我正在尝试创建具有特定权限的角色,但未成功:
这是我的许可:
String jsonRole = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Action\": [" +
" \"s3:PutObject\"," +
" \"s3:GetObject\"," +
" \"s3:GetObjectVersion\"," +
" \"s3:DeleteObject\"," +
" \"s3:DeleteObjectVersion\"" +
" ]," +
" \"Resource\": \"arn:aws:s3:::"+artifactsBucket+"/"+company.getCompanyId()+"/*\"" +
" }" +
" ]" +
"}";
和创建角色的命令:
AmazonIdentityManagement client = AmazonIdentityManagementClientBuilder.standard().build();
CreateRoleRequest request = new CreateRoleRequest().withPath("/companies-bucket-roles/").withRoleName(company.getName()+"-"+consoleUser.getConsoleUserId());
但是我不知道如何向角色添加权限。我在文档中什么都没找到。 有什么主意吗?
预先感谢
答案 0 :(得分:2)
如果要创建角色并添加策略,这是完整的代码:
String jsonPolicyDocument = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Action\": [" +
" \"s3:PutObject\"," +
" \"s3:GetObject\"," +
" \"s3:GetObjectVersion\"," +
" \"s3:DeleteObject\"," +
" \"s3:DeleteObjectVersion\"" +
" ]," +
" \"Resource\": \"arn:aws:s3:::"+artifactsBucket+"/"+company.getCompanyId()+"/*\"" +
" }" +
" ]" +
"}";
String assumeRolePolicyDocument = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Principal\": {" +
" \"Federated\": \"cognito-identity.amazonaws.com\"" +
" }," +
" \"Action\": \"sts:AssumeRoleWithWebIdentity\"," +
" \"Condition\": {" +
" \"StringEquals\": {" +
" \"cognito-identity.amazonaws.com:aud\": \""+poolId+"\"" +
" }," +
" \"ForAnyValue:StringLike\": {" +
" \"cognito-identity.amazonaws.com:amr\": \"authenticated\"" +
" }" +
" }" +
" }" +
" ]" +
"}";
AmazonIdentityManagement client = AmazonIdentityManagementClientBuilder.standard().build();
// First create a policy
CreatePolicyRequest policyRequest = new CreatePolicyRequest()
.withPolicyName("company_" + company.getCompanyId() + "_s3bucket" + "_policy")
.withPolicyDocument(jsonPolicyDocument)
.withDescription("Policy created for the company "+company.getCompanyId()+". This policy give access to S3 bucket for this company");
CreatePolicyResult policyResponse = client.createPolicy(policyRequest);
String roleName = "company_" + company.getCompanyId() + "_role";
CreateRoleRequest request = new CreateRoleRequest()
.withPath("/"+rolesFolder+"/")
.withRoleName(roleName)
.withAssumeRolePolicyDocument(assumeRolePolicyDocument)
.withDescription("Role created for the company "+company.getCompanyId()+". This Role has for example policy for S3 bucket");
CreateRoleResult response = client.createRole(request);
// Attach the policy to the role
AttachRolePolicyRequest attachRequest = new AttachRolePolicyRequest()
.withRoleName(roleName)
.withPolicyArn(policyResponse.getPolicy().getArn());
AttachRolePolicyResult attachRolePolicyResult = client.attachRolePolicy(attachRequest);
logger.info(attachRolePolicyResult);