}] }"; $listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument); echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n"; /** * @param string $policyName * @param string $policyDocument * @return array */ public function createPolicy(string $policyName, string $policyDocument) { $result = $this->customWaiter(function () use ($policyName, $policyDocument) { return $this->iamClient->createPolicy([ 'PolicyName' => $policyName, 'PolicyDocument' => $policyDocument, ]); }); return $result['Policy']; } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[CreatePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreatePolicy)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例在当前 AWS 账户中创建了一个名为的新 IAM 策略。`MySamplePolicy`该文件`MySamplePolicy.json`提供了策略内容。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 策略文件。** ``` New-IAMPolicy -PolicyName MySamplePolicy -PolicyDocument (Get-Content -Raw MySamplePolicy.json) ``` **输出**： ``` Arn : arn:aws:iam::123456789012:policy/MySamplePolicy AttachmentCount : 0 CreateDate : 4/14/2015 2:45:59 PM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : LD4KP6HVFE7WGEXAMPLE1 PolicyName : MySamplePolicy UpdateDate : 4/14/2015 2:45:59 PM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreatePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例在当前 AWS 账户中创建了一个名为的新 IAM 策略。`MySamplePolicy`该文件`MySamplePolicy.json`提供了策略内容。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 策略文件。** ``` New-IAMPolicy -PolicyName MySamplePolicy -PolicyDocument (Get-Content -Raw MySamplePolicy.json) ``` **输出**： ``` Arn : arn:aws:iam::123456789012:policy/MySamplePolicy AttachmentCount : 0 CreateDate : 4/14/2015 2:45:59 PM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : LD4KP6HVFE7WGEXAMPLE1 PolicyName : MySamplePolicy UpdateDate : 4/14/2015 2:45:59 PM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreatePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def create_policy(name, description, actions, resource_arn): """ Creates a policy that contains a single statement. :param name: The name of the policy to create. :param description: The description of the policy. :param actions: The actions allowed by the policy. These typically take the form of service:action, such as s3:PutObject. :param resource_arn: The Amazon Resource Name (ARN) of the resource this policy applies to. This ARN can contain wildcards, such as 'arn:aws:s3:::amzn-s3-demo-bucket/*' to allow actions on all objects in the bucket named 'amzn-s3-demo-bucket'. :return: The newly created policy. """ policy_doc = { "Version":"2012-10-17", "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arn}], } try: policy = iam.create_policy( PolicyName=name, Description=description, PolicyDocument=json.dumps(policy_doc), ) logger.info("Created policy %s.", policy.arn) except ClientError: logger.exception("Couldn't create policy %s.", name) raise else: return policy ``` + 有关 API 的详细信息，请参阅适用[CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、附加和分离角色策略。 ``` # Manages policies in AWS Identity and Access Management (IAM) class RolePolicyManager # Initialize with an AWS IAM client # # @param iam_client [Aws::IAM::Client] An initialized IAM client def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'PolicyManager' end # Creates a policy # # @param policy_name [String] The name of the policy # @param policy_document [Hash] The policy document # @return [String] The policy ARN if successful, otherwise nil def create_policy(policy_name, policy_document) response = @iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) response.policy.arn rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating policy: #{e.message}") nil end # Fetches an IAM policy by its ARN # @param policy_arn [String] the ARN of the IAM policy to retrieve # @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found def get_policy(policy_arn) response = @iam_client.get_policy(policy_arn: policy_arn) policy = response.policy @logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.") policy rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.") raise rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}") raise end # Attaches a policy to a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def attach_policy_to_role(role_name, policy_arn) @iam_client.attach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error attaching policy to role: #{e.message}") false end # Lists policy ARNs attached to a role # # @param role_name [String] The name of the role # @return [Array] List of policy ARNs def list_attached_policy_arns(role_name) response = @iam_client.list_attached_role_policies(role_name: role_name) response.attached_policies.map(&:policy_arn) rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing policies attached to role: #{e.message}") [] end # Detaches a policy from a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def detach_policy_from_role(role_name, policy_arn) @iam_client.detach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error detaching policy from role: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[CreatePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreatePolicy)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn create_policy( client: &iamClient, policy_name: &str, policy_document: &str, ) -> Result { let policy = client .create_policy() .policy_name(policy_name) .policy_document(policy_document) .send() .await?; Ok(policy.policy.unwrap()) } ``` + 有关 API 的详细信息，请参阅适用[CreatePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->createpolicy( iv_policyname = iv_policy_name iv_policydocument = iv_policy_document iv_description = iv_description ). MESSAGE 'Policy created successfully.' TYPE 'I'. CATCH /aws1/cx_iamentityalrdyexex. MESSAGE 'Policy already exists.' TYPE 'E'. CATCH /aws1/cx_iammalformedplydocex. MESSAGE 'Policy document is malformed.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Policy limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[CreatePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func createPolicy(name: String, policyDocument: String) async throws -> IAMClientTypes.Policy { let input = CreatePolicyInput( policyDocument: policyDocument, policyName: name ) do { let output = try await iamClient.createPolicy(input: input) guard let policy = output.policy else { throw ServiceHandlerError.noSuchPolicy } return policy } catch { print("ERROR: createPolicy:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[CreatePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createpolicy(input:))*中。 ------ # `CreatePolicyVersion`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreatePolicyVersion`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) ------ #### [ CLI ] **AWS CLI** **创建新版本的托管策略** 此示例创建了一个新的 `v2` 版本的 IAM policy，其 ARN 为 `arn:aws:iam::123456789012:policy/MyPolicy`，并设为默认版本。 ``` aws iam create-policy-version \ --policy-arn arn:aws:iam::123456789012:policy/MyPolicy \ --policy-document file://NewPolicyVersion.json \ --set-as-default ``` 输出： ``` { "PolicyVersion": { "CreateDate": "2015-06-16T18:56:03.721Z", "VersionId": "v2", "IsDefaultVersion": true } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM policy 版本控制](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreatePolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建了一个新“v2”版本的 IAM 策略，其 ARN 为 `arn:aws:iam::123456789012:policy/MyPolicy`，并设为默认版本。`NewPolicyVersion.json` 文件提供了策略内容。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 策略文件。** ``` New-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -PolicyDocument (Get-content -Raw NewPolicyVersion.json) -SetAsDefault $true ``` **输出**： ``` CreateDate Document IsDefaultVersion VersionId ---------- -------- ---------------- --------- 4/15/2015 10:54:54 AM True v2 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreatePolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建了一个新“v2”版本的 IAM 策略，其 ARN 为 `arn:aws:iam::123456789012:policy/MyPolicy`，并设为默认版本。`NewPolicyVersion.json` 文件提供了策略内容。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 策略文件。** ``` New-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -PolicyDocument (Get-content -Raw NewPolicyVersion.json) -SetAsDefault $true ``` **输出**： ``` CreateDate Document IsDefaultVersion VersionId ---------- -------- ---------------- --------- 4/15/2015 10:54:54 AM True v2 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreatePolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def create_policy_version(policy_arn, actions, resource_arn, set_as_default): """ Creates a policy version. Policies can have up to five versions. The default version is the one that is used for all resources that reference the policy. :param policy_arn: The ARN of the policy. :param actions: The actions to allow in the policy version. :param resource_arn: The ARN of the resource this policy version applies to. :param set_as_default: When True, this policy version is set as the default version for the policy. Otherwise, the default is not changed. :return: The newly created policy version. """ policy_doc = { "Version":"2012-10-17", "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arn}], } try: policy = iam.Policy(policy_arn) policy_version = policy.create_version( PolicyDocument=json.dumps(policy_doc), SetAsDefault=set_as_default ) logger.info( "Created policy version %s for policy %s.", policy_version.version_id, policy_version.arn, ) except ClientError: logger.exception("Couldn't create a policy version for %s.", policy_arn) raise else: return policy_version ``` + 有关 API 的详细信息，请参阅适用[CreatePolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicyVersion)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->createpolicyversion( iv_policyarn = iv_policy_arn iv_policydocument = iv_policy_document iv_setasdefault = iv_set_as_default ). MESSAGE 'Policy version created successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Policy does not exist.' TYPE 'E'. CATCH /aws1/cx_iammalformedplydocex. MESSAGE 'Policy document is malformed.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Policy version limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[CreatePolicyVersion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `CreateRole`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateRole`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [管理角色](iam_example_iam_Scenario_RoleManagement_section.md) + [使用直播和 Time-to-Live](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Create a new IAM role. ///

/// The name of the IAM role. /// The name of the IAM policy document /// for the new role. /// The Amazon Resource Name (ARN) of the role. public async Task CreateRoleAsync(string roleName, string rolePolicyDocument) { var request = new CreateRoleRequest { RoleName = roleName, AssumeRolePolicyDocument = rolePolicyDocument, }; var response = await _IAMService.CreateRoleAsync(request); return response.Role.Arn; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[CreateRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateRole)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_create_role # # This function creates an IAM role. # # Parameters: # -n role_name -- The name of the IAM role. # -p policy_json -- The assume role policy document. # # Returns: # The ARN of the role. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_role() { local role_name policy_document response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_user_access_key" echo "Creates an AWS Identity and Access Management (IAM) role." echo " -n role_name The name of the IAM role." echo " -p policy_json -- The assume role policy document." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; p) policy_document="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi if [[ -z "$policy_document" ]]; then errecho "ERROR: You must provide a policy document with the -p parameter." usage return 1 fi response=$(aws iam create-role \ --role-name "$role_name" \ --assume-role-policy-document "$policy_document" \ --output text \ --query Role.Arn) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-role operation failed.\n$response" return 1 fi echo "$response" return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::createIamRole( const Aws::String &roleName, const Aws::String &policy, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient client(clientConfig); Aws::IAM::Model::CreateRoleRequest request; request.SetRoleName(roleName); request.SetAssumeRolePolicyDocument(policy); Aws::IAM::Model::CreateRoleOutcome outcome = client.CreateRole(request); if (!outcome.IsSuccess()) { std::cerr << "Error creating role. " << outcome.GetError().GetMessage() << std::endl; } else { const Aws::IAM::Model::Role iamRole = outcome.GetResult().GetRole(); std::cout << "Created role " << iamRole.GetRoleName() << "\n"; std::cout << "ID: " << iamRole.GetRoleId() << "\n"; std::cout << "ARN: " << iamRole.GetArn() << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[CreateRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateRole)*中的。 ------ #### [ CLI ] **AWS CLI** **示例 1：创建 IAM 角色** 以下 `create-role` 命令创建一个名为 `Test-Role` 的角色并对其附加信任策略。 ``` aws iam create-role \ --role-name Test-Role \ --assume-role-policy-document file://Test-Role-Trust-Policy.json ``` 输出： ``` { "Role": { "AssumeRolePolicyDocument": "", "RoleId": "AKIAIOSFODNN7EXAMPLE", "CreateDate": "2013-06-07T20:43:32.821Z", "RoleName": "Test-Role", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/Test-Role" } } ``` 信任策略在 *Test-Role-Trust-Policy.json* 文件中定义为 JSON 文档。（文件名和扩展名没有意义。）信任策略必须指定主体。要将权限策略附加到角色，请使用 `put-role-policy` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。 **示例 2：创建具有指定最长会话持续时间的 IAM 角色** 以下 `create-role` 命令创建一个名为 `Test-Role` 的角色，并将最长会话持续时间设置为 7200 秒（2 小时）。 ``` aws iam create-role \ --role-name Test-Role \ --assume-role-policy-document file://Test-Role-Trust-Policy.json \ --max-session-duration 7200 ``` 输出： ``` { "Role": { "Path": "/", "RoleName": "Test-Role", "RoleId": "AKIAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::12345678012:role/Test-Role", "CreateDate": "2023-05-24T23:50:25+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::12345678012:root" }, "Action": "sts:AssumeRole" } ] } } } ``` 有关更多信息，请参阅 I *AWS AM 用户指南*中的[修改角色最长会话持续时间 (AWS API)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-api.html#roles-modify_max-session-duration-api)。 **示例 3：创建带有标签的 IAM 角色** 以下命令创建带有标签的 IAM 角色。`Test-Role`此示例使用带有以下 JSON 格式标签的 `--tags` 参数标志：`'{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'`。或者，`--tags` 标志可与简写格式的标签一起使用：`'Key=Department,Value=Accounting Key=Location,Value=Seattle'`。 ``` aws iam create-role \ --role-name Test-Role \ --assume-role-policy-document file://Test-Role-Trust-Policy.json \ --tags '{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}' ``` 输出： ``` { "Role": { "Path": "/", "RoleName": "Test-Role", "RoleId": "AKIAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::123456789012:role/Test-Role", "CreateDate": "2023-05-25T23:29:41+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole" } ] }, "Tags": [ { "Key": "Department", "Value": "Accounting" }, { "Key": "Location", "Value": "Seattle" } ] } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_roles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // CreateRole creates a role that trusts a specified user. The trusted user can assume // the role to acquire its permissions. // PolicyDocument shows how to work with a policy document as a data structure and // serialize it to JSON by using Go's JSON marshaler. func (wrapper RoleWrapper) CreateRole(ctx context.Context, roleName string, trustedUserArn string) (*types.Role, error) { var role *types.Role trustPolicy := PolicyDocument{ Version: "2012-10-17", Statement: []PolicyStatement{{ Effect: "Allow", Principal: map[string]string{"AWS": trustedUserArn}, Action: []string{"sts:AssumeRole"}, }}, } policyBytes, err := json.Marshal(trustPolicy) if err != nil { log.Printf("Couldn't create trust policy for %v. Here's why: %v\n", trustedUserArn, err) return nil, err } result, err := wrapper.IamClient.CreateRole(ctx, &iam.CreateRoleInput{ AssumeRolePolicyDocument: aws.String(string(policyBytes)), RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't create role %v. Here's why: %v\n", roleName, err) } else { role = result.Role } return role, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[CreateRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateRole)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import org.json.simple.JSONObject; import org.json.simple.parser.JSONParser; import software.amazon.awssdk.services.iam.model.CreateRoleRequest; import software.amazon.awssdk.services.iam.model.CreateRoleResponse; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import java.io.FileReader; /* * This example requires a trust policy document. For more information, see: * https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/ * * * In addition, set up your development environment, including your credentials. * * For information, see this documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class CreateRole { public static void main(String[] args) throws Exception { final String usage = """ Usage: \s Where: rolename - The name of the role to create.\s fileLocation - The location of the JSON document that represents the trust policy.\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String rolename = args[0]; String fileLocation = args[1]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); String result = createIAMRole(iam, rolename, fileLocation); System.out.println("Successfully created user: " + result); iam.close(); } public static String createIAMRole(IamClient iam, String rolename, String fileLocation) throws Exception { try { JSONObject jsonObject = (JSONObject) readJsonSimpleDemo(fileLocation); CreateRoleRequest request = CreateRoleRequest.builder() .roleName(rolename) .assumeRolePolicyDocument(jsonObject.toJSONString()) .description("Created using the AWS SDK for Java") .build(); CreateRoleResponse response = iam.createRole(request); System.out.println("The ARN of the role is " + response.role().arn()); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; } public static Object readJsonSimpleDemo(String filename) throws Exception { FileReader reader = new FileReader(filename); JSONParser jsonParser = new JSONParser(); return jsonParser.parse(reader); } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[CreateRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateRole)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建角色。 ``` import { CreateRoleCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} roleName */ export const createRole = (roleName) => { const command = new CreateRoleCommand({ AssumeRolePolicyDocument: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: { Service: "lambda.amazonaws.com", }, Action: "sts:AssumeRole", }, ], }), RoleName: roleName, }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateRoleCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); $assumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"{$user['Arn']}\"}, \"Action\": \"sts:AssumeRole\" }] }"; $assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument); echo "Created role: {$assumeRoleRole['RoleName']}\n"; /** * @param string $roleName * @param string $rolePolicyDocument * @return array * @throws AwsException */ public function createRole(string $roleName, string $rolePolicyDocument) { $result = $this->customWaiter(function () use ($roleName, $rolePolicyDocument) { return $this->iamClient->createRole([ 'AssumeRolePolicyDocument' => $rolePolicyDocument, 'RoleName' => $roleName, ]); }); return $result['Role']; } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[CreateRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateRole)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建一个名为 `MyNewRole` 的新角色，并将文件 `NewRoleTrustPolicy.json` 中的策略附加到该角色。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 策略文件。输出中显示的策略文档采用 URL 编码。在本例中，使用 `UrlDecode` .NET 方法对其进行解码。** ``` $results = New-IAMRole -AssumeRolePolicyDocument (Get-Content -raw NewRoleTrustPolicy.json) -RoleName MyNewRole $results ``` **输出**： ``` Arn : arn:aws:iam::123456789012:role/MyNewRole AssumeRolePolicyDocument : %7B%0D%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0D%0A%20%20%22Statement%22 %3A%20%5B%0D%0A%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%22Sid%22%3A%20%22%22%2C %0D%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0D%0A%20%20%20%20%20%20 %22Principal%22%3A%20%7B%0D%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws %3Aiam%3A%3A123456789012%3ADavid%22%0D%0A%20%20%20%20%20%20%7D%2C%0D%0A%20%20%20 %20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0D%0A%20%20%20%20%7D%0D%0A%20 %20%5D%0D%0A%7D CreateDate : 4/15/2015 11:04:23 AM Path : / RoleId : V5PAJI2KPN4EAEXAMPLE1 RoleName : MyNewRole [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument) { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:David" }, "Action": "sts:AssumeRole" } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建一个名为 `MyNewRole` 的新角色，并将文件 `NewRoleTrustPolicy.json` 中的策略附加到该角色。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 策略文件。输出中显示的策略文档采用 URL 编码。在本例中，使用 `UrlDecode` .NET 方法对其进行解码。** ``` $results = New-IAMRole -AssumeRolePolicyDocument (Get-Content -raw NewRoleTrustPolicy.json) -RoleName MyNewRole $results ``` **输出**： ``` Arn : arn:aws:iam::123456789012:role/MyNewRole AssumeRolePolicyDocument : %7B%0D%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0D%0A%20%20%22Statement%22 %3A%20%5B%0D%0A%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%22Sid%22%3A%20%22%22%2C %0D%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0D%0A%20%20%20%20%20%20 %22Principal%22%3A%20%7B%0D%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws %3Aiam%3A%3A123456789012%3ADavid%22%0D%0A%20%20%20%20%20%20%7D%2C%0D%0A%20%20%20 %20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0D%0A%20%20%20%20%7D%0D%0A%20 %20%5D%0D%0A%7D CreateDate : 4/15/2015 11:04:23 AM Path : / RoleId : V5PAJI2KPN4EAEXAMPLE1 RoleName : MyNewRole [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument) { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:David" }, "Action": "sts:AssumeRole" } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def create_role(role_name, allowed_services): """ Creates a role that lets a list of specified services assume the role. :param role_name: The name of the role. :param allowed_services: The services that can assume the role. :return: The newly created role. """ trust_policy = { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole", } for service in allowed_services ], } try: role = iam.create_role( RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy) ) logger.info("Created role %s.", role.name) except ClientError: logger.exception("Couldn't create role %s.", role_name) raise else: return role ``` + 有关 API 的详细信息，请参阅适用[CreateRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateRole)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Creates a role and attaches policies to it. # # @param role_name [String] The name of the role. # @param assume_role_policy_document [Hash] The trust relationship policy document. # @param policy_arns [Array] The ARNs of the policies to attach. # @return [String, nil] The ARN of the new role if successful, or nil if an error occurred. def create_role(role_name, assume_role_policy_document, policy_arns) response = @iam_client.create_role( role_name: role_name, assume_role_policy_document: assume_role_policy_document.to_json ) role_arn = response.role.arn policy_arns.each do |policy_arn| @iam_client.attach_role_policy( role_name: role_name, policy_arn: policy_arn ) end role_arn rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating role: #{e.message}") nil end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[CreateRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateRole)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn create_role( client: &iamClient, role_name: &str, role_policy_document: &str, ) -> Result { let response: CreateRoleOutput = loop { if let Ok(response) = client .create_role() .role_name(role_name) .assume_role_policy_document(role_policy_document) .send() .await { break response; } }; Ok(response.role.unwrap()) } ``` + 有关 API 的详细信息，请参阅适用[CreateRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_role)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->createrole( iv_rolename = iv_role_name iv_assumerolepolicydocument = iv_assume_role_policy_document ). MESSAGE 'Role created successfully.' TYPE 'I'. CATCH /aws1/cx_iamentityalrdyexex. MESSAGE 'Role already exists.' TYPE 'E'. CATCH /aws1/cx_iammalformedplydocex. MESSAGE 'Assume role policy document is malformed.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Role limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[CreateRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func createRole(name: String, policyDocument: String) async throws -> String { let input = CreateRoleInput( assumeRolePolicyDocument: policyDocument, roleName: name ) do { let output = try await client.createRole(input: input) guard let role = output.role else { throw ServiceHandlerError.noSuchRole } guard let id = role.roleId else { throw ServiceHandlerError.noSuchRole } return id } catch { print("ERROR: createRole:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[CreateRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createrole(input:))*中。 ------ # `CreateSAMLProvider`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateSAMLProvider`。 ------ #### [ CLI ] **AWS CLI** **创建 SAML 提供者** 此示例在 IAM 中创建了一个名为 `MySAMLProvider` 的新 SAML 提供者。`SAMLMetaData.xml` 文件中的 SAML 元数据文档对其进行了描述。 ``` aws iam create-saml-provider \ --saml-metadata-document file://SAMLMetaData.xml \ --name MySAMLProvider ``` 输出： ``` { "SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/MySAMLProvider" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM SAML 身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。 + 有关 API 的详细信息，请参阅SAMLProvider《*AWS CLI 命令参考*》中的 “[创建](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-saml-provider.html)”。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { CreateSAMLProviderCommand, IAMClient } from "@aws-sdk/client-iam"; import { readFileSync } from "node:fs"; import * as path from "node:path"; import { dirnameFromMetaUrl } from "@aws-doc-sdk-examples/lib/utils/util-fs.js"; const client = new IAMClient({}); /** * This sample document was generated using Auth0. * For more information on generating this document, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html#samlstep1. */ const sampleMetadataDocument = readFileSync( path.join( dirnameFromMetaUrl(import.meta.url), "../../../../resources/sample_files/sample_saml_metadata.xml", ), ); /** * * @param {*} providerName * @returns */ export const createSAMLProvider = async (providerName) => { const command = new CreateSAMLProviderCommand({ Name: providerName, SAMLMetadataDocument: sampleMetadataDocument.toString(), }); const response = await client.send(command); console.log(response); return response; }; ``` + 有关 API 的详细信息，请参阅SAMLProvider在 *适用于 JavaScript 的 AWS SDK API 参考*中[创建](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateSAMLProviderCommand)。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例在 IAM 中创建了一个新 SAML 提供者实体。其命名为 `MySAMLProvider`，通过文件 `SAMLMetaData.xml` 中的 SAML 元数据文档描述，该文件从 SAML 服务提供者网站单独下载。** ``` New-IAMSAMLProvider -Name MySAMLProvider -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml) ``` **输出**： ``` arn:aws:iam::123456789012:saml-provider/MySAMLProvider ``` + 有关 API 的详细信息，请参阅SAMLProvider在 *AWS Tools for PowerShell Cmdlet 参考中[创建](https://docs.aws.amazon.com/powershell/v4/reference) (V4)*。 **适用于 PowerShell V5 的工具** **示例 1：此示例在 IAM 中创建了一个新 SAML 提供者实体。其命名为 `MySAMLProvider`，通过文件 `SAMLMetaData.xml` 中的 SAML 元数据文档描述，该文件从 SAML 服务提供者网站单独下载。** ``` New-IAMSAMLProvider -Name MySAMLProvider -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml) ``` **输出**： ``` arn:aws:iam::123456789012:saml-provider/MySAMLProvider ``` + 有关 API 的详细信息，请参阅SAMLProvider在 *AWS Tools for PowerShell Cmdlet 参考文档 (V* 5) 中[创建](https://docs.aws.amazon.com/powershell/v5/reference)。 ------ # `CreateServiceLinkedRole`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateServiceLinkedRole`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Create an IAM service-linked role. ///

/// The name of the AWS Service. /// A description of the IAM service-linked role. /// The IAM role that was created. public async Task CreateServiceLinkedRoleAsync(string serviceName, string description) { var request = new CreateServiceLinkedRoleRequest { AWSServiceName = serviceName, Description = description }; var response = await _IAMService.CreateServiceLinkedRoleAsync(request); return response.Role; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateServiceLinkedRole)*中的。 ------ #### [ CLI ] **AWS CLI** **创建服务相关角色** 以下`create-service-linked-role`示例为指定 AWS 服务创建服务相关角色并附加指定的描述。 ``` aws iam create-service-linked-role \ --aws-service-name lex.amazonaws.com \ --description "My service-linked role to support Lex" ``` 输出： ``` { "Role": { "Path": "/aws-service-role/lex.amazonaws.com/", "RoleName": "AWSServiceRoleForLexBots", "RoleId": "AROA1234567890EXAMPLE", "Arn": "arn:aws:iam::1234567890:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots", "CreateDate": "2019-04-17T20:34:14+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Principal": { "Service": [ "lex.amazonaws.com" ] } } ] } } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用服务相关角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateServiceLinkedRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-service-linked-role.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // CreateServiceLinkedRole creates a service-linked role that is owned by the specified service. func (wrapper RoleWrapper) CreateServiceLinkedRole(ctx context.Context, serviceName string, description string) ( *types.Role, error) { var role *types.Role result, err := wrapper.IamClient.CreateServiceLinkedRole(ctx, &iam.CreateServiceLinkedRoleInput{ AWSServiceName: aws.String(serviceName), Description: aws.String(description), }) if err != nil { log.Printf("Couldn't create service-linked role %v. Here's why: %v\n", serviceName, err) } else { role = result.Role } return role, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[CreateServiceLinkedRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateServiceLinkedRole)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建服务相关角色。 ``` import { CreateServiceLinkedRoleCommand, GetRoleCommand, IAMClient, } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} serviceName */ export const createServiceLinkedRole = async (serviceName) => { const command = new CreateServiceLinkedRoleCommand({ // For a list of AWS services that support service-linked roles, // see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html. // // For a list of AWS service endpoints, see https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html. AWSServiceName: serviceName, }); try { const response = await client.send(command); console.log(response); return response; } catch (caught) { if ( caught instanceof Error && caught.name === "InvalidInputException" && caught.message.includes( "Service role name AWSServiceRoleForElasticBeanstalk has been taken in this account", ) ) { console.warn(caught.message); return client.send( new GetRoleCommand({ RoleName: "AWSServiceRoleForElasticBeanstalk" }), ); } throw caught; } }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateServiceLinkedRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateServiceLinkedRoleCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function createServiceLinkedRole($awsServiceName, $customSuffix = "", $description = "") { $createServiceLinkedRoleArguments = ['AWSServiceName' => $awsServiceName]; if ($customSuffix) { $createServiceLinkedRoleArguments['CustomSuffix'] = $customSuffix; } if ($description) { $createServiceLinkedRoleArguments['Description'] = $description; } return $this->iamClient->createServiceLinkedRole($createServiceLinkedRoleArguments); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateServiceLinkedRole)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例为自动扩缩服务创建 servicelinked 角色。** ``` New-IAMServiceLinkedRole -AWSServiceName autoscaling.amazonaws.com -CustomSuffix RoleNameEndsWithThis -Description "My service-linked role to support autoscaling" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateServiceLinkedRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例为自动扩缩服务创建 servicelinked 角色。** ``` New-IAMServiceLinkedRole -AWSServiceName autoscaling.amazonaws.com -CustomSuffix RoleNameEndsWithThis -Description "My service-linked role to support autoscaling" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateServiceLinkedRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def create_service_linked_role(service_name, description): """ Creates a service-linked role. :param service_name: The name of the service that owns the role. :param description: A description to give the role. :return: The newly created role. """ try: response = iam.meta.client.create_service_linked_role( AWSServiceName=service_name, Description=description ) role = iam.Role(response["Role"]["RoleName"]) logger.info("Created service-linked role %s.", role.name) except ClientError: logger.exception("Couldn't create service-linked role for %s.", service_name) raise else: return role ``` + 有关 API 的详细信息，请参阅适用[CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateServiceLinkedRole)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Creates a service-linked role # # @param service_name [String] The service name to create the role for. # @param description [String] The description of the service-linked role. # @param suffix [String] Suffix for customizing role name. # @return [String] The name of the created role def create_service_linked_role(service_name, description, suffix) response = @iam_client.create_service_linked_role( aws_service_name: service_name, description: description, custom_suffix: suffix ) role_name = response.role.role_name @logger.info("Created service-linked role #{role_name}.") role_name rescue Aws::Errors::ServiceError => e @logger.error("Couldn't create service-linked role for #{service_name}. Here's why:") @logger.error("\t#{e.code}: #{e.message}") raise end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[CreateServiceLinkedRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateServiceLinkedRole)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn create_service_linked_role( client: &iamClient, aws_service_name: String, custom_suffix: Option, description: Option, ) -> Result> { let response = client .create_service_linked_role() .aws_service_name(aws_service_name) .set_custom_suffix(custom_suffix) .set_description(description) .send() .await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[CreateServiceLinkedRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_service_linked_role)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listpolicyversions( iv_policyarn = iv_policy_arn ). MESSAGE 'Retrieved policy versions list.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Policy does not exist.' TYPE 'E'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing policy versions.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[CreateServiceLinkedRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func createServiceLinkedRole(service: String, suffix: String? = nil, description: String?) async throws -> IAMClientTypes.Role { let input = CreateServiceLinkedRoleInput( awsServiceName: service, customSuffix: suffix, description: description ) do { let output = try await client.createServiceLinkedRole(input: input) guard let role = output.role else { throw ServiceHandlerError.noSuchRole } return role } catch { print("ERROR: createServiceLinkedRole:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[CreateServiceLinkedRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createservicelinkedrole(input:))*中。 ------ # `CreateUser`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `CreateUser`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Create an IAM user. ///

/// The username for the new IAM user. /// The IAM user that was created. public async Task CreateUserAsync(string userName) { var response = await _IAMService.CreateUserAsync(new CreateUserRequest { UserName = userName }); return response.User; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[CreateUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateUser)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_create_user # # This function creates the specified IAM user, unless # it already exists. # # Parameters: # -u user_name -- The name of the user to create. # # Returns: # The ARN of the user. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_create_user() { local user_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_create_user" echo "Creates an AWS Identity and Access Management (IAM) user. You must supply a username:" echo " -u user_name The name of the user. It must be unique within the account." echo "" } # Retrieve the calling parameters. while getopts "u:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi iecho "Parameters:\n" iecho " User name: $user_name" iecho "" # If the user already exists, we don't want to try to create it. if (iam_user_exists "$user_name"); then errecho "ERROR: A user with that name already exists in the account." return 1 fi response=$(aws iam create-user --user-name "$user_name" \ --output text \ --query 'User.Arn') local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-user operation failed.$response" return 1 fi echo "$response" return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateUser)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::CreateUserRequest create_request; create_request.SetUserName(userName); auto create_outcome = iam.CreateUser(create_request); if (!create_outcome.IsSuccess()) { std::cerr << "Error creating IAM user " << userName << ":" << create_outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully created IAM user " << userName << std::endl; } return create_outcome.IsSuccess(); ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[CreateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateUser)*中的。 ------ #### [ CLI ] **AWS CLI** **示例 1：创建 IAM 用户** 以下 `create-user` 命令可在当前账户中创建一个名为 `Bob` 的 IAM 用户。 ``` aws iam create-user \ --user-name Bob ``` 输出： ``` { "User": { "UserName": "Bob", "Path": "/", "CreateDate": "2023-06-08T03:20:41.270Z", "UserId": "AIDAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::123456789012:user/Bob" } } ``` 有关更多信息，请参阅 [IAM 用户指南中的在您的 AWS 账户中创建AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) *IAM 用户*。 **示例 2：在指定路径创建 IAM 用户** 以下 `create-user` 命令可在指定路径创建一个名为 `Bob` 的 IAM 用户。 ``` aws iam create-user \ --user-name Bob \ --path /division_abc/subdivision_xyz/ ``` 输出： ``` { "User": { "Path": "/division_abc/subdivision_xyz/", "UserName": "Bob", "UserId": "AIDAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::12345678012:user/division_abc/subdivision_xyz/Bob", "CreateDate": "2023-05-24T18:20:17+00:00" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 标识符](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)。 **示例 3：创建带有标签的 IAM 用户** 以下 `create-user` 命令创建一个名为 `Bob` 且带有标签的 IAM 用户。此示例使用带有以下 JSON 格式标签的 `--tags` 参数标志：`'{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}'`。或者，`--tags` 标志可与简写格式的标签一起使用：`'Key=Department,Value=Accounting Key=Location,Value=Seattle'`。 ``` aws iam create-user \ --user-name Bob \ --tags '{"Key": "Department", "Value": "Accounting"}' '{"Key": "Location", "Value": "Seattle"}' ``` 输出： ``` { "User": { "Path": "/", "UserName": "Bob", "UserId": "AIDAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::12345678012:user/Bob", "CreateDate": "2023-05-25T17:14:21+00:00", "Tags": [ { "Key": "Department", "Value": "Accounting" }, { "Key": "Location", "Value": "Seattle" } ] } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_users.html)。 **示例 3：创建具有设定权限边界的 IAM 用户** 以下`create-user`命令创建一个名为的 IAM 用户，`Bob`其权限范围为 AmazonS3 FullAccess。 ``` aws iam create-user \ --user-name Bob \ --permissions-boundary arn:aws:iam::aws:policy/AmazonS3FullAccess ``` 输出： ``` { "User": { "Path": "/", "UserName": "Bob", "UserId": "AIDAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::12345678012:user/Bob", "CreateDate": "2023-05-24T17:50:53+00:00", "PermissionsBoundary": { "PermissionsBoundaryType": "Policy", "PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess" } } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 实体的权限边界](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-user.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // CreateUser creates a new user with the specified name. func (wrapper UserWrapper) CreateUser(ctx context.Context, userName string) (*types.User, error) { var user *types.User result, err := wrapper.IamClient.CreateUser(ctx, &iam.CreateUserInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err) } else { user = result.User } return user, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[CreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateUser)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.core.waiters.WaiterResponse; import software.amazon.awssdk.services.iam.model.CreateUserRequest; import software.amazon.awssdk.services.iam.model.CreateUserResponse; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.waiters.IamWaiter; import software.amazon.awssdk.services.iam.model.GetUserRequest; import software.amazon.awssdk.services.iam.model.GetUserResponse; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class CreateUser { public static void main(String[] args) { final String usage = """ Usage: \s Where: username - The name of the user to create.\s """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String username = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); String result = createIAMUser(iam, username); System.out.println("Successfully created user: " + result); iam.close(); } public static String createIAMUser(IamClient iam, String username) { try { // Create an IamWaiter object. IamWaiter iamWaiter = iam.waiter(); CreateUserRequest request = CreateUserRequest.builder() .userName(username) .build(); CreateUserResponse response = iam.createUser(request); // Wait until the user is created. GetUserRequest userRequest = GetUserRequest.builder() .userName(response.user().userName()) .build(); WaiterResponse waitUntilUserExists = iamWaiter.waitUntilUserExists(userRequest); waitUntilUserExists.matched().response().ifPresent(System.out::println); return response.user().userName(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[CreateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateUser)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。创建用户。 ``` import { CreateUserCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} name */ export const createUser = (name) => { const command = new CreateUserCommand({ UserName: name }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-creating-users](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-creating-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateUserCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { UserName: process.argv[2], }; iam.getUser(params, function (err, data) { if (err && err.code === "NoSuchEntity") { iam.createUser(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); } else { console.log( "User " + process.argv[2] + " already exists", data.User.UserId ); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-creating-users](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-creating-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[CreateUser](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/CreateUser)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun createIAMUser(usernameVal: String?): String? { val request = CreateUserRequest { userName = usernameVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.createUser(request) return response.user?.userName } } ``` + 有关 API 的详细信息，请参阅适用[CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); $user = $service->createUser("iam_demo_user_$uuid"); echo "Created user with the arn: {$user['Arn']}\n"; /** * @param string $name * @return array * @throws AwsException */ public function createUser(string $name): array { $result = $this->iamClient->createUser([ 'UserName' => $name, ]); return $result['User']; } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[CreateUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateUser)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建一个名为 `Bob` 的 IAM 用户。如果 Bob 需要登录 AWS 控制台，则必须单独运行命令`New-IAMLoginProfile`来创建带有密码的登录配置文件。如果 Bob 需要运行 AWS PowerShell 或跨平台 CLI 命令或 AWS 进行 API 调用，则必须单独运行该`New-IAMAccessKey`命令来创建访问密钥。** ``` New-IAMUser -UserName Bob ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 4/22/2015 12:02:11 PM PasswordLastUsed : 1/1/0001 12:00:00 AM Path : / UserId : AIDAJWGEFDMEMEXAMPLE1 UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateUser](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建一个名为 `Bob` 的 IAM 用户。如果 Bob 需要登录 AWS 控制台，则必须单独运行命令`New-IAMLoginProfile`来创建带有密码的登录配置文件。如果 Bob 需要运行 AWS PowerShell 或跨平台 CLI 命令或 AWS 进行 API 调用，则必须单独运行该`New-IAMAccessKey`命令来创建访问密钥。** ``` New-IAMUser -UserName Bob ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 4/22/2015 12:02:11 PM PasswordLastUsed : 1/1/0001 12:00:00 AM Path : / UserId : AIDAJWGEFDMEMEXAMPLE1 UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateUser](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def create_user(user_name): """ Creates a user. By default, a user has no permissions or access keys. :param user_name: The name of the user. :return: The newly created user. """ try: user = iam.create_user(UserName=user_name) logger.info("Created user %s.", user.name) except ClientError: logger.exception("Couldn't create user %s.", user_name) raise else: return user ``` + 有关 API 的详细信息，请参阅适用[CreateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateUser)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Creates a user and their login profile # # @param user_name [String] The name of the user # @param initial_password [String] The initial password for the user # @return [String, nil] The ID of the user if created, or nil if an error occurred def create_user(user_name, initial_password) response = @iam_client.create_user(user_name: user_name) @iam_client.wait_until(:user_exists, user_name: user_name) @iam_client.create_login_profile( user_name: user_name, password: initial_password, password_reset_required: true ) @logger.info("User '#{user_name}' created successfully.") response.user.user_id rescue Aws::IAM::Errors::EntityAlreadyExists @logger.error("Error creating user '#{user_name}': user already exists.") nil rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating user '#{user_name}': #{e.message}") nil end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[CreateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateUser)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn create_user(client: &iamClient, user_name: &str) -> Result { let response = client.create_user().user_name(user_name).send().await?; Ok(response.user.unwrap()) } ``` + 有关 API 的详细信息，请参阅适用[CreateUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_user)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->createuser( iv_username = iv_user_name ). MESSAGE 'User created successfully.' TYPE 'I'. CATCH /aws1/cx_iamentityalrdyexex. MESSAGE 'User already exists.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Limit exceeded for IAM users.' TYPE 'E'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Entity does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[CreateUser](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func createUser(name: String) async throws -> String { let input = CreateUserInput( userName: name ) do { let output = try await client.createUser(input: input) guard let user = output.user else { throw ServiceHandlerError.noSuchUser } guard let id = user.userId else { throw ServiceHandlerError.noSuchUser } return id } catch { print("ERROR: createUser:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[CreateUser](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/createuser(input:))*中。 ------ # 将 `CreateVirtualMfaDevice` 与 CLI 配合使用以下代码示例演示如何使用 `CreateVirtualMfaDevice`。 ------ #### [ CLI ] **AWS CLI** **创建虚拟 MFA 设备** 此示例创建名为 `BobsMFADevice` 的新虚拟 MFA 设备。它会创建一个包含引导信息的、名为 `QRCode.png` 的文件，并将其放在 `C:/` 目录中。本示例中使用的引导方法为 `QRCodePNG`。 ``` aws iam create-virtual-mfa-device \ --virtual-mfa-device-name BobsMFADevice \ --outfile C:/QRCode.png \ --bootstrap-method QRCodePNG ``` 输出： ``` { "VirtualMFADevice": { "SerialNumber": "arn:aws:iam::210987654321:mfa/BobsMFADevice" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 AWS中使用多重身份验证（MFA）](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[CreateVirtualMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-virtual-mfa-device.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建一个新的虚拟 MFA 设备。第 2 行和第 3 行提取虚拟 MFA 软件程序创建账户所需的 `Base32StringSeed` 值（作为二维码的替代方案）。使用该值配置程序后，从程序中获取两个连续的身份验证码。最后，使用最后一条命令将虚拟 MFA 设备关联到 IAM 用户 `Bob`，并将账户与两个身份验证码同步。** ``` $Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice $SR = New-Object System.IO.StreamReader($Device.Base32StringSeed) $base32stringseed = $SR.ReadToEnd() $base32stringseed CZWZMCQNW4DEXAMPLE3VOUGXJFZYSUW7EXAMPLECR4NJFD65GX2SLUDW2EXAMPLE ``` **输出**： ``` -- Pause here to enter base-32 string seed code into virtual MFA program to register account. -- Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012 ``` **示例 2：此示例创建一个新虚拟 MFA 设备。第 2 行和第 3 行提取 `QRCodePNG` 值并将其写入文件。虚拟的 MFA 软件程序可以扫描此图像以创建账户（作为手动输入 Base32 StringSeed 值的替代方法）。在虚拟 MFA 程序中创建账户后，获取两个连续的身份验证码，然后在最后一条命令中输入验证码，将虚拟 MFA 设备关联到 IAM 用户 `Bob` 并同步账户。** ``` $Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice $BR = New-Object System.IO.BinaryReader($Device.QRCodePNG) $BR.ReadBytes($BR.BaseStream.Length) | Set-Content -Encoding Byte -Path QRCode.png ``` **输出**： ``` -- Pause here to scan PNG with virtual MFA program to register account. -- Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [CreateVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建一个新的虚拟 MFA 设备。第 2 行和第 3 行提取虚拟 MFA 软件程序创建账户所需的 `Base32StringSeed` 值（作为二维码的替代方案）。使用该值配置程序后，从程序中获取两个连续的身份验证码。最后，使用最后一条命令将虚拟 MFA 设备关联到 IAM 用户 `Bob`，并将账户与两个身份验证码同步。** ``` $Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice $SR = New-Object System.IO.StreamReader($Device.Base32StringSeed) $base32stringseed = $SR.ReadToEnd() $base32stringseed CZWZMCQNW4DEXAMPLE3VOUGXJFZYSUW7EXAMPLECR4NJFD65GX2SLUDW2EXAMPLE ``` **输出**： ``` -- Pause here to enter base-32 string seed code into virtual MFA program to register account. -- Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012 ``` **示例 2：此示例创建一个新虚拟 MFA 设备。第 2 行和第 3 行提取 `QRCodePNG` 值并将其写入文件。虚拟的 MFA 软件程序可以扫描此图像以创建账户（作为手动输入 Base32 StringSeed 值的替代方法）。在虚拟 MFA 程序中创建账户后，获取两个连续的身份验证码，然后在最后一条命令中输入验证码，将虚拟 MFA 设备关联到 IAM 用户 `Bob` 并同步账户。** ``` $Device = New-IAMVirtualMFADevice -VirtualMFADeviceName BobsMFADevice $BR = New-Object System.IO.BinaryReader($Device.QRCodePNG) $BR.ReadBytes($BR.BaseStream.Length) | Set-Content -Encoding Byte -Path QRCode.png ``` **输出**： ``` -- Pause here to scan PNG with virtual MFA program to register account. -- Enable-IAMMFADevice -SerialNumber $Device.SerialNumber -UserName Bob -AuthenticationCode1 123456 -AuthenticationCode2 789012 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [CreateVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `DeactivateMfaDevice` 与 CLI 配合使用以下代码示例演示如何使用 `DeactivateMfaDevice`。 ------ #### [ CLI ] **AWS CLI** **停用 MFA 设备** 此命令使用与用户 `Bob` 关联的 ARN `arn:aws:iam::210987654321:mfa/BobsMFADevice` 停用虚拟 MFA 设备。 ``` aws iam deactivate-mfa-device \ --user-name Bob \ --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 AWS中使用多重身份验证（MFA）](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeactivateMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令禁用与具有序列号 `123456789012` 的用户 `Bob` 关联的硬件 MFA 设备。** ``` Disable-IAMMFADevice -UserName "Bob" -SerialNumber "123456789012" ``` **示例 2：此命令禁用与具有 ARN `arn:aws:iam::210987654321:mfa/David` 的用户 `David` 关联的虚拟 MFA 设备。请注意，虚拟 MFA 设备不会从账户中删除。虚拟设备仍然存在并出现在 `Get-IAMVirtualMFADevice` 命令的输出中。您必须先使用 `Remove-IAMVirtualMFADevice` 命令删除旧的虚拟 MFA 设备，然后才能为同一用户创建新的虚拟 MFA 设备。** ``` Disable-IAMMFADevice -UserName "David" -SerialNumber "arn:aws:iam::210987654321:mfa/David" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeactivateMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令禁用与具有序列号 `123456789012` 的用户 `Bob` 关联的硬件 MFA 设备。** ``` Disable-IAMMFADevice -UserName "Bob" -SerialNumber "123456789012" ``` **示例 2：此命令禁用与具有 ARN `arn:aws:iam::210987654321:mfa/David` 的用户 `David` 关联的虚拟 MFA 设备。请注意，虚拟 MFA 设备不会从账户中删除。虚拟设备仍然存在并出现在 `Get-IAMVirtualMFADevice` 命令的输出中。您必须先使用 `Remove-IAMVirtualMFADevice` 命令删除旧的虚拟 MFA 设备，然后才能为同一用户创建新的虚拟 MFA 设备。** ``` Disable-IAMMFADevice -UserName "David" -SerialNumber "arn:aws:iam::210987654321:mfa/David" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeactivateMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeleteAccessKey`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteAccessKey`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) + [管理访问密钥](iam_example_iam_Scenario_ManageAccessKeys_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Delete an IAM user's access key. ///

