The AWS SDK for Java 1.x reached end-of-support on December 31, 2025. We recommend that you migrate to the AWS SDK for Java 2.x to continue receiving new features, availability improvements, and security updates.
Working with IAM Policies
Creating a Policy
To create a new policy, provide the policy’s name and a JSON-formatted policy document in a CreatePolicyRequest to the AmazonIdentityManagementClient’s createPolicy method.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.CreatePolicyRequest; import com.amazonaws.services.identitymanagement.model.CreatePolicyResult;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); CreatePolicyRequest request = new CreatePolicyRequest() .withPolicyName(policy_name) .withPolicyDocument(POLICY_DOCUMENT); CreatePolicyResult response = iam.createPolicy(request);
IAM policy documents are JSON strings with a well-documented syntax. Here is an example that provides access to make particular requests to DynamoDB.
public static final String POLICY_DOCUMENT = "{" + " \"Version\": \"2012-10-17\", " + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": \"logs:CreateLogGroup\"," + " \"Resource\": \"%s\"" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"dynamodb:DeleteItem\"," + " \"dynamodb:GetItem\"," + " \"dynamodb:PutItem\"," + " \"dynamodb:Scan\"," + " \"dynamodb:UpdateItem\"" + " ]," + " \"Resource\": \"RESOURCE_ARN\"" + " }" + " ]" + "}";
See the complete example
Getting a Policy
To retrieve an existing policy, call the AmazonIdentityManagementClient’s getPolicy method, providing the policy’s ARN within a GetPolicyRequest object.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.GetPolicyRequest; import com.amazonaws.services.identitymanagement.model.GetPolicyResult;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); GetPolicyRequest request = new GetPolicyRequest() .withPolicyArn(policy_arn); GetPolicyResult response = iam.getPolicy(request);
See the complete example
Attaching a Role Policy
You can attach a policy to an IAMhttp://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html[role] by calling the AmazonIdentityManagementClient’s attachRolePolicy method, providing it with the role name and policy ARN in an AttachRolePolicyRequest.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.AttachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.AttachedPolicy;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); AttachRolePolicyRequest attach_request = new AttachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(POLICY_ARN); iam.attachRolePolicy(attach_request);
See the complete example
Listing Attached Role Policies
List attached policies on a role by calling the AmazonIdentityManagementClient’s listAttachedRolePolicies method. It takes a ListAttachedRolePoliciesRequest object that contains the role name to list the policies for.
Call getAttachedPolicies on the returned ListAttachedRolePoliciesResult object to get the list of attached policies. Results may be truncated; if the ListAttachedRolePoliciesResult object’s getIsTruncated method returns true, call the ListAttachedRolePoliciesRequest object’s setMarker method and use it to call listAttachedRolePolicies again to get the next batch of results.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesRequest; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesResult; import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest() .withRoleName(role_name); List<AttachedPolicy> matching_policies = new ArrayList<>(); boolean done = false; while(!done) { ListAttachedRolePoliciesResult response = iam.listAttachedRolePolicies(request); matching_policies.addAll( response.getAttachedPolicies() .stream() .filter(p -> p.getPolicyName().equals(role_name)) .collect(Collectors.toList())); if(!response.getIsTruncated()) { done = true; } request.setMarker(response.getMarker()); }
See the complete example
Detaching a Role Policy
To detach a policy from a role, call the AmazonIdentityManagementClient’s detachRolePolicy method, providing it with the role name and policy ARN in a DetachRolePolicyRequest.
Imports
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyResult;
Code
final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); DetachRolePolicyRequest request = new DetachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(policy_arn); DetachRolePolicyResult response = iam.detachRolePolicy(request);
See the complete example
More Information
-
Overview of IAM Policies in the IAM User Guide.
-
AWS IAM Policy Reference in the IAM User Guide.
-
CreatePolicy in the IAM API Reference
-
GetPolicy in the IAM API Reference
-
AttachRolePolicy in the IAM API Reference
-
ListAttachedRolePolicies in the IAM API Reference
-
DetachRolePolicy in the IAM API Reference
