Net::Amazon::IAM - Perl interface to the Amazon Identity and Access Management.
This is Net::Amazon::IAM version 0.05
IAM Query API version: '2010-05-08'
use Net::Amazon::IAM; my $iam = Net::Amazon::IAM->new( AWSAccessKeyId => 'PUBLIC_KEY_HERE', SecretAccessKey => 'SECRET_KEY_HERE', return_errors => 0, # which is default ); # prepare user policy document my $policy_document = { Version => '2012-10-17', Statement => [ { Effect => 'Allow', Action => [ 's3:Get*', 's3:List*', ], Resource => [ 'arn:aws:s3:::sometestbucket', 'arn:aws:s3:::sometestbucket/*', ], }, ], }; try { # create new user my $user = $iam->create_user( UserName => 'testuser', Path => '/path/to/test/users/', ); # Add an inline user policy document. my $policy = $iam->put_user_policy ( PolicyName => 'somtestpolicy', UserName => 'sometestuser', PolicyDocument => $policy_document, ); print $user->UserId . "\n"; print $policy->PolicyId . "\n"; } catch { my $error = shift(); print $error->as_string() . "\n"; }
If an error occurs while communicating with IAM, these methods will throw a Net::Amazon::IAM::Error exception.
This module is a Perl interface to Amazon's Identity and Access Management (IAM). It uses the Query API to communicate with Amazon's Web Services framework.
This is the constructor, it will return you a Net::Amazon::IAM object to work with. It takes these parameters:
Your AWS access key.
Your secret key, WARNING! don't give this out or someone will be able to use your account and incur charges on your behalf.
A flag to turn on debugging. Among other useful things, it will make the failing api calls print a stack trace. It is turned off by default.
A flag to enable returning errors as objects instead of throwing them as exceptions.
Create new IAM user
New user username
Where to create new user
Returns a Net::Amazon::IAM::User object on success or Net::Amazon::IAM::Error on fail.
Delete IAM User
What user should be deleted
Returns true on success or Net::Amazon::IAM::Error on fail.
Get IAM user details
Updates the name and/or the path of the specified user.
Name of the user to update. If you're changing the name of the user, this is the original user name.
New path for the user. Include this parameter only if you're changing the user's path.
New name for the user. Include this parameter only if you're changing the user's name.
Lists the IAM users that have the specified path prefix. If no path prefix is specified, the action returns all users in the AWS account.
Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.
Use this parameter only when paginating results to indicate the maximum number of user names you want in the response. If there are additional user names beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.
The path prefix for filtering the results. For example: /division_abc/subdivision_xyz/, which would get all user names whose path starts with /division_abc/subdivision_xyz/.
Returns Net::Amazon::IAM::Users object on success or Net::Amazon::IAM::Error on fail.
Adds the specified user to the specified group.
The name of the group to update.
The name of the user to add.
Removes the specified user from the specified group.
The name of the user to remove.
Creates a new group.
The name of the group to create.
The path to the group.
Returns Net::Amazon::IAM::Group object on success or Net::Amazon::IAM::Error on fail.
Returns group details and list of users that are in the specified group.
The name of the group.
Use this only when paginating results to indicate the maximum number of groups you want in the response. If there are additional groups beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.
Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.
Returns Net::Amazon::IAM::GetGroupResult object on success or Net::Amazon::IAM::Error on fail.
Deletes the specified group. The group must not contain any users or have any attached policies.
The name of the group to delete.
Lists the groups that have the specified path prefix.
The path prefix for filtering the results. For example, the prefix /division_abc/subdivision_xyz/ gets all groups whose path starts with /division_abc/subdivision_xyz/.
Returns Net::Amazon::IAM::Groups object on success or Net::Amazon::IAM::Error on fail.
Creates a new managed policy for your AWS account.
The name of the policy document.
The policy document.
A friendly description of the policy.
The path for the policy.
Returns Net::Amazon::IAM::Policy object on success or Net::Amazon::IAM::Error on fail.
Retrieves information about the specified managed policy.
The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.
Deletes the specified managed policy.
Lists all the managed policies that are available to your account, including your own customer managed policies and all AWS managed policies.
You can filter the list of policies that is returned using the optional OnlyAttached, Scope, and PathPrefix parameters. For example, to list only the customer managed policies in your AWS account, set Scope to Local. To list only AWS managed policies, set Scope to AWS.
A flag to filter the results to only the attached policies. When OnlyAttached is true, the returned list contains only the policies that are attached to a user, group, or role. When OnlyAttached is false, or when the parameter is not included, all policies are returned.
The path prefix for filtering the results. If it is not included, it defaults to a slash (/), listing all policies.
The scope to use for filtering the results.
To list only AWS managed policies, set Scope to AWS. To list only the customer managed policies in your AWS account, set Scope to Local. If it is not included, or if it is set to All, all policies are returned.