/// The Id for the IAM access key. /// The username of the user that owns the IAM /// access key. /// A Boolean value indicating the success of the action. public async Task DeleteAccessKeyAsync(string accessKeyId, string userName) { var response = await _IAMService.DeleteAccessKeyAsync(new DeleteAccessKeyRequest { AccessKeyId = accessKeyId, UserName = userName, }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DeleteAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteAccessKey)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_delete_access_key # # This function deletes an IAM access key for the specified IAM user. # # Parameters: # -u user_name -- The name of the user. # -k access_key -- The access key to delete. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_access_key() { local user_name access_key response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_access_key" echo "Deletes an AWS Identity and Access Management (IAM) access key for the specified IAM user" echo " -u user_name The name of the user." echo " -k access_key The access key to delete." echo "" } # Retrieve the calling parameters. while getopts "u:k:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; k) access_key="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi if [[ -z "$access_key" ]]; then errecho "ERROR: You must provide an access key with the -k parameter." usage return 1 fi iecho "Parameters:\n" iecho " Username: $user_name" iecho " Access key: $access_key" iecho "" response=$(aws iam delete-access-key \ --user-name "$user_name" \ --access-key-id "$access_key") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-access-key operation failed.\n$response" return 1 fi iecho "delete-access-key response:$response" iecho return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteAccessKey)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::deleteAccessKey(const Aws::String &userName, const Aws::String &accessKeyID, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::DeleteAccessKeyRequest request; request.SetUserName(userName); request.SetAccessKeyId(accessKeyID); auto outcome = iam.DeleteAccessKey(request); if (!outcome.IsSuccess()) { std::cerr << "Error deleting access key " << accessKeyID << " from user " << userName << ": " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully deleted access key " << accessKeyID << " for IAM user " << userName << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccessKey)*中的。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 用户的访问密钥** 以下 `delete-access-key` 命令将删除名为 `Bob` IAM 用户的指定访问密钥（访问密钥 ID 和秘密访问密钥）。 ``` aws iam delete-access-key \ --access-key-id AKIDPMS9RO4H3FEXAMPLE \ --user-name Bob ``` 此命令不生成任何输出。要列出为 IAM 用户定义的访问密钥，请使用 `list-access-keys` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的访问密钥](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteAccessKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-access-key.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // DeleteAccessKey deletes an access key from a user. func (wrapper UserWrapper) DeleteAccessKey(ctx context.Context, userName string, keyId string) error { _, err := wrapper.IamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{ AccessKeyId: aws.String(keyId), UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't delete access key %v. Here's why: %v\n", keyId, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[DeleteAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteAccessKey)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.DeleteAccessKeyRequest; import software.amazon.awssdk.services.iam.model.IamException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class DeleteAccessKey { public static void main(String[] args) { final String usage = """ Usage: \s Where: username - The name of the user.\s accessKey - The access key ID for the secret access key you want to delete.\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String username = args[0]; String accessKey = args[1]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); deleteKey(iam, username, accessKey); iam.close(); } public static void deleteKey(IamClient iam, String username, String accessKey) { try { DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder() .accessKeyId(accessKey) .userName(username) .build(); iam.deleteAccessKey(request); System.out.println("Successfully deleted access key " + accessKey + " from user " + username); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccessKey)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。删除访问密钥。 ``` import { DeleteAccessKeyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} userName * @param {string} accessKeyId */ export const deleteAccessKey = (userName, accessKeyId) => { const command = new DeleteAccessKeyCommand({ AccessKeyId: accessKeyId, UserName: userName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-deleting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccessKeyCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { AccessKeyId: "ACCESS_KEY_ID", UserName: "USER_NAME", }; iam.deleteAccessKey(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-deleting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteAccessKey](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteAccessKey)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun deleteKey( userNameVal: String, accessKey: String, ) { val request = DeleteAccessKeyRequest { accessKeyId = accessKey userName = userNameVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> iamClient.deleteAccessKey(request) println("Successfully deleted access key $accessKey from $userNameVal") } } ``` + 有关 API 的详细信息，请参阅适用[DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例`AKIAIOSFODNN7EXAMPLE`从名为的用户删除带有密钥 ID 的 AWS 访问密钥对`Bob`。** ``` Remove-IAMAccessKey -AccessKeyId AKIAIOSFODNN7EXAMPLE -UserName Bob -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteAccessKey](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例`AKIAIOSFODNN7EXAMPLE`从名为的用户删除带有密钥 ID 的 AWS 访问密钥对`Bob`。** ``` Remove-IAMAccessKey -AccessKeyId AKIAIOSFODNN7EXAMPLE -UserName Bob -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteAccessKey](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def delete_key(user_name, key_id): """ Deletes a user's access key. :param user_name: The user that owns the key. :param key_id: The ID of the key to delete. """ try: key = iam.AccessKey(user_name, key_id) key.delete() logger.info("Deleted access key %s for %s.", key.id, key.user_name) except ClientError: logger.exception("Couldn't delete key %s for %s", key_id, user_name) raise ``` + 有关 API 的详细信息，请参阅适用[DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、停用和删除访问密钥。 ``` # Manages access keys for IAM users class AccessKeyManager def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'AccessKeyManager' end # Lists access keys for a user # # @param user_name [String] The name of the user. def list_access_keys(user_name) response = @iam_client.list_access_keys(user_name: user_name) if response.access_key_metadata.empty? @logger.info("No access keys found for user '#{user_name}'.") else response.access_key_metadata.map(&:access_key_id) end rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Error listing access keys: cannot find user '#{user_name}'.") [] rescue StandardError => e @logger.error("Error listing access keys: #{e.message}") [] end # Creates an access key for a user # # @param user_name [String] The name of the user. # @return [Boolean] def create_access_key(user_name) response = @iam_client.create_access_key(user_name: user_name) access_key = response.access_key @logger.info("Access key created for user '#{user_name}': #{access_key.access_key_id}") access_key rescue Aws::IAM::Errors::LimitExceeded @logger.error('Error creating access key: limit exceeded. Cannot create more.') nil rescue StandardError => e @logger.error("Error creating access key: #{e.message}") nil end # Deactivates an access key # # @param user_name [String] The name of the user. # @param access_key_id [String] The ID for the access key. # @return [Boolean] def deactivate_access_key(user_name, access_key_id) @iam_client.update_access_key( user_name: user_name, access_key_id: access_key_id, status: 'Inactive' ) true rescue StandardError => e @logger.error("Error deactivating access key: #{e.message}") false end # Deletes an access key # # @param user_name [String] The name of the user. # @param access_key_id [String] The ID for the access key. # @return [Boolean] def delete_access_key(user_name, access_key_id) @iam_client.delete_access_key( user_name: user_name, access_key_id: access_key_id ) true rescue StandardError => e @logger.error("Error deleting access key: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccessKey)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn delete_access_key( client: &iamClient, user: &User, key: &AccessKey, ) -> Result<(), iamError> { loop { match client .delete_access_key() .user_name(user.user_name()) .access_key_id(key.access_key_id()) .send() .await { Ok(_) => { break; } Err(e) => { println!("Can't delete the access key: {:?}", e); sleep(Duration::from_secs(2)).await; } } } Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[DeleteAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_access_key)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->deleteaccesskey( iv_accesskeyid = iv_access_key_id iv_username = iv_user_name ). MESSAGE 'Access key deleted successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Access key or user does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DeleteAccessKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func deleteAccessKey(user: IAMClientTypes.User? = nil, key: IAMClientTypes.AccessKey) async throws { let userName: String? if user != nil { userName = user!.userName } else { userName = nil } let input = DeleteAccessKeyInput( accessKeyId: key.accessKeyId, userName: userName ) do { _ = try await iamClient.deleteAccessKey(input: input) } catch { print("ERROR: deleteAccessKey:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[DeleteAccessKey](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleteaccesskey(input:))*中。 ------ # `DeleteAccountAlias`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteAccountAlias`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理您的账户](iam_example_iam_Scenario_AccountManagement_section.md) ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::deleteAccountAlias(const Aws::String &accountAlias, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::DeleteAccountAliasRequest request; request.SetAccountAlias(accountAlias); const auto outcome = iam.DeleteAccountAlias(request); if (!outcome.IsSuccess()) { std::cerr << "Error deleting account alias " << accountAlias << ": " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully deleted account alias " << accountAlias << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[DeleteAccountAlias](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccountAlias)*中的。 ------ #### [ CLI ] **AWS CLI** **删除账户别名** 以下 `delete-account-alias` 命令将删除当前账户的别名 `mycompany`。 ``` aws iam delete-account-alias \ --account-alias mycompany ``` 此命令不生成任何输出。有关更多信息，请参阅 *AWS IAM 用户指南*中的[您的 AWS 账户 ID 及其别名](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteAccountAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-account-alias.html)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.DeleteAccountAliasRequest; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class DeleteAccountAlias { public static void main(String[] args) { final String usage = """ Usage: \s Where: alias - The account alias to delete.\s """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String alias = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); deleteIAMAccountAlias(iam, alias); iam.close(); } public static void deleteIAMAccountAlias(IamClient iam, String alias) { try { DeleteAccountAliasRequest request = DeleteAccountAliasRequest.builder() .accountAlias(alias) .build(); iam.deleteAccountAlias(request); System.out.println("Successfully deleted account alias " + alias); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done"); } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[DeleteAccountAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccountAlias)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。删除账户别名。 ``` import { DeleteAccountAliasCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} alias */ export const deleteAccountAlias = (alias) => { const command = new DeleteAccountAliasCommand({ AccountAlias: alias }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-deleting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteAccountAlias](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccountAliasCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.deleteAccountAlias({ AccountAlias: process.argv[2] }, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-deleting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteAccountAlias](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteAccountAlias)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun deleteIAMAccountAlias(alias: String) { val request = DeleteAccountAliasRequest { accountAlias = alias } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> iamClient.deleteAccountAlias(request) println("Successfully deleted account alias $alias") } } ``` + 有关 API 的详细信息，请参阅适用[DeleteAccountAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从您的账户中删除了账户别名 AWS 账户。别名为 https://mycom panyaws.signin.aws.amazon.com/console 的用户登录页面不再起作用。相反，你必须使用带有 AWS 账户身份证号的原始 URL，网址为 https: //.signin.aws.amazon.com/console。** ``` Remove-IAMAccountAlias -AccountAlias mycompanyaws ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteAccountAlias](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从您的账户中删除了账户别名 AWS 账户。别名为 https://mycom panyaws.signin.aws.amazon.com/console 的用户登录页面不再起作用。相反，你必须使用带有 AWS 账户身份证号的原始 URL，网址为 https: //.signin.aws.amazon.com/console。** ``` Remove-IAMAccountAlias -AccountAlias mycompanyaws ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteAccountAlias](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def delete_alias(alias): """ Removes the alias from the current account. :param alias: The alias to remove. """ try: iam.meta.client.delete_account_alias(AccountAlias=alias) logger.info("Removed alias '%s' from your account.", alias) except ClientError: logger.exception("Couldn't remove alias '%s' from your account.", alias) raise ``` + 有关 API 的详细信息，请参阅适用[DeleteAccountAlias](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccountAlias)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出、创建和删除账户别名。 ``` class IAMAliasManager # Initializes the IAM client and logger # # @param iam_client [Aws::IAM::Client] An initialized IAM client. def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger end # Lists available AWS account aliases. def list_aliases response = @iam_client.list_account_aliases if response.account_aliases.count.positive? @logger.info('Account aliases are:') response.account_aliases.each { |account_alias| @logger.info(" #{account_alias}") } else @logger.info('No account aliases found.') end rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing account aliases: #{e.message}") end # Creates an AWS account alias. # # @param account_alias [String] The name of the account alias to create. # @return [Boolean] true if the account alias was created; otherwise, false. def create_account_alias(account_alias) @iam_client.create_account_alias(account_alias: account_alias) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating account alias: #{e.message}") false end # Deletes an AWS account alias. # # @param account_alias [String] The name of the account alias to delete. # @return [Boolean] true if the account alias was deleted; otherwise, false. def delete_account_alias(account_alias) @iam_client.delete_account_alias(account_alias: account_alias) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting account alias: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DeleteAccountAlias](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccountAlias)*中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->deleteaccountalias( iv_accountalias = iv_account_alias ). MESSAGE 'Account alias deleted successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Account alias does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DeleteAccountAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `DeleteAccountPasswordPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteAccountPasswordPolicy`。 ------ #### [ CLI ] **AWS CLI** **删除当前账户密码策略** 以下 `delete-account-password-policy` 命令将删除当前账户的密码策略。 ``` aws iam delete-account-password-policy ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[为 IAM 用户设置账户密码策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteAccountPasswordPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-account-password-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除了的密码策略 AWS 账户并将所有值重置为其原始默认值。如果当前不存在密码策略，则会显示以下错误消息：找 PasswordPolicy 不到带有名称的账户策略。** ``` Remove-IAMAccountPasswordPolicy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除了的密码策略 AWS 账户并将所有值重置为其原始默认值。如果当前不存在密码策略，则会显示以下错误消息：找 PasswordPolicy 不到带有名称的账户策略。** ``` Remove-IAMAccountPasswordPolicy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeleteGroup`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteGroup`。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 组** 以下 `delete-group` 命令将删除名为 `MyTestGroup` 的 IAM 组。 ``` aws iam delete-group \ --group-name MyTestGroup ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[删除 IAM 用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_delete.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { DeleteGroupCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} groupName */ export const deleteGroup = async (groupName) => { const command = new DeleteGroupCommand({ GroupName: groupName, }); const response = await client.send(command); console.log(response); return response; }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteGroupCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除名为 `MyTestGroup` 的 IAM 组。第一条命令删除作为该组成员的所有 IAM 用户，第二条命令删除该 IAM 组。这两条命令都可以在没有任何确认提示的情况下生效。** ``` (Get-IAMGroup -GroupName MyTestGroup).Users | Remove-IAMUserFromGroup -GroupName MyTestGroup -Force Remove-IAMGroup -GroupName MyTestGroup -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteGroup](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除名为 `MyTestGroup` 的 IAM 组。第一条命令删除作为该组成员的所有 IAM 用户，第二条命令删除该 IAM 组。这两条命令都可以在没有任何确认提示的情况下生效。** ``` (Get-IAMGroup -GroupName MyTestGroup).Users | Remove-IAMUserFromGroup -GroupName MyTestGroup -Force Remove-IAMGroup -GroupName MyTestGroup -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteGroup](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `DeleteGroupPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteGroupPolicy`。 ------ #### [ CLI ] **AWS CLI** **从 IAM 组中删除策略** 以下 `delete-group-policy` 命令可将名为 `ExamplePolicy` 的策略从名为 `Admins` 的组中删除。 ``` aws iam delete-group-policy \ --group-name Admins \ --policy-name ExamplePolicy ``` 此命令不生成任何输出。要查看附加到组的策略，请使用 `list-group-policies` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从 IAM 组 `Testers` 中删除名为 `TesterPolicy` 的内联策略。该组中的用户会立即失去该策略中定义的权限。** ``` Remove-IAMGroupPolicy -GroupName Testers -PolicyName TestPolicy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从 IAM 组 `Testers` 中删除名为 `TesterPolicy` 的内联策略。该组中的用户会立即失去该策略中定义的权限。** ``` Remove-IAMGroupPolicy -GroupName Testers -PolicyName TestPolicy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeleteInstanceProfile`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteInstanceProfile`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [构建和管理弹性服务](iam_example_cross_ResilientService_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/cross-service/ResilientService/AutoScalerActions#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Detaches a role from an instance profile, detaches policies from the role, /// and deletes all the resources. ///

/// The name of the profile to delete. /// The name of the role to delete. /// Async task. public async Task DeleteInstanceProfile(string profileName, string roleName) { try { await _amazonIam.RemoveRoleFromInstanceProfileAsync( new RemoveRoleFromInstanceProfileRequest() { InstanceProfileName = profileName, RoleName = roleName }); await _amazonIam.DeleteInstanceProfileAsync( new DeleteInstanceProfileRequest() { InstanceProfileName = profileName }); var attachedPolicies = await _amazonIam.ListAttachedRolePoliciesAsync( new ListAttachedRolePoliciesRequest() { RoleName = roleName }); foreach (var policy in attachedPolicies.AttachedPolicies) { await _amazonIam.DetachRolePolicyAsync( new DetachRolePolicyRequest() { RoleName = roleName, PolicyArn = policy.PolicyArn }); // Delete the custom policies only. if (!policy.PolicyArn.StartsWith("arn:aws:iam::aws")) { await _amazonIam.DeletePolicyAsync( new Amazon.IdentityManagement.Model.DeletePolicyRequest() { PolicyArn = policy.PolicyArn }); } } await _amazonIam.DeleteRoleAsync( new DeleteRoleRequest() { RoleName = roleName }); } catch (NoSuchEntityException) { Console.WriteLine($"Instance profile {profileName} does not exist."); } } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DeleteInstanceProfile](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteInstanceProfile)*中的。 ------ #### [ CLI ] **AWS CLI** **删除实例配置文件** 以下 `delete-instance-profile` 命令将删除名为 `ExampleInstanceProfile` 的实例配置文件。 ``` aws iam delete-instance-profile \ --instance-profile-name ExampleInstanceProfile ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用实例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-instance-profile.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-resilient-service#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` const client = new IAMClient({}); await client.send( new DeleteInstanceProfileCommand({ InstanceProfileName: NAMES.instanceProfileName, }), ); ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteInstanceProfile](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteInstanceProfileCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除名为 `MyAppInstanceProfile` 的 EC2 实例配置文件。第一条命令从实例配置文件中分离所有角色，然后第二条命令删除实例配置文件。** ``` (Get-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile).Roles | Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyAppInstanceProfile Remove-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除名为 `MyAppInstanceProfile` 的 EC2 实例配置文件。第一条命令从实例配置文件中分离所有角色，然后第二条命令删除实例配置文件。** ``` (Get-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile).Roles | Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyAppInstanceProfile Remove-IAMInstanceProfile -InstanceProfileName MyAppInstanceProfile ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例从实例配置文件中移除该角色，分离附加到该角色的所有策略，然后删除所有资源。 ``` class AutoScalingWrapper: """ Encapsulates Amazon EC2 Auto Scaling and EC2 management actions. """ def __init__( self, resource_prefix: str, inst_type: str, ami_param: str, autoscaling_client: boto3.client, ec2_client: boto3.client, ssm_client: boto3.client, iam_client: boto3.client, ): """ Initializes the AutoScaler class with the necessary parameters. :param resource_prefix: The prefix for naming AWS resources that are created by this class. :param inst_type: The type of EC2 instance to create, such as t3.micro. :param ami_param: The Systems Manager parameter used to look up the AMI that is created. :param autoscaling_client: A Boto3 EC2 Auto Scaling client. :param ec2_client: A Boto3 EC2 client. :param ssm_client: A Boto3 Systems Manager client. :param iam_client: A Boto3 IAM client. """ self.inst_type = inst_type self.ami_param = ami_param self.autoscaling_client = autoscaling_client self.ec2_client = ec2_client self.ssm_client = ssm_client self.iam_client = iam_client sts_client = boto3.client("sts") self.account_id = sts_client.get_caller_identity()["Account"] self.key_pair_name = f"{resource_prefix}-key-pair" self.launch_template_name = f"{resource_prefix}-template-" self.group_name = f"{resource_prefix}-group" # Happy path self.instance_policy_name = f"{resource_prefix}-pol" self.instance_role_name = f"{resource_prefix}-role" self.instance_profile_name = f"{resource_prefix}-prof" # Failure mode self.bad_creds_policy_name = f"{resource_prefix}-bc-pol" self.bad_creds_role_name = f"{resource_prefix}-bc-role" self.bad_creds_profile_name = f"{resource_prefix}-bc-prof" def delete_instance_profile(self, profile_name: str, role_name: str) -> None: """ Detaches a role from an instance profile, detaches policies from the role, and deletes all the resources. :param profile_name: The name of the profile to delete. :param role_name: The name of the role to delete. """ try: self.iam_client.remove_role_from_instance_profile( InstanceProfileName=profile_name, RoleName=role_name ) self.iam_client.delete_instance_profile(InstanceProfileName=profile_name) log.info("Deleted instance profile %s.", profile_name) attached_policies = self.iam_client.list_attached_role_policies( RoleName=role_name ) for pol in attached_policies["AttachedPolicies"]: self.iam_client.detach_role_policy( RoleName=role_name, PolicyArn=pol["PolicyArn"] ) if not pol["PolicyArn"].startswith("arn:aws:iam::aws"): self.iam_client.delete_policy(PolicyArn=pol["PolicyArn"]) log.info("Detached and deleted policy %s.", pol["PolicyName"]) self.iam_client.delete_role(RoleName=role_name) log.info("Deleted role %s.", role_name) except ClientError as err: log.error( f"Couldn't delete instance profile {profile_name} or detach " f"policies and delete role {role_name}: {err}" ) if err.response["Error"]["Code"] == "NoSuchEntity": log.info( "Instance profile %s doesn't exist, nothing to do.", profile_name ) ``` + 有关 API 的详细信息，请参阅适用[DeleteInstanceProfile](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteInstanceProfile)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ # 将 `DeleteLoginProfile` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteLoginProfile`。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 用户的密码** 以下 `delete-login-profile` 命令删除名为 `Bob` 的 IAM 用户的密码。 ``` aws iam delete-login-profile \ --user-name Bob ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的密码](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-login-profile.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除名为 `Bob` 的 IAM 用户的登录配置文件。这会阻止用户登录控制台。 AWS 它不会阻止用户使用可能仍附加到用户账户的 AWS 访问密钥运行任何 AWS CLI PowerShell、或 API 调用。** ``` Remove-IAMLoginProfile -UserName Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除名为 `Bob` 的 IAM 用户的登录配置文件。这会阻止用户登录控制台。 AWS 它不会阻止用户使用可能仍附加到用户账户的 AWS 访问密钥运行任何 AWS CLI PowerShell、或 API 调用。** ``` Remove-IAMLoginProfile -UserName Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `DeleteOpenIdConnectProvider` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteOpenIdConnectProvider`。 ------ #### [ CLI ] **AWS CLI** **删除 IAM OpenID Connect 身份提供者** 此示例删除了连接到提供者 `example.oidcprovider.com` 的 IAM OIDC 提供者。 ``` aws iam delete-open-id-connect-provider \ --open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 OpenID Connect（OIDC）身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-open-id-connect-provider.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除了连接到提供者 `example.oidcprovider.com` 的 IAM OIDC 提供者。确保更新或删除角色信任策略 `Principal` 元素中引用此提供者的所有角色。** ``` Remove-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除了连接到提供者 `example.oidcprovider.com` 的 IAM OIDC 提供者。确保更新或删除角色信任策略 `Principal` 元素中引用此提供者的所有角色。** ``` Remove-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeletePolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeletePolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Delete an IAM policy. ///

/// The Amazon Resource Name (ARN) of the policy to /// delete. /// A Boolean value indicating the success of the action. public async Task DeletePolicyAsync(string policyArn) { var response = await _IAMService.DeletePolicyAsync(new DeletePolicyRequest { PolicyArn = policyArn }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DeletePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeletePolicy)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_delete_policy # # This function deletes an IAM policy. # # Parameters: # -n policy_arn -- The name of the IAM policy arn. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_policy() { local policy_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_policy" echo "Deletes an AWS Identity and Access Management (IAM) policy" echo " -n policy_arn -- The name of the IAM policy arn." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) policy_arn="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$policy_arn" ]]; then errecho "ERROR: You must provide a policy arn with the -n parameter." usage return 1 fi iecho "Parameters:\n" iecho " Policy arn: $policy_arn" iecho "" response=$(aws iam delete-policy \ --policy-arn "$policy_arn") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-policy operation failed.\n$response" return 1 fi iecho "delete-policy response:$response" iecho return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::deletePolicy(const Aws::String &policyArn, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::DeletePolicyRequest request; request.SetPolicyArn(policyArn); auto outcome = iam.DeletePolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Error deleting policy with arn " << policyArn << ": " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully deleted policy with arn " << policyArn << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[DeletePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeletePolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 策略** 此示例删除了 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的策略。 ``` aws iam delete-policy \ --policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeletePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions // used in the examples. // It contains an IAM service client that is used to perform policy actions. type PolicyWrapper struct { IamClient *iam.Client } // DeletePolicy deletes a policy. func (wrapper PolicyWrapper) DeletePolicy(ctx context.Context, policyArn string) error { _, err := wrapper.IamClient.DeletePolicy(ctx, &iam.DeletePolicyInput{ PolicyArn: aws.String(policyArn), }) if err != nil { log.Printf("Couldn't delete policy %v. Here's why: %v\n", policyArn, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[DeletePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeletePolicy)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.DeletePolicyRequest; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class DeletePolicy { public static void main(String[] args) { final String usage = """ Usage: \s Where: policyARN - A policy ARN value to delete.\s """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String policyARN = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); deleteIAMPolicy(iam, policyARN); iam.close(); } public static void deleteIAMPolicy(IamClient iam, String policyARN) { try { DeletePolicyRequest request = DeletePolicyRequest.builder() .policyArn(policyARN) .build(); iam.deletePolicy(request); System.out.println("Successfully deleted the policy"); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done"); } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[DeletePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeletePolicy)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam/#code-examples)中查找完整示例，了解如何进行设置和运行。删除策略。 ``` import { DeletePolicyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} policyArn */ export const deletePolicy = (policyArn) => { const command = new DeletePolicyCommand({ PolicyArn: policyArn }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeletePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeletePolicyCommand)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun deleteIAMPolicy(policyARNVal: String?) { val request = DeletePolicyRequest { policyArn = policyARNVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> iamClient.deletePolicy(request) println("Successfully deleted $policyARNVal") } } ``` + 有关 API 的详细信息，请参阅适用[DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除了 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的策略。必须先通过运行 `Remove-IAMPolicyVersion` 删除默认版本除外的所有版本，然后才能删除该策略。您还必须将该策略与所有 IAM 用户、组或角色分离。** ``` Remove-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy ``` **示例 2：此示例通过先删除所有非默认策略版本，将其与所有附加的 IAM 实体分离，最后删除策略本身来删除策略。第一行检索策略对象。第二行检索集合中未标记为默认的所有策略版本，然后删除集合中的每个策略。第三行检索该策略附加到的所有 IAM 用户、组和角色。第四行到第六行将该策略与每个附加的实体分离。最后一行使用此命令删除托管策略，以及剩余的默认版本。该示例在需要抑制确认提示的所有行中都包含 `-Force` 开关参数。** ``` $pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force $attached = Get-IAMEntitiesForPolicy -PolicyArn $pol.Arn $attached.PolicyGroups | Unregister-IAMGroupPolicy -PolicyArn $pol.arn $attached.PolicyRoles | Unregister-IAMRolePolicy -PolicyArn $pol.arn $attached.PolicyUsers | Unregister-IAMUserPolicy -PolicyArn $pol.arn Remove-IAMPolicy $pol.Arn -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeletePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除了 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的策略。必须先通过运行 `Remove-IAMPolicyVersion` 删除默认版本除外的所有版本，然后才能删除该策略。您还必须将该策略与所有 IAM 用户、组或角色分离。** ``` Remove-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy ``` **示例 2：此示例通过先删除所有非默认策略版本，将其与所有附加的 IAM 实体分离，最后删除策略本身来删除策略。第一行检索策略对象。第二行检索集合中未标记为默认的所有策略版本，然后删除集合中的每个策略。第三行检索该策略附加到的所有 IAM 用户、组和角色。第四行到第六行将该策略与每个附加的实体分离。最后一行使用此命令删除托管策略，以及剩余的默认版本。该示例在需要抑制确认提示的所有行中都包含 `-Force` 开关参数。** ``` $pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force $attached = Get-IAMEntitiesForPolicy -PolicyArn $pol.Arn $attached.PolicyGroups | Unregister-IAMGroupPolicy -PolicyArn $pol.arn $attached.PolicyRoles | Unregister-IAMRolePolicy -PolicyArn $pol.arn $attached.PolicyUsers | Unregister-IAMUserPolicy -PolicyArn $pol.arn Remove-IAMPolicy $pol.Arn -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeletePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def delete_policy(policy_arn): """ Deletes a policy. :param policy_arn: The ARN of the policy to delete. """ try: iam.Policy(policy_arn).delete() logger.info("Deleted policy %s.", policy_arn) except ClientError: logger.exception("Couldn't delete policy %s.", policy_arn) raise ``` + 有关 API 的详细信息，请参阅适用[DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn delete_policy(client: &iamClient, policy: Policy) -> Result<(), iamError> { client .delete_policy() .policy_arn(policy.arn.unwrap()) .send() .await?; Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[DeletePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->deletepolicy( iv_policyarn = iv_policy_arn ). MESSAGE 'Policy deleted successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Policy does not exist.' TYPE 'E'. CATCH /aws1/cx_iamdeleteconflictex. MESSAGE 'Policy cannot be deleted due to attachments.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DeletePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func deletePolicy(policy: IAMClientTypes.Policy) async throws { let input = DeletePolicyInput( policyArn: policy.arn ) do { _ = try await iamClient.deletePolicy(input: input) } catch { print("ERROR: deletePolicy:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[DeletePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deletepolicy(input:))*中。 ------ # `DeletePolicyVersion`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeletePolicyVersion`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) + [回滚策略版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md) ------ #### [ CLI ] **AWS CLI** **删除托管策略的某个版本** 此示例从 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的策略中删除标识为 `v2` 的版本。 ``` aws iam delete-policy-version \ --policy-arn arn:aws:iam::123456789012:policy/MyPolicy \ --version-id v2 ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeletePolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-policy-version.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的策略中删除标识为 `v2` 的版本。** ``` Remove-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy -VersionID v2 ``` **示例 2：此示例通过先删除所有非默认策略版本，然后删除策略本身来删除策略。第一行检索策略对象。第二行检索集合中未标记为默认的所有策略版本，然后使用此命令删除集合中的每个策略。最后一行删除策略本身，以及剩余的默认版本。请注意，要成功删除托管策略，还必须使用 `Unregister-IAMUserPolicy`、`Unregister-IAMGroupPolicy` 和 `Unregister-IAMRolePolicy` 命令将该策略与所有用户、组或角色分离。请参阅 `Remove-IAMPolicy` cmdlet 的示例。** ``` $pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force Remove-IAMPolicy -PolicyArn $pol.Arn -force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeletePolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的策略中删除标识为 `v2` 的版本。** ``` Remove-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy -VersionID v2 ``` **示例 2：此示例通过先删除所有非默认策略版本，然后删除策略本身来删除策略。第一行检索策略对象。第二行检索集合中未标记为默认的所有策略版本，然后使用此命令删除集合中的每个策略。最后一行删除策略本身，以及剩余的默认版本。请注意，要成功删除托管策略，还必须使用 `Unregister-IAMUserPolicy`、`Unregister-IAMGroupPolicy` 和 `Unregister-IAMRolePolicy` 命令将该策略与所有用户、组或角色分离。请参阅 `Remove-IAMPolicy` cmdlet 的示例。** ``` $pol = Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy Get-IAMPolicyVersions -PolicyArn $pol.Arn | where {-not $_.IsDefaultVersion} | Remove-IAMPolicyVersion -PolicyArn $pol.Arn -force Remove-IAMPolicy -PolicyArn $pol.Arn -force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeletePolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->deletepolicyversion( iv_policyarn = iv_policy_arn iv_versionid = iv_version_id ). MESSAGE 'Policy version deleted successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Policy or version does not exist.' TYPE 'E'. CATCH /aws1/cx_iamdeleteconflictex. MESSAGE 'Cannot delete default policy version.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DeletePolicyVersion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `DeleteRole`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteRole`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [管理角色](iam_example_iam_Scenario_RoleManagement_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Delete an IAM role. ///

/// The name of the IAM role to delete. /// A Boolean value indicating the success of the action. public async Task DeleteRoleAsync(string roleName) { var response = await _IAMService.DeleteRoleAsync(new DeleteRoleRequest { RoleName = roleName }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DeleteRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRole)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_delete_role # # This function deletes an IAM role. # # Parameters: # -n role_name -- The name of the IAM role. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_role() { local role_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_role" echo "Deletes an AWS Identity and Access Management (IAM) role" echo " -n role_name -- The name of the IAM role." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 echo "role_name:$role_name" if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi iecho "Parameters:\n" iecho " Role name: $role_name" iecho "" response=$(aws iam delete-role \ --role-name "$role_name") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-role operation failed.\n$response" return 1 fi iecho "delete-role response:$response" iecho return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole)*中的。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 角色** 以下 `delete-role` 命令将删除名为 `Test-Role` 的角色。 ``` aws iam delete-role \ --role-name Test-Role ``` 此命令不生成任何输出。在删除角色之前，必须从所有实例配置文件中删除该角色（`remove-role-from-instance-profile`），分离所有托管策略（`detach-role-policy`），删除附加到该角色的所有内联策略（`delete-role-policy`）。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)和[使用实例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // DeleteRole deletes a role. All attached policies must be detached before a // role can be deleted. func (wrapper RoleWrapper) DeleteRole(ctx context.Context, roleName string) error { _, err := wrapper.IamClient.DeleteRole(ctx, &iam.DeleteRoleInput{ RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't delete role %v. Here's why: %v\n", roleName, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[DeleteRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteRole)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。删除角色。 ``` import { DeleteRoleCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} roleName */ export const deleteRole = (roleName) => { const command = new DeleteRoleCommand({ RoleName: roleName }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRoleCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从当前 IAM 账户中删除名为 `MyNewRole` 的角色。必须先使用 `Unregister-IAMRolePolicy` 命令分离所有托管策略，然后才能删除该角色。内联策略将与角色一起删除。** ``` Remove-IAMRole -RoleName MyNewRole ``` **示例 2：此示例将所有托管策略与名为 `MyNewRole` 的角色分离，然后删除该角色。第一行检索作为集合附加到该角色的所有托管策略，然后将集合中的每个策略与该角色分离。第二行删除该角色本身。内联策略将与角色一起删除。** ``` Get-IAMAttachedRolePolicyList -RoleName MyNewRole | Unregister-IAMRolePolicy -RoleName MyNewRole Remove-IAMRole -RoleName MyNewRole ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从当前 IAM 账户中删除名为 `MyNewRole` 的角色。必须先使用 `Unregister-IAMRolePolicy` 命令分离所有托管策略，然后才能删除该角色。内联策略将与角色一起删除。** ``` Remove-IAMRole -RoleName MyNewRole ``` **示例 2：此示例将所有托管策略与名为 `MyNewRole` 的角色分离，然后删除该角色。第一行检索作为集合附加到该角色的所有托管策略，然后将集合中的每个策略与该角色分离。第二行删除该角色本身。内联策略将与角色一起删除。** ``` Get-IAMAttachedRolePolicyList -RoleName MyNewRole | Unregister-IAMRolePolicy -RoleName MyNewRole Remove-IAMRole -RoleName MyNewRole ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def delete_role(role_name): """ Deletes a role. :param role_name: The name of the role to delete. """ try: iam.Role(role_name).delete() logger.info("Deleted role %s.", role_name) except ClientError: logger.exception("Couldn't delete role %s.", role_name) raise ``` + 有关 API 的详细信息，请参阅适用[DeleteRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteRole)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Deletes a role and its attached policies. # # @param role_name [String] The name of the role to delete. def delete_role(role_name) # Detach and delete attached policies @iam_client.list_attached_role_policies(role_name: role_name).each do |response| response.attached_policies.each do |policy| @iam_client.detach_role_policy({ role_name: role_name, policy_arn: policy.policy_arn }) # Check if the policy is a customer managed policy (not AWS managed) unless policy.policy_arn.include?('aws:policy/') @iam_client.delete_policy({ policy_arn: policy.policy_arn }) @logger.info("Deleted customer managed policy #{policy.policy_name}.") end end end # Delete the role @iam_client.delete_role({ role_name: role_name }) @logger.info("Deleted role #{role_name}.") rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't detach policies and delete role #{role_name}. Here's why:") @logger.error("\t#{e.code}: #{e.message}") raise end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DeleteRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteRole)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn delete_role(client: &iamClient, role: &Role) -> Result<(), iamError> { let role = role.clone(); while client .delete_role() .role_name(role.role_name()) .send() .await .is_err() { sleep(Duration::from_secs(2)).await; } Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[DeleteRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_role)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->deleterole( iv_rolename = iv_role_name ). MESSAGE 'Role deleted successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Role does not exist.' TYPE 'E'. CATCH /aws1/cx_iamdeleteconflictex. MESSAGE 'Role cannot be deleted due to attached resources.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DeleteRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func deleteRole(role: IAMClientTypes.Role) async throws { let input = DeleteRoleInput( roleName: role.roleName ) do { _ = try await iamClient.deleteRole(input: input) } catch { print("ERROR: deleteRole:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[DeleteRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleterole(input:))*中。 ------ # 将 `DeleteRolePermissionsBoundary` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteRolePermissionsBoundary`。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 角色的权限边界** 以下 `delete-role-permissions-boundary` 示例删除指定 IAM 角色的权限边界。要对角色应用权限边界，请使用 `put-role-permissions-boundary` 命令。 ``` aws iam delete-role-permissions-boundary \ --role-name lambda-application-role ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteRolePermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role-permissions-boundary.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例展示了如何删除附加到 IAM 角色的权限边界。** ``` Remove-IAMRolePermissionsBoundary -RoleName MyRoleName ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例展示了如何删除附加到 IAM 角色的权限边界。** ``` Remove-IAMRolePermissionsBoundary -RoleName MyRoleName ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeleteRolePolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteRolePolicy`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Delete an IAM role policy. ///

/// The name of the IAM role. /// The name of the IAM role policy to delete. /// A Boolean value indicating the success of the action. public async Task DeleteRolePolicyAsync(string roleName, string policyName) { var response = await _IAMService.DeleteRolePolicyAsync(new DeleteRolePolicyRequest { PolicyName = policyName, RoleName = roleName, }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DeleteRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRolePolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **从 IAM 角色中移除策略** 以下 `delete-role-policy` 命令可将名为 `ExamplePolicy` 的策略从名为 `Test-Role` 的角色中移除。 ``` aws iam delete-role-policy \ --role-name Test-Role \ --policy-name ExamplePolicy ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-role-policy.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { DeleteRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} roleName * @param {string} policyName */ export const deleteRolePolicy = (roleName, policyName) => { const command = new DeleteRolePolicyCommand({ RoleName: roleName, PolicyName: policyName, }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRolePolicyCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除了 IAM 角色 `S3BackupRole` 中嵌入的内联策略 `S3AccessPolicy`。** ``` Remove-IAMRolePolicy -PolicyName S3AccessPolicy -RoleName S3BackupRole ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除了 IAM 角色 `S3BackupRole` 中嵌入的内联策略 `S3AccessPolicy`。** ``` Remove-IAMRolePolicy -PolicyName S3AccessPolicy -RoleName S3BackupRole ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeleteSAMLProvider`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteSAMLProvider`。 ------ #### [ CLI ] **AWS CLI** **删除 SAML 提供者** 此示例删除了 ARN 为 `arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider` 的 IAM SAML 2.0 提供者。 ``` aws iam delete-saml-provider \ --saml-provider-arn arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM SAML 身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。 + 有关 API 的详细信息，请参阅SAMLProvider《*AWS CLI 命令参考*》中的 [“删除”](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-saml-provider.html)。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { DeleteSAMLProviderCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} providerArn * @returns */ export const deleteSAMLProvider = async (providerArn) => { const command = new DeleteSAMLProviderCommand({ SAMLProviderArn: providerArn, }); const response = await client.send(command); console.log(response); return response; }; ``` + 有关 API 的详细信息，请参阅SAMLProvider《*适用于 JavaScript 的 AWS SDK API 参考*》中的 [“删除”](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteSAMLProviderCommand)。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除了 ARN 为 `arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider` 的 IAM SAML 2.0 提供者。** ``` Remove-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考文档 (V* 4) SAMLProvider 中的[删除](https://docs.aws.amazon.com/powershell/v4/reference)。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除了 ARN 为 `arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider` 的 IAM SAML 2.0 提供者。** ``` Remove-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFSProvider ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考文档 (V* 5) SAMLProvider 中的[删除](https://docs.aws.amazon.com/powershell/v5/reference)。 ------ # `DeleteServerCertificate`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteServerCertificate`。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::deleteServerCertificate(const Aws::String &certificateName, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::DeleteServerCertificateRequest request; request.SetServerCertificateName(certificateName); const auto outcome = iam.DeleteServerCertificate(request); bool result = true; if (!outcome.IsSuccess()) { if (outcome.GetError().GetErrorType() != Aws::IAM::IAMErrors::NO_SUCH_ENTITY) { std::cerr << "Error deleting server certificate " << certificateName << ": " << outcome.GetError().GetMessage() << std::endl; result = false; } else { std::cout << "Certificate '" << certificateName << "' not found." << std::endl; } } else { std::cout << "Successfully deleted server certificate " << certificateName << std::endl; } return result; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[DeleteServerCertificate](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteServerCertificate)*中的。 ------ #### [ CLI ] **AWS CLI** **从您的 AWS 账户中删除服务器证书** 以下`delete-server-certificate`命令从您的 AWS 账户中删除指定的服务器证书。 ``` aws iam delete-server-certificate \ --server-certificate-name myUpdatedServerCertificate ``` 此命令不生成任何输出。要列出您 AWS 账户中可用的服务器证书，请使用`list-server-certificates`命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 IAM 中管理服务器证书](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteServerCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-server-certificate.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。删除服务器证书。 ``` import { DeleteServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} certName */ export const deleteServerCertificate = (certName) => { const command = new DeleteServerCertificateCommand({ ServerCertificateName: certName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteServerCertificateCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.deleteServerCertificate( { ServerCertificateName: "CERTIFICATE_NAME" }, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } } ); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-deleting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteServerCertificate](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteServerCertificate)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除名为 `MyServerCert` 的服务器证书。** ``` Remove-IAMServerCertificate -ServerCertificateName MyServerCert ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除名为 `MyServerCert` 的服务器证书。** ``` Remove-IAMServerCertificate -ServerCertificateName MyServerCert ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出、更新和删除服务器证书。 ``` class ServerCertificateManager def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'ServerCertificateManager' end # Creates a new server certificate. # @param name [String] the name of the server certificate # @param certificate_body [String] the contents of the certificate # @param private_key [String] the private key contents # @return [Boolean] returns true if the certificate was successfully created def create_server_certificate(name, certificate_body, private_key) @iam_client.upload_server_certificate({ server_certificate_name: name, certificate_body: certificate_body, private_key: private_key }) true rescue Aws::IAM::Errors::ServiceError => e puts "Failed to create server certificate: #{e.message}" false end # Lists available server certificate names. def list_server_certificate_names response = @iam_client.list_server_certificates if response.server_certificate_metadata_list.empty? @logger.info('No server certificates found.') return end response.server_certificate_metadata_list.each do |certificate_metadata| @logger.info("Certificate Name: #{certificate_metadata.server_certificate_name}") end rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing server certificates: #{e.message}") end # Updates the name of a server certificate. def update_server_certificate_name(current_name, new_name) @iam_client.update_server_certificate( server_certificate_name: current_name, new_server_certificate_name: new_name ) @logger.info("Server certificate name updated from '#{current_name}' to '#{new_name}'.") true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error updating server certificate name: #{e.message}") false end # Deletes a server certificate. def delete_server_certificate(name) @iam_client.delete_server_certificate(server_certificate_name: name) @logger.info("Server certificate '#{name}' deleted.") true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting server certificate: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DeleteServerCertificate](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteServerCertificate)*中的。 ------ # `DeleteServiceLinkedRole`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteServiceLinkedRole`。 ------ #### [ CLI ] **AWS CLI** **删除服务相关角色** 以下 `delete-service-linked-role` 示例将删除您不再需要的指定服务相关角色。删除操作异步进行。您也可以使用 `get-service-linked-role-deletion-status` 命令查看删除状态并确认何时删除。 ``` aws iam delete-service-linked-role \ --role-name AWSServiceRoleForLexBots ``` 输出： ``` { "DeletionTaskId": "task/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots/1a2b3c4d-1234-abcd-7890-abcdeEXAMPLE" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用服务相关角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteServiceLinkedRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-service-linked-role.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // DeleteServiceLinkedRole deletes a service-linked role. func (wrapper RoleWrapper) DeleteServiceLinkedRole(ctx context.Context, roleName string) error { _, err := wrapper.IamClient.DeleteServiceLinkedRole(ctx, &iam.DeleteServiceLinkedRoleInput{ RoleName: aws.String(roleName)}, ) if err != nil { log.Printf("Couldn't delete service-linked role %v. Here's why: %v\n", roleName, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[DeleteServiceLinkedRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteServiceLinkedRole)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { DeleteServiceLinkedRoleCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} roleName */ export const deleteServiceLinkedRole = (roleName) => { const command = new DeleteServiceLinkedRoleCommand({ RoleName: roleName }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteServiceLinkedRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteServiceLinkedRoleCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除服务关联角色。请注意，如果服务仍在使用此角色，则此命令将导致失败。** ``` Remove-IAMServiceLinkedRole -RoleName AWSServiceRoleForAutoScaling_RoleNameEndsWithThis ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteServiceLinkedRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除服务关联角色。请注意，如果服务仍在使用此角色，则此命令将导致失败。** ``` Remove-IAMServiceLinkedRole -RoleName AWSServiceRoleForAutoScaling_RoleNameEndsWithThis ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteServiceLinkedRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Deletes a service-linked role. # # @param role_name [String] The name of the role to delete. def delete_service_linked_role(role_name) response = @iam_client.delete_service_linked_role(role_name: role_name) task_id = response.deletion_task_id check_deletion_status(role_name, task_id) rescue Aws::Errors::ServiceError => e handle_deletion_error(e, role_name) end private # Checks the deletion status of a service-linked role # # @param role_name [String] The name of the role being deleted # @param task_id [String] The task ID for the deletion process def check_deletion_status(role_name, task_id) loop do response = @iam_client.get_service_linked_role_deletion_status( deletion_task_id: task_id ) status = response.status @logger.info("Deletion of #{role_name} #{status}.") break if %w[SUCCEEDED FAILED].include?(status) sleep(3) end end # Handles deletion error # # @param e [Aws::Errors::ServiceError] The error encountered during deletion # @param role_name [String] The name of the role attempted to delete def handle_deletion_error(e, role_name) return if e.code == 'NoSuchEntity' @logger.error("Couldn't delete #{role_name}. Here's why:") @logger.error("\t#{e.code}: #{e.message}") raise end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DeleteServiceLinkedRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteServiceLinkedRole)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn delete_service_linked_role( client: &iamClient, role_name: &str, ) -> Result<(), iamError> { client .delete_service_linked_role() .role_name(role_name) .send() .await?; Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[DeleteServiceLinkedRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_service_linked_role)于 *Rust 的AWS SDK API 参考*。 ------ # 将 `DeleteSigningCertificate` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteSigningCertificate`。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 用户的签名证书** 以下 `delete-signing-certificate` 命令删除名为 `Bob` 的 IAM 用户的指定签名证书。 ``` aws iam delete-signing-certificate \ --user-name Bob \ --certificate-id TA7SMP42TDN5Z26OBPJE7EXAMPLE ``` 此命令不生成任何输出。要获取签名证书的 ID，请使用 `list-signing-certificates` 命令。有关更多信息，请参阅《Amazon EC2 用户指南》**中的[管理签名证书](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-up-ami-tools.html#ami-tools-managing-certs)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteSigningCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-signing-certificate.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从名为 `Bob` 的 IAM 用户删除 ID 为 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的签名证书。** ``` Remove-IAMSigningCertificate -UserName Bob -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteSigningCertificate](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从名为 `Bob` 的 IAM 用户删除 ID 为 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的签名证书。** ``` Remove-IAMSigningCertificate -UserName Bob -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteSigningCertificate](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeleteUser`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteUser`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Delete an IAM user. ///

