
MalformedPolicyDocumentException while creating IAM policy using Boto

I am working on a boto script to create an IAM policy using a python function. The policy has been converted to JSON format using "json.dumps()", but AWS would still not consider it as a valid format. The function is:

import json
from jinja2 import Template   # assumed: Template(...).render(...) matches jinja2's API
import meta_templates         # the OP's own module holding the policy template dicts

##### Global variables ####
region="us-east-2"
instance_type="t2.micro"
ebs_volume_size="20"
meta_template_name="ec2_policy_meta_template"
###############################

start_time_1 = input("What's the start time")
end_time1 = input("What's the end time")
def create_aws_iam_policy_template(**kwargs):
  template_data = {}
  template_data["region"] = kwargs.get('region')
  # Note: 'start_time' is filled from end_time and vice versa, so the rendered
  # policy's date window comes out reversed (see the output below).
  template_data["start_time"] = kwargs.get('end_time')
  template_data["end_time"] = kwargs.get('start_time')
  template_data["instance_type"] = kwargs.get('instance_type')
  template_data["ebs_volume_size"] = kwargs.get('ebs_volume_size')
  template_data["meta_template_name"] = kwargs.get('meta_template_name')

  # Look up the policy template dict by name, serialise it, and render the
  # placeholders; the result is already a JSON string.
  meta_template_dict = getattr(meta_templates, template_data["meta_template_name"])
  meta_template_json = json.dumps(meta_template_dict)
  template_json = Template(meta_template_json).render(template_data)
  return template_json


template_json = create_aws_iam_policy_template(
  region=region,
  instance_type=instance_type,
  ebs_volume_size=ebs_volume_size,
  meta_template_name=meta_template_name,
  start_time = start_time_1,
  end_time = end_time1
)

This is what I am using to convert the dict to JSON:

# template_json is already a JSON string at this point, so this call encodes it a second time.
app_json = json.dumps(template_json)
print(app_json)

This is the output of the IAM policy:

"{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": ["arn:aws:ec2:us-east-2::instance/ ", "arn:aws:ec2:us-east-2::network-interface/ ", "arn:aws:ec2:us-east-2::key-pair/ ", "arn:aws:ec2:us-east-2::security-group/ ", "arn:aws:ec2:us-east-2::subnet/ ", "arn:aws:ec2:us-east-2::volume/ ", "arn:aws:ec2:us-east-2::image/ami- "], "Condition": {"ForAllValues:NumericLessThanEquals": {"ec2:VolumeSize": "20"}, "ForAllValues:StringEquals": {"ec2:InstanceType": "t2.micro"}}}, {"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:StartInstances", "ec2:StopInstances"], "Resource": "arn:aws:ec2:us-east-2::instance/ ", "Condition": {"ForAllValues:StringEquals": {"ec2:InstanceType": "t2.micro"}}}, {"Sid": "VisualEditor2", "Effect": "Allow", "Action": ["ec2:Describe*", "ec2:GetConsole*", "cloudwatch:DescribeAlarms", "iam:ListInstanceProfiles", "cloudwatch:GetMetricStatistics", "ec2:DescribeKeyPairs", "ec2:CreateKeyPair"], "Resource": "*", "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}, "DateLessThanEquals": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}}}]}"

This is the error I am getting while trying to create an IAM policy:

botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Syntax errors in policy.
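The printed output above begins with a quote character rather than a brace, which is what json.dumps() produces when its input is already a JSON string: CreatePolicy then receives a JSON string literal instead of a JSON object. The helper below is an added example, not code from the question; it accepts a dict or a (possibly double-encoded) string and returns a single-encoded document, rejecting anything that does not decode to an object, so the problem is caught locally before any API call. The sample policy, account id 111122223333 and instance id i-EXAMPLE are constructed placeholders.

```python
import json

# Constructed sample: a rendered policy document in the form the question's
# template step returns (a JSON string). The account id and instance id are
# placeholders, not values from the question.
RENDERED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:us-east-2:111122223333:instance/i-EXAMPLE",
        "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}},
    }],
})


def is_double_encoded(document):
    """True when json.loads(document) yields a str instead of an object,
    i.e. json.dumps() was applied to text that was already JSON."""
    try:
        return isinstance(json.loads(document), str)
    except (TypeError, ValueError):
        return False


def policy_document_for_boto3(document):
    """Return a single-encoded JSON string for the PolicyDocument parameter
    of iam.create_policy().

    Accepts a dict or a JSON string. A string that decodes to another string
    is unwrapped one level; anything that does not end up as a JSON object
    carrying a Statement is rejected locally, before any API call is made.
    """
    if isinstance(document, dict):
        policy = document
    elif isinstance(document, str):
        policy = json.loads(document)
        if isinstance(policy, str):
            # Second decode: undo the extra json.dumps() applied to an
            # already serialised document.
            policy = json.loads(policy)
    else:
        raise TypeError("policy document must be a dict or a JSON string")
    if not isinstance(policy, dict) or "Statement" not in policy:
        raise ValueError("policy document is not a JSON object with a Statement")
    return json.dumps(policy)


if __name__ == "__main__":
    doubled = json.dumps(RENDERED_POLICY)   # the extra dumps() from the question
    print(doubled[:30])                      # starts with a quote, not a brace
    print(is_double_encoded(doubled))        # True
    fixed = policy_document_for_boto3(doubled)
    print(fixed[:30])                        # starts with a brace
    # import boto3
    # boto3.client("iam").create_policy(PolicyName="ec2-scoped", PolicyDocument=fixed)
```

Because the template step already returns a string, the dict-to-JSON conversion happens exactly once; calling the helper on whatever you have (dict or string) and passing its result to create_policy removes the ambiguity.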

The policy overall has too many warnings, even though I was able to create it via the console.

For example, aws:CurrentTime should be something like below:

                "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}

The ec2:InstanceType condition doesn't have the corresponding condition's value specified.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-2::instance/",
        "arn:aws:ec2:us-east-2::network-interface/",
        "arn:aws:ec2:us-east-2::key-pair/",
        "arn:aws:ec2:us-east-2::security-group/",
        "arn:aws:ec2:us-east-2::subnet/",
        "arn:aws:ec2:us-east-2::volume/",
        "arn:aws:ec2:us-east-2::image/ami-"
      ],
      "Condition": {
        "ForAllValues:NumericLessThanEquals": {
          "ec2:VolumeSize": "20"
        },
        "ForAllValues:StringEquals": {
          "ec2:InstanceType": ""
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-2::instance/",
      "Condition": {
        "ForAllValues:StringEquals": {
          "ec2:InstanceType": ""
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*",
        "cloudwatch:DescribeAlarms",
        "iam:ListInstanceProfiles",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeKeyPairs",
        "ec2:CreateKeyPair"
      ],
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "30"
        },
        "DateLessThanEquals": {
          "aws:CurrentTime": "20"
        }
      }
    }
  ]
}
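The points raised in this answer (the aws:CurrentTime bounds must describe a window that starts before it ends, and each condition key needs a value) and the empty resource ids visible in the policy above can all be checked before the document is sent to IAM. The linter and builder below are an added example, not the answer's code. The SINGLE_VALUED_KEYS set, the account id 111122223333 and the instance id i-EXAMPLE are assumptions; the linter also flags ForAllValues paired with a single-valued key, because that set operator evaluates to true when the key is absent from the request context, which weakens the instance-type restriction.

```python
import json
from datetime import datetime

DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumption: condition keys that carry one value per request. AWS documents that
# the ForAllValues set operator evaluates to true when the key is missing from the
# request context, so pairing it with such a key loosens the check.
SINGLE_VALUED_KEYS = {"ec2:InstanceType", "ec2:VolumeSize"}

# Constructed sample reproducing the defects discussed above: a resource ARN with
# no resource id, an empty ec2:InstanceType value, and a reversed date window.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-east-2::instance/",
         "Condition": {"ForAllValues:StringEquals": {"ec2:InstanceType": ""}}},
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*",
         "Condition": {
             "DateGreaterThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"},
             "DateLessThanEquals": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, code, detail) findings for a policy dict; [] means clean.

    Codes: empty-resource, empty-condition-value, forallvalues-single-valued,
    unparseable-date, reversed-date-window.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no sid>")
        for arn in _as_list(stmt.get("Resource", [])):
            # The text after the last "/" (or ":") names the resource; empty means
            # a template placeholder was never filled in.
            if arn != "*" and not arn.rsplit("/", 1)[-1].rsplit(":", 1)[-1].strip():
                findings.append((sid, "empty-resource", arn))
        lower = upper = None
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                values = [str(v) for v in _as_list(value)]
                if any(not v.strip() for v in values):
                    findings.append((sid, "empty-condition-value", f"{operator}/{key}"))
                if operator.startswith("ForAllValues:") and key in SINGLE_VALUED_KEYS:
                    findings.append((sid, "forallvalues-single-valued", f"{operator}/{key}"))
                if key == "aws:CurrentTime" and operator.startswith("Date"):
                    try:
                        when = datetime.strptime(values[0], DATE_FORMAT)
                    except ValueError:
                        findings.append((sid, "unparseable-date", f"{operator}/{key}={values[0]}"))
                        continue
                    if operator.startswith("DateGreaterThan"):
                        lower = when
                    elif operator.startswith("DateLessThan"):
                        upper = when
        if lower is not None and upper is not None and lower >= upper:
            detail = f"{lower.strftime(DATE_FORMAT)} >= {upper.strftime(DATE_FORMAT)}"
            findings.append((sid, "reversed-date-window", detail))
    return findings


def build_policy(region, account_id, instance_id, instance_type, start, end):
    """Build the corrected policy: the aws:CurrentTime window runs from start to
    end (both DATE_FORMAT strings) and every condition key carries a value."""
    if datetime.strptime(start, DATE_FORMAT) >= datetime.strptime(end, DATE_FORMAT):
        raise ValueError("start must be earlier than end")
    if not (account_id and instance_id and instance_type):
        raise ValueError("account_id, instance_id and instance_type must be set")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor1", "Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances"],
             "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
             "Condition": {"StringEquals": {"ec2:InstanceType": instance_type}}},
            {"Sid": "VisualEditor2", "Effect": "Allow",
             "Action": ["ec2:Describe*"], "Resource": "*",
             "Condition": {"DateGreaterThan": {"aws:CurrentTime": start},
                           "DateLessThan": {"aws:CurrentTime": end}}},
        ],
    }


if __name__ == "__main__":
    for finding in lint_policy(BROKEN_POLICY):
        print(finding)
    policy = build_policy("us-east-2", "111122223333", "i-EXAMPLE", "t2.micro",
                          "2020-04-01T00:00:00Z", "2020-06-30T23:59:59Z")
    document = json.dumps(policy)   # serialise once; pass this string to create_policy
    # import boto3
    # boto3.client("iam").create_policy(PolicyName="ec2-scoped", PolicyDocument=document)
```

Running the linter on the rendered document before calling create_policy turns a generic "Syntax errors in policy" into a named finding per statement, and build_policy refuses a reversed window or a missing value at the point where the inputs are read.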
