NAME
VM::EC2::Security::Policy -- Simple IAM policy generator for EC2
SYNOPSIS

    my $policy = VM::EC2::Security::Policy->new;
    $policy->allow('Describe*','CreateVolume','delete_volume');
    $policy->deny('DescribeVolumes');
    print $policy->as_string;
DESCRIPTION
This is a very simple Identity and Access Management (IAM) policy statement
generator that works well enough to create policies controlling access to EC2
resources. It is not fully general across all AWS services.
METHODS
This section describes the methods available to VM::EC2::Security::Policy. You
create a new, empty policy with new(), grant access to EC2 actions with
allow(), and deny access to EC2 actions with deny(). When you are done, either
call as_string(), or simply use the policy object in a string context, to get a
properly formatted policy string.

allow() and deny() return the modified object, so method calls can be chained.
For example:

    my $p = VM::EC2::Security::Policy->new
               ->allow('Describe*')
               ->deny('DescribeImages','DescribeInstances');
    print $p;
$policy = VM::EC2::Security::Policy->new()
This class method creates a new, empty policy object. Because IAM denies any
action that no statement allows, a fresh policy object denies all access to
EC2 resources until you add allow() statements.
$policy->allow('action1','action2','action3',...)
Grant access to the listed EC2 actions. You may specify actions using Amazon's
MixedCase notation (e.g. "DescribeInstances") or VM::EC2's more Perlish
underscore notation (e.g. "describe_instances"); both spellings name the same
action. You can find the list of actions in VM::EC2, or in the Amazon API
documentation at
http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/OperationList-query.html.
The "*" wildcard matches a series of operations with a common prefix. For
example, to allow all Describe operations:

    $policy->allow('Describe*')

Keep the list to the actions the token holder actually needs: a wildcard such
as 'Describe*' lets the holder enumerate every instance, volume, snapshot and
security group in the account. As described earlier, allow() returns the
object, making it easy to chain methods.
$policy->deny('action1','action2','action3',...)
Similar to allow(), but denies access to the listed actions. An explicit deny
takes precedence over any allow, including a wildcard allow, so
allow('Describe*') followed by deny('DescribeVolumes') permits every Describe
call except DescribeVolumes. An action matched by neither an allow nor a deny
is denied by default. As described earlier, deny() returns the object, making
it easy to chain methods.
$string = $policy->as_string
Converts the policy into a JSON string that can be passed to
VM::EC2->get_federation_token(), or to other AWS libraries. Note that a policy
passed to get_federation_token() can only restrict, never extend, the
permissions of the IAM user making the call: the temporary credentials receive
the intersection of this policy and that user's own permissions.
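The following script is an added example and is not part of the VM::EC2
distribution. It builds the SYNOPSIS policy, decodes the JSON that as_string()
produces with the core JSON::PP module, and evaluates several operation names
against it under the IAM rules described above (an explicit deny wins; anything
matched by no allow is denied). It assumes the generated document has the
standard IAM shape, a "Statement" list whose entries carry "Effect" and
"Action" (a string or a list of strings, with or without the "ec2:" prefix);
the action_re and evaluate subroutines are the example's own, not methods of
the module.

```perl
#!/usr/bin/env perl
# Added example, not part of VM::EC2: build a policy, then check which
# operations it permits under IAM evaluation rules (explicit deny beats
# allow; anything matched by no allow is denied by default).
use strict;
use warnings;
use JSON::PP;                          # core module, no extra install
use VM::EC2::Security::Policy;

# Same policy as the SYNOPSIS: every Describe call except DescribeVolumes,
# plus volume creation and deletion (one action in each notation).
my $policy = VM::EC2::Security::Policy->new
    ->allow('Describe*', 'CreateVolume', 'delete_volume')
    ->deny('DescribeVolumes');

print $policy;                         # string overloading calls as_string()

# Assumption: the JSON has the usual IAM shape, a "Statement" list whose
# entries carry "Effect" and "Action" (a string or a list of strings).
my $doc   = JSON::PP->new->decode("$policy");
my $stmts = $doc->{Statement};
$stmts = [$stmts] if ref $stmts eq 'HASH';   # tolerate a single statement

# Turn an IAM action pattern such as "ec2:Describe*" into a case-insensitive
# regex. "*" and "?" are the only wildcards IAM recognises in Action, and
# the "ec2:" service prefix is dropped so bare operation names compare equal.
sub action_re {
    my $pat = lc shift;
    $pat =~ s/^ec2://;
    my $re = quotemeta $pat;
    $re =~ s/\\\*/.*/g;
    $re =~ s/\\\?/./g;
    return qr/^$re\z/;
}

# Decide Allow or Deny for one operation name against the statement list.
sub evaluate {
    my ($statements, $op) = @_;
    my $name = lc $op;
    $name =~ s/^ec2://;
    my $allowed = 0;
    for my $s (@$statements) {
        my @actions = ref $s->{Action} ? @{ $s->{Action} } : ($s->{Action});
        next unless grep { $name =~ action_re($_) } @actions;
        return 'Deny' if lc $s->{Effect} eq 'deny';   # explicit deny wins
        $allowed = 1;
    }
    return $allowed ? 'Allow' : 'Deny';               # default deny
}

for my $op (qw(DescribeInstances DescribeVolumes CreateVolume
               DeleteVolume TerminateInstances)) {
    printf "%-20s %s\n", $op, evaluate($stmts, $op);
}
```

The evaluator looks only at Effect and Action, so it reports Deny for
DescribeVolumes and TerminateInstances and Allow for the other three; it
ignores any Resource or Condition elements. Running the same check against the
list of operations a workflow needs, before handing the string to
get_federation_token(), catches a policy that is broader or narrower than
intended while it is still cheap to fix.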
STRING OVERLOADING
When used in a string context, this object interpolates as the policy JSON
string returned by as_string().
SEE ALSO
VM::EC2 VM::EC2::Generic
AUTHOR
Lincoln Stein <lincoln.stein@gmail.com>.
Copyright (c) 2011 Ontario Institute for Cancer Research
This package and its accompanying libraries are free software; you can
redistribute it and/or modify it under the terms of the GPL (either version 1,
or at your option, any later version) or the Artistic License 2.0. Refer to
LICENSE for the full license text. In addition, please see DISCLAIMER.txt for
disclaimers of warranty.