
Function for adding parameters in IAM policy

I have been working on a boto script for creating an IAM user policy from a function. I want to add the region, instance_type and ebs_volume restrictions inside the policy. I want the output to be in JSON format. I am not sure how to proceed with it. The name of the file is template_function.py. This is the function:

    def create_aws_iam_policy_template(**template):
        # Stub: the keyword arguments (region, instance_type, volume_size)
        # arrive in the dict ``template`` but are not used to build anything yet
        print(template)

    create_aws_iam_policy_template(region="us-east-1", instance_type="t2.micro", volume_size="12")

This is the policy, which is stored in another file in the same directory, "metatemplate.py":

    import json
    import template_function
    import boto3


    def build_policy(region, instance_type, volume_size, start_time, end_time):
        # Wrapped in a function so that the f-strings below have region,
        # instance_type, volume_size, start_time and end_time in scope.
        return {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": "ec2:RunInstances",
                    "Resource": [
                        f"arn:aws:ec2:{region}::instance/*",
                        f"arn:aws:ec2:{region}::network-interface/*",
                        f"arn:aws:ec2:{region}::key-pair/*",
                        f"arn:aws:ec2:{region}::security-group/*",
                        f"arn:aws:ec2:{region}::subnet/*",
                        f"arn:aws:ec2:{region}::volume/*",
                        f"arn:aws:ec2:{region}::image/ami-*"
                    ],
                    "Condition": {
                        "ForAllValues:NumericLessThanEquals": {
                            "ec2:VolumeSize": f"{volume_size}"
                        },
                        "ForAllValues:StringEquals": {
                            "ec2:InstanceType": f"{instance_type}"
                        }
                    }
                },
                {
                    "Sid": "VisualEditor1",
                    "Effect": "Allow",
                    "Action": [
                        "ec2:TerminateInstances",
                        "ec2:StartInstances",
                        "ec2:StopInstances"
                    ],
                    "Resource": f"arn:aws:ec2:{region}::instance/*",
                    "Condition": {
                        "ForAllValues:StringEquals": {
                            # was f"{region}": a copy-paste slip, the key is the instance type
                            "ec2:InstanceType": f"{instance_type}"
                        }
                    }
                },
                {
                    "Sid": "VisualEditor2",
                    "Effect": "Allow",
                    "Action": [
                        "ec2:Describe*",
                        "ec2:GetConsole*",
                        "cloudwatch:DescribeAlarms",
                        "iam:ListInstanceProfiles",
                        "cloudwatch:GetMetricStatistics",
                        "ec2:DescribeKeyPairs",
                        "ec2:CreateKeyPair"
                    ],
                    "Resource": "*",
                    "Condition": {
                        "DateGreaterThan": {
                            "aws:CurrentTime": f"{start_time}"
                        },
                        "DateLessThanEquals": {
                            "aws:CurrentTime": f"{end_time}"
                        }
                    }
                }
            ]
        }


    # Placeholder values; aws:CurrentTime expects ISO 8601 timestamps.
    some_policy = build_policy(
        region="us-east-1",
        instance_type="t2.micro",
        volume_size="12",
        start_time="2020-01-01T00:00:00Z",
        end_time="2020-12-31T23:59:59Z",
    )

    iam = boto3.client("iam")
    response = iam.create_policy(
        PolicyName='GoodPolicy',
        PolicyDocument=json.dumps(some_policy)
    )

Create a Python object that has the same members as you want to see in the JSON, then in your code import json and call json.dumps(your_python_object). That will turn your object into a JSON string.

Then call the create_policy API and pass in the string you get from json.dumps as the PolicyDocument parameter.

There are multiple ways to do this. Below is one:

    import json
    from jinja2 import Template

    policy = '''
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    "arn:aws:ec2:{{region}}::instance/*",
                    "arn:aws:ec2:{{region}}::network-interface/*",
                    "arn:aws:ec2:{{region}}::key-pair/*",
                    "arn:aws:ec2:{{region}}::security-group/*",
                    "arn:aws:ec2:{{region}}::subnet/*",
                    "arn:aws:ec2:{{region}}::volume/*",
                    "arn:aws:ec2:{{region}}::image/ami-*"
                ],
                "Condition": {
                    "ForAllValues:NumericLessThanEquals": {
                        "ec2:VolumeSize": "{{volume_size}}"
                    },
                    "ForAllValues:StringEquals": {
                        "ec2:InstanceType": "{{instance_type}}"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "ec2:TerminateInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": "arn:aws:ec2:{{region}}::instance/*",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "ec2:InstanceType": "{{instance_type}}"
                    }
                }
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*",
                    "ec2:GetConsole*",
                    "cloudwatch:DescribeAlarms",
                    "iam:ListInstanceProfiles",
                    "cloudwatch:GetMetricStatistics",
                    "ec2:DescribeKeyPairs",
                    "ec2:CreateKeyPair"
                ],
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {
                        "aws:CurrentTime": "{{start_time}}"
                    },
                    "DateLessThanEquals": {
                        "aws:CurrentTime": "{{end_time}}"
                    }
                }
            }
        ]
    }
    '''

    tm = Template(policy)
    rendered = tm.render(region='us-east-1', start_time='1-2-3', end_time='3-4-5',
                         volume_size='2', instance_type='t2.micro')
    # rendered is already JSON text; parse it (which also validates it) instead
    # of json.dumps()-ing the string, which would only quote and escape it.
    print(json.dumps(json.loads(rendered), indent=4))
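A self-contained version of the dict approach from the first answer, applied to the question's policy and given input validation before the document is handed to create_policy (an added example, not code from either answer). The parameter names follow the question; the ISO 8601 timestamp check and the switch to single-valued condition operators are this example's own choices.

```python
import json
from datetime import datetime

# Added example: builds the question's policy from keyword arguments and returns
# the JSON string that iam.create_policy(PolicyDocument=...) needs. The ISO 8601
# format for aws:CurrentTime is an assumption taken from the IAM condition docs.
ISO_8601 = "%Y-%m-%dT%H:%M:%SZ"

def create_aws_iam_policy_template(region, instance_type, volume_size,
                                   start_time, end_time):
    """Build the policy as a dict and return it as a JSON string."""
    # Validate before the document reaches IAM: create_policy rejects malformed
    # JSON but will store a policy whose values are merely wrong.
    size = int(volume_size)
    if size <= 0 or not region or not instance_type:
        raise ValueError("region, instance_type and a positive volume_size required")
    start = datetime.strptime(start_time, ISO_8601)
    if datetime.strptime(end_time, ISO_8601) <= start:
        raise ValueError("end_time must be after start_time")

    ec2 = f"arn:aws:ec2:{region}::"
    # ec2:InstanceType and ec2:VolumeSize are single-valued keys, so plain
    # StringEquals / NumericLessThanEquals are used here: the ForAllValues form
    # in the question also matches requests that omit the key entirely.
    by_type = {"StringEquals": {"ec2:InstanceType": instance_type}}
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": [ec2 + r + "/*" for r in ("instance", "network-interface",
                          "key-pair", "security-group", "subnet", "volume")]
                         + [ec2 + "image/ami-*"],
             "Condition": {"NumericLessThanEquals": {"ec2:VolumeSize": str(size)},
                           **by_type}},
            {"Sid": "VisualEditor1", "Effect": "Allow",
             "Action": ["ec2:TerminateInstances", "ec2:StartInstances",
                        "ec2:StopInstances"],
             "Resource": ec2 + "instance/*", "Condition": by_type},
            {"Sid": "VisualEditor2", "Effect": "Allow",
             "Action": ["ec2:Describe*", "ec2:GetConsole*", "cloudwatch:DescribeAlarms",
                        "iam:ListInstanceProfiles", "cloudwatch:GetMetricStatistics",
                        "ec2:DescribeKeyPairs", "ec2:CreateKeyPair"],
             "Resource": "*",
             "Condition": {"DateGreaterThan": {"aws:CurrentTime": start_time},
                           "DateLessThanEquals": {"aws:CurrentTime": end_time}}},
        ],
    }
    return json.dumps(policy, indent=2)
```

The returned string goes straight into `boto3.client("iam").create_policy(PolicyName=..., PolicyDocument=...)`; a bad timestamp such as the '1-2-3' used above fails here rather than producing a policy whose date window never matches.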
