【发布时间】:2021-03-20 03:57:57
【问题描述】:
我正在尝试在 AWS 上创建一个 IAM 用户并将其附加到具有 IAM 策略的用户组,但我收到“调用 CreatePolicy 操作时发生错误(MalformedPolicyDocument):策略未能通过旧版解析”错误,我不确定这意味着什么。我认为这与政策本身有关,但我不确定。
import boto3
import sys
import json
iam = boto3.client('iam')
sts = boto3.client('sts')
response = iam.create_user(
UserName='GoodUser'
)
IDK = sts.get_caller_identity()
print(IDK['UserId'])
response = iam.create_group(
GroupName='GoodGroup'
)
response = iam.add_user_to_group(
GroupName='GoodGroup',
UserName='GoodUser'
)
some_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-2:{}:instance/*".format(IDK),
"arn:aws:ec2:us-east-2:{}:security-group/*".format(IDK),
"arn:aws:ec2:us-east-2:{}:image/ami-0a91cd140a1fc148a".format(IDK)
],
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:us-east-2:{}:instance/*".format(IDK),
"Condition": {
"ForAllValues:StringEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}
]
}
response = iam.create_policy(
PolicyName='GoodPolicy',
PolicyDocument=json.dumps(some_policy)
)
print(response)
IDK1 = iam.attach_user_policy(
UserName='GoodUser',
PolicyArn='arn:aws:iam::{}:policy/some_policy'.format(IDK)
)
【问题讨论】:
-
尝试通过 AWS 控制台创建策略。使用
json.dumps(some_policy)的输出作为输入 -
这不适用于我的用例,因为我需要 UserID,而且它可能会因每个用户而改变,所以不想在策略中硬编码
-
尽可能使用假身份证,也许您会从控制台收到有关问题的反馈
-
我已经使用控制台测试了该策略,它适用于硬编码的用户 ID,但是当我尝试在 boto 上动态输入时它不起作用。
标签: python amazon-web-services boto3 amazon-iam boto