如何使用 boto 在 AWS iam 中获取用户的权限或组详细信息
[英]How to get the permission or group details of the users in AWS iam using boto
问题描述
I have successfully fetched the users from AWS IAM using the python boto module.
我已成功使用 python boto 模块从 AWS IAM 获取用户。
Code:代码:
import boto
from boto.iam.connection import IAMConnection
cfn = IAMConnection(aws_access_key_id='somekeyid',aws_secret_access_key ='secret_here')
data = cfn.get_all_users()
for user in data.users:
print user,"\n"
How do I get the Groups or Permissions the user is associated with?
I added this line of code to get the group associated with the users and I am getting the error mentioned down below.我添加了这行代码来获取与用户关联的组,并且出现下面提到的错误。
Added Code:添加代码:
group=cfn.get_groups_for_user("Shital")
print group
where "Shital" is the user that exists and is being fetched from above.其中“Shital”是存在并从上方获取的用户。 For test purposes, I am manually passing it to a function call.出于测试目的,我手动将其传递给函数调用。
Error:错误:
Traceback (most recent call last):
File "getuser.py", line 14, in <module>
pol=cfn.get_groups_for_user("Shita")
File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 509, in get_groups_for_user
list_marker='Groups')
File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 102, in get_response
raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>AccessDenied</Code>
<Message>User: arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita</Message>
</Error>
<RequestId>7e9a4b56-95f0-11e7-9bb0-8b8eb22708c5</RequestId>
</ErrorResponse>
3 个解决方案
解决方案1
1 2018-01-02 02:17:20
Using credentials with suitable authority is essential for this query to work.使用具有适当权限的凭据对于此查询的工作至关重要。 As code_onkel points out, it makes sense to assign IAMFullAccess or AdministratorAccess as needed to complete the transaction successfully.正如 code_onkel 指出的那样,根据需要分配 IAMFullAccess 或 AdministratorAccess 以成功完成事务是有意义的。
解决方案2
0 2018-03-15 18:43:13
You are getting this error because you don't have permission to ListGroupUser.您收到此错误是因为您没有 ListGroupUser 的权限。 Because of that, you are getting this error User: arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita因此,您会收到此错误 User: arn:aws:iam::586848946515:user/qa-api-users is notauthorized to perform: iam:ListGroupsForUser on resource: user Shita
You can create a role will allow you to list user details and you can add that role to your profile or you can use assume role.您可以创建一个角色以允许您列出用户详细信息,并且您可以将该角色添加到您的个人资料中,或者您可以使用代入角色。 https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html
解决方案3
0 2019-12-25 20:29:19
There is several major caveats for this code:这段代码有几个主要的警告:
1 - It assumes that you are using the default policy versions for all policies. 1 - 假设您对所有策略使用默认策略版本。
2 - It assumes that you have the permissions required. 2 - 它假定您具有所需的权限。
3 - It is written using boto3 rather than the old boto. 3 - 它是使用 boto3 而不是旧的 boto 编写的。
Now that we have that out of the way, the code:现在我们已经解决了这个问题,代码:
#! /bin/python3
import boto3
USERNAME = '<The desired username>'
policy_names = []
def get_groups_by_username(username):
client = boto3.client('iam')
groups_json = client.list_groups_for_user(UserName=username)['Groups']
group_names = []
for group in groups_json:
group_names.append(group['GroupName'])
return group_names
def get_group_policies(user_groups):
client = boto3.client('iam')
global policy_names
for group in user_groups:
# This is for AWS managed policies and returns both the policy ARN and name
attached_group_policies = (client.list_attached_group_policies(GroupName=group)['AttachedPolicies'])
for policy in attached_group_policies:
policy_names.append(policy['PolicyName'])
# This is for inline policies and returns only the policy name
group_policies = (client.list_group_policies(GroupName=group)['PolicyNames'])
for policy in group_policies:
policy_names.append(policy)
def get_user_policies(username):
client = boto3.client('iam')
global policy_names
# This is for AWS managed policies and returns both the policy ARN and name
attached_user_policies = (client.list_attached_user_policies(UserName=username)['AttachedPolicies'])
for policy in attached_user_policies:
policy_names.append(policy['PolicyName'])
# This is for inline policies and returns only the policy name
user_policies = (client.list_user_policies(UserName=username)['PolicyNames'])
for policy in user_policies:
policy_names.append(policy)
get_user_policies(USERNAME)
groups = get_groups_by_username(USERNAME)
print("The user " + USERNAME + " belongs to the groups:")
print(groups)
get_group_policies(groups)
print("The user " + USERNAME + " has the following policies applied to it: ")
print(policy_names)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.