[英]Programmatically Convert all AWS inline policies to Managed Policies of current IAM Roles
目前,我有數百個具有內聯策略的 AWS IAM 角色。
我想以某種方式將這些內聯策略轉換為托管策略。
雖然AWS 文檔可以通過 Console 執行此操作,但這將非常耗時。
有沒有人知道一種方法,或者有一個腳本可以通過 BOTO 或 AWS CLI 執行此操作……或者指導我使用某種可以以編程方式執行此操作的方法?
提前致謝
boto3 代碼將是這樣的。
在此代碼中,嵌入在指定 IAM 用戶中的內聯策略將被復制到客戶托管的策略中。
注意刪除部分被注釋掉。
import json
import boto3
user_name = 'xxxxxxx'
client = boto3.client("iam")
response = client.list_user_policies(UserName=user_name)
for policy_name in response["PolicyNames"]:
response = client.get_user_policy(UserName=user_name, PolicyName=policy_name)
policy_document = json.dumps(response["PolicyDocument"])
response = client.create_policy(
PolicyName=policy_name, PolicyDocument=policy_document_json
)
# response = client.delete_user_policy(
# UserName=user_name,
# PolicyName=policy_name
# )
使用@shimo 代碼段,以下內容可用於添加錯誤處理並將新創建的托管策略附加到 IAM 角色:
import json
import boto3
from botocore.exceptions import ClientError
role_name = 'xxxxxxxx'
account_id = '123456789'
client = boto3.client("iam")
resource = boto3.resource('iam')
response = client.list_role_policies(RoleName=role_name)
for policy_name in response["PolicyNames"]:
response = client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
policy_document = json.dumps(response["PolicyDocument"])
print(policy_document)
try:
response = client.create_policy(
PolicyName=policy_name, PolicyDocument=policy_document
)
print(policy_name + 'Policy Created')
except ClientError as error:
if error.response['Error']['Code'] == 'EntityAlreadyExists':
print(policy_name + ' policy already exists')
else:
print("Unexpected error: %s" % error)
policy_arn = f'arn:aws:iam::{account_id}:policy/{policy_name}'
role = resource.Role(role_name)
role.attach_policy(PolicyArn=policy_arn)
response = client.delete_role_policy(
RoleName=role_name,
PolicyName=policy_name
)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.