Function for adding parameters in IAM policy
I have been working on a boto script for creating an IAM user policy from a function. I want to add the region, instance_type and ebs_volume restriction inside the policy. I want the output to be in JSON format. I am not sure how to proceed with it. The name of the file is template_function.py. This is the function:
```python
def create_aws_iam_policy_template(**template):
    # Placeholder body: the parameters arrive here, but the policy is not built yet
    print(template)


create_aws_iam_policy_template(region="us-east-1", instance_type="t2.micro", volume_size="12")
```
This is the policy, which is stored in another file in the same directory, "metatemplate.py":
```python
import json

import boto3

import template_function  # template_function.py lives in the same directory


def build_policy(region, instance_type, volume_size, start_time, end_time):
    """Return the policy as a dict so it can be serialised with json.dumps()."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    f"arn:aws:ec2:{region}::instance/*",
                    f"arn:aws:ec2:{region}::network-interface/*",
                    f"arn:aws:ec2:{region}::key-pair/*",
                    f"arn:aws:ec2:{region}::security-group/*",
                    f"arn:aws:ec2:{region}::subnet/*",
                    f"arn:aws:ec2:{region}::volume/*",
                    f"arn:aws:ec2:{region}::image/ami-*"
                ],
                "Condition": {
                    "ForAllValues:NumericLessThanEquals": {
                        "ec2:VolumeSize": f"{volume_size}"
                    },
                    "ForAllValues:StringEquals": {
                        "ec2:InstanceType": f"{instance_type}"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "ec2:TerminateInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": f"arn:aws:ec2:{region}::instance/*",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        # compare against the instance type, not the region
                        "ec2:InstanceType": f"{instance_type}"
                    }
                }
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*",
                    "ec2:GetConsole*",
                    "cloudwatch:DescribeAlarms",
                    "iam:ListInstanceProfiles",
                    "cloudwatch:GetMetricStatistics",
                    "ec2:DescribeKeyPairs",
                    "ec2:CreateKeyPair"
                ],
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {
                        "aws:CurrentTime": f"{start_time}"
                    },
                    "DateLessThanEquals": {
                        "aws:CurrentTime": f"{end_time}"
                    }
                }
            }
        ]
    }


# start_time/end_time are placeholder values; the original post leaves them undefined
some_policy = build_policy(
    region="us-east-1",
    instance_type="t2.micro",
    volume_size="12",
    start_time="2023-01-01T00:00:00Z",
    end_time="2023-12-31T23:59:59Z",
)
iam = boto3.client("iam")
response = iam.create_policy(
    PolicyName='GoodPolicy',
    PolicyDocument=json.dumps(some_policy)
)
```
Create a Python object that has the same members as you want to see in the JSON, then in your code `import json` and call `json.dumps(your_python_object)`. That will turn your object into a JSON string.
Then call the create_policy API and pass in the string you get from json.dumps as the PolicyDocument parameter.
There are multiple ways to do this. Below is one:
```python
import json
from jinja2 import Template

policy = '''
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:{{region}}::instance/*",
                "arn:aws:ec2:{{region}}::network-interface/*",
                "arn:aws:ec2:{{region}}::key-pair/*",
                "arn:aws:ec2:{{region}}::security-group/*",
                "arn:aws:ec2:{{region}}::subnet/*",
                "arn:aws:ec2:{{region}}::volume/*",
                "arn:aws:ec2:{{region}}::image/ami-*"
            ],
            "Condition": {
                "ForAllValues:NumericLessThanEquals": {
                    "ec2:VolumeSize": "{{volume_size}}"
                },
                "ForAllValues:StringEquals": {
                    "ec2:InstanceType": "{{instance_type}}"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:{{region}}::instance/*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "ec2:InstanceType": "{{instance_type}}"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*",
                "cloudwatch:DescribeAlarms",
                "iam:ListInstanceProfiles",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeKeyPairs",
                "ec2:CreateKeyPair"
            ],
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {
                    "aws:CurrentTime": "{{start_time}}"
                },
                "DateLessThanEquals": {
                    "aws:CurrentTime": "{{end_time}}"
                }
            }
        }
    ]
}
'''

tm = Template(policy)
# render() returns the filled-in template as a string
parsed_policy = tm.render(region='us-east-1', start_time='1-2-3', end_time='3-4-5', volume_size='2', instance_type='t2.micro')
# parse the rendered string so that invalid JSON is caught here, then re-serialise it
print(json.dumps(json.loads(parsed_policy), indent=2))
```
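As an added example (not code from the question or from either answer), the dict-plus-json.dumps approach described in the first answer, applied to the policy from the question: the parameters are validated before they are interpolated into ARNs and condition values, so a value containing quotes or braces cannot corrupt the document the way it could in a string template. The statements and the `start_time`/`end_time` parameters are taken from the question's policy; the `ForAllValues:` prefix is dropped because it also matches requests in which the condition key is absent.

```python
import json
import re
# Added example, not the question's or the answers' code: build the policy as
# a dict, validate the parameters, and only then hand it to json.dumps().
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
INSTANCE_TYPE_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+$")
EC2_TYPES = ["instance", "network-interface", "key-pair",
             "security-group", "subnet", "volume"]

def create_aws_iam_policy_template(region, instance_type, volume_size,
                                   start_time, end_time):
    """Return the policy as a Python dict with the same members as the JSON."""
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected region: {region!r}")
    if not INSTANCE_TYPE_RE.match(instance_type):
        raise ValueError(f"unexpected instance type: {instance_type!r}")
    volume_size = int(volume_size)  # rejects non-numeric sizes early
    run_resources = [f"arn:aws:ec2:{region}::{t}/*" for t in EC2_TYPES]
    run_resources.append(f"arn:aws:ec2:{region}::image/ami-*")
    # Plain operators: the ForAllValues: prefix used in the question also
    # matches requests in which the condition key is absent.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": "ec2:RunInstances", "Resource": run_resources,
             "Condition": {
                 "NumericLessThanEquals": {"ec2:VolumeSize": str(volume_size)},
                 "StringEquals": {"ec2:InstanceType": instance_type}}},
            {"Sid": "VisualEditor1", "Effect": "Allow",
             "Action": ["ec2:TerminateInstances", "ec2:StartInstances",
                        "ec2:StopInstances"],
             "Resource": f"arn:aws:ec2:{region}::instance/*",
             # instance_type here; the question's policy compared the region
             "Condition": {"StringEquals": {"ec2:InstanceType": instance_type}}},
            {"Sid": "VisualEditor2", "Effect": "Allow",
             "Action": ["ec2:Describe*", "ec2:GetConsole*",
                        "cloudwatch:DescribeAlarms", "iam:ListInstanceProfiles",
                        "cloudwatch:GetMetricStatistics", "ec2:DescribeKeyPairs",
                        "ec2:CreateKeyPair"],
             "Resource": "*",
             "Condition": {"DateGreaterThan": {"aws:CurrentTime": start_time},
                           "DateLessThanEquals": {"aws:CurrentTime": end_time}}},
        ],
    }

def policy_document(**template):
    """JSON string for iam.create_policy(PolicyName=..., PolicyDocument=...)."""
    return json.dumps(create_aws_iam_policy_template(**template), indent=2)
```

The string returned by `policy_document()` is what goes into the `PolicyDocument` parameter of `create_policy`.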