DeleteRolePolicy() публичный Метод

Deletes the specified inline policy that is embedded in the specified IAM role.

A role can also have managed policies attached to it. To detach a managed policy from a role, use DetachRolePolicy. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

/// The request was rejected because it attempted to create resources beyond the current /// AWS account limits. The error message describes the limit exceeded. /// /// The request was rejected because it referenced an entity that does not exist. The /// error message describes the entity. /// /// The request processing has failed because of an unknown error, exception or failure. ///
public DeleteRolePolicy ( DeleteRolePolicyRequest request ) : Amazon.IdentityManagement.Model.DeleteRolePolicyResponse
request Amazon.IdentityManagement.Model.DeleteRolePolicyRequest Container for the necessary parameters to execute the DeleteRolePolicy service method.
Результат Amazon.IdentityManagement.Model.DeleteRolePolicyResponse
Пример #1
0
        public virtual void PrepMode_RemoveRoles(AmazonIdentityManagementServiceClient iamClient, params string[] roles)
        {
            foreach (var roleName in roles)
            {
                try
                {
                    iamClient.GetRole(new GetRoleRequest {RoleName = roleName});
                    Console.WriteLine("Removing old role {0}.", roleName);
                    // Remove existing policies
                    var listRolePoliciesResponse =
                        iamClient.ListRolePolicies(new ListRolePoliciesRequest {RoleName = roleName});
                    foreach (var policyName in listRolePoliciesResponse.PolicyNames)
                    {
                        var deleteRolePolicyRequest = new DeleteRolePolicyRequest
                        {
                            PolicyName = policyName,
                            RoleName = roleName
                        };
                        iamClient.DeleteRolePolicy(deleteRolePolicyRequest);
                    }
                    iamClient.DeleteRole(new DeleteRoleRequest {RoleName = roleName});
                }
                catch (NoSuchEntityException)
                {

                    // Role doesn't exist, so don't do anything.
                    // Gobble the exception and loop.
                    break;
                }
            }
        }
Пример #2
0
        public static void Test(string identityProvider)
        {
            // Login with credentials to create the role
            // credentials are defined in app.config
            var iamClient = new AmazonIdentityManagementServiceClient();
            string providerURL = null,
                   providerAppIdName = null,
                   providerUserIdName = null,
                   providerAppId = null;

            switch (identityProvider)
            {
                case "Facebook":
                    providerURL = "graph.facebook.com";
                    providerAppIdName = "app_id";
                    providerUserIdName = "id";
                    break;
                case "Google":
                    providerURL = "accounts.google.com";
                    providerAppIdName = "aud";
                    providerUserIdName = "sub";
                    break;
                case "Amazon":
                    providerURL = "www.amazon.com";
                    providerAppIdName = "app_id";
                    providerUserIdName = "user_id";
                    break;
            }

            //identity provider specific AppId is loaded from app.config (e.g)
            //  FacebookProviderAppId. GoogleProviderAppId, AmazonProviderAppId
            providerAppId = ConfigurationManager.AppSettings[identityProvider +
                                                               "ProviderAppId"];

            // Since the string is passed to String.Format, '{' & '}' has to be escaped.
            // Policy document specifies who can invoke AssumeRoleWithWebIdentity
            string trustPolicyTemplate = @"{{
                  ""Version"": ""2012-10-17"",
                  ""Statement"": [
                        {{
                              ""Effect"": ""Allow"",
                              ""Principal"": {{ ""Federated"": ""{1}"" }},
                              ""Action"": ""sts:AssumeRoleWithWebIdentity"",
                              ""Condition"": {{
                                    ""StringEquals"": {{""{1}:{2}"": ""{3}""}}
                              }}
                        }}
                  ]
                }}";

            // Defines what permissions to grant when AssumeRoleWithWebIdentity is called
            string accessPolicyTemplate = @"{{
                    ""Version"": ""2012-10-17"",
                    ""Statement"": [
                    {{
                        ""Effect"":""Allow"",
                        ""Action"":[""s3:GetObject"", ""s3:PutObject"", ""s3:DeleteObject""],
                        ""Resource"": [
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}"",
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}/*""
                        ]
                    }}
                    ]
                }}";

            // Create Trust policy
            CreateRoleRequest createRoleRequest = new CreateRoleRequest
            {
                RoleName = "federationtestrole",
                AssumeRolePolicyDocument = string.Format(trustPolicyTemplate,
                                                            identityProvider,
                                                            providerURL,
                                                            providerAppIdName,
                                                            providerAppId)
            };
            Console.WriteLine("\nTrust Policy Document:\n{0}\n",
                createRoleRequest.AssumeRolePolicyDocument);
            CreateRoleResponse createRoleResponse = iamClient.CreateRole(createRoleRequest);

            // Create Access policy (Permissions)
            PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest
            {
                PolicyName = "federationtestrole-rolepolicy",
                RoleName = "federationtestrole",
                PolicyDocument = string.Format(accessPolicyTemplate,
                                                identityProvider,
                                                providerURL,
                                                providerAppIdName,
                                                providerAppId,
                                                providerUserIdName)

            };
            Console.WriteLine("\nAccess Policy Document (Permissions):\n{0}\n",
                                                putRolePolicyRequest.PolicyDocument);
            PutRolePolicyResponse putRolePolicyResponse = iamClient.PutRolePolicy(
                                                               putRolePolicyRequest);

            // Sleep for the policy to replicate
            System.Threading.Thread.Sleep(5000);
            AmazonS3Config config = new AmazonS3Config
            {
                ServiceURL = "s3.amazonaws.com",
                RegionEndpoint = Amazon.RegionEndpoint.USEast1
            };

            Federation federationTest = new Federation();
            AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse = null;

            switch (identityProvider)
            {
                case "Facebook":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingFacebook(
                                providerAppId,
                                createRoleResponse.Role.Arn);
                    break;
                case "Google":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingGoogle(
                                providerAppId,
                                createRoleResponse.Role.Arn);

                    //Uncomment to perform two step process
                    //assumeRoleWithWebIdentityResponse =
                    //    federationTest.GetTemporaryCredentialUsingGoogle(
                    //            providerAppId,
                    //            ConfigurationManager.AppSettings["GoogleProviderAppIdSecret"],
                    //            createRoleResponse.Role.Arn);
                    break;
                case "Amazon":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingAmazon(
                                ConfigurationManager.AppSettings["AmazonProviderClientId"],
                                createRoleResponse.Role.Arn);
                    break;
            }

            S3Test s3Test = new S3Test();
            s3Test.CreateS3Bucket("federationtestbucket",
                identityProvider + "/" +
                assumeRoleWithWebIdentityResponse.SubjectFromWebIdentityToken,
                assumeRoleWithWebIdentityResponse.Credentials, config);

            DeleteRolePolicyResponse deleteRolePolicyResponse =
                iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest
                {
                    PolicyName = "federationtestrole-rolepolicy",
                    RoleName = "federationtestrole"
                });

            DeleteRoleResponse deleteRoleResponse =
                iamClient.DeleteRole(new DeleteRoleRequest
                {
                    RoleName = "federationtestrole"
                });
        }