Maximum number of policies to retrieve.
If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
Example: my $policies = $iam->list_policies( MaxItems => 1 );
while($policies->IsTruncated eq 'true') { for my $policy(@{$policies->{'Policies'}}) { print $policy->PolicyId . "\n"; } $policies = $iam->list_policies( MaxItems => 50, Marker => $policies->Marker, ); }
Returns Net::Amazon::IAM::Policies on success or Net::Amazon::IAM::Error on fail. When no policies found, the Policies attribute will be just empty array.
Retrieves information about the specified version of the specified managed policy, including the policy document.
Identifies the policy version to retrieve.
Returns Net::Amazon::IAM::PolicyVersion on success or Net::Amazon::IAM::Error on fail.
Sets the specified version of the specified policy as the policy's default (operative) version.
The version of the policy to set as the default (operative) version.
Lists information about the versions of the specified managed policy, including the version that is set as the policy's default version.
Use this parameter only when paginating results to indicate the maximum number of policy versions you want in the response.
Returns Net::Amazon::IAM::PolicyVersions on success or Net::Amazon::IAM::Error on fail.
Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version.
Optionally, you can set the new version as the policy's default version. The default version is the operative version; that is, the version that is in effect for the IAM users, groups, and roles that the policy is attached to.
Specifies whether to set this version as the policy's default version.
When this parameter is true, the new policy version becomes the operative version; that is, the version that is in effect for the IAM users, groups, and roles that the policy is attached to.
The policy version to delete.
Adds (or updates) an inline policy document that is embedded in the specified user.
The policy document. Must be HashRef.
The name of the user to associate the policy with.
Retrieves the specified inline policy document that is embedded in the specified user.
The name of the policy document to get.
The name of the user who the policy is associated with.
Returns Net::Amazon::IAM::UserPolicy object on success or Net::Amazon::IAM::Error on fail.
Deletes the specified inline policy that is embedded in the specified user.
The name identifying the policy document to delete.
The name (friendly name, not ARN) identifying the user that the policy is embedded in.
Lists the names of the inline policies embedded in the specified user.
The name of the user to list policies for.
When found one or more policies, this method will return ArrayRef with policy names. Once no policies found, will return undef. Net::Amazon::IAM::Error will be returned on error.
Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.
Important:
To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.
The user name that the new key will belong to.
Returns Net::Amazon::IAM::AccessKey object on success or Net::Amazon::IAM::Error on fail.
Deletes the access key associated with the specified user.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.
The access key ID for the access key ID and secret access key you want to delete.
The name of the user whose key you want to delete.
Changes the status of the specified access key from Active to Inactive, or vice versa. This action can be used to disable a user's key as part of a key rotation work flow.
If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.
The access key ID of the secret access key you want to update.
The status you want to assign to the secret access key. Active means the key can be used for API calls to AWS, while Inactive means the key cannot be used.
The name of the user whose key you want to update.
Returns information about the access key IDs associated with the specified user. If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.
The name of the user.
Returns Net::Amazon::IAM::AccessKeysList on success. If specified user has no keys, "Keys" attribute of Net::Amazon::IAM::AccessKeysList object will be just empty array. Returns Net::Amazon::IAM::Error on fail.
Creates a new role for your AWS account.
The example policy grants permission to an EC2 instance to assume the role. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }
The policy that grants an entity permission to assume the role.
The name of the role to create.
The path to the role.
Returns Net::Amazon::IAM::Role object on success or Net::Amazon::IAM::Error on fail.
Retrieves information about the specified role.
The name of the role to get information about.
Use this parameter only when paginating results to indicate the maximum number of roles you want in the response. If there are additional roles beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.
The path prefix for filtering the results. For example, the prefix /application_abc/component_xyz/ gets all roles whose path starts with /application_abc/component_xyz/.
This parameter is optional. If it is not included, it defaults to a slash (/), listing all roles.
Returns Net::Amazon::IAM::Roles object on success or Net::Amazon::IAM::Error on fail.
Deletes the specified role. The role must not have any policies attached.
Make sure you do not have any Amazon EC2 instances running with the role you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.
The name of the role to delete.
Adds (or updates) an inline policy document that is embedded in the specified role.
The name of the role to associate the policy with.
Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user.
The seed information contained in the QR code and the Base32 string should be treated like any other secret access information, such as your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.
The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.
The path for the virtual MFA device.
Returns Net::Amazon::IAM::VirtualMFADevice object on success or Net::Amazon::IAM::Error on fail.
This method wasn't tested
Deletes a virtual MFA device.
Note:
You must deactivate a user's virtual MFA device before you can delete it.
The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the same as the ARN.
Lists the virtual MFA devices under the AWS account by assignment status.
