From f78a78bfbf6d59fa97854a8d701bde689977fd4f Mon Sep 17 00:00:00 2001
From: scmacdon
Date: Tue, 14 Jan 2025 09:53:16 -0500
Subject: [PATCH] added a locl policy example
---
.../s3/lockscenario/CreateObjectLockRole.java | 82 +++++++++++++++++++
1 file changed, 82 insertions(+)
create mode 100644 javav2/example_code/s3/src/main/java/com/example/s3/lockscenario/CreateObjectLockRole.java
diff --git a/javav2/example_code/s3/src/main/java/com/example/s3/lockscenario/CreateObjectLockRole.java b/javav2/example_code/s3/src/main/java/com/example/s3/lockscenario/CreateObjectLockRole.java
new file mode 100644
index 00000000000..d3a87d0c875
--- /dev/null
+++ b/javav2/example_code/s3/src/main/java/com/example/s3/lockscenario/CreateObjectLockRole.java
@@ -0,0 +1,82 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+
+package com.example.s3.lockscenario;
+
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.iam.IamClient;
+import software.amazon.awssdk.services.iam.model.CreateRoleRequest;
+import software.amazon.awssdk.services.iam.model.PutRolePolicyRequest;
+
+public class CreateObjectLockRole {
+ public static void main(String[] args) {
+ createLockRole();
+ }
+
+ // snippet-start:[S3Lock.javav2.lock.role.main]
+ /**
+ * Creates an IAM role for AWS S3 Batch Operations to manage object locks.
+ */
+ public static void createLockRole() {
+ final String roleName = "batch_operations-object-lock1";
+
+ // Trust policy
+ final String trustPolicy = "{" + + "\"Version\":\"2012-10-17\"," + + "\"Statement\":[{" + + "\"Effect\":\"Allow\"," + + "\"Principal\":{" + + "\"Service\":\"batchoperations.s3.amazonaws.com\"" + + "}," + + "\"Action\":\"sts:AssumeRole\"" + + "}]" + + "}";
+
+ // Permissions policy
+ final String bopsPermissions = "{" + + "\"Version\":\"2012-10-17\"," + + "\"Statement\":[" + + "{" + + "\"Effect\":\"Allow\"," + + "\"Action\":\"s3:GetBucketObjectLockConfiguration\"," + + "\"Resource\":\"arn:aws:s3:::amzn-s3-demo-manifest-bucket\"" + + "}," + + "{" + + "\"Effect\":\"Allow\"," + + "\"Action\":[\"s3:GetObject\",\"s3:GetObjectVersion\",\"s3:GetBucketLocation\"]," + + "\"Resource\":\"arn:aws:s3:::amzn-s3-demo-manifest-bucket/*\"" + + "}," + + "{" + + "\"Effect\":\"Allow\"," + + "\"Action\":[\"s3:PutObject\",\"s3:GetBucketLocation\"]," + + "\"Resource\":\"arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*\"" + + "}" + + "]" + + "}";
+
+ // Create IAM client
+ final IamClient iam = IamClient.builder()
+ .region(Region.US_WEST_2)
+ .build();
+
+ // Create the role with the trust policy
+ final CreateRoleRequest createRoleRequest = CreateRoleRequest.builder()
+ .assumeRolePolicyDocument(trustPolicy)
+ .roleName(roleName)
+ .build();
+
+ iam.createRole(createRoleRequest);
+
+ // Attach the permissions policy to the role
+ final PutRolePolicyRequest putRolePolicyRequest = PutRolePolicyRequest.builder()
+ .policyDocument(bopsPermissions)
+ .policyName("batch_operations-permissions")
+ .roleName(roleName)
+ .build();
+
+ iam.putRolePolicy(putRolePolicyRequest);
+ System.out.println("The object lock role was created.");
+ }
+ // snippet-end:[S3Lock.javav2.lock.role.main]
+}
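Review bot: The trust policy in `trustPolicy` lets `batchoperations.s3.amazonaws.com` assume the role with no `Condition`, so as written a Batch Operations job from any AWS account could assume it (the confused-deputy case the S3 Batch Operations documentation guards against with `aws:SourceAccount`/`aws:SourceArn`). I would add a condition pinned to the account the example runs in, as below, with the account ID supplied by the caller rather than hard-coded. Two smaller points in the same hunk: `s3:GetBucketLocation` is a bucket-level action, so listing it against the `.../*` object resources in the second and third statements of `bopsPermissions` grants nothing and belongs in a statement whose `Resource` is the bucket ARN; and `IamClient` is never closed, so the builder call should sit in `try (IamClient iam = IamClient.builder().region(Region.US_WEST_2).build()) { … }`. The Javadoc says the role manages object locks, yet the visible policy grants no `s3:PutObjectRetention`/`s3:PutObjectLegalHold` on any target bucket — presumably the scenario grants those elsewhere; if not, either the policy or the Javadoc needs adjusting.
```java
                // … unchanged: Version/Statement/Effect/Principal lines of trustPolicy …
                "\"Action\":\"sts:AssumeRole\"," +
                // Confused-deputy guard: only Batch Operations jobs created in this account may assume the role
                "\"Condition\":{" +
                "\"StringEquals\":{\"aws:SourceAccount\":\"111122223333\"}," +
                "\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:*:111122223333:job/*\"}" +
                "}" +
                "}]" +
                "}";
```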