
How to attach new role permissions to an IAM role in AWS using Python boto3?

I'm trying to attach new permissions to an existing IAM role using Python boto3. I'm using the append() method to attach new permissions to the IAM role, but it is not really adding permissions to the role.

Python:

import boto3

# Credentials and names are placeholders supplied by the caller
iam = boto3.client('iam', aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)
rolename = ROLENAME
policyname = POLICYNAME

# Get the inline role policy; boto3 returns PolicyDocument already parsed into a dict
response = iam.get_role_policy(RoleName=rolename, PolicyName=policyname)
add_permission = response['PolicyDocument']['Statement']

# json_perm is the permission that needs to be attached inside the Statement block of the policy document
json_perm = {'Action': '*', 'Resource': '', 'Effect': 'Allow'}

# Attaching new permissions to the local copy of the Statement list
add_permission.append(json_perm)
print(add_permission)

# Get response after appending
new_response = iam.get_role_policy(RoleName=rolename, PolicyName=policyname)
print(new_response)

When printing add_permission I'm able to see that the new permissions got appended to the policy document. But I'm not able to see that permission in the AWS console, and after appending, if I print new_response, I'm not able to see the newly added permissions in the terminal output either.

Appending new permissions to the IAM role doesn't actually change the role? How to attach new permissions to the IAM role PolicyDocument using Python boto3?

Thanks.

Appending new permissions to the IAM role doesn't actually change the role?

This does not work because you are not actually updating the policy at AWS. You are just adding it to a Python variable, add_permission. This does not automatically translate into actual changes to the policy at AWS.

For that, you have to use the put_role_policy call to AWS to update the policy.

You can try the following code:

import json

#Get rolepolicy (boto3 returns PolicyDocument already parsed into a dict)
response = iam.get_role_policy(
    RoleName=rolename,
    PolicyName=policyname)

add_permission = response['PolicyDocument']
#print(add_permission)

#Attaching new permissions to the role
#add_permission.append(json_perm)
#print(add_permission)

# NOT a good idea to allow all actions on all resources
add_permission['Statement'].append({
    'Action': '*',
    'Resource': '*',
    'Effect': 'Allow',
    'Sid': 'AllowAll'})

# put_role_policy writes the modified document back; this is what actually changes the role
response = iam.put_role_policy(
    RoleName=rolename,
    PolicyName=policyname,
    PolicyDocument=json.dumps(add_permission)
)
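An added example (not the original answer's code) that wraps the same get_role_policy / modify / put_role_policy round trip in a reusable function: it replaces a statement by Sid so re-running the update is idempotent, and it refuses the Action '*' on Resource '*' grant the comment above warns against. FakeIamClient is a constructed offline stand-in for boto3's IAM client, and the role and policy names are placeholders.

```python
import json

# Added example (not code from the original post). The client is injected so the
# same logic runs against boto3.client("iam") or the offline stub defined below.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def merge_statement(policy_doc, new_stmt):
    """Copy policy_doc and add new_stmt, replacing any statement with the same Sid.
    A Sid-less statement is appended only if not already present (idempotent)."""
    doc = json.loads(json.dumps(policy_doc))        # deep copy; caller's dict is untouched
    stmts = _as_list(doc.get("Statement", []))      # IAM also accepts a single statement object
    sid = new_stmt.get("Sid")
    if sid is not None:
        stmts = [s for s in stmts if s.get("Sid") != sid]
    elif new_stmt in stmts:
        doc["Statement"] = stmts
        return doc
    stmts.append(new_stmt)
    doc["Statement"] = stmts
    return doc

def is_full_admin(stmt):
    """True when the statement allows every action on every resource."""
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Action", []))
            and "*" in _as_list(stmt.get("Resource", [])))

def add_role_permission(client, role_name, policy_name, new_stmt):
    """get_role_policy -> merge -> put_role_policy; only the put changes IAM."""
    if is_full_admin(new_stmt):
        raise ValueError("refusing to grant Action '*' on Resource '*'")
    current = client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
    updated = merge_statement(current["PolicyDocument"], new_stmt)  # boto3 gives a dict here
    client.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                           PolicyDocument=json.dumps(updated))
    return updated

class FakeIamClient:
    """Constructed offline stand-in for boto3's IAM client (only the two calls used)."""
    def __init__(self, policy_doc):
        self.doc, self.put_calls = policy_doc, 0

    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": json.loads(json.dumps(self.doc))}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.doc, self.put_calls = json.loads(PolicyDocument), self.put_calls + 1
```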
