Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

s3-credentials list-user-policies command #5

Closed
simonw opened this issue Nov 2, 2021 · 4 comments
Closed

s3-credentials list-user-policies command #5

simonw opened this issue Nov 2, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@simonw
Copy link
Owner

simonw commented Nov 2, 2021

Since the implementation of #3 is going to start adding inline policies to users, having a command to see those policies will be useful.

It can look similar to list-users from #4.
@simonw simonw added the enhancement New feature or request label Nov 2, 2021
@simonw
Copy link
Owner Author

simonw commented Nov 2, 2021

This will have to make N+1 calls - list_user_policies only returns the policy names: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.list_user_policies

Then call get_user_policy for each one to retrieve the policy details: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_user_policy

@simonw
Copy link
Owner Author

simonw commented Nov 2, 2021

Made a start on this:

@cli.command()
@click.argument("username")
@click.option("--array", help="Output a valid JSON array", is_flag=True)
@click.option("--nl", help="Output newline-delimited JSON", is_flag=True)
def list_user_policies(username, array, nl):
    "List inline policies for specified user"
    iam = boto3.client("iam")
    paginator = iam.get_paginator("list_user_policies")
    gathered = []
    for response in paginator.paginate(UserName=username):
        print(response)

But I can't try it out yet because I haven't written any inline policies to anyone - so back to work on #3 instead.

@simonw
Copy link
Owner Author

simonw commented Nov 2, 2021

I'm going to have this accept 0 or more usernames - if you pass none it will loop through all users.

@simonw
Copy link
Owner Author

simonw commented Nov 3, 2021

Better version:

@cli.command()
@click.argument("usernames", nargs=-1)
def list_user_policies(usernames):
    "List inline policies for specified user"
    iam = boto3.client("iam")
    if not usernames:
        usernames = []
        paginator = iam.get_paginator("list_users")
        for response in paginator.paginate():
            for user in response["Users"]:
                usernames.append(user["UserName"])

    paginator = iam.get_paginator("list_user_policies")
    for username in usernames:
        click.echo("User: {}".format(username))
        for response in paginator.paginate(UserName=username):
            for policy_name in response["PolicyNames"]:
                click.echo("PolicyName: {}".format(policy_name))
                policy_response = iam.get_user_policy(
                    UserName=username, PolicyName=policy_name
                )
                click.echo(
                    json.dumps(policy_response["PolicyDocument"], indent=4, default=str)
                )

@simonw simonw closed this as completed in a8e10fb Nov 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@simonw