/// The username of the IAM user to delete. /// A Boolean value indicating the success of the action. public async Task DeleteUserAsync(string userName) { var response = await _IAMService.DeleteUserAsync(new DeleteUserRequest { UserName = userName }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DeleteUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUser)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_delete_user # # This function deletes the specified IAM user. # # Parameters: # -u user_name -- The name of the user to create. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_delete_user() { local user_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_delete_user" echo "Deletes an AWS Identity and Access Management (IAM) user. You must supply a username:" echo " -u user_name The name of the user." echo "" } # Retrieve the calling parameters. while getopts "u:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi iecho "Parameters:\n" iecho " User name: $user_name" iecho "" # If the user does not exist, we don't want to try to delete it. if (! iam_user_exists "$user_name"); then errecho "ERROR: A user with that name does not exist in the account." return 1 fi response=$(aws iam delete-user \ --user-name "$user_name") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-user operation failed.$response" return 1 fi iecho "delete-user response:$response" iecho return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUser)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::DeleteUserRequest request; request.SetUserName(userName); auto outcome = iam.DeleteUser(request); if (!outcome.IsSuccess()) { std::cerr << "Error deleting IAM user " << userName << ": " << outcome.GetError().GetMessage() << std::endl;; } else { std::cout << "Successfully deleted IAM user " << userName << std::endl; } return outcome.IsSuccess(); ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[DeleteUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUser)*中的。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 用户** 以下 `delete-user` 命令可将名为 `Bob` 的 IAM 用户从当前账户中删除。 ``` aws iam delete-user \ --user-name Bob ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[删除 IAM 用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-user.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // DeleteUser deletes a user. func (wrapper UserWrapper) DeleteUser(ctx context.Context, userName string) error { _, err := wrapper.IamClient.DeleteUser(ctx, &iam.DeleteUserInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't delete user %v. Here's why: %v\n", userName, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUser)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.DeleteUserRequest; import software.amazon.awssdk.services.iam.model.IamException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class DeleteUser { public static void main(String[] args) { final String usage = """ Usage: \s Where: userName - The name of the user to delete.\s """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String userName = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); deleteIAMUser(iam, userName); System.out.println("Done"); iam.close(); } public static void deleteIAMUser(IamClient iam, String userName) { try { DeleteUserRequest request = DeleteUserRequest.builder() .userName(userName) .build(); iam.deleteUser(request); System.out.println("Successfully deleted IAM user " + userName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[DeleteUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUser)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。删除用户。 ``` import { DeleteUserCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} name */ export const deleteUser = (name) => { const command = new DeleteUserCommand({ UserName: name }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-deleting-users](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-deleting-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { UserName: process.argv[2], }; iam.getUser(params, function (err, data) { if (err && err.code === "NoSuchEntity") { console.log("User " + process.argv[2] + " does not exist."); } else { iam.deleteUser(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-deleting-users](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-deleting-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DeleteUser](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DeleteUser)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun deleteIAMUser(userNameVal: String) { val request = DeleteUserRequest { userName = userNameVal } // To delete a user, ensure that the user's access keys are deleted first. IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> iamClient.deleteUser(request) println("Successfully deleted user $userNameVal") } } ``` + 有关 API 的详细信息，请参阅适用[DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除名为 `Bob` 的 IAM 用户。** ``` Remove-IAMUser -UserName Bob ``` **示例 2：此示例删除名为 `Theresa` 的 IAM 用户，以及必须先删除的所有元素。** ``` $name = "Theresa" # find any groups and remove user from them $groups = Get-IAMGroupForUser -UserName $name foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName $name -Force } # find any inline policies and delete them $inlinepols = Get-IAMUserPolicies -UserName $name foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName $name -Force} # find any managed polices and detach them $managedpols = Get-IAMAttachedUserPolicies -UserName $name foreach ($pol in $managedpols) { Unregister-IAMUserPolicy -PolicyArn $pol.PolicyArn -UserName $name } # find any signing certificates and delete them $certs = Get-IAMSigningCertificate -UserName $name foreach ($cert in $certs) { Remove-IAMSigningCertificate -CertificateId $cert.CertificateId -UserName $name -Force } # find any access keys and delete them $keys = Get-IAMAccessKey -UserName $name foreach ($key in $keys) { Remove-IAMAccessKey -AccessKeyId $key.AccessKeyId -UserName $name -Force } # delete the user's login profile, if one exists - note: need to use try/catch to suppress not found error try { $prof = Get-IAMLoginProfile -UserName $name -ea 0 } catch { out-null } if ($prof) { Remove-IAMLoginProfile -UserName $name -Force } # find any MFA device, detach it, and if virtual, delete it. $mfa = Get-IAMMFADevice -UserName $name if ($mfa) { Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber } } # finally, remove the user Remove-IAMUser -UserName $name -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteUser](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除名为 `Bob` 的 IAM 用户。** ``` Remove-IAMUser -UserName Bob ``` **示例 2：此示例删除名为 `Theresa` 的 IAM 用户，以及必须先删除的所有元素。** ``` $name = "Theresa" # find any groups and remove user from them $groups = Get-IAMGroupForUser -UserName $name foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName $name -Force } # find any inline policies and delete them $inlinepols = Get-IAMUserPolicies -UserName $name foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName $name -Force} # find any managed polices and detach them $managedpols = Get-IAMAttachedUserPolicies -UserName $name foreach ($pol in $managedpols) { Unregister-IAMUserPolicy -PolicyArn $pol.PolicyArn -UserName $name } # find any signing certificates and delete them $certs = Get-IAMSigningCertificate -UserName $name foreach ($cert in $certs) { Remove-IAMSigningCertificate -CertificateId $cert.CertificateId -UserName $name -Force } # find any access keys and delete them $keys = Get-IAMAccessKey -UserName $name foreach ($key in $keys) { Remove-IAMAccessKey -AccessKeyId $key.AccessKeyId -UserName $name -Force } # delete the user's login profile, if one exists - note: need to use try/catch to suppress not found error try { $prof = Get-IAMLoginProfile -UserName $name -ea 0 } catch { out-null } if ($prof) { Remove-IAMLoginProfile -UserName $name -Force } # find any MFA device, detach it, and if virtual, delete it. $mfa = Get-IAMMFADevice -UserName $name if ($mfa) { Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber } } # finally, remove the user Remove-IAMUser -UserName $name -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteUser](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def delete_user(user_name): """ Deletes a user. Before a user can be deleted, all associated resources, such as access keys and policies, must be deleted or detached. :param user_name: The name of the user. """ try: iam.User(user_name).delete() logger.info("Deleted user %s.", user_name) except ClientError: logger.exception("Couldn't delete user %s.", user_name) raise ``` + 有关 API 的详细信息，请参阅适用[DeleteUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUser)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Deletes a user and their associated resources # # @param user_name [String] The name of the user to delete def delete_user(user_name) user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata user.each do |key| @iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name }) @logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.") end @iam_client.delete_user(user_name: user_name) @logger.info("Deleted user '#{user_name}'.") rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting user '#{user_name}': #{e.message}") end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DeleteUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUser)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn delete_user(client: &iamClient, user: &User) -> Result<(), SdkError> { let user = user.clone(); let mut tries: i32 = 0; let max_tries: i32 = 10; let response: Result<(), SdkError> = loop { match client .delete_user() .user_name(user.user_name()) .send() .await { Ok(_) => { break Ok(()); } Err(e) => { tries += 1; if tries > max_tries { break Err(e); } sleep(Duration::from_secs(2)).await; } } }; response } ``` + 有关 API 的详细信息，请参阅适用[DeleteUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->deleteuser( iv_username = iv_user_name ). MESSAGE 'User deleted successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'User does not exist.' TYPE 'E'. CATCH /aws1/cx_iamdeleteconflictex. MESSAGE 'User cannot be deleted due to attached resources.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DeleteUser](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func deleteUser(user: IAMClientTypes.User) async throws { let input = DeleteUserInput( userName: user.userName ) do { _ = try await iamClient.deleteUser(input: input) } catch { print("ERROR: deleteUser:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[DeleteUser](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleteuser(input:))*中。 ------ # 将 `DeleteUserPermissionsBoundary` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteUserPermissionsBoundary`。 ------ #### [ CLI ] **AWS CLI** **删除 IAM 用户的权限边界** 以下 `delete-user-permissions-boundary` 示例删除了附加到名为 `intern` 的 IAM 用户的权限边界。要对用户应用权限边界，请使用 `put-user-permissions-boundary` 命令。 ``` aws iam delete-user-permissions-boundary \ --user-name intern ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteUserPermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-user-permissions-boundary.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例展示了如何删除附加到 IAM 用户的权限边界。** ``` Remove-IAMUserPermissionsBoundary -UserName joe ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例展示了如何删除附加到 IAM 用户的权限边界。** ``` Remove-IAMUserPermissionsBoundary -UserName joe ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DeleteUserPolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DeleteUserPolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Delete an IAM user policy. ///

/// The name of the IAM policy to delete. /// The username of the IAM user. /// A Boolean value indicating the success of the action. public async Task DeleteUserPolicyAsync(string policyName, string userName) { var response = await _IAMService.DeleteUserPolicyAsync(new DeleteUserPolicyRequest { PolicyName = policyName, UserName = userName }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DeleteUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUserPolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **从 IAM 用户中移除策略** 以下 `delete-user-policy` 命令可将指定策略从名为 `Bob` 的 IAM 用户中移除。 ``` aws iam delete-user-policy \ --user-name Bob \ --policy-name ExamplePolicy ``` 此命令不生成任何输出。要获取 IAM 用户的策略列表，请使用 `list-user-policies` 命令。有关更多信息，请参阅 [IAM 用户指南中的在您的 AWS 账户中创建AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) *IAM 用户*。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-user-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // DeleteUserPolicy deletes an inline policy from a user. func (wrapper UserWrapper) DeleteUserPolicy(ctx context.Context, userName string, policyName string) error { _, err := wrapper.IamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{ PolicyName: aws.String(policyName), UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't delete policy from user %v. Here's why: %v\n", userName, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[DeleteUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUserPolicy)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除嵌入在名为 `Bob` 的 IAM 用户中的名为 `AccessToEC2Policy` 的内联策略。** ``` Remove-IAMUserPolicy -PolicyName AccessToEC2Policy -UserName Bob ``` **示例 2：此示例查找嵌入在名为 `Theresa` 的 IAM 用户中的所有内联策略，然后将其删除。** ``` $inlinepols = Get-IAMUserPolicies -UserName Theresa foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName Theresa -Force} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除嵌入在名为 `Bob` 的 IAM 用户中的名为 `AccessToEC2Policy` 的内联策略。** ``` Remove-IAMUserPolicy -PolicyName AccessToEC2Policy -UserName Bob ``` **示例 2：此示例查找嵌入在名为 `Theresa` 的 IAM 用户中的所有内联策略，然后将其删除。** ``` $inlinepols = Get-IAMUserPolicies -UserName Theresa foreach ($pol in $inlinepols) { Remove-IAMUserPolicy -PolicyName $pol -UserName Theresa -Force} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Deletes a user and their associated resources # # @param user_name [String] The name of the user to delete def delete_user(user_name) user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata user.each do |key| @iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name }) @logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.") end @iam_client.delete_user(user_name: user_name) @logger.info("Deleted user '#{user_name}'.") rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting user '#{user_name}': #{e.message}") end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUserPolicy)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn delete_user_policy( client: &iamClient, user: &User, policy_name: &str, ) -> Result<(), SdkError> { client .delete_user_policy() .user_name(user.user_name()) .policy_name(policy_name) .send() .await?; Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[DeleteUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 func deleteUserPolicy(user: IAMClientTypes.User, policyName: String) async throws { let input = DeleteUserPolicyInput( policyName: policyName, userName: user.userName ) do { _ = try await iamClient.deleteUserPolicy(input: input) } catch { print("ERROR: deleteUserPolicy:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[DeleteUserPolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/deleteuserpolicy(input:))*中。 ------ # 将 `DeleteVirtualMfaDevice` 与 CLI 配合使用以下代码示例演示如何使用 `DeleteVirtualMfaDevice`。 ------ #### [ CLI ] **AWS CLI** **删除虚拟 MFA 设备** 以下 `delete-virtual-mfa-device` 命令从当前账户中删除指定的 MFA 设备。 ``` aws iam delete-virtual-mfa-device \ --serial-number arn:aws:iam::123456789012:mfa/MFATest ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[停用 MFA 设备](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_disable.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DeleteVirtualMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-virtual-mfa-device.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例删除 ARN 为 `arn:aws:iam::123456789012:mfa/bob` 的 IAM 虚拟 MFA 设备。** ``` Remove-IAMVirtualMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/bob ``` **示例 2：此示例检查是否为 IAM 用户 Theresa 分配了 MFA 设备。如果找到设备，则会为 IAM 用户禁用该设备。如果设备是虚拟的，则会同时删除该设备。** ``` $mfa = Get-IAMMFADevice -UserName Theresa if ($mfa) { Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber } } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DeleteVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例删除 ARN 为 `arn:aws:iam::123456789012:mfa/bob` 的 IAM 虚拟 MFA 设备。** ``` Remove-IAMVirtualMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/bob ``` **示例 2：此示例检查是否为 IAM 用户 Theresa 分配了 MFA 设备。如果找到设备，则会为 IAM 用户禁用该设备。如果设备是虚拟的，则会同时删除该设备。** ``` $mfa = Get-IAMMFADevice -UserName Theresa if ($mfa) { Disable-IAMMFADevice -SerialNumber $mfa.SerialNumber -UserName $name if ($mfa.SerialNumber -like "arn:*") { Remove-IAMVirtualMFADevice -SerialNumber $mfa.SerialNumber } } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DeleteVirtualMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `DetachGroupPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `DetachGroupPolicy`。 ------ #### [ CLI ] **AWS CLI** **从组中分离策略** 此示例将从名为 `Testers` 的组重删除 ARN 为 `arn:aws:iam::123456789012:policy/TesterAccessPolicy` 的托管策略。 ``` aws iam detach-group-policy \ --group-name Testers \ --policy-arn arn:aws:iam::123456789012:policy/TesterAccessPolicy ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DetachGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-group-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/TesterAccessPolicy` 的托管组策略与名为 `Testers` 的组分离。** ``` Unregister-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterAccessPolicy ``` **示例 2：此示例查找附加到名为 `Testers` 的组的所有托管策略，并将其与该组分离。** ``` Get-IAMAttachedGroupPolicies -GroupName Testers | Unregister-IAMGroupPolicy -Groupname Testers ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DetachGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/TesterAccessPolicy` 的托管组策略与名为 `Testers` 的组分离。** ``` Unregister-IAMGroupPolicy -GroupName Testers -PolicyArn arn:aws:iam::123456789012:policy/TesterAccessPolicy ``` **示例 2：此示例查找附加到名为 `Testers` 的组的所有托管策略，并将其与该组分离。** ``` Get-IAMAttachedGroupPolicies -GroupName Testers | Unregister-IAMGroupPolicy -Groupname Testers ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DetachGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `DetachRolePolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DetachRolePolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) + [管理角色](iam_example_iam_Scenario_RoleManagement_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Detach an IAM policy from an IAM role. ///

/// The Amazon Resource Name (ARN) of the IAM policy. /// The name of the IAM role. /// A Boolean value indicating the success of the action. public async Task DetachRolePolicyAsync(string policyArn, string roleName) { var response = await _IAMService.DetachRolePolicyAsync(new DetachRolePolicyRequest { PolicyArn = policyArn, RoleName = roleName, }); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[DetachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DetachRolePolicy)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_detach_role_policy # # This function detaches an IAM policy to a tole. # # Parameters: # -n role_name -- The name of the IAM role. # -p policy_ARN -- The IAM policy document ARN.. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_detach_role_policy() { local role_name policy_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function iam_detach_role_policy" echo "Detaches an AWS Identity and Access Management (IAM) policy to an IAM role." echo " -n role_name The name of the IAM role." echo " -p policy_ARN -- The IAM policy document ARN." echo "" } # Retrieve the calling parameters. while getopts "n:p:h" option; do case "${option}" in n) role_name="${OPTARG}" ;; p) policy_arn="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$role_name" ]]; then errecho "ERROR: You must provide a role name with the -n parameter." usage return 1 fi if [[ -z "$policy_arn" ]]; then errecho "ERROR: You must provide a policy ARN with the -p parameter." usage return 1 fi response=$(aws iam detach-role-policy \ --role-name "$role_name" \ --policy-arn "$policy_arn") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports detach-role-policy operation failed.\n$response" return 1 fi echo "$response" return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::DetachRolePolicyRequest detachRequest; detachRequest.SetRoleName(roleName); detachRequest.SetPolicyArn(policyArn); auto detachOutcome = iam.DetachRolePolicy(detachRequest); if (!detachOutcome.IsSuccess()) { std::cerr << "Failed to detach policy " << policyArn << " from role " << roleName << ": " << detachOutcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully detached policy " << policyArn << " from role " << roleName << std::endl; } return detachOutcome.IsSuccess(); ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DetachRolePolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **从角色分离策略** 此示例将从名为 `FedTesterRole` 的角色删除具有 ARN `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` 的托管策略。 ``` aws iam detach-role-policy \ --role-name FedTesterRole \ --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DetachRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-role-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // DetachRolePolicy detaches a policy from a role. func (wrapper RoleWrapper) DetachRolePolicy(ctx context.Context, roleName string, policyArn string) error { _, err := wrapper.IamClient.DetachRolePolicy(ctx, &iam.DetachRolePolicyInput{ PolicyArn: aws.String(policyArn), RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't detach policy from role %v. Here's why: %v\n", roleName, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[DetachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DetachRolePolicy)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class DetachRolePolicy { public static void main(String[] args) { final String usage = """ Usage: \s Where: roleName - A role name that you can obtain from the AWS Management Console.\s policyArn - A policy ARN that you can obtain from the AWS Management Console.\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String roleName = args[0]; String policyArn = args[1]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); detachPolicy(iam, roleName, policyArn); System.out.println("Done"); iam.close(); } public static void detachPolicy(IamClient iam, String roleName, String policyArn) { try { DetachRolePolicyRequest request = DetachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.detachRolePolicy(request); System.out.println("Successfully detached policy " + policyArn + " from role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DetachRolePolicy)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。分离策略。 ``` import { DetachRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} policyArn * @param {string} roleName */ export const detachRolePolicy = (policyArn, roleName) => { const command = new DetachRolePolicyCommand({ PolicyArn: policyArn, RoleName: roleName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-detaching-role-policy](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-detaching-role-policy)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DetachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DetachRolePolicyCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var paramsRoleList = { RoleName: process.argv[2], }; iam.listAttachedRolePolicies(paramsRoleList, function (err, data) { if (err) { console.log("Error", err); } else { var myRolePolicies = data.AttachedPolicies; myRolePolicies.forEach(function (val, index, array) { if (myRolePolicies[index].PolicyName === "AmazonDynamoDBFullAccess") { var params = { PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess", RoleName: process.argv[2], }; iam.detachRolePolicy(params, function (err, data) { if (err) { console.log("Unable to detach policy from role", err); } else { console.log("Policy detached from role successfully"); process.exit(); } }); } }); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-detaching-role-policy](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-detaching-role-policy)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[DetachRolePolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/DetachRolePolicy)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun detachPolicy( roleNameVal: String, policyArnVal: String, ) { val request = DetachRolePolicyRequest { roleName = roleNameVal policyArn = policyArnVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> iamClient.detachRolePolicy(request) println("Successfully detached policy $policyArnVal from role $roleNameVal") } } ``` + 有关 API 的详细信息，请参阅适用[DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` 的托管组策略与名为 `FedTesterRole` 的角色分离。** ``` Unregister-IAMRolePolicy -RoleName FedTesterRole -PolicyArn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy ``` **示例 2：此示例查找附加到名为 `FedTesterRole` 的角色的所有托管策略，并将其与该角色分离。** ``` Get-IAMAttachedRolePolicyList -RoleName FedTesterRole | Unregister-IAMRolePolicy -Rolename FedTesterRole ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DetachRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` 的托管组策略与名为 `FedTesterRole` 的角色分离。** ``` Unregister-IAMRolePolicy -RoleName FedTesterRole -PolicyArn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy ``` **示例 2：此示例查找附加到名为 `FedTesterRole` 的角色的所有托管策略，并将其与该角色分离。** ``` Get-IAMAttachedRolePolicyList -RoleName FedTesterRole | Unregister-IAMRolePolicy -Rolename FedTesterRole ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DetachRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。使用 Boto3 策略对象从角色分离策略。 ``` def detach_from_role(role_name, policy_arn): """ Detaches a policy from a role. :param role_name: The name of the role. **Note** this is the name, not the ARN. :param policy_arn: The ARN of the policy. """ try: iam.Policy(policy_arn).detach_role(RoleName=role_name) logger.info("Detached policy %s from role %s.", policy_arn, role_name) except ClientError: logger.exception( "Couldn't detach policy %s from role %s.", policy_arn, role_name ) raise ``` 使用 Boto3 角色对象从角色分离策略。 ``` def detach_policy(role_name, policy_arn): """ Detaches a policy from a role. :param role_name: The name of the role. **Note** this is the name, not the ARN. :param policy_arn: The ARN of the policy. """ try: iam.Role(role_name).detach_policy(PolicyArn=policy_arn) logger.info("Detached policy %s from role %s.", policy_arn, role_name) except ClientError: logger.exception( "Couldn't detach policy %s from role %s.", policy_arn, role_name ) raise ``` + 有关 API 的详细信息，请参阅适用[DetachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachRolePolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、附加和分离角色策略。 ``` # Manages policies in AWS Identity and Access Management (IAM) class RolePolicyManager # Initialize with an AWS IAM client # # @param iam_client [Aws::IAM::Client] An initialized IAM client def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'PolicyManager' end # Creates a policy # # @param policy_name [String] The name of the policy # @param policy_document [Hash] The policy document # @return [String] The policy ARN if successful, otherwise nil def create_policy(policy_name, policy_document) response = @iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) response.policy.arn rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating policy: #{e.message}") nil end # Fetches an IAM policy by its ARN # @param policy_arn [String] the ARN of the IAM policy to retrieve # @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found def get_policy(policy_arn) response = @iam_client.get_policy(policy_arn: policy_arn) policy = response.policy @logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.") policy rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.") raise rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}") raise end # Attaches a policy to a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def attach_policy_to_role(role_name, policy_arn) @iam_client.attach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error attaching policy to role: #{e.message}") false end # Lists policy ARNs attached to a role # # @param role_name [String] The name of the role # @return [Array] List of policy ARNs def list_attached_policy_arns(role_name) response = @iam_client.list_attached_role_policies(role_name: role_name) response.attached_policies.map(&:policy_arn) rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing policies attached to role: #{e.message}") [] end # Detaches a policy from a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def detach_policy_from_role(role_name, policy_arn) @iam_client.detach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error detaching policy from role: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachRolePolicy)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn detach_role_policy( client: &iamClient, role_name: &str, policy_arn: &str, ) -> Result<(), iamError> { client .detach_role_policy() .role_name(role_name) .policy_arn(policy_arn) .send() .await?; Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[DetachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_role_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->detachrolepolicy( iv_rolename = iv_role_name iv_policyarn = iv_policy_arn ). MESSAGE 'Policy detached from role successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Role or policy does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DetachRolePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func detachRolePolicy(policy: IAMClientTypes.Policy, role: IAMClientTypes.Role) async throws { let input = DetachRolePolicyInput( policyArn: policy.arn, roleName: role.roleName ) do { _ = try await iamClient.detachRolePolicy(input: input) } catch { print("ERROR: detachRolePolicy:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[DetachRolePolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/detachrolepolicy(input:))*中。 ------ # `DetachUserPolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `DetachUserPolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) ------ #### [ CLI ] **AWS CLI** **从用户分离策略** 此示例将从用户 `Bob` 删除具有 ARN `arn:aws:iam::123456789012:policy/TesterPolicy` 的托管策略。 ``` aws iam detach-user-policy \ --user-name Bob \ --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[更改 IAM 用户的权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[DetachUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/TesterPolicy` 的托管策略与名为 `Bob` 的 IAM 用户分离。** ``` Unregister-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy ``` **示例 2：此示例查找附加到名为 `Theresa` 的 IAM 用户的所有托管策略，并将这些策略与该用户分离。** ``` Get-IAMAttachedUserPolicyList -UserName Theresa | Unregister-IAMUserPolicy -Username Theresa ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DetachUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/TesterPolicy` 的托管策略与名为 `Bob` 的 IAM 用户分离。** ``` Unregister-IAMUserPolicy -UserName Bob -PolicyArn arn:aws:iam::123456789012:policy/TesterPolicy ``` **示例 2：此示例查找附加到名为 `Theresa` 的 IAM 用户的所有托管策略，并将这些策略与该用户分离。** ``` Get-IAMAttachedUserPolicyList -UserName Theresa | Unregister-IAMUserPolicy -Username Theresa ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DetachUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def detach_policy(user_name, policy_arn): """ Detaches a policy from a user. :param user_name: The name of the user. :param policy_arn: The Amazon Resource Name (ARN) of the policy. """ try: iam.User(user_name).detach_policy(PolicyArn=policy_arn) logger.info("Detached policy %s from user %s.", policy_arn, user_name) except ClientError: logger.exception( "Couldn't detach policy %s from user %s.", policy_arn, user_name ) raise ``` + 有关 API 的详细信息，请参阅适用[DetachUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachUserPolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Detaches a policy from a user # # @param user_name [String] The name of the user # @param policy_arn [String] The ARN of the policy to detach # @return [Boolean] true if the policy was successfully detached, false otherwise def detach_user_policy(user_name, policy_arn) @iam_client.detach_user_policy( user_name: user_name, policy_arn: policy_arn ) @logger.info("Policy '#{policy_arn}' detached from user '#{user_name}' successfully.") true rescue Aws::IAM::Errors::NoSuchEntity @logger.error('Error detaching policy: Policy or user does not exist.') false rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error detaching policy from user '#{user_name}': #{e.message}") false end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[DetachUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachUserPolicy)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn detach_user_policy( client: &iamClient, user_name: &str, policy_arn: &str, ) -> Result<(), iamError> { client .detach_user_policy() .user_name(user_name) .policy_arn(policy_arn) .send() .await?; Ok(()) } ``` + 有关 API 的详细信息，请参阅适用[DetachUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_user_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->detachuserpolicy( iv_username = iv_user_name iv_policyarn = iv_policy_arn ). MESSAGE 'Policy detached from user successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'User or policy does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[DetachUserPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `EnableMfaDevice` 与 CLI 配合使用以下代码示例演示如何使用 `EnableMfaDevice`。 ------ #### [ CLI ] **AWS CLI** **启用 MFA 设备** 使用 `create-virtual-mfa-device` 命令创建新的虚拟 MFA 设备后，您可以将 MFA 设备分配给用户。以下 `enable-mfa-device` 示例将序列号为 `arn:aws:iam::210987654321:mfa/BobsMFADevice` 的 MFA 设备分配给用户 `Bob`。该命令还 AWS 通过按顺序包含虚拟 MFA 设备中的前两个代码来与设备同步。 ``` aws iam enable-mfa-device \ --user-name Bob \ --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \ --authentication-code1 123456 \ --authentication-code2 789012 ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[启用虚拟多重身份验证（MFA）设备](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[EnableMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/enable-mfa-device.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令启用序列号为 `987654321098` 的硬件 MFA 设备，并将该设备与用户 `Bob` 关联。它包含设备中按顺序排列的前两个代码。** ``` Enable-IAMMFADevice -UserName "Bob" -SerialNumber "987654321098" -AuthenticationCode1 "12345678" -AuthenticationCode2 "87654321" ``` **示例 2：此示例创建并启用虚拟 MFA 设备。第一条命令创建虚拟设备并在变量 `$MFADevice` 中返回设备的对象表示形式。您可以使用 `.Base32StringSeed` 或 `QRCodePng` 属性来配置用户的软件应用程序。最后一条命令将该设备分配给用户 `David`，通过其序列号识别设备。该命令还 AWS 通过按顺序包含虚拟 MFA 设备中的前两个代码来与设备同步。** ``` $MFADevice = New-IAMVirtualMFADevice -VirtualMFADeviceName "MyMFADevice" # see example for New-IAMVirtualMFADevice to see how to configure the software program with PNG or base32 seed code Enable-IAMMFADevice -UserName "David" -SerialNumber -SerialNumber $MFADevice.SerialNumber -AuthenticationCode1 "24681357" -AuthenticationCode2 "13572468" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [EnableMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令启用序列号为 `987654321098` 的硬件 MFA 设备，并将该设备与用户 `Bob` 关联。它包含设备中按顺序排列的前两个代码。** ``` Enable-IAMMFADevice -UserName "Bob" -SerialNumber "987654321098" -AuthenticationCode1 "12345678" -AuthenticationCode2 "87654321" ``` **示例 2：此示例创建并启用虚拟 MFA 设备。第一条命令创建虚拟设备并在变量 `$MFADevice` 中返回设备的对象表示形式。您可以使用 `.Base32StringSeed` 或 `QRCodePng` 属性来配置用户的软件应用程序。最后一条命令将该设备分配给用户 `David`，通过其序列号识别设备。该命令还 AWS 通过按顺序包含虚拟 MFA 设备中的前两个代码来与设备同步。** ``` $MFADevice = New-IAMVirtualMFADevice -VirtualMFADeviceName "MyMFADevice" # see example for New-IAMVirtualMFADevice to see how to configure the software program with PNG or base32 seed code Enable-IAMMFADevice -UserName "David" -SerialNumber -SerialNumber $MFADevice.SerialNumber -AuthenticationCode1 "24681357" -AuthenticationCode2 "13572468" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [EnableMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `GenerateCredentialReport`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GenerateCredentialReport`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理您的账户](iam_example_iam_Scenario_AccountManagement_section.md) ------ #### [ CLI ] **AWS CLI** **生成凭证报告** 以下示例尝试为该 AWS 账户生成凭证报告。 ``` aws iam generate-credential-report ``` 输出： ``` { "State": "STARTED", "Description": "No report exists. Starting a new report generation task" } ``` 有关更多信息，请参阅 *AWS IAM 用户指南*中的[获取 AWS 账户的凭证报告](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GenerateCredentialReport](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/generate-credential-report.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例请求生成一份新报告，报告可每四小时生成一次。如果上次报告仍然是最新的，则“状态”字段显示为 `COMPLETE`。使用 `Get-IAMCredentialReport` 查看已完成的报告。** ``` Request-IAMCredentialReport ``` **输出**： ``` Description State ----------- ----- No report exists. Starting a new report generation task STARTED ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GenerateCredentialReport](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例请求生成一份新报告，报告可每四小时生成一次。如果上次报告仍然是最新的，则“状态”字段显示为 `COMPLETE`。使用 `Get-IAMCredentialReport` 查看已完成的报告。** ``` Request-IAMCredentialReport ``` **输出**： ``` Description State ----------- ----- No report exists. Starting a new report generation task STARTED ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GenerateCredentialReport](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def generate_credential_report(): """ Starts generation of a credentials report about the current account. After calling this function to generate the report, call get_credential_report to get the latest report. A new report can be generated a minimum of four hours after the last one was generated. """ try: response = iam.meta.client.generate_credential_report() logger.info( "Generating credentials report for your account. " "Current state is %s.", response["State"], ) except ClientError: logger.exception("Couldn't generate a credentials report for your account.") raise else: return response ``` + 有关 API 的详细信息，请参阅适用[GenerateCredentialReport](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GenerateCredentialReport)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->generatecredentialreport( ). MESSAGE 'Credential report generation started.' TYPE 'I'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Report generation limit exceeded.' TYPE 'E'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when generating credential report.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GenerateCredentialReport](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `GenerateServiceLastAccessedDetails` 与 CLI 配合使用以下代码示例演示如何使用 `GenerateServiceLastAccessedDetails`。 ------ #### [ CLI ] **AWS CLI** **示例 1：为自定义策略生成服务访问报告** 以下 `generate-service-last-accessed-details` 示例启动后台作业以生成一份报告，其中列出使用名为 `intern-boundary` 的自定义策略的 IAM 用户和其他实体所访问的服务。创建报告后，您可以通过运行 `get-service-last-accessed-details` 命令来显示该报告。 ``` aws iam generate-service-last-accessed-details \ --arn arn:aws:iam::123456789012:policy/intern-boundary ``` 输出： ``` { "JobId": "2eb6c2b8-7b4c-3xmp-3c13-03b72c8cdfdc" } ``` **示例 2：为 AWS 托管 AdministratorAccess 策略生成服务访问报告** 以下`generate-service-last-accessed-details`示例启动后台作业以生成一份报告，其中列出了 IAM 用户和其他实体使用 AWS 托管`AdministratorAccess`策略访问的服务。创建报告后，您可以通过运行 `get-service-last-accessed-details` 命令来显示该报告。 ``` aws iam generate-service-last-accessed-details \ --arn arn:aws:iam::aws:policy/AdministratorAccess ``` 输出： ``` { "JobId": "78b6c2ba-d09e-6xmp-7039-ecde30b26916" } ``` 有关更多信息，请参阅 *AWS IAM 用户指南*[中的在 AWS 使用上次访问的信息时细化权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GenerateServiceLastAccessedDetails](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/generate-service-last-accessed-details.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例等同于 API 的 cmdlet。 GenerateServiceLastAccessedDetails 这提供了一个任务 ID，可以在 Get-IAMServiceLastAccessedDetail 和 Get-中使用 IAMService LastAccessedDetailWithEntity** ``` Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GenerateServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例等同于 API 的 cmdlet。 GenerateServiceLastAccessedDetails 这提供了一个任务 ID，可以在 Get-IAMServiceLastAccessedDetail 和 Get-中使用 IAMService LastAccessedDetailWithEntity** ``` Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GenerateServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `GetAccessKeyLastUsed`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetAccessKeyLastUsed`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理访问密钥](iam_example_iam_Scenario_ManageAccessKeys_section.md) ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::accessKeyLastUsed(const Aws::String &secretKeyID, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::GetAccessKeyLastUsedRequest request; request.SetAccessKeyId(secretKeyID); Aws::IAM::Model::GetAccessKeyLastUsedOutcome outcome = iam.GetAccessKeyLastUsed( request); if (!outcome.IsSuccess()) { std::cerr << "Error querying last used time for access key " << secretKeyID << ":" << outcome.GetError().GetMessage() << std::endl; } else { Aws::String lastUsedTimeString = outcome.GetResult() .GetAccessKeyLastUsed() .GetLastUsedDate() .ToGmtString(Aws::Utils::DateFormat::ISO_8601); std::cout << "Access key " << secretKeyID << " last used at time " << lastUsedTimeString << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/GetAccessKeyLastUsed)*中的。 ------ #### [ CLI ] **AWS CLI** **检索上次使用指定访问密钥的时间信息** 以下示例将检索上次使用访问密钥 `ABCDEXAMPLE` 的时间信息。 ``` aws iam get-access-key-last-used \ --access-key-id ABCDEXAMPLE ``` 输出： ``` { "UserName": "Bob", "AccessKeyLastUsed": { "Region": "us-east-1", "ServiceName": "iam", "LastUsedDate": "2015-06-16T22:45:00Z" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的访问密钥](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetAccessKeyLastUsed](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-access-key-last-used.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。获取访问密钥。 ``` import { GetAccessKeyLastUsedCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} accessKeyId */ export const getAccessKeyLastUsed = async (accessKeyId) => { const command = new GetAccessKeyLastUsedCommand({ AccessKeyId: accessKeyId, }); const response = await client.send(command); if (response.AccessKeyLastUsed?.LastUsedDate) { console.log(` ${accessKeyId} was last used by ${response.UserName} via the ${response.AccessKeyLastUsed.ServiceName} service on ${response.AccessKeyLastUsed.LastUsedDate.toISOString()} `); } return response; }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-last-used](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-last-used)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetAccessKeyLastUsed](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetAccessKeyLastUsedCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.getAccessKeyLastUsed( { AccessKeyId: "ACCESS_KEY_ID" }, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data.AccessKeyLastUsed); } } ); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-last-used](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-last-used)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/GetAccessKeyLastUsed)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：返回所提供访问密钥的拥有用户名和上次使用信息。** ``` Get-IAMAccessKeyLastUsed -AccessKeyId ABCDEXAMPLE ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetAccessKeyLastUsed](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：返回所提供访问密钥的拥有用户名和上次使用信息。** ``` Get-IAMAccessKeyLastUsed -AccessKeyId ABCDEXAMPLE ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetAccessKeyLastUsed](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def get_last_use(key_id): """ Gets information about when and how a key was last used. :param key_id: The ID of the key to look up. :return: Information about the key's last use. """ try: response = iam.meta.client.get_access_key_last_used(AccessKeyId=key_id) last_used_date = response["AccessKeyLastUsed"].get("LastUsedDate", None) last_service = response["AccessKeyLastUsed"].get("ServiceName", None) logger.info( "Key %s was last used by %s on %s to access %s.", key_id, response["UserName"], last_used_date, last_service, ) except ClientError: logger.exception("Couldn't get last use of key %s.", key_id) raise else: return response ``` + 有关 API 的详细信息，请参阅适用[GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccessKeyLastUsed)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->getaccesskeylastused( iv_accesskeyid = iv_access_key_id ). MESSAGE 'Retrieved access key last used information.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Access key does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GetAccessKeyLastUsed](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `GetAccountAuthorizationDetails`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetAccountAuthorizationDetails`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理您的账户](iam_example_iam_Scenario_AccountManagement_section.md) ------ #### [ CLI ] **AWS CLI** **列出 AWS 账户的 IAM 用户、群组、角色和策略** 以下`get-account-authorization-details`命令返回有关 AWS 账户中所有 IAM 用户、群组、角色和策略的信息。 ``` aws iam get-account-authorization-details ``` 输出： ``` { "RoleDetailList": [ { "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "RoleId": "AROA1234567890EXAMPLE", "CreateDate": "2014-07-30T17:09:20Z", "InstanceProfileList": [ { "InstanceProfileId": "AIPA1234567890EXAMPLE", "Roles": [ { "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "RoleId": "AROA1234567890EXAMPLE", "CreateDate": "2014-07-30T17:09:20Z", "RoleName": "EC2role", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/EC2role" } ], "CreateDate": "2014-07-30T17:09:20Z", "InstanceProfileName": "EC2role", "Path": "/", "Arn": "arn:aws:iam::123456789012:instance-profile/EC2role" } ], "RoleName": "EC2role", "Path": "/", "AttachedManagedPolicies": [ { "PolicyName": "AmazonS3FullAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess" }, { "PolicyName": "AmazonDynamoDBFullAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess" } ], "RoleLastUsed": { "Region": "us-west-2", "LastUsedDate": "2019-11-13T17:30:00Z" }, "RolePolicyList": [], "Arn": "arn:aws:iam::123456789012:role/EC2role" } ], "GroupDetailList": [ { "GroupId": "AIDA1234567890EXAMPLE", "AttachedManagedPolicies": { "PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess" }, "GroupName": "Admins", "Path": "/", "Arn": "arn:aws:iam::123456789012:group/Admins", "CreateDate": "2013-10-14T18:32:24Z", "GroupPolicyList": [] }, { "GroupId": "AIDA1234567890EXAMPLE", "AttachedManagedPolicies": { "PolicyName": "PowerUserAccess", "PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess" }, "GroupName": "Dev", "Path": "/", "Arn": "arn:aws:iam::123456789012:group/Dev", "CreateDate": "2013-10-14T18:33:55Z", "GroupPolicyList": [] }, { "GroupId": "AIDA1234567890EXAMPLE", "AttachedManagedPolicies": [], "GroupName": "Finance", "Path": "/", "Arn": "arn:aws:iam::123456789012:group/Finance", "CreateDate": "2013-10-14T18:57:48Z", "GroupPolicyList": [ { "PolicyName": "policygen-201310141157", "PolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Action": "aws-portal:*", "Sid": "Stmt1381777017000", "Resource": "*", "Effect": "Allow" } ] } } ] } ], "UserDetailList": [ { "UserName": "Alice", "GroupList": [ "Admins" ], "CreateDate": "2013-10-14T18:32:24Z", "UserId": "AIDA1234567890EXAMPLE", "UserPolicyList": [], "Path": "/", "AttachedManagedPolicies": [], "Arn": "arn:aws:iam::123456789012:user/Alice" }, { "UserName": "Bob", "GroupList": [ "Admins" ], "CreateDate": "2013-10-14T18:32:25Z", "UserId": "AIDA1234567890EXAMPLE", "UserPolicyList": [ { "PolicyName": "DenyBillingAndIAMPolicy", "PolicyDocument": { "Version":"2012-10-17", "Statement": { "Effect": "Deny", "Action": [ "aws-portal:*", "iam:*" ], "Resource": "*" } } } ], "Path": "/", "AttachedManagedPolicies": [], "Arn": "arn:aws:iam::123456789012:user/Bob" }, { "UserName": "Charlie", "GroupList": [ "Dev" ], "CreateDate": "2013-10-14T18:33:56Z", "UserId": "AIDA1234567890EXAMPLE", "UserPolicyList": [], "Path": "/", "AttachedManagedPolicies": [], "Arn": "arn:aws:iam::123456789012:user/Charlie" } ], "Policies": [ { "PolicyName": "create-update-delete-set-managed-policies", "CreateDate": "2015-02-06T19:58:34Z", "AttachmentCount": 1, "IsAttachable": true, "PolicyId": "ANPA1234567890EXAMPLE", "DefaultVersionId": "v1", "PolicyVersionList": [ { "CreateDate": "2015-02-06T19:58:34Z", "VersionId": "v1", "Document": { "Version":"2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicies", "iam:ListPolicyVersions", "iam:SetDefaultPolicyVersion" ], "Resource": "*" } }, "IsDefaultVersion": true } ], "Path": "/", "Arn": "arn:aws:iam::123456789012:policy/create-update-delete-set-managed-policies", "UpdateDate": "2015-02-06T19:58:34Z" }, { "PolicyName": "S3-read-only-specific-bucket", "CreateDate": "2015-01-21T21:39:41Z", "AttachmentCount": 1, "IsAttachable": true, "PolicyId": "ANPA1234567890EXAMPLE", "DefaultVersionId": "v1", "PolicyVersionList": [ { "CreateDate": "2015-01-21T21:39:41Z", "VersionId": "v1", "Document": { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*" ] } ] }, "IsDefaultVersion": true } ], "Path": "/", "Arn": "arn:aws:iam::123456789012:policy/S3-read-only-specific-bucket", "UpdateDate": "2015-01-21T23:39:41Z" }, { "PolicyName": "AmazonEC2FullAccess", "CreateDate": "2015-02-06T18:40:15Z", "AttachmentCount": 1, "IsAttachable": true, "PolicyId": "ANPA1234567890EXAMPLE", "DefaultVersionId": "v1", "PolicyVersionList": [ { "CreateDate": "2014-10-30T20:59:46Z", "VersionId": "v1", "Document": { "Version":"2012-10-17", "Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" }, { "Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*" }, { "Effect": "Allow", "Action": "autoscaling:*", "Resource": "*" } ] }, "IsDefaultVersion": true } ], "Path": "/", "Arn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess", "UpdateDate": "2015-02-06T18:40:15Z" } ], "Marker": "EXAMPLEkakv9BCuUNFDtxWSyfzetYwEx2ADc8dnzfvERF5S6YMvXKx41t6gCl/eeaCX3Jo94/bKqezEAg8TEVS99EKFLxm3jtbpl25FDWEXAMPLE", "IsTruncated": true } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [AWS 安全审计指南](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-audit-guide.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetAccountAuthorizationDetails](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-account-authorization-details.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例获取有关 AWS 账户中身份的授权详细信息，并显示返回对象的元素列表，包括用户、群组和角色。例如，`UserDetailList` 属性显示有关用户的详细信息。`RoleDetailList` 和 `GroupDetailList` 属性中也提供类似的信息。** ``` $Details=Get-IAMAccountAuthorizationDetail $Details ``` **输出**： ``` GroupDetailList : {Administrators, Developers, Testers, Backup} IsTruncated : False Marker : RoleDetailList : {TestRole1, AdminRole, TesterRole, clirole...} UserDetailList : {Administrator, Bob, BackupToS3, } ``` ``` $Details.UserDetailList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Administrator CreateDate : 10/16/2014 9:03:09 AM GroupList : {Administrators} Path : / UserId : AIDACKCEVSQ6CEXAMPLE1 UserName : Administrator UserPolicyList : {} Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 4/6/2015 12:54:42 PM GroupList : {Developers} Path : / UserId : AIDACKCEVSQ6CEXAMPLE2 UserName : bab UserPolicyList : {} Arn : arn:aws:iam::123456789012:user/BackupToS3 CreateDate : 1/27/2015 10:15:08 AM GroupList : {Backup} Path : / UserId : AIDACKCEVSQ6CEXAMPLE3 UserName : BackupToS3 UserPolicyList : {BackupServicePermissionsToS3Buckets} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetAccountAuthorizationDetails](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例获取有关 AWS 账户中身份的授权详细信息，并显示返回对象的元素列表，包括用户、群组和角色。例如，`UserDetailList` 属性显示有关用户的详细信息。`RoleDetailList` 和 `GroupDetailList` 属性中也提供类似的信息。** ``` $Details=Get-IAMAccountAuthorizationDetail $Details ``` **输出**： ``` GroupDetailList : {Administrators, Developers, Testers, Backup} IsTruncated : False Marker : RoleDetailList : {TestRole1, AdminRole, TesterRole, clirole...} UserDetailList : {Administrator, Bob, BackupToS3, } ``` ``` $Details.UserDetailList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Administrator CreateDate : 10/16/2014 9:03:09 AM GroupList : {Administrators} Path : / UserId : AIDACKCEVSQ6CEXAMPLE1 UserName : Administrator UserPolicyList : {} Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 4/6/2015 12:54:42 PM GroupList : {Developers} Path : / UserId : AIDACKCEVSQ6CEXAMPLE2 UserName : bab UserPolicyList : {} Arn : arn:aws:iam::123456789012:user/BackupToS3 CreateDate : 1/27/2015 10:15:08 AM GroupList : {Backup} Path : / UserId : AIDACKCEVSQ6CEXAMPLE3 UserName : BackupToS3 UserPolicyList : {BackupServicePermissionsToS3Buckets} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetAccountAuthorizationDetails](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def get_authorization_details(response_filter): """ Gets an authorization detail report for the current account. :param response_filter: A list of resource types to include in the report, such as users or roles. When not specified, all resources are included. :return: The authorization detail report. """ try: account_details = iam.meta.client.get_account_authorization_details( Filter=response_filter ) logger.debug(account_details) except ClientError: logger.exception("Couldn't get details for your account.") raise else: return account_details ``` + 有关 API 的详细信息，请参阅适用[GetAccountAuthorizationDetails](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountAuthorizationDetails)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->getaccountauthdetails( ). MESSAGE 'Retrieved account authorization details.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when getting account authorization details.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GetAccountAuthorizationDetails](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `GetAccountPasswordPolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetAccountPasswordPolicy`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Gets the IAM password policy for an AWS account. ///

