Managing AWS IAM Users with Python and boto3

In this tutorial, we are going to manage IAM users with Python and its boto3 library. Boto3 is the standard library for accessing AWS services from Python. As we learned in the last tutorial, with AWS IAM (Identity and Access Management) we can create users, manage their permissions, create groups and delete users. Let us see how we can do these things using Python.

Create IAM Users with Python and boto3

When we create an AWS account, we are signed in as the root user. It is recommended to create a new user and use that to access AWS resources. Also, we need to create separate users for everyone who accesses AWS in a different capacity.

Creating a new user in Python is very easy. You can create a client or resource object for IAM and call its create_user function. Additionally, you can pass tags to identify that user.

Attach a Policy to a User

When you create a new user, by default he/she will have no permissions. This is in accordance with the AWS best practice of granting a user the least required privileges. So we will have to attach the required level of permissions to each user, and we can do that using IAM policies. Each IAM policy is identified by an AWS ARN (Amazon Resource Name). We need to get that ARN before we can attach the policy to the user, and we can copy it from the AWS console. If you want to learn more about IAM policies and how to manage them, you can read another article I have written.

AWS S3 read only policy ARN

In the above image, we have copied the ARN of the S3 read-only access policy. The next step is to attach it to our user.

You can validate the result in the AWS console, where we can see that the user now has S3 read access permissions.

Add User to Group

Adding permissions to each individual user is cumbersome, especially when you have hundreds of users. So it is always a best practice to create groups and manage permissions at the group level. We can create groups like HR, Admin, Testers, Developers and more. Users in a group have all the permissions attached to that group.

Before we add a user to a group, we need to make sure that the group is present in AWS IAM. We can create a group first and then add a user to it.

You can also use simpler methods provided by the IAM resource object to add a user to a group.

List All Users

Let us write code to list all users in our account. We get a response object with all the details like user name, permissions, created date, etc. We can format and print the required details from it.

If you have hundreds of users, then you might want to use the paginator method. It returns an iterator over all users in your account.

Get Specific User Details

Now let us get the details of a specific user. It is again a very simple script in Python.

If we pass no argument to the get_user method, it returns the details of the user whose credentials boto3 is using to access AWS services. If you want to learn more about AWS CLI configuration and how boto3 uses those user profiles, you can read this article.

Delete User

More often than not, we need to delete users from our AWS account. We can do that simply by calling the delete_user function. But before deleting the user from IAM, we need to remove that user from all groups which he/she is part of. Also, we need to remove all policies which are directly attached to that user.

We can also use the resource class to delete the user. In this case too, we first need to remove the user from all groups and detach the policies attached to that user before deleting it.
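As an added example (not the article's own code), here is a boto3 client function that follows the cleanup order described above: it removes the user from every group and detaches directly attached managed policies, and it also deletes inline policies, which DeleteUser rejects in the same way. The IAM client and the user name `example-user` are assumptions; the client is only created when the script is run directly, so the function itself can be exercised with any object exposing the same method names.

```python
"""Delete an IAM user cleanly: leave groups and remove policies first."""


def delete_user_safely(iam, user_name):
    """Remove group memberships, managed policies and inline policies, then
    delete the user. `iam` is a boto3 IAM client (or any object with the same
    method names). Returns a dict of what was removed, for audit logging."""
    removed = {"groups": [], "managed_policies": [], "inline_policies": []}

    # 1. Leave every group the user belongs to (paginated in case of many).
    pages = iam.get_paginator("list_groups_for_user").paginate(UserName=user_name)
    for page in pages:
        for group in page["Groups"]:
            iam.remove_user_from_group(GroupName=group["GroupName"], UserName=user_name)
            removed["groups"].append(group["GroupName"])

    # 2. Detach managed policies attached directly to the user.
    pages = iam.get_paginator("list_attached_user_policies").paginate(UserName=user_name)
    for page in pages:
        for policy in page["AttachedPolicies"]:
            iam.detach_user_policy(UserName=user_name, PolicyArn=policy["PolicyArn"])
            removed["managed_policies"].append(policy["PolicyArn"])

    # 3. Delete inline policies (DeleteUser fails while any remain).
    pages = iam.get_paginator("list_user_policies").paginate(UserName=user_name)
    for page in pages:
        for name in page["PolicyNames"]:
            iam.delete_user_policy(UserName=user_name, PolicyName=name)
            removed["inline_policies"].append(name)

    # 4. Only now can the user itself be deleted.
    iam.delete_user(UserName=user_name)
    return removed


if __name__ == "__main__":
    import boto3  # imported here so the module also loads without boto3 installed

    iam_client = boto3.client("iam")  # assumes credentials from the default profile
    print(delete_user_safely(iam_client, "example-user"))  # placeholder user name
```

Note that a user who also has access keys, a console login profile or MFA devices still cannot be deleted until those are removed as well; the function above covers only what the article discusses plus inline policies.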

Conclusion

We have learned how to manage IAM users using Python and boto3, and you must have seen that it's very easy. I hope it helped you. You can get all of this code in my GitHub repo.
If you want to learn how to perform these operations using the AWS CLI, please read this article. See you again.
