Class AWS::IAM
In: lib/aws/iam/server_certificate_collection.rb
lib/aws/iam/resource.rb
lib/aws/iam/virtual_mfa_device_collection.rb
lib/aws/iam/errors.rb
lib/aws/iam/collection.rb
lib/aws/iam/group.rb
lib/aws/iam/account_alias_collection.rb
lib/aws/iam/user_policy.rb
lib/aws/iam/group_user_collection.rb
lib/aws/iam/signing_certificate.rb
lib/aws/iam/mfa_device.rb
lib/aws/iam/policy.rb
lib/aws/iam/signing_certificate_collection.rb
lib/aws/iam/virtual_mfa_device.rb
lib/aws/iam/request.rb
lib/aws/iam/policy_collection.rb
lib/aws/iam/user_policy_collection.rb
lib/aws/iam/client.rb
lib/aws/iam/group_policy_collection.rb
lib/aws/iam/mfa_device_collection.rb
lib/aws/iam/user_collection.rb
lib/aws/iam/server_certificate.rb
lib/aws/iam/access_key.rb
lib/aws/iam/user.rb
lib/aws/iam/user_group_collection.rb
lib/aws/iam/access_key_collection.rb
lib/aws/iam/group_collection.rb
lib/aws/iam/login_profile.rb
lib/aws/iam.rb
Parent: Object

This class is the starting point for working with AWS Identity and Access Management (IAM).

For more information about IAM:

# Credentials

You can setup default credentials for all AWS services via AWS.config:

    AWS.config(
      :access_key_id => 'YOUR_ACCESS_KEY_ID',
      :secret_access_key => 'YOUR_SECRET_ACCESS_KEY')

Or you can set them directly on the IAM interface:

    iam = AWS::IAM.new(
      :access_key_id => 'YOUR_ACCESS_KEY_ID',
      :secret_access_key => 'YOUR_SECRET_ACCESS_KEY')

# Account Summary

You can get account level information about entity usage and IAM quotas directly from an IAM interface object.

    summary = iam.account_summary

    puts "Num users: #{summary[:users]}"
    puts "Num user quota: #{summary[:users_quota]}"

For a complete list of summary attributes see the {account_summary} method.

# Account Aliases

Currently IAM only supports a single account alias for each AWS account. You can set the account alias on the IAM interface.

    iam.account_alias = 'myaccountalias'
    iam.account_alias
    #=> 'myaccountalias'

You can also remove your account alias:

    iam.remove_account_alias
    iam.account_alias
    #=> nil

# Access Keys

You can create up to 2 access for your account and 2 for each user. This makes it easy to rotate keys if you need to. You can also deactivate/activate access keys.

    # get your current access key
    old_access_key = iam.access_keys.first

    # create a new access key
    new_access_key = iam.access_keys.create
    new_access_key.credentials
    #=> { :access_key_id => 'ID', :secret_access_key => 'SECRET' }

    # go rotate your keys/credentials ...

    # now disable the old access key
    old_access_key.deactivate!

    # go make sure everything still works ...

    # all done, lets clean up
    old_access_key.delete

Users can also have access keys:

    u = iam.users['someuser']
    access_key = u.access_keys.create
    access_key.credentials
    #=> { :access_key_id => 'ID', :secret_access_key => 'SECRET' }

See {AccessKeyCollection} and {AccessKey} for more information about working with access keys.

# Users & Groups

Each AWS account can have multiple users. Users can be used to easily manage permissions. Users can also be organized into groups.

    user = iam.users.create('JohnDoe')
    group = iam.groups.create('Developers')

    # add a user to a group
    user.groups.add(group)

    # remove a user from a group
    user.groups.remove(group)

    # add a user to a group
    group.users.add(user)

    # remove a user from a group
    group.users.remove(user)

See {User}, {UserCollection}, {Group} and {GroupCollection} for more information on how to work with users and groups.

# Other Interfaces

Other useful IAM interfaces:

@!attribute [r] client

  @return [Client] the low-level IAM client object

Methods

Included Modules

Core::ServiceInterface

Classes and Modules

Module AWS::IAM::Collection
Module AWS::IAM::Errors
Module AWS::IAM::PolicyCollection
Class AWS::IAM::AccessKey
Class AWS::IAM::AccessKeyCollection
Class AWS::IAM::AccountAliasCollection
Class AWS::IAM::Client
Class AWS::IAM::Group
Class AWS::IAM::GroupCollection
Class AWS::IAM::GroupPolicyCollection
Class AWS::IAM::GroupUserCollection
Class AWS::IAM::LoginProfile
Class AWS::IAM::MFADevice
Class AWS::IAM::MFADeviceCollection
Class AWS::IAM::Policy
Class AWS::IAM::Request
Class AWS::IAM::Resource
Class AWS::IAM::ServerCertificate
Class AWS::IAM::ServerCertificateCollection
Class AWS::IAM::SigningCertificate
Class AWS::IAM::SigningCertificateCollection
Class AWS::IAM::User
Class AWS::IAM::UserCollection
Class AWS::IAM::UserGroupCollection
Class AWS::IAM::UserPolicy
Class AWS::IAM::UserPolicyCollection
Class AWS::IAM::VirtualMfaDevice
Class AWS::IAM::VirtualMfaDeviceCollection

Public Instance methods

Returns a collection that represents the access keys for this AWS account.

    iam = AWS::IAM.new
    iam.access_keys.each do |access_key|
      puts access_key.id
    end

@return [AccessKeyCollection] Returns a collection that represents all

  access keys for this AWS account.

