如何使用 boto 获取 AWS iam 中用户的权限或组详细信息

Question

我已使用 python boto 模块从 AWS IAM 成功获取用户。

代码：

import  boto
from boto.iam.connection import IAMConnection


    cfn = IAMConnection(aws_access_key_id='somekeyid',aws_secret_access_key ='secret_here')
    data = cfn.get_all_users()

    for user in data.users:
        print user,"\n"

如何获取用户关联的组或权限？

我添加了这行代码来获取与用户关联的组，我收到了下面提到的错误。

添加代码：

group=cfn.get_groups_for_user("Shital")
print group

其中“Shital”是存在并从上方获取的用户。出于测试目的，我手动将其传递给函数调用。

错误：

Traceback (most recent call last):
  File "getuser.py", line 14, in <module>
    pol=cfn.get_groups_for_user("Shita")
  File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 509, in get_groups_for_user
    list_marker='Groups')
  File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 102, in get_response
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>User: arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita</Message>
  </Error>
  <RequestId>7e9a4b56-95f0-11e7-9bb0-8b8eb22708c5</RequestId>
</ErrorResponse>

Answer 1

使用具有适当权限的凭据对于此查询的工作至关重要。正如 code_onkel 指出的那样，根据需要分配 IAMFullAccess 或 AdministratorAccess 以成功完成事务是有意义的。

Answer 2

您收到此错误是因为您没有 ListGroupUser 的权限。 因此，您收到此错误用户：arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita

您可以创建一个允许您列出用户详细信息的角色，您可以将该角色添加到您的个人资料中，或者您可以使用承担角色。 https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html

Answer 3

此代码有几个主要注意事项：

1 - 假设您对所有策略使用默认策略版本。

2 - 它假定您具有所需的权限。

3 - 它是使用 boto3 而不是旧的 bo​​to 编写的。

现在我们已经解决了这个问题，代码：

#! /bin/python3

import boto3

USERNAME = '<The desired username>'
policy_names = []

def get_groups_by_username(username):
    client = boto3.client('iam')
    groups_json = client.list_groups_for_user(UserName=username)['Groups']
    group_names = []
    for group in groups_json:
        group_names.append(group['GroupName'])
    return group_names


def get_group_policies(user_groups):
    client = boto3.client('iam')
    global policy_names
    for group in user_groups:
        # This is for AWS managed policies and returns both the policy ARN and name
        attached_group_policies = (client.list_attached_group_policies(GroupName=group)['AttachedPolicies'])
        for policy in attached_group_policies:
            policy_names.append(policy['PolicyName'])
        # This is for inline policies and returns only the policy name
        group_policies = (client.list_group_policies(GroupName=group)['PolicyNames'])
        for policy in group_policies:
            policy_names.append(policy)


def get_user_policies(username):
    client = boto3.client('iam')
    global policy_names
    # This is for AWS managed policies and returns both the policy ARN and name
    attached_user_policies = (client.list_attached_user_policies(UserName=username)['AttachedPolicies'])
    for policy in attached_user_policies:
        policy_names.append(policy['PolicyName'])
    # This is for inline policies and returns only the policy name
    user_policies = (client.list_user_policies(UserName=username)['PolicyNames'])
    for policy in user_policies:
        policy_names.append(policy)


get_user_policies(USERNAME)
groups = get_groups_by_username(USERNAME)
print("The user " + USERNAME + " belongs to the groups:")
print(groups)
get_group_policies(groups)
print("The user " + USERNAME + " has the following policies applied to it: ")
print(policy_names)