How to get the policy document for an AWS managed policy of an IAM user in Python boto3?
I'm able to retrieve the policy document for inline policies with the client's "get_user_policy()". Is there any way to retrieve the policy documents for the AWS managed policies of an IAM user?
import boto3
client = boto3.client('iam')
# Inline policy: get_user_policy() returns the document directly (boto3 decodes it into a dict)
policy = client.get_user_policy(UserName="<string>", PolicyName="<string>")
doc = {k: policy[k] for k in ['PolicyDocument'] if k in policy}
print(doc)
It seems like we can get the policy document of a managed policy using its ARN. But I'm not sure how to get the ARNs of all the managed policies which are attached to a particular IAM user.
So, how to get the policy document for an AWS managed policy of an IAM user in Python?
Thanks in advance.
You can use the following link for getting all policies attached to a user: fetch users and policies
Then, to get all the policy documents, you can use get_account_authorization_details
I have created one user called test1 and attached IAMReadOnlyAccess and PowerUserAccess. The catch was the ARN difference between AWS managed policies and customer managed policies. For more info.
import boto3
iam_res = boto3.resource('iam')
user = iam_res.User('test1')
# Every managed policy (AWS or customer managed) attached directly to the user
policy_iterator = user.attached_policies.all()
for each in policy_iterator:
    # AWS managed policies live under the "aws" pseudo-account; customer managed ones carry your account id
    if each.arn.startswith('arn:aws:iam::aws'):
        # default_version resolves the policy's DefaultVersionId; .document is the decoded JSON
        print(each.default_version.document)
Here is the output.
{'Statement': [{'Action': ['iam:GenerateCredentialReport',
'iam:GenerateServiceLastAccessedDetails',
'iam:Get*',
'iam:List*',
'iam:SimulateCustomPolicy',
'iam:SimulatePrincipalPolicy'],
'Effect': 'Allow',
'Resource': '*'}],
'Version': '2012-10-17'}
{'Statement': [{'Effect': 'Allow',
'NotAction': ['iam:*', 'organizations:*', 'account:*'],
'Resource': '*'},
{'Action': ['iam:CreateServiceLinkedRole',
'iam:DeleteServiceLinkedRole',
'iam:ListRoles',
'organizations:DescribeOrganization',
'account:ListRegions'],
'Effect': 'Allow',
'Resource': '*'}],
'Version': '2012-10-17'}
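A fuller version of the same idea, as an added example that is not part of the question or either answer: it walks list_attached_user_policies with pagination, splits AWS managed from customer managed policies by ARN, fetches each default version's document, also collects the inline policies the question already handles with get_user_policy, and flags unrestricted Allow statements (Resource "*" with Action "*" or a NotAction block, as in PowerUserAccess). It is driven by a constructed FakeIam stand-in so it runs offline; the account id, ARNs and documents in it are made up except for the PowerUserAccess document, which is copied from the output above. Pass boto3.client('iam') instead of FakeIam() to run it against a real account.

```python
"""Every policy document that applies directly to one IAM user, managed and inline.

Added example, not code from the original question or answers. The functions accept any
object exposing the boto3 IAM client calls they use (list_attached_user_policies,
get_policy, get_policy_version, list_user_policies, get_user_policy), so a real
boto3.client("iam") works. FakeIam is a constructed offline stand-in with made-up data.
"""
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"  # AWS managed: "aws" sits where the account id would

def is_aws_managed(policy_arn):
    """Customer managed policies carry the 12-digit account id instead of 'aws'."""
    return policy_arn.startswith(AWS_MANAGED_PREFIX)

def _paginate(call, key, **kwargs):
    """Follow the IsTruncated/Marker paging protocol of the IAM list_* calls."""
    marker = None
    while True:
        resp = call(**kwargs, **({"Marker": marker} if marker else {}))
        yield from resp[key]
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]

def managed_policy_documents(iam, user_name):
    """{policy ARN: document} for every managed policy attached to the user.
    get_policy reports DefaultVersionId; get_policy_version returns that version's
    Document, which boto3 has already URL-decoded into a dict."""
    docs = {}
    for att in _paginate(iam.list_attached_user_policies, "AttachedPolicies", UserName=user_name):
        arn = att["PolicyArn"]
        version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        docs[arn] = iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]
    return docs

def inline_policy_documents(iam, user_name):
    """{policy name: document} for the user's inline policies (the get_user_policy path)."""
    return {name: iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
            for name in _paginate(iam.list_user_policies, "PolicyNames", UserName=user_name)}

def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]

def broad_allow_statements(document):
    """Allow statements on Resource '*' whose actions are '*' or given as NotAction.
    NotAction is a deny-list (everything not named is allowed), so for review it is
    as broad as Action '*'; PowerUserAccess is the classic case."""
    return [s for s in _as_list(document["Statement"])
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))
            and ("NotAction" in s or "*" in _as_list(s.get("Action", [])))]

def audit_user(iam, user_name):
    """Summarise policies attached directly to the user. Group policies and the
    permissions boundary are not covered; add list_groups_for_user for those."""
    managed = managed_policy_documents(iam, user_name)
    inline = inline_policy_documents(iam, user_name)
    return {"aws_managed": sorted(a for a in managed if is_aws_managed(a)),
            "customer_managed": sorted(a for a in managed if not is_aws_managed(a)),
            "inline": sorted(inline),
            "broad_allow": sorted(k for k, d in {**managed, **inline}.items() if broad_allow_statements(d))}

# ---- constructed sample data and an offline stand-in for the IAM client ----
POWER_USER_DOC = {"Version": "2012-10-17", "Statement": [  # copied from the answer's output above
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
     "iam:ListRoles", "organizations:DescribeOrganization", "account:ListRegions"]}]}
S3_READ_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
               "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}  # made up
OWN_KEYS_DOC = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "iam:ListAccessKeys",
                "Resource": "arn:aws:iam::123456789012:user/${aws:username}"}}  # made up, single statement
PU_ARN, S3_ARN = "arn:aws:iam::aws:policy/PowerUserAccess", "arn:aws:iam::123456789012:policy/S3ReadExampleBucket"

class FakeIam:
    """Constructed stand-in for boto3.client('iam'); pages one attached policy at a time."""
    _attached = {"test1": [PU_ARN, S3_ARN]}
    _versions = {PU_ARN: ("v2", POWER_USER_DOC), S3_ARN: ("v1", S3_READ_DOC)}
    _inline = {"test1": {"ListOwnAccessKeys": OWN_KEYS_DOC}}

    def list_attached_user_policies(self, UserName, Marker=None):
        arns, i = self._attached[UserName], int(Marker or 0)
        page = {"AttachedPolicies": [{"PolicyName": arns[i].rsplit("/", 1)[1], "PolicyArn": arns[i]}],
                "IsTruncated": i + 1 < len(arns)}
        if page["IsTruncated"]:
            page["Marker"] = str(i + 1)
        return page

    def get_policy(self, PolicyArn):
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": self._versions[PolicyArn][0]}}

    def get_policy_version(self, PolicyArn, VersionId):
        version_id, document = self._versions[PolicyArn]
        assert VersionId == version_id, "only the default version is stored"
        return {"PolicyVersion": {"VersionId": version_id, "Document": document}}

    def list_user_policies(self, UserName, Marker=None):
        return {"PolicyNames": list(self._inline[UserName]), "IsTruncated": False}

    def get_user_policy(self, UserName, PolicyName):
        return {"UserName": UserName, "PolicyName": PolicyName, "PolicyDocument": self._inline[UserName][PolicyName]}
```

Call audit_user(FakeIam(), "test1") to see the summary; with a real client the same call lists the user's AWS managed and customer managed ARNs, its inline policy names, and which of those documents contain an unrestricted Allow. Note that this only covers what is attached directly to the user: policies inherited through groups and the permissions boundary need list_groups_for_user and get_user respectively, and get_account_authorization_details (the first answer) is the single-call alternative when you want the whole account at once.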