[英]Function for adding parameters in IAM policy
我一直在研究用于从 function 创建 IAM 用户策略的 boto 脚本。 我想在策略中添加区域、instance_type 和 ebs_volume 限制。 我希望 output 采用 json 格式。 我不知道如何继续。文件的名称是 template_function.py 这是 function
def create_aws_iam_policy_template(**template):
print()
create_aws_iam_policy_template(region = "us-east-1", instance_type = "t2.micro", volume_size = "12")
这是存储在同一目录“metatemplate.py”中的另一个文件中的策略
import json
import template_function
import boto3
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
f"arn:aws:ec2:{region}::instance/*",
f"arn:aws:ec2:{region}::network-interface/*",
f"arn:aws:ec2:{region}::key-pair/*",
f"arn:aws:ec2:{region}::security-group/*",
f"arn:aws:ec2:{region}::subnet/*",
f"arn:aws:ec2:{region}::volume/*",
f"arn:aws:ec2:{region}::image/ami-*"
],
"Condition": {
"ForAllValues:NumericLessThanEquals": {
"ec2:VolumeSize": f"{volume_size}"
},
"ForAllValues:StringEquals": {
"ec2:InstanceType": f"{instance_type}"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": f"arn:aws:ec2:{region}::instance/*",
"Condition": {
"ForAllValues:StringEquals": {
"ec2:InstanceType": f"{region}"
}
}
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetConsole*",
"cloudwatch:DescribeAlarms",
"iam:ListInstanceProfiles",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeKeyPairs",
"ec2:CreateKeyPair"
],
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": f"{start_time}"
},
"DateLessThanEquals": {
"aws:CurrentTime": f"{end_time}"
}
}
}
]
}
response = iam.create_policy(
PolicyName='GoodPolicy',
PolicyDocument=json.dumps(some_policy)
)
Create a Python object that has the same members as you want to see in the JSON, then in your code import json and call json.dumps(your_python_object) . 这会将您的 object 变成 JSON 字符串。
然后调用create_policy API并将您从 json.dumps 获得的字符串作为PolicyDocument参数传递。
有多种方法可以做到这一点。 下面是一个
import json
from jinja2 import Template
policy = '''
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:{{region}}::instance/*",
"arn:aws:ec2:{{region}}::network-interface/*",
"arn:aws:ec2:{{region}}::key-pair/*",
"arn:aws:ec2:{{region}}::security-group/*",
"arn:aws:ec2:{{region}}::subnet/*",
"arn:aws:ec2:{{region}}::volume/*",
"arn:aws:ec2:{{region}}::image/ami-*"
],
"Condition": {
"ForAllValues:NumericLessThanEquals": {
"ec2:VolumeSize": "{{volume_size}}"
},
"ForAllValues:StringEquals": {
"ec2:InstanceType": "{{instance_type}}"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:{{region}}::instance/*",
"Condition": {
"ForAllValues:StringEquals": {
"ec2:InstanceType": "{{region}}"
}
}
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetConsole*",
"cloudwatch:DescribeAlarms",
"iam:ListInstanceProfiles",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeKeyPairs",
"ec2:CreateKeyPair"
],
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "{{start_time}}"
},
"DateLessThanEquals": {
"aws:CurrentTime": "{{end_time}}"
}
}
}
]
}
'''
tm = Template(policy)
parsed_policy = tm.render(egion='us-east-1',start_time='1-2-3', end_time='3-4-5', volume_size='2', instance_type='t2.micro')
print(json.dumps(parsed_policy))
使用 Boto 创建 IAM 策略时出现 MalformedPolicyDocumentException
[英]MalformedPolicyDocumentException while creating IAM policy using Boto
AWS Lambda策略长度超出 - 向lambda函数添加规则
[英]AWS Lambda Policy Length Exceeded - adding rules to a lambda function
授予对 Opensearch 的访问权限 Lambda [IAM 和配置域级别访问策略]
[英]Give access Lambda to Opensearch [IAM & Configure domain level access policy]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.