List of usage examples for com.amazonaws.auth.policy Principal Principal
public Principal(String provider, String id, boolean stripHyphen)
From source file: com.nike.cerberus.service.KmsPolicyService.java
License: Apache License
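/**
 * Builds the standard KMS key policy for a Cerberus-managed key as a JSON document.
 *
 * <p>The policy contains four {@code Allow} statements, in this order:
 * <ol>
 *   <li>{@code rootUserArn} gets every KMS action,</li>
 *   <li>{@code adminRoleArn} gets every KMS action,</li>
 *   <li>{@code cmsRoleArn} gets Encrypt, Decrypt, ReEncrypt*, GenerateDataKey* and DescribeKey,</li>
 *   <li>the target role {@code arn:aws:iam::<accountId>:role/<roleName>} gets Decrypt only.</li>
 * </ol>
 * Every statement uses the resource {@code "*"}; in a KMS key policy this refers to the key the
 * policy is attached to, not to every key in the account. Principals are created with
 * {@code stripHyphen = false} so the ARNs are emitted exactly as supplied.
 *
 * <p>{@code AWS_PROVIDER}, {@code rootUserArn}, {@code adminRoleArn} and {@code cmsRoleArn} are
 * fields of the enclosing class and are assumed to be set before this method is called.
 *
 * @param iamRoleAccountId the AWS account id of the IAM role that is granted Decrypt
 * @param iamRoleName      the name of that IAM role
 * @return the key policy serialized as JSON
 * @throws IllegalArgumentException if either argument is {@code null} or blank
 */
public String generateStandardKmsPolicy(final String iamRoleAccountId, final String iamRoleName) {
    // Fail fast: a null or blank value would otherwise be interpolated into the
    // principal ARN ("arn:aws:iam::null:role/null"), yielding a policy that names
    // an unintended or non-existent principal instead of an obvious error here.
    requireNonBlank(iamRoleAccountId, "iamRoleAccountId");
    requireNonBlank(iamRoleName, "iamRoleName");

    final String targetRoleArn =
            String.format("arn:aws:iam::%s:role/%s", iamRoleAccountId, iamRoleName);

    Policy kmsPolicy = new Policy();
    // Statement order is preserved from the original hand-built policy.
    kmsPolicy.withStatements(
            allowStatement("Root User Has All Actions", rootUserArn, KmsActions.AllKmsActions),
            allowStatement("Admin Role Has All Actions", adminRoleArn, KmsActions.AllKmsActions),
            allowStatement("CMS Role Key Access", cmsRoleArn,
                    KmsActions.EncryptAction,
                    KmsActions.DecryptAction,
                    KmsActions.AllReEncryptActions,
                    KmsActions.AllGenerateDataKeyActions,
                    KmsActions.DescribeKey),
            allowStatement("Target IAM Role Has Decrypt Action", targetRoleArn, KmsActions.DecryptAction));
    return kmsPolicy.toJson();
}

/**
 * Creates one {@code Allow} statement granting {@code actions} on resource {@code "*"} to the
 * single AWS principal {@code principalArn}.
 *
 * @param id           the statement id (Sid)
 * @param principalArn the ARN of the principal to grant; passed through unmodified
 * @param actions      the KMS actions to allow
 * @return the populated statement
 */
private Statement allowStatement(final String id, final String principalArn, final KmsActions... actions) {
    Statement statement = new Statement(Statement.Effect.Allow);
    statement.withId(id);
    // stripHyphen=false: the ARN is used verbatim as the principal id.
    statement.withPrincipals(new Principal(AWS_PROVIDER, principalArn, false));
    statement.withActions(actions);
    statement.withResources(new Resource("*"));
    return statement;
}

/**
 * Rejects {@code null} or whitespace-only values so they can never reach an ARN template.
 *
 * @param value the argument to check
 * @param name  the argument name used in the error message
 * @throws IllegalArgumentException if {@code value} is {@code null} or blank
 */
private static void requireNonBlank(final String value, final String name) {
    if (value == null || value.trim().isEmpty()) {
        throw new IllegalArgumentException(name + " must not be null or blank");
    }
}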