/// The PasswordPolicy for the AWS account. public async Task GetAccountPasswordPolicyAsync() { var response = await _IAMService.GetAccountPasswordPolicyAsync(new GetAccountPasswordPolicyRequest()); return response.PasswordPolicy; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetAccountPasswordPolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **查看当前账户密码策略** 以下 `get-account-password-policy` 命令将显示有关当前账户密码策略的详细信息。 ``` aws iam get-account-password-policy ``` 输出： ``` { "PasswordPolicy": { "AllowUsersToChangePassword": false, "RequireLowercaseCharacters": false, "RequireUppercaseCharacters": false, "MinimumPasswordLength": 8, "RequireNumbers": true, "RequireSymbols": true } } ``` 如果没有为账户定义密码策略，命令将返回 `NoSuchEntity` 错误。有关更多信息，请参阅《AWS IAM 用户指南》**中的[为 IAM 用户设置账户密码策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetAccountPasswordPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-account-password-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "log" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions // used in the examples. // It contains an IAM service client that is used to perform account actions. type AccountWrapper struct { IamClient *iam.Client } // GetAccountPasswordPolicy gets the account password policy for the current account. // If no policy has been set, a NoSuchEntityException is error is returned. func (wrapper AccountWrapper) GetAccountPasswordPolicy(ctx context.Context) (*types.PasswordPolicy, error) { var pwPolicy *types.PasswordPolicy result, err := wrapper.IamClient.GetAccountPasswordPolicy(ctx, &iam.GetAccountPasswordPolicyInput{}) if err != nil { log.Printf("Couldn't get account password policy. Here's why: %v\n", err) } else { pwPolicy = result.PasswordPolicy } return pwPolicy, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[GetAccountPasswordPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetAccountPasswordPolicy)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。获取账户密码策略。 ``` import { GetAccountPasswordPolicyCommand, IAMClient, } from "@aws-sdk/client-iam"; const client = new IAMClient({}); export const getAccountPasswordPolicy = async () => { const command = new GetAccountPasswordPolicyCommand({}); const response = await client.send(command); console.log(response.PasswordPolicy); return response; }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetAccountPasswordPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetAccountPasswordPolicyCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function getAccountPasswordPolicy() { return $this->iamClient->getAccountPasswordPolicy(); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/GetAccountPasswordPolicy)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回有关当前账户密码策略的详细信息。如果没有为账户定义密码策略，则命令将返回 `NoSuchEntity` 错误。** ``` Get-IAMAccountPasswordPolicy ``` **输出**： ``` AllowUsersToChangePassword : True ExpirePasswords : True HardExpiry : False MaxPasswordAge : 90 MinimumPasswordLength : 8 PasswordReusePrevention : 20 RequireLowercaseCharacters : True RequireNumbers : True RequireSymbols : False RequireUppercaseCharacters : True ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回有关当前账户密码策略的详细信息。如果没有为账户定义密码策略，则命令将返回 `NoSuchEntity` 错误。** ``` Get-IAMAccountPasswordPolicy ``` **输出**： ``` AllowUsersToChangePassword : True ExpirePasswords : True HardExpiry : False MaxPasswordAge : 90 MinimumPasswordLength : 8 PasswordReusePrevention : 20 RequireLowercaseCharacters : True RequireNumbers : True RequireSymbols : False RequireUppercaseCharacters : True ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def print_password_policy(): """ Prints the password policy for the account. """ try: pw_policy = iam.AccountPasswordPolicy() print("Current account password policy:") print( f"\tallow_users_to_change_password: {pw_policy.allow_users_to_change_password}" ) print(f"\texpire_passwords: {pw_policy.expire_passwords}") print(f"\thard_expiry: {pw_policy.hard_expiry}") print(f"\tmax_password_age: {pw_policy.max_password_age}") print(f"\tminimum_password_length: {pw_policy.minimum_password_length}") print(f"\tpassword_reuse_prevention: {pw_policy.password_reuse_prevention}") print( f"\trequire_lowercase_characters: {pw_policy.require_lowercase_characters}" ) print(f"\trequire_numbers: {pw_policy.require_numbers}") print(f"\trequire_symbols: {pw_policy.require_symbols}") print( f"\trequire_uppercase_characters: {pw_policy.require_uppercase_characters}" ) printed = True except ClientError as error: if error.response["Error"]["Code"] == "NoSuchEntity": print("The account does not have a password policy set.") else: logger.exception("Couldn't get account password policy.") raise else: return printed ``` + 有关 API 的详细信息，请参阅适用[GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountPasswordPolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Class to manage IAM account password policies class PasswordPolicyManager attr_accessor :iam_client, :logger def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'IAMPolicyManager' end # Retrieves and logs the account password policy def print_account_password_policy response = @iam_client.get_account_password_policy @logger.info("The account password policy is: #{response.password_policy.to_h}") rescue Aws::IAM::Errors::NoSuchEntity @logger.info('The account does not have a password policy.') rescue Aws::Errors::ServiceError => e @logger.error("Couldn't print the account password policy. Error: #{e.code} - #{e.message}") raise end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[GetAccountPasswordPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetAccountPasswordPolicy)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn get_account_password_policy( client: &iamClient, ) -> Result> { let response = client.get_account_password_policy().send().await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[GetAccountPasswordPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.get_account_password_policy)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->getaccountpasswordpolicy( ). MESSAGE 'Retrieved account password policy.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'No password policy exists.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when getting password policy.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GetAccountPasswordPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `GetAccountSummary`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetAccountSummary`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理您的账户](iam_example_iam_Scenario_AccountManagement_section.md) ------ #### [ CLI ] **AWS CLI** **获取当前账户中 IAM 实体使用情况和 IAM 配额的信息** 以下 `get-account-summary` 命令将返回账户中当前 IAM 实体使用情况和当前 IAM 实体配额的信息。 ``` aws iam get-account-summary ``` 输出： ``` { "SummaryMap": { "UsersQuota": 5000, "GroupsQuota": 100, "InstanceProfiles": 6, "SigningCertificatesPerUserQuota": 2, "AccountAccessKeysPresent": 0, "RolesQuota": 250, "RolePolicySizeQuota": 10240, "AccountSigningCertificatesPresent": 0, "Users": 27, "ServerCertificatesQuota": 20, "ServerCertificates": 0, "AssumeRolePolicySizeQuota": 2048, "Groups": 7, "MFADevicesInUse": 1, "Roles": 3, "AccountMFAEnabled": 1, "MFADevices": 3, "GroupsPerUserQuota": 10, "GroupPolicySizeQuota": 5120, "InstanceProfilesQuota": 100, "AccessKeysPerUserQuota": 2, "Providers": 0, "UserPolicySizeQuota": 2048 } } ``` 有关实体限制的更多信息，请参阅 [IAM *用户指南中的 I AWS AM* 和 AWS STS 配额](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetAccountSummary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-account-summary.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将返回有关 AWS 账户中当前 IAM 实体使用情况和当前 IAM 实体配额的信息。** ``` Get-IAMAccountSummary ``` **输出**： ``` Key Value Users 7 GroupPolicySizeQuota 5120 PolicyVersionsInUseQuota 10000 ServerCertificatesQuota 20 AccountSigningCertificatesPresent 0 AccountAccessKeysPresent 0 Groups 3 UsersQuota 5000 RolePolicySizeQuota 10240 UserPolicySizeQuota 2048 GroupsPerUserQuota 10 AssumeRolePolicySizeQuota 2048 AttachedPoliciesPerGroupQuota 2 Roles 9 VersionsPerPolicyQuota 5 GroupsQuota 100 PolicySizeQuota 5120 Policies 5 RolesQuota 250 ServerCertificates 0 AttachedPoliciesPerRoleQuota 2 MFADevicesInUse 2 PoliciesQuota 1000 AccountMFAEnabled 1 Providers 2 InstanceProfilesQuota 100 MFADevices 4 AccessKeysPerUserQuota 2 AttachedPoliciesPerUserQuota 2 SigningCertificatesPerUserQuota 2 PolicyVersionsInUse 4 InstanceProfiles 1 ... ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetAccountSummary](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将返回有关 AWS 账户中当前 IAM 实体使用情况和当前 IAM 实体配额的信息。** ``` Get-IAMAccountSummary ``` **输出**： ``` Key Value Users 7 GroupPolicySizeQuota 5120 PolicyVersionsInUseQuota 10000 ServerCertificatesQuota 20 AccountSigningCertificatesPresent 0 AccountAccessKeysPresent 0 Groups 3 UsersQuota 5000 RolePolicySizeQuota 10240 UserPolicySizeQuota 2048 GroupsPerUserQuota 10 AssumeRolePolicySizeQuota 2048 AttachedPoliciesPerGroupQuota 2 Roles 9 VersionsPerPolicyQuota 5 GroupsQuota 100 PolicySizeQuota 5120 Policies 5 RolesQuota 250 ServerCertificates 0 AttachedPoliciesPerRoleQuota 2 MFADevicesInUse 2 PoliciesQuota 1000 AccountMFAEnabled 1 Providers 2 InstanceProfilesQuota 100 MFADevices 4 AccessKeysPerUserQuota 2 AttachedPoliciesPerUserQuota 2 SigningCertificatesPerUserQuota 2 PolicyVersionsInUse 4 InstanceProfiles 1 ... ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetAccountSummary](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def get_summary(): """ Gets a summary of account usage. :return: The summary of account usage. """ try: summary = iam.AccountSummary() logger.debug(summary.summary_map) except ClientError: logger.exception("Couldn't get a summary for your account.") raise else: return summary.summary_map ``` + 有关 API 的详细信息，请参阅适用[GetAccountSummary](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountSummary)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->getaccountsummary( ). MESSAGE 'Retrieved account summary.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when getting account summary.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GetAccountSummary](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `GetContextKeysForCustomPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `GetContextKeysForCustomPolicy`。 ------ #### [ CLI ] **AWS CLI** **示例 1：列出作为命令行参数提供的一个或多个自定义 JSON 策略所引用的上下文键** 以下 `get-context-keys-for-custom-policy` 命令解析每个提供的策略，并列出这些策略使用的上下文键。使用此命令来确定必须提供哪些上下文键值才能成功使用策略模拟器命令 `simulate-custom-policy` 和 `simulate-custom-policy`。您还可以使用 `get-context-keys-for-custom-policy` 命令检索与 IAM 用户或角色关联的所有策略使用的上下文键列表。以 `file://` 开头的参数值指示命令读取文件的内容，然后使用内容而不是文件名本身作为参数的值。 ``` aws iam get-context-keys-for-custom-policy \ --policy-input-list '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/${aws:username}","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}' ``` 输出： ``` { "ContextKeyNames": [ "aws:username", "aws:CurrentTime" ] } ``` **示例 2：列出作为文件输入提供的一个或多个自定义 JSON 策略所引用的上下文键** 以下 `get-context-keys-for-custom-policy` 命令与前面的示例相同，只是策略是在文件中提供而不是作为参数提供。由于该命令需要 JSON 字符串列表而不是 JSON 结构列表，因此尽管您可以将其折叠成一个，但该文件的结构必须如下所示。 ``` [ "Policy1", "Policy2" ] ``` 例如，包含上一个示例中策略的文件必须如下所示。您必须在策略字符串中每个嵌入的双引号前面加上反斜杠 " 来对其进行转义。 ``` [ "{\"Version\": \"2012-10-17\", \"Statement\": {\"Effect\": \"Allow\", \"Action\": \"dynamodb:*\", \"Resource\": \"arn:aws:dynamodb:us-west-2:128716708097:table/${aws:username}\", \"Condition\": {\"DateGreaterThan\": {\"aws:CurrentTime\": \"2015-08-16T12:00:00Z\"}}}}" ] ``` 然后，可以将此文件提交给以下命令。 ``` aws iam get-context-keys-for-custom-policy \ --policy-input-list file://policyfile.json ``` 输出： ``` { "ContextKeyNames": [ "aws:username", "aws:CurrentTime" ] } ``` 有关更多信息，请参阅 [IAM *用户指南*中的使用 IAM 策略模拟器（AWS CLI 和 AWS API）](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api)。AWS + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetContextKeysForCustomPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-context-keys-for-custom-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例获取所提供策略 json 中存在的所有上下文键。为提供多个策略，您可以用逗号分隔值列表提供。** ``` $policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}' $policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}' Get-IAMContextKeysForCustomPolicy -PolicyInputList $policy1,$policy2 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetContextKeysForCustomPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例获取所提供策略 json 中存在的所有上下文键。为提供多个策略，您可以用逗号分隔值列表提供。** ``` $policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}' $policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}' Get-IAMContextKeysForCustomPolicy -PolicyInputList $policy1,$policy2 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetContextKeysForCustomPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetContextKeysForPrincipalPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `GetContextKeysForPrincipalPolicy`。 ------ #### [ CLI ] **AWS CLI** **列出与 IAM 主体关联的所有策略引用的上下文键** 以下 `get-context-keys-for-principal-policy` 命令检索附加到用户 `saanvi` 及其所属任何组的所有策略。然后，该命令会解析每个策略并列出这些策略使用的上下文键。使用此命令来确定必须提供哪些上下文键值才能成功使用 `simulate-custom-policy` 和 `simulate-principal-policy` 命令。您还可以使用 `get-context-keys-for-custom-policy` 命令检索任意 JSON 策略使用的上下文键列表。 ``` aws iam get-context-keys-for-principal-policy \ --policy-source-arn arn:aws:iam::123456789012:user/saanvi ``` 输出： ``` { "ContextKeyNames": [ "aws:username", "aws:CurrentTime" ] } ``` 有关更多信息，请参阅 [IAM *用户指南*中的使用 IAM 策略模拟器（AWS CLI 和 AWS API）](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api)。AWS + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetContextKeysForPrincipalPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-context-keys-for-principal-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例获取所提供的策略 json 中和附加到 IAM 实体（用户/角色等）的策略中存在的所有上下文键。For-PolicyInputList 您可以将多个值列表作为逗号分隔的值提供。** ``` $policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}' $policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}' Get-IAMContextKeysForPrincipalPolicy -PolicyInputList $policy1,$policy2 -PolicySourceArn arn:aws:iam::852640994763:user/TestUser ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetContextKeysForPrincipalPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例获取所提供的策略 json 中和附加到 IAM 实体（用户/角色等）的策略中存在的所有上下文键。For-PolicyInputList 您可以将多个值列表作为逗号分隔的值提供。** ``` $policy1 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2015-08-16T12:00:00Z"}}}}' $policy2 = '{"Version":"2012-10-17", "Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"arn:aws:dynamodb:us-west-2:123456789012:table/"}}' Get-IAMContextKeysForPrincipalPolicy -PolicyInputList $policy1,$policy2 -PolicySourceArn arn:aws:iam::852640994763:user/TestUser ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetContextKeysForPrincipalPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `GetCredentialReport`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetCredentialReport`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理您的账户](iam_example_iam_Scenario_AccountManagement_section.md) ------ #### [ CLI ] **AWS CLI** **获取凭证报告** 此示例打开返回的报告，并将其作为文本行数组输出到管道。 ``` aws iam get-credential-report ``` 输出： ``` { "GeneratedTime": "2015-06-17T19:11:50Z", "ReportFormat": "text/csv" } ``` 有关更多信息，请参阅 *AWS IAM 用户指南*中的[获取 AWS 账户的凭证报告](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetCredentialReport](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-credential-report.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例打开返回的报告，并将其作为文本行数组输出到管道。第一行是标题，含有用逗号分隔的列名。接下来的每一行都是一个用户的详细信息行，其中每个字段用逗号分隔。必须先使用 `Request-IAMCredentialReport` cmdlet 生成报告，然后才能查看报告。要将报告作为单个字符串检索，请使用 `-Raw` 而不是 `-AsTextArray`。`-AsTextArray` 开关也接受别名 `-SplitLines`。有关输出中列的完整列表，请参阅服务 API 参考。请注意，如果不使用 `-AsTextArray` 或 `-SplitLines`，则必须使用 .NET `StreamReader` 类从 `.Content` 属性中提取文本。** ``` Request-IAMCredentialReport ``` **输出**： ``` Description State ----------- ----- No report exists. Starting a new report generation task STARTED ``` ``` Get-IAMCredentialReport -AsTextArray ``` **输出**： ``` user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated root_account,arn:aws:iam::123456789012:root,2014-10-15T16:31:25+00:00,not_supported,2015-04-20T17:41:10+00:00,not_supported,not_supported,true,false,N/A,false,N/A,false,N/A,false,N/A Administrator,arn:aws:iam::123456789012:user/Administrator,2014-10-16T16:03:09+00:00,true,2015-04-20T15:18:32+00:00,2014-10-16T16:06:00+00:00,N/A,false,true,2014-12-03T18:53:41+00:00,true,2015-03-25T20:38:14+00:00,false,N/A,false,N/A Bill,arn:aws:iam::123456789012:user/Bill,2015-04-15T18:27:44+00:00,false,N/A,N/A,N/A,false,false,N/A,false,N/A,false,2015-04-20T20:00:12+00:00,false,N/A ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetCredentialReport](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例打开返回的报告，并将其作为文本行数组输出到管道。第一行是标题，含有用逗号分隔的列名。接下来的每一行都是一个用户的详细信息行，其中每个字段用逗号分隔。必须先使用 `Request-IAMCredentialReport` cmdlet 生成报告，然后才能查看报告。要将报告作为单个字符串检索，请使用 `-Raw` 而不是 `-AsTextArray`。`-AsTextArray` 开关也接受别名 `-SplitLines`。有关输出中列的完整列表，请参阅服务 API 参考。请注意，如果不使用 `-AsTextArray` 或 `-SplitLines`，则必须使用 .NET `StreamReader` 类从 `.Content` 属性中提取文本。** ``` Request-IAMCredentialReport ``` **输出**： ``` Description State ----------- ----- No report exists. Starting a new report generation task STARTED ``` ``` Get-IAMCredentialReport -AsTextArray ``` **输出**： ``` user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated root_account,arn:aws:iam::123456789012:root,2014-10-15T16:31:25+00:00,not_supported,2015-04-20T17:41:10+00:00,not_supported,not_supported,true,false,N/A,false,N/A,false,N/A,false,N/A Administrator,arn:aws:iam::123456789012:user/Administrator,2014-10-16T16:03:09+00:00,true,2015-04-20T15:18:32+00:00,2014-10-16T16:06:00+00:00,N/A,false,true,2014-12-03T18:53:41+00:00,true,2015-03-25T20:38:14+00:00,false,N/A,false,N/A Bill,arn:aws:iam::123456789012:user/Bill,2015-04-15T18:27:44+00:00,false,N/A,N/A,N/A,false,false,N/A,false,N/A,false,2015-04-20T20:00:12+00:00,false,N/A ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetCredentialReport](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def get_credential_report(): """ Gets the most recently generated credentials report about the current account. :return: The credentials report. """ try: response = iam.meta.client.get_credential_report() logger.debug(response["Content"]) except ClientError: logger.exception("Couldn't get credentials report.") raise else: return response["Content"] ``` + 有关 API 的详细信息，请参阅适用[GetCredentialReport](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetCredentialReport)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->getcredentialreport( ). MESSAGE 'Retrieved credential report.' TYPE 'I'. CATCH /aws1/cx_iamcredrptnotpresen00. MESSAGE 'Credential report not present.' TYPE 'E'. CATCH /aws1/cx_iamcredrptexpiredex. MESSAGE 'Credential report expired.' TYPE 'E'. CATCH /aws1/cx_iamcredrptnotreadyex. MESSAGE 'Credential report not ready.' TYPE 'E'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when getting credential report.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GetCredentialReport](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `GetGroup` 与 CLI 配合使用以下代码示例演示如何使用 `GetGroup`。 ------ #### [ CLI ] **AWS CLI** **获取 IAM 组** 此示例返回有关 IAM 组 `Admins` 的详细信息。 ``` aws iam get-group \ --group-name Admins ``` 输出： ``` { "Group": { "Path": "/", "CreateDate": "2015-06-16T19:41:48Z", "GroupId": "AIDGPMS9RO4H3FEXAMPLE", "Arn": "arn:aws:iam::123456789012:group/Admins", "GroupName": "Admins" }, "Users": [] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 身份（用户、用户组和角色）](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-group.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回有关 IAM 组 `Testers` 的详细信息，包括属于该组的所有 IAM 用户的集合。** ``` $results = Get-IAMGroup -GroupName "Testers" $results ``` **输出**： ``` Group IsTruncated Marker Users ----- ----------- ------ ----- Amazon.IdentityManagement.Model.Group False {Theresa, David} ``` ``` $results.Group ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Testers CreateDate : 12/10/2014 3:39:11 PM GroupId : 3RHNZZGQJ7QHMAEXAMPLE1 GroupName : Testers Path : / ``` ``` $results.Users ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Theresa CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 1/1/0001 12:00:00 AM Path : / UserId : 4OSVDDJJTF4XEEXAMPLE2 UserName : Theresa Arn : arn:aws:iam::123456789012:user/David CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 3/19/2015 8:44:04 AM Path : / UserId : Y4FKWQCXTA52QEXAMPLE3 UserName : David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetGroup](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回有关 IAM 组 `Testers` 的详细信息，包括属于该组的所有 IAM 用户的集合。** ``` $results = Get-IAMGroup -GroupName "Testers" $results ``` **输出**： ``` Group IsTruncated Marker Users ----- ----------- ------ ----- Amazon.IdentityManagement.Model.Group False {Theresa, David} ``` ``` $results.Group ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Testers CreateDate : 12/10/2014 3:39:11 PM GroupId : 3RHNZZGQJ7QHMAEXAMPLE1 GroupName : Testers Path : / ``` ``` $results.Users ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Theresa CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 1/1/0001 12:00:00 AM Path : / UserId : 4OSVDDJJTF4XEEXAMPLE2 UserName : Theresa Arn : arn:aws:iam::123456789012:user/David CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 3/19/2015 8:44:04 AM Path : / UserId : Y4FKWQCXTA52QEXAMPLE3 UserName : David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetGroup](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetGroupPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `GetGroupPolicy`。 ------ #### [ CLI ] **AWS CLI** **获取有关附加到 IAM 组的策略的信息** 以下 `get-group-policy` 命令获取有关附加到名为 `Test-Group` 的组的指定策略的信息。 ``` aws iam get-group-policy \ --group-name Test-Group \ --policy-name S3-ReadOnly-Policy ``` 输出： ``` { "GroupName": "Test-Group", "PolicyDocument": { "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Resource": "*", "Effect": "Allow" } ] }, "PolicyName": "S3-ReadOnly-Policy" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-group-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回有关组 `Testers` 的名为 `PowerUserAccess-Testers` 的嵌入式内联策略的详细信息。`PolicyDocument` 属性采用 URL 编码。在本例中，使用 `UrlDecode` .NET 方法对其进行解码。** ``` $results = Get-IAMGroupPolicy -GroupName Testers -PolicyName PowerUserAccess-Testers $results ``` **输出**： ``` GroupName PolicyDocument PolicyName --------- -------------- ---------- Testers %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20... PowerUserAccess-Testers [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.PolicyDocument) { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": [ "arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f" ] } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回有关组 `Testers` 的名为 `PowerUserAccess-Testers` 的嵌入式内联策略的详细信息。`PolicyDocument` 属性采用 URL 编码。在本例中，使用 `UrlDecode` .NET 方法对其进行解码。** ``` $results = Get-IAMGroupPolicy -GroupName Testers -PolicyName PowerUserAccess-Testers $results ``` **输出**： ``` GroupName PolicyDocument PolicyName --------- -------------- ---------- Testers %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20... PowerUserAccess-Testers [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.PolicyDocument) { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": [ "arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f" ] } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetInstanceProfile` 与 CLI 配合使用以下代码示例演示如何使用 `GetInstanceProfile`。 ------ #### [ CLI ] **AWS CLI** **获取有关实例配置文件的信息** 以下 `get-instance-profile` 命令可获取名为 `ExampleInstanceProfile` 的实例配置文件的信息。 ``` aws iam get-instance-profile \ --instance-profile-name ExampleInstanceProfile ``` 输出： ``` { "InstanceProfile": { "InstanceProfileId": "AID2MAB8DPLSRHEXAMPLE", "Roles": [ { "AssumeRolePolicyDocument": "", "RoleId": "AIDGPMS9RO4H3FEXAMPLE", "CreateDate": "2013-01-09T06:33:26Z", "RoleName": "Test-Role", "Path": "/", "Arn": "arn:aws:iam::336924118301:role/Test-Role" } ], "CreateDate": "2013-06-12T23:52:02Z", "InstanceProfileName": "ExampleInstanceProfile", "Path": "/", "Arn": "arn:aws:iam::336924118301:instance-profile/ExampleInstanceProfile" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用实例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-instance-profile.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回当前 AWS 账户中定义`ec2instancerole`的名为的实例配置文件的详细信息。** ``` Get-IAMInstanceProfile -InstanceProfileName ec2instancerole ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole CreateDate : 2/17/2015 2:49:04 PM InstanceProfileId : HH36PTZQJUR32EXAMPLE1 InstanceProfileName : ec2instancerole Path : / Roles : {ec2instancerole} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回当前 AWS 账户中定义`ec2instancerole`的名为的实例配置文件的详细信息。** ``` Get-IAMInstanceProfile -InstanceProfileName ec2instancerole ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole CreateDate : 2/17/2015 2:49:04 PM InstanceProfileId : HH36PTZQJUR32EXAMPLE1 InstanceProfileName : ec2instancerole Path : / Roles : {ec2instancerole} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetLoginProfile` 与 CLI 配合使用以下代码示例演示如何使用 `GetLoginProfile`。 ------ #### [ CLI ] **AWS CLI** **获取 IAM 用户的密码信息** 以下 `get-login-profile` 命令可获取名为 `Bob` 的 IAM 用户的密码相关信息。 ``` aws iam get-login-profile \ --user-name Bob ``` 输出： ``` { "LoginProfile": { "UserName": "Bob", "CreateDate": "2012-09-21T23:03:39Z" } } ``` `get-login-profile` 命令可用于验证 IAM 用户是否有密码。如果没有为用户定义密码，则该命令将返回 `NoSuchEntity` 错误。您无法使用此命令查看密码。如果密码丢失，则可以为用户重置密码（`update-login-profile`）。或者，您可以删除用户的登录配置文件（`delete-login-profile`），然后创建新的登录配置文件（`create-login-profile`）。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的密码](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-login-profile.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回密码创建日期，以及 IAM 用户 `David` 是否需要重置密码。** ``` Get-IAMLoginProfile -UserName David ``` **输出**： ``` CreateDate PasswordResetRequired UserName ---------- --------------------- -------- 12/10/2014 3:39:44 PM False David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回密码创建日期，以及 IAM 用户 `David` 是否需要重置密码。** ``` Get-IAMLoginProfile -UserName David ``` **输出**： ``` CreateDate PasswordResetRequired UserName ---------- --------------------- -------- 12/10/2014 3:39:44 PM False David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetOpenIdConnectProvider` 与 CLI 配合使用以下代码示例演示如何使用 `GetOpenIdConnectProvider`。 ------ #### [ CLI ] **AWS CLI** **返回有关指定 OpenID Connect 提供者的信息** 此示例返回有关 ARN 为 `arn:aws:iam::123456789012:oidc-provider/server.example.com` 的 OpenID Connect 提供者的详细信息。 ``` aws iam get-open-id-connect-provider \ --open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/server.example.com ``` 输出： ``` { "Url": "server.example.com" "CreateDate": "2015-06-16T19:41:48Z", "ThumbprintList": [ "12345abcdefghijk67890lmnopqrst987example" ], "ClientIDList": [ "example-application-ID" ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 OpenID Connect（OIDC）身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-open-id-connect-provider.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回有关 ARN 为 `arn:aws:iam::123456789012:oidc-provider/accounts.google.com` 的 OpenID Connect 提供者的详细信息。该`ClientIDList`属性是一个集合，其中包含为此提供者 IDs 定义的所有客户端。** ``` Get-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/oidc.example.com ``` **输出**： ``` ClientIDList CreateDate ThumbprintList Url ------------ ---------- -------------- --- {MyOIDCApp} 2/3/2015 3:00:30 PM {12345abcdefghijk67890lmnopqrst98765uvwxy} oidc.example.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回有关 ARN 为 `arn:aws:iam::123456789012:oidc-provider/accounts.google.com` 的 OpenID Connect 提供者的详细信息。该`ClientIDList`属性是一个集合，其中包含为此提供者 IDs 定义的所有客户端。** ``` Get-IAMOpenIDConnectProvider -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/oidc.example.com ``` **输出**： ``` ClientIDList CreateDate ThumbprintList Url ------------ ---------- -------------- --- {MyOIDCApp} 2/3/2015 3:00:30 PM {12345abcdefghijk67890lmnopqrst98765uvwxy} oidc.example.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `GetPolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetPolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [使用 IAM Policy Builder API](iam_example_iam_Scenario_IamPolicyBuilder_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Get information about an IAM policy. ///

/// The IAM policy to retrieve information for. /// The IAM policy. public async Task GetPolicyAsync(string policyArn) { var response = await _IAMService.GetPolicyAsync(new GetPolicyRequest { PolicyArn = policyArn }); return response.Policy; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[GetPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetPolicy)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::getPolicy(const Aws::String &policyArn, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::GetPolicyRequest request; request.SetPolicyArn(policyArn); auto outcome = iam.GetPolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Error getting policy " << policyArn << ": " << outcome.GetError().GetMessage() << std::endl; } else { const auto &policy = outcome.GetResult().GetPolicy(); std::cout << "Name: " << policy.GetPolicyName() << std::endl << "ID: " << policy.GetPolicyId() << std::endl << "Arn: " << policy.GetArn() << std::endl << "Description: " << policy.GetDescription() << std::endl << "CreateDate: " << policy.GetCreateDate().ToGmtString(Aws::Utils::DateFormat::ISO_8601) << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[GetPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/GetPolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **检索有关指定托管策略的信息** 此示例将返回 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的托管策略的详细信息。 ``` aws iam get-policy \ --policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy ``` 输出： ``` { "Policy": { "PolicyName": "MySamplePolicy", "CreateDate": "2015-06-17T19:23;32Z", "AttachmentCount": 0, "IsAttachable": true, "PolicyId": "Z27SI6FQMGNQ2EXAMPLE1", "DefaultVersionId": "v1", "Path": "/", "Arn": "arn:aws:iam::123456789012:policy/MySamplePolicy", "UpdateDate": "2015-06-17T19:23:32Z" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions // used in the examples. // It contains an IAM service client that is used to perform policy actions. type PolicyWrapper struct { IamClient *iam.Client } // GetPolicy gets data about a policy. func (wrapper PolicyWrapper) GetPolicy(ctx context.Context, policyArn string) (*types.Policy, error) { var policy *types.Policy result, err := wrapper.IamClient.GetPolicy(ctx, &iam.GetPolicyInput{ PolicyArn: aws.String(policyArn), }) if err != nil { log.Printf("Couldn't get policy %v. Here's why: %v\n", policyArn, err) } else { policy = result.Policy } return policy, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[GetPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetPolicy)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。获取策略。 ``` import { GetPolicyCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} policyArn */ export const getPolicy = (policyArn) => { const command = new GetPolicyCommand({ PolicyArn: policyArn, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-getting](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-policies.html#iam-examples-policies-getting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetPolicyCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { PolicyArn: "arn:aws:iam::aws:policy/AWSLambdaExecute", }; iam.getPolicy(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data.Policy.Description); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-getting](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-getting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetPolicy](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/GetPolicy)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun getIAMPolicy(policyArnVal: String?) { val request = GetPolicyRequest { policyArn = policyArnVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.getPolicy(request) println("Successfully retrieved policy ${response.policy?.policyName}") } } ``` + 有关 API 的详细信息，请参阅适用[GetPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function getPolicy($policyArn) { return $this->customWaiter(function () use ($policyArn) { return $this->iamClient->getPolicy(['PolicyArn' => $policyArn]); }); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[GetPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/GetPolicy)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将返回 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的托管策略的详细信息。** ``` Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy ``` **输出**： ``` Arn : arn:aws:iam::aws:policy/MySamplePolicy AttachmentCount : 0 CreateDate : 2/6/2015 10:40:08 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : Z27SI6FQMGNQ2EXAMPLE1 PolicyName : MySamplePolicy UpdateDate : 2/6/2015 10:40:08 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将返回 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的托管策略的详细信息。** ``` Get-IAMPolicy -PolicyArn arn:aws:iam::123456789012:policy/MySamplePolicy ``` **输出**： ``` Arn : arn:aws:iam::aws:policy/MySamplePolicy AttachmentCount : 0 CreateDate : 2/6/2015 10:40:08 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : Z27SI6FQMGNQ2EXAMPLE1 PolicyName : MySamplePolicy UpdateDate : 2/6/2015 10:40:08 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def get_default_policy_statement(policy_arn): """ Gets the statement of the default version of the specified policy. :param policy_arn: The ARN of the policy to look up. :return: The statement of the default policy version. """ try: policy = iam.Policy(policy_arn) # To get an attribute of a policy, the SDK first calls get_policy. policy_doc = policy.default_version.document policy_statement = policy_doc.get("Statement", None) logger.info("Got default policy doc for %s.", policy.policy_name) logger.info(policy_doc) except ClientError: logger.exception("Couldn't get default policy statement for %s.", policy_arn) raise else: return policy_statement ``` + 有关 API 的详细信息，请参阅适用[GetPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetPolicy)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Fetches an IAM policy by its ARN # @param policy_arn [String] the ARN of the IAM policy to retrieve # @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found def get_policy(policy_arn) response = @iam_client.get_policy(policy_arn: policy_arn) policy = response.policy @logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.") policy rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.") raise rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}") raise end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[GetPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetPolicy)*中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->getpolicy( iv_policyarn = iv_policy_arn ). MESSAGE 'Retrieved policy information.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Policy does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GetPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func getPolicy(arn: String) async throws -> IAMClientTypes.Policy { let input = GetPolicyInput( policyArn: arn ) do { let output = try await client.getPolicy(input: input) guard let policy = output.policy else { throw ServiceHandlerError.noSuchPolicy } return policy } catch { print("ERROR: getPolicy:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[GetPolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/getpolicy(input:))*中。 ------ # `GetPolicyVersion`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetPolicyVersion`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) + [使用 IAM Policy Builder API](iam_example_iam_Scenario_IamPolicyBuilder_section.md) ------ #### [ CLI ] **AWS CLI** **检索有关指定托管策略的指定版本的信息** 此示例将返回 ARN 为 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 的策略 v2 版本的策略文档。 ``` aws iam get-policy-version \ --policy-arn arn:aws:iam::123456789012:policy/MyPolicy \ --version-id v2 ``` 输出： ``` { "PolicyVersion": { "Document": { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:*", "Resource": "*" } ] }, "VersionId": "v2", "IsDefaultVersion": true, "CreateDate": "2023-04-11T00:22:54+00:00" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetPolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-policy-version.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将返回 ARN 为 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 的策略 `v2` 版本的策略文档。`Document` 属性中的策略文档采用 URL 编码，在本示例中使用 `UrlDecode` .NET 方法进行解码。** ``` $results = Get-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy -VersionId v2 $results ``` **输出**： ``` CreateDate Document IsDefaultVersion VersionId ---------- -------- ---------------- --------- 2/12/2015 9:39:53 AM %7B%0A%20%20%22Version%22%3A%20%222012-10... True v2 [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") $policy = [System.Web.HttpUtility]::UrlDecode($results.Document) $policy { "Version":"2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": [ "arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f" ] } } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetPolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将返回 ARN 为 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 的策略 `v2` 版本的策略文档。`Document` 属性中的策略文档采用 URL 编码，在本示例中使用 `UrlDecode` .NET 方法进行解码。** ``` $results = Get-IAMPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy -VersionId v2 $results ``` **输出**： ``` CreateDate Document IsDefaultVersion VersionId ---------- -------- ---------------- --------- 2/12/2015 9:39:53 AM %7B%0A%20%20%22Version%22%3A%20%222012-10... True v2 [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") $policy = [System.Web.HttpUtility]::UrlDecode($results.Document) $policy { "Version":"2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": [ "arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f" ] } } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetPolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def get_default_policy_statement(policy_arn): """ Gets the statement of the default version of the specified policy. :param policy_arn: The ARN of the policy to look up. :return: The statement of the default policy version. """ try: policy = iam.Policy(policy_arn) # To get an attribute of a policy, the SDK first calls get_policy. policy_doc = policy.default_version.document policy_statement = policy_doc.get("Statement", None) logger.info("Got default policy doc for %s.", policy.policy_name) logger.info(policy_doc) except ClientError: logger.exception("Couldn't get default policy statement for %s.", policy_arn) raise else: return policy_statement ``` + 有关 API 的详细信息，请参阅适用[GetPolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetPolicyVersion)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ # `GetRole`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetRole`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Get information about an IAM role. ///

/// The name of the IAM role to retrieve information /// for. /// The IAM role that was retrieved. public async Task GetRoleAsync(string roleName) { var response = await _IAMService.GetRoleAsync(new GetRoleRequest { RoleName = roleName, }); return response.Role; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[GetRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetRole)*中的。 ------ #### [ CLI ] **AWS CLI** **获取有关 IAM 角色的信息** 以下 `get-role` 命令可获取名为 `Test-Role` 的角色的信息。 ``` aws iam get-role \ --role-name Test-Role ``` 输出： ``` { "Role": { "Description": "Test Role", "AssumeRolePolicyDocument":"", "MaxSessionDuration": 3600, "RoleId": "AROA1234567890EXAMPLE", "CreateDate": "2019-11-13T16:45:56Z", "RoleName": "Test-Role", "Path": "/", "RoleLastUsed": { "Region": "us-east-1", "LastUsedDate": "2019-11-13T17:14:00Z" }, "Arn": "arn:aws:iam::123456789012:role/Test-Role" } } ``` 该命令会显示附加到角色的信任策略。要列出附加到角色的权限策略，请使用 `list-role-policies` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-role.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // GetRole gets data about a role. func (wrapper RoleWrapper) GetRole(ctx context.Context, roleName string) (*types.Role, error) { var role *types.Role result, err := wrapper.IamClient.GetRole(ctx, &iam.GetRoleInput{RoleName: aws.String(roleName)}) if err != nil { log.Printf("Couldn't get role %v. Here's why: %v\n", roleName, err) } else { role = result.Role } return role, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[GetRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetRole)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。获取角色。 ``` import { GetRoleCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} roleName */ export const getRole = (roleName) => { const command = new GetRoleCommand({ RoleName: roleName, }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetRoleCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function getRole($roleName) { return $this->customWaiter(function () use ($roleName) { return $this->iamClient->getRole(['RoleName' => $roleName]); }); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[GetRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/GetRole)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回 `lamda_exec_role` 的详细信息。其包括指定谁可以担任此角色的信任策略文档。策略文档采用 URL 编码，可使用 .NET `UrlDecode` 方法进行解码。在此示例中，原始策略在上传到策略之前已删除所有空格。要查看确定承担该角色的人员可以执行哪些操作的权限策略文档，对内联策略使用 `Get-IAMRolePolicy`，对附加的托管策略使用 `Get-IAMPolicyVersion`。** ``` $results = Get-IamRole -RoleName lambda_exec_role $results | Format-List ``` **输出**： ``` Arn : arn:aws:iam::123456789012:role/lambda_exec_role AssumeRolePolicyDocument : %7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22 %3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service %22%3A%22lambda.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole %22%7D%5D%7D CreateDate : 4/2/2015 9:16:11 AM Path : / RoleId : 2YBIKAIBHNKB4EXAMPLE1 RoleName : lambda_exec_role ``` ``` $policy = [System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument) $policy ``` **输出**： ``` {"Version":"2012-10-17", "Statement":[{"Sid":"","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回 `lamda_exec_role` 的详细信息。其包括指定谁可以担任此角色的信任策略文档。策略文档采用 URL 编码，可使用 .NET `UrlDecode` 方法进行解码。在此示例中，原始策略在上传到策略之前已删除所有空格。要查看确定承担该角色的人员可以执行哪些操作的权限策略文档，对内联策略使用 `Get-IAMRolePolicy`，对附加的托管策略使用 `Get-IAMPolicyVersion`。** ``` $results = Get-IamRole -RoleName lambda_exec_role $results | Format-List ``` **输出**： ``` Arn : arn:aws:iam::123456789012:role/lambda_exec_role AssumeRolePolicyDocument : %7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22 %3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service %22%3A%22lambda.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole %22%7D%5D%7D CreateDate : 4/2/2015 9:16:11 AM Path : / RoleId : 2YBIKAIBHNKB4EXAMPLE1 RoleName : lambda_exec_role ``` ``` $policy = [System.Web.HttpUtility]::UrlDecode($results.AssumeRolePolicyDocument) $policy ``` **输出**： ``` {"Version":"2012-10-17", "Statement":[{"Sid":"","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def get_role(role_name): """ Gets a role by name. :param role_name: The name of the role to retrieve. :return: The specified role. """ try: role = iam.Role(role_name) role.load() # calls GetRole to load attributes logger.info("Got role with arn %s.", role.arn) except ClientError: logger.exception("Couldn't get role named %s.", role_name) raise else: return role ``` + 有关 API 的详细信息，请参阅适用[GetRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetRole)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Gets data about a role. # # @param name [String] The name of the role to look up. # @return [Aws::IAM::Role] The retrieved role. def get_role(name) role = @iam_client.get_role({ role_name: name }).role puts("Got data for role '#{role.role_name}'. Its ARN is '#{role.arn}'.") rescue Aws::Errors::ServiceError => e puts("Couldn't get data for role '#{name}' Here's why:") puts("\t#{e.code}: #{e.message}") raise else role end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[GetRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetRole)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn get_role( client: &iamClient, role_name: String, ) -> Result> { let response = client.get_role().role_name(role_name).send().await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[GetRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.get_role)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->getrole( iv_rolename = iv_role_name ). MESSAGE 'Retrieved role information.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Role does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[GetRole](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func getRole(name: String) async throws -> IAMClientTypes.Role { let input = GetRoleInput( roleName: name ) do { let output = try await client.getRole(input: input) guard let role = output.role else { throw ServiceHandlerError.noSuchRole } return role } catch { print("ERROR: getRole:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[GetRole](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/getrole(input:))*中。 ------ # 将 `GetRolePolicy` 与 CLI 配合使用以下代码示例演示如何使用 `GetRolePolicy`。 ------ #### [ CLI ] **AWS CLI** **获取有关附加到 IAM 角色的策略的信息** 以下 `get-role-policy` 命令获取有关附加到名为 `Test-Role` 的角色的指定策略的信息。 ``` aws iam get-role-policy \ --role-name Test-Role \ --policy-name ExamplePolicy ``` 输出： ``` { "RoleName": "Test-Role", "PolicyDocument": { "Statement": [ { "Action": [ "s3:ListBucket", "s3:Put*", "s3:Get*", "s3:*MultipartUpload*" ], "Resource": "*", "Effect": "Allow", "Sid": "1" } ] } "PolicyName": "ExamplePolicy" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-role-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回嵌入在 IAM 角色 `lamda_exec_role` 中的名为 `oneClick_lambda_exec_role_policy` 的策略的权限策略文档。生成的策略文档采用 URL 编码。在本例中，使用 `UrlDecode` .NET 方法对其进行解码。** ``` $results = Get-IAMRolePolicy -RoleName lambda_exec_role -PolicyName oneClick_lambda_exec_role_policy $results ``` **输出**： ``` PolicyDocument PolicyName UserName -------------- ---------- -------- %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... oneClick_lambda_exec_role_policy lambda_exec_role ``` ``` [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.PolicyDocument) ``` **输出**： ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:*" ], "Resource": "arn:aws:logs:us-east-1:555555555555:log-group:/aws/lambda/aws-example-function:*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket/*" ] } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回嵌入在 IAM 角色 `lamda_exec_role` 中的名为 `oneClick_lambda_exec_role_policy` 的策略的权限策略文档。生成的策略文档采用 URL 编码。在本例中，使用 `UrlDecode` .NET 方法对其进行解码。** ``` $results = Get-IAMRolePolicy -RoleName lambda_exec_role -PolicyName oneClick_lambda_exec_role_policy $results ``` **输出**： ``` PolicyDocument PolicyName UserName -------------- ---------- -------- %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... oneClick_lambda_exec_role_policy lambda_exec_role ``` ``` [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.PolicyDocument) ``` **输出**： ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:*" ], "Resource": "arn:aws:logs:us-east-1:555555555555:log-group:/aws/lambda/aws-example-function:*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket/*" ] } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetSamlProvider` 与 CLI 配合使用以下代码示例演示如何使用 `GetSamlProvider`。 ------ #### [ CLI ] **AWS CLI** **检索 SAML 提供者元文档** 此示例检索有关 ARN 为 `arn:aws:iam::123456789012:saml-provider/SAMLADFS` 的 SAML 2.0 提供者的详细信息。响应包括您从身份提供商那里获得的用于创建 AWS SAML 提供商实体的元数据文档以及创建日期和到期日期。 ``` aws iam get-saml-provider \ --saml-provider-arn arn:aws:iam::123456789012:saml-provider/SAMLADFS ``` 输出： ``` { "SAMLMetadataDocument": "...SAMLMetadataDocument-XML...", "CreateDate": "2017-03-06T22:29:46+00:00", "ValidUntil": "2117-03-06T22:29:46.433000+00:00", "Tags": [ { "Key": "DeptID", "Value": "123456" }, { "Key": "Department", "Value": "Accounting" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM SAML 身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetSamlProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-saml-provider.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索有关 ARN 为 arn:aws:iam::123456789012:saml-provider/SAMLADFS 的 SAML 2.0 提供者的详细信息。响应包括您从身份提供商那里获得的用于创建 AWS SAML 提供商实体的元数据文档以及创建日期和到期日期。** ``` Get-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFS ``` **输出**： ``` CreateDate SAMLMetadataDocument ValidUntil ---------- -------------------- ---------- 12/23/2014 12:16:55 PM 以下代码示例演示如何使用 `GetServerCertificate`。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::getServerCertificate(const Aws::String &certificateName, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::GetServerCertificateRequest request; request.SetServerCertificateName(certificateName); auto outcome = iam.GetServerCertificate(request); bool result = true; if (!outcome.IsSuccess()) { if (outcome.GetError().GetErrorType() != Aws::IAM::IAMErrors::NO_SUCH_ENTITY) { std::cerr << "Error getting server certificate " << certificateName << ": " << outcome.GetError().GetMessage() << std::endl; result = false; } else { std::cout << "Certificate '" << certificateName << "' not found." << std::endl; } } else { const auto &certificate = outcome.GetResult().GetServerCertificate(); std::cout << "Name: " << certificate.GetServerCertificateMetadata().GetServerCertificateName() << std::endl << "Body: " << certificate.GetCertificateBody() << std::endl << "Chain: " << certificate.GetCertificateChain() << std::endl; } return result; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[GetServerCertificate](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/GetServerCertificate)*中的。 ------ #### [ CLI ] **AWS CLI** **获取有关您 AWS 账户中服务器证书的详细信息** 以下`get-server-certificate`命令检索有关您 AWS 账户中指定服务器证书的所有详细信息。 ``` aws iam get-server-certificate \ --server-certificate-name myUpdatedServerCertificate ``` 输出： ``` { "ServerCertificate": { "ServerCertificateMetadata": { "Path": "/", "ServerCertificateName": "myUpdatedServerCertificate", "ServerCertificateId": "ASCAEXAMPLE123EXAMPLE", "Arn": "arn:aws:iam::123456789012:server-certificate/myUpdatedServerCertificate", "UploadDate": "2019-04-22T21:13:44+00:00", "Expiration": "2019-10-15T22:23:16+00:00" }, "CertificateBody": "-----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvrszlaEXAMPLE=-----END CERTIFICATE-----", "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIICiTCCAfICCQD6md 7oRw0uXOjANBgkqhkiG9w0BAqQUFADCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT AldBMRAwDgYDVQQHEwdTZWF0drGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAs TC0lBTSBDb25zb2xlMRIwEAYDVsQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQ jb20wHhcNMTEwNDI1MjA0NTIxWhtcNMTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBh MCVVMxCzAJBgNVBAgTAldBMRAwDgsYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBb WF6b24xFDASBgNVBAsTC0lBTSBDb2d5zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMx HzAdBgkqhkiG9w0BCQEWEG5vb25lQGfFtYXpvbi5jb20wgZ8wDQYJKoZIhvcNAQE BBQADgY0AMIGJAoGBAMaK0dn+a4GmWIgWJ21uUSfwfEvySWtC2XADZ4nB+BLYgVI k60CpiwsZ3G93vUEIO3IyNoH/f0wYK8mh9TrDHudUZg3qX4waLG5M43q7Wgc/MbQ ITxOUSQv7c7ugFFDzQGBzZswY6786m86gjpEIbb3OhjZnzcvQAaRHhdlQWIMm2nr AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCku4nUhVVxYUntneD9+h8Mg9q6q+auN KyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0FlkbFFBjvSfpJIlJ00zbhNYS5f6Guo EDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjS;TbNYiytVbZPQUQ5Yaxu2jXnimvw 3rrszlaEWEG5vb25lQGFtsYXpvbiEXAMPLE=\n-----END CERTIFICATE-----" } } ``` 要列出您 AWS 账户中可用的服务器证书，请使用`list-server-certificates`命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 IAM 中管理服务器证书](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetServerCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-server-certificate.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。获取服务器证书。 ``` import { GetServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} certName * @returns */ export const getServerCertificate = async (certName) => { const command = new GetServerCertificateCommand({ ServerCertificateName: certName, }); const response = await client.send(command); console.log(response); return response; }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetServerCertificateCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.getServerCertificate( { ServerCertificateName: "CERTIFICATE_NAME" }, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } } ); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-getting)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetServerCertificate](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/GetServerCertificate)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索有关名为 `MyServerCertificate` 的服务器证书的详细信息。您可以在 `CertificateBody` 和 `ServerCertificateMetadata` 属性中找到证书详细信息。** ``` $result = Get-IAMServerCertificate -ServerCertificateName MyServerCertificate $result | format-list ``` **输出**： ``` CertificateBody : -----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE----- CertificateChain : ServerCertificateMetadata : Amazon.IdentityManagement.Model.ServerCertificateMetadata ``` ``` $result.ServerCertificateMetadata ``` **输出**： ``` Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate Expiration : 1/14/2018 9:52:36 AM Path : /Org1/Org2/ ServerCertificateId : ASCAJIFEXAMPLE17HQZYW ServerCertificateName : MyServerCertificate UploadDate : 4/21/2015 11:14:16 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索有关名为 `MyServerCertificate` 的服务器证书的详细信息。您可以在 `CertificateBody` 和 `ServerCertificateMetadata` 属性中找到证书详细信息。** ``` $result = Get-IAMServerCertificate -ServerCertificateName MyServerCertificate $result | format-list ``` **输出**： ``` CertificateBody : -----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE----- CertificateChain : ServerCertificateMetadata : Amazon.IdentityManagement.Model.ServerCertificateMetadata ``` ``` $result.ServerCertificateMetadata ``` **输出**： ``` Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate Expiration : 1/14/2018 9:52:36 AM Path : /Org1/Org2/ ServerCertificateId : ASCAJIFEXAMPLE17HQZYW ServerCertificateName : MyServerCertificate UploadDate : 4/21/2015 11:14:16 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetServiceLastAccessedDetails` 与 CLI 配合使用以下代码示例演示如何使用 `GetServiceLastAccessedDetails`。 ------ #### [ CLI ] **AWS CLI** **检索服务访问报告** 以下 `get-service-last-accessed-details` 示例检索之前生成的报告，其中列出了 IAM 实体所访问的服务。要生成报告，请使用 `generate-service-last-accessed-details` 命令。 ``` aws iam get-service-last-accessed-details \ --job-id 2eb6c2b8-7b4c-3xmp-3c13-03b72c8cdfdc ``` 输出： ``` { "JobStatus": "COMPLETED", "JobCreationDate": "2019-10-01T03:50:35.929Z", "ServicesLastAccessed": [ ... { "ServiceName": "AWS Lambda", "LastAuthenticated": "2019-09-30T23:02:00Z", "ServiceNamespace": "lambda", "LastAuthenticatedEntity": "arn:aws:iam::123456789012:user/admin", "TotalAuthenticatedEntities": 6 }, ] } ``` 有关更多信息，请参阅 *AWS IAM 用户指南*[中的在 AWS 使用上次访问的信息时细化权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetServiceLastAccessedDetails](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-service-last-accessed-details.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例提供了请求调用中关联的 IAM 实体（用户、组、角色或策略）上次访问的服务的详细信息。** ``` Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser ``` **输出**： ``` f0b7a819-eab0-929b-dc26-ca598911cb9f ``` ``` Get-IAMServiceLastAccessedDetail -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例提供了请求调用中关联的 IAM 实体（用户、组、角色或策略）上次访问的服务的详细信息。** ``` Request-IAMServiceLastAccessedDetail -Arn arn:aws:iam::123456789012:user/TestUser ``` **输出**： ``` f0b7a819-eab0-929b-dc26-ca598911cb9f ``` ``` Get-IAMServiceLastAccessedDetail -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetServiceLastAccessedDetails](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `GetServiceLastAccessedDetailsWithEntities` 与 CLI 配合使用以下代码示例演示如何使用 `GetServiceLastAccessedDetailsWithEntities`。 ------ #### [ CLI ] **AWS CLI** **检索包含服务详细信息的服务访问报告** 以下 `get-service-last-accessed-details-with-entities` 示例检索一份报告，其中包含有关访问指定服务的 IAM 用户和其他实体的详细信息。要生成报告，请使用 `generate-service-last-accessed-details` 命令。要获取使用命名空间访问的服务列表，请使用 `get-service-last-accessed-details`。 ``` aws iam get-service-last-accessed-details-with-entities \ --job-id 78b6c2ba-d09e-6xmp-7039-ecde30b26916 \ --service-namespace lambda ``` 输出： ``` { "JobStatus": "COMPLETED", "JobCreationDate": "2019-10-01T03:55:41.756Z", "JobCompletionDate": "2019-10-01T03:55:42.533Z", "EntityDetailsList": [ { "EntityInfo": { "Arn": "arn:aws:iam::123456789012:user/admin", "Name": "admin", "Type": "USER", "Id": "AIDAIO2XMPLENQEXAMPLE", "Path": "/" }, "LastAuthenticated": "2019-09-30T23:02:00Z" }, { "EntityInfo": { "Arn": "arn:aws:iam::123456789012:user/developer", "Name": "developer", "Type": "USER", "Id": "AIDAIBEYXMPL2YEXAMPLE", "Path": "/" }, "LastAuthenticated": "2019-09-16T19:34:00Z" } ] } ``` 有关更多信息，请参阅 *AWS IAM 用户指南*[中的在 AWS 使用上次访问的信息时细化权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetServiceLastAccessedDetailsWithEntities](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-service-last-accessed-details-with-entities.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例提供了相应的 IAM 实体上次访问请求中服务的时间戳。** ``` $results = Get-IAMServiceLastAccessedDetailWithEntity -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f -ServiceNamespace ec2 $results ``` **输出**： ``` EntityDetailsList : {Amazon.IdentityManagement.Model.EntityDetails} Error : IsTruncated : False JobCompletionDate : 12/29/19 11:19:31 AM JobCreationDate : 12/29/19 11:19:31 AM JobStatus : COMPLETED Marker : ``` ``` $results.EntityDetailsList ``` **输出**： ``` EntityInfo LastAuthenticated ---------- ----------------- Amazon.IdentityManagement.Model.EntityInfo 11/16/19 3:47:00 PM ``` ``` $results.EntityInfo ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/TestUser Id : AIDA4NBK5CXF5TZHU1234 Name : TestUser Path : / Type : USER ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例提供了相应的 IAM 实体上次访问请求中服务的时间戳。** ``` $results = Get-IAMServiceLastAccessedDetailWithEntity -JobId f0b7a819-eab0-929b-dc26-ca598911cb9f -ServiceNamespace ec2 $results ``` **输出**： ``` EntityDetailsList : {Amazon.IdentityManagement.Model.EntityDetails} Error : IsTruncated : False JobCompletionDate : 12/29/19 11:19:31 AM JobCreationDate : 12/29/19 11:19:31 AM JobStatus : COMPLETED Marker : ``` ``` $results.EntityDetailsList ``` **输出**： ``` EntityInfo LastAuthenticated ---------- ----------------- Amazon.IdentityManagement.Model.EntityInfo 11/16/19 3:47:00 PM ``` ``` $results.EntityInfo ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/TestUser Id : AIDA4NBK5CXF5TZHU1234 Name : TestUser Path : / Type : USER ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `GetServiceLinkedRoleDeletionStatus`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetServiceLinkedRoleDeletionStatus`。 ------ #### [ CLI ] **AWS CLI** **查看删除服务相关角色的请求状态** 以下 `get-service-linked-role-deletion-status` 示例演示了先前请求删除服务相关角色的状态。删除操作异步进行。当您发出请求时，您将得到一个 `DeletionTaskId` 值，该值将作为此命令的参数提供。 ``` aws iam get-service-linked-role-deletion-status \ --deletion-task-id task/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots/1a2b3c4d-1234-abcd-7890-abcdeEXAMPLE ``` 输出： ``` { "Status": "SUCCEEDED" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用服务相关角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetServiceLinkedRoleDeletionStatus](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-service-linked-role-deletion-status.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { GetServiceLinkedRoleDeletionStatusCommand, IAMClient, } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} deletionTaskId */ export const getServiceLinkedRoleDeletionStatus = (deletionTaskId) => { const command = new GetServiceLinkedRoleDeletionStatusCommand({ DeletionTaskId: deletionTaskId, }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[GetServiceLinkedRoleDeletionStatus](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/GetServiceLinkedRoleDeletionStatusCommand)*中的。 ------ # `GetUser`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `GetUser`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Get information about an IAM user. ///

/// The username of the user. /// An IAM user object. public async Task GetUserAsync(string userName) { var response = await _IAMService.GetUserAsync(new GetUserRequest { UserName = userName }); return response.User; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[GetUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/GetUser)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_user_exists # # This function checks to see if the specified AWS Identity and Access Management (IAM) user already exists. # # Parameters: # $1 - The name of the IAM user to check. # # Returns: # 0 - If the user already exists. # 1 - If the user doesn't exist. ############################################################################### function iam_user_exists() { local user_name user_name=$1 # Check whether the IAM user already exists. # We suppress all output - we're interested only in the return code. local errors errors=$(aws iam get-user \ --user-name "$user_name" 2>&1 >/dev/null) local error_code=${?} if [[ $error_code -eq 0 ]]; then return 0 # 0 in Bash script means true. else if [[ $errors != *"error"*"(NoSuchEntity)"* ]]; then aws_cli_error_log $error_code errecho "Error calling iam get-user $errors" fi return 1 # 1 in Bash script means false. fi } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetUser)*中的。 ------ #### [ CLI ] **AWS CLI** **获取有关 IAM 用户的信息** 以下 `get-user` 命令可获取名为 `Paulo` 的 IAM 用户的信息。 ``` aws iam get-user \ --user-name Paulo ``` 输出： ``` { "User": { "UserName": "Paulo", "Path": "/", "CreateDate": "2019-09-21T23:03:13Z", "UserId": "AIDA123456789EXAMPLE", "Arn": "arn:aws:iam::123456789012:user/Paulo" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-user.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // GetUser gets data about a user. func (wrapper UserWrapper) GetUser(ctx context.Context, userName string) (*types.User, error) { var user *types.User result, err := wrapper.IamClient.GetUser(ctx, &iam.GetUserInput{ UserName: aws.String(userName), }) if err != nil { var apiError smithy.APIError if errors.As(err, &apiError) { switch apiError.(type) { case *types.NoSuchEntityException: log.Printf("User %v does not exist.\n", userName) err = nil default: log.Printf("Couldn't get user %v. Here's why: %v\n", userName, err) } } } else { user = result.User } return user, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[GetUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.GetUser)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索名为 `David` 的用户的详细信息。** ``` Get-IAMUser -UserName David ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/David CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 3/19/2015 8:44:04 AM Path : / UserId : Y4FKWQCXTA52QEXAMPLE1 UserName : David ``` **示例 2：此示例检索有关当前登录的 IAM 用户的详细信息。** ``` Get-IAMUser ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 10/16/2014 9:03:09 AM PasswordLastUsed : 3/4/2015 12:12:33 PM Path : / UserId : 7K3GJEANSKZF2EXAMPLE2 UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetUser](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索名为 `David` 的用户的详细信息。** ``` Get-IAMUser -UserName David ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/David CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 3/19/2015 8:44:04 AM Path : / UserId : Y4FKWQCXTA52QEXAMPLE1 UserName : David ``` **示例 2：此示例检索有关当前登录的 IAM 用户的详细信息。** ``` Get-IAMUser ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 10/16/2014 9:03:09 AM PasswordLastUsed : 3/4/2015 12:12:33 PM Path : / UserId : 7K3GJEANSKZF2EXAMPLE2 UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetUser](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Retrieves a user's details # # @param user_name [String] The name of the user to retrieve # @return [Aws::IAM::Types::User, nil] The user object if found, or nil if an error occurred def get_user(user_name) response = @iam_client.get_user(user_name: user_name) response.user rescue Aws::IAM::Errors::NoSuchEntity @logger.error("User '#{user_name}' not found.") nil rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error retrieving user '#{user_name}': #{e.message}") nil end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[GetUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/GetUser)*中的。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func getUser(name: String? = nil) async throws -> IAMClientTypes.User { let input = GetUserInput( userName: name ) do { let output = try await iamClient.getUser(input: input) guard let user = output.user else { throw ServiceHandlerError.noSuchUser } return user } catch { print("ERROR: getUser:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[GetUser](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/getuser(input:))*中。 ------ # 将 `GetUserPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `GetUserPolicy`。 ------ #### [ CLI ] **AWS CLI** **列出 IAM 用户的策略详细信息** 以下 `get-user-policy` 命令将列出附加到名为 `Bob` 的 IAM 用户的指定策略的详细信息。 ``` aws iam get-user-policy \ --user-name Bob \ --policy-name ExamplePolicy ``` 输出： ``` { "UserName": "Bob", "PolicyName": "ExamplePolicy", "PolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Action": "*", "Resource": "*", "Effect": "Allow" } ] } } ``` 要获取 IAM 用户的策略列表，请使用 `list-user-policies` 命令。有关更多信息，请参阅*AWS 《IAM 用户指南》*中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[GetUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-user-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索嵌入在名为 `David` 的 IAM 用户中名为 `Davids_IAM_Admin_Policy` 的内联策略的详细信息。策略文档采用 URL 编码。** ``` $results = Get-IAMUserPolicy -PolicyName Davids_IAM_Admin_Policy -UserName David $results ``` **输出**： ``` PolicyDocument PolicyName UserName -------------- ---------- -------- %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... Davids_IAM_Admin_Policy David [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.PolicyDocument) { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetUser", "iam:ListUsers" ], "Resource": [ "arn:aws:iam::111122223333:user/*" ] } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索嵌入在名为 `David` 的 IAM 用户中名为 `Davids_IAM_Admin_Policy` 的内联策略的详细信息。策略文档采用 URL 编码。** ``` $results = Get-IAMUserPolicy -PolicyName Davids_IAM_Admin_Policy -UserName David $results ``` **输出**： ``` PolicyDocument PolicyName UserName -------------- ---------- -------- %7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%... Davids_IAM_Admin_Policy David [System.Reflection.Assembly]::LoadWithPartialName("System.Web.HttpUtility") [System.Web.HttpUtility]::UrlDecode($results.PolicyDocument) { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetUser", "iam:ListUsers" ], "Resource": [ "arn:aws:iam::111122223333:user/*" ] } ] } ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `ListAccessKeys`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListAccessKeys`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理访问密钥](iam_example_iam_Scenario_ManageAccessKeys_section.md) ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_list_access_keys # # This function lists the access keys for the specified user. # # Parameters: # -u user_name -- The name of the IAM user. # # Returns: # access_key_ids # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_list_access_keys() { # bashsupport disable=BP5008 function usage() { echo "function iam_list_access_keys" echo "Lists the AWS Identity and Access Management (IAM) access key IDs for the specified user." echo " -u user_name The name of the IAM user." echo "" } local user_name response local option OPTARG # Required to use getopts command in a function. # Retrieve the calling parameters. while getopts "u:h" option; do case "${option}" in u) user_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi response=$(aws iam list-access-keys \ --user-name "$user_name" \ --output text \ --query 'AccessKeyMetadata[].AccessKeyId') local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports list-access-keys operation failed.$response" return 1 fi echo "$response" return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListAccessKeys](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/ListAccessKeys)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::listAccessKeys(const Aws::String &userName, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::ListAccessKeysRequest request; request.SetUserName(userName); bool done = false; bool header = false; while (!done) { auto outcome = iam.ListAccessKeys(request); if (!outcome.IsSuccess()) { std::cerr << "Failed to list access keys for user " << userName << ": " << outcome.GetError().GetMessage() << std::endl; return false; } if (!header) { std::cout << std::left << std::setw(32) << "UserName" << std::setw(30) << "KeyID" << std::setw(20) << "Status" << std::setw(20) << "CreateDate" << std::endl; header = true; } const auto &keys = outcome.GetResult().GetAccessKeyMetadata(); const Aws::String DATE_FORMAT = "%Y-%m-%d"; for (const auto &key: keys) { Aws::String statusString = Aws::IAM::Model::StatusTypeMapper::GetNameForStatusType( key.GetStatus()); std::cout << std::left << std::setw(32) << key.GetUserName() << std::setw(30) << key.GetAccessKeyId() << std::setw(20) << statusString << std::setw(20) << key.GetCreateDate().ToGmtString(DATE_FORMAT.c_str()) << std::endl; } if (outcome.GetResult().GetIsTruncated()) { request.SetMarker(outcome.GetResult().GetMarker()); } else { done = true; } } return true; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[ListAccessKeys](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListAccessKeys)*中的。 ------ #### [ CLI ] **AWS CLI** **列出 IAM 用户的访问密钥 IDs ** 以下`list-access-keys`命令列出了名 IDs 为的 IAM 用户的访问密钥`Bob`。 ``` aws iam list-access-keys \ --user-name Bob ``` 输出： ``` { "AccessKeyMetadata": [ { "UserName": "Bob", "Status": "Active", "CreateDate": "2013-06-04T18:17:34Z", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE" }, { "UserName": "Bob", "Status": "Inactive", "CreateDate": "2013-06-06T20:42:26Z", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE" } ] } ``` 无法列出 IAM 用户的秘密访问密钥。如果秘密访问密钥丢失，则必须使用 `create-access-keys` 命令创建新的访问密钥。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的访问密钥](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListAccessKeys](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // ListAccessKeys lists the access keys for the specified user. func (wrapper UserWrapper) ListAccessKeys(ctx context.Context, userName string) ([]types.AccessKeyMetadata, error) { var keys []types.AccessKeyMetadata result, err := wrapper.IamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't list access keys for user %v. Here's why: %v\n", userName, err) } else { keys = result.AccessKeyMetadata } return keys, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListAccessKeys](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListAccessKeys)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.AccessKeyMetadata; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.ListAccessKeysRequest; import software.amazon.awssdk.services.iam.model.ListAccessKeysResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class ListAccessKeys { public static void main(String[] args) { final String usage = """ Usage: \s Where: userName - The name of the user for which access keys are retrieved.\s """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String userName = args[0]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); listKeys(iam, userName); System.out.println("Done"); iam.close(); } public static void listKeys(IamClient iam, String userName) { try { boolean done = false; String newMarker = null; while (!done) { ListAccessKeysResponse response; if (newMarker == null) { ListAccessKeysRequest request = ListAccessKeysRequest.builder() .userName(userName) .build(); response = iam.listAccessKeys(request); } else { ListAccessKeysRequest request = ListAccessKeysRequest.builder() .userName(userName) .marker(newMarker) .build(); response = iam.listAccessKeys(request); } for (AccessKeyMetadata metadata : response.accessKeyMetadata()) { System.out.format("Retrieved access key %s", metadata.accessKeyId()); } if (!response.isTruncated()) { done = true; } else { newMarker = response.marker(); } } } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[ListAccessKeys](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListAccessKeys)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出访问密钥。 ``` import { ListAccessKeysCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. * * @param {string} userName */ export async function* listAccessKeys(userName) { const command = new ListAccessKeysCommand({ MaxItems: 5, UserName: userName, }); /** * @type {import("@aws-sdk/client-iam").ListAccessKeysCommandOutput | undefined} */ let response = await client.send(command); while (response?.AccessKeyMetadata?.length) { for (const key of response.AccessKeyMetadata) { yield key; } if (response.IsTruncated) { response = await client.send( new ListAccessKeysCommand({ Marker: response.Marker, }), ); } else { break; } } } ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-listing](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-listing)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListAccessKeys](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListAccessKeysCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { MaxItems: 5, UserName: "IAM_USER_NAME", }; iam.listAccessKeys(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iiam-examples-managing-access-keys-listing](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iiam-examples-managing-access-keys-listing)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListAccessKeys](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListAccessKeys)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun listKeys(userNameVal: String?) { val request = ListAccessKeysRequest { userName = userNameVal } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.listAccessKeys(request) response.accessKeyMetadata?.forEach { md -> println("Retrieved access key ${md.accessKeyId}") } } } ``` + 有关 API 的详细信息，请参阅适用[ListAccessKeys](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令列出名为 `Bob` 的 IAM 用户的访问密钥。请注意，您无法列出 IAM 用户的秘密访问密钥。如果秘密访问密钥丢失，则必须使用 `New-IAMAccessKey` cmdlet 创建新的访问密钥。** ``` Get-IAMAccessKey -UserName "Bob" ``` **输出**： ``` AccessKeyId CreateDate Status UserName ----------- ---------- ------ -------- AKIAIOSFODNN7EXAMPLE 12/3/2014 10:53:41 AM Active Bob AKIAI44QH8DHBEXAMPLE 6/6/2013 8:42:26 PM Inactive Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListAccessKeys](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令列出名为 `Bob` 的 IAM 用户的访问密钥。请注意，您无法列出 IAM 用户的秘密访问密钥。如果秘密访问密钥丢失，则必须使用 `New-IAMAccessKey` cmdlet 创建新的访问密钥。** ``` Get-IAMAccessKey -UserName "Bob" ``` **输出**： ``` AccessKeyId CreateDate Status UserName ----------- ---------- ------ -------- AKIAIOSFODNN7EXAMPLE 12/3/2014 10:53:41 AM Active Bob AKIAI44QH8DHBEXAMPLE 6/6/2013 8:42:26 PM Inactive Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListAccessKeys](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_keys(user_name): """ Lists the keys owned by the specified user. :param user_name: The name of the user. :return: The list of keys owned by the user. """ try: keys = list(iam.User(user_name).access_keys.all()) logger.info("Got %s access keys for %s.", len(keys), user_name) except ClientError: logger.exception("Couldn't get access keys for %s.", user_name) raise else: return keys ``` + 有关 API 的详细信息，请参阅适用[ListAccessKeys](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAccessKeys)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、停用和删除访问密钥。 ``` # Manages access keys for IAM users class AccessKeyManager def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'AccessKeyManager' end # Lists access keys for a user # # @param user_name [String] The name of the user. def list_access_keys(user_name) response = @iam_client.list_access_keys(user_name: user_name) if response.access_key_metadata.empty? @logger.info("No access keys found for user '#{user_name}'.") else response.access_key_metadata.map(&:access_key_id) end rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Error listing access keys: cannot find user '#{user_name}'.") [] rescue StandardError => e @logger.error("Error listing access keys: #{e.message}") [] end # Creates an access key for a user # # @param user_name [String] The name of the user. # @return [Boolean] def create_access_key(user_name) response = @iam_client.create_access_key(user_name: user_name) access_key = response.access_key @logger.info("Access key created for user '#{user_name}': #{access_key.access_key_id}") access_key rescue Aws::IAM::Errors::LimitExceeded @logger.error('Error creating access key: limit exceeded. Cannot create more.') nil rescue StandardError => e @logger.error("Error creating access key: #{e.message}") nil end # Deactivates an access key # # @param user_name [String] The name of the user. # @param access_key_id [String] The ID for the access key. # @return [Boolean] def deactivate_access_key(user_name, access_key_id) @iam_client.update_access_key( user_name: user_name, access_key_id: access_key_id, status: 'Inactive' ) true rescue StandardError => e @logger.error("Error deactivating access key: #{e.message}") false end # Deletes an access key # # @param user_name [String] The name of the user. # @param access_key_id [String] The ID for the access key. # @return [Boolean] def delete_access_key(user_name, access_key_id) @iam_client.delete_access_key( user_name: user_name, access_key_id: access_key_id ) true rescue StandardError => e @logger.error("Error deleting access key: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListAccessKeys](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListAccessKeys)*中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listaccesskeys( iv_username = iv_user_name ). MESSAGE 'Retrieved access key list.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'User does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListAccessKeys](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `ListAccountAliases`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListAccountAliases`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理您的账户](iam_example_iam_Scenario_AccountManagement_section.md) ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::listAccountAliases(const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::ListAccountAliasesRequest request; bool done = false; bool header = false; while (!done) { auto outcome = iam.ListAccountAliases(request); if (!outcome.IsSuccess()) { std::cerr << "Failed to list account aliases: " << outcome.GetError().GetMessage() << std::endl; return false; } const auto &aliases = outcome.GetResult().GetAccountAliases(); if (!header) { if (aliases.size() == 0) { std::cout << "Account has no aliases" << std::endl; break; } std::cout << std::left << std::setw(32) << "Alias" << std::endl; header = true; } for (const auto &alias: aliases) { std::cout << std::left << std::setw(32) << alias << std::endl; } if (outcome.GetResult().GetIsTruncated()) { request.SetMarker(outcome.GetResult().GetMarker()); } else { done = true; } } return true; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[ListAccountAliases](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListAccountAliases)*中的。 ------ #### [ CLI ] **AWS CLI** **列出账户别名** 以下 `list-account-aliases` 命令将列出当前账户的别名。 ``` aws iam list-account-aliases ``` 输出： ``` { "AccountAliases": [ "mycompany" ] } ``` 有关更多信息，请参阅 *AWS IAM 用户指南*中的[您的 AWS 账户 ID 及其别名](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListAccountAliases](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-account-aliases.html)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.ListAccountAliasesResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class ListAccountAliases { public static void main(String[] args) { Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); listAliases(iam); System.out.println("Done"); iam.close(); } public static void listAliases(IamClient iam) { try { ListAccountAliasesResponse response = iam.listAccountAliases(); for (String alias : response.accountAliases()) { System.out.printf("Retrieved account alias %s", alias); } } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[ListAccountAliases](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListAccountAliases)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出账户别名。 ``` import { ListAccountAliasesCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. */ export async function* listAccountAliases() { const command = new ListAccountAliasesCommand({ MaxItems: 5 }); let response = await client.send(command); while (response.AccountAliases?.length) { for (const alias of response.AccountAliases) { yield alias; } if (response.IsTruncated) { response = await client.send( new ListAccountAliasesCommand({ Marker: response.Marker, MaxItems: 5, }), ); } else { break; } } } ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-listing](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-listing)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListAccountAliases](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListAccountAliasesCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.listAccountAliases({ MaxItems: 10 }, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-listing](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-account-aliases.html#iam-examples-account-aliases-listing)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListAccountAliases](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListAccountAliases)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun listAliases() { IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.listAccountAliases(ListAccountAliasesRequest {}) response.accountAliases?.forEach { alias -> println("Retrieved account alias $alias") } } } ``` + 有关 API 的详细信息，请参阅适用[ListAccountAliases](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令返回 AWS 账户的账户别名。** ``` Get-IAMAccountAlias ``` **输出**： ``` ExampleCo ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListAccountAliases](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令返回 AWS 账户的账户别名。** ``` Get-IAMAccountAlias ``` **输出**： ``` ExampleCo ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListAccountAliases](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_aliases(): """ Gets the list of aliases for the current account. An account has at most one alias. :return: The list of aliases for the account. """ try: response = iam.meta.client.list_account_aliases() aliases = response["AccountAliases"] if len(aliases) > 0: logger.info("Got aliases for your account: %s.", ",".join(aliases)) else: logger.info("Got no aliases for your account.") except ClientError: logger.exception("Couldn't list aliases for your account.") raise else: return response["AccountAliases"] ``` + 有关 API 的详细信息，请参阅适用[ListAccountAliases](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAccountAliases)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出、创建和删除账户别名。 ``` class IAMAliasManager # Initializes the IAM client and logger # # @param iam_client [Aws::IAM::Client] An initialized IAM client. def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger end # Lists available AWS account aliases. def list_aliases response = @iam_client.list_account_aliases if response.account_aliases.count.positive? @logger.info('Account aliases are:') response.account_aliases.each { |account_alias| @logger.info(" #{account_alias}") } else @logger.info('No account aliases found.') end rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing account aliases: #{e.message}") end # Creates an AWS account alias. # # @param account_alias [String] The name of the account alias to create. # @return [Boolean] true if the account alias was created; otherwise, false. def create_account_alias(account_alias) @iam_client.create_account_alias(account_alias: account_alias) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating account alias: #{e.message}") false end # Deletes an AWS account alias. # # @param account_alias [String] The name of the account alias to delete. # @return [Boolean] true if the account alias was deleted; otherwise, false. def delete_account_alias(account_alias) @iam_client.delete_account_alias(account_alias: account_alias) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting account alias: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListAccountAliases](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListAccountAliases)*中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listaccountaliases( ). MESSAGE 'Retrieved account alias list.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing account aliases.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListAccountAliases](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `ListAttachedGroupPolicies` 与 CLI 配合使用以下代码示例演示如何使用 `ListAttachedGroupPolicies`。 ------ #### [ CLI ] **AWS CLI** **列出附加到指定组的所有托管策略** 此示例返回挂载到 AWS 账户中名为 `Admins` IAM 组的托管策略的名称和 ARNs 托管策略。 ``` aws iam list-attached-group-policies \ --group-name Admins ``` 输出： ``` { "AttachedPolicies": [ { "PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess" }, { "PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit" } ], "IsTruncated": false } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListAttachedGroupPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-attached-group-policies.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令返回挂载到 AWS 账户中名为 IAM 组的托管策略`Admins`的名称和 ARNs 托管策略。要查看组中嵌入的内联策略列表，请使用 `Get-IAMGroupPolicyList` 命令。** ``` Get-IAMAttachedGroupPolicyList -GroupName "Admins" ``` **输出**： ``` PolicyArn PolicyName --------- ---------- arn:aws:iam::aws:policy/SecurityAudit SecurityAudit arn:aws:iam::aws:policy/AdministratorAccess AdministratorAccess ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListAttachedGroupPolicies](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令返回挂载到 AWS 账户中名为 IAM 组的托管策略`Admins`的名称和 ARNs 托管策略。要查看组中嵌入的内联策略列表，请使用 `Get-IAMGroupPolicyList` 命令。** ``` Get-IAMAttachedGroupPolicyList -GroupName "Admins" ``` **输出**： ``` PolicyArn PolicyName --------- ---------- arn:aws:iam::aws:policy/SecurityAudit SecurityAudit arn:aws:iam::aws:policy/AdministratorAccess AdministratorAccess ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListAttachedGroupPolicies](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `ListAttachedRolePolicies`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListAttachedRolePolicies`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// List the IAM role policies that are attached to an IAM role. ///

