DeleteRole() 공개 메소드

Deletes the specified role. The role must not have any policies attached. For more information about roles, go to Working with Roles.

Make sure you do not have any Amazon EC2 instances running with the role you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.

/// The request was rejected because it attempted to delete a resource that has attached /// subordinate entities. The error message describes these entities. /// /// The request was rejected because it attempted to create resources beyond the current /// AWS account limits. The error message describes the limit exceeded. /// /// The request was rejected because it referenced an entity that does not exist. The /// error message describes the entity. /// /// The request processing has failed because of an unknown error, exception or failure. ///
public DeleteRole ( DeleteRoleRequest request ) : Amazon.IdentityManagement.Model.DeleteRoleResponse
request Amazon.IdentityManagement.Model.DeleteRoleRequest Container for the necessary parameters to execute the DeleteRole service method.
리턴 Amazon.IdentityManagement.Model.DeleteRoleResponse
예제 #1
0
        public virtual void PrepMode_RemoveRoles(AmazonIdentityManagementServiceClient iamClient, params string[] roles)
        {
            foreach (var roleName in roles)
            {
                try
                {
                    iamClient.GetRole(new GetRoleRequest {RoleName = roleName});
                    Console.WriteLine("Removing old role {0}.", roleName);
                    // Remove existing policies
                    var listRolePoliciesResponse =
                        iamClient.ListRolePolicies(new ListRolePoliciesRequest {RoleName = roleName});
                    foreach (var policyName in listRolePoliciesResponse.PolicyNames)
                    {
                        var deleteRolePolicyRequest = new DeleteRolePolicyRequest
                        {
                            PolicyName = policyName,
                            RoleName = roleName
                        };
                        iamClient.DeleteRolePolicy(deleteRolePolicyRequest);
                    }
                    iamClient.DeleteRole(new DeleteRoleRequest {RoleName = roleName});
                }
                catch (NoSuchEntityException)
                {

                    // Role doesn't exist, so don't do anything.
                    // Gobble the exception and loop.
                    break;
                }
            }
        }
예제 #2
0
        public static void Test(string identityProvider)
        {
            // Login with credentials to create the role
            // credentials are defined in app.config
            var iamClient = new AmazonIdentityManagementServiceClient();
            string providerURL = null,
                   providerAppIdName = null,
                   providerUserIdName = null,
                   providerAppId = null;

            switch (identityProvider)
            {
                case "Facebook":
                    providerURL = "graph.facebook.com";
                    providerAppIdName = "app_id";
                    providerUserIdName = "id";
                    break;
                case "Google":
                    providerURL = "accounts.google.com";
                    providerAppIdName = "aud";
                    providerUserIdName = "sub";
                    break;
                case "Amazon":
                    providerURL = "www.amazon.com";
                    providerAppIdName = "app_id";
                    providerUserIdName = "user_id";
                    break;
            }

            //identity provider specific AppId is loaded from app.config (e.g)
            //  FacebookProviderAppId. GoogleProviderAppId, AmazonProviderAppId
            providerAppId = ConfigurationManager.AppSettings[identityProvider +
                                                               "ProviderAppId"];

            // Since the string is passed to String.Format, '{' & '}' has to be escaped.
            // Policy document specifies who can invoke AssumeRoleWithWebIdentity
            string trustPolicyTemplate = @"{{
                  ""Version"": ""2012-10-17"",
                  ""Statement"": [
                        {{
                              ""Effect"": ""Allow"",
                              ""Principal"": {{ ""Federated"": ""{1}"" }},
                              ""Action"": ""sts:AssumeRoleWithWebIdentity"",
                              ""Condition"": {{
                                    ""StringEquals"": {{""{1}:{2}"": ""{3}""}}
                              }}
                        }}
                  ]
                }}";

            // Defines what permissions to grant when AssumeRoleWithWebIdentity is called
            string accessPolicyTemplate = @"{{
                    ""Version"": ""2012-10-17"",
                    ""Statement"": [
                    {{
                        ""Effect"":""Allow"",
                        ""Action"":[""s3:GetObject"", ""s3:PutObject"", ""s3:DeleteObject""],
                        ""Resource"": [
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}"",
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}/*""
                        ]
                    }}
                    ]
                }}";

            // Create Trust policy
            CreateRoleRequest createRoleRequest = new CreateRoleRequest
            {
                RoleName = "federationtestrole",
                AssumeRolePolicyDocument = string.Format(trustPolicyTemplate,
                                                            identityProvider,
                                                            providerURL,
                                                            providerAppIdName,
                                                            providerAppId)
            };
            Console.WriteLine("\nTrust Policy Document:\n{0}\n",
                createRoleRequest.AssumeRolePolicyDocument);
            CreateRoleResponse createRoleResponse = iamClient.CreateRole(createRoleRequest);

            // Create Access policy (Permissions)
            PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest
            {
                PolicyName = "federationtestrole-rolepolicy",
                RoleName = "federationtestrole",
                PolicyDocument = string.Format(accessPolicyTemplate,
                                                identityProvider,
                                                providerURL,
                                                providerAppIdName,
                                                providerAppId,
                                                providerUserIdName)

            };
            Console.WriteLine("\nAccess Policy Document (Permissions):\n{0}\n",
                                                putRolePolicyRequest.PolicyDocument);
            PutRolePolicyResponse putRolePolicyResponse = iamClient.PutRolePolicy(
                                                               putRolePolicyRequest);

            // Sleep for the policy to replicate
            System.Threading.Thread.Sleep(5000);
            AmazonS3Config config = new AmazonS3Config
            {
                ServiceURL = "s3.amazonaws.com",
                RegionEndpoint = Amazon.RegionEndpoint.USEast1
            };

            Federation federationTest = new Federation();
            AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse = null;

            switch (identityProvider)
            {
                case "Facebook":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingFacebook(
                                providerAppId,
                                createRoleResponse.Role.Arn);
                    break;
                case "Google":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingGoogle(
                                providerAppId,
                                createRoleResponse.Role.Arn);

                    //Uncomment to perform two step process
                    //assumeRoleWithWebIdentityResponse =
                    //    federationTest.GetTemporaryCredentialUsingGoogle(
                    //            providerAppId,
                    //            ConfigurationManager.AppSettings["GoogleProviderAppIdSecret"],
                    //            createRoleResponse.Role.Arn);
                    break;
                case "Amazon":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingAmazon(
                                ConfigurationManager.AppSettings["AmazonProviderClientId"],
                                createRoleResponse.Role.Arn);
                    break;
            }

            S3Test s3Test = new S3Test();
            s3Test.CreateS3Bucket("federationtestbucket",
                identityProvider + "/" +
                assumeRoleWithWebIdentityResponse.SubjectFromWebIdentityToken,
                assumeRoleWithWebIdentityResponse.Credentials, config);

            DeleteRolePolicyResponse deleteRolePolicyResponse =
                iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest
                {
                    PolicyName = "federationtestrole-rolepolicy",
                    RoleName = "federationtestrole"
                });

            DeleteRoleResponse deleteRoleResponse =
                iamClient.DeleteRole(new DeleteRoleRequest
                {
                    RoleName = "federationtestrole"
                });
        }