Manage IAM policies using Python boto3 and AWS CLI

IAM Policies is a way to manage permissions for Groups, Users and Roles in AWS. IAM Policy is a list of permitted actions for particular resources. In this tutorial, we are going to learn how to manage IAM Policies using Python and AWS CLI. So, let’s get started.

List Managed IAM Policies

When we create an AWS account, it comes with a set of predefined IAM polices. These are called managed policies (i.e. policies managed by AWS). The first thing we will do is list all polices in the AWS account.

This function will return all of the AWS managed policies. There are a few important parameters to know while listing policies.

  • Score – It has three possible values ‘AWS’, ‘Local’, and ‘All’. We can either list all AWS managed policies using ‘AWS’ or list all policies created by users using ‘Local’. And if we want to list all of the policies created by users as well as AWS then we can use ‘All’
  • OnlyAttached – (True|Fasle) By default it is false and returns all policies. If it is True then only policies attached to Group, User or Role are returned.
  • MaxItems – To limit the number of policies returned in one call we can use this parameter.

We can do this using AWS CLI in the following way.

Create IAM policy

Now that we have listed all managed policies in AWS, Let us create our first user-managed or local policy. For creating policy, we need to give Policy Document which is nothing but a list of permissions for AWS resources represented in JSON format. If you are not familiar with how to create a policy document then you can visit the AWS Policy Generator to get the policy document. You can refer below the policy document which grants read and write access to only one S3 bucket. I have created an S3 bucket with the name my-test-bucket-123df and we will only grant read and write access to that bucket and no other S3 bucket using the below policy.

This will create local policy in AWS IAM with “my-test-bucket-123df-admin-policy” name. We can verify that on the console.

To create an IAM policy using AWS CLI, we can run the following command.

Create a New version of IAM Policy

There will be certain times that we need to update managed or local policy. Instead of updating policy, we can create different versions and use them. We also have the option to roll back to the previous version if have to.

There are few things to remember before we create a new version for policy. We can only have at max 5 versions of each policy. While creating policy version we can set that up as default version using SetAsDefault parameter. Now we know this, let us see, how to create a policy version

We can validate versions of policy on our AWS console.

We can create IAM Policy using AWS CLI using the command below.

List Versions of IAM Policy

Now that we have different versions for IAM policies, the next logical step will be to write script list all versions of that policy. So let’s do it.

Again, let’s see how we can do this in AWS CLI.

Get Policy and its Policy Document

We can get policy details using below python code.

You will notice that this function “get_policy” does not return policy document. For getting the policy document, we have to use “get_policy_version” function.

Delete Policy

Now we are going to write code for deleting IAM Policy using Python. Before we can delete policy, we need to make sure we have detached that policy from all Groups, Users, and Roles. Not only that, we have to delete all versions of that policy except the default version. So lets us start by deleting the policy version.

Now let us write a script to delete IAM Policy using AWS CLI. Now I am not writing code with for loop but you get the idea. If you want that script with for loop to delete all versions of policy or to detach policy form Groups and users please let me know in comments.

Conclusion

In this tutorial, we have learned how to manage IAM policies using python and AWS CLI. This is very useful when you have to write automated scripts or your applications. I hope you found this useful. See you in the next article.

Similar Posts

Leave a Reply

Your email address will not be published.