通过 boto3 解析 IAM 策略文档响应

Question

我是 python 的初学者，我正在尝试使用 boto3 从策略语句中获取 Statement id (Sid) 和 Condition。任何帮助表示赞赏。

示例政策：

{
    "Version": "2012-10-17",
    "Statement": [
        { 
            "Sid": "DenyResourceShare",
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}

我能够获取内容，但是我不确定如何循环访问政策声明。

def print_policy(id):
        policy_data = org.describe_policy(
                 PolicyId=policy[id]
                 )
        print(policy_data['Policy']['Content'])
        content = json.loads(policy_data['Policy'])
         for statement in content['Statement']:
             print(statement['Sid'])

我得到错误：

     content = json.loads(policy_data['Policy'])
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 341, in loads
    raise TypeError(f'the JSON object must be str, bytes or bytearray, '
TypeError: the JSON object must be str, bytes or bytearray, not dict

试图将其转换为字符串，但得到以下错误：

content = json.loads(json.dumps(policy_data['Policy']))
             for statement in content['Statement']:
                 print(statement['Sid'])

错误：

for statement in content['Statement']:
KeyError: 'Statement'

Answer 1

使用您的示例，您可以遍历项目以获取，例如，Action：

iam = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}

for item in iam['Statement']:
    print(', '.join(item['Action']))

输出：ram:CreateResourceShare, ram:AssociateResourceShare

但是，您的示例中没有Sid，所以我使用了AWS 中的一个。

iam_policy = {'Version': '2012-10-17', 'Statement': [{'Sid': 'EnableDisableHongKong', 'Effect': 'Allow', 'Action': ['account:EnableRegion', 'account:DisableRegion'], 'Resource': '*', 'Condition': {'StringEquals': {'account:TargetRegion': 'ap-east-1'}}}, {'Sid': 'ViewConsole', 'Effect': 'Allow', 'Action': ['aws-portal:ViewAccount', 'account:ListRegions'], 'Resource': '*'}]}

for item in iam_policy['Statement']:
    print(item['Sid'])

输出：

EnableDisableHongKong
ViewConsole

boto3 的简单示例：

import boto3
import json

arn = 'arn:aws:iam::aws:policy/AdministratorAccess'

iam = boto3.client('iam')
policy = iam.get_policy(PolicyArn=arn)
policy_version = iam.get_policy_version(
    PolicyArn=arn,
    VersionId=policy['Policy']['DefaultVersionId']
)

print(json.dumps(policy_version['PolicyVersion']['Document']))
print(json.dumps(policy_version['PolicyVersion']['Document']['Statement']))

打印出来：

{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
[{"Effect": "Allow", "Action": "*", "Resource": "*"}]

Answer 2

您应该能够使用literal_eval 将内容字符串解析为python dict：

import ast

# later

content = ast.literal_eval(policy_data['Policy']['Content'])

# content should be dict now

print(type(content))
print(content)