I have an S3 bucket read policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::examplebucket/*"]
        }
    ]
}
Based on CloudTrail logs, when a new bucket is created I am creating an event which will invoke a Lambda function.
I am able to read the JSON for the policy and add a new resource (bucket) to the same policy. Is there a direct Python API to be invoked which will update an existing IAM policy with a new resource?
I found the right way of doing it:
You have to create a policy version (including your policy changes) of your existing policy and tag it as default. That way the new version replaces the existing policy.
Get your existing policy:
import json
import boto3

# Resource object for reading the policy, low-level client for creating/deleting versions
iam = boto3.resource('iam')
client = boto3.client('iam')
policy = iam.Policy('arn:aws:iam::' + ACCOUNT_ID + ':policy/' + POLICY_NAME)
Get the JSON from this policy (keep a handle on the current default version so it can be deleted later):
version = policy.default_version
policyJson = version.document  # boto3 decodes the document into a dict
Change it as you want:
policyJson['Statement'].append({
    'Action': '*',
    'Resource': 'arn:aws:ec2:::*/*',
    'Effect': 'Allow'
})
Create a policy version with the new JSON and the option SetAsDefault set to True:
response = client.create_policy_version(
    PolicyArn='arn:aws:iam::' + ACCOUNT_ID + ':policy/' + POLICY_NAME,
    PolicyDocument=json.dumps(policyJson),
    SetAsDefault=True
)
Delete the previous version (optional but recommended, max 5 versions):
response = client.delete_policy_version(
    PolicyArn='arn:aws:iam::' + ACCOUNT_ID + ':policy/' + POLICY_NAME,
    VersionId=version.version_id  # the version that was default before the update
)
And you're good to go!
Thomas.
Ref: IAM DOC
You have to get the IAM policy, then delete and finally create it again with modified JSON as it was previously suggested.
Code Snippet
import json
import boto3

# Resource object for reading the policy document
iam = boto3.resource('iam')
policy = iam.Policy('arn:aws:iam::ACCOUNT_ID:policy/CustomS3Policy')
version = policy.default_version
policyJson = version.document  # decoded into a dict by boto3

# Append the new bucket to the Resource list of the first statement
policyJson['Statement'][0]['Resource'].append('arn:aws:s3:::anotherbucket/*')
print(policyJson)

# Low-level client for deleting and recreating the policy
client = boto3.client('iam')
# Note: DeletePolicy succeeds only once the policy is detached from all
# users, groups and roles and all non-default versions have been deleted
response = client.delete_policy(
    PolicyArn='arn:aws:iam::ACCOUNT_ID:policy/CustomS3Policy'
)
print(response)

response = client.create_policy(
    PolicyName='CustomS3Policy',
    PolicyDocument=json.dumps(policyJson)
)
print(response)
References:
http://boto3.readthedocs.io/en/latest/guide/iam-example-policies.html
https://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.delete_policy
https://gist.github.com/alexcasalboni/07414d62290828ea03a14b4bf2157fd1
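Putting the question's Lambda scenario together with the create_policy_version approach from the first answer, here is an added example (not code from either answer): it widens only the statement that actually grants s3:GetObject, is idempotent for repeated CreateBucket events, and prunes the oldest non-default version when the 5-version limit is reached. It assumes the function is wired to the CloudTrail CreateBucket event through EventBridge (bucket name at detail.requestParameters.bucketName) and a hypothetical POLICY_ARN environment variable naming the managed policy.

```python
import json
import os
from typing import Any, Dict, List

MAX_VERSIONS = 5  # an IAM managed policy may hold at most five versions

def add_bucket_to_policy(doc: Dict[str, Any], bucket: str) -> bool:
    """Extend the Allow statement that grants s3:GetObject to cover `bucket`.
    Returns True after mutating `doc`; False (no change) if already covered."""
    arn = f"arn:aws:s3:::{bucket}/*"
    for stmt in doc["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "s3:GetObject" not in actions:
            continue  # widen only the statement granting the read, not Statement[0] blindly
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if arn in resources:
            return False  # repeat CreateBucket events are idempotent
        stmt["Resource"] = resources + [arn]
        return True
    raise ValueError("policy has no Allow statement granting s3:GetObject")

def oldest_non_default(versions: List[Dict[str, Any]]) -> str:
    """VersionId to prune when the limit is hit; the default version is never a candidate."""
    spare = [v for v in versions if not v["IsDefaultVersion"]]
    return min(spare, key=lambda v: v["CreateDate"])["VersionId"]

def publish_policy(client, policy_arn: str, doc: Dict[str, Any]) -> str:
    """Create a new default version, first pruning one if MAX_VERSIONS is reached."""
    versions = client.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= MAX_VERSIONS:
        client.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest_non_default(versions))
    resp = client.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=json.dumps(doc), SetAsDefault=True)
    return resp["PolicyVersion"]["VersionId"]

def handler(event, context):
    """Lambda entry point for the CloudTrail CreateBucket event delivered via EventBridge."""
    import boto3  # imported here so the pure helpers above stay testable without boto3
    client = boto3.client("iam")
    policy_arn = os.environ["POLICY_ARN"]  # hypothetical: ARN of the managed read policy
    bucket = event["detail"]["requestParameters"]["bucketName"]
    default_id = client.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    doc = client.get_policy_version(PolicyArn=policy_arn, VersionId=default_id)["PolicyVersion"]["Document"]
    if add_bucket_to_policy(doc, bucket):
        return publish_policy(client, policy_arn, doc)
    return default_id  # nothing to change
```

The helpers take the IAM client as a parameter, so the version-pruning logic can be exercised against a stub before the function is given iam:CreatePolicyVersion and iam:DeletePolicyVersion on that one policy ARN.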