@return [String,nil] Returns the account alias. If this account has

  no alias, then `nil` is returned.

Sets the account alias for this AWS account. @param [String] account_alias @return [String] Returns the account alias passed.

@api private

Returns the account password policy details as a hash. This method returns nil if no password policy has been set for this account.

    # set the policy
    iam.update_account_password_policy :minimum_password_length => 8

    iam.account_password_policy
    #=> {:require_symbols=>false, :require_numbers=>false, :require_uppercase_characters=>false, :require_lowercase_characters=>false, :minimum_password_length=>8}

@return [Hash,nil]

Retrieves account level information about account entity usage and IAM quotas. The returned hash contains the following keys:

  • `:users` - Number of users for the AWS account
  • `:users_quota` - Maximum users allowed for the AWS account
  • `:groups` - Number of Groups for the AWS account
  • `:groups_quota` - Maximum Groups allowed for the AWS account
  • `:server_certificates` - Number of Server Certificates for the AWS account
  • `:server_certificates_quota` - Maximum Server Certificates allowed for the AWS account
  • `:user_policy_size_quota` - Maximum allowed size for user policy documents (in kilobytes)
  • `:group_policy_size_quota` - Maximum allowed size for Group policy documents (in kilobyes)
  • `:groups_per_user_quota` - Maximum number of groups a user can belong to
  • `:signing_certificates_per_user_quota` - Maximum number of X509 certificates allowed for a user
  • `:access_keys_per_user_quota` - Maximum number of access keys that can be created per user

@return [Hash]

Changes the web password associated with the current IAM user. In order to change your password you must configure the sdk to use your IAM user credentials.

To change a user password, you must be using credentials from the user you want to change:

    # pass in a key pair generated for the user you want to change
    # the password for
    iam = AWS::IAM.new(:access_key_id => '...', :secret_access_key => '...)
    iam.change_password('old-password', 'new-password')

@param [String] old_password

@param [String] new_password

@return [nil]

Removes the account password policy. @return [nil]

Returns a collection that represents all AWS groups for this account:

@example Getting a group by name

  group = iam.groups['groupname']

@example Enumerating groups

  iam.groups.each do |group|
    puts group.name
  end

@return [GroupCollection] Returns a collection that represents all of

  the IAM groups for this AWS account.

Deletes the account alias (if one exists). @return [nil]

@note Currently, Amazon Elastic Load Balancing is the only

  service to support the use of server certificates with
  IAM. Using server certificates with Amazon Elastic Load
  Balancing is described in the
  {http://docs.amazonwebservices.com/ElasticLoadBalancing/latest/DeveloperGuide/US_SettingUpLoadBalancerHTTPSIntegrated.html
  Amazon Elastic Load Balancing} Developer Guide.

Returns a collection that represents the server certificates for this AWS account.

    iam = AWS::IAM.new
    iam.server_certificates.each do |cert|
      # ...
    end

@return [ServerCertificateCollection] Returns a collection that

  represents server certificates for this AWS account.

Returns a collection that represents the signing certificates for this AWS account.

    iam = AWS::IAM.new
    iam.signing_certificates.each do |cert|
      # ...
    end

If you need to access the signing certificates of a specific user, see {User#signing_certificates}.

@return [SigningCertificateCollection] Returns a collection that

  represents signing certificates for this AWS account.

Updates the account password policy for all IAM accounts. @param [Hash] options @option options [Integer] :minimum_password_length @option options [Boolean] :require_symbols @option options [Boolean] :require_numbers @option options [Boolean] :require_uppercase_characters @option options [Boolean] :require_lowercase_characters @return [nil]

Returns a collection that represents all AWS users for this account:

@example Getting a user by name

  user = iam.users['username']

@example Enumerating users

  iam.users.each do |user|
    puts user.name
  end

@return [UserCollection] Returns a collection that represents all of

  the IAM users for this AWS account.

Returns a collection that represents the virtual MFA devices that are not assigned to an IAM user.

    iam = AWS::IAM.new
    iam.virtual_mfa_devices.each do |cert|
      # ...
    end

@return [VirtualMfaDeviceCollection] Returns a collection that

  represents the virtual MFA devices that are not assigned to an
  IAM user.

[Validate]