Trying to create IAM Policy, Role and Users using Python (Boto3)

I am trying to create a script using Boto3 that should basically create a role with a policy attached to it.

Following ( http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.create_policy ), the syntax for creating a policy is:

response = client.create_policy(
    PolicyName='string',
    Path='string',
    PolicyDocument='string',
    Description='string'
)

I can create a policy on its own (to validate the policy document), but I cannot create a role without an "AssumeRolePolicyDocument", and I can't figure out how to pass this policy document in as the "AssumeRolePolicyDocument".

So far I have managed to put together the following script:

import json

import boto3

# Connect to IAM with boto
#iam = boto3.connect_iam($key, $secret)

# Create IAM client
iam = boto3.client('iam')

# createRole: permissions policy document (S3 read-only + EC2 full access)
S3ANDEC2 = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Ec2FullAccess",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

response = iam.create_role(
    Path='/',
    RoleName='Boto-R1',
    AssumeRolePolicyDocument=json.dumps(S3ANDEC2),
    Description='S3 Read and EC2Full permissions policy'
)

print(response)

When I run the above it returns the following error:

C:\Projects\AWS>python user.py
Traceback (most recent call last):
  File "Role.py", line 116, in <module>
    Description='S3 Read and EC2Full permissions policy'
  File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 310, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 599, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource

I made sure I validated my policy document... not sure why it says "An error occurred (MalformedPolicyDocument)".

Any help is appreciated.

You cannot use AssumeRolePolicyDocument to attach a policy to a role; it is used to attach a trust policy to the role.

This is how you create a role, attach a trust policy to it, create a policy, and then attach that policy to the role.

import json

import boto3

# Use a named profile; boto3.client('iam') with default credentials works as well
session = boto3.session.Session(profile_name='my_profile')
iam = session.client('iam')

path='/'
role_name='ec2-test-role'
description='BOTO3 ec2 test role'

# Trust policy: WHO may assume the role (here the EC2 service). No Resource field here.
trust_policy={
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

response = iam.create_role(
    Path=path,
    RoleName=role_name,
    AssumeRolePolicyDocument=json.dumps(trust_policy),
    Description=description,
    MaxSessionDuration=3600
)

# Permissions policy: WHAT the role may do. This is a separate managed policy.
managed_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Ec2FullAccess",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

response = iam.create_policy(
  PolicyName='BOTO3-Test-ec2-policy',
  PolicyDocument=json.dumps(managed_policy)
)

# Attach the managed policy to the role. Replace ${account_id} with your AWS account ID;
# the same ARN is also returned by create_policy as response['Policy']['Arn'].
iam.attach_role_policy(
    PolicyArn='arn:aws:iam::${account_id}:policy/BOTO3-Test-ec2-policy',
    RoleName='ec2-test-role'
)
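To make the trust-policy versus permissions-policy distinction from the answer checkable before any API call, here is an added example (not code from the question or the answer): check_policy flags a Resource field in a trust policy (the exact cause of the "Has prohibited field Resource" error) and a Principal in a permissions policy, and create_role_with_policy runs the create role, create policy, attach sequence using the ARN that create_policy returns. FakeIAM, TRUST_POLICY and PERMISSIONS_POLICY are constructed stand-ins so the flow runs offline; pass a real boto3 IAM client in production.

```python
import json
# Added example, not the page's code. A trust policy (AssumeRolePolicyDocument) names WHO may
# assume the role and must not carry Resource; a permissions policy names WHAT it may do.
def check_policy(doc, kind):
    """Return a list of problems for a policy dict; kind is 'trust' or 'permissions'."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    stmts = doc.get("Statement", [])
    for i, s in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        sid, keys = s.get("Sid") or "statement %d" % i, set(s)
        if kind == "trust":
            if not keys & {"Principal", "NotPrincipal"}:
                problems.append("%s: trust policy needs a Principal" % sid)
            for f in sorted(keys & {"Resource", "NotResource"}):
                problems.append("%s: Has prohibited field %s" % (sid, f))
        else:
            if not keys & {"Resource", "NotResource"}:
                problems.append("%s: permissions policy needs a Resource" % sid)
            for f in sorted(keys & {"Principal", "NotPrincipal"}):
                problems.append("%s: Has prohibited field %s" % (sid, f))
    return problems

def create_role_with_policy(iam, role_name, trust_policy, policy_name, managed_policy):
    """Validate both documents, then create role -> create policy -> attach, using the ARN
    that create_policy returns instead of a hand-built arn:aws:iam::<account>:policy/ string."""
    for kind, doc in (("trust", trust_policy), ("permissions", managed_policy)):
        problems = check_policy(doc, kind)
        if problems:
            raise ValueError("%s policy rejected: %s" % (kind, "; ".join(problems)))
    iam.create_role(Path="/", RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy))
    arn = iam.create_policy(PolicyName=policy_name,
                            PolicyDocument=json.dumps(managed_policy))["Policy"]["Arn"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return arn

class FakeIAM:
    """Constructed offline stand-in for boto3.client('iam') with the same call/return shapes."""
    def create_role(self, **kw):
        return {"Role": {"RoleName": kw["RoleName"]}}
    def create_policy(self, **kw):
        return {"Policy": {"Arn": "arn:aws:iam::123456789012:policy/" + kw["PolicyName"]}}
    def attach_role_policy(self, **kw):
        return {}

# Constructed sample documents in the shape the question and the answer use.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "S3ReadOnly",
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
```

Passing PERMISSIONS_POLICY where TRUST_POLICY belongs is rejected locally with the same "Has prohibited field Resource" wording IAM returns, so the mix-up from the question is caught before create_role is called.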
