我已成功使用python boto模块从AWS iam获取用户。
代码:
import boto
from boto.iam.connection import IAMConnection
cfn = IAMConnection(aws_access_key_id='somekeyid',aws_secret_access_key ='secret_here')
data = cfn.get_all_users()
for user in data.users:
print user,"\n"
如何获取与用户相关联的群组详细信息或 权限类型用户与?
相关联
我添加了这行代码来获取与用户关联的组,我收到了下面提到的错误。
已添加代码:
group=cfn.get_groups_for_user("Shital")
print group
在哪里," Shital"是从上面存在和被提取的用户。出于测试目的,我手动将其传递给函数调用。
错误:
Traceback (most recent call last):
File "getuser.py", line 14, in <module>
pol=cfn.get_groups_for_user("Shita")
File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 509, in get_groups_for_user
list_marker='Groups')
File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 102, in get_response
raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>AccessDenied</Code>
<Message>User: arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita</Message>
</Error>
<RequestId>7e9a4b56-95f0-11e7-9bb0-8b8eb22708c5</RequestId>
</ErrorResponse>
答案 0 :(得分:0)
使用具有适当权限的凭据对于此查询的工作至关重要。正如code_onkel指出的那样,根据需要分配IAMFullAccess或AdministratorAccess以成功完成事务是有意义的。
答案 1 :(得分:0)
您收到此错误是因为您没有ListGroupUser的权限。 因此,您收到此错误用户:arn:aws:iam :: 586848946515:user / qa-api-users无权执行:iam:资源上的ListGroupsForUser:用户Shita
您可以创建一个角色,允许您列出用户详细信息,您可以将该角色添加到您的个人资料中,也可以使用假定角色。 https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html
答案 2 :(得分:0)
此代码有几个主要警告:
1-假定您对所有策略都使用默认策略版本。
2-假定您具有所需的权限。
3-它是使用boto3而不是旧的boto编写的。
现在,我们已经解决了这个问题,代码:
#! /bin/python3
import boto3
USERNAME = '<The desired username>'
policy_names = []
def get_groups_by_username(username):
client = boto3.client('iam')
groups_json = client.list_groups_for_user(UserName=username)['Groups']
group_names = []
for group in groups_json:
group_names.append(group['GroupName'])
return group_names
def get_group_policies(user_groups):
client = boto3.client('iam')
global policy_names
for group in user_groups:
# This is for AWS managed policies and returns both the policy ARN and name
attached_group_policies = (client.list_attached_group_policies(GroupName=group)['AttachedPolicies'])
for policy in attached_group_policies:
policy_names.append(policy['PolicyName'])
# This is for inline policies and returns only the policy name
group_policies = (client.list_group_policies(GroupName=group)['PolicyNames'])
for policy in group_policies:
policy_names.append(policy)
def get_user_policies(username):
client = boto3.client('iam')
global policy_names
# This is for AWS managed policies and returns both the policy ARN and name
attached_user_policies = (client.list_attached_user_policies(UserName=username)['AttachedPolicies'])
for policy in attached_user_policies:
policy_names.append(policy['PolicyName'])
# This is for inline policies and returns only the policy name
user_policies = (client.list_user_policies(UserName=username)['PolicyNames'])
for policy in user_policies:
policy_names.append(policy)
get_user_policies(USERNAME)
groups = get_groups_by_username(USERNAME)
print("The user " + USERNAME + " belongs to the groups:")
print(groups)
get_group_policies(groups)
print("The user " + USERNAME + " has the following policies applied to it: ")
print(policy_names)