如何通过 boto 获取 IAM 政策文件

Question

I am trying to get the details of a aws IAM Policy via boto to be able to backup or replicate IAM policies via script. I have searched the docs of boto 2 and 3 but did not find any possibility to get the json data of a configured policy.

What I (successfully) did:

• Created a policy via IAM Management console
• Assigned it to a role
• Used it for creation of ec2 instances via boto

But I cannot find a way to retrieve the associated JSON data ('Policy Document' in Management Console) to get it in boto.

What I tried with boto:

import boto.iam
REGION_NAME = 'eu-west-1'
iam_conn = boto.iam.connect_to_region(REGION_NAME)
arn = 'arn:myproperlyformattedarn'
p = iam_conn.get_policy(arn)
print p

result:

{
    "get_policy_response": {
        "response_metadata": {
            "request_id": "XXXXX-XXXX-XXXX-XXXX-XXXX"
        },
        "get_policy_result": {
            "policy": {
                "update_date": "2016-04-15T12:51:21Z",
                "create_date": "2016-04-15T12:51:21Z",
                "is_attachable": "true",
                "policy_name": "My_Policy_Name",
                "default_version_id": "v1",
                "attachment_count": "1",
                "path": "/",
                "arn": "arn:aws:iam::123456789:policy/VerticaTest_GetConfigsFromS3",
                "policy_id": "XXXSOMELONGSTRINGXXXX"
            }
        }
    }
}

What I am after is something like this (the policy document in Management Console):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}

Answer 1

Please move to boto3.

Approach this from the policy side: Identify the Policy ARN, Identify the Policy DefaultVersionId using the ARN, Retrieve the PolicyDocument using ARN and DefaultVersionId.

import boto3
import json

arn = 'arn:aws:iam::aws:policy/AdministratorAccess'

iam = boto3.client('iam')
policy = iam.get_policy(
    PolicyArn = arn
)
policy_version = iam.get_policy_version(
    PolicyArn = arn, 
    VersionId = policy['Policy']['DefaultVersionId']
)

print(json.dumps(policy_version['PolicyVersion']['Document']))
print(json.dumps(policy_version['PolicyVersion']['Document']['Statement']))

Run this code and pipe the output to "jq ." and you get the following output:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

[
  {
    "Action": "*",
    "Resource": "*",
    "Effect": "Allow"
  }
]

You specifically requested the Actions / Statement in your question. I printed the 'Document' and 'Statement' properties to show the differences.

http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_policy http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_policy_version

Answer 2

Please switch to boto3 as there is better support and documentation. As in boto3 documentation, get_policy() doesn't give you policydocument.

The best I can get is get_account_authorization_details()

http://boto3.readthedocs.org/en/latest/reference/services/iam.html#IAM.Client.get_account_authorization_details

I did a quick check under cli, just substitute all the command to boto3 then you are all good to go.

aws iam get-account-authorization-details --filter 'LocalManagedPolicy'

Answer 3

I think you can use the following:

get_policy(policy_arn)
Get policy information.

Parameters: policy_arn (string) – The ARN of the policy to get information for

get_policy_version(policy_arn, version_id)¶
Get policy information.

Parameters: 
policy_arn (string) – The ARN of the policy to get information for a specific version
version_id (string) – The id of the version to get information for

http://boto.cloudhackers.com/en/latest/ref/iam.html