Attach AWS IAM User Policy to Assume a Role

This task attaches a policy to an IAM user that lets the user assume a specified IAM role. This is a key security control: it grants controlled, temporary access elevation in line with the principle of least privilege, and it is essential for secure and manageable permission handling in AWS. Note: this attaches the policy directly to the AWS IAM user.

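import boto3
from botocore.exceptions import ClientError
import json

# _get_creds and cred_label are supplied by the hosting task runner; they are
# not defined in this script.
creds = _get_creds(cred_label)['creds']
access_key = creds['username']
secret_key = creds['password']

# A customer-managed IAM policy can hold at most five versions; a further
# create_policy_version call is rejected until one is deleted.
MAX_POLICY_VERSIONS = 5


def _get_caller_identity():
    """Return the STS GetCallerIdentity response for the task credentials, or None on failure.

    The response carries the account ID and the caller ARN. The ARN's second
    colon-separated field is the partition (for example ``aws``), which every
    ARN this script builds must use so the lookup works outside the default
    partition as well. STS is addressed through the us-east-1 endpoint.
    """
    sts_client = boto3.client(
        'sts',
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
        region_name='us-east-1',
    )
    try:
        return sts_client.get_caller_identity()
    except ClientError as error:
        print(f"Error retrieving AWS account ID: {error}")
        return None


def get_aws_account_id():
    """Retrieve the AWS account ID of the task credentials via STS, or None on failure."""
    identity = _get_caller_identity()
    return identity["Account"] if identity else None


def get_policy_arn(iam_client, policy_name, account_id=None, partition='aws'):
    """Return the ARN of the customer-managed policy *policy_name*, or None if it does not exist.

    :param iam_client: The IAM client instance.
    :param policy_name: The name of the policy.
    :param account_id: Account that owns the policy; looked up via STS when omitted.
    :param partition: ARN partition of that account (defaults to ``aws``).
    :return: The ARN of the policy, or None when the policy does not exist or
        the account ID could not be determined.
    :raises ClientError: for any IAM failure other than ``NoSuchEntity`` (for
        example access denied), so a permissions problem is not mistaken for
        "policy missing" and followed by a doomed create_policy call.
    """
    if account_id is None:
        account_id = get_aws_account_id()
        if account_id is None:
            return None
    policy_arn = f"arn:{partition}:iam::{account_id}:policy/{policy_name}"
    try:
        policy = iam_client.get_policy(PolicyArn=policy_arn)
    except ClientError as error:
        if error.response['Error']['Code'] == 'NoSuchEntity':
            return None
        raise
    return policy['Policy']['Arn']


def check_role_exists(iam_client, role_name):
    """Return True if the IAM role *role_name* exists, False if it does not.

    :param iam_client: The IAM client instance.
    :param role_name: The name of the IAM role to check.
    :raises ClientError: for any failure other than ``NoSuchEntity``; an
        access-denied or throttling error must not be reported as "missing".
    """
    try:
        iam_client.get_role(RoleName=role_name)
    except ClientError as error:
        if error.response['Error']['Code'] == 'NoSuchEntity':
            return False
        raise
    return True


def _make_room_for_policy_version(iam_client, policy_arn):
    """Delete the oldest non-default version of *policy_arn* if the version limit is reached.

    Called before create_policy_version so that repeated updates of the same
    policy do not fail once MAX_POLICY_VERSIONS versions have accumulated. The
    default (currently effective) version is never deleted.

    :raises ClientError: propagated from list/delete_policy_version.
    """
    versions = iam_client.list_policy_versions(PolicyArn=policy_arn)['Versions']
    if len(versions) < MAX_POLICY_VERSIONS:
        return
    superseded = [v for v in versions if not v['IsDefaultVersion']]
    if not superseded:
        return
    oldest = min(superseded, key=lambda v: v['CreateDate'])
    iam_client.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest['VersionId'])


def attach_role_to_user(user_name, role_name):
    """Attach a policy to *user_name* that allows it to assume *role_name*.

    A customer-managed policy named ``AllowAssumeRole-<role_name>`` is created
    (or, if it already exists, given a new default version) containing a single
    statement that allows ``sts:AssumeRole`` on that one role ARN, and is then
    attached directly to the user. The role's trust policy must separately
    permit this principal; the identity policy alone does not grant the
    assumption.

    Every failure is reported with print() and ends the function without
    raising, so the task runner sees a message rather than a traceback.

    :param user_name: The name of the IAM user.
    :param role_name: The name of the IAM role.
    """
    if not user_name or not role_name:
        print("Both user_name and role_name are required. Exiting function.")
        return

    # Create an IAM client
    iam_client = boto3.client(
        'iam',
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
    )

    # One STS call yields both the account ID and the partition.
    identity = _get_caller_identity()
    if identity is None:
        print("Failed to retrieve AWS account ID. Exiting function.")
        return
    account_id = identity["Account"]
    partition = identity["Arn"].split(":")[1]

    # Verify the role before creating anything, so a mistyped role name does
    # not leave behind a policy granting AssumeRole on a non-existent ARN.
    policy_name = f"AllowAssumeRole-{role_name}"
    try:
        if not check_role_exists(iam_client, role_name):
            print(f"The role '{role_name}' does not exist. Exiting function.")
            return
        policy_arn = get_policy_arn(iam_client, policy_name, account_id, partition)
    except ClientError as error:
        print(f"Failed to look up role or policy: {error}")
        return

    # Least privilege: exactly one action on exactly one role ARN, no wildcards.
    role_arn = f"arn:{partition}:iam::{account_id}:role/{role_name}"
    policy_document = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": role_arn,
            }
        ],
    }
    policy_json = json.dumps(policy_document)

    # Create or update policy
    if policy_arn:
        print(f"Policy {policy_name} already exists. Updating policy.")
        try:
            _make_room_for_policy_version(iam_client, policy_arn)
            # SetAsDefault makes this document effective for every principal
            # the policy is already attached to, not just user_name.
            iam_client.create_policy_version(
                PolicyArn=policy_arn,
                PolicyDocument=policy_json,
                SetAsDefault=True,
            )
        except ClientError as error:
            print(f"Failed to update policy: {error}")
            return
    else:
        try:
            policy_response = iam_client.create_policy(
                PolicyName=policy_name,
                PolicyDocument=policy_json,
            )
            policy_arn = policy_response['Policy']['Arn']
        except ClientError as error:
            print(f"Failed to create policy: {error}")
            return

    # Attach the policy to the user (idempotent if already attached).
    try:
        iam_client.attach_user_policy(
            UserName=user_name,
            PolicyArn=policy_arn,
        )
        print(f"Policy {policy_name} attached to user {user_name} allowing to assume role {role_name}.")
    except ClientError as error:
        print(f"Failed to attach policy to user: {error}")


# Example usage
#username = 'test_user'
#rolename = 'AWSServiceRoleForECS'
# username, rolename and context are supplied by the hosting task runner.
attach_role_to_user(username, rolename)
context.proceed=False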