def get_iam_users(): """Requires: none """ config = get_config() conn = IAMConnection(config['access_key'],config['secret_key']) users = conn.get_all_users() for user in users['list_users_response']['list_users_result']['users']: print user['user_name']+","+user['create_date']
def list_users(conn): conn = IAMConnection() users = conn.get_all_users() print "\nCurrent AWS user accounts:\n" for user in users.list_users_result.users: print "- {0}".format(user.user_name) print ""
def create_user(self, s3_user): connect = IAMConnection(self.admin_access_key, self.admin_secret_key) user = connect.get_all_users() users = user['list_users_response']['list_users_result']['users'] for user in users: if s3_user in user['user_name']: return False connect.create_user(s3_user) return True
def setup(self): """Make sure our current credentials are for this account and set self.connection""" try: connection = IAMConnection() except boto.exception.NoAuthHandlerFound: raise SyncrError("Export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY before running this script (your aws credentials)") # Need roles to make sure we have the correct account log.info("Finding roles in your account") try: result = connection.list_roles() except boto.exception.BotoServerError as error: if error.status == 403: raise SyncrError("Your credentials aren't allowed to look at iam roles :(") else: raise roles = self.all_roles = result["list_roles_response"]["list_roles_result"]["roles"] if not roles: raise SyncrError("There are no roles in your account, I can't figure out the account id") # Need users for kms to be able to grant to users log.info("Finding users in your account") try: result = connection.get_all_users() except boto.exception.BotoServerError as error: if error.status == 403: raise SyncrError("Your credentials aren't allowed to look at iam users :(") else: raise self.all_users = result["list_users_response"]["list_users_result"]["users"] amazon_account_id = roles[0]['arn'].split(":")[4] if str(self.account_id) != str(amazon_account_id): raise SyncrError("Please use credentials for the right account", expect=self.account_id, got=amazon_account_id) # If reached this far, the credentials belong to the correct account :) self.connection = connection return connection
class IamCloud(object): """Representation of the IAM database in AWS""" def __init__(self): self._users = set() self._groups = set() self._policies = set() self._conn = IAMConnection() def _load_users(self): raw_users = self._conn.get_all_users() u_list = (raw_users[u'list_users_response'] [u'list_users_result'] [u'users']) for u_dict in u_list: name = u_dict[u'user_name'] # User's groups groups = set() raw_groups = self._conn.get_groups_for_user(name) g_list = (raw_groups[u'list_groups_for_user_response'] [u'list_groups_for_user_result'] [u'groups']) for g_dict in g_list: groups.add(g_dict[u'group_name']) # User's policies policies = set() raw_policies = self._conn.get_all_user_policies(name) p_list = (raw_policies[u'list_user_policies_response'] [u'list_user_policies_result'] [u'policy_names']) for policy_name in p_list: raw_policy = self._conn.get_user_policy(name, policy_name) encoded_policy = (raw_policy[u'get_user_policy_response'] [u'get_user_policy_result'] [u'policy_document']) str_policy = urllib.unquote_plus(encoded_policy) dict_policy = json.loads(str_policy) policy = IamPolicy(policy_name, dict_policy) policies.add(policy) user = IamUser(name, groups, policies) self._users.add(user) @property def users(self): if not self._users: self._load_users() return self._users def _load_groups(self): raw_groups = self._conn.get_all_groups() g_list = (raw_groups[u'list_groups_response'] [u'list_groups_result'] [u'groups']) for g_dict in g_list: name = g_dict[u'group_name'] # Group's policies policies = set() raw_policies = self._conn.get_all_group_policies(name) p_list = (raw_policies[u'list_group_policies_response'] [u'list_group_policies_result'] [u'policy_names']) for policy_name in p_list: raw_policy = self._conn.get_group_policy(name, policy_name) encoded_policy = (raw_policy[u'get_group_policy_response'] [u'get_group_policy_result'] [u'policy_document']) str_policy = urllib.unquote_plus(encoded_policy) dict_policy = json.loads(str_policy) policy = IamPolicy(policy_name, dict_policy) policies.add(policy) group = IamGroup(name, policies) self._groups.add(group) @property def groups(self): if not self._groups: self._load_groups() return self._groups @property def policies(self): if not self._policies: self._load_policies() return self._policies def dump_users(self): """Dump users into files""" config = SafeConfigParser() for user