How to get IAM Policy Document via boto
Solution 1
Please switch to boto3, as there is better support and documentation. As in the boto3 documentation, get_policy() doesn't give you the policy document.
The best I can get is get_account_authorization_details().
I did a quick check under the CLI; just substitute all the commands with boto3 and you are good to go.
aws iam get-account-authorization-details --filter 'LocalManagedPolicy'
Solution 2
Please move to boto3.
Approach this from the policy side:
- Identify the Policy ARN
- Identify the Policy DefaultVersionId using the ARN
- Retrieve the PolicyDocument using the ARN and DefaultVersionId
import boto3
import json

arn = 'arn:aws:iam::aws:policy/AdministratorAccess'
iam = boto3.client('iam')

# get_policy() returns only metadata about the policy, including DefaultVersionId
policy = iam.get_policy(
    PolicyArn=arn
)

# get_policy_version() returns the actual policy document for that version
# (boto3 hands it back already URL-decoded and parsed into a dict)
policy_version = iam.get_policy_version(
    PolicyArn=arn,
    VersionId=policy['Policy']['DefaultVersionId']
)
print(json.dumps(policy_version['PolicyVersion']['Document']))
print(json.dumps(policy_version['PolicyVersion']['Document']['Statement']))
Run this code and pipe the output to "jq ." and you get the following output:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
[
  {
    "Action": "*",
    "Resource": "*",
    "Effect": "Allow"
  }
]
You specifically requested the Actions / Statement in your question. I printed the 'Document' and 'Statement' properties to show the differences.
http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_policy
http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_policy_version
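As an added example (not code from the answers above), the same two-call pattern extended to what the question asks for, backing up every customer-managed policy in an account with its default-version document, and following list_policies pagination so accounts with more than one page of policies are not silently truncated. FakeIamClient, the account id and the two policies are constructed stand-ins for boto3.client('iam') so the example runs offline:

```python
ACCOUNT = "123456789012"  # constructed sample account id
READ_ARN = f"arn:aws:iam::{ACCOUNT}:policy/ReadBucket"
DENY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DenyAll"


class FakeIamClient:
    """Constructed stand-in for boto3.client('iam') so this runs offline; it
    serves two list_policies pages to exercise the Marker/IsTruncated loop."""
    PAGES = {
        None: {"Policies": [{"PolicyName": "ReadBucket", "Arn": READ_ARN,
                             "DefaultVersionId": "v2"}],
               "IsTruncated": True, "Marker": "page2"},
        "page2": {"Policies": [{"PolicyName": "DenyAll", "Arn": DENY_ARN,
                                "DefaultVersionId": "v1"}],
                  "IsTruncated": False},
    }
    DOCS = {
        (READ_ARN, "v2"): {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"}]},
        (DENY_ARN, "v1"): {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Action": "*", "Resource": "*"}]},
    }

    def list_policies(self, Scope, Marker=None):
        assert Scope == "Local"  # customer-managed policies only
        return self.PAGES[Marker]

    def get_policy_version(self, PolicyArn, VersionId):
        # boto3 hands back Document already URL-decoded and parsed to a dict
        return {"PolicyVersion": {"VersionId": VersionId,
                                  "Document": self.DOCS[(PolicyArn, VersionId)]}}


def export_local_policies(iam):
    """Return {arn: {PolicyName, DefaultVersionId, Document}} for every
    customer-managed policy; `iam` is a boto3 IAM client (or the fake above)."""
    backup, kwargs = {}, {"Scope": "Local"}
    while True:
        page = iam.list_policies(**kwargs)
        for p in page["Policies"]:
            ver = iam.get_policy_version(PolicyArn=p["Arn"],
                                         VersionId=p["DefaultVersionId"])
            backup[p["Arn"]] = {"PolicyName": p["PolicyName"],
                                "DefaultVersionId": p["DefaultVersionId"],
                                "Document": ver["PolicyVersion"]["Document"]}
        if not page.get("IsTruncated"):  # last page reached
            return backup
        kwargs["Marker"] = page["Marker"]  # continue from where IAM stopped
```

With a real client, `json.dump(export_local_policies(boto3.client("iam")), f, indent=2)` writes the backup; each Document can later be fed to create_policy to replicate it.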
sarnu
Updated on June 09, 2022
Comments
- sarnu almost 2 years
I am trying to get the details of an AWS IAM Policy via boto to be able to back up or replicate IAM policies via script. I have searched the docs of boto 2 and 3 but did not find any possibility to get the JSON data of a configured policy.
What I (successfully) did:
- Created a policy via IAM Management console
- Assigned it to a role
- Used it for creation of ec2 instances via boto
But I cannot find a way to retrieve the associated JSON data ('Policy Document' in Management Console) to get it in boto.
What I tried with boto:
import boto.iam

REGION_NAME = 'eu-west-1'
iam_conn = boto.iam.connect_to_region(REGION_NAME)
arn = 'arn:myproperlyformattedarn'
# boto 2 get_policy() returns policy metadata only, not the document
p = iam_conn.get_policy(arn)
print(p)
result:
{
  "get_policy_response": {
    "response_metadata": {
      "request_id": "XXXXX-XXXX-XXXX-XXXX-XXXX"
    },
    "get_policy_result": {
      "policy": {
        "update_date": "2016-04-15T12:51:21Z",
        "create_date": "2016-04-15T12:51:21Z",
        "is_attachable": "true",
        "policy_name": "My_Policy_Name",
        "default_version_id": "v1",
        "attachment_count": "1",
        "path": "/",
        "arn": "arn:aws:iam::123456789:policy/VerticaTest_GetConfigsFromS3",
        "policy_id": "XXXSOMELONGSTRINGXXXX"
      }
    }
  }
}
What I am after is something like this (the policy document in Management Console):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucketname",
        "arn:aws:s3:::mybucketname/*"
      ]
    }
  ]
}
- sarnu about 8 years
The function get_account_authorization_details() actually contained the policy details.