Reputation: 3559
How to get the permission or group details of the users in AWS iam using boto
I have successfully fetched the users from AWS IAM using the python boto module.
Code:
import boto
from boto.iam.connection import IAMConnection
cfn = IAMConnection(aws_access_key_id='somekeyid',aws_secret_access_key ='secret_here')
data = cfn.get_all_users()
for user in data.users:
print user,"\n"
How do I get the Groups or Permissions the user is associated with?
I added this line of code to get the group associated with the users and I am getting the error mentioned down below.
Added Code:
group=cfn.get_groups_for_user("Shital")
print group
where "Shital" is the user that exists and is being fetched from above. For test purposes, I am manually passing it to a function call.
Error:
Traceback (most recent call last):
File "getuser.py", line 14, in <module>
pol=cfn.get_groups_for_user("Shita")
File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 509, in get_groups_for_user
list_marker='Groups')
File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 102, in get_response
raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>AccessDenied</Code>
<Message>User: arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita</Message>
</Error>
<RequestId>7e9a4b56-95f0-11e7-9bb0-8b8eb22708c5</RequestId>
</ErrorResponse>
Upvotes: 22
Views: 3663
Answers (3)
Reputation: 1178
There is several major caveats for this code:
1 - It assumes that you are using the default policy versions for all policies.
2 - It assumes that you have the permissions required.
3 - It is written using boto3 rather than the old boto.
Now that we have that out of the way, the code:
#! /bin/python3
import boto3
USERNAME = '<The desired username>'
policy_names = []
def get_groups_by_username(username):
client = boto3.client('iam')
groups_json = client.list_groups_for_user(UserName=username)['Groups']
group_names = []
for group in groups_json:
group_names.append(group['GroupName'])
return group_names
def get_group_policies(user_groups):
client = boto3.client('iam')
global policy_names
for group in user_groups:
# This is for AWS managed policies and returns both the policy ARN and name
attached_group_policies = (client.list_attached_group_policies(GroupName=group)['AttachedPolicies'])
for policy in attached_group_policies:
policy_names.append(policy['PolicyName'])
# This is for inline policies and returns only the policy name
group_policies = (client.list_group_policies(GroupName=group)['PolicyNames'])
for policy in group_policies:
policy_names.append(policy)
def get_user_policies(username):
client = boto3.client('iam')
global policy_names
# This is for AWS managed policies and returns both the policy ARN and name
attached_user_policies = (client.list_attached_user_policies(UserName=username)['AttachedPolicies'])
for policy in attached_user_policies:
policy_names.append(policy['PolicyName'])
# This is for inline policies and returns only the policy name
user_policies = (client.list_user_policies(UserName=username)['PolicyNames'])
for policy in user_policies:
policy_names.append(policy)
get_user_policies(USERNAME)
groups = get_groups_by_username(USERNAME)
print("The user " + USERNAME + " belongs to the groups:")
print(groups)
get_group_policies(groups)
print("The user " + USERNAME + " has the following policies applied to it: ")
print(policy_names)
Upvotes: 4
Reputation: 183
You are getting this error because you don't have permission to ListGroupUser. Because of that, you are getting this error User: arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita
You can create a role will allow you to list user details and you can add that role to your profile or you can use assume role. https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html
Upvotes: 0
Reputation: 20415
Using credentials with suitable authority is essential for this query to work. As code_onkel points out, it makes sense to assign IAMFullAccess or AdministratorAccess as needed to complete the transaction successfully.
Upvotes: 1
Related Questions
- boto3 - getting a listing of users in each group
- Get the UserID for an IAM user programatically using Boto3
- Attaching IAM user to IAM Group using Boto3
- How can we fetch IAM users, their groups and policies?
- boto3 list all security groups for AWS account
- boto3 giving AccessDenied, is there a way to lookup the missing permissions?
- How do I get IAM user owner for any particular AWS resource using Boto & Python?
- Boto: how to get security group by id?
- How to get the resource for a given security group using python boto?
- Using boto (AWS Python), how do I get a list of IAM users?