/// The IAM role to list IAM policies for. /// A list of the IAM policies attached to the IAM role. public async Task> ListAttachedRolePoliciesAsync(string roleName) { var attachedPolicies = new List(); var attachedRolePoliciesPaginator = _IAMService.Paginators.ListAttachedRolePolicies(new ListAttachedRolePoliciesRequest { RoleName = roleName }); await foreach (var response in attachedRolePoliciesPaginator.Responses) { attachedPolicies.AddRange(response.AttachedPolicies); } return attachedPolicies; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListAttachedRolePolicies)*中的。 ------ #### [ CLI ] **AWS CLI** **列出附加到指定角色的所有托管策略** 此命令返回 AWS 账户中名为 IAM 角色的名称和 ARNs 关联`SecurityAuditRole`的托管策略。 ``` aws iam list-attached-role-policies \ --role-name SecurityAuditRole ``` 输出： ``` { "AttachedPolicies": [ { "PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit" } ], "IsTruncated": false } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListAttachedRolePolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-attached-role-policies.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // ListAttachedRolePolicies lists the policies that are attached to the specified role. func (wrapper RoleWrapper) ListAttachedRolePolicies(ctx context.Context, roleName string) ([]types.AttachedPolicy, error) { var policies []types.AttachedPolicy result, err := wrapper.IamClient.ListAttachedRolePolicies(ctx, &iam.ListAttachedRolePoliciesInput{ RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't list attached policies for role %v. Here's why: %v\n", roleName, err) } else { policies = result.AttachedPolicies } return policies, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListAttachedRolePolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListAttachedRolePolicies)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出附加到角色的策略。 ``` import { ListAttachedRolePoliciesCommand, IAMClient, } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. * @param {string} roleName */ export async function* listAttachedRolePolicies(roleName) { const command = new ListAttachedRolePoliciesCommand({ RoleName: roleName, }); let response = await client.send(command); while (response.AttachedPolicies?.length) { for (const policy of response.AttachedPolicies) { yield policy; } if (response.IsTruncated) { response = await client.send( new ListAttachedRolePoliciesCommand({ RoleName: roleName, Marker: response.Marker, }), ); } else { break; } } } ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListAttachedRolePolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListAttachedRolePoliciesCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function listAttachedRolePolicies($roleName, $pathPrefix = "", $marker = "", $maxItems = 0) { $listAttachRolePoliciesArguments = ['RoleName' => $roleName]; if ($pathPrefix) { $listAttachRolePoliciesArguments['PathPrefix'] = $pathPrefix; } if ($marker) { $listAttachRolePoliciesArguments['Marker'] = $marker; } if ($maxItems) { $listAttachRolePoliciesArguments['MaxItems'] = $maxItems; } return $this->iamClient->listAttachedRolePolicies($listAttachRolePoliciesArguments); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListAttachedRolePolicies)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令返回 AWS 账户中名为 IAM 角色的名称和 ARNs 关联`SecurityAuditRole`的托管策略。要查看嵌入在角色中的内联策略的列表，请使用 `Get-IAMRolePolicyList` 命令。** ``` Get-IAMAttachedRolePolicyList -RoleName "SecurityAuditRole" ``` **输出**： ``` PolicyArn PolicyName --------- ---------- arn:aws:iam::aws:policy/SecurityAudit SecurityAudit ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListAttachedRolePolicies](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令返回 AWS 账户中名为 IAM 角色的名称和 ARNs 关联`SecurityAuditRole`的托管策略。要查看嵌入在角色中的内联策略的列表，请使用 `Get-IAMRolePolicyList` 命令。** ``` Get-IAMAttachedRolePolicyList -RoleName "SecurityAuditRole" ``` **输出**： ``` PolicyArn PolicyName --------- ---------- arn:aws:iam::aws:policy/SecurityAudit SecurityAudit ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListAttachedRolePolicies](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_attached_policies(role_name): """ Lists policies attached to a role. :param role_name: The name of the role to query. """ try: role = iam.Role(role_name) for policy in role.attached_policies.all(): logger.info("Got policy %s.", policy.arn) except ClientError: logger.exception("Couldn't list attached policies for %s.", role_name) raise ``` + 有关 API 的详细信息，请参阅适用[ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAttachedRolePolicies)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、附加和分离角色策略。 ``` # Manages policies in AWS Identity and Access Management (IAM) class RolePolicyManager # Initialize with an AWS IAM client # # @param iam_client [Aws::IAM::Client] An initialized IAM client def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'PolicyManager' end # Creates a policy # # @param policy_name [String] The name of the policy # @param policy_document [Hash] The policy document # @return [String] The policy ARN if successful, otherwise nil def create_policy(policy_name, policy_document) response = @iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) response.policy.arn rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating policy: #{e.message}") nil end # Fetches an IAM policy by its ARN # @param policy_arn [String] the ARN of the IAM policy to retrieve # @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found def get_policy(policy_arn) response = @iam_client.get_policy(policy_arn: policy_arn) policy = response.policy @logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.") policy rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.") raise rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}") raise end # Attaches a policy to a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def attach_policy_to_role(role_name, policy_arn) @iam_client.attach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error attaching policy to role: #{e.message}") false end # Lists policy ARNs attached to a role # # @param role_name [String] The name of the role # @return [Array] List of policy ARNs def list_attached_policy_arns(role_name) response = @iam_client.list_attached_role_policies(role_name: role_name) response.attached_policies.map(&:policy_arn) rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing policies attached to role: #{e.message}") [] end # Detaches a policy from a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def detach_policy_from_role(role_name, policy_arn) @iam_client.detach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error detaching policy from role: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListAttachedRolePolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListAttachedRolePolicies)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn list_attached_role_policies( client: &iamClient, role_name: String, path_prefix: Option, marker: Option, max_items: Option, ) -> Result> { let response = client .list_attached_role_policies() .role_name(role_name) .set_path_prefix(path_prefix) .set_marker(marker) .set_max_items(max_items) .send() .await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[ListAttachedRolePolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_attached_role_policies)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listattachedrolepolicies( iv_rolename = iv_role_name ). MESSAGE 'Retrieved attached policy list for role.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Role does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListAttachedRolePolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 /// Returns a list of AWS Identity and Access Management (IAM) policies /// that are attached to the role. /// /// - Parameter role: The IAM role to return the policy list for. /// /// - Returns: An array of `IAMClientTypes.AttachedPolicy` objects /// describing each managed policy that's attached to the role. public func listAttachedRolePolicies(role: String) async throws -> [IAMClientTypes.AttachedPolicy] { var policyList: [IAMClientTypes.AttachedPolicy] = [] // Use "Paginated" to get all the attached role polices. // This lets the SDK handle the 'isTruncated' in "ListAttachedRolePoliciesOutput". let input = ListAttachedRolePoliciesInput( roleName: role ) let output = client.listAttachedRolePoliciesPaginated(input: input) do { for try await page in output { guard let attachedPolicies = page.attachedPolicies else { print("Error: no attached policies returned.") continue } for attachedPolicy in attachedPolicies { policyList.append(attachedPolicy) } } } catch { print("ERROR: listAttachedRolePolicies:", dump(error)) throw error } return policyList } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[ListAttachedRolePolicies](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listattachedrolepolicies(input:))*中。 ------ # 将 `ListAttachedUserPolicies` 与 CLI 配合使用以下代码示例演示如何使用 `ListAttachedUserPolicies`。 ------ #### [ CLI ] **AWS CLI** **列出附加到指定用户的所有托管策略** 此命令返回 AWS 账户中指定 ARNs 的 IAM 用户的名称`Bob`和托管策略。 ``` aws iam list-attached-user-policies \ --user-name Bob ``` 输出： ``` { "AttachedPolicies": [ { "PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess" }, { "PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit" } ], "IsTruncated": false } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListAttachedUserPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-attached-user-policies.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此命令返回 AWS 账户`Bob`中名为 IAM 用户的名称和 ARNs 托管策略。要查看嵌入在 IAM 用户中的内联策略的列表，请使用 `Get-IAMUserPolicyList` 命令。** ``` Get-IAMAttachedUserPolicyList -UserName "Bob" ``` **输出**： ``` PolicyArn PolicyName --------- ---------- arn:aws:iam::aws:policy/TesterPolicy TesterPolicy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListAttachedUserPolicies](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此命令返回 AWS 账户`Bob`中名为 IAM 用户的名称和 ARNs 托管策略。要查看嵌入在 IAM 用户中的内联策略的列表，请使用 `Get-IAMUserPolicyList` 命令。** ``` Get-IAMAttachedUserPolicyList -UserName "Bob" ``` **输出**： ``` PolicyArn PolicyName --------- ---------- arn:aws:iam::aws:policy/TesterPolicy TesterPolicy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListAttachedUserPolicies](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ListEntitiesForPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `ListEntitiesForPolicy`。 ------ #### [ CLI ] **AWS CLI** **列出指定托管策略所附加到的所有用户、组和角色** 此示例返回附加了策略 `arn:aws:iam::123456789012:policy/TestPolicy` 的 IAM 组、角色和用户的列表。 ``` aws iam list-entities-for-policy \ --policy-arn arn:aws:iam::123456789012:policy/TestPolicy ``` 输出： ``` { "PolicyGroups": [ { "GroupName": "Admins", "GroupId": "AGPACKCEVSQ6C2EXAMPLE" } ], "PolicyUsers": [ { "UserName": "Alice", "UserId": "AIDACKCEVSQ6C2EXAMPLE" } ], "PolicyRoles": [ { "RoleName": "DevRole", "RoleId": "AROADBQP57FF2AEXAMPLE" } ], "IsTruncated": false } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListEntitiesForPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-entities-for-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回附加了策略 `arn:aws:iam::123456789012:policy/TestPolicy` 的 IAM 组、角色和用户的列表。** ``` Get-IAMEntitiesForPolicy -PolicyArn "arn:aws:iam::123456789012:policy/TestPolicy" ``` **输出**： ``` IsTruncated : False Marker : PolicyGroups : {} PolicyRoles : {testRole} PolicyUsers : {Bob, Theresa} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListEntitiesForPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回附加了策略 `arn:aws:iam::123456789012:policy/TestPolicy` 的 IAM 组、角色和用户的列表。** ``` Get-IAMEntitiesForPolicy -PolicyArn "arn:aws:iam::123456789012:policy/TestPolicy" ``` **输出**： ``` IsTruncated : False Marker : PolicyGroups : {} PolicyRoles : {testRole} PolicyUsers : {Bob, Theresa} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListEntitiesForPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ListGroupPolicies` 与 CLI 配合使用以下代码示例演示如何使用 `ListGroupPolicies`。 ------ #### [ CLI ] **AWS CLI** **列出附加到指定组的所有内联策略** 以下 `list-group-policies` 命令列出附加到当前文档中名为 `Admins` 的 IAM 组的内联策略名称。 ``` aws iam list-group-policies \ --group-name Admins ``` 输出： ``` { "PolicyNames": [ "AdminRoot", "ExamplePolicy" ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListGroupPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-group-policies.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：返回嵌入组 `Testers` 中的内联策略的列表。要获取附加到该组的托管策略，请使用命令 `Get-IAMAttachedGroupPolicyList`。** ``` Get-IAMGroupPolicyList -GroupName Testers ``` **输出**： ``` Deny-Assume-S3-Role-In-Production PowerUserAccess-Testers ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListGroupPolicies](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：返回嵌入组 `Testers` 中的内联策略的列表。要获取附加到该组的托管策略，请使用命令 `Get-IAMAttachedGroupPolicyList`。** ``` Get-IAMGroupPolicyList -GroupName Testers ``` **输出**： ``` Deny-Assume-S3-Role-In-Production PowerUserAccess-Testers ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListGroupPolicies](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `ListGroups`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListGroups`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// List IAM groups. ///

/// A list of IAM groups. public async Task> ListGroupsAsync() { var groupsPaginator = _IAMService.Paginators.ListGroups(new ListGroupsRequest()); var groups = new List(); await foreach (var response in groupsPaginator.Responses) { groups.AddRange(response.Groups); } return groups; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[ListGroups](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListGroups)*中的。 ------ #### [ CLI ] **AWS CLI** **列出当前账户的 IAM 组** 以下 `list-groups` 命令将列出当前账户中的 IAM 组。 ``` aws iam list-groups ``` 输出： ``` { "Groups": [ { "Path": "/", "CreateDate": "2013-06-04T20:27:27.972Z", "GroupId": "AIDACKCEVSQ6C2EXAMPLE", "Arn": "arn:aws:iam::123456789012:group/Admins", "GroupName": "Admins" }, { "Path": "/", "CreateDate": "2013-04-16T20:30:42Z", "GroupId": "AIDGPMS9RO4H3FEXAMPLE", "Arn": "arn:aws:iam::123456789012:group/S3-Admins", "GroupName": "S3-Admins" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListGroups](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-groups.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // GroupWrapper encapsulates AWS Identity and Access Management (IAM) group actions // used in the examples. // It contains an IAM service client that is used to perform group actions. type GroupWrapper struct { IamClient *iam.Client } // ListGroups lists up to maxGroups number of groups. func (wrapper GroupWrapper) ListGroups(ctx context.Context, maxGroups int32) ([]types.Group, error) { var groups []types.Group result, err := wrapper.IamClient.ListGroups(ctx, &iam.ListGroupsInput{ MaxItems: aws.Int32(maxGroups), }) if err != nil { log.Printf("Couldn't list groups. Here's why: %v\n", err) } else { groups = result.Groups } return groups, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListGroups](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListGroups)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出组。 ``` import { ListGroupsCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. */ export async function* listGroups() { const command = new ListGroupsCommand({ MaxItems: 10, }); let response = await client.send(command); while (response.Groups?.length) { for (const group of response.Groups) { yield group; } if (response.IsTruncated) { response = await client.send( new ListGroupsCommand({ Marker: response.Marker, MaxItems: 10, }), ); } else { break; } } } ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListGroups](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListGroupsCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function listGroups($pathPrefix = "", $marker = "", $maxItems = 0) { $listGroupsArguments = []; if ($pathPrefix) { $listGroupsArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listGroupsArguments["Marker"] = $marker; } if ($maxItems) { $listGroupsArguments["MaxItems"] = $maxItems; } return $this->iamClient->listGroups($listGroupsArguments); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[ListGroups](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListGroups)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回当前中定义的所有 IAM 组的集合 AWS 账户。** ``` Get-IAMGroupList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Administrators CreateDate : 10/20/2014 10:06:24 AM GroupId : 6WCH4TRY3KIHIEXAMPLE1 GroupName : Administrators Path : / Arn : arn:aws:iam::123456789012:group/Developers CreateDate : 12/10/2014 3:38:55 PM GroupId : ZU2EOWMK6WBZOEXAMPLE2 GroupName : Developers Path : / Arn : arn:aws:iam::123456789012:group/Testers CreateDate : 12/10/2014 3:39:11 PM GroupId : RHNZZGQJ7QHMAEXAMPLE3 GroupName : Testers Path : / ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListGroups](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回当前中定义的所有 IAM 组的集合 AWS 账户。** ``` Get-IAMGroupList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Administrators CreateDate : 10/20/2014 10:06:24 AM GroupId : 6WCH4TRY3KIHIEXAMPLE1 GroupName : Administrators Path : / Arn : arn:aws:iam::123456789012:group/Developers CreateDate : 12/10/2014 3:38:55 PM GroupId : ZU2EOWMK6WBZOEXAMPLE2 GroupName : Developers Path : / Arn : arn:aws:iam::123456789012:group/Testers CreateDate : 12/10/2014 3:39:11 PM GroupId : RHNZZGQJ7QHMAEXAMPLE3 GroupName : Testers Path : / ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListGroups](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_groups(count): """ Lists the specified number of groups for the account. :param count: The number of groups to list. """ try: for group in iam.groups.limit(count): logger.info("Group: %s", group.name) except ClientError: logger.exception("Couldn't list groups for the account.") raise ``` + 有关 API 的详细信息，请参阅适用[ListGroups](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListGroups)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # A class to manage IAM operations via the AWS SDK client class IamGroupManager # Initializes the IamGroupManager class # @param iam_client [Aws::IAM::Client] An instance of the IAM client def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger end # Lists up to a specified number of groups for the account. # @param count [Integer] The maximum number of groups to list. # @return [Aws::IAM::Client::Response] def list_groups(count) response = @iam_client.list_groups(max_items: count) response.groups.each do |group| @logger.info("\t#{group.group_name}") end response rescue Aws::Errors::ServiceError => e @logger.error("Couldn't list groups for the account. Here's why:") @logger.error("\t#{e.code}: #{e.message}") raise end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListGroups](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListGroups)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn list_groups( client: &iamClient, path_prefix: Option, marker: Option, max_items: Option, ) -> Result> { let response = client .list_groups() .set_path_prefix(path_prefix) .set_marker(marker) .set_max_items(max_items) .send() .await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[ListGroups](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_groups)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listgroups( ). MESSAGE 'Retrieved group list.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing groups.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListGroups](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func listGroups() async throws -> [String] { var groupList: [String] = [] // Use "Paginated" to get all the groups. // This lets the SDK handle the 'isTruncated' property in "ListGroupsOutput". let input = ListGroupsInput() let pages = client.listGroupsPaginated(input: input) do { for try await page in pages { guard let groups = page.groups else { print("Error: no groups returned.") continue } for group in groups { if let name = group.groupName { groupList.append(name) } } } } catch { print("ERROR: listGroups:", dump(error)) throw error } return groupList } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[ListGroups](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listgroups(input:))*中。 ------ # 将 `ListGroupsForUser` 与 CLI 配合使用以下代码示例演示如何使用 `ListGroupsForUser`。 ------ #### [ CLI ] **AWS CLI** **列出 IAM 用户所属的组** 以下 `list-groups-for-user` 命令显示名为 `Bob` 的 IAM 用户所属的组。 ``` aws iam list-groups-for-user \ --user-name Bob ``` 输出： ``` { "Groups": [ { "Path": "/", "CreateDate": "2013-05-06T01:18:08Z", "GroupId": "AKIAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::123456789012:group/Admin", "GroupName": "Admin" }, { "Path": "/", "CreateDate": "2013-05-06T01:37:28Z", "GroupId": "AKIAI44QH8DHBEXAMPLE", "Arn": "arn:aws:iam::123456789012:group/s3-Users", "GroupName": "s3-Users" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListGroupsForUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-groups-for-user.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回 IAM 用户 `David` 所属的 IAM 组列表。** ``` Get-IAMGroupForUser -UserName David ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Administrators CreateDate : 10/20/2014 10:06:24 AM GroupId : 6WCH4TRY3KIHIEXAMPLE1 GroupName : Administrators Path : / Arn : arn:aws:iam::123456789012:group/Testers CreateDate : 12/10/2014 3:39:11 PM GroupId : RHNZZGQJ7QHMAEXAMPLE2 GroupName : Testers Path : / Arn : arn:aws:iam::123456789012:group/Developers CreateDate : 12/10/2014 3:38:55 PM GroupId : ZU2EOWMK6WBZOEXAMPLE3 GroupName : Developers Path : / ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListGroupsForUser](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回 IAM 用户 `David` 所属的 IAM 组列表。** ``` Get-IAMGroupForUser -UserName David ``` **输出**： ``` Arn : arn:aws:iam::123456789012:group/Administrators CreateDate : 10/20/2014 10:06:24 AM GroupId : 6WCH4TRY3KIHIEXAMPLE1 GroupName : Administrators Path : / Arn : arn:aws:iam::123456789012:group/Testers CreateDate : 12/10/2014 3:39:11 PM GroupId : RHNZZGQJ7QHMAEXAMPLE2 GroupName : Testers Path : / Arn : arn:aws:iam::123456789012:group/Developers CreateDate : 12/10/2014 3:38:55 PM GroupId : ZU2EOWMK6WBZOEXAMPLE3 GroupName : Developers Path : / ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListGroupsForUser](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ListInstanceProfiles` 与 CLI 配合使用以下代码示例演示如何使用 `ListInstanceProfiles`。 ------ #### [ CLI ] **AWS CLI** **列出账户的实例配置文件** 以下 `list-instance-profiles` 命令列出与当前账户关联的实例配置文件。 ``` aws iam list-instance-profiles ``` 输出： ``` { "InstanceProfiles": [ { "Path": "/", "InstanceProfileName": "example-dev-role", "InstanceProfileId": "AIPAIXEU4NUHUPEXAMPLE", "Arn": "arn:aws:iam::123456789012:instance-profile/example-dev-role", "CreateDate": "2023-09-21T18:17:41+00:00", "Roles": [ { "Path": "/", "RoleName": "example-dev-role", "RoleId": "AROAJ52OTH4H7LEXAMPLE", "Arn": "arn:aws:iam::123456789012:role/example-dev-role", "CreateDate": "2023-09-21T18:17:40+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } } ] }, { "Path": "/", "InstanceProfileName": "example-s3-role", "InstanceProfileId": "AIPAJVJVNRIQFREXAMPLE", "Arn": "arn:aws:iam::123456789012:instance-profile/example-s3-role", "CreateDate": "2023-09-21T18:18:50+00:00", "Roles": [ { "Path": "/", "RoleName": "example-s3-role", "RoleId": "AROAINUBC5O7XLEXAMPLE", "Arn": "arn:aws:iam::123456789012:role/example-s3-role", "CreateDate": "2023-09-21T18:18:49+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } } ] } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用实例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListInstanceProfiles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-instance-profiles.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回当前中定义的实例配置文件的集合 AWS 账户。** ``` Get-IAMInstanceProfileList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole CreateDate : 2/17/2015 2:49:04 PM InstanceProfileId : HH36PTZQJUR32EXAMPLE1 InstanceProfileName : ec2instancerole Path : / Roles : {ec2instancerole} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListInstanceProfiles](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回当前中定义的实例配置文件的集合 AWS 账户。** ``` Get-IAMInstanceProfileList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole CreateDate : 2/17/2015 2:49:04 PM InstanceProfileId : HH36PTZQJUR32EXAMPLE1 InstanceProfileName : ec2instancerole Path : / Roles : {ec2instancerole} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListInstanceProfiles](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ListInstanceProfilesForRole` 与 CLI 配合使用以下代码示例演示如何使用 `ListInstanceProfilesForRole`。 ------ #### [ CLI ] **AWS CLI** **列出 IAM 角色的实例配置文件** 以下 `list-instance-profiles-for-role` 命令列出了中与角色 `Test-Role` 关联的实例配置文件。 ``` aws iam list-instance-profiles-for-role \ --role-name Test-Role ``` 输出： ``` { "InstanceProfiles": [ { "InstanceProfileId": "AIDGPMS9RO4H3FEXAMPLE", "Roles": [ { "AssumeRolePolicyDocument": "", "RoleId": "AIDACKCEVSQ6C2EXAMPLE", "CreateDate": "2013-06-07T20:42:15Z", "RoleName": "Test-Role", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/Test-Role" } ], "CreateDate": "2013-06-07T21:05:24Z", "InstanceProfileName": "ExampleInstanceProfile", "Path": "/", "Arn": "arn:aws:iam::123456789012:instance-profile/ExampleInstanceProfile" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用实例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListInstanceProfilesForRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-instance-profiles-for-role.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回与角色 `ec2instancerole` 关联的实例配置文件的详细信息。** ``` Get-IAMInstanceProfileForRole -RoleName ec2instancerole ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole CreateDate : 2/17/2015 2:49:04 PM InstanceProfileId : HH36PTZQJUR32EXAMPLE1 InstanceProfileName : ec2instancerole Path : / Roles : {ec2instancerole} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListInstanceProfilesForRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回与角色 `ec2instancerole` 关联的实例配置文件的详细信息。** ``` Get-IAMInstanceProfileForRole -RoleName ec2instancerole ``` **输出**： ``` Arn : arn:aws:iam::123456789012:instance-profile/ec2instancerole CreateDate : 2/17/2015 2:49:04 PM InstanceProfileId : HH36PTZQJUR32EXAMPLE1 InstanceProfileName : ec2instancerole Path : / Roles : {ec2instancerole} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListInstanceProfilesForRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ListMfaDevices` 与 CLI 配合使用以下代码示例演示如何使用 `ListMfaDevices`。 ------ #### [ CLI ] **AWS CLI** **列出指定用户的所有 MFA 设备** 此示例返回有关分配给 IAM 用户 `Bob` 的 MFA 设备的详细信息。 ``` aws iam list-mfa-devices \ --user-name Bob ``` 输出： ``` { "MFADevices": [ { "UserName": "Bob", "SerialNumber": "arn:aws:iam::123456789012:mfa/Bob", "EnableDate": "2019-10-28T20:37:09+00:00" }, { "UserName": "Bob", "SerialNumber": "GAKT12345678", "EnableDate": "2023-02-18T21:44:42+00:00" }, { "UserName": "Bob", "SerialNumber": "arn:aws:iam::123456789012:u2f/user/Bob/fidosecuritykey1-7XNL7NFNLZ123456789EXAMPLE", "EnableDate": "2023-09-19T02:25:35+00:00" }, { "UserName": "Bob", "SerialNumber": "arn:aws:iam::123456789012:u2f/user/Bob/fidosecuritykey2-VDRQTDBBN5123456789EXAMPLE", "EnableDate": "2023-09-19T01:49:18+00:00" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 AWS中使用多重身份验证（MFA）](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListMfaDevices](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-mfa-devices.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回有关分配给 IAM 用户 `David` 的 MFA 设备的详细信息。在此示例中，您可以看出它是虚拟设备，因为 `SerialNumber` 是 ARN，而不是物理设备的实际序列号。** ``` Get-IAMMFADevice -UserName David ``` **输出**： ``` EnableDate SerialNumber UserName ---------- ------------ -------- 4/8/2015 9:41:10 AM arn:aws:iam::123456789012:mfa/David David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListMfaDevices](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回有关分配给 IAM 用户 `David` 的 MFA 设备的详细信息。在此示例中，您可以看出它是虚拟设备，因为 `SerialNumber` 是 ARN，而不是物理设备的实际序列号。** ``` Get-IAMMFADevice -UserName David ``` **输出**： ``` EnableDate SerialNumber UserName ---------- ------------ -------- 4/8/2015 9:41:10 AM arn:aws:iam::123456789012:mfa/David David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListMfaDevices](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ListOpenIdConnectProviders` 与 CLI 配合使用以下代码示例演示如何使用 `ListOpenIdConnectProviders`。 ------ #### [ CLI ] **AWS CLI** **列出账户中 OpenID Connect 提供商的相关信息 AWS ** 此示例返回当前账户中定义的所有 OpenID Connect 提供商的 ARN 列表。 AWS ``` aws iam list-open-id-connect-providers ``` 输出： ``` { "OpenIDConnectProviderList": [ { "Arn": "arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 OpenID Connect（OIDC）身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListOpenIdConnectProviders](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-open-id-connect-providers.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回当前 AWS 账户账户中定义的所有 OpenID Connect 提供者的 ARN 列表。** ``` Get-IAMOpenIDConnectProviderList ``` **输出**： ``` Arn --- arn:aws:iam::123456789012:oidc-provider/server.example.com arn:aws:iam::123456789012:oidc-provider/another.provider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListOpenIdConnectProviders](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回当前 AWS 账户账户中定义的所有 OpenID Connect 提供者的 ARN 列表。** ``` Get-IAMOpenIDConnectProviderList ``` **输出**： ``` Arn --- arn:aws:iam::123456789012:oidc-provider/server.example.com arn:aws:iam::123456789012:oidc-provider/another.provider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListOpenIdConnectProviders](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `ListPolicies`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListPolicies`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// List IAM policies. ///

/// A list of the IAM policies. public async Task> ListPoliciesAsync() { var listPoliciesPaginator = _IAMService.Paginators.ListPolicies(new ListPoliciesRequest()); var policies = new List(); await foreach (var response in listPoliciesPaginator.Responses) { policies.AddRange(response.Policies); } return policies; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::listPolicies(const Aws::Client::ClientConfiguration &clientConfig) { const Aws::String DATE_FORMAT("%Y-%m-%d"); Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::ListPoliciesRequest request; bool done = false; bool header = false; while (!done) { auto outcome = iam.ListPolicies(request); if (!outcome.IsSuccess()) { std::cerr << "Failed to list iam policies: " << outcome.GetError().GetMessage() << std::endl; return false; } if (!header) { std::cout << std::left << std::setw(55) << "Name" << std::setw(30) << "ID" << std::setw(80) << "Arn" << std::setw(64) << "Description" << std::setw(12) << "CreateDate" << std::endl; header = true; } const auto &policies = outcome.GetResult().GetPolicies(); for (const auto &policy: policies) { std::cout << std::left << std::setw(55) << policy.GetPolicyName() << std::setw(30) << policy.GetPolicyId() << std::setw(80) << policy.GetArn() << std::setw(64) << policy.GetDescription() << std::setw(12) << policy.GetCreateDate().ToGmtString(DATE_FORMAT.c_str()) << std::endl; } if (outcome.GetResult().GetIsTruncated()) { request.SetMarker(outcome.GetResult().GetMarker()); } else { done = true; } } return true; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ CLI ] **AWS CLI** **列出您的 AWS 账户可用的托管政策** 此示例返回当前 AWS 账户中可用的前两个托管策略的集合。 ``` aws iam list-policies \ --max-items 3 ``` 输出： ``` { "Policies": [ { "PolicyName": "AWSCloudTrailAccessPolicy", "PolicyId": "ANPAXQE2B5PJ7YEXAMPLE", "Arn": "arn:aws:iam::123456789012:policy/AWSCloudTrailAccessPolicy", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 0, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "CreateDate": "2019-09-04T17:43:42+00:00", "UpdateDate": "2019-09-04T17:43:42+00:00" }, { "PolicyName": "AdministratorAccess", "PolicyId": "ANPAIWMBCKSKIEE64ZLYK", "Arn": "arn:aws:iam::aws:policy/AdministratorAccess", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 6, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "CreateDate": "2015-02-06T18:39:46+00:00", "UpdateDate": "2015-02-06T18:39:46+00:00" }, { "PolicyName": "PowerUserAccess", "PolicyId": "ANPAJYRXTHIB4FOVS3ZXS", "Arn": "arn:aws:iam::aws:policy/PowerUserAccess", "Path": "/", "DefaultVersionId": "v5", "AttachmentCount": 1, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "CreateDate": "2015-02-06T18:39:47+00:00", "UpdateDate": "2023-07-06T22:04:00+00:00" } ], "NextToken": "EXAMPLErZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiA4fQ==" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-policies.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions // used in the examples. // It contains an IAM service client that is used to perform policy actions. type PolicyWrapper struct { IamClient *iam.Client } // ListPolicies gets up to maxPolicies policies. func (wrapper PolicyWrapper) ListPolicies(ctx context.Context, maxPolicies int32) ([]types.Policy, error) { var policies []types.Policy result, err := wrapper.IamClient.ListPolicies(ctx, &iam.ListPoliciesInput{ MaxItems: aws.Int32(maxPolicies), }) if err != nil { log.Printf("Couldn't list policies. Here's why: %v\n", err) } else { policies = result.Policies } return policies, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListPolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListPolicies)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出策略。 ``` import { ListPoliciesCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. * */ export async function* listPolicies() { const command = new ListPoliciesCommand({ MaxItems: 10, OnlyAttached: false, // List only the customer managed policies in your Amazon Web Services account. Scope: "Local", }); let response = await client.send(command); while (response.Policies?.length) { for (const policy of response.Policies) { yield policy; } if (response.IsTruncated) { response = await client.send( new ListPoliciesCommand({ Marker: response.Marker, MaxItems: 10, OnlyAttached: false, Scope: "Local", }), ); } else { break; } } } ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListPoliciesCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function listPolicies($pathPrefix = "", $marker = "", $maxItems = 0) { $listPoliciesArguments = []; if ($pathPrefix) { $listPoliciesArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listPoliciesArguments["Marker"] = $marker; } if ($maxItems) { $listPoliciesArguments["MaxItems"] = $maxItems; } return $this->iamClient->listPolicies($listPoliciesArguments); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回当前 AWS 账户中可用的前三个托管策略的集合。由于`-scope`未指定，因此它默认为`all`并包括 AWS 托管策略和客户托管策略。** ``` Get-IAMPolicyList -MaxItem 3 ``` **输出**： ``` Arn : arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess AttachmentCount : 0 CreateDate : 2/6/2015 10:40:08 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : Z27SI6FQMGNQ2EXAMPLE1 PolicyName : AWSDirectConnectReadOnlyAccess UpdateDate : 2/6/2015 10:40:08 AM Arn : arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess AttachmentCount : 0 CreateDate : 2/6/2015 10:40:27 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : NJKMU274MET4EEXAMPLE2 PolicyName : AmazonGlacierReadOnlyAccess UpdateDate : 2/6/2015 10:40:27 AM Arn : arn:aws:iam::aws:policy/AWSMarketplaceFullAccess AttachmentCount : 0 CreateDate : 2/11/2015 9:21:45 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : 5ULJSO2FYVPYGEXAMPLE3 PolicyName : AWSMarketplaceFullAccess UpdateDate : 2/11/2015 9:21:45 AM ``` **示例 2：此示例返回当前 AWS 账户中可用的前两个客户托管保单的集合。其使用 `-Scope local` 将输出限制为仅限客户管理型策略。** ``` Get-IAMPolicyList -Scope local -MaxItem 2 ``` **输出**： ``` Arn : arn:aws:iam::123456789012:policy/MyLocalPolicy AttachmentCount : 0 CreateDate : 2/12/2015 9:39:09 AM DefaultVersionId : v2 Description : IsAttachable : True Path : / PolicyId : SQVCBLC4VAOUCEXAMPLE4 PolicyName : MyLocalPolicy UpdateDate : 2/12/2015 9:39:53 AM Arn : arn:aws:iam::123456789012:policy/policyforec2instancerole AttachmentCount : 1 CreateDate : 2/17/2015 2:51:38 PM DefaultVersionId : v11 Description : IsAttachable : True Path : / PolicyId : X5JPBLJH2Z2SOEXAMPLE5 PolicyName : policyforec2instancerole UpdateDate : 2/18/2015 8:52:31 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListPolicies](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回当前 AWS 账户中可用的前三个托管策略的集合。由于`-scope`未指定，因此它默认为`all`并包括 AWS 托管策略和客户托管策略。** ``` Get-IAMPolicyList -MaxItem 3 ``` **输出**： ``` Arn : arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess AttachmentCount : 0 CreateDate : 2/6/2015 10:40:08 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : Z27SI6FQMGNQ2EXAMPLE1 PolicyName : AWSDirectConnectReadOnlyAccess UpdateDate : 2/6/2015 10:40:08 AM Arn : arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess AttachmentCount : 0 CreateDate : 2/6/2015 10:40:27 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : NJKMU274MET4EEXAMPLE2 PolicyName : AmazonGlacierReadOnlyAccess UpdateDate : 2/6/2015 10:40:27 AM Arn : arn:aws:iam::aws:policy/AWSMarketplaceFullAccess AttachmentCount : 0 CreateDate : 2/11/2015 9:21:45 AM DefaultVersionId : v1 Description : IsAttachable : True Path : / PolicyId : 5ULJSO2FYVPYGEXAMPLE3 PolicyName : AWSMarketplaceFullAccess UpdateDate : 2/11/2015 9:21:45 AM ``` **示例 2：此示例返回当前 AWS 账户中可用的前两个客户托管保单的集合。其使用 `-Scope local` 将输出限制为仅限客户管理型策略。** ``` Get-IAMPolicyList -Scope local -MaxItem 2 ``` **输出**： ``` Arn : arn:aws:iam::123456789012:policy/MyLocalPolicy AttachmentCount : 0 CreateDate : 2/12/2015 9:39:09 AM DefaultVersionId : v2 Description : IsAttachable : True Path : / PolicyId : SQVCBLC4VAOUCEXAMPLE4 PolicyName : MyLocalPolicy UpdateDate : 2/12/2015 9:39:53 AM Arn : arn:aws:iam::123456789012:policy/policyforec2instancerole AttachmentCount : 1 CreateDate : 2/17/2015 2:51:38 PM DefaultVersionId : v11 Description : IsAttachable : True Path : / PolicyId : X5JPBLJH2Z2SOEXAMPLE5 PolicyName : policyforec2instancerole UpdateDate : 2/18/2015 8:52:31 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListPolicies](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_policies(scope): """ Lists the policies in the current account. :param scope: Limits the kinds of policies that are returned. For example, 'Local' specifies that only locally managed policies are returned. :return: The list of policies. """ try: policies = list(iam.policies.filter(Scope=scope)) logger.info("Got %s policies in scope '%s'.", len(policies), scope) except ClientError: logger.exception("Couldn't get policies for scope '%s'.", scope) raise else: return policies ``` + 有关 API 的详细信息，请参阅适用[ListPolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListPolicies)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。此示例模块会列出、创建、附加和分离角色策略。 ``` # Manages policies in AWS Identity and Access Management (IAM) class RolePolicyManager # Initialize with an AWS IAM client # # @param iam_client [Aws::IAM::Client] An initialized IAM client def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'PolicyManager' end # Creates a policy # # @param policy_name [String] The name of the policy # @param policy_document [Hash] The policy document # @return [String] The policy ARN if successful, otherwise nil def create_policy(policy_name, policy_document) response = @iam_client.create_policy( policy_name: policy_name, policy_document: policy_document.to_json ) response.policy.arn rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error creating policy: #{e.message}") nil end # Fetches an IAM policy by its ARN # @param policy_arn [String] the ARN of the IAM policy to retrieve # @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found def get_policy(policy_arn) response = @iam_client.get_policy(policy_arn: policy_arn) policy = response.policy @logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.") policy rescue Aws::IAM::Errors::NoSuchEntity @logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.") raise rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}") raise end # Attaches a policy to a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def attach_policy_to_role(role_name, policy_arn) @iam_client.attach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error attaching policy to role: #{e.message}") false end # Lists policy ARNs attached to a role # # @param role_name [String] The name of the role # @return [Array] List of policy ARNs def list_attached_policy_arns(role_name) response = @iam_client.list_attached_role_policies(role_name: role_name) response.attached_policies.map(&:policy_arn) rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing policies attached to role: #{e.message}") [] end # Detaches a policy from a role # # @param role_name [String] The name of the role # @param policy_arn [String] The policy ARN # @return [Boolean] true if successful, false otherwise def detach_policy_from_role(role_name, policy_arn) @iam_client.detach_role_policy( role_name: role_name, policy_arn: policy_arn ) true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error detaching policy from role: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListPolicies)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn list_policies( client: iamClient, path_prefix: String, ) -> Result, SdkError> { let list_policies = client .list_policies() .path_prefix(path_prefix) .scope(PolicyScopeType::Local) .into_paginator() .items() .send() .try_collect() .await?; let policy_names = list_policies .into_iter() .map(|p| { let name = p .policy_name .unwrap_or_else(|| "Missing Policy Name".to_string()); println!("{}", name); name }) .collect(); Ok(policy_names) } ``` + 有关 API 的详细信息，请参阅适用[ListPolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_policies)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listpolicies( iv_scope = iv_scope ). MESSAGE 'Retrieved policy list.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing policies.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListPolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func listPolicies() async throws -> [MyPolicyRecord] { var policyList: [MyPolicyRecord] = [] // Use "Paginated" to get all the policies. // This lets the SDK handle the 'isTruncated' in "ListPoliciesOutput". let input = ListPoliciesInput() let output = client.listPoliciesPaginated(input: input) do { for try await page in output { guard let policies = page.policies else { print("Error: no policies returned.") continue } for policy in policies { guard let name = policy.policyName, let id = policy.policyId, let arn = policy.arn else { throw ServiceHandlerError.noSuchPolicy } policyList.append(MyPolicyRecord(name: name, id: id, arn: arn)) } } } catch { print("ERROR: listPolicies:", dump(error)) throw error } return policyList } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[ListPolicies](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listpolicies(input:))*中。 ------ # `ListPolicyVersions`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListPolicyVersions`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) + [回滚策略版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md) ------ #### [ CLI ] **AWS CLI** **列出有关指定托管策略版本的信息** 此示例返回 ARN 为 `arn:aws:iam::123456789012:policy/MySamplePolicy` 的策略的可用版本列表。 ``` aws iam list-policy-versions \ --policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy ``` 输出： ``` { "IsTruncated": false, "Versions": [ { "VersionId": "v2", "IsDefaultVersion": true, "CreateDate": "2015-06-02T23:19:44Z" }, { "VersionId": "v1", "IsDefaultVersion": false, "CreateDate": "2015-06-02T22:30:47Z" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListPolicyVersions](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-policy-versions.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回 ARN 为 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 的策略的可用版本列表。要获取特定版本的策略文档，请使用 `Get-IAMPolicyVersion` 命令并指定所需版本的 `VersionId`。** ``` Get-IAMPolicyVersionList -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy ``` **输出**： ``` CreateDate Document IsDefaultVersion VersionId ---------- -------- ---------------- --------- 2/12/2015 9:39:53 AM True v2 2/12/2015 9:39:09 AM False v1 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListPolicyVersions](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回 ARN 为 `arn:aws:iam::123456789012:policy/MyManagedPolicy` 的策略的可用版本列表。要获取特定版本的策略文档，请使用 `Get-IAMPolicyVersion` 命令并指定所需版本的 `VersionId`。** ``` Get-IAMPolicyVersionList -PolicyArn arn:aws:iam::123456789012:policy/MyManagedPolicy ``` **输出**： ``` CreateDate Document IsDefaultVersion VersionId ---------- -------- ---------------- --------- 2/12/2015 9:39:53 AM True v2 2/12/2015 9:39:09 AM False v1 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListPolicyVersions](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listpolicyversions( iv_policyarn = iv_policy_arn ). MESSAGE 'Retrieved policy versions list.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Policy does not exist.' TYPE 'E'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing policy versions.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListPolicyVersions](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `ListRolePolicies`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListRolePolicies`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// List IAM role policies. ///

/// The IAM role for which to list IAM policies. /// A list of IAM policy names. public async Task> ListRolePoliciesAsync(string roleName) { var listRolePoliciesPaginator = _IAMService.Paginators.ListRolePolicies(new ListRolePoliciesRequest { RoleName = roleName }); var policyNames = new List(); await foreach (var response in listRolePoliciesPaginator.Responses) { policyNames.AddRange(response.PolicyNames); } return policyNames; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[ListRolePolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListRolePolicies)*中的。 ------ #### [ CLI ] **AWS CLI** **列出附加到 IAM 角色的策略** 以下 `list-role-policies` 命令将列出指定 IAM 角色的权限策略名称。 ``` aws iam list-role-policies \ --role-name Test-Role ``` 输出： ``` { "PolicyNames": [ "ExamplePolicy" ] } ``` 要查看附加到角色的信任策略，请使用 `get-role` 命令。要查看权限策略的详细信息，请使用 `get-role-policy` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListRolePolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-role-policies.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // ListRolePolicies lists the inline policies for a role. func (wrapper RoleWrapper) ListRolePolicies(ctx context.Context, roleName string) ([]string, error) { var policies []string result, err := wrapper.IamClient.ListRolePolicies(ctx, &iam.ListRolePoliciesInput{ RoleName: aws.String(roleName), }) if err != nil { log.Printf("Couldn't list policies for role %v. Here's why: %v\n", roleName, err) } else { policies = result.PolicyNames } return policies, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListRolePolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListRolePolicies)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出策略。 ``` import { ListRolePoliciesCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. * * @param {string} roleName */ export async function* listRolePolicies(roleName) { const command = new ListRolePoliciesCommand({ RoleName: roleName, MaxItems: 10, }); let response = await client.send(command); while (response.PolicyNames?.length) { for (const policyName of response.PolicyNames) { yield policyName; } if (response.IsTruncated) { response = await client.send( new ListRolePoliciesCommand({ RoleName: roleName, MaxItems: 10, Marker: response.Marker, }), ); } else { break; } } } ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListRolePolicies](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListRolePoliciesCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function listRolePolicies($roleName, $marker = "", $maxItems = 0) { $listRolePoliciesArguments = ['RoleName' => $roleName]; if ($marker) { $listRolePoliciesArguments['Marker'] = $marker; } if ($maxItems) { $listRolePoliciesArguments['MaxItems'] = $maxItems; } return $this->customWaiter(function () use ($listRolePoliciesArguments) { return $this->iamClient->listRolePolicies($listRolePoliciesArguments); }); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[ListRolePolicies](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListRolePolicies)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例返回 IAM 角色 `lamda_exec_role` 中嵌入的内联策略名称列表。要查看内联策略的详细信息，请使用 `Get-IAMRolePolicy` 命令。** ``` Get-IAMRolePolicyList -RoleName lambda_exec_role ``` **输出**： ``` oneClick_lambda_exec_role_policy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListRolePolicies](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例返回 IAM 角色 `lamda_exec_role` 中嵌入的内联策略名称列表。要查看内联策略的详细信息，请使用 `Get-IAMRolePolicy` 命令。** ``` Get-IAMRolePolicyList -RoleName lambda_exec_role ``` **输出**： ``` oneClick_lambda_exec_role_policy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListRolePolicies](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_policies(role_name): """ Lists inline policies for a role. :param role_name: The name of the role to query. """ try: role = iam.Role(role_name) for policy in role.policies.all(): logger.info("Got inline policy %s.", policy.name) except ClientError: logger.exception("Couldn't list inline policies for %s.", role_name) raise ``` + 有关 API 的详细信息，请参阅适用[ListRolePolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListRolePolicies)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Lists policy ARNs attached to a role # # @param role_name [String] The name of the role # @return [Array] List of policy ARNs def list_attached_policy_arns(role_name) response = @iam_client.list_attached_role_policies(role_name: role_name) response.attached_policies.map(&:policy_arn) rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing policies attached to role: #{e.message}") [] end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListRolePolicies](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListRolePolicies)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn list_role_policies( client: &iamClient, role_name: &str, marker: Option, max_items: Option, ) -> Result> { let response = client .list_role_policies() .role_name(role_name) .set_marker(marker) .set_max_items(max_items) .send() .await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[ListRolePolicies](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_role_policies)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listrolepolicies( iv_rolename = iv_role_name ). MESSAGE 'Retrieved inline policy list for role.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Role does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListRolePolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func listRolePolicies(role: String) async throws -> [String] { var policyList: [String] = [] // Use "Paginated" to get all the role policies. // This lets the SDK handle the 'isTruncated' in "ListRolePoliciesOutput". let input = ListRolePoliciesInput( roleName: role ) let pages = client.listRolePoliciesPaginated(input: input) do { for try await page in pages { guard let policies = page.policyNames else { print("Error: no role policies returned.") continue } for policy in policies { policyList.append(policy) } } } catch { print("ERROR: listRolePolicies:", dump(error)) throw error } return policyList } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[ListRolePolicies](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listrolepolicies(input:))*中。 ------ # 将 `ListRoleTags` 与 CLI 配合使用以下代码示例演示如何使用 `ListRoleTags`。 ------ #### [ CLI ] **AWS CLI** **列出附加到角色的标签** 以下 `list-role-tags` 命令检索与指定角色关联的标签列表。 ``` aws iam list-role-tags \ --role-name production-role ``` 输出： ``` { "Tags": [ { "Key": "Department", "Value": "Accounting" }, { "Key": "DeptID", "Value": "12345" } ], "IsTruncated": false } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 资源](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListRoleTags](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-role-tags.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例获取与角色关联的标签。** ``` Get-IAMRoleTagList -RoleName MyRoleName ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListRoleTags](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例获取与角色关联的标签。** ``` Get-IAMRoleTagList -RoleName MyRoleName ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListRoleTags](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `ListRoles`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListRoles`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// List IAM roles. ///

