Managing AWS IAM Users with Python and boto3

Updated On April 12, 2020 | By Mahesh Mogal

In this tutorial, we are going to manage IAM users with Python and its boto3 library. Boto3 is the standard library for accessing AWS services from Python. As we learned in the last tutorial, with AWS IAM (Identity and Access Management) we can create users, manage their permissions, create groups and delete users. Let us see how we can do these things using Python.

Create IAM Users with Python and boto3

When we create an AWS account we are signed in as the root user. It is recommended to create a new user and use that to access AWS resources. Also, we need to create a separate user for everyone who wants to access AWS in different capacities.

Creating a new user in Python is very easy. You can create a client or resource object for IAM and use its create_user function. Additionally, you can pass tags to identify that user.

import boto3

iam = boto3.resource('iam') #using resource representing IAM

created_user = iam.create_user(
    UserName='first_user'
)
print(created_user)


# running file
python3 create_user.py

# expected output
iam.User(name='first_user')

import boto3

iam = boto3.client('iam') # using the low level client to access IAM

created_user = iam.create_user(
    UserName='second_user',
    Tags=[ # adding tags to identify that user in IAM
        {
            'Key': 'Env',
            'Value': 'Test'
        }
    ]
)
print(created_user)
# running program
python3 create_user.py

# output: using the IAM client gives you more data about the created user
{'User': {'Path': '/', 'UserName': 'second_user', 'UserId': 'AIDAS3CARBCB4ISBODLJE', 'Arn': 'arn:aws:iam::195556345987:user/second_user', 'CreateDate': datetime.datetime(2019, 8, 18, 6, 14, 41, tzinfo=tzutc()), 'Tags': [{'Key': 'Env', 'Value': 'Test'}]}, 'ResponseMetadata': {'RequestId': '7714580d-c17f-11e9-9a35-37dd9682876d', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '7714580d-c17f-11e9-9a35-37dd9682876d', 'content-type': 'text/xml', 'content-length': '600', 'date': 'Sun, 18 Aug 2019 06:14:40 GMT'}, 'RetryAttempts': 0}}

Attach a Policy to a User

When you create a new user, by default he/she will have no permissions. This is in line with the AWS best practice of granting a user only the least privileges required. So we will have to attach the required level of permissions to each user, and we can do that using IAM policies. Each IAM policy is identified by an AWS ARN (Amazon Resource Name). We need to get that ARN before we can attach the policy to the user, and we can get it from the AWS console. If you want to learn more about IAM policies and how to manage them, you can read another article I have written.

[Image: AWS S3 read-only policy ARN in the AWS console]

In the above image, we have copied the ARN of the S3 read-only access policy. The next step is to attach it to our user.

import boto3

iam = boto3.client('iam') # IAM low level client object

response = iam.attach_user_policy(
    UserName = 'first_user', # name of user
    PolicyArn = 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess' # policy ARN which you want to assign to the user
)

print(response)

You can validate the result in the AWS console. We can see that the user now has s3 read access permissions.

Add User to Group

Adding permissions to each individual user is cumbersome especially when you have hundreds of users. So it is always a best practice to create Groups and manage permissions at a group level. We can create groups like HR, Admin, Testers, Developers and more. Users in one group will have all permissions attached to that group.

Before we add a user to a group, we need to make sure that the group is present in AWS IAM. We can create a group first and then add a user to it.

import boto3

iam = boto3.client('iam') # IAM low level client object

"""
    We need to make sure group is present in AWS IAM
    As we do not have group named Tester, We will create it first
    IN your case you can skip this step 
    if group is already created in your account
"""

create_group_response = iam.create_group(GroupName = 'Tester')


# adding user to Tester group
response = iam.add_user_to_group(
    UserName = 'first_user', # name of user
    GroupName = 'Tester'
)

print(response)

You can also use simpler methods provided by the IAM resource object to add a user to a group.

import boto3

iam_resource = boto3.resource('iam') # resource representing IAM
group = iam_resource.Group('Tester') # name of group

response = group.add_user(
    UserName='second_user' # name of user
)

List All Users

Let us write code to list all users in our account. We get a response object with all details like user name, permissions, created date, etc. We can format and print the required details below.

import boto3
iam = boto3.client('iam')

users = iam.list_users()

for user in users['Users']:
    print("UserName: {0}\nCreateDate: {1}\n"
    .format(user['UserName'], user['CreateDate']))


# sample output
UserName: first_user
CreateDate: 2019-08-18 06:11:15+00:00

UserName: second_user
CreateDate: 2019-08-18 06:14:41+00:00

If you have hundreds of users, then you might want to use the paginator method. It returns an iterator over all users in your account, page by page.

import boto3
iam = boto3.client('iam')

pages = iam.get_paginator('list_users')
for page in pages.paginate():
    for user in page['Users']:
        print("UserName: {0}\nCreateDate: {1}\n"
        .format(user['UserName'], user['CreateDate']))
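The paginator above is the building block for account-wide audits. As an added example that is not from the original post, the function below walks every user with the list_users and list_attached_user_policies paginators and reports the ones that carry managed policies attached directly rather than through a group, which is the pattern the Add User to Group section above recommends against. FakeIam is a constructed stand-in for boto3.client('iam') seeded with the tutorial's two users so the code runs offline.

```python
def find_users_with_direct_policies(iam):
    """Return {user_name: [policy_arn, ...]} for every user that has managed
    policies attached directly rather than through a group. `iam` is a boto3
    IAM client; paginators keep the audit correct for hundreds of users."""
    flagged = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            arns = []
            policy_pages = iam.get_paginator("list_attached_user_policies")
            for ppage in policy_pages.paginate(UserName=name):
                arns.extend(p["PolicyArn"] for p in ppage["AttachedPolicies"])
            if arns:
                flagged[name] = arns
    return flagged


class FakeIam:
    """Constructed stand-in for boto3.client('iam') so the audit runs offline.
    Only get_paginator(...).paginate(...) is mimicked, with the tutorial's two
    users: first_user has AmazonS3ReadOnlyAccess attached directly, second_user
    has no directly attached policy."""
    _users = [{"Users": [{"UserName": "first_user"}]},
              {"Users": [{"UserName": "second_user"}]}]
    _attached = {"first_user": [{"AttachedPolicies": [
        {"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]}]}

    class _Paginator:
        def __init__(self, fn):
            self.paginate = fn

    def get_paginator(self, name):
        if name == "list_users":
            return self._Paginator(lambda: self._users)
        if name == "list_attached_user_policies":
            return self._Paginator(lambda UserName: self._attached.get(
                UserName, [{"AttachedPolicies": []}]))
        raise ValueError(f"unsupported paginator {name}")


if __name__ == "__main__":
    # Swap FakeIam() for boto3.client("iam") to audit a real account.
    for user, arns in find_users_with_direct_policies(FakeIam()).items():
        print(f"{user}: {', '.join(arns)}")
```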

Get Specific User Details

Now let us get details for a specific user. It is again a very simple script using Python.

import boto3

iam = boto3.client('iam')

# name of user whose details we need
response = iam.get_user(UserName = 'second_user')

print(response)

If we pass no argument to the get_user method, it returns details of the user whose credentials boto3 is using to access AWS services. If you want to learn more about AWS CLI configure and how boto3 uses those user profiles, you can read this article.

import boto3

iam = boto3.client('iam')

response = iam.get_user()

print(response)

Delete User

More often than not, we need to delete users from our AWS account. We can do that by simply running the delete_user function. But before deleting the user from IAM, we need to remove that user from all groups which he/she is part of. Also, we need to remove all policies which are directly attached to that user.

import boto3

iam = boto3.client('iam')

"""
    Before deleting user we need to remove it from Group
    Otherwise we will get following error
    An error occurred (DeleteConflict) when calling the DeleteUser operation:
    Cannot delete entity, must remove users from group first.
"""

response = iam.remove_user_from_group(
    GroupName='Tester',
    UserName='second_user'
)

print(response)

response = iam.delete_user(
    UserName='second_user'
)

print(response)

We can also use the resource class to delete the user. In this case, we first need to remove the policies attached to that user, along with removing the user from groups, before deleting it.

iam = boto3.resource('iam')

"""
    Before deleting user we need to remove
    policies attached to that user
    Otherwise we will get following error

    An error occurred (DeleteConflict) when calling the DeleteUser operation:
    Cannot delete entity, must detach all policies first.
"""

#policy arn which we want to detach from user
policy = iam.Policy('arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess')

response = policy.detach_user(
    UserName='first_user'
)

group = iam.Group('Tester')
response = group.remove_user(
    UserName='first_user'
)


#Now we can delete user
user = iam.User('first_user')

user.delete()
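Groups and attached policies are not the only things that make delete_user fail with DeleteConflict: IAM also rejects the call while the user still has inline policies, access keys, a console password (login profile), MFA devices, signing certificates or SSH public keys. As an added example that is not from the original post, the function below removes the first five kinds of dependency in order before calling delete_user and returns a record of what it removed; FakeIam is a constructed stand-in for boto3.client('iam') seeded with the tutorial's first_user so it runs offline (MFA devices, certificates and SSH keys are left out for brevity).

```python
def delete_user_completely(iam, user_name):
    """Remove the dependencies that make DeleteUser fail with DeleteConflict,
    then delete the user. `iam` is a boto3 IAM client. Assumes each per-user
    list fits in one page (IAM caps a user at 10 groups, 10 attached policies
    and 2 access keys). Returns a record of what was removed."""
    done = {"groups": [], "policies": [], "inline": [], "keys": [], "password": False}
    for g in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=g["GroupName"], UserName=user_name)
        done["groups"].append(g["GroupName"])
    for p in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user_name, PolicyArn=p["PolicyArn"])
        done["policies"].append(p["PolicyArn"])
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        iam.delete_user_policy(UserName=user_name, PolicyName=name)
        done["inline"].append(name)
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
        done["keys"].append(k["AccessKeyId"])
    try:  # console password; boto3 raises ClientError code NoSuchEntity if none
        iam.delete_login_profile(UserName=user_name)
        done["password"] = True
    except Exception as err:
        if getattr(err, "response", {}).get("Error", {}).get("Code") != "NoSuchEntity":
            raise
    iam.delete_user(UserName=user_name)
    return done


class FakeIam:
    """Constructed stand-in for boto3.client('iam') so the example runs offline.
    list_* calls return canned data for the tutorial's first_user (in group
    Tester, AmazonS3ReadOnlyAccess attached, one made-up access key, no console
    password); every call is recorded in .calls for inspection."""
    _canned = {
        "list_groups_for_user": {"Groups": [{"GroupName": "Tester"}]},
        "list_attached_user_policies": {"AttachedPolicies": [
            {"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]},
        "list_user_policies": {"PolicyNames": []},
        "list_access_keys": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000001"}]},
    }
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "delete_login_profile":  # simulate "no password set"
                err = Exception("NoSuchEntity")
                err.response = {"Error": {"Code": "NoSuchEntity"}}
                raise err
            return self._canned.get(name, {})
        return call
```

Against a real account, call delete_user_completely(boto3.client('iam'), 'first_user') and log the returned record.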

Conclusion

We have learned how to manage IAM users using Python and boto3, and you must have seen that it is very easy. I hope it helped you. You can get all of this code in my GitHub repo.
If you want to learn how to perform these operations using the AWS CLI, please read this article. See you again.


Mahesh Mogal

I am passionate about Cloud, Data Analytics, Machine Learning, and Artificial Intelligence. I like to learn and try out new things. I have started blogging about my experience while learning these exciting technologies.
