
Parse the IAM policy document response by boto3

I am a beginner in Python and I am trying to get the Statement id (Sid) and Condition from the policy statement using boto3. Any help is appreciated.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        { 
            "Sid": "DenyResourceShare",
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}

I am able to get the content, however I am not sure how to loop over the policy statements.

def print_policy(id):
    policy_data = org.describe_policy(
        PolicyId=policy[id]
    )
    print(policy_data['Policy']['Content'])
    content = json.loads(policy_data['Policy'])
    for statement in content['Statement']:
        print(statement['Sid'])

I get the error:

     content = json.loads(policy_data['Policy'])
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 341, in loads
    raise TypeError(f'the JSON object must be str, bytes or bytearray, '
TypeError: the JSON object must be str, bytes or bytearray, not dict

I tried to convert it to a string, but got the error below:

content = json.loads(json.dumps(policy_data['Policy']))
for statement in content['Statement']:
    print(statement['Sid'])

Error:

for statement in content['Statement']:
KeyError: 'Statement'

Using your example, you can loop over the items to get, for example, Action:

iam = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}

for item in iam['Statement']:
    print(', '.join(item['Action']))

Output: ram:CreateResourceShare, ram:AssociateResourceShare

However, you don't have a Sid in your example, so I've used one from AWS.

iam_policy = {
    'Version': '2012-10-17',
    'Statement': [
        {
            'Sid': 'EnableDisableHongKong',
            'Effect': 'Allow',
            'Action': ['account:EnableRegion', 'account:DisableRegion'],
            'Resource': '*',
            'Condition': {'StringEquals': {'account:TargetRegion': 'ap-east-1'}}
        },
        {
            'Sid': 'ViewConsole',
            'Effect': 'Allow',
            'Action': ['aws-portal:ViewAccount', 'account:ListRegions'],
            'Resource': '*'
        }
    ]
}

for item in iam_policy['Statement']:
    print(item['Sid'])

Output:

EnableDisableHongKong
ViewConsole

A simple example with boto3:

import boto3
import json

arn = 'arn:aws:iam::aws:policy/AdministratorAccess'

iam = boto3.client('iam')
policy = iam.get_policy(PolicyArn=arn)
policy_version = iam.get_policy_version(
    PolicyArn=arn,
    VersionId=policy['Policy']['DefaultVersionId']
)

print(json.dumps(policy_version['PolicyVersion']['Document']))
print(json.dumps(policy_version['PolicyVersion']['Document']['Statement']))

This prints:

{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
[{"Effect": "Allow", "Action": "*", "Resource": "*"}]

You should be able to parse the Content string into a Python dict using literal_eval:

import ast

# later

content = ast.literal_eval(policy_data['Policy']['Content'])

# content should be dict now

print(type(content))
print(content)
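Putting the two answers together against the question's own describe_policy() call, as an added example that is not from the question or either answer: the response dict below is constructed to match the shape Organizations returns (Policy.PolicySummary plus Policy.Content as a JSON string, so the policy Id is a placeholder), Content is decoded with json.loads, and the walker goes a step beyond the page by also accepting IAM's already-decoded Document and a Statement given as a single object rather than a list.

```python
import json
from typing import Any

# Constructed sample in the shape organizations.describe_policy() returns:
# Content is a JSON *string*, which is why json.loads(policy_data['Policy']) failed.
SAMPLE_RESPONSE = {
    "Policy": {
        "PolicySummary": {"Id": "p-EXAMPLEID", "Type": "SERVICE_CONTROL_POLICY"},
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "DenyResourceShare",
                "Effect": "Deny",
                "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
                "Resource": "*",
                "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalArn": [
                    "arn:aws:organizations::*:organization/*",
                    "arn:aws:organizations::*:ou/*"]}},
            }],
        }),
    }
}


def load_policy_document(policy: Any) -> dict:
    """Organizations returns Content as a JSON string; IAM's get_policy_version()
    returns Document already decoded. Accept both, reject anything else."""
    if isinstance(policy, (str, bytes, bytearray)):
        return json.loads(policy)
    if isinstance(policy, dict):
        return policy
    raise TypeError(f"unsupported policy document type: {type(policy).__name__}")


def summarize_statements(document: dict) -> list:
    """One summary per statement. Sid and Condition are optional in IAM JSON,
    and Statement may be a single object instead of a list, so normalize both."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [{"Sid": s.get("Sid"), "Effect": s.get("Effect"),
             "Condition": s.get("Condition", {})} for s in statements]


def summarize_response(response: dict) -> list:
    """Walk the full describe_policy() response down to the statement summaries."""
    return summarize_statements(load_policy_document(response["Policy"]["Content"]))
```

Calling summarize_response(SAMPLE_RESPONSE) yields one entry with Sid 'DenyResourceShare', Effect 'Deny' and the ForAnyValue:StringLike condition; a statement without a Sid yields None for that field instead of a KeyError.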
