public static String getPublicReadPolicy(String bucket_name) { Policy bucket_policy = new Policy().withStatements( new Statement(Statement.Effect.Allow) .withPrincipals(Principal.AllUsers) .withActions(S3Actions.GetObject) .withResources(new Resource( "arn:aws:s3:::" + bucket_name + "/*"))); return bucket_policy.toJson(); }
.withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage) .withResources(new Resource(queueARN)); statement.setConditions(conditions);
private void setupQueueAndTopic() { String randomSeed = UUID.randomUUID().toString(); String queueName = "glacier-archive-transfer-" + randomSeed; String topicName = "glacier-archive-transfer-" + randomSeed; queueUrl = sqs.createQueue(new CreateQueueRequest(queueName)).getQueueUrl(); topicArn = sns.createTopic(new CreateTopicRequest(topicName)).getTopicArn(); String queueARN = sqs.getQueueAttributes(new GetQueueAttributesRequest(queueUrl).withAttributeNames("QueueArn")).getAttributes().get("QueueArn"); Policy sqsPolicy = new Policy().withStatements( new Statement(Effect.Allow) .withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage) .withResources(new Resource(queueARN)) .withConditions(ConditionFactory.newSourceArnCondition(topicArn))); sqs.setQueueAttributes(new SetQueueAttributesRequest(queueUrl, newAttributes("Policy", sqsPolicy.toJson()))); sns.subscribe(new SubscribeRequest(topicArn, "sqs", queueARN)); }
.withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage) .withResources(new Resource(sqsQueueArn)) .withConditions(ConditionFactory.newSourceArnCondition(snsTopicArn)));
@Test public void testMultipleConditionKeysForConditionType() throws Exception { Policy policy = new Policy(); policy.withStatements(new Statement(Effect.Allow) .withResources(new Resource("arn:aws:sqs:us-east-1:987654321000:MyQueue")) .withPrincipals(Principal.AllUsers) .withActions(new TestAction("foo")) .withConditions( new StringCondition(StringComparisonType.StringNotLike, "key1", "foo"), new StringCondition(StringComparisonType.StringNotLike, "key1", "bar"))); policy = Policy.fromJson(policy.toJson()); assertEquals(1, policy.getStatements().size()); List<Statement> statements = new LinkedList<Statement>(policy.getStatements()); assertEquals(Effect.Allow, statements.get(0).getEffect()); assertEquals(1, statements.get(0).getActions().size()); assertEquals("foo", statements.get(0).getActions().get(0).getActionName()); assertEquals(1, statements.get(0).getConditions().size()); assertEquals("StringNotLike", statements.get(0).getConditions().get(0).getType()); assertEquals("key1", statements.get(0).getConditions().get(0).getConditionKey()); assertEquals(2, statements.get(0).getConditions().get(0).getValues().size()); assertEquals("foo", statements.get(0).getConditions().get(0).getValues().get(0)); assertEquals("bar", statements.get(0).getConditions().get(0).getValues().get(1)); }
.withPrincipals(Principal.AllUsers) .withActions(new TestAction("action1")) .withResources(new Resource("resource")) .withConditions( new IpAddressCondition("192.168.143.0/24")), .withPrincipals(Principal.AllUsers) .withActions(new TestAction("action2")) .withResources(new Resource("resource")) .withConditions(new IpAddressCondition("10.1.2.0/24")), new Statement(Effect.Allow) .withPrincipals(Principal.AllUsers) .withActions(new TestAction("action3")) .withResources(new Resource("resource")) .withConditions(new IpAddressCondition(IpAddressComparisonType.NotIpAddress, "192.168.143.188/32")));
Policy policy = new Policy(); policy.withStatements(new Statement(Effect.Allow) .withResources(new Resource("resource")) .withPrincipals(new Principal("accountId1"), new Principal("accountId2")) .withActions(new TestAction("action"))); .withResources(new Resource("resource")) .withPrincipals(new Principal(Services.AmazonEC2), new Principal(Services.AmazonElasticTranscoder)) policy.withStatements(new Statement(Effect.Allow).withResources(new Resource("resource")) .withPrincipals(Principal.All) .withActions(new TestAction("action"))); .withResources(new Resource("resource")) .withPrincipals(Principal.AllUsers, Principal.AllServices, Principal.AllWebProviders)
.withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage) .withResources(new Resource(sqsQueueArn)) .withConditions(ConditionFactory.newSourceArnCondition(snsTopicArn)));
statements.add(new Statement(Statement.Effect.Allow) .withActions(S3Actions.ListObjects) .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKey[0]))); switch (mode) { case READ: statements.add(new Statement(Statement.Effect.Allow) .withActions(S3Actions.GetObject) .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*"))); break; case WRITE: statements.add(new Statement(Statement.Effect.Allow) .withActions(S3Actions.PutObject) .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*"))); break; statements.add(new Statement(Statement.Effect.Allow) .withActions(DynamoDBv2Actions.DescribeTable) .withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table)))); switch (mode) { case READ: statements.add(new Statement(Statement.Effect.Allow) .withActions(DynamoDBv2Actions.Scan) .withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table)))); break; case WRITE: .withResources(new Resource(String.format("arn:aws:elasticmapreduce:*:*:cluster/%s", cluster))));
.withPrincipals(new Principal("*")) .withConditions(ConditionFactory.newSourceArnCondition(snsTopicARN)) .withResources(new Resource(sqsQueueARN)); Policy policy = new Policy("SubscriptionPermission").withStatements(statement);
@Override public String subscribeSnsToQueue(String snsTopic, String queueName) { try { String queueUrl = sqs.getQueueUrl(queueName).getQueueUrl(); LOG.info("Subscribing SNS topic {} to the queue: {}", snsTopic, queueUrl); String queueArn = sqs.getQueueAttributes(queueUrl, ImmutableList.of("QueueArn")).getAttributes().get("QueueArn"); Policy policy = new Policy().withStatements( new Statement(Statement.Effect.Allow) .withActions(SQSActions.SendMessage) .withPrincipals(Principal.All) .withResources(new Resource(queueArn)) .withConditions(ConditionFactory.newSourceArnCondition(snsTopic))); sqs.setQueueAttributes(new SetQueueAttributesRequest() .withQueueUrl(queueUrl) .addAttributesEntry(QueueAttributeName.Policy.toString(), policy.toJson()) ); String snsSubscriptionArn = sns.subscribe(snsTopic, "sqs", queueArn).getSubscriptionArn(); LOG.info("Subscribed SNS to dedicated SQS queue. subscriptionArn: {}", snsSubscriptionArn); return snsSubscriptionArn; } catch (AmazonClientException e) { LOG.info("Failed to subscribe to subscribe SNS to SQS queue", e); throw new RuntimeException(e); } }
private QueueConfig setupSQS(String sqsQueueName) { QueueConfig config = new QueueConfig(); CreateQueueRequest request = new CreateQueueRequest().withQueueName(sqsQueueName); CreateQueueResult result = sqsClient.createQueue(request); config.sqsQueueURL = result.getQueueUrl(); GetQueueAttributesRequest qRequest = new GetQueueAttributesRequest().withQueueUrl(config.sqsQueueURL) .withAttributeNames("QueueArn"); GetQueueAttributesResult qResult = sqsClient.getQueueAttributes(qRequest); config.sqsQueueARN = qResult.getAttributes().get("QueueArn"); Policy sqsPolicy = new Policy().withStatements(new Statement(Effect.Allow).withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage).withResources(new Resource(config.sqsQueueARN))); Map<String, String> queueAttributes = new HashMap<String, String>(); queueAttributes.put("Policy", sqsPolicy.toJson()); sqsClient.setQueueAttributes(new SetQueueAttributesRequest(config.sqsQueueURL, queueAttributes)); return config; }
/** * For retrieving vault inventory. For initializing SQS for determining when * job completed. Does nothing if member snsTopicName is null. Sets members * sqsQueueURL, sqsQueueARN, and sqsClient. */ private void setupSQS() { // If no sqsQueueName setup then simply return if (sqsQueueName == null) return; CreateQueueRequest request = new CreateQueueRequest() .withQueueName(sqsQueueName); CreateQueueResult result = sqsClient.createQueue(request); sqsQueueURL = result.getQueueUrl(); GetQueueAttributesRequest qRequest = new GetQueueAttributesRequest() .withQueueUrl(sqsQueueURL).withAttributeNames("QueueArn"); GetQueueAttributesResult qResult = sqsClient .getQueueAttributes(qRequest); sqsQueueARN = qResult.getAttributes().get("QueueArn"); Policy sqsPolicy = new Policy().withStatements(new Statement( Effect.Allow).withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage) .withResources(new Resource(sqsQueueARN))); Map<String, String> queueAttributes = new HashMap<String, String>(); queueAttributes.put("Policy", sqsPolicy.toJson()); sqsClient.setQueueAttributes(new SetQueueAttributesRequest(sqsQueueURL, queueAttributes)); }
private void setupQueueAndTopic() { String randomSeed = UUID.randomUUID().toString(); String queueName = "glacier-archive-transfer-" + randomSeed; String topicName = "glacier-archive-transfer-" + randomSeed; queueUrl = sqs.createQueue(new CreateQueueRequest(queueName)).getQueueUrl(); topicArn = sns.createTopic(new CreateTopicRequest(topicName)).getTopicArn(); String queueARN = sqs.getQueueAttributes(new GetQueueAttributesRequest(queueUrl).withAttributeNames("QueueArn")).getAttributes().get("QueueArn"); Policy sqsPolicy = new Policy().withStatements( new Statement(Effect.Allow) .withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage) .withResources(new Resource(queueARN)) .withConditions(ConditionFactory.newSourceArnCondition(topicArn))); sqs.setQueueAttributes(new SetQueueAttributesRequest(queueUrl, newAttributes("Policy", sqsPolicy.toJson()))); sns.subscribe(new SubscribeRequest(topicArn, "sqs", queueARN)); }
.withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage) .withResources(new Resource(sqsQueueArn)) .withConditions(ConditionFactory.newSourceArnCondition(snsTopicArn)));
private static BasicSessionCredentials getSessionCredentials() { AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard().withCredentials( new AWSStaticCredentialsProvider(new BasicAWSCredentials(EMBULK_S3_TEST_ACCESS_KEY_ID, EMBULK_S3_TEST_SECRET_ACCESS_KEY)) ).build(); GetFederationTokenRequest getFederationTokenRequest = new GetFederationTokenRequest(); getFederationTokenRequest.setDurationSeconds(7200); getFederationTokenRequest.setName("dummy"); Policy policy = new Policy().withStatements(new Statement(Statement.Effect.Allow) .withActions(S3Actions.ListObjects, S3Actions.GetObject) .withResources( new Resource("arn:aws:s3:::" + EMBULK_S3_TEST_BUCKET + "/" + EMBULK_S3_TEST_PATH_PREFIX + "/*"), new Resource("arn:aws:s3:::" + EMBULK_S3_TEST_BUCKET))); getFederationTokenRequest.setPolicy(policy.toJson()); GetFederationTokenResult federationTokenResult = stsClient.getFederationToken(getFederationTokenRequest); Credentials sessionCredentials = federationTokenResult.getCredentials(); return new BasicSessionCredentials( sessionCredentials.getAccessKeyId(), sessionCredentials.getSecretAccessKey(), sessionCredentials.getSessionToken()); } }