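Use DetachRolePolicy with an AWS SDK or CLI
The following code examples show how to use DetachRolePolicy.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code examples: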
- .NET
  - SDK for .NET

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```csharp
    /// <summary>
    /// Detach an IAM policy from an IAM role.
    /// </summary>
    /// <param name="policyArn">The Amazon Resource Name (ARN) of the IAM policy.</param>
    /// <param name="roleName">The name of the IAM role.</param>
    /// <returns>A Boolean value indicating the success of the action.</returns>
    public async Task<bool> DetachRolePolicyAsync(string policyArn, string roleName)
    {
        var response = await _IAMService.DetachRolePolicyAsync(new DetachRolePolicyRequest
        {
            PolicyArn = policyArn,
            RoleName = roleName,
        });

        return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
    }
```

- For API details, see DetachRolePolicy in the AWS SDK for .NET API Reference.

- Bash
  - AWS CLI with Bash script

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```bash
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
  printf "%s\n" "$*" 1>&2
}

###############################################################################
# function iam_detach_role_policy
#
# This function detaches an IAM policy from a role.
#
# Parameters:
#       -n role_name -- The name of the IAM role.
#       -p policy_ARN -- The IAM policy document ARN.
#
# Returns:
#       0 - If successful.
#       1 - If it fails.
###############################################################################
function iam_detach_role_policy() {
  local role_name policy_arn response
  local option OPTARG # Required to use getopts command in a function.

  # bashsupport disable=BP5008
  function usage() {
    echo "function iam_detach_role_policy"
    echo "Detaches an AWS Identity and Access Management (IAM) policy from an IAM role."
    echo "  -n role_name   The name of the IAM role."
    echo "  -p policy_ARN -- The IAM policy document ARN."
    echo ""
  }

  # Retrieve the calling parameters.
  while getopts "n:p:h" option; do
    case "${option}" in
      n) role_name="${OPTARG}" ;;
      p) policy_arn="${OPTARG}" ;;
      h)
        usage
        return 0
        ;;
      \?)
        echo "Invalid parameter"
        usage
        return 1
        ;;
    esac
  done
  export OPTIND=1

  if [[ -z "$role_name" ]]; then
    errecho "ERROR: You must provide a role name with the -n parameter."
    usage
    return 1
  fi

  if [[ -z "$policy_arn" ]]; then
    errecho "ERROR: You must provide a policy ARN with the -p parameter."
    usage
    return 1
  fi

  response=$(aws iam detach-role-policy \
    --role-name "$role_name" \
    --policy-arn "$policy_arn")

  local error_code=${?}

  if [[ $error_code -ne 0 ]]; then
    aws_cli_error_log $error_code
    # errecho prints its arguments literally, so report the response on its own line.
    errecho "ERROR: AWS reports detach-role-policy operation failed."
    errecho "$response"
    return 1
  fi

  echo "$response"

  return 0
}
```

- For API details, see DetachRolePolicy in the AWS CLI Command Reference.

- C++
  - SDK for C++

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```cpp
    Aws::IAM::IAMClient iam(clientConfig);

    Aws::IAM::Model::DetachRolePolicyRequest detachRequest;
    detachRequest.SetRoleName(roleName);
    detachRequest.SetPolicyArn(policyArn);

    auto detachOutcome = iam.DetachRolePolicy(detachRequest);
    if (!detachOutcome.IsSuccess()) {
        std::cerr << "Failed to detach policy " << policyArn << " from role "
                  << roleName << ": " << detachOutcome.GetError().GetMessage()
                  << std::endl;
    }
    else {
        std::cout << "Successfully detached policy " << policyArn << " from role "
                  << roleName << std::endl;
    }

    return detachOutcome.IsSuccess();
```

- For API details, see DetachRolePolicy in the AWS SDK for C++ API Reference.

- CLI
  - AWS CLI

To detach a policy from a role

This example removes the managed policy with the ARN `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` from the role named `FedTesterRole`.

```bash
aws iam detach-role-policy \
    --role-name FedTesterRole \
    --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy
```

This command produces no output.

For more information, see Modifying a Role in the AWS IAM User Guide.

- For API details, see DetachRolePolicy in the AWS CLI Command Reference.

- Go
  - SDK for Go V2

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```go
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/iam"
)

// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
	IamClient *iam.Client
}

// DetachRolePolicy detaches a policy from a role.
func (wrapper RoleWrapper) DetachRolePolicy(ctx context.Context, roleName string, policyArn string) error {
	_, err := wrapper.IamClient.DetachRolePolicy(ctx, &iam.DetachRolePolicyInput{
		PolicyArn: aws.String(policyArn),
		RoleName:  aws.String(roleName),
	})
	if err != nil {
		log.Printf("Couldn't detach policy from role %v. Here's why: %v\n", roleName, err)
	}
	return err
}
```

- For API details, see DetachRolePolicy in the AWS SDK for Go API Reference.

- Java
  - SDK for Java 2.x

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```java
import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.IamException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class DetachRolePolicy {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <roleName> <policyArn>\s

                Where:
                    roleName - A role name that you can obtain from the AWS Management Console.\s
                    policyArn - A policy ARN that you can obtain from the AWS Management Console.\s
                """;

        if (args.length != 2) {
            System.out.println(usage);
            System.exit(1);
        }

        String roleName = args[0];
        String policyArn = args[1];
        Region region = Region.AWS_GLOBAL;
        IamClient iam = IamClient.builder()
                .region(region)
                .build();
        detachPolicy(iam, roleName, policyArn);
        System.out.println("Done");
        iam.close();
    }

    public static void detachPolicy(IamClient iam, String roleName, String policyArn) {
        try {
            DetachRolePolicyRequest request = DetachRolePolicyRequest.builder()
                    .roleName(roleName)
                    .policyArn(policyArn)
                    .build();

            iam.detachRolePolicy(request);
            System.out.println("Successfully detached policy " + policyArn +
                    " from role " + roleName);

        } catch (IamException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```

- For API details, see DetachRolePolicy in the AWS SDK for Java 2.x API Reference.

- JavaScript
  - SDK for JavaScript (v3)

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

Detach the policy.

```javascript
import { DetachRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam";

const client = new IAMClient({});

/**
 *
 * @param {string} policyArn
 * @param {string} roleName
 */
export const detachRolePolicy = (policyArn, roleName) => {
  const command = new DetachRolePolicyCommand({
    PolicyArn: policyArn,
    RoleName: roleName,
  });

  return client.send(command);
};
```

- For more information, see the AWS SDK for JavaScript Developer Guide.
- For API details, see DetachRolePolicy in the AWS SDK for JavaScript API Reference.

  - SDK for JavaScript (v2)

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```javascript
// Load the AWS SDK for Node.js
var AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });

// Create the IAM service object
var iam = new AWS.IAM({ apiVersion: "2010-05-08" });

var paramsRoleList = {
  RoleName: process.argv[2],
};

iam.listAttachedRolePolicies(paramsRoleList, function (err, data) {
  if (err) {
    console.log("Error", err);
  } else {
    var myRolePolicies = data.AttachedPolicies;
    myRolePolicies.forEach(function (val, index, array) {
      if (myRolePolicies[index].PolicyName === "AmazonDynamoDBFullAccess") {
        var params = {
          PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
          RoleName: process.argv[2],
        };
        iam.detachRolePolicy(params, function (err, data) {
          if (err) {
            console.log("Unable to detach policy from role", err);
          } else {
            console.log("Policy detached from role successfully");
            process.exit();
          }
        });
      }
    });
  }
});
```

- For more information, see the AWS SDK for JavaScript Developer Guide.
- For API details, see DetachRolePolicy in the AWS SDK for JavaScript API Reference.

- Kotlin
  - SDK for Kotlin

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```kotlin
import aws.sdk.kotlin.services.iam.IamClient
import aws.sdk.kotlin.services.iam.model.DetachRolePolicyRequest

suspend fun detachPolicy(
    roleNameVal: String,
    policyArnVal: String,
) {
    val request =
        DetachRolePolicyRequest {
            roleName = roleNameVal
            policyArn = policyArnVal
        }

    IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
        iamClient.detachRolePolicy(request)
        println("Successfully detached policy $policyArnVal from role $roleNameVal")
    }
}
```

- For API details, see DetachRolePolicy in the AWS SDK for Kotlin API Reference.

- PowerShell
  - Tools for PowerShell V4

Example 1: This example detaches the managed group policy with the ARN `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` from the role named `FedTesterRole`.

```powershell
Unregister-IAMRolePolicy -RoleName FedTesterRole -PolicyArn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy
```

Example 2: This example finds all of the managed policies that are attached to the role named `FedTesterRole` and detaches them from the role.

```powershell
Get-IAMAttachedRolePolicyList -RoleName FedTesterRole | Unregister-IAMRolePolicy -Rolename FedTesterRole
```

- For API details, see DetachRolePolicy in the AWS Tools for PowerShell Cmdlet Reference (V4).

  - Tools for PowerShell V5

Example 1: This example detaches the managed group policy with the ARN `arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy` from the role named `FedTesterRole`.

```powershell
Unregister-IAMRolePolicy -RoleName FedTesterRole -PolicyArn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy
```

Example 2: This example finds all of the managed policies that are attached to the role named `FedTesterRole` and detaches them from the role.

```powershell
Get-IAMAttachedRolePolicyList -RoleName FedTesterRole | Unregister-IAMRolePolicy -Rolename FedTesterRole
```

- For API details, see DetachRolePolicy in the AWS Tools for PowerShell Cmdlet Reference (V5).

- Python
  - SDK for Python (Boto3)

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

Detach a policy from a role by using the Boto3 Policy object.

```python
import logging

import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)
iam = boto3.resource("iam")


def detach_from_role(role_name, policy_arn):
    """
    Detaches a policy from a role.

    :param role_name: The name of the role. **Note** this is the name, not the ARN.
    :param policy_arn: The ARN of the policy.
    """
    try:
        iam.Policy(policy_arn).detach_role(RoleName=role_name)
        logger.info("Detached policy %s from role %s.", policy_arn, role_name)
    except ClientError:
        logger.exception(
            "Couldn't detach policy %s from role %s.", policy_arn, role_name
        )
        raise
```

Detach a policy from a role by using the Boto3 Role object.

```python
# Uses the same imports, logger, and iam resource as the previous block.
def detach_policy(role_name, policy_arn):
    """
    Detaches a policy from a role.

    :param role_name: The name of the role. **Note** this is the name, not the ARN.
    :param policy_arn: The ARN of the policy.
    """
    try:
        iam.Role(role_name).detach_policy(PolicyArn=policy_arn)
        logger.info("Detached policy %s from role %s.", policy_arn, role_name)
    except ClientError:
        logger.exception(
            "Couldn't detach policy %s from role %s.", policy_arn, role_name
        )
        raise
```

- For API details, see DetachRolePolicy in the AWS SDK for Python (Boto3) API Reference.
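
PowerShell Example 2 above detaches every managed policy attached to a role; the following added example (not part of the AWS Code Examples Repository) does the same through a Boto3-style IAM client, following `IsTruncated`/`Marker` pagination and listing again afterwards because the detach call produces no output. The function names are assumptions, and `FakeIam` is a constructed in-memory stand-in for `boto3.client("iam")` so the block runs offline.

```python
def error_code(exc):
    # botocore's ClientError exposes the service error code in exc.response.
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def list_attached_policy_arns(iam_client, role_name):
    """Return every attached managed policy ARN, following IsTruncated/Marker."""
    arns, kwargs = [], {"RoleName": role_name}
    while True:
        page = iam_client.list_attached_role_policies(**kwargs)
        arns += [p["PolicyArn"] for p in page.get("AttachedPolicies", [])]
        if not page.get("IsTruncated"):
            return arns
        kwargs["Marker"] = page["Marker"]


def detach_all_managed_policies(iam_client, role_name):
    """Detach all managed policies; return (detached, still_attached) ARN lists."""
    detached = []
    for arn in list_attached_policy_arns(iam_client, role_name):
        try:
            iam_client.detach_role_policy(RoleName=role_name, PolicyArn=arn)
            detached.append(arn)
        except Exception as exc:
            # Already detached by another actor: nothing left to do for this ARN.
            if error_code(exc) != "NoSuchEntity":
                raise
    # The detach call returns no output, so confirm the result by listing again.
    return detached, list_attached_policy_arns(iam_client, role_name)


class FakeIam:
    """Constructed in-memory stand-in for boto3.client("iam"); one policy per page."""

    def __init__(self, arns):
        self.attached = list(arns)

    def list_attached_role_policies(self, RoleName, Marker=None):
        i = int(Marker or 0)
        page = {"AttachedPolicies": [{"PolicyArn": a} for a in self.attached[i:i + 1]],
                "IsTruncated": i + 1 < len(self.attached)}
        if page["IsTruncated"]:
            page["Marker"] = str(i + 1)
        return page

    def detach_role_policy(self, RoleName, PolicyArn):
        self.attached.remove(PolicyArn)
```

Against a real account, pass `boto3.client("iam")` instead of `FakeIam`. Inline policies embedded in the role are not affected by detaching; those are removed with DeleteRolePolicy.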
 
- Ruby
  - SDK for Ruby

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

This example module lists, creates, attaches, and detaches role policies.

```ruby
require 'aws-sdk-iam'
require 'logger'

# Manages policies in AWS Identity and Access Management (IAM)
class RolePolicyManager
  # Initialize with an AWS IAM client
  #
  # @param iam_client [Aws::IAM::Client] An initialized IAM client
  def initialize(iam_client, logger: Logger.new($stdout))
    @iam_client = iam_client
    @logger = logger
    @logger.progname = 'PolicyManager'
  end

  # Creates a policy
  #
  # @param policy_name [String] The name of the policy
  # @param policy_document [Hash] The policy document
  # @return [String] The policy ARN if successful, otherwise nil
  def create_policy(policy_name, policy_document)
    response = @iam_client.create_policy(
      policy_name: policy_name,
      policy_document: policy_document.to_json
    )
    response.policy.arn
  rescue Aws::IAM::Errors::ServiceError => e
    @logger.error("Error creating policy: #{e.message}")
    nil
  end

  # Fetches an IAM policy by its ARN
  # @param policy_arn [String] the ARN of the IAM policy to retrieve
  # @return [Aws::IAM::Types::GetPolicyResponse] the policy object if found
  def get_policy(policy_arn)
    response = @iam_client.get_policy(policy_arn: policy_arn)
    policy = response.policy
    @logger.info("Got policy '#{policy.policy_name}'. Its ID is: #{policy.policy_id}.")
    policy
  rescue Aws::IAM::Errors::NoSuchEntity
    @logger.error("Couldn't get policy '#{policy_arn}'. The policy does not exist.")
    raise
  rescue Aws::IAM::Errors::ServiceError => e
    @logger.error("Couldn't get policy '#{policy_arn}'. Here's why: #{e.code}: #{e.message}")
    raise
  end

  # Attaches a policy to a role
  #
  # @param role_name [String] The name of the role
  # @param policy_arn [String] The policy ARN
  # @return [Boolean] true if successful, false otherwise
  def attach_policy_to_role(role_name, policy_arn)
    @iam_client.attach_role_policy(
      role_name: role_name,
      policy_arn: policy_arn
    )
    true
  rescue Aws::IAM::Errors::ServiceError => e
    @logger.error("Error attaching policy to role: #{e.message}")
    false
  end

  # Lists policy ARNs attached to a role
  #
  # @param role_name [String] The name of the role
  # @return [Array<String>] List of policy ARNs
  def list_attached_policy_arns(role_name)
    response = @iam_client.list_attached_role_policies(role_name: role_name)
    response.attached_policies.map(&:policy_arn)
  rescue Aws::IAM::Errors::ServiceError => e
    @logger.error("Error listing policies attached to role: #{e.message}")
    []
  end

  # Detaches a policy from a role
  #
  # @param role_name [String] The name of the role
  # @param policy_arn [String] The policy ARN
  # @return [Boolean] true if successful, false otherwise
  def detach_policy_from_role(role_name, policy_arn)
    @iam_client.detach_role_policy(
      role_name: role_name,
      policy_arn: policy_arn
    )
    true
  rescue Aws::IAM::Errors::ServiceError => e
    @logger.error("Error detaching policy from role: #{e.message}")
    false
  end
end
```

- For API details, see DetachRolePolicy in the AWS SDK for Ruby API Reference.

- Rust
  - SDK for Rust

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```rust
use aws_sdk_iam::{Client as iamClient, Error as iamError};

pub async fn detach_role_policy(
    client: &iamClient,
    role_name: &str,
    policy_arn: &str,
) -> Result<(), iamError> {
    client
        .detach_role_policy()
        .role_name(role_name)
        .policy_arn(policy_arn)
        .send()
        .await?;

    Ok(())
}
```

- For API details, see DetachRolePolicy in the AWS SDK for Rust API Reference.

- Swift
  - SDK for Swift

Note: There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

```swift
import AWSIAM
import AWSS3

    public func detachRolePolicy(policy: IAMClientTypes.Policy, role: IAMClientTypes.Role) async throws {
        let input = DetachRolePolicyInput(
            policyArn: policy.arn,
            roleName: role.roleName
        )

        do {
            _ = try await iamClient.detachRolePolicy(input: input)
        } catch {
            print("ERROR: detachRolePolicy:", dump(error))
            throw error
        }
    }
```

- For API details, see DetachRolePolicy in the AWS SDK for Swift API Reference.

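For a complete list of AWS SDK developer guides and code examples, see Using this service with an AWS SDK. This topic also includes information about getting started and details about previous SDK versions.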