
boto3 get available actions per service

I want to programmatically get all the actions a user is allowed to do across AWS services. I've tried to fiddle with simulate_principal_policy, but it seems this method expects a list of all actions, and I don't want to maintain a hard-coded list.

I also tried to call it with iam:* for example and got a generic 'implicitDeny' response, so I know the user is not permitted all the actions, but I require a higher granularity of actions.

Any ideas as to how I get the action list dynamically? Thanks!

To start with, there is no programmatic way to retrieve all possible actions (regardless of whether they are permitted to use an action).

You would need to construct a list of possible actions before checking the security. As an example, the boto3 SDK for Python contains an internal list of commands that it uses to validate commands before sending them to AWS.

Once you have a particular action, you could use the Policy Simulator API to validate whether a given user would be allowed to make a particular API call. This is much easier than attempting to parse the various Allow and Deny permissions associated with a given user.

However, a call might be denied based upon the specific parameters of the call. For example, a user might have permissions to terminate any Amazon EC2 instance that has a particular tag, but cannot terminate all instances. To correctly test this, an InstanceId would need to be provided to the simulation.

Also, permissions might be restricted by IP address and even time of day. Thus, while a user would have permission to call an Action, where and when they do it will have an impact on whether the Action is permitted.

Bottom line: It ain't easy! AWS will validate permissions at the time of the call. Use the Policy Simulator to obtain similar validation results.

I am surprised no one has answered this question correctly. Here is code that uses boto3 that addresses the OP's question directly:

import boto3

# region_name must be passed as a keyword: the first positional argument of
# boto3.Session is aws_access_key_id, so Session('us-east-1') would be wrong.
session = boto3.Session(region_name='us-east-1')

# Every service botocore knows about, with the operations in its service model
for service in session.get_available_services():
    service_client = session.client(service)
    print(service)
    print(service_client.meta.service_model.operation_names)

IAM, however, is a special case as it won't be listed in the get_available_services() call above:

IAM = session.client('iam')
print('iam')
print(IAM.meta.service_model.operation_names)
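The two answers above fit together: the service models shipped with botocore give you a candidate action list, and the Policy Simulator tells you which of those a principal may call. The following is an added example written for this page, not code from the question or from either answer. It builds "prefix:Operation" strings from every botocore service model, approximating the IAM service prefix with the model's signing name (the botocore service "elbv2" signs as "elasticloadbalancing", for instance), then feeds them to simulate_principal_policy in batches through the IAM paginator and groups the results by EvalDecision. Two caveats the first answer hints at are made explicit in the code: operation names are only an approximation of IAM action names (a few operations authorize against differently named actions), and without ResourceArns or ContextEntries the simulation does not exercise resource- or condition-scoped permissions. The principal ARN is a placeholder and the batch size of 100 is a constructed choice; botocore and boto3 are imported lazily so the pure helpers can be exercised offline.

```python
"""Enumerate candidate IAM actions from botocore's service models and check them
with the Policy Simulator (added example; not code from the original thread)."""
from typing import Dict, Iterable, Iterator, List


def action_names(iam_prefix: str, operation_names: Iterable[str]) -> List[str]:
    """Turn botocore operation names into "prefix:Operation" action strings.

    Caveat: this only approximates the real IAM action list. Some API
    operations authorize against differently named actions (the s3
    ListObjectsV2 operation is checked as s3:ListBucket, for example).
    """
    return sorted({f"{iam_prefix}:{op}" for op in operation_names})


def candidate_actions() -> List[str]:
    """Collect "prefix:Operation" strings for every service botocore models.

    The IAM prefix is approximated with the service model's signing name,
    which differs from the botocore service name for some services.
    botocore is imported here so the pure helpers run without it installed.
    """
    import botocore.session  # requires botocore (installed with boto3)

    bc = botocore.session.get_session()
    actions: List[str] = []
    for service in bc.get_available_services():
        model = bc.get_service_model(service)
        actions.extend(action_names(model.signing_name, model.operation_names))
    return sorted(set(actions))


def chunked(items: Iterable[str], size: int) -> Iterator[List[str]]:
    """Yield successive lists of at most `size` items."""
    batch: List[str] = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def summarize(evaluation_results: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group Policy Simulator EvaluationResults by EvalDecision
    ("allowed", "explicitDeny" or "implicitDeny")."""
    by_decision: Dict[str, List[str]] = {}
    for result in evaluation_results:
        by_decision.setdefault(result["EvalDecision"], []).append(result["EvalActionName"])
    return {decision: sorted(names) for decision, names in by_decision.items()}


def simulate_actions(iam_client, principal_arn: str, actions: List[str],
                     batch_size: int = 100) -> Dict[str, List[str]]:
    """Run simulate_principal_policy over `actions` in batches and merge the
    results. `batch_size` is a constructed choice that keeps each request
    small; the paginator follows IsTruncated/Marker so long result sets are
    not cut off. No ResourceArns or ContextEntries are passed, so permissions
    scoped by resource tags, source IP or time of day are not exercised."""
    paginator = iam_client.get_paginator("simulate_principal_policy")
    merged: Dict[str, List[str]] = {}
    for batch in chunked(actions, batch_size):
        pages = paginator.paginate(PolicySourceArn=principal_arn, ActionNames=batch)
        for page in pages:
            for decision, names in summarize(page["EvaluationResults"]).items():
                merged.setdefault(decision, []).extend(names)
    return {decision: sorted(names) for decision, names in merged.items()}


if __name__ == "__main__":
    import sys
    import boto3

    # Usage: python this_script.py arn:aws:iam::123456789012:user/alice
    # (the ARN above is a placeholder; pass the principal you want to check)
    principal = sys.argv[1]
    iam = boto3.Session(region_name="us-east-1").client("iam")
    outcome = simulate_actions(iam, principal, candidate_actions())
    for decision in ("allowed", "explicitDeny", "implicitDeny"):
        print(decision, len(outcome.get(decision, [])))
```

The "allowed" bucket is the dynamic action list the question asks for, with the same limits the first answer describes: it reflects the principal's identity policies as they stand for unspecified resources and an empty request context, so a separate simulation with ResourceArns and ContextEntries is still needed for permissions that depend on tags, source IP or time.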
