
How to get the policy document for an AWS managed policy of an IAM user in Python boto3?

I'm able to retrieve the policy document for inline policies with the "get_user_policy()" client call. Is there any way to retrieve the policy documents for the AWS managed policies of an IAM user?

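import boto3

client = boto3.client('iam')
# Fetch one inline policy embedded in the user
policy = client.get_user_policy(UserName="<string>", PolicyName="<string>")
# Keep only the PolicyDocument key of the response
doc = dict((k, policy[k]) for k in ['PolicyDocument'] if k in policy)
print(doc)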

It seems like we can get the policy document of a managed policy using its ARN. But I'm not sure how to get the ARNs of all the managed policies that are attached to a particular IAM user.

So, how do I get the policy document for an AWS managed policy of an IAM user in Python?

Thanks in advance.

I have created one user called test1 and attached IAMReadOnlyAccess and PowerUserAccess. The catch was the ARN difference between an AWS managed policy and a customer managed policy. For more info.

import boto3

iam_res = boto3.resource('iam')
user = iam_res.User('test1')

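# Managed policies attached directly to the user (inline policies are not included)
policy_iterator = user.attached_policies.all()

for each in policy_iterator:
    # AWS managed policy ARNs have "aws" in place of the account id
    if each.arn.startswith('arn:aws:iam::aws'):
        # default_version is the policy version currently in effect
        print(each.default_version.document)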

Here is the output.

{'Statement': [{'Action': ['iam:GenerateCredentialReport',
                           'iam:GenerateServiceLastAccessedDetails',
                           'iam:Get*',
                           'iam:List*',
                           'iam:SimulateCustomPolicy',
                           'iam:SimulatePrincipalPolicy'],
                'Effect': 'Allow',
                'Resource': '*'}],
 'Version': '2012-10-17'}
{'Statement': [{'Effect': 'Allow',
                'NotAction': ['iam:*', 'organizations:*', 'account:*'],
                'Resource': '*'},
               {'Action': ['iam:CreateServiceLinkedRole',
                           'iam:DeleteServiceLinkedRole',
                           'iam:ListRoles',
                           'organizations:DescribeOrganization',
                           'account:ListRegions'],
                'Effect': 'Allow',
                'Resource': '*'}],
 'Version': '2012-10-17'}
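The same lookup with the boto3 client API, as an added example that is not part of the original answer: it goes beyond the answer by also collecting managed policies the user inherits through groups, following pagination, and labelling each policy as AWS managed or customer managed from its ARN. `FakeIAM`, the group name `devs`, the account id `123456789012` and `ExamplePolicy` are constructed so the block runs offline.

```python
from types import SimpleNamespace

def _pages(iam, op, key, **kw):
    # Follow pagination so long attachment lists are not truncated.
    for page in iam.get_paginator(op).paginate(**kw):
        yield from page[key]

def managed_policy_documents(iam, user_name):
    """Return {policy_arn: {"origin", "via", "document"}} for one IAM user."""
    attached = {}  # arn -> where the attachment comes from
    for p in _pages(iam, "list_attached_user_policies", "AttachedPolicies",
                    UserName=user_name):
        attached.setdefault(p["PolicyArn"], []).append("user")
    for g in _pages(iam, "list_groups_for_user", "Groups", UserName=user_name):
        for p in _pages(iam, "list_attached_group_policies", "AttachedPolicies",
                        GroupName=g["GroupName"]):
            attached.setdefault(p["PolicyArn"], []).append("group:" + g["GroupName"])
    result = {}
    for arn, via in attached.items():
        # ARN account field: literal "aws" for AWS managed policies,
        # a 12-digit account id for customer managed ones.
        origin = "aws" if arn.split(":")[4] == "aws" else "customer"
        version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=arn, VersionId=version)
        result[arn] = {"origin": origin, "via": via,
                       "document": doc["PolicyVersion"]["Document"]}
    return result

class FakeIAM:
    """Constructed stand-in for boto3.client('iam') with canned sample data."""
    AWS_ARN = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
    CUST_ARN = "arn:aws:iam::123456789012:policy/ExamplePolicy"  # constructed
    PAGES = {
        "list_attached_user_policies": [{"AttachedPolicies": [{"PolicyArn": AWS_ARN}]}],
        "list_groups_for_user": [{"Groups": [{"GroupName": "devs"}]}],
        "list_attached_group_policies": [{"AttachedPolicies": [{"PolicyArn": AWS_ARN}]},
                                         {"AttachedPolicies": [{"PolicyArn": CUST_ARN}]}],
    }
    def get_paginator(self, op):
        return SimpleNamespace(paginate=lambda **kw: self.PAGES[op])
    def get_policy(self, PolicyArn):
        return {"Policy": {"DefaultVersionId": "v1"}}
    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"Document": {"Version": "2012-10-17", "Statement": []}}}

if __name__ == "__main__":
    # Offline demo; for a real account pass boto3.client("iam") instead of FakeIAM().
    for arn, info in managed_policy_documents(FakeIAM(), "test1").items():
        print(arn, info["origin"], info["via"], info["document"])
```

Inline policies are not covered here; those still come from `list_user_policies` and `get_user_policy` as in the question.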
