Reputation: 21
I'm trying to create a script using Boto3 that basically should create a Role with policy attached.
response = client.create_policy(
PolicyName='string',
Path='string',
PolicyDocument='string',
Description='string'
)
I can create a Policy separately(to validate policy document), but can't create a Role with out "AssumeRolePolicyDocument" and I'm not able to figure out how I can pass this policy document into "AssumeRolePolicyDocument"
So far I've managed to create the following script:
import json
import boto3
# Connect to IAM with boto
#iam = boto3.connect_iam($key, $secret)
# Create IAM client
iam = boto3.client('iam')
#createRole
S3ANDEC2 = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3ReadOnly",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"*"
]
},
{
"Sid": "Ec2FullAccess",
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
}
]
}
response = iam.create_role(
Path='/',
RoleName='Boto-R1',
AssumeRolePolicyDocument=json.dumps(S3ANDEC2),
Description='S3 Read and EC2Full permissions policy'
)
print(response)
When I run the above it returns the following error:
C:\Projects\AWS>python user.py Traceback (most recent call last): File "Role.py", line 116, in Description='S3 Read and EC2Full permissions policy' File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 310, in _api_call return self._make_api_call(operation_name, kwargs) File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 599, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource
I made sure to validate my policy document.. not sure why it says "An error occurred (MalformedPolicyDocument) "
Any help is appreciated.
Upvotes: 1
Views: 5614
Reputation: 171
You can't attach policy to a role by using AssumeRolePolicyDocument, it is used to attach a trust policy to the role.
This is how you create a role, attach trust policy to it, create a policy and then attach policy to the role.
session = boto3.session.Session(profile_name='my_profile')
iam = session.client('iam')
path='/'
role_name='ec2-test-role'
description='BOTO3 ec2 test role'
trust_policy={
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
response = iam.create_role(
Path=path,
RoleName=role_name,
AssumeRolePolicyDocument=json.dumps(trust_policy),
Description=description,
MaxSessionDuration=3600
)
managed_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3ReadOnly",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"*"
]
},
{
"Sid": "Ec2FullAccess",
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
}
]
}
response = iam.create_policy(
PolicyName='BOTO3-Test-ec2-policy',
PolicyDocument=json.dumps(managed_policy)
)
iam.attach_role_policy(
PolicyArn='arn:aws:iam::${account_id}:policy/BOTO3-Test-ec2-policy',
RoleName='ec2-test-role'
)
Upvotes: 3