Use this parameter only when paginating results to indicate the maximum number of VirtualMFADevices you want in the response. If there are additional devices beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.
The status (unassigned or assigned) of the devices to list. If you do not specify an AssignmentStatus, the action defaults to Any which lists both assigned and unassigned virtual MFA devices.
Valid Values: Assigned | Unassigned | Any
Returns Net::Amazon::IAM::MFADevices object on success or Net::Amazon::IAM::Error on fail.
Enables the specified MFA device and associates it with the specified user name. When enabled, the MFA device is required for every subsequent login by the user name associated with the device.
An authentication code emitted by the device.
A subsequent authentication code emitted by the device.
The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.
The name of the user for whom you want to enable the MFA device.
The name of the user whose MFA device you want to deactivate.
Use this parameter only when paginating results to indicate the maximum number of MFADevices you want in the response. If there are additional devices beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.
The name of the user whose MFA devices you want to list.
Creates a new instance profile.
The name of the instance profile to create.
The path to the instance profile.
Returns Net::Amazon::IAM::InstanceProfile object on success or Net::Amazon::IAM::Error on fail.
Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role.
The name of the instance profile to get information about.
Lists the instance profiles that have the specified path prefix.
Use this parameter only when paginating results to indicate the maximum number of instance profiles you want in the response. If there are additional instance profiles beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.
The path prefix for filtering the results. For example, the prefix /application_abc/component_xyz/ gets all instance profiles whose path starts with /application_abc/component_xyz/.
Returns Net::Amazon::IAM::InstanceProfiles object on success or Net::Amazon::IAM::Error on fail.
Deletes the specified instance profile. The instance profile must not have an associated role.
The name of the instance profile to delete.
Adds the specified role to the specified instance profile.
The name of the instance profile to update.
The name of the role to add.
Removes the specified role from the specified instance profile.
Make sure you do not have any Amazon EC2 instances running with the role you are about to remove from the instance profile. Removing a role from an instance profile that is associated with a running instance will break any applications running on the instance.
The name of the role to remove.
Lists the instance profiles that have the specified associated role.
The name of the role to list instance profiles for.
The name of the user to create a password for.
The new password for the user.
Specifies whether the user is required to set a new password on next sign-in.
Returns Net::Amazon::IAM::LoginProfile object on success or Net::Amazon::IAM::Error on fail.
Deletes the password for the specified user, which terminates the user's ability to access AWS services through the AWS Management Console.
Important: Deleting a user's password does not prevent a user from accessing IAM through the command line interface or the API. To prevent all user access you must also either make the access key inactive or delete it. For more information about making keys inactive or deleting them, see update_access_key and delete_access_key.
The name of the user whose password you want to delete.
Retrieves the user name and password-creation date for the specified user. If the user has not been assigned a password, the action returns a 404 (NoSuchEntity) error.
The name of the user whose login profile you want to retrieve.
Changes the password for the specified user.
The name of the user whose password you want to update.
The new password for the specified user.
Require the specified user to set a new password on next sign-in.
Updates the policy that grants an entity permission to assume a role.
The name of the role to update.
Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect provider.
This action is idempotent; it does not fail or return an error if you add an existing client ID to the provider.
The client ID (also known as audience) to add to the IAM OpenID Connect provider.
The Amazon Resource Name (ARN) of the IAM OpenID Connect (OIDC) provider to add the client ID to.
Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)
You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider.
A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s). Typically this list includes only one entry. However, IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates.
The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.
You must provide at least one thumbprint when creating an IAM OIDC provider. For example, if the OIDC provider is server.example.com and the provider stores its keys at "https://keys.server.example.com/openid-connect", the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com.
The URL of the identity provider. The URL must begin with "https://" and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a host name, like "https://server.example.org" or "https://example.com".
You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.
Returns OpenIDConnectProviderArn on success or Net::Amazon::IAM::Error on fail.
Deletes an IAM OpenID Connect identity provider.
Deleting an OIDC provider does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a provider that has been deleted will fail.
This action is idempotent; it does not fail or return an error if you call the action for a provider that was already deleted.
The Amazon Resource Name (ARN) of the IAM OpenID Connect provider to delete.
The name of the group the policy is associated with.
Returns Net::Amazon::IAM::GroupPolicy on success or Net::Amazon::IAM::Error on fail.
* missing some ( a lot of ) methods
* missing tests
* list_user_policies returns just an ArrayRef.
http://docs.aws.amazon.com/IAM/latest/APIReference/Welcome.html
Igor Tsigankov <tsiganenok@gmail.com>
Copyright (c) 2015 Igor Tsigankov.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
To install Net::Amazon::IAM, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Net::Amazon::IAM
CPAN shell
perl -MCPAN -e shell install Net::Amazon::IAM
For more information on module installation, please visit the detailed CPAN module installation guide.