Reputation: 4072
I am a beginner in Python and I am trying to get the Statement id (Sid) and Condition from the policy statement using boto3. Any help is appreciated.
Example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyResourceShare",
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}
I am able to get the content; however, I am not sure how to loop over the policy statements.
def print_policy(id):
    policy_data = org.describe_policy(
        PolicyId=policy[id]
    )
    print(policy_data['Policy']['Content'])
    content = json.loads(policy_data['Policy'])
    for statement in content['Statement']:
        print(statement['Sid'])
I get the error:
content = json.loads(policy_data['Policy'])
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 341, in loads
raise TypeError(f'the JSON object must be str, bytes or bytearray, '
TypeError: the JSON object must be str, bytes or bytearray, not dict
I tried to convert it to a string, but got the error below:
content = json.loads(json.dumps(policy_data['Policy']))
for statement in content['Statement']:
    print(statement['Sid'])
Error:
for statement in content['Statement']:
KeyError: 'Statement'
Upvotes: 2
Views: 1911
Reputation: 20042
Using your example you can loop over the items to get, for example, Action:
iam = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}
for item in iam['Statement']:
    print(', '.join(item['Action']))
Output: ram:CreateResourceShare, ram:AssociateResourceShare
However, you don't have a Sid in your example, so I've used one from AWS.
iam_policy = {'Version': '2012-10-17', 'Statement': [{'Sid': 'EnableDisableHongKong', 'Effect': 'Allow', 'Action': ['account:EnableRegion', 'account:DisableRegion'], 'Resource': '*', 'Condition': {'StringEquals': {'account:TargetRegion': 'ap-east-1'}}}, {'Sid': 'ViewConsole', 'Effect': 'Allow', 'Action': ['aws-portal:ViewAccount', 'account:ListRegions'], 'Resource': '*'}]}
for item in iam_policy['Statement']:
    print(item['Sid'])
Output:
EnableDisableHongKong
ViewConsole
A simple example with boto3:
import boto3
import json
arn = 'arn:aws:iam::aws:policy/AdministratorAccess'
iam = boto3.client('iam')
policy = iam.get_policy(PolicyArn=arn)
policy_version = iam.get_policy_version(
    PolicyArn=arn,
    VersionId=policy['Policy']['DefaultVersionId']
)
print(json.dumps(policy_version['PolicyVersion']['Document']))
print(json.dumps(policy_version['PolicyVersion']['Document']['Statement']))
This prints:
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
[{"Effect": "Allow", "Action": "*", "Resource": "*"}]
Upvotes: 4
Reputation: 238249
You should be able to parse the Content string into a Python dict using literal_eval:
import ast
# later
content = ast.literal_eval(policy_data['Policy']['Content'])
# content should be dict now
print(type(content))
print(content)
Upvotes: 2
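An added example, not taken from any of the posts above: it walks the statements of an Organizations describe_policy response and pulls out Sid and Condition, tolerating the optional and single-value forms that policy JSON allows. The helper names (as_list, iter_statements, condition_keys), the policy id and the second statement are constructed for illustration; no AWS call is made.

```python
import json

def as_list(value):
    """IAM policy JSON allows a single value where a list is also legal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def iter_statements(policy_data):
    """Yield (sid, effect, actions, condition) per statement of a describe_policy response."""
    # Content is a JSON string (not a dict), so parse it with json.loads.
    content = json.loads(policy_data['Policy']['Content'])
    for stmt in as_list(content.get('Statement')):
        yield (stmt.get('Sid'),                # Sid is optional
               stmt['Effect'],
               as_list(stmt.get('Action')),    # string or list
               stmt.get('Condition', {}))      # Condition is optional

def condition_keys(condition):
    """Flatten a Condition block into (operator, key, [values]) tuples."""
    return [(op, key, as_list(vals))
            for op, keys in condition.items()
            for key, vals in keys.items()]

# Constructed sample shaped like an Organizations describe_policy response.
SAMPLE_RESPONSE = {
    'Policy': {
        'PolicySummary': {'Id': 'p-examplepolicy', 'Type': 'SERVICE_CONTROL_POLICY'},
        'Content': json.dumps({
            'Version': '2012-10-17',
            'Statement': [
                {'Sid': 'DenyResourceShare', 'Effect': 'Deny',
                 'Action': ['ram:CreateResourceShare', 'ram:AssociateResourceShare'],
                 'Resource': '*',
                 'Condition': {'ForAnyValue:StringLike': {'aws:PrincipalArn': [
                     'arn:aws:organizations::*:organization/*',
                     'arn:aws:organizations::*:ou/*']}}},
                # Constructed statement: no Sid, Action as a string, JSON boolean value.
                {'Effect': 'Deny', 'Action': 'ram:DeleteResourceShare', 'Resource': '*',
                 'Condition': {'Bool': {'aws:SecureTransport': False}}},
            ],
        }),
    }
}

if __name__ == '__main__':
    for sid, effect, actions, cond in iter_statements(SAMPLE_RESPONSE):
        print(sid, effect, actions, condition_keys(cond))
```

With a live client, the value returned by org.describe_policy(PolicyId=...) can be passed to iter_statements in place of SAMPLE_RESPONSE.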