[英]How to get IAM Policy Document via boto
I am trying to get the details of a aws IAM Policy via boto to be able to backup or replicate IAM policies via script.我正在尝试通过 boto 获取 aws IAM 策略的详细信息,以便能够通过脚本备份或复制 IAM 策略。 I have searched the docs of boto 2 and 3 but did not find any possibility to get the json data of a configured policy.
我已经搜索了 boto 2 和 3 的文档,但没有找到任何获取配置策略的 json 数据的可能性。
What I (successfully) did:我(成功)做了什么:
But I cannot find a way to retrieve the associated JSON data ('Policy Document' in Management Console) to get it in boto.但是我找不到一种方法来检索关联的 JSON 数据(管理控制台中的“策略文档”)以在 boto 中获取它。
What I tried with boto:我用 boto 尝试了什么:
import boto.iam
REGION_NAME = 'eu-west-1'
iam_conn = boto.iam.connect_to_region(REGION_NAME)
arn = 'arn:myproperlyformattedarn'
p = iam_conn.get_policy(arn)
print p
result:结果:
{
"get_policy_response": {
"response_metadata": {
"request_id": "XXXXX-XXXX-XXXX-XXXX-XXXX"
},
"get_policy_result": {
"policy": {
"update_date": "2016-04-15T12:51:21Z",
"create_date": "2016-04-15T12:51:21Z",
"is_attachable": "true",
"policy_name": "My_Policy_Name",
"default_version_id": "v1",
"attachment_count": "1",
"path": "/",
"arn": "arn:aws:iam::123456789:policy/VerticaTest_GetConfigsFromS3",
"policy_id": "XXXSOMELONGSTRINGXXXX"
}
}
}
}
What I am after is something like this (the policy document in Management Console):我所追求的是这样的(管理控制台中的策略文档):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucketname",
"arn:aws:s3:::mybucketname/*"
]
}
]
}
Please move to boto3.请移至 boto3。
Approach this from the policy side: Identify the Policy ARN, Identify the Policy DefaultVersionId using the ARN, Retrieve the PolicyDocument using ARN and DefaultVersionId.从策略方面解决这个问题:识别策略 ARN,使用 ARN 识别策略 DefaultVersionId,使用 ARN 和 DefaultVersionId 检索 PolicyDocument。
import boto3
import json
arn = 'arn:aws:iam::aws:policy/AdministratorAccess'
iam = boto3.client('iam')
policy = iam.get_policy(
PolicyArn = arn
)
policy_version = iam.get_policy_version(
PolicyArn = arn,
VersionId = policy['Policy']['DefaultVersionId']
)
print(json.dumps(policy_version['PolicyVersion']['Document']))
print(json.dumps(policy_version['PolicyVersion']['Document']['Statement']))
Run this code and pipe the output to "jq ."运行此代码并将输出通过管道传输到“jq”。 and you get the following output:
你会得到以下输出:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
}
[
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
You specifically requested the Actions / Statement in your question.您在问题中特别要求了行动/声明。 I printed the 'Document' and 'Statement' properties to show the differences.
我打印了“文档”和“声明”属性以显示差异。
http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_policy http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_policy_version http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_policy http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM .Client.get_policy_version
Please switch to boto3 as there is better support and documentation.请切换到 boto3,因为有更好的支持和文档。 As in boto3 documentation, get_policy() doesn't give you policydocument.
在 boto3 文档中,get_policy() 不会为您提供 policydocument。
The best I can get is get_account_authorization_details()我能得到的最好的是 get_account_authorization_details()
http://boto3.readthedocs.org/en/latest/reference/services/iam.html#IAM.Client.get_account_authorization_details http://boto3.readthedocs.org/en/latest/reference/services/iam.html#IAM.Client.get_account_authorization_details
I did a quick check under cli, just substitute all the command to boto3 then you are all good to go.我在 cli 下进行了快速检查,只需将所有命令替换为 boto3,然后就可以了。
aws iam get-account-authorization-details --filter 'LocalManagedPolicy'
I think you can use the following:我认为您可以使用以下内容:
get_policy(policy_arn)
Get policy information.
Parameters: policy_arn (string) – The ARN of the policy to get information for
get_policy_version(policy_arn, version_id)¶
Get policy information.
Parameters:
policy_arn (string) – The ARN of the policy to get information for a specific version
version_id (string) – The id of the version to get information for
http://boto.cloudhackers.com/en/latest/ref/iam.html http://boto.cloudhackers.com/en/latest/ref/iam.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.