added a locl policy example

scmacdon · rlhagerm · commit 649e09b30055 · 2025-01-29T09:59:13.000-06:00
diff --git a/javav2/example_code/s3/src/main/java/com/example/s3/lockscenario/CreateObjectLockRole.java b/javav2/example_code/s3/src/main/java/com/example/s3/lockscenario/CreateObjectLockRole.java
@@ -0,0 +1,82 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+
+package com.example.s3.lockscenario;
+
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.iam.IamClient;
+import software.amazon.awssdk.services.iam.model.CreateRoleRequest;
+import software.amazon.awssdk.services.iam.model.PutRolePolicyRequest;
+
+public class CreateObjectLockRole {
+    public static void main(String[] args) {
+        createLockRole();
+    }
+
+    // snippet-start:[S3Lock.javav2.lock.role.main]
+    /**
+     * Creates an IAM role for AWS S3 Batch Operations to manage object locks.
+     */
+    public static void createLockRole() {
+        final String roleName = "batch_operations-object-lock1";
+
+        // Trust policy
+        final String trustPolicy = "{"
+            + "\"Version\":\"2012-10-17\","
+            + "\"Statement\":[{"
+            + "\"Effect\":\"Allow\","
+            + "\"Principal\":{"
+            + "\"Service\":\"batchoperations.s3.amazonaws.com\""
+            + "},"
+            + "\"Action\":\"sts:AssumeRole\""
+            + "}]"
+            + "}";
+
+        // Permissions policy
+        final String bopsPermissions = "{"
+            + "\"Version\":\"2012-10-17\","
+            + "\"Statement\":["
+            + "{"
+            + "\"Effect\":\"Allow\","
+            + "\"Action\":\"s3:GetBucketObjectLockConfiguration\","
+            + "\"Resource\":\"arn:aws:s3:::amzn-s3-demo-manifest-bucket\""
+            + "},"
+            + "{"
+            + "\"Effect\":\"Allow\","
+            + "\"Action\":[\"s3:GetObject\",\"s3:GetObjectVersion\",\"s3:GetBucketLocation\"],"
+            + "\"Resource\":\"arn:aws:s3:::amzn-s3-demo-manifest-bucket/*\""
+            + "},"
+            + "{"
+            + "\"Effect\":\"Allow\","
+            + "\"Action\":[\"s3:PutObject\",\"s3:GetBucketLocation\"],"
+            + "\"Resource\":\"arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*\""
+            + "}"
+            + "]"
+            + "}";
+
+        // Create IAM client
+        final IamClient iam = IamClient.builder()
+            .region(Region.US_WEST_2)
+            .build();
+
+        // Create the role with the trust policy
+        final CreateRoleRequest createRoleRequest = CreateRoleRequest.builder()
+            .assumeRolePolicyDocument(trustPolicy)
+            .roleName(roleName)
+            .build();
+
+        iam.createRole(createRoleRequest);
+
+        // Attach the permissions policy to the role
+        final PutRolePolicyRequest putRolePolicyRequest = PutRolePolicyRequest.builder()
+            .policyDocument(bopsPermissions)
+            .policyName("batch_operations-permissions")
+            .roleName(roleName)
+            .build();
+
+        iam.putRolePolicy(putRolePolicyRequest);
+        System.out.println("The object lock role was created.");
+    }
+    // snippet-end:[S3Lock.javav2.lock.role.main]
+}