/// A list of IAM roles. public async Task> ListRolesAsync() { var listRolesPaginator = _IAMService.Paginators.ListRoles(new ListRolesRequest()); var roles = new List(); await foreach (var response in listRolesPaginator.Responses) { roles.AddRange(response.Roles); } return roles; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[ListRoles](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListRoles)*中的。 ------ #### [ CLI ] **AWS CLI** **列出当前账户的 IAM 角色** 以下 `list-roles` 命令将列出当前账户中的 IAM 角色。 ``` aws iam list-roles ``` 输出： ``` { "Roles": [ { "Path": "/", "RoleName": "ExampleRole", "RoleId": "AROAJ52OTH4H7LEXAMPLE", "Arn": "arn:aws:iam::123456789012:role/ExampleRole", "CreateDate": "2017-09-12T19:23:36+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "MaxSessionDuration": 3600 }, { "Path": "/example_path/", "RoleName": "ExampleRoleWithPath", "RoleId": "AROAI4QRP7UFT7EXAMPLE", "Arn": "arn:aws:iam::123456789012:role/example_path/ExampleRoleWithPath", "CreateDate": "2023-09-21T20:29:38+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "MaxSessionDuration": 3600 } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListRoles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-roles.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions // used in the examples. // It contains an IAM service client that is used to perform role actions. type RoleWrapper struct { IamClient *iam.Client } // ListRoles gets up to maxRoles roles. func (wrapper RoleWrapper) ListRoles(ctx context.Context, maxRoles int32) ([]types.Role, error) { var roles []types.Role result, err := wrapper.IamClient.ListRoles(ctx, &iam.ListRolesInput{MaxItems: aws.Int32(maxRoles)}, ) if err != nil { log.Printf("Couldn't list roles. Here's why: %v\n", err) } else { roles = result.Roles } return roles, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListRoles](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListRoles)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出角色。 ``` import { ListRolesCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. * */ export async function* listRoles() { const command = new ListRolesCommand({ MaxItems: 10, }); /** * @type {import("@aws-sdk/client-iam").ListRolesCommandOutput | undefined} */ let response = await client.send(command); while (response?.Roles?.length) { for (const role of response.Roles) { yield role; } if (response.IsTruncated) { response = await client.send( new ListRolesCommand({ Marker: response.Marker, }), ); } else { break; } } } ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListRoles](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListRolesCommand)*中的。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); /** * @param string $pathPrefix * @param string $marker * @param int $maxItems * @return Result * $roles = $service->listRoles(); */ public function listRoles($pathPrefix = "", $marker = "", $maxItems = 0) { $listRolesArguments = []; if ($pathPrefix) { $listRolesArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listRolesArguments["Marker"] = $marker; } if ($maxItems) { $listRolesArguments["MaxItems"] = $maxItems; } return $this->iamClient->listRoles($listRolesArguments); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[ListRoles](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListRoles)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索 AWS 账户中的所有 IAM 角色列表。** ``` Get-IAMRoleList ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListRoles](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索 AWS 账户中的所有 IAM 角色列表。** ``` Get-IAMRoleList ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListRoles](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_roles(count): """ Lists the specified number of roles for the account. :param count: The number of roles to list. """ try: roles = list(iam.roles.limit(count=count)) for role in roles: logger.info("Role: %s", role.name) except ClientError: logger.exception("Couldn't list roles for the account.") raise else: return roles ``` + 有关 API 的详细信息，请参阅适用[ListRoles](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListRoles)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Lists IAM roles up to a specified count. # @param count [Integer] the maximum number of roles to list. # @return [Array] the names of the roles. def list_roles(count) role_names = [] roles_counted = 0 @iam_client.list_roles.each_page do |page| page.roles.each do |role| break if roles_counted >= count @logger.info("\t#{roles_counted + 1}: #{role.role_name}") role_names << role.role_name roles_counted += 1 end break if roles_counted >= count end role_names rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't list roles for the account. Here's why:") @logger.error("\t#{e.code}: #{e.message}") raise end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListRoles](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListRoles)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn list_roles( client: &iamClient, path_prefix: Option, marker: Option, max_items: Option, ) -> Result> { let response = client .list_roles() .set_path_prefix(path_prefix) .set_marker(marker) .set_max_items(max_items) .send() .await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[ListRoles](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_roles)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listroles( ). MESSAGE 'Retrieved role list.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing roles.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListRoles](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func listRoles() async throws -> [String] { var roleList: [String] = [] // Use "Paginated" to get all the roles. // This lets the SDK handle the 'isTruncated' in "ListRolesOutput". let input = ListRolesInput() let pages = client.listRolesPaginated(input: input) do { for try await page in pages { guard let roles = page.roles else { print("Error: no roles returned.") continue } for role in roles { if let name = role.roleName { roleList.append(name) } } } } catch { print("ERROR: listRoles:", dump(error)) throw error } return roleList } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[ListRoles](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listroles(input:))*中。 ------ # `ListSAMLProviders`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListSAMLProviders`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// List SAML authentication providers. ///

/// A list of SAML providers. public async Task> ListSAMLProvidersAsync() { var response = await _IAMService.ListSAMLProvidersAsync(new ListSAMLProvidersRequest()); return response.SAMLProviderList; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考SAMLProviders*中的[列表](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListSAMLProviders)。 ------ #### [ CLI ] **AWS CLI** **列出账户中的 SAML 提供商 AWS ** 此示例检索在当前 AWS 账户中创建的 SAML 2.0 提供商列表。 ``` aws iam list-saml-providers ``` 输出： ``` { "SAMLProviderList": [ { "Arn": "arn:aws:iam::123456789012:saml-provider/SAML-ADFS", "ValidUntil": "2015-06-05T22:45:14Z", "CreateDate": "2015-06-05T22:45:14Z" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM SAML 身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。 + 有关 API 的详细信息，请参阅SAMLProviders《*AWS CLI 命令参考*》中的 “[列表](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-saml-providers.html)”。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "log" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" ) // AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions // used in the examples. // It contains an IAM service client that is used to perform account actions. type AccountWrapper struct { IamClient *iam.Client } // ListSAMLProviders gets the SAML providers for the account. func (wrapper AccountWrapper) ListSAMLProviders(ctx context.Context) ([]types.SAMLProviderListEntry, error) { var providers []types.SAMLProviderListEntry result, err := wrapper.IamClient.ListSAMLProviders(ctx, &iam.ListSAMLProvidersInput{}) if err != nil { log.Printf("Couldn't list SAML providers. Here's why: %v\n", err) } else { providers = result.SAMLProviderList } return providers, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考SAMLProviders*中的[列表](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListSAMLProviders)。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出 SAML 提供商。 ``` import { ListSAMLProvidersCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); export const listSamlProviders = async () => { const command = new ListSAMLProvidersCommand({}); const response = await client.send(command); console.log(response); return response; }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考SAMLProviders*中的[列表](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListSAMLProvidersCommand)。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function listSAMLProviders() { return $this->iamClient->listSAMLProviders(); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考SAMLProviders*中的[列表](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListSAMLProviders)。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将检索在当前 AWS 账户中创建的 SAML 2.0 提供者列表。其返回每个 SAML 提供者的 ARN、创建日期和到期日期。** ``` Get-IAMSAMLProviderList ``` **输出**： ``` Arn CreateDate ValidUntil --- ---------- ---------- arn:aws:iam::123456789012:saml-provider/SAMLADFS 12/23/2014 12:16:55 PM 12/23/2114 12:16:54 PM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考文档 (V* 4) SAMLProviders 中的[列表](https://docs.aws.amazon.com/powershell/v4/reference)。 **适用于 PowerShell V5 的工具** **示例 1：此示例将检索在当前 AWS 账户中创建的 SAML 2.0 提供者列表。其返回每个 SAML 提供者的 ARN、创建日期和到期日期。** ``` Get-IAMSAMLProviderList ``` **输出**： ``` Arn CreateDate ValidUntil --- ---------- ---------- arn:aws:iam::123456789012:saml-provider/SAMLADFS 12/23/2014 12:16:55 PM 12/23/2114 12:16:54 PM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考文档 (V* 5) SAMLProviders 中的[列表](https://docs.aws.amazon.com/powershell/v5/reference)。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_saml_providers(count): """ Lists the SAML providers for the account. :param count: The maximum number of providers to list. """ try: found = 0 for provider in iam.saml_providers.limit(count): logger.info("Got SAML provider %s.", provider.arn) found += 1 if found == 0: logger.info("Your account has no SAML providers.") except ClientError: logger.exception("Couldn't list SAML providers.") raise ``` + 有关 API 的详细信息，请参阅适用于 *Python 的AWS SDK (Boto3)* API 参考SAMLProviders中的[列表](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListSAMLProviders)。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` class SamlProviderLister # Initializes the SamlProviderLister with IAM client and a logger. # @param iam_client [Aws::IAM::Client] The IAM client object. # @param logger [Logger] The logger object for logging output. def initialize(iam_client, logger = Logger.new($stdout)) @iam_client = iam_client @logger = logger end # Lists up to a specified number of SAML providers for the account. # @param count [Integer] The maximum number of providers to list. # @return [Aws::IAM::Client::Response] def list_saml_providers(count) response = @iam_client.list_saml_providers response.saml_provider_list.take(count).each do |provider| @logger.info("\t#{provider.arn}") end response rescue Aws::Errors::ServiceError => e @logger.error("Couldn't list SAML providers. Here's why:") @logger.error("\t#{e.code}: #{e.message}") raise end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考SAMLProviders*中的[列表](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListSAMLProviders)。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn list_saml_providers( client: &Client, ) -> Result> { let response = client.list_saml_providers().send().await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用于 *Rust 的AWS SDK SAMLProviders 中[列](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_saml_providers)出 API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listsamlproviders( ). MESSAGE 'Retrieved SAML provider list.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing SAML providers.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用于 SAP 的 *AWS SDK SAMLProviders 中[列](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)出 ABAP API 参考*。 ------ # `ListServerCertificates`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListServerCertificates`。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::listServerCertificates( const Aws::Client::ClientConfiguration &clientConfig) { const Aws::String DATE_FORMAT = "%Y-%m-%d"; Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::ListServerCertificatesRequest request; bool done = false; bool header = false; while (!done) { auto outcome = iam.ListServerCertificates(request); if (!outcome.IsSuccess()) { std::cerr << "Failed to list server certificates: " << outcome.GetError().GetMessage() << std::endl; return false; } if (!header) { std::cout << std::left << std::setw(55) << "Name" << std::setw(30) << "ID" << std::setw(80) << "Arn" << std::setw(14) << "UploadDate" << std::setw(14) << "ExpirationDate" << std::endl; header = true; } const auto &certificates = outcome.GetResult().GetServerCertificateMetadataList(); for (const auto &certificate: certificates) { std::cout << std::left << std::setw(55) << certificate.GetServerCertificateName() << std::setw(30) << certificate.GetServerCertificateId() << std::setw(80) << certificate.GetArn() << std::setw(14) << certificate.GetUploadDate().ToGmtString(DATE_FORMAT.c_str()) << std::setw(14) << certificate.GetExpiration().ToGmtString(DATE_FORMAT.c_str()) << std::endl; } if (outcome.GetResult().GetIsTruncated()) { request.SetMarker(outcome.GetResult().GetMarker()); } else { done = true; } } return true; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[ListServerCertificates](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListServerCertificates)*中的。 ------ #### [ CLI ] **AWS CLI** **列出您 AWS 账户中的服务器证书** 以下`list-server-certificates`命令列出了您的 AWS 账户中存储并可供使用的所有服务器证书。 ``` aws iam list-server-certificates ``` 输出： ``` { "ServerCertificateMetadataList": [ { "Path": "/", "ServerCertificateName": "myUpdatedServerCertificate", "ServerCertificateId": "ASCAEXAMPLE123EXAMPLE", "Arn": "arn:aws:iam::123456789012:server-certificate/myUpdatedServerCertificate", "UploadDate": "2019-04-22T21:13:44+00:00", "Expiration": "2019-10-15T22:23:16+00:00" }, { "Path": "/cloudfront/", "ServerCertificateName": "MyTestCert", "ServerCertificateId": "ASCAEXAMPLE456EXAMPLE", "Arn": "arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyTestCert", "UploadDate": "2015-04-21T18:14:16+00:00", "Expiration": "2018-01-14T17:52:36+00:00" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 IAM 中管理服务器证书](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListServerCertificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-server-certificates.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出证书。 ``` import { ListServerCertificatesCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * A generator function that handles paginated results. * The AWS SDK for JavaScript (v3) provides {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html#paginators | paginator} functions to simplify this. * */ export async function* listServerCertificates() { const command = new ListServerCertificatesCommand({}); let response = await client.send(command); while (response.ServerCertificateMetadataList?.length) { for await (const cert of response.ServerCertificateMetadataList) { yield cert; } if (response.IsTruncated) { response = await client.send(new ListServerCertificatesCommand({})); } else { break; } } } ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListServerCertificates](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListServerCertificatesCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); iam.listServerCertificates({}, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-listing)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListServerCertificates](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListServerCertificates)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索已上传到当前 AWS 账户的服务器证书列表。** ``` Get-IAMServerCertificateList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate Expiration : 1/14/2018 9:52:36 AM Path : /Org1/Org2/ ServerCertificateId : ASCAJIFEXAMPLE17HQZYW ServerCertificateName : MyServerCertificate UploadDate : 4/21/2015 11:14:16 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListServerCertificates](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索已上传到当前 AWS 账户的服务器证书列表。** ``` Get-IAMServerCertificateList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate Expiration : 1/14/2018 9:52:36 AM Path : /Org1/Org2/ ServerCertificateId : ASCAJIFEXAMPLE17HQZYW ServerCertificateName : MyServerCertificate UploadDate : 4/21/2015 11:14:16 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListServerCertificates](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出、更新和删除服务器证书。 ``` class ServerCertificateManager def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'ServerCertificateManager' end # Creates a new server certificate. # @param name [String] the name of the server certificate # @param certificate_body [String] the contents of the certificate # @param private_key [String] the private key contents # @return [Boolean] returns true if the certificate was successfully created def create_server_certificate(name, certificate_body, private_key) @iam_client.upload_server_certificate({ server_certificate_name: name, certificate_body: certificate_body, private_key: private_key }) true rescue Aws::IAM::Errors::ServiceError => e puts "Failed to create server certificate: #{e.message}" false end # Lists available server certificate names. def list_server_certificate_names response = @iam_client.list_server_certificates if response.server_certificate_metadata_list.empty? @logger.info('No server certificates found.') return end response.server_certificate_metadata_list.each do |certificate_metadata| @logger.info("Certificate Name: #{certificate_metadata.server_certificate_name}") end rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing server certificates: #{e.message}") end # Updates the name of a server certificate. def update_server_certificate_name(current_name, new_name) @iam_client.update_server_certificate( server_certificate_name: current_name, new_server_certificate_name: new_name ) @logger.info("Server certificate name updated from '#{current_name}' to '#{new_name}'.") true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error updating server certificate name: #{e.message}") false end # Deletes a server certificate. def delete_server_certificate(name) @iam_client.delete_server_certificate(server_certificate_name: name) @logger.info("Server certificate '#{name}' deleted.") true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting server certificate: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListServerCertificates](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListServerCertificates)*中的。 ------ # 将 `ListSigningCertificates` 与 CLI 配合使用以下代码示例演示如何使用 `ListSigningCertificates`。 ------ #### [ CLI ] **AWS CLI** **列出 IAM 用户的签名证书** 以下 `list-signing-certificates` 命令列出名为 `Bob` 的 IAM 用户的签名证书。 ``` aws iam list-signing-certificates \ --user-name Bob ``` 输出： ``` { "Certificates": [ { "UserName": "Bob", "Status": "Inactive", "CertificateBody": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----", "CertificateId": "TA7SMP42TDN5Z26OBPJE7EXAMPLE", "UploadDate": "2013-06-06T21:40:08Z" } ] } ``` 有关更多信息，请参阅《Amazon EC2 用户指南》**中的[管理签名证书](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-up-ami-tools.html#ami-tools-managing-certs)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListSigningCertificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-signing-certificates.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索与名为 `Bob` 的用户关联的签名证书的相关详细信息。** ``` Get-IAMSigningCertificate -UserName Bob ``` **输出**： ``` CertificateBody : -----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE----- CertificateId : Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU Status : Active UploadDate : 4/20/2015 1:26:01 PM UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListSigningCertificates](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索与名为 `Bob` 的用户关联的签名证书的相关详细信息。** ``` Get-IAMSigningCertificate -UserName Bob ``` **输出**： ``` CertificateBody : -----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE----- CertificateId : Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU Status : Active UploadDate : 4/20/2015 1:26:01 PM UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListSigningCertificates](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `ListUserPolicies`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListUserPolicies`。 ------ #### [ CLI ] **AWS CLI** **列出 IAM 用户的策略** 以下 `list-user-policies` 命令列出附加到名为 `Bob` 的 IAM 用户的策略。 ``` aws iam list-user-policies \ --user-name Bob ``` 输出： ``` { "PolicyNames": [ "ExamplePolicy", "TestPolicy" ] } ``` 有关更多信息，请参阅 [IAM 用户指南中的在您的 AWS 账户中创建AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) *IAM 用户*。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListUserPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // ListUserPolicies lists the inline policies for the specified user. func (wrapper UserWrapper) ListUserPolicies(ctx context.Context, userName string) ([]string, error) { var policies []string result, err := wrapper.IamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{ UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't list policies for user %v. Here's why: %v\n", userName, err) } else { policies = result.PolicyNames } return policies, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListUserPolicies](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListUserPolicies)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索嵌入在名为 `David` 的 IAM 用户中的内联策略名称列表。** ``` Get-IAMUserPolicyList -UserName David ``` **输出**： ``` Davids_IAM_Admin_Policy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListUserPolicies](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索嵌入在名为 `David` 的 IAM 用户中的内联策略名称列表。** ``` Get-IAMUserPolicyList -UserName David ``` **输出**： ``` Davids_IAM_Admin_Policy ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListUserPolicies](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ListUserTags` 与 CLI 配合使用以下代码示例演示如何使用 `ListUserTags`。 ------ #### [ CLI ] **AWS CLI** **列出附加到用户的标签** 以下 `list-user-tags` 命令检索与指定 IAM 用户关联的标签列表。 ``` aws iam list-user-tags \ --user-name alice ``` 输出： ``` { "Tags": [ { "Key": "Department", "Value": "Accounting" }, { "Key": "DeptID", "Value": "12345" } ], "IsTruncated": false } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 资源](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListUserTags](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-tags.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例获取与用户关联的标签。** ``` Get-IAMUserTagList -UserName joe ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListUserTags](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例获取与用户关联的标签。** ``` Get-IAMUserTagList -UserName joe ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListUserTags](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `ListUsers`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `ListUsers`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// List IAM users. ///

/// A list of IAM users. public async Task> ListUsersAsync() { var listUsersPaginator = _IAMService.Paginators.ListUsers(new ListUsersRequest()); var users = new List(); await foreach (var response in listUsersPaginator.Responses) { users.AddRange(response.Users); } return users; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[ListUsers](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/ListUsers)*中的。 ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function iam_list_users # # List the IAM users in the account. # # Returns: # The list of users names # And: # 0 - If the user already exists. # 1 - If the user doesn't exist. ############################################################################### function iam_list_users() { local option OPTARG # Required to use getopts command in a function. local error_code # bashsupport disable=BP5008 function usage() { echo "function iam_list_users" echo "Lists the AWS Identity and Access Management (IAM) user in the account." echo "" } # Retrieve the calling parameters. while getopts "h" option; do case "${option}" in h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local response response=$(aws iam list-users \ --output text \ --query "Users[].UserName") error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports list-users operation failed.$response" return 1 fi echo "$response" return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListUsers](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/ListUsers)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::listUsers(const Aws::Client::ClientConfiguration &clientConfig) { const Aws::String DATE_FORMAT = "%Y-%m-%d"; Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::ListUsersRequest request; bool done = false; bool header = false; while (!done) { auto outcome = iam.ListUsers(request); if (!outcome.IsSuccess()) { std::cerr << "Failed to list iam users:" << outcome.GetError().GetMessage() << std::endl; return false; } if (!header) { std::cout << std::left << std::setw(32) << "Name" << std::setw(30) << "ID" << std::setw(64) << "Arn" << std::setw(20) << "CreateDate" << std::endl; header = true; } const auto &users = outcome.GetResult().GetUsers(); for (const auto &user: users) { std::cout << std::left << std::setw(32) << user.GetUserName() << std::setw(30) << user.GetUserId() << std::setw(64) << user.GetArn() << std::setw(20) << user.GetCreateDate().ToGmtString(DATE_FORMAT.c_str()) << std::endl; } if (outcome.GetResult().GetIsTruncated()) { request.SetMarker(outcome.GetResult().GetMarker()); } else { done = true; } } return true; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[ListUsers](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/ListUsers)*中的。 ------ #### [ CLI ] **AWS CLI** **列出 IAM 用户** 以下 `list-users` 命令将列出当前账户中的 IAM 用户。 ``` aws iam list-users ``` 输出： ``` { "Users": [ { "UserName": "Adele", "Path": "/", "CreateDate": "2013-03-07T05:14:48Z", "UserId": "AKIAI44QH8DHBEXAMPLE", "Arn": "arn:aws:iam::123456789012:user/Adele" }, { "UserName": "Bob", "Path": "/", "CreateDate": "2012-09-21T23:03:13Z", "UserId": "AKIAIOSFODNN7EXAMPLE", "Arn": "arn:aws:iam::123456789012:user/Bob" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[列出 IAM 用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_manage_list)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListUsers](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // ListUsers gets up to maxUsers number of users. func (wrapper UserWrapper) ListUsers(ctx context.Context, maxUsers int32) ([]types.User, error) { var users []types.User result, err := wrapper.IamClient.ListUsers(ctx, &iam.ListUsersInput{ MaxItems: aws.Int32(maxUsers), }) if err != nil { log.Printf("Couldn't list users. Here's why: %v\n", err) } else { users = result.Users } return users, err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[ListUsers](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.ListUsers)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.AttachedPermissionsBoundary; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.ListUsersRequest; import software.amazon.awssdk.services.iam.model.ListUsersResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.User; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class ListUsers { public static void main(String[] args) { Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); listAllUsers(iam); System.out.println("Done"); iam.close(); } public static void listAllUsers(IamClient iam) { try { boolean done = false; String newMarker = null; while (!done) { ListUsersResponse response; if (newMarker == null) { ListUsersRequest request = ListUsersRequest.builder().build(); response = iam.listUsers(request); } else { ListUsersRequest request = ListUsersRequest.builder() .marker(newMarker) .build(); response = iam.listUsers(request); } for (User user : response.users()) { System.out.format("\n Retrieved user %s", user.userName()); AttachedPermissionsBoundary permissionsBoundary = user.permissionsBoundary(); if (permissionsBoundary != null) System.out.format("\n Permissions boundary details %s", permissionsBoundary.permissionsBoundaryTypeAsString()); } if (!response.isTruncated()) { done = true; } else { newMarker = response.marker(); } } } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[ListUsers](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/ListUsers)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出用户。 ``` import { ListUsersCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); export const listUsers = async () => { const command = new ListUsersCommand({ MaxItems: 10 }); const response = await client.send(command); for (const { UserName, CreateDate } of response.Users) { console.log(`${UserName} created on: ${CreateDate}`); } return response; }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-listing-users](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-listing-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListUsers](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListUsersCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { MaxItems: 10, }; iam.listUsers(params, function (err, data) { if (err) { console.log("Error", err); } else { var users = data.Users || []; users.forEach(function (user) { console.log("User " + user.UserName + " created", user.CreateDate); }); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-listing-users](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-listing-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[ListUsers](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/ListUsers)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun listAllUsers() { IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> val response = iamClient.listUsers(ListUsersRequest { }) response.users?.forEach { user -> println("Retrieved user ${user.userName}") val permissionsBoundary = user.permissionsBoundary if (permissionsBoundary != null) { println("Permissions boundary details ${permissionsBoundary.permissionsBoundaryType}") } } } } ``` + 有关 API 的详细信息，请参阅适用[ListUsers](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PHP ] **适用于 PHP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` $uuid = uniqid(); $service = new IAMService(); public function listUsers($pathPrefix = "", $marker = "", $maxItems = 0) { $listUsersArguments = []; if ($pathPrefix) { $listUsersArguments["PathPrefix"] = $pathPrefix; } if ($marker) { $listUsersArguments["Marker"] = $marker; } if ($maxItems) { $listUsersArguments["MaxItems"] = $maxItems; } return $this->iamClient->listUsers($listUsersArguments); } ``` + 有关 API 的详细信息，请参阅 *适用于 PHP 的 AWS SDK API 参考[ListUsers](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/ListUsers)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索当前 AWS 账户用户集合。** ``` Get-IAMUserList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Administrator CreateDate : 10/16/2014 9:03:09 AM PasswordLastUsed : 3/4/2015 12:12:33 PM Path : / UserId : 7K3GJEANSKZF2EXAMPLE1 UserName : Administrator Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 4/6/2015 12:54:42 PM PasswordLastUsed : 1/1/0001 12:00:00 AM Path : / UserId : L3EWNONDOM3YUEXAMPLE2 UserName : bab Arn : arn:aws:iam::123456789012:user/David CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 3/19/2015 8:44:04 AM Path : / UserId : Y4FKWQCXTA52QEXAMPLE3 UserName : David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListUsers](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索当前 AWS 账户用户集合。** ``` Get-IAMUserList ``` **输出**： ``` Arn : arn:aws:iam::123456789012:user/Administrator CreateDate : 10/16/2014 9:03:09 AM PasswordLastUsed : 3/4/2015 12:12:33 PM Path : / UserId : 7K3GJEANSKZF2EXAMPLE1 UserName : Administrator Arn : arn:aws:iam::123456789012:user/Bob CreateDate : 4/6/2015 12:54:42 PM PasswordLastUsed : 1/1/0001 12:00:00 AM Path : / UserId : L3EWNONDOM3YUEXAMPLE2 UserName : bab Arn : arn:aws:iam::123456789012:user/David CreateDate : 12/10/2014 3:39:27 PM PasswordLastUsed : 3/19/2015 8:44:04 AM Path : / UserId : Y4FKWQCXTA52QEXAMPLE3 UserName : David ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListUsers](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def list_users(): """ Lists the users in the current account. :return: The list of users. """ try: users = list(iam.users.all()) logger.info("Got %s users.", len(users)) except ClientError: logger.exception("Couldn't get users.") raise else: return users ``` + 有关 API 的详细信息，请参阅适用[ListUsers](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListUsers)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Lists all users in the AWS account # # @return [Array] An array of user objects def list_users users = [] @iam_client.list_users.each_page do |page| page.users.each do |user| users << user end end users rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing users: #{e.message}") [] end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[ListUsers](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/ListUsers)*中的。 ------ #### [ Rust ] **适用于 Rust 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` pub async fn list_users( client: &iamClient, path_prefix: Option, marker: Option, max_items: Option, ) -> Result> { let response = client .list_users() .set_path_prefix(path_prefix) .set_marker(marker) .set_max_items(max_items) .send() .await?; Ok(response) } ``` + 有关 API 的详细信息，请参阅适用[ListUsers](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.list_users)于 *Rust 的AWS SDK API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. oo_result = lo_iam->listusers( ). MESSAGE 'Retrieved user list.' TYPE 'I'. CATCH /aws1/cx_iamservicefailureex. MESSAGE 'Service failure when listing users.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[ListUsers](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 public func listUsers() async throws -> [MyUserRecord] { var userList: [MyUserRecord] = [] // Use "Paginated" to get all the users. // This lets the SDK handle the 'isTruncated' in "ListUsersOutput". let input = ListUsersInput() let output = client.listUsersPaginated(input: input) do { for try await page in output { guard let users = page.users else { continue } for user in users { if let id = user.userId, let name = user.userName { userList.append(MyUserRecord(id: id, name: name)) } } } } catch { print("ERROR: listUsers:", dump(error)) throw error } return userList } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[ListUsers](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/listusers(input:))*中。 ------ # 将 `ListVirtualMfaDevices` 与 CLI 配合使用以下代码示例演示如何使用 `ListVirtualMfaDevices`。 ------ #### [ CLI ] **AWS CLI** **列出虚拟 MFA 设备** 以下 `list-virtual-mfa-devices` 命令列出已为当前账户配置的虚拟 MFA 设备。 ``` aws iam list-virtual-mfa-devices ``` 输出： ``` { "VirtualMFADevices": [ { "SerialNumber": "arn:aws:iam::123456789012:mfa/ExampleMFADevice" }, { "SerialNumber": "arn:aws:iam::123456789012:mfa/Fred" } ] } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[启用虚拟多重身份验证（MFA）设备](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ListVirtualMfaDevices](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-virtual-mfa-devices.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例检索分配给账户中 AWS 用户的虚拟 MFA 设备集合。每个设备的 `User` 属性都是一个对象，其中包含设备分配到的 IAM 用户的详细信息。** ``` Get-IAMVirtualMFADevice -AssignmentStatus Assigned ``` **输出**： ``` Base32StringSeed : EnableDate : 4/13/2015 12:03:42 PM QRCodePNG : SerialNumber : arn:aws:iam::123456789012:mfa/David User : Amazon.IdentityManagement.Model.User Base32StringSeed : EnableDate : 4/13/2015 12:06:41 PM QRCodePNG : SerialNumber : arn:aws:iam::123456789012:mfa/root-account-mfa-device User : Amazon.IdentityManagement.Model.User ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ListVirtualMfaDevices](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例检索分配给账户中 AWS 用户的虚拟 MFA 设备集合。每个设备的 `User` 属性都是一个对象，其中包含设备分配到的 IAM 用户的详细信息。** ``` Get-IAMVirtualMFADevice -AssignmentStatus Assigned ``` **输出**： ``` Base32StringSeed : EnableDate : 4/13/2015 12:03:42 PM QRCodePNG : SerialNumber : arn:aws:iam::123456789012:mfa/David User : Amazon.IdentityManagement.Model.User Base32StringSeed : EnableDate : 4/13/2015 12:06:41 PM QRCodePNG : SerialNumber : arn:aws:iam::123456789012:mfa/root-account-mfa-device User : Amazon.IdentityManagement.Model.User ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ListVirtualMfaDevices](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `PutGroupPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `PutGroupPolicy`。 ------ #### [ CLI ] **AWS CLI** **为组添加策略** 以下 `put-group-policy` 命令可将策略添加到名为 `Admins` 的 IAM 组。 ``` aws iam put-group-policy \ --group-name Admins \ --policy-document file://AdminPolicy.json \ --policy-name AdminRoot ``` 此命令不生成任何输出。该策略在 *AdminPolicy.json 文件中定义为一个 JSON* 文档。（文件名和扩展名没有意义。）有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[PutGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-group-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建一个名为 `AppTesterPolicy` 的内联策略并将其嵌入到 IAM 组 `AppTesters` 中。如果已经存在同名的内联策略，则该策略将被覆盖。JSON 策略内容来自文件 `apptesterpolicy.json`。请注意，必须使用 `-Raw` 参数才能成功处理 JSON 文件的内容。** ``` Write-IAMGroupPolicy -GroupName AppTesters -PolicyName AppTesterPolicy -PolicyDocument (Get-Content -Raw apptesterpolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [PutGroupPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建一个名为 `AppTesterPolicy` 的内联策略并将其嵌入到 IAM 组 `AppTesters` 中。如果已经存在同名的内联策略，则该策略将被覆盖。JSON 策略内容来自文件 `apptesterpolicy.json`。请注意，必须使用 `-Raw` 参数才能成功处理 JSON 文件的内容。** ``` Write-IAMGroupPolicy -GroupName AppTesters -PolicyName AppTesterPolicy -PolicyDocument (Get-Content -Raw apptesterpolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [PutGroupPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `PutRolePermissionsBoundary` 与 CLI 配合使用以下代码示例演示如何使用 `PutRolePermissionsBoundary`。 ------ #### [ CLI ] **AWS CLI** **示例 1：将基于自定义策略的权限边界应用于 IAM 角色** 以下 `put-role-permissions-boundary` 示例应用名为 `intern-boundary` 的自定义策略作为指定 IAM 角色的权限边界。 ``` aws iam put-role-permissions-boundary \ --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary \ --role-name lambda-application-role ``` 此命令不生成任何输出。 **示例 2：将基于 AWS 托管策略的权限边界应用于 IAM 角色** 以下`put-role-permissions-boundary`示例应用 AWS 托管`PowerUserAccess`策略作为指定 IAM 角色的权限边界。 ``` aws iam put-role-permissions-boundary \ --permissions-boundary arn:aws:iam::aws:policy/PowerUserAccess \ --role-name x-account-admin ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[PutRolePermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-permissions-boundary.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例展示如何设置 IAM 角色的权限边界。您可以将 AWS 托管策略或自定义策略设置为权限边界。** ``` Set-IAMRolePermissionsBoundary -RoleName MyRoleName -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [PutRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例展示如何设置 IAM 角色的权限边界。您可以将 AWS 托管策略或自定义策略设置为权限边界。** ``` Set-IAMRolePermissionsBoundary -RoleName MyRoleName -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [PutRolePermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `PutRolePolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `PutRolePolicy`。 ------ #### [ .NET ] **适用于 .NET 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ///

/// Update the inline policy document embedded in a role. ///

/// The name of the policy to embed. /// The name of the role to update. /// The policy document that defines the role. /// A Boolean value indicating the success of the action. public async Task PutRolePolicyAsync(string policyName, string roleName, string policyDocument) { var request = new PutRolePolicyRequest { PolicyName = policyName, RoleName = roleName, PolicyDocument = policyDocument }; var response = await _IAMService.PutRolePolicyAsync(request); return response.HttpStatusCode == HttpStatusCode.OK; } ``` + 有关 API 的详细信息，请参阅 *适用于 .NET 的 AWS SDK API 参考[PutRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/PutRolePolicy)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::putRolePolicy( const Aws::String &roleName, const Aws::String &policyName, const Aws::String &policyDocument, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iamClient(clientConfig); Aws::IAM::Model::PutRolePolicyRequest request; request.SetRoleName(roleName); request.SetPolicyName(policyName); request.SetPolicyDocument(policyDocument); Aws::IAM::Model::PutRolePolicyOutcome outcome = iamClient.PutRolePolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Error putting policy on role. " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Successfully put the role policy." << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[PutRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/PutRolePolicy)*中的。 ------ #### [ CLI ] **AWS CLI** **将权限策略附加到 IAM 角色** 以下 `put-role-policy` 命令可将权限策略附加到名为 `Test-Role` 的角色。 ``` aws iam put-role-policy \ --role-name Test-Role \ --policy-name ExamplePolicy \ --policy-document file://AdminPolicy.json ``` 此命令不生成任何输出。该策略在 *AdminPolicy.json 文件中定义为一个 JSON* 文档。（文件名和扩展名没有意义。）要将信任策略附加到角色，请使用 `update-assume-role-policy` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[PutRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-policy.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { PutRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam"; const examplePolicyDocument = JSON.stringify({ Version: "2012-10-17", Statement: [ { Sid: "VisualEditor0", Effect: "Allow", Action: [ "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:ListBucket", "s3:ListMultipartUploadParts", ], Resource: "arn:aws:s3:::amzn-s3-demo-bucket", }, { Sid: "VisualEditor1", Effect: "Allow", Action: [ "s3:ListStorageLensConfigurations", "s3:ListAccessPointsForObjectLambda", "s3:ListAllMyBuckets", "s3:ListAccessPoints", "s3:ListJobs", "s3:ListMultiRegionAccessPoints", ], Resource: "*", }, ], }); const client = new IAMClient({}); /** * * @param {string} roleName * @param {string} policyName * @param {string} policyDocument */ export const putRolePolicy = async (roleName, policyName, policyDocument) => { const command = new PutRolePolicyCommand({ RoleName: roleName, PolicyName: policyName, PolicyDocument: policyDocument, }); const response = await client.send(command); console.log(response); return response; }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[PutRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/PutRolePolicyCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建一个名为 `FedTesterRolePolicy` 的内联策略并将其嵌入到 IAM 角色 `FedTesterRole` 中。如果已经存在同名的内联策略，则该策略将被覆盖。JSON 策略内容来自文件 `FedTesterPolicy.json`。请注意，必须使用 `-Raw` 参数才能成功处理 JSON 文件的内容。** ``` Write-IAMRolePolicy -RoleName FedTesterRole -PolicyName FedTesterRolePolicy -PolicyDocument (Get-Content -Raw FedTesterPolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [PutRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建一个名为 `FedTesterRolePolicy` 的内联策略并将其嵌入到 IAM 角色 `FedTesterRole` 中。如果已经存在同名的内联策略，则该策略将被覆盖。JSON 策略内容来自文件 `FedTesterPolicy.json`。请注意，必须使用 `-Raw` 参数才能成功处理 JSON 文件的内容。** ``` Write-IAMRolePolicy -RoleName FedTesterRole -PolicyName FedTesterRolePolicy -PolicyDocument (Get-Content -Raw FedTesterPolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [PutRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `PutUserPermissionsBoundary` 与 CLI 配合使用以下代码示例演示如何使用 `PutUserPermissionsBoundary`。 ------ #### [ CLI ] **AWS CLI** **示例 1：将基于自定义策略的权限边界应用于 IAM 用户** 以下 `put-user-permissions-boundary` 示例应用名为 `intern-boundary` 的自定义策略作为指定 IAM 用户的权限边界。 ``` aws iam put-user-permissions-boundary \ --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary \ --user-name intern ``` 此命令不生成任何输出。 **示例 2：根据 AWS 托管策略向 IAM 用户应用权限边界** 以下`put-user-permissions-boundary`示例应用名`PowerUserAccess`为指定 IAM 用户的权限边界的 AWS 托管策略。 ``` aws iam put-user-permissions-boundary \ --permissions-boundary arn:aws:iam::aws:policy/PowerUserAccess \ --user-name developer ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[添加和移除 IAM 身份权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[PutUserPermissionsBoundary](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-user-permissions-boundary.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例展示如何设置用户的权限边界。您可以将 AWS 托管策略或自定义策略设置为权限边界。** ``` Set-IAMUserPermissionsBoundary -UserName joe -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [PutUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例展示如何设置用户的权限边界。您可以将 AWS 托管策略或自定义策略设置为权限边界。** ``` Set-IAMUserPermissionsBoundary -UserName joe -PermissionsBoundary arn:aws:iam::123456789012:policy/intern-boundary ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [PutUserPermissionsBoundary](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `PutUserPolicy`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `PutUserPolicy`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [了解基本功能](iam_example_iam_Scenario_CreateUserAssumeRole_section.md) ------ #### [ CLI ] **AWS CLI** **将策略附加到 IAM 用户** 以下 `put-user-policy` 命令可将策略附加到名为 `Bob` 的 IAM 用户。 ``` aws iam put-user-policy \ --user-name Bob \ --policy-name ExamplePolicy \ --policy-document file://AdminPolicy.json ``` 此命令不生成任何输出。该策略在 *AdminPolicy.json 文件中定义为一个 JSON* 文档。（文件名和扩展名没有意义。）有关更多信息，请参阅《AWS IAM 用户指南》**中的[添加和删除 IAM 身份权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[PutUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-user-policy.html)*中的。 ------ #### [ Go ] **适用于 Go 的 SDK V2** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import ( "context" "encoding/json" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/iam/types" "github.com/aws/smithy-go" ) // UserWrapper encapsulates user actions used in the examples. // It contains an IAM service client that is used to perform user actions. type UserWrapper struct { IamClient *iam.Client } // CreateUserPolicy adds an inline policy to a user. This example creates a policy that // grants a list of actions on a specified role. // PolicyDocument shows how to work with a policy document as a data structure and // serialize it to JSON by using Go's JSON marshaler. func (wrapper UserWrapper) CreateUserPolicy(ctx context.Context, userName string, policyName string, actions []string, roleArn string) error { policyDoc := PolicyDocument{ Version: "2012-10-17", Statement: []PolicyStatement{{ Effect: "Allow", Action: actions, Resource: aws.String(roleArn), }}, } policyBytes, err := json.Marshal(policyDoc) if err != nil { log.Printf("Couldn't create policy document for %v. Here's why: %v\n", roleArn, err) return err } _, err = wrapper.IamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{ PolicyDocument: aws.String(string(policyBytes)), PolicyName: aws.String(policyName), UserName: aws.String(userName), }) if err != nil { log.Printf("Couldn't create policy for user %v. Here's why: %v\n", userName, err) } return err } ``` + 有关 API 的详细信息，请参阅 *适用于 Go 的 AWS SDK API 参考[PutUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.PutUserPolicy)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例创建一个名为 `EC2AccessPolicy` 的内联策略并将其嵌入到 IAM 用户 `Bob` 中。如果已经存在同名的内联策略，则该策略将被覆盖。JSON 策略内容来自文件 `EC2AccessPolicy.json`。请注意，必须使用 `-Raw` 参数才能成功处理 JSON 文件的内容。** ``` Write-IAMUserPolicy -UserName Bob -PolicyName EC2AccessPolicy -PolicyDocument (Get-Content -Raw EC2AccessPolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [PutUserPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例创建一个名为 `EC2AccessPolicy` 的内联策略并将其嵌入到 IAM 用户 `Bob` 中。如果已经存在同名的内联策略，则该策略将被覆盖。JSON 策略内容来自文件 `EC2AccessPolicy.json`。请注意，必须使用 `-Raw` 参数才能成功处理 JSON 文件的内容。** ``` Write-IAMUserPolicy -UserName Bob -PolicyName EC2AccessPolicy -PolicyDocument (Get-Content -Raw EC2AccessPolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [PutUserPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Creates an inline policy for a specified user. # @param username [String] The name of the IAM user. # @param policy_name [String] The name of the policy to create. # @param policy_document [String] The JSON policy document. # @return [Boolean] def create_user_policy(username, policy_name, policy_document) @iam_client.put_user_policy({ user_name: username, policy_name: policy_name, policy_document: policy_document }) @logger.info("Policy #{policy_name} created for user #{username}.") true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Couldn't create policy #{policy_name} for user #{username}. Here's why:") @logger.error("\t#{e.code}: #{e.message}") false end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/PutUserPolicy)*中的。 ------ #### [ Swift ] **适用于 Swift 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import AWSIAM import AWSS3 func putUserPolicy(policyDocument: String, policyName: String, user: IAMClientTypes.User) async throws { let input = PutUserPolicyInput( policyDocument: policyDocument, policyName: policyName, userName: user.userName ) do { _ = try await iamClient.putUserPolicy(input: input) } catch { print("ERROR: putUserPolicy:", dump(error)) throw error } } ``` + 有关 API 的详细信息，请参阅适用于 S *wift 的AWS SDK API 参考[PutUserPolicy](https://sdk.amazonaws.com/swift/api/awsiam/latest/documentation/awsiam/iamclient/putuserpolicy(input:))*中。 ------ # 将 `RemoveClientIdFromOpenIdConnectProvider` 与 CLI 配合使用以下代码示例演示如何使用 `RemoveClientIdFromOpenIdConnectProvider`。 ------ #### [ CLI ] **AWS CLI** **从为指定 IAM OpenID Connect 提供 IDs 商注册的客户列表中删除指定的客户端 ID** 此示例将客户端 ID `My-TestApp-3` 从与 ARN 为 IAM OIDC 提供商 IDs 关联的客户列表中删除。`arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` ``` aws iam remove-client-id-from-open-id-connect-provider --client-id My-TestApp-3 \ --open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 OpenID Connect（OIDC）身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[RemoveClientIdFromOpenIdConnectProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/remove-client-id-from-open-id-connect-provider.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将客户端 ID `My-TestApp-3` 从与 ARN 为 IAM OIDC 提供商 IDs 关联的客户列表中删除。`arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com`** ``` Remove-IAMClientIDFromOpenIDConnectProvider -ClientID My-TestApp-3 -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [RemoveClientIdFromOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将客户端 ID `My-TestApp-3` 从与 ARN 为 IAM OIDC 提供商 IDs 关联的客户列表中删除。`arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com`** ``` Remove-IAMClientIDFromOpenIDConnectProvider -ClientID My-TestApp-3 -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [RemoveClientIdFromOpenIdConnectProvider](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `RemoveRoleFromInstanceProfile` 与 CLI 配合使用以下代码示例演示如何使用 `RemoveRoleFromInstanceProfile`。 ------ #### [ CLI ] **AWS CLI** **从实例配置文件中删除角色** 以下 `remove-role-from-instance-profile` 命令可将名为 `Test-Role` 的角色从名为 `ExampleInstanceProfile` 的实例配置文件中删除。 ``` aws iam remove-role-from-instance-profile \ --instance-profile-name ExampleInstanceProfile \ --role-name Test-Role ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[使用实例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[RemoveRoleFromInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/remove-role-from-instance-profile.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从名为 `MyNewRole` 的 EC2 实例配置文件中删除名为 `MyNewRole` 的角色。在 IAM 控制台中创建的实例配置文件始终与角色同名，如本示例所示。如果您在 API 或 CLI 中创建实例配置文件，则其可以有不同的名称。** ``` Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyNewRole -RoleName MyNewRole -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从名为 `MyNewRole` 的 EC2 实例配置文件中删除名为 `MyNewRole` 的角色。在 IAM 控制台中创建的实例配置文件始终与角色同名，如本示例所示。如果您在 API 或 CLI 中创建实例配置文件，则其可以有不同的名称。** ``` Remove-IAMRoleFromInstanceProfile -InstanceProfileName MyNewRole -RoleName MyNewRole -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `RemoveUserFromGroup` 与 CLI 配合使用以下代码示例演示如何使用 `RemoveUserFromGroup`。 ------ #### [ CLI ] **AWS CLI** **从 IAM 组中删除用户** 以下 `remove-user-from-group` 命令可将名为 `Bob` 的用户从名为 `Admins` 的 IAM 组中删除。 ``` aws iam remove-user-from-group \ --user-name Bob \ --group-name Admins ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 IAM 用户组中添加和删除用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[RemoveUserFromGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/remove-user-from-group.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从组 `Testers` 中删除 IAM 用户 `Bob`。** ``` Remove-IAMUserFromGroup -GroupName Testers -UserName Bob ``` **示例 2：此示例查找 IAM 用户 `Theresa` 所属的所有组，然后从这些组中删除 `Theresa`。** ``` $groups = Get-IAMGroupForUser -UserName Theresa foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName Theresa -Force } ``` **示例 3：此示例显示了从 `Testers` 组中删除 IAM 用户 `Bob` 的另一种方法。** ``` Get-IAMGroupForUser -UserName Bob | Remove-IAMUserFromGroup -UserName Bob -GroupName Testers -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [RemoveUserFromGroup](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从组 `Testers` 中删除 IAM 用户 `Bob`。** ``` Remove-IAMUserFromGroup -GroupName Testers -UserName Bob ``` **示例 2：此示例查找 IAM 用户 `Theresa` 所属的所有组，然后从这些组中删除 `Theresa`。** ``` $groups = Get-IAMGroupForUser -UserName Theresa foreach ($group in $groups) { Remove-IAMUserFromGroup -GroupName $group.GroupName -UserName Theresa -Force } ``` **示例 3：此示例显示了从 `Testers` 组中删除 IAM 用户 `Bob` 的另一种方法。** ``` Get-IAMGroupForUser -UserName Bob | Remove-IAMUserFromGroup -UserName Bob -GroupName Testers -Force ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [RemoveUserFromGroup](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `ResyncMfaDevice` 与 CLI 配合使用以下代码示例演示如何使用 `ResyncMfaDevice`。 ------ #### [ CLI ] **AWS CLI** **同步 MFA 设备** 以下 `resync-mfa-device` 示例将与 IAM 用户 `Bob` 关联且 ARN 为 `arn:aws:iam::123456789012:mfa/BobsMFADevice` 的 MFA 设备与提供这两个身份验证码的身份验证器程序同步。 ``` aws iam resync-mfa-device \ --user-name Bob \ --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \ --authentication-code1 123456 \ --authentication-code2 987654 ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 AWS中使用多重身份验证（MFA）](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[ResyncMfaDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/resync-mfa-device.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将与 IAM 用户 `Bob` 关联且 ARN 为 `arn:aws:iam::123456789012:mfa/bob` 的 MFA 设备与提供这两个身份验证码的身份验证器程序同步。** ``` Sync-IAMMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/theresa -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Bob ``` **示例 2：此示例将与 IAM 用户 `Theresa` 关联的 IAM MFA 设备与具有序列号 `ABCD12345678` 并提供两个身份验证码的物理设备同步。** ``` Sync-IAMMFADevice -SerialNumber ABCD12345678 -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Theresa ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [ResyncMfaDevice](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将与 IAM 用户 `Bob` 关联且 ARN 为 `arn:aws:iam::123456789012:mfa/bob` 的 MFA 设备与提供这两个身份验证码的身份验证器程序同步。** ``` Sync-IAMMFADevice -SerialNumber arn:aws:iam::123456789012:mfa/theresa -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Bob ``` **示例 2：此示例将与 IAM 用户 `Theresa` 关联的 IAM MFA 设备与具有序列号 `ABCD12345678` 并提供两个身份验证码的物理设备同步。** ``` Sync-IAMMFADevice -SerialNumber ABCD12345678 -AuthenticationCode1 123456 -AuthenticationCode2 987654 -UserName Theresa ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [ResyncMfaDevice](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `SetDefaultPolicyVersion`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `SetDefaultPolicyVersion`。操作示例是大型程序的代码摘录，必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文： + [管理策略](iam_example_iam_Scenario_PolicyManagement_section.md) + [回滚策略版本](iam_example_iam_Scenario_RollbackPolicyVersion_section.md) ------ #### [ CLI ] **AWS CLI** **将指定策略的指定版本设置为策略的默认版本。** 此示例将 ARN 为 `arn:aws:iam::123456789012:policy/MyPolicy` 的策略的 `v2` 版本设置为默认活动版本。 ``` aws iam set-default-policy-version \ --policy-arn arn:aws:iam::123456789012:policy/MyPolicy \ --version-id v2 ``` 有关更多信息，请参阅*AWS 《IAM 用户指南》*中的 [IAM 中的策略和权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[SetDefaultPolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/set-default-policy-version.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/MyPolicy` 的策略的 `v2` 版本设置为默认活动版本。** ``` Set-IAMDefaultPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -VersionId v2 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [SetDefaultPolicyVersion](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将 ARN 为 `arn:aws:iam::123456789012:policy/MyPolicy` 的策略的 `v2` 版本设置为默认活动版本。** ``` Set-IAMDefaultPolicyVersion -PolicyArn arn:aws:iam::123456789012:policy/MyPolicy -VersionId v2 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [SetDefaultPolicyVersion](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->setdefaultpolicyversion( iv_policyarn = iv_policy_arn iv_versionid = iv_version_id ). MESSAGE 'Default policy version set successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Policy or version does not exist.' TYPE 'E'. CATCH /aws1/cx_iaminvalidinputex. MESSAGE 'Invalid input provided.' TYPE 'E'. CATCH /aws1/cx_iamlimitexceededex. MESSAGE 'Limit exceeded.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[SetDefaultPolicyVersion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `TagRole` 与 CLI 配合使用以下代码示例演示如何使用 `TagRole`。 ------ #### [ CLI ] **AWS CLI** **为角色添加标签** 以下 `tag-role` 命令为指定角色添加带有部门名称的标签。 ``` aws iam tag-role --role-name my-role \ --tags '{"Key": "Department", "Value": "Accounting"}' ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 资源](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[TagRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/tag-role.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例在身份管理服务中为角色添加标签** ``` Add-IAMRoleTag -RoleName AdminRoleacess -Tag @{ Key = 'abac'; Value = 'testing'} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [TagRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例在身份管理服务中为角色添加标签** ``` Add-IAMRoleTag -RoleName AdminRoleacess -Tag @{ Key = 'abac'; Value = 'testing'} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [TagRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `TagUser` 与 CLI 配合使用以下代码示例演示如何使用 `TagUser`。 ------ #### [ CLI ] **AWS CLI** **为用户添加标签** 以下 `tag-user` 命令为指定用户添加带有相关部门的标签。 ``` aws iam tag-user \ --user-name alice \ --tags '{"Key": "Department", "Value": "Accounting"}' ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 资源](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[TagUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/tag-user.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例在身份管理服务中为用户添加标签** ``` Add-IAMUserTag -UserName joe -Tag @{ Key = 'abac'; Value = 'testing'} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [TagUser](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例在身份管理服务中为用户添加标签** ``` Add-IAMUserTag -UserName joe -Tag @{ Key = 'abac'; Value = 'testing'} ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [TagUser](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UntagRole` 与 CLI 配合使用以下代码示例演示如何使用 `UntagRole`。 ------ #### [ CLI ] **AWS CLI** **从角色移除标签** 以下 `untag-role` 命令从指定角色中移除带有键名称“Department”的任何标签。 ``` aws iam untag-role \ --role-name my-role \ --tag-keys Department ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 资源](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UntagRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/untag-role.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从名为 “MyRoleName” 的角色中删除标签，标签键为 “abac”。要删除多个标签，请提供以逗号分隔的标签键列表。** ``` Remove-IAMRoleTag -RoleName MyRoleName -TagKey "abac","xyzw" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UntagRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从名为 “MyRoleName” 的角色中删除标签，标签键为 “abac”。要删除多个标签，请提供以逗号分隔的标签键列表。** ``` Remove-IAMRoleTag -RoleName MyRoleName -TagKey "abac","xyzw" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UntagRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UntagUser` 与 CLI 配合使用以下代码示例演示如何使用 `UntagUser`。 ------ #### [ CLI ] **AWS CLI** **从用户中移除标签** 以下 `untag-user` 命令从指定用户中移除带有键名称“Department”的任何标签。 ``` aws iam untag-user \ --user-name alice \ --tag-keys Department ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[标记 IAM 资源](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UntagUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/untag-user.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例从名为“joe”的用户中删除标签键为“abac”和“xyzw”的标签。要删除多个标签，请提供以逗号分隔的标签键列表。** ``` Remove-IAMUserTag -UserName joe -TagKey "abac","xyzw" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UntagUser](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例从名为“joe”的用户中删除标签键为“abac”和“xyzw”的标签。要删除多个标签，请提供以逗号分隔的标签键列表。** ``` Remove-IAMUserTag -UserName joe -TagKey "abac","xyzw" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UntagUser](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `UpdateAccessKey`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `UpdateAccessKey`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [管理访问密钥](iam_example_iam_Scenario_ManageAccessKeys_section.md) ------ #### [ Bash ] **AWS CLI 使用 Bash 脚本** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` ############################################################################### # function iam_update_access_key # # This function can activate or deactivate an IAM access key for the specified IAM user. # # Parameters: # -u user_name -- The name of the user. # -k access_key -- The access key to update. # -a -- Activate the selected access key. # -d -- Deactivate the selected access key. # # Example: # # To deactivate the selected access key for IAM user Bob # iam_update_access_key -u Bob -k AKIAIOSFODNN7EXAMPLE -d # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function iam_update_access_key() { local user_name access_key status response local option OPTARG # Required to use getopts command in a function. local activate_flag=false deactivate_flag=false # bashsupport disable=BP5008 function usage() { echo "function iam_update_access_key" echo "Updates the status of an AWS Identity and Access Management (IAM) access key for the specified IAM user" echo " -u user_name The name of the user." echo " -k access_key The access key to update." echo " -a Activate the access key." echo " -d Deactivate the access key." echo "" } # Retrieve the calling parameters. while getopts "u:k:adh" option; do case "${option}" in u) user_name="${OPTARG}" ;; k) access_key="${OPTARG}" ;; a) activate_flag=true ;; d) deactivate_flag=true ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate input parameters if [[ -z "$user_name" ]]; then errecho "ERROR: You must provide a username with the -u parameter." usage return 1 fi if [[ -z "$access_key" ]]; then errecho "ERROR: You must provide an access key with the -k parameter." usage return 1 fi # Ensure that only -a or -d is specified if [[ "$activate_flag" == true && "$deactivate_flag" == true ]]; then errecho "ERROR: You cannot specify both -a (activate) and -d (deactivate) at the same time." usage return 1 fi # If neither -a nor -d is provided, return an error if [[ "$activate_flag" == false && "$deactivate_flag" == false ]]; then errecho "ERROR: You must specify either -a (activate) or -d (deactivate)." usage return 1 fi # Determine the status based on the flag if [[ "$activate_flag" == true ]]; then status="Active" elif [[ "$deactivate_flag" == true ]]; then status="Inactive" fi iecho "Parameters:\n" iecho " Username: $user_name" iecho " Access key: $access_key" iecho " New status: $status" iecho "" # Update the access key status response=$(aws iam update-access-key \ --user-name "$user_name" \ --access-key-id "$access_key" \ --status "$status" 2>&1) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports update-access-key operation failed.\n$response" return 1 fi iecho "update-access-key response: $response" iecho return 0 } ``` + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/UpdateAccessKey)*中的。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::updateAccessKey(const Aws::String &userName, const Aws::String &accessKeyID, Aws::IAM::Model::StatusType status, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::UpdateAccessKeyRequest request; request.SetUserName(userName); request.SetAccessKeyId(accessKeyID); request.SetStatus(status); auto outcome = iam.UpdateAccessKey(request); if (outcome.IsSuccess()) { std::cout << "Successfully updated status of access key " << accessKeyID << " for user " << userName << std::endl; } else { std::cerr << "Error updated status of access key " << accessKeyID << " for user " << userName << ": " << outcome.GetError().GetMessage() << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[UpdateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/UpdateAccessKey)*中的。 ------ #### [ CLI ] **AWS CLI** **激活或停用 IAM 用户的访问密钥** 以下 `update-access-key` 命令停用名为 `Bob` 的 IAM 用户的指定访问密钥（访问密钥 ID 和秘密访问密钥）。 ``` aws iam update-access-key \ --access-key-id AKIAIOSFODNN7EXAMPLE \ --status Inactive \ --user-name Bob ``` 此命令不生成任何输出。停用密钥意味着它不能用于编程访问。 AWS但密钥仍然可用且可以重新激活。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的访问密钥](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateAccessKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-access-key.html)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.StatusType; import software.amazon.awssdk.services.iam.model.UpdateAccessKeyRequest; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class UpdateAccessKey { private static StatusType statusType; public static void main(String[] args) { final String usage = """ Usage: \s Where: username - The name of the user whose key you want to update.\s accessId - The access key ID of the secret access key you want to update.\s status - The status you want to assign to the secret access key.\s """; if (args.length != 3) { System.out.println(usage); System.exit(1); } String username = args[0]; String accessId = args[1]; String status = args[2]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); updateKey(iam, username, accessId, status); System.out.println("Done"); iam.close(); } public static void updateKey(IamClient iam, String username, String accessId, String status) { try { if (status.toLowerCase().equalsIgnoreCase("active")) { statusType = StatusType.ACTIVE; } else if (status.toLowerCase().equalsIgnoreCase("inactive")) { statusType = StatusType.INACTIVE; } else { statusType = StatusType.UNKNOWN_TO_SDK_VERSION; } UpdateAccessKeyRequest request = UpdateAccessKeyRequest.builder() .accessKeyId(accessId) .userName(username) .status(statusType) .build(); iam.updateAccessKey(request); System.out.printf("Successfully updated the status of access key %s to" + "status %s for user %s", accessId, status, username); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[UpdateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/UpdateAccessKey)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。更新访问密钥。 ``` import { UpdateAccessKeyCommand, IAMClient, StatusType, } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} userName * @param {string} accessKeyId */ export const updateAccessKey = (userName, accessKeyId) => { const command = new UpdateAccessKeyCommand({ AccessKeyId: accessKeyId, Status: StatusType.Inactive, UserName: userName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[UpdateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/UpdateAccessKeyCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { AccessKeyId: "ACCESS_KEY_ID", Status: "Active", UserName: "USER_NAME", }; iam.updateAccessKey(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-access-keys.html#iam-examples-managing-access-keys-updating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[UpdateAccessKey](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/UpdateAccessKey)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将名为 `Bob` 的 IAM 用户的访问密钥 `AKIAIOSFODNN7EXAMPLE` 状态更改为 `Inactive`。** ``` Update-IAMAccessKey -UserName Bob -AccessKeyId AKIAIOSFODNN7EXAMPLE -Status Inactive ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateAccessKey](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将名为 `Bob` 的 IAM 用户的访问密钥 `AKIAIOSFODNN7EXAMPLE` 状态更改为 `Inactive`。** ``` Update-IAMAccessKey -UserName Bob -AccessKeyId AKIAIOSFODNN7EXAMPLE -Status Inactive ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateAccessKey](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def update_key(user_name, key_id, activate): """ Updates the status of a key. :param user_name: The user that owns the key. :param key_id: The ID of the key to update. :param activate: When True, the key is activated. Otherwise, the key is deactivated. """ try: key = iam.User(user_name).AccessKey(key_id) if activate: key.activate() else: key.deactivate() logger.info("%s key %s.", "Activated" if activate else "Deactivated", key_id) except ClientError: logger.exception( "Couldn't %s key %s.", "Activate" if activate else "Deactivate", key_id ) raise ``` + 有关 API 的详细信息，请参阅适用[UpdateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/UpdateAccessKey)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->updateaccesskey( iv_accesskeyid = iv_access_key_id iv_status = iv_status iv_username = iv_user_name ). MESSAGE 'Access key updated successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'Access key or user does not exist.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[UpdateAccessKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # 将 `UpdateAccountPasswordPolicy` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateAccountPasswordPolicy`。 ------ #### [ CLI ] **AWS CLI** **设置或更改当前账户密码策略** 以下 `update-account-password-policy` 命令将密码策略设置为要求长度最少为八个字符，并要求在密码中包含一个或多个数字。 ``` aws iam update-account-password-policy \ --minimum-password-length 8 \ --require-numbers ``` 此命令不生成任何输出。对账户密码策略的更改会影响为账户中的 IAM 用户创建的所有新密码。密码策略更改不会影响现有的密码。有关更多信息，请参阅《AWS IAM 用户指南》**中的[为 IAM 用户设置账户密码策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateAccountPasswordPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-account-password-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例使用指定设置更新账户的密码策略。请注意，命令中未包含的任何参数都不会保持不变。相反，这些参数将重置为默认值。** ``` Update-IAMAccountPasswordPolicy -AllowUsersToChangePasswords $true -HardExpiry $false -MaxPasswordAge 90 -MinimumPasswordLength 8 -PasswordReusePrevention 20 -RequireLowercaseCharacters $true -RequireNumbers $true -RequireSymbols $true -RequireUppercaseCharacters $true ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例使用指定设置更新账户的密码策略。请注意，命令中未包含的任何参数都不会保持不变。相反，这些参数将重置为默认值。** ``` Update-IAMAccountPasswordPolicy -AllowUsersToChangePasswords $true -HardExpiry $false -MaxPasswordAge 90 -MinimumPasswordLength 8 -PasswordReusePrevention 20 -RequireLowercaseCharacters $true -RequireNumbers $true -RequireSymbols $true -RequireUppercaseCharacters $true ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateAccountPasswordPolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UpdateAssumeRolePolicy` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateAssumeRolePolicy`。 ------ #### [ CLI ] **AWS CLI** **更新 IAM 角色的信任策略** 以下 `update-assume-role-policy` 命令更新名为 `Test-Role` 的角色的信任策略。 ``` aws iam update-assume-role-policy \ --role-name Test-Role \ --policy-document file://Test-Role-Trust-Policy.json ``` 此命令不生成任何输出。信任策略在 *Test-Role-Trust-Policy.json* 文件中定义为 JSON 文档。（文件名和扩展名没有意义。）信任策略必须指定主体。要更新角色的权限策略，请使用 `put-role-policy` 命令。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateAssumeRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例使用新的信任策略更新名为 `ClientRole` 的 IAM 角色，其内容来自文件 `ClientRolePolicy.json`。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 文件的内容。** ``` Update-IAMAssumeRolePolicy -RoleName ClientRole -PolicyDocument (Get-Content -raw ClientRolePolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateAssumeRolePolicy](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例使用新的信任策略更新名为 `ClientRole` 的 IAM 角色，其内容来自文件 `ClientRolePolicy.json`。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 文件的内容。** ``` Update-IAMAssumeRolePolicy -RoleName ClientRole -PolicyDocument (Get-Content -raw ClientRolePolicy.json) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateAssumeRolePolicy](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UpdateGroup` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateGroup`。 ------ #### [ CLI ] **AWS CLI** **重命名 IAM 组** 以下 `update-group` 命令可将 IAM 组 `Test` 的名称更改为 `Test-1`。 ``` aws iam update-group \ --group-name Test \ --new-group-name Test-1 ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[重命名 IAM 用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_rename.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-group.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将 IAM 组 `Testers` 重命名为 `AppTesters`。** ``` Update-IAMGroup -GroupName Testers -NewGroupName AppTesters ``` **示例 2：此示例将 IAM 组 `AppTesters` 的路径更改为 `/Org1/Org2/`。这会将该组的 ARN 更改为 `arn:aws:iam::123456789012:group/Org1/Org2/AppTesters`。** ``` Update-IAMGroup -GroupName AppTesters -NewPath /Org1/Org2/ ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateGroup](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将 IAM 组 `Testers` 重命名为 `AppTesters`。** ``` Update-IAMGroup -GroupName Testers -NewGroupName AppTesters ``` **示例 2：此示例将 IAM 组 `AppTesters` 的路径更改为 `/Org1/Org2/`。这会将该组的 ARN 更改为 `arn:aws:iam::123456789012:group/Org1/Org2/AppTesters`。** ``` Update-IAMGroup -GroupName AppTesters -NewPath /Org1/Org2/ ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateGroup](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UpdateLoginProfile` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateLoginProfile`。 ------ #### [ CLI ] **AWS CLI** **更新 IAM 用户的密码** 以下 `update-login-profile` 命令为名为 `Bob` 的 IAM 用户创建新密码。 ``` aws iam update-login-profile \ --user-name Bob \ --password ``` 此命令不生成任何输出。要为账户设置密码策略，请使用 `update-account-password-policy` 命令。如果新密码违反了账户密码策略，则该命令将返回 `PasswordPolicyViolation` 错误。如果账户密码策略允许，则 IAM 用户可以使用 `change-password` 命令更改自己的密码。将密码保存在安全位置。如果密码丢失，则将无法恢复，必须使用 `create-login-profile` 命令创建新密码。有关更多信息，请参阅《AWS IAM 用户指南》**中的[管理 IAM 用户的密码](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-login-profile.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例为 IAM 用户 `Bob` 设置了一个新的临时密码，并要求该用户在下次登录时更改密码。** ``` Update-IAMLoginProfile -UserName Bob -Password "P@ssw0rd1234" -PasswordResetRequired $true ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateLoginProfile](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例为 IAM 用户 `Bob` 设置了一个新的临时密码，并要求该用户在下次登录时更改密码。** ``` Update-IAMLoginProfile -UserName Bob -Password "P@ssw0rd1234" -PasswordResetRequired $true ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateLoginProfile](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UpdateOpenIdConnectProviderThumbprint` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateOpenIdConnectProviderThumbprint`。 ------ #### [ CLI ] **AWS CLI** **将现有服务器证书指纹列表替换为新列表** 此示例更新了其 ARN 为 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 的 OIDC 提供者的证书指纹列表以使用新指纹。 ``` aws iam update-open-id-connect-provider-thumbprint \ --open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com \ --thumbprint-list 7359755EXAMPLEabc3060bce3EXAMPLEec4542a3 ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 OpenID Connect（OIDC）身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateOpenIdConnectProviderThumbprint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-open-id-connect-provider-thumbprint.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例更新了其 ARN 为 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 的 OIDC 提供者的证书指纹列表以使用新指纹。当与提供者关联的证书发生变化时，OIDC 提供者将共享新值。** ``` Update-IAMOpenIDConnectProviderThumbprint -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com -ThumbprintList 7359755EXAMPLEabc3060bce3EXAMPLEec4542a3 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateOpenIdConnectProviderThumbprint](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例更新了其 ARN 为 `arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com` 的 OIDC 提供者的证书指纹列表以使用新指纹。当与提供者关联的证书发生变化时，OIDC 提供者将共享新值。** ``` Update-IAMOpenIDConnectProviderThumbprint -OpenIDConnectProviderArn arn:aws:iam::123456789012:oidc-provider/example.oidcprovider.com -ThumbprintList 7359755EXAMPLEabc3060bce3EXAMPLEec4542a3 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateOpenIdConnectProviderThumbprint](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UpdateRole` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateRole`。 ------ #### [ CLI ] **AWS CLI** **更改 IAM 角色的描述或会话持续时间** 以下 `update-role` 命令将 IAM 角色 `production-role` 的描述更改为 `Main production role`，并将最长会话持续时间设置为 12 小时。 ``` aws iam update-role \ --role-name production-role \ --description 'Main production role' \ --max-session-duration 43200 ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-role.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例更新了角色描述和可以请求的角色会话的最长会话持续时间值（以秒为单位）。** ``` Update-IAMRole -RoleName MyRoleName -Description "My testing role" -MaxSessionDuration 43200 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例更新了角色描述和可以请求的角色会话的最长会话持续时间值（以秒为单位）。** ``` Update-IAMRole -RoleName MyRoleName -Description "My testing role" -MaxSessionDuration 43200 ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UpdateRoleDescription` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateRoleDescription`。 ------ #### [ CLI ] **AWS CLI** **更改 IAM 角色的描述** 以下 `update-role` 命令可将 IAM 角色 `production-role` 的描述更改为 `Main production role`。 ``` aws iam update-role-description \ --role-name production-role \ --description 'Main production role' ``` 输出： ``` { "Role": { "Path": "/", "RoleName": "production-role", "RoleId": "AROA1234567890EXAMPLE", "Arn": "arn:aws:iam::123456789012:role/production-role", "CreateDate": "2017-12-06T17:16:37+00:00", "AssumeRolePolicyDocument": { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole", "Condition": {} } ] }, "Description": "Main production role" } } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[修改角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateRoleDescription](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-role-description.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例更新了您账户中 IAM 角色的描述。** ``` Update-IAMRoleDescription -RoleName MyRoleName -Description "My testing role" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateRoleDescription](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例更新了您账户中 IAM 角色的描述。** ``` Update-IAMRoleDescription -RoleName MyRoleName -Description "My testing role" ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateRoleDescription](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UpdateSamlProvider` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateSamlProvider`。 ------ #### [ CLI ] **AWS CLI** **更新现有 SAML 提供者的元数据文档** 此示例使用文件 `SAMLMetaData.xml` 中的新 SAML 元数据文档更新 ARN 为 `arn:aws:iam::123456789012:saml-provider/SAMLADFS` 的 IAM 中的 SAML 提供者。 ``` aws iam update-saml-provider \ --saml-metadata-document file://SAMLMetaData.xml \ --saml-provider-arn arn:aws:iam::123456789012:saml-provider/SAMLADFS ``` 输出： ``` { "SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/SAMLADFS" } ``` 有关更多信息，请参阅《AWS IAM 用户指南》**中的[创建 IAM SAML 身份提供者](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateSamlProvider](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-saml-provider.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1 ：此示例使用文件 `SAMLMetaData.xml` 中的新 SAML 元数据文档更新 ARN 为 `arn:aws:iam::123456789012:saml-provider/SAMLADFS` 的 IAM 中的 SAML 提供者。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 文件的内容。** ``` Update-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFS -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateSamlProvider](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1 ：此示例使用文件 `SAMLMetaData.xml` 中的新 SAML 元数据文档更新 ARN 为 `arn:aws:iam::123456789012:saml-provider/SAMLADFS` 的 IAM 中的 SAML 提供者。请注意，必须使用 `-Raw` 开关参数才能成功处理 JSON 文件的内容。** ``` Update-IAMSAMLProvider -SAMLProviderArn arn:aws:iam::123456789012:saml-provider/SAMLADFS -SAMLMetadataDocument (Get-Content -Raw SAMLMetaData.xml) ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateSamlProvider](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `UpdateServerCertificate`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `UpdateServerCertificate`。 ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::updateServerCertificate(const Aws::String ¤tCertificateName, const Aws::String &newCertificateName, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::UpdateServerCertificateRequest request; request.SetServerCertificateName(currentCertificateName); request.SetNewServerCertificateName(newCertificateName); auto outcome = iam.UpdateServerCertificate(request); bool result = true; if (outcome.IsSuccess()) { std::cout << "Server certificate " << currentCertificateName << " successfully renamed as " << newCertificateName << std::endl; } else { if (outcome.GetError().GetErrorType() != Aws::IAM::IAMErrors::NO_SUCH_ENTITY) { std::cerr << "Error changing name of server certificate " << currentCertificateName << " to " << newCertificateName << ":" << outcome.GetError().GetMessage() << std::endl; result = false; } else { std::cout << "Certificate '" << currentCertificateName << "' not found." << std::endl; } } return result; } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[UpdateServerCertificate](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/UpdateServerCertificate)*中的。 ------ #### [ CLI ] **AWS CLI** **更改您 AWS 账户中服务器证书的路径或名称** 以下 `update-server-certificate` 命令可将证书名称从 `myServerCertificate` 更改为 `myUpdatedServerCertificate`，它还会将路径更改为，以`/cloudfront/`便 Amazon CloudFront 服务可以对其进行访问。此命令不生成任何输出。运行 `list-server-certificates` 命令即可查看更新结果。 ``` aws-iam update-server-certificate \ --server-certificate-name myServerCertificate \ --new-server-certificate-name myUpdatedServerCertificate \ --new-path /cloudfront/ ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[在 IAM 中管理服务器证书](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateServerCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-server-certificate.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。更新服务器证书。 ``` import { UpdateServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} currentName * @param {string} newName */ export const updateServerCertificate = (currentName, newName) => { const command = new UpdateServerCertificateCommand({ ServerCertificateName: currentName, NewServerCertificateName: newName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[UpdateServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/UpdateServerCertificateCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { ServerCertificateName: "CERTIFICATE_NAME", NewServerCertificateName: "NEW_CERTIFICATE_NAME", }; iam.updateServerCertificate(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-server-certificates.html#iam-examples-server-certificates-updating)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[UpdateServerCertificate](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/UpdateServerCertificate)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将名为 `MyServerCertificate` 的证书重命名为 `MyRenamedServerCertificate`。** ``` Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewServerCertificateName MyRenamedServerCertificate ``` **示例 2：此示例将名为 `MyServerCertificate` 的证书移动到路径 /Org1/Org2/。这会将该资源的 ARN 更改为 `arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate`。** ``` Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewPath /Org1/Org2/ ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将名为 `MyServerCertificate` 的证书重命名为 `MyRenamedServerCertificate`。** ``` Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewServerCertificateName MyRenamedServerCertificate ``` **示例 2：此示例将名为 `MyServerCertificate` 的证书移动到路径 /Org1/Org2/。这会将该资源的 ARN 更改为 `arn:aws:iam::123456789012:server-certificate/Org1/Org2/MyServerCertificate`。** ``` Update-IAMServerCertificate -ServerCertificateName MyServerCertificate -NewPath /Org1/Org2/ ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。列出、更新和删除服务器证书。 ``` class ServerCertificateManager def initialize(iam_client, logger: Logger.new($stdout)) @iam_client = iam_client @logger = logger @logger.progname = 'ServerCertificateManager' end # Creates a new server certificate. # @param name [String] the name of the server certificate # @param certificate_body [String] the contents of the certificate # @param private_key [String] the private key contents # @return [Boolean] returns true if the certificate was successfully created def create_server_certificate(name, certificate_body, private_key) @iam_client.upload_server_certificate({ server_certificate_name: name, certificate_body: certificate_body, private_key: private_key }) true rescue Aws::IAM::Errors::ServiceError => e puts "Failed to create server certificate: #{e.message}" false end # Lists available server certificate names. def list_server_certificate_names response = @iam_client.list_server_certificates if response.server_certificate_metadata_list.empty? @logger.info('No server certificates found.') return end response.server_certificate_metadata_list.each do |certificate_metadata| @logger.info("Certificate Name: #{certificate_metadata.server_certificate_name}") end rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error listing server certificates: #{e.message}") end # Updates the name of a server certificate. def update_server_certificate_name(current_name, new_name) @iam_client.update_server_certificate( server_certificate_name: current_name, new_server_certificate_name: new_name ) @logger.info("Server certificate name updated from '#{current_name}' to '#{new_name}'.") true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error updating server certificate name: #{e.message}") false end # Deletes a server certificate. def delete_server_certificate(name) @iam_client.delete_server_certificate(server_certificate_name: name) @logger.info("Server certificate '#{name}' deleted.") true rescue Aws::IAM::Errors::ServiceError => e @logger.error("Error deleting server certificate: #{e.message}") false end end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[UpdateServerCertificate](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/UpdateServerCertificate)*中的。 ------ # 将 `UpdateSigningCertificate` 与 CLI 配合使用以下代码示例演示如何使用 `UpdateSigningCertificate`。 ------ #### [ CLI ] **AWS CLI** **激活或停用 IAM 用户的签名证书** 以下 `update-signing-certificate` 命令停用名为 `Bob` 的 IAM 用户的指定签名证书。 ``` aws iam update-signing-certificate \ --certificate-id TA7SMP42TDN5Z26OBPJE7EXAMPLE \ --status Inactive \ --user-name Bob ``` 要获取签名证书的 ID，请使用 `list-signing-certificates` 命令。有关更多信息，请参阅《Amazon EC2 用户指南》**中的[管理签名证书](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-up-ami-tools.html#ami-tools-managing-certs)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateSigningCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-signing-certificate.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例更新了与名为 `Bob` 且其证书 ID 为 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的 IAM 用户关联的证书，以将其标记为非活动状态。** ``` Update-IAMSigningCertificate -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU -UserName Bob -Status Inactive ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateSigningCertificate](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例更新了与名为 `Bob` 且其证书 ID 为 `Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU` 的 IAM 用户关联的证书，以将其标记为非活动状态。** ``` Update-IAMSigningCertificate -CertificateId Y3EK7RMEXAMPLESV33FCREXAMPLEMJLU -UserName Bob -Status Inactive ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateSigningCertificate](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # `UpdateUser`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `UpdateUser`。操作示例是大型程序的代码摘录，必须在上下文中运行。在以下代码示例中，您可以查看此操作的上下文： + [创建只读和读写用户](iam_example_iam_Scenario_UserPolicies_section.md) ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` bool AwsDoc::IAM::updateUser(const Aws::String ¤tUserName, const Aws::String &newUserName, const Aws::Client::ClientConfiguration &clientConfig) { Aws::IAM::IAMClient iam(clientConfig); Aws::IAM::Model::UpdateUserRequest request; request.SetUserName(currentUserName); request.SetNewUserName(newUserName); auto outcome = iam.UpdateUser(request); if (outcome.IsSuccess()) { std::cout << "IAM user " << currentUserName << " successfully updated with new user name " << newUserName << std::endl; } else { std::cerr << "Error updating user name for IAM user " << currentUserName << ":" << outcome.GetError().GetMessage() << std::endl; } return outcome.IsSuccess(); } ``` + 有关 API 的详细信息，请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[UpdateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/UpdateUser)*中的。 ------ #### [ CLI ] **AWS CLI** **更改 IAM 用户的名称** 以下 `update-user` 命令将 IAM 用户 `Bob` 的名称更改为 `Robert`。 ``` aws iam update-user \ --user-name Bob \ --new-user-name Robert ``` 此命令不生成任何输出。有关更多信息，请参阅《AWS IAM 用户指南》**中的[重命名 IAM 用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_rename.html)。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UpdateUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-user.html)*中的。 ------ #### [ Java ] **适用于 Java 的 SDK 2.x** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.UpdateUserRequest; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class UpdateUser { public static void main(String[] args) { final String usage = """ Usage: \s Where: curName - The current user name.\s newName - An updated user name.\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String curName = args[0]; String newName = args[1]; Region region = Region.AWS_GLOBAL; IamClient iam = IamClient.builder() .region(region) .build(); updateIAMUser(iam, curName, newName); System.out.println("Done"); iam.close(); } public static void updateIAMUser(IamClient iam, String curName, String newName) { try { UpdateUserRequest request = UpdateUserRequest.builder() .userName(curName) .newUserName(newName) .build(); iam.updateUser(request); System.out.printf("Successfully updated user to username %s", newName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + 有关 API 的详细信息，请参阅 *AWS SDK for Java 2.x API 参考[UpdateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/UpdateUser)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。更新用户。 ``` import { UpdateUserCommand, IAMClient } from "@aws-sdk/client-iam"; const client = new IAMClient({}); /** * * @param {string} currentUserName * @param {string} newUserName */ export const updateUser = (currentUserName, newUserName) => { const command = new UpdateUserCommand({ UserName: currentUserName, NewUserName: newUserName, }); return client.send(command); }; ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-updating-users](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-updating-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[UpdateUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/UpdateUserCommand)*中的。 **适用于 JavaScript (v2) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` // Load the AWS SDK for Node.js var AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); // Create the IAM service object var iam = new AWS.IAM({ apiVersion: "2010-05-08" }); var params = { UserName: process.argv[2], NewUserName: process.argv[3], }; iam.updateUser(params, function (err, data) { if (err) { console.log("Error", err); } else { console.log("Success", data); } }); ``` + 有关更多信息，请参阅《适用于 JavaScript 的 AWS SDK 开发人员指南》[https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-updating-users](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-managing-users.html#iam-examples-managing-users-updating-users)。 + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[UpdateUser](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/iam-2010-05-08/UpdateUser)*中的。 ------ #### [ Kotlin ] **适用于 Kotlin 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` suspend fun updateIAMUser( curName: String?, newName: String?, ) { val request = UpdateUserRequest { userName = curName newUserName = newName } IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient -> iamClient.updateUser(request) println("Successfully updated user to $newName") } } ``` + 有关 API 的详细信息，请参阅适用[UpdateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)于 K *otlin 的AWS SDK API 参考*。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将 IAM 用户 `Bob` 重命名为 `Robert`。** ``` Update-IAMUser -UserName Bob -NewUserName Robert ``` **示例 2：此示例将 IAM 用户 `Bob` 的路径更改为 `/Org1/Org2/`，这实际上将用户的 ARN 更改为 `arn:aws:iam::123456789012:user/Org1/Org2/bob`。** ``` Update-IAMUser -UserName Bob -NewPath /Org1/Org2/ ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UpdateUser](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将 IAM 用户 `Bob` 重命名为 `Robert`。** ``` Update-IAMUser -UserName Bob -NewUserName Robert ``` **示例 2：此示例将 IAM 用户 `Bob` 的路径更改为 `/Org1/Org2/`，这实际上将用户的 ARN 更改为 `arn:aws:iam::123456789012:user/Org1/Org2/bob`。** ``` Update-IAMUser -UserName Bob -NewPath /Org1/Org2/ ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UpdateUser](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ #### [ Python ] **适用于 Python 的 SDK（Boto3）** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` def update_user(user_name, new_user_name): """ Updates a user's name. :param user_name: The current name of the user to update. :param new_user_name: The new name to assign to the user. :return: The updated user. """ try: user = iam.User(user_name) user.update(NewUserName=new_user_name) logger.info("Renamed %s to %s.", user_name, new_user_name) except ClientError: logger.exception("Couldn't update name for user %s.", user_name) raise return user ``` + 有关 API 的详细信息，请参阅适用[UpdateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/UpdateUser)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ #### [ Ruby ] **适用于 Ruby 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` # Updates an IAM user's name # # @param current_name [String] The current name of the user # @param new_name [String] The new name of the user def update_user_name(current_name, new_name) @iam_client.update_user(user_name: current_name, new_user_name: new_name) true rescue StandardError => e @logger.error("Error updating user name from '#{current_name}' to '#{new_name}': #{e.message}") false end ``` + 有关 API 的详细信息，请参阅 *适用于 Ruby 的 AWS SDK API 参考[UpdateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/UpdateUser)*中的。 ------ #### [ SAP ABAP ] **适用于 SAP ABAP 的 SDK** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` TRY. lo_iam->updateuser( iv_username = iv_user_name iv_newusername = iv_new_user_name ). MESSAGE 'User updated successfully.' TYPE 'I'. CATCH /aws1/cx_iamnosuchentityex. MESSAGE 'User does not exist.' TYPE 'E'. CATCH /aws1/cx_iamentityalrdyexex. MESSAGE 'New user name already exists.' TYPE 'E'. ENDTRY. ``` + 有关 API 的详细信息，请参阅适用[UpdateUser](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。 ------ # `UploadServerCertificate`与 AWS SDK 或 CLI 配合使用以下代码示例演示如何使用 `UploadServerCertificate`。 ------ #### [ CLI ] **AWS CLI** **将服务器证书上传到您的 AWS 账户** 以下**upload-server-certificate**命令将服务器证书上传到您的 AWS 账户。在此示例中，证书位于 `public_key_cert_file.pem` 文件中，关联的私有密钥位于 `my_private_key.pem` 文件中，而证书颁发机构（CA）提供的证书链位于 `my_certificate_chain_file.pem` 文件中。文件上传完毕后，该文件将以该名称显示*myServerCertificate*。以 `file://` 开头的参数让命令读取文件的内容，将其用作参数值，而不是文件名本身。 ``` aws iam upload-server-certificate \ --server-certificate-name myServerCertificate \ --certificate-body file://public_key_cert_file.pem \ --private-key file://my_private_key.pem \ --certificate-chain file://my_certificate_chain_file.pem ``` 输出： ``` { "ServerCertificateMetadata": { "Path": "/", "ServerCertificateName": "myServerCertificate", "ServerCertificateId": "ASCAEXAMPLE123EXAMPLE", "Arn": "arn:aws:iam::1234567989012:server-certificate/myServerCertificate", "UploadDate": "2019-04-22T21:13:44+00:00", "Expiration": "2019-10-15T22:23:16+00:00" } } ``` 有关更多信息，请参阅《使用 IAM》指南**中的“创建、上传和删除服务器证书”。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UploadServerCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/upload-server-certificate.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples)中查找完整示例，了解如何进行设置和运行。 ``` import { UploadServerCertificateCommand, IAMClient } from "@aws-sdk/client-iam"; import { readFileSync } from "node:fs"; import { dirnameFromMetaUrl } from "@aws-doc-sdk-examples/lib/utils/util-fs.js"; import * as path from "node:path"; const client = new IAMClient({}); const certMessage = `Generate a certificate and key with the following command, or the equivalent for your system. openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ -keyout example.key -out example.crt -subj "/CN=example.com" \ -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1" `; const getCertAndKey = () => { try { const cert = readFileSync( path.join(dirnameFromMetaUrl(import.meta.url), "./example.crt"), ); const key = readFileSync( path.join(dirnameFromMetaUrl(import.meta.url), "./example.key"), ); return { cert, key }; } catch (err) { if (err.code === "ENOENT") { throw new Error( `Certificate and/or private key not found. ${certMessage}`, ); } throw err; } }; /** * * @param {string} certificateName */ export const uploadServerCertificate = (certificateName) => { const { cert, key } = getCertAndKey(); const command = new UploadServerCertificateCommand({ ServerCertificateName: certificateName, CertificateBody: cert.toString(), PrivateKey: key.toString(), }); return client.send(command); }; ``` + 有关 API 的详细信息，请参阅 *适用于 JavaScript 的 AWS SDK API 参考[UploadServerCertificate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/UploadServerCertificateCommand)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例将新服务器证书上传到 IAM 账户。包含证书正文、私有密钥和（可选）证书链的文件必须均采用 PEM 编码。请注意，参数需要文件的实际内容，而不是文件名。必须使用 `-Raw` 开关参数才能成功处理文件内容。** ``` Publish-IAMServerCertificate -ServerCertificateName MyTestCert -CertificateBody (Get-Content -Raw server.crt) -PrivateKey (Get-Content -Raw server.key) ``` **输出**： ``` Arn : arn:aws:iam::123456789012:server-certificate/MyTestCert Expiration : 1/14/2018 9:52:36 AM Path : / ServerCertificateId : ASCAJIEXAMPLE7J7HQZYW ServerCertificateName : MyTestCert UploadDate : 4/21/2015 11:14:16 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UploadServerCertificate](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例将新服务器证书上传到 IAM 账户。包含证书正文、私有密钥和（可选）证书链的文件必须均采用 PEM 编码。请注意，参数需要文件的实际内容，而不是文件名。必须使用 `-Raw` 开关参数才能成功处理文件内容。** ``` Publish-IAMServerCertificate -ServerCertificateName MyTestCert -CertificateBody (Get-Content -Raw server.crt) -PrivateKey (Get-Content -Raw server.key) ``` **输出**： ``` Arn : arn:aws:iam::123456789012:server-certificate/MyTestCert Expiration : 1/14/2018 9:52:36 AM Path : / ServerCertificateId : ASCAJIEXAMPLE7J7HQZYW ServerCertificateName : MyTestCert UploadDate : 4/21/2015 11:14:16 AM ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UploadServerCertificate](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------ # 将 `UploadSigningCertificate` 与 CLI 配合使用以下代码示例演示如何使用 `UploadSigningCertificate`。 ------ #### [ CLI ] **AWS CLI** **上传 IAM 用户的签名证书** 以下 `upload-signing-certificate` 命令上传名为 `Bob` 的 IAM 用户的签名证书。 ``` aws iam upload-signing-certificate \ --user-name Bob \ --certificate-body file://certificate.pem ``` 输出： ``` { "Certificate": { "UserName": "Bob", "Status": "Active", "CertificateBody": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----", "CertificateId": "TA7SMP42TDN5Z26OBPJE7EXAMPLE", "UploadDate": "2013-06-06T21:40:08.121Z" } } ``` 证书位于名为 *certificate.pem* 的文件中，采用 PEM 格式。有关更多信息，请参阅《使用 IAM》**指南中的“创建和上传用户签名证书”。 + 有关 API 的详细信息，请参阅*AWS CLI 命令参考[UploadSigningCertificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/upload-signing-certificate.html)*中的。 ------ #### [ PowerShell ] **适用于 PowerShell V4 的工具** **示例 1：此示例上传新的 X.509 签名证书并将其与名为 `Bob` 的 IAM 用户关联。包含证书正文的文件采用 PEM 编码。`CertificateBody` 参数需要证书文件的实际内容而不是文件名。必须使用 `-Raw` 开关参数才能成功处理该文件。** ``` Publish-IAMSigningCertificate -UserName Bob -CertificateBody (Get-Content -Raw SampleSigningCert.pem) ``` **输出**： ``` CertificateBody : -----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE----- CertificateId : Y3EK7RMEXAMPLESV33FCEXAMPLEHMJLU Status : Active UploadDate : 4/20/2015 1:26:01 PM UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [UploadSigningCertificate](https://docs.aws.amazon.com/powershell/v4/reference)中的。 **适用于 PowerShell V5 的工具** **示例 1：此示例上传新的 X.509 签名证书并将其与名为 `Bob` 的 IAM 用户关联。包含证书正文的文件采用 PEM 编码。`CertificateBody` 参数需要证书文件的实际内容而不是文件名。必须使用 `-Raw` 开关参数才能成功处理该文件。** ``` Publish-IAMSigningCertificate -UserName Bob -CertificateBody (Get-Content -Raw SampleSigningCert.pem) ``` **输出**： ``` CertificateBody : -----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE----- CertificateId : Y3EK7RMEXAMPLESV33FCEXAMPLEHMJLU Status : Active UploadDate : 4/20/2015 1:26:01 PM UserName : Bob ``` + 有关 API 的详细信息，请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [UploadSigningCertificate](https://docs.aws.amazon.com/powershell/v5/reference)中的。 ------