
How to update IAM Policy using Boto3 Python

I have an S3 bucket read policy:

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Effect":"Allow",
          "Action":["s3:GetObject"],
          "Resource":["arn:aws:s3:::examplebucket/*"]
        }
      ]
    }

Based on CloudTrail logs, when a new bucket is created I am creating an event which will invoke a Lambda function.

I am able to read the JSON for the policy and add a new resource (bucket) to the same policy. Is there a direct Python API to be invoked which will update an existing IAM policy with the new resource?

I found the right way of doing it:

You have to create a policy version (including your policy changes) of your existing policy and mark it as the default. That way the new version will replace the existing policy.

Get your existing policy:

import boto3, json
policy = boto3.resource('iam').Policy('arn:aws:iam::' + ACCOUNT_ID + ':policy/' + POLICY_NAME)

Get the JSON from this policy:

version = policy.default_version  # the current default version, kept for the cleanup step
policyJson = version.document

Change it as you want:

policyJson['Statement'].append({
    'Action': '*',
    'Resource': 'arn:aws:ec2:::*/*',
    'Effect': 'Allow'
})

Create a policy version with the new JSON and the option SetAsDefault set to True:

client = boto3.client('iam')
response = client.create_policy_version(
    PolicyArn='arn:aws:iam::' + ACCOUNT_ID + ':policy/' + POLICY_NAME,
    PolicyDocument=json.dumps(policyJson),
    SetAsDefault=True
)

Delete the previous version (optional but recommended, since a policy can have at most 5 versions):

response = client.delete_policy_version(
    PolicyArn='arn:aws:iam::' + ACCOUNT_ID + ':policy/' + POLICY_NAME,
    VersionId=version.version_id  # the version that was the default before the update
)

And you're good to go!

Thomas.

Ref: IAM DOC

You have to get the IAM policy, then delete it and finally create it again with the modified JSON, as was previously suggested.

Code Snippet

import boto3, json

# IAM resource for reading the policy; the client below does the delete/create calls
iam = boto3.resource('iam')

policy = iam.Policy('arn:aws:iam::ACCOUNT_ID:policy/CustomS3Policy')
version = policy.default_version
policyJson = version.document
# The question's policy lists Resource as an array, so the new bucket is appended to it
policyJson['Statement'][0]['Resource'].append('arn:aws:s3:::anotherbucket/*')

print(policyJson)

client = boto3.client('iam')
# delete_policy only succeeds once the policy is detached from every user, group
# and role and all of its non-default versions have been deleted
response = client.delete_policy(
    PolicyArn='arn:aws:iam::ACCOUNT_ID:policy/CustomS3Policy'
)
print(response)

response = client.create_policy(
    PolicyName='CustomS3Policy',
    PolicyDocument=json.dumps(policyJson)
)
print(response)

References:

http://boto3.readthedocs.io/en/latest/guide/iam-example-policies.html
https://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.delete_policy
https://gist.github.com/alexcasalboni/07414d62290828ea03a14b4bf2157fd1
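Added example (not code from either answer): the question's scenario done the create_policy_version way, as a pure policy editor that widens only the s3:GetObject grant plus a rotation helper that respects the five-version cap by pruning the oldest non-default version before publishing. `FakeIamClient` is a constructed offline stand-in for the three boto3 calls used; a real `boto3.client('iam')` takes its place in a Lambda, and the ARNs and bucket names are placeholders.

```python
import copy, json

MAX_VERSIONS = 5  # IAM keeps at most five versions of a customer managed policy


def add_bucket_read_access(document, bucket):
    """Copy `document`, extending every Allow s3:GetObject statement to `bucket`; idempotent."""
    doc = copy.deepcopy(document)
    arn = f"arn:aws:s3:::{bucket}/*"
    for stmt in doc["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "s3:GetObject" not in actions:
            continue  # never touch Deny statements or unrelated grants
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else list(res)  # Resource may be a bare string
        stmt["Resource"] = res if arn in res else res + [arn]
    return doc


def oldest_non_default_version(versions):
    """From list_policy_versions output pick the prune candidate: never the default, oldest first."""
    spare = [v for v in versions if not v["IsDefaultVersion"]]
    return min(spare, key=lambda v: v["CreateDate"])["VersionId"] if spare else None


def rotate_policy(client, policy_arn, new_document):
    """Publish new_document as default; prune one old version only if the cap would block it."""
    versions = client.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= MAX_VERSIONS:
        client.delete_policy_version(
            PolicyArn=policy_arn, VersionId=oldest_non_default_version(versions))
    resp = client.create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=json.dumps(new_document), SetAsDefault=True)
    return resp["PolicyVersion"]["VersionId"]


class FakeIamClient:  # constructed offline stand-in for the three IAM calls used above
    def __init__(self, n):  # n existing versions v1..vn, the newest being the default
        self.versions = [{"VersionId": f"v{i}", "IsDefaultVersion": i == n,
                          "CreateDate": i} for i in range(1, n + 1)]
        self.deleted = []
    def list_policy_versions(self, PolicyArn):
        return {"Versions": list(self.versions)}
    def delete_policy_version(self, PolicyArn, VersionId):
        self.deleted.append(VersionId)
        self.versions = [v for v in self.versions if v["VersionId"] != VersionId]
    def create_policy_version(self, PolicyArn, PolicyDocument, SetAsDefault):
        json.loads(PolicyDocument)  # IAM rejects anything that is not valid JSON
        nid = len(self.deleted) + len(self.versions) + 1  # fake assumes SetAsDefault=True
        new = {"VersionId": f"v{nid}", "IsDefaultVersion": True, "CreateDate": nid}
        self.versions = [dict(v, IsDefaultVersion=False) for v in self.versions] + [new]
        return {"PolicyVersion": {"VersionId": new["VersionId"]}}
```

Because the new version is created only after room has been made, a Lambda that fires on every CreateBucket event keeps working past the fifth bucket instead of failing with LimitExceeded.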
