Reputation: 147
My Issue: I am trying to create an AWS CLI script using Python and the Boto3 library. I want the script to ask for inputs (username? programmatic access? attach to which Group? Change password on first login? etc.) and set up the user with those details.
My Attempt: I can create the user and give the user programmatic access or not. My problem lies with passing the selected Group ARN to the attach_group_policy PolicyARN='aws:aws:iam::aws:policy/xxxx'.
I feel a variable suits here but cannot think how to do it. Hopefully my code below shows my problem better.
    iam = boto3.resource('iam')
    iam_keys = boto3.resource('iam')
    group_list = boto3.client('iam')
    attach_group = boto3.client('iam')
    mail = raw_input("Please enter your e-mail address: ")
    response = iam.create_user(UserName=mail)
    prog = raw_input("Do you require programmatic access?(y/n): ")
    if prog == "y":
        iam_keys.create_access_key(UserName=mail)
        print("Make sure awscli is installed on your machine")
    elif prog == "n":
        print("Console access only")
    ### it is this area downwards that things break/get confusing
    list = group_list.list_groups(MaxItems=150) ### works
    for "GroupName" in list: ### works
        print(list) ### works; prints as large JSON, need to output just u' GroupName
    float(input("Please pick a Group {}".format(attach)))
    var = attach_group.attach_group_policy(GroupName=attach, PolicyArn='aws:aws:iam::aws:policy/xxxx') ### Broke; need to fill in ARN somehow after forward slash
    print(response, prog)
I want the selected Policy (selected by typing exact name of Group) to attach to the user.
Any help is greatly appreciated, I have very little Python knowledge and have been following https://boto3.amazonaws.com/v1/documentation/api/latest/index.html
Thank you.
Upvotes: 2
Views: 4039
Reputation: 78563
Here is a Python 2 example of how to list IAM groups, allow the user to select one of them, and then use the ARN corresponding to the selected IAM group:
    import boto3

    iam = boto3.client('iam')
    rsp = iam.list_groups()
    groups = rsp['Groups']
    print(groups)
    index = 1
    for group in groups:
        print("%d: %s" % (index, group["GroupName"]))
        index += 1
    # raw_input() returns the typed text; Python 2's input() would eval() it as an expression
    option = int(raw_input("Please pick a group number: "))
    arn = groups[option-1]["Arn"]
    print("You selected group %d: %s" % (option, arn))
Or in Python3:
    import boto3

    iam = boto3.client('iam')
    rsp = iam.list_groups()
    groups = rsp['Groups']
    index = 1
    for group in groups:
        print(f'{index}: {group["GroupName"]}')
        index += 1
    option = int(input("Please pick a group number: "))
    arn = groups[option-1]["Arn"]
    print(f'You selected group {option}: {arn}')
This will result in something like this:
    1: admins
    2: devops
    3: programmers
    Please pick a group number: 2
    You selected option 2: arn:aws:iam::123456781234:group/devops
Note: you will need to add input validation around this, for example if the user types -3 or the letter A.
If, as I suspect, you actually need the user to select a policy by name so that you can retrieve the ARN for that policy (to attach to an IAM group), then you can do that as follows:
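    # Reuses the `iam` client created in the examples above (Python 3).
    # Scope='Local' returns customer managed policies only; Scope='AWS' returns AWS managed ones.
    rsp = iam.list_policies(Scope='Local', OnlyAttached=False)
    policies = rsp['Policies']
    index = 1
    for policy in policies:
        print("%d: %s" % (index, policy["PolicyName"]))
        index += 1
    option = int(input("Please pick a policy number: "))
    arn = policies[option-1]["Arn"]
    print("You selected policy %d: %s" % (option, arn))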
Upvotes: 3
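The input validation that the answer's note asks for, as an added Python 3 example that is not part of the original answer: it rejects answers such as -3 or A, retries, and follows pagination when listing groups. The names `fetch_groups`, `parse_choice`, `pick` and `SAMPLE_GROUPS` are hypothetical, and the sample data is constructed; `pick` works the same way for the policy list with `name_key="PolicyName"`.

```python
def fetch_groups():
    """Return every IAM group, following pagination (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the selection logic below runs without AWS access
    paginator = boto3.client("iam").get_paginator("list_groups")
    return [group for page in paginator.paginate() for group in page["Groups"]]


def parse_choice(text, count):
    """Map a menu answer to a zero-based index, or None if it is not 1..count."""
    text = text.strip()
    # Digits only: "-3" and "A" stop here. isascii() also rejects characters
    # such as a superscript two, which pass isdigit() but make int() raise.
    if not (text.isascii() and text.isdigit()):
        return None
    number = int(text)
    # Without this range check, 0 or -1 would index from the END of the list
    # and silently select a different group than the one displayed.
    return number - 1 if 1 <= number <= count else None


def pick(items, name_key, ask=input, retries=3):
    """Print a numbered menu; return the chosen item, or None after too many bad answers."""
    if not items:
        return None
    for index, item in enumerate(items, start=1):
        print(f"{index}: {item[name_key]}")
    for _ in range(retries):
        choice = parse_choice(ask(f"Please pick a number (1-{len(items)}): "), len(items))
        if choice is not None:
            return items[choice]
        print("Not a valid option.")
    return None


# Constructed sample data shaped like the "Groups" list in a list_groups response.
SAMPLE_GROUPS = [
    {"GroupName": "admins", "Arn": "arn:aws:iam::123456781234:group/admins"},
    {"GroupName": "devops", "Arn": "arn:aws:iam::123456781234:group/devops"},
    {"GroupName": "programmers", "Arn": "arn:aws:iam::123456781234:group/programmers"},
]

if __name__ == "__main__":
    group = pick(fetch_groups(), "GroupName")
    print("Nothing selected" if group is None else f"You selected: {group['Arn']}")
```

Returning `None` instead of a default lets the caller stop before making any IAM change when nothing valid was chosen.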