Trying to create IAM Policy, Role and Users using Python (Boto3)
I am trying to use Boto3 to create a script that should basically create a role with a policy attached to it.
    response = client.create_policy(
        PolicyName='string',
        Path='string',
        PolicyDocument='string',
        Description='string'
    )
I can create a policy on its own (to validate the policy document), but I cannot create a role without an "AssumeRolePolicyDocument", and I cannot figure out how to pass this policy document into "AssumeRolePolicyDocument".
So far I have managed to create the following script:
    import json
    import boto3

    # Connect to IAM with boto
    #iam = boto3.connect_iam($key, $secret)

    # Create IAM client
    iam = boto3.client('iam')

    #createRole
    # Identity-based permissions policy (Action/Resource statements); this is the
    # document that gets passed as AssumeRolePolicyDocument below.
    S3ANDEC2 = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ReadOnly",
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:List*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Sid": "Ec2FullAccess",
                "Action": "ec2:*",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    response = iam.create_role(
        Path='/',
        RoleName='Boto-R1',
        AssumeRolePolicyDocument=json.dumps(S3ANDEC2),
        Description='S3 Read and EC2Full permissions policy'
    )
    print(response)
When I run the above it returns the following error:

    C:\Projects\AWS>python user.py
    Traceback (most recent call last):
      File "Role.py", line 116, in <module>
        Description='S3 Read and EC2Full permissions policy'
      File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 310, in _api_call
        return self._make_api_call(operation_name, kwargs)
      File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 599, in _make_api_call
        raise error_class(parsed_response, operation_name)
    botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource

I made sure to validate my policy document... not sure why it says "An error occurred (MalformedPolicyDocument)".
Any help is appreciated.
You cannot attach a policy to a role using AssumeRolePolicyDocument; it is used to attach a trust policy to the role.
This is how you create the role, attach the trust policy to it, create the policy and then attach the policy to the role.
    import json
    import boto3

    session = boto3.session.Session(profile_name='my_profile')
    iam = session.client('iam')

    path = '/'
    role_name = 'ec2-test-role'
    description = 'BOTO3 ec2 test role'

    # Trust policy: who may assume the role (a Principal, no Resource field).
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    response = iam.create_role(
        Path=path,
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy),
        Description=description,
        MaxSessionDuration=3600
    )

    # Permissions policy: what the role may do once assumed (Action/Resource, no Principal).
    managed_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ReadOnly",
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:List*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Sid": "Ec2FullAccess",
                "Action": "ec2:*",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    response = iam.create_policy(
        PolicyName='BOTO3-Test-ec2-policy',
        PolicyDocument=json.dumps(managed_policy)
    )

    # Use the ARN returned by CreatePolicy instead of templating the account id
    # by hand (arn:aws:iam::<account_id>:policy/BOTO3-Test-ec2-policy).
    policy_arn = response['Policy']['Arn']

    iam.attach_role_policy(
        PolicyArn=policy_arn,
        RoleName=role_name
    )