使用 Boto 创建 IAM 策略时出现 MalformedPolicyDocumentException

【问题标题】:MalformedPolicyDocumentException while creating IAM policy using Boto使用 Boto 创建 IAM 策略时出现 MalformedPolicyDocumentException
【发布时间】:2021-05-13 01:11:54
【问题描述】:

我正在编写一个使用 python 函数创建 IAM 策略的 boto 脚本。该策略已使用“json.dumps()”转换为 JSON 格式,但 AWS 仍不会将其视为有效格式。 功能是:

##### Global variables ####
region="us-east-2"
instance_type="t2.micro"
ebs_volume_size="20"
meta_template_name="ec2_policy_meta_template"
###############################

start_time_1 = input("What's the start time")
end_time1 = input("What's the end time")
def create_aws_iam_policy_template(**kwargs):
  template_data = {}
  template_data["region"] = kwargs.get('region')
  template_data["start_time"] = kwargs.get('end_time')
  template_data["end_time"] = kwargs.get('start_time')
  template_data["instance_type"] = kwargs.get('instance_type')
  template_data["ebs_volume_size"] = kwargs.get('ebs_volume_size')
  template_data["meta_template_name"] = kwargs.get('meta_template_name')

  meta_template_dict = getattr(meta_templates, template_data["meta_template_name"])
  meta_template_json = json.dumps(meta_template_dict)
  template_json = Template(meta_template_json).render(template_data)
  return template_json  


template_json = create_aws_iam_policy_template(
  region=region,
  instance_type=instance_type,
  ebs_volume_size=ebs_volume_size,
  meta_template_name=meta_template_name,
  start_time = start_time_1,
  end_time = end_time1
)

这是我用来将 dict 转换为 JSON 的方法:

app_json = json.dumps(template_json)
print(app_json)

这是 IAM 政策的输出:

"{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:RunInstances", "资源": ["arn:aws:ec2:us-east-2::instance/", "arn:aws:ec2:us-east-2::network-interface/", " arn:aws:ec2:us-east-2::key-pair/", "arn:aws:ec2:us-east-2::security-group/", "arn:aws :ec2:us-east-2::subnet/", "arn:aws:ec2:us-east-2::volume/", "arn:aws:ec2:us-east- 2::image/ami-"], "条件": {"ForAllValues:NumericLessThanEquals": {"ec2:VolumeSize": "20"}, "ForAllValues:StringEquals": {"ec2:InstanceType": " t2.micro"}}}, {"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:StartInstances", "ec2:StopInstances"], "资源”:“arn:aws:ec2:us-east-2::instance/”,“条件”:{“ForAllValues:StringEquals”:{“ec2:InstanceType”:“t2.micro”}} }、{“Sid”:“VisualEditor2”、“效果”:“允许”、“操作”:[“ec2:Describe*”、“ec2:GetConsole*”、“cloudwatch:DescribeAlarms”、“iam:ListInstanceProfiles”、 “云观察:GetMetricStat istics”、“ec2:DescribeKeyPairs”、“ec2:CreateKeyPair”]、“资源”:“*”、“条件”:{“DateGreaterThan”:{“aws:CurrentTime”:“2020-06-30T23:59:59Z "}, "DateLessThanEquals": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}}}]}" 这是我在尝试创建 IAM 策略时遇到的错误:

botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Syntax errors in policy.

【问题讨论】:

  • 能否提供更完整的示例代码?您在哪里以及如何生成template_json 并调用CreatePolicy
  • 我已对问题进行了更改。请检查一下。

标签: python json amazon-web-services boto3 amazon-iam


【解决方案1】:

尽管我能够通过控制台创建该策略,但总体上的警告太多了。

例如,aws:CurrentTime 应该如下所示:

                "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}

ec2:InstanceType 条件没有指定相应的条件值。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-2::instance/",
        "arn:aws:ec2:us-east-2::network-interface/",
        "arn:aws:ec2:us-east-2::key-pair/",
        "arn:aws:ec2:us-east-2::security-group/",
        "arn:aws:ec2:us-east-2::subnet/",
        "arn:aws:ec2:us-east-2::volume/",
        "arn:aws:ec2:us-east-2::image/ami-"
      ],
      "Condition": {
        "ForAllValues:NumericLessThanEquals": {
          "ec2:VolumeSize": "20"
        },
        "ForAllValues:StringEquals": {
          "ec2:InstanceType": ""
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-2::instance/",
      "Condition": {
        "ForAllValues:StringEquals": {
          "ec2:InstanceType": ""
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*",
        "cloudwatch:DescribeAlarms",
        "iam:ListInstanceProfiles",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeKeyPairs",
        "ec2:CreateKeyPair"
      ],
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "30"
        },
        "DateLessThanEquals": {
          "aws:CurrentTime": "20"
        }
      }
    }
  ]
}

【讨论】:

  • 感谢您的回复,我已经更新了两个问题,但我得到了同样的错误,我重新检查了不知道现在可能是什么问题。
  • @PranaySinghParihar 我建议在IAM Policy Simulator 中进行策略测试。一旦确定这是您需要的策略,您就可以通过代码轻松生成它。
  • 是的,我认为属性很好,但是输出中有这些不符合 IAM 策略格式的反斜杠“\”,但我不知道如何摆脱它。
  • @PranaySinghParihar 您在帖子中分享的政策是有效的,只是您提出的条件有问题。正如我在回答中所证实的那样。我能够通过console 创建策略
  • 在模拟器中我似乎遇到了一个parcing错误。
猜你喜欢
  • 2017-11-02
  • 2018-08-25
  • 1970-01-01
  • 2017-07-27
  • 2018-04-13
  • 2018-02-28
  • 2012-05-18
  • 2021-10-16
  • 2020-12-16
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode