Iam client

This page contains examples with the Iam client. See the client introduction for a more detailed description how to use a client. You may also want to consider the authentication documentation to understand the many ways you can authenticate with AWS.

The Iam package could be installed with Composer.

composer require async-aws/iam

A new client object may be instantiated by:

use AsyncAws\Iam\IamClient; $iam = new IamClient();

The authentication parameters is read from the environment by default. You can also specify a AWS access id and secret:

use AsyncAws\Iam\IamClient; $iam = new IamClient([ 'accessKeyId' => 'my_access_key', 'accessKeySecret' => 'my_access_secret', 'region' => 'eu-central-1', ]);

For all available options, see the configuration reference.

Usage

List Users

use AsyncAws\Iam\IamClient; use AsyncAws\Iam\Input\ListUsersRequest; $iam = new IamClient(); $users = $iam->listUsers(new ListUsersRequest([ 'PathPrefix' => '/division_engineering/subdivision_web', ])); foreach ($users as $user) { echo $user->getUserName().' '.($user->getPasswordLastUsed() ? $user->getPasswordLastUsed()->format('Y-m-d') : '').PHP_EOL; }

Create / Delete a user's individual policy document

use AsyncAws\Iam\IamClient; use AsyncAws\Iam\Input\PutUserPolicyRequest; use AsyncAws\Iam\Input\DeleteUserPolicyRequest; $iam = new IamClient(); $iam->putUserPolicy(new PutUserPolicyRequest([ 'UserName' => 'Thomas', 'PolicyName' => 'Disallow Access To Everything', 'PolicyDocument' => '{"Version":"2012-10-17","Statement":{"Effect":"Deny","Action":"*","Resource":"*"}}', ])); // Uh-oh, that policy is a bit *too* restrictive, let's delete it $iam->deleteUserPolicy(new DeleteUserPolicyRequest([ 'UserName' => 'Thomas', 'PolicyName' => 'Disallow Access To Everything', ]));

Create service-specific credentials

use AsyncAws\Iam\IamClient; use AsyncAws\Iam\Input\CreateServiceSpecificCredentialRequest; $iam = new IamClient(); $creds = $iam->createServiceSpecificCredential(new CreateServiceSpecificCredentialRequest([ 'UserName' => 'Thomas', 'ServiceName' => 'codecommit.amazonaws.com', ])); echo $creds->getServiceSpecificCredential()->getServiceUserName(); // example: thomas-at-123456789012 echo $creds->getServiceSpecificCredential()->getServicePassword(); // example: xTBAr/czp+D3EXAMPLE47lrJ6/43r2zqGwR3EXAMPLE=

List service-specific credentials

use AsyncAws\Iam\IamClient; use AsyncAws\Iam\Input\ListServiceSpecificCredentialsRequest; $iam = new IamClient(); // list *all* service-specific credentials for this user $result = $iam->listServiceSpecificCredentials(new ListServiceSpecificCredentialsRequest([ 'UserName' => 'Thomas', ])); echo $result->getServiceSpecificCredentials()[0]->getServiceUserName(); // example: thomas-at-123456789012 echo $result->getServiceSpecificCredentials()[0]->getServiceSpecificCredentialId(); // example: ACCA67890FGHIEXAMPLE echo $result->getServiceSpecificCredentials()[0]->getServiceName(); // example: codecommit.amazonaws.com echo $result->getServiceSpecificCredentials()[1]->getServiceUserName(); // example: thomas-at-123456789012 echo $result->getServiceSpecificCredentials()[1]->getServiceSpecificCredentialId(); // example: IHGF09876ACCAEXAMPLE echo $result->getServiceSpecificCredentials()[1]->getServiceName(); // example: dynamodb.amazonaws.com // filter by AWS service $result = $iam->listServiceSpecificCredentials(new ListServiceSpecificCredentialsRequest([ 'UserName' => 'Thomas', 'ServiceName' => 'dynamodb.amazonaws.com', echo $result->getServiceSpecificCredentials()[0]->getServiceUserName(); // example: thomas-at-123456789012 echo $result->getServiceSpecificCredentials()[0]->getServiceSpecificCredentialId(); // example: IHGF09876ACCAEXAMPLE echo $result->getServiceSpecificCredentials()[0]->getServiceName(); // example: dynamodb.amazonaws.com ]));

Delete service-specific credentials

use AsyncAws\Iam\IamClient; use AsyncAws\Iam\Input\DeleteServiceSpecificCredentialRequest; $iam = new IamClient(); $iam->deleteServiceSpecificCredential(new DeleteServiceSpecificCredentialRequest([ // UserName is not required if the user owning the credentials is the same user as is authenticated via the SDK // put simply, this means that if you're deleting your own credentials you *do not* need to supply this parameter. // In all other cases you should probably include it. // see https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteServiceSpecificCredential.html for more details 'UserName' => 'Thomas', 'ServiceSpecificCredentialId' => 'ACCA67890FGHIEXAMPLE' ]));

The source code to this page is found on GitHub.