Manage IAM Groups using Python and AWS CLI
In this article we are going to manage AWS IAM groups using Python (boto3) and the AWS CLI. IAM groups are the recommended way to manage permissions for a collection of users: a policy attached to the group applies to every member, so access is granted, reviewed and revoked in one place instead of per user. Let us walk through the group operations one by one.
Create IAM Group
We can create an IAM group with the boto3 low-level client, with the boto3 resource interface, or with the AWS CLI.
import boto3

# creating a group with the low-level client
iam = boto3.client('iam')  # IAM low level client object
create_group_response = iam.create_group(GroupName='group1')
print(create_group_response)

# creating a group with the resource interface
iam = boto3.resource('iam')  # resource representing IAM
response = iam.create_group(
    GroupName='group2'
)
print(response)
# using AWS CLI
# command for creating an IAM group
mahesh@mahesh:~$ aws iam create-group \
> --group-name 'group2'
{
    "Group": {
        "Path": "/",
        "GroupName": "group2",
        "GroupId": "AGPAS3CARBCB7H4NRBUHW",
        "Arn": "arn:aws:iam::195556345987:group/group2",
        "CreateDate": "2019-08-18T09:34:55Z"
    }
}
List All Groups in IAM
We can list all IAM groups in the account. Note that list_groups returns a single page of results (up to 100 groups by default): when IsTruncated is true in the response, the returned Marker has to be passed back to fetch the next page, otherwise groups are silently missed. The boto3 paginator does this for us.
import boto3

# listing all groups using the client
iam = boto3.client('iam')  # IAM low level client object
# the paginator follows IsTruncated/Marker so large accounts are not cut short
paginator = iam.get_paginator('list_groups')
for page in paginator.paginate():
    for group in page['Groups']:
        print("GroupName: {0}\nCreateDate: {1}\n"
              .format(group['GroupName'], group['CreateDate']))
We can achieve the same with the AWS CLI using the following command (the CLI pages through the results automatically).
mahesh@mahesh:~$ aws iam list-groups
Adding Users to IAM Group
We can add users to the group with Python using the following script.
import boto3

iam = boto3.client('iam')  # IAM low level client object
# adding a user to the group with the client
response = iam.add_user_to_group(
    UserName='user1_g1',  # name of user
    GroupName='group1'
)
print(response)

iam_resource = boto3.resource('iam')  # resource representing IAM
group = iam_resource.Group('group1')  # name of group
# adding a user to the group with the resource
response = group.add_user(
    UserName='user2_g1'  # name of user
)
print(response)
Using AWS CLI, we can run the following command to add a user to the group.
# adding a user to an IAM group
mahesh@mahesh:~$ aws iam add-user-to-group \
> --group-name 'group2' \
> --user-name 'user3_g2'
Listing All users in specific IAM group
Often we need to list all users who belong to a particular group. get_group returns the group's metadata together with its members. As with list_groups, the member list is paginated, so on large groups check IsTruncated and follow Marker (or use iam.get_paginator('get_group')). Using Python, we can list the users with the following script.
import boto3

# get a specific group using the client
iam = boto3.client('iam')  # IAM low level client object
response = iam.get_group(
    GroupName='group1'
)
print(response['Group']['GroupName'])
# list all users in that group (first page; see IsTruncated/Marker for more)
for user in response['Users']:
    print("UserName: {0}\nCreateDate: {1}\n"
          .format(user['UserName'], user['CreateDate']))
To do the same with the AWS CLI, run the following command.
mahesh@mahesh:~$ aws iam get-group \
> --group-name 'group2'
{
    "Users": [
        {
            "Path": "/",
            "UserName": "user4_g2",
            "UserId": "AIDAS3CARBCB2C4EDOCVJ",
            "Arn": "arn:aws:iam::195556345987:user/user4_g2",
            "CreateDate": "2019-08-18T14:03:03Z"
        },
        {
            "Path": "/",
            "UserName": "user3_g2",
            "UserId": "AIDAS3CARBCBRW2GMRXRE",
            "Arn": "arn:aws:iam::195556345987:user/user3_g2",
            "CreateDate": "2019-08-18T14:03:03Z"
        }
    ],
    "Group": {
        "Path": "/",
        "GroupName": "group2",
        "GroupId": "AGPAS3CARBCBVVJM7KFWW",
        "Arn": "arn:aws:iam::195556345987:group/group2",
        "CreateDate": "2019-08-18T13:42:24Z"
    }
}
Removing Users from IAM groups
We can remove a user from an IAM group using the Python script below. Removing a user from a group immediately revokes whatever the group's policies granted, so this is the quickest way to pull back access when someone changes role.
import boto3

iam = boto3.client('iam')  # IAM low level client object
# removing a user from the group
response = iam.remove_user_from_group(
    GroupName='group2',
    UserName='user3_g2'
)
print(response)
# removing a user from a group using AWS CLI
mahesh@mahesh:~$ aws iam remove-user-from-group \
> --user-name 'user3_g2' \
> --group-name 'group2'
Attaching Policies to IAM Group
We can manage permissions for all users in a group with IAM policies: attach a policy to the group and it applies to every member. The scripts below attach the AWS managed AdministratorAccess and AmazonS3FullAccess policies as examples. Both are very broad (AdministratorAccess grants full access to every service and resource in the account), so in practice attach the narrowest policy that covers what the group's members actually need, and keep any administrator group small and separately reviewed. Let us write a script to attach a policy to an IAM group using Python.
import boto3

# attaching a policy using the client
iam = boto3.client('iam')  # IAM low level client object
# attaching the AdministratorAccess managed policy to the group
response = iam.attach_group_policy(
    GroupName='group1',
    PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
)
print(response)

# attaching a policy using the resource
iam = boto3.resource('iam')
group = iam.Group('group2')
# attaching the S3 full access managed policy to the group
response = group.attach_policy(
    PolicyArn='arn:aws:iam::aws:policy/AmazonS3FullAccess'
)
print(response)
Listing Attached policies to IAM Group
It is easier to manage policies at the group level, since any policy attached to a group applies to all of its members. We can list the managed policies attached to a group using the method below. Note that list_attached_group_policies returns managed policies only; inline policies embedded directly in the group are listed separately with list_group_policies (aws iam list-group-policies), so a complete review of a group's permissions has to look at both.
import boto3

# listing all managed policies attached to a group using the client
iam = boto3.client('iam')  # IAM low level client object
response = iam.list_attached_group_policies(
    GroupName='group1'
)
for policy in response['AttachedPolicies']:
    print('PolicyName: {0}\nPolicyARN: {1}\n'.format(
        policy['PolicyName'], policy['PolicyArn']
    ))

# listing all managed policies attached to a group using the resource
iam = boto3.resource('iam')  # resource representing AWS IAM
group = iam.Group('group2')
policy_iterator = group.attached_policies.all()
for policy in policy_iterator:
    print(policy)
We can do the same thing using AWS CLI as well.
mahesh@mahesh:~$ aws iam list-attached-group-policies \
> --group-name 'admin'
{
    "AttachedPolicies": [
        {
            "PolicyName": "AdministratorAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
        }
    ]
}
Detaching Policies from an IAM Group
We can detach a managed policy from an IAM group; every member loses the permissions that policy granted as soon as the call succeeds.
import boto3

# detach a policy from a group using the client
iam = boto3.client('iam')  # IAM low level client object
response = iam.detach_group_policy(
    GroupName='group1',
    PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
)
print(response)

# detach a policy from a group using the resource
iam = boto3.resource('iam')  # resource representing AWS IAM
group = iam.Group('group2')
response = group.detach_policy(
    PolicyArn='arn:aws:iam::aws:policy/AmazonS3FullAccess'
)
print(response)
Using the AWS CLI, we can run the command below.
mahesh@mahesh:~$ aws iam detach-group-policy \
> --group-name 'admin' \
> --policy-arn 'arn:aws:iam::aws:policy/AdministratorAccess'
Deleting IAM group
In the last group operation of this article, we are going to learn how to delete an IAM group. Before deleting a group we must remove every member, detach every managed policy and delete every inline policy (list_group_policies / delete_group_policy); otherwise DeleteGroup fails with a DeleteConflict error. Unlike the console, the API and CLI do not do this cleanup for us.
import boto3

# delete a group using the client
iam = boto3.client('iam')  # IAM low level client object
# the group must have no members, no attached managed policies
# and no inline policies before it can be deleted
response = iam.delete_group(
    GroupName='group1'
)
print(response)

# delete a group using the resource
iam = boto3.resource('iam')
group = iam.Group('group2')
# users and attached policies have already been removed from group2
response = group.delete()
print(response)
# deleting a group in AWS CLI
mahesh@mahesh:~$ aws iam delete-group \
> --group-name 'group2'
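Two things a practitioner usually wants around the calls shown in the policy-listing and group-deletion sections above, as an added example that is not code from the original article: an audit that pages through every group and flags the ones carrying AdministratorAccess, and a purge routine that empties a group in the order DeleteGroup demands (members, managed policies, inline policies) before deleting it. The functions only use boto3 IAM client method names and response keys, so in production you pass boto3.client('iam'); FakeIAM, its three fixture groups, the two-item page size and the hypothetical inline policy name s3-read-bucket are constructed for this example so that it runs offline and exercises the IsTruncated/Marker paging that a small account never shows.

```python
"""Audit and tear down IAM groups via the boto3 IAM client method names.

Added example, not code from the original article.  Pass boto3.client('iam')
as `iam` in production; FakeIAM is a constructed offline stand-in.
"""

ADMIN_POLICY_ARN = 'arn:aws:iam::aws:policy/AdministratorAccess'
S3_FULL_ARN = 'arn:aws:iam::aws:policy/AmazonS3FullAccess'


def paginate(call, result_key, **params):
    """Yield every item under result_key, following IsTruncated/Marker.
    (boto3's client.get_paginator(...) does the same; this shows the contract.)"""
    marker = None
    while True:
        page = call(**params, **({'Marker': marker} if marker else {}))
        yield from page[result_key]
        if not page.get('IsTruncated'):
            return
        marker = page['Marker']


def find_admin_groups(iam, broad_arns=frozenset({ADMIN_POLICY_ARN})):
    """Sorted names of groups whose members inherit an overly broad managed policy."""
    flagged = []
    for group in paginate(iam.list_groups, 'Groups'):
        name = group['GroupName']
        attached = paginate(iam.list_attached_group_policies,
                            'AttachedPolicies', GroupName=name)
        if any(p['PolicyArn'] in broad_arns for p in attached):
            flagged.append(name)
    return sorted(flagged)


def purge_group(iam, group_name):
    """Remove members, detach managed policies, delete inline policies, then
    delete the group (DeleteGroup fails with DeleteConflict otherwise).
    Listings are snapshotted with list() before mutating, since removing
    entries while walking a Marker-based listing can skip items."""
    removed = {'users': [], 'attached': [], 'inline': []}
    for user in list(paginate(iam.get_group, 'Users', GroupName=group_name)):
        iam.remove_user_from_group(GroupName=group_name, UserName=user['UserName'])
        removed['users'].append(user['UserName'])
    for pol in list(paginate(iam.list_attached_group_policies,
                             'AttachedPolicies', GroupName=group_name)):
        iam.detach_group_policy(GroupName=group_name, PolicyArn=pol['PolicyArn'])
        removed['attached'].append(pol['PolicyArn'])
    for name in list(paginate(iam.list_group_policies, 'PolicyNames',
                              GroupName=group_name)):
        iam.delete_group_policy(GroupName=group_name, PolicyName=name)
        removed['inline'].append(name)
    iam.delete_group(GroupName=group_name)
    return removed


class FakeIAM:
    """Constructed stand-in for boto3.client('iam'): same method names and
    response shapes, two items per page so pagination is exercised."""
    PAGE_SIZE = 2

    def __init__(self):
        self.groups = {  # made-up fixtures, not real account data
            'group1': {'users': ['user1_g1', 'user2_g1'],
                       'attached': [ADMIN_POLICY_ARN], 'inline': []},
            'group2': {'users': ['user3_g2', 'user4_g2', 'user5_g2'],
                       'attached': [S3_FULL_ARN], 'inline': ['s3-read-bucket']},
            'admin': {'users': [], 'attached': [ADMIN_POLICY_ARN], 'inline': []},
        }
    def _page(self, key, items, Marker):
        start = int(Marker) if Marker else 0
        end = start + self.PAGE_SIZE
        page = {key: items[start:end], 'IsTruncated': end < len(items)}
        if page['IsTruncated']:
            page['Marker'] = str(end)
        return page
    def list_groups(self, Marker=None):
        return self._page('Groups', [{'GroupName': n} for n in sorted(self.groups)], Marker)
    def get_group(self, GroupName, Marker=None):
        return self._page('Users', [{'UserName': u} for u in self.groups[GroupName]['users']], Marker)
    def list_attached_group_policies(self, GroupName, Marker=None):
        pols = [{'PolicyName': a.rsplit('/', 1)[1], 'PolicyArn': a}
                for a in self.groups[GroupName]['attached']]
        return self._page('AttachedPolicies', pols, Marker)
    def list_group_policies(self, GroupName, Marker=None):
        return self._page('PolicyNames', list(self.groups[GroupName]['inline']), Marker)
    def remove_user_from_group(self, GroupName, UserName):
        self.groups[GroupName]['users'].remove(UserName)
    def detach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]['attached'].remove(PolicyArn)
    def delete_group_policy(self, GroupName, PolicyName):
        self.groups[GroupName]['inline'].remove(PolicyName)
    def delete_group(self, GroupName):
        g = self.groups[GroupName]
        if g['users'] or g['attached'] or g['inline']:  # mirrors IAM's DeleteConflict
            raise RuntimeError('DeleteConflict: group %s is not empty' % GroupName)
        del self.groups[GroupName]


if __name__ == '__main__':
    iam = FakeIAM()  # swap for boto3.client('iam') against a real account
    print('groups with AdministratorAccess:', find_admin_groups(iam))
    print('purged group2:', purge_group(iam, 'group2'))
```

Against a real account the same calls raise iam.exceptions.NoSuchEntityException for an unknown group and iam.exceptions.DeleteConflictException if something is still attached, so wrap purge_group accordingly; and note that a group is only one place permissions can come from, so after flagging a group with find_admin_groups you still have to check the user-level policies of its members before concluding their access is bounded by the group.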
Conclusion
In this tutorial on AWS IAM we have gone through the IAM group operations of creating a group, adding and removing users, attaching and detaching policies, and deleting the group, using Python and the AWS CLI. I hope you have found it useful. See you in the next article; until then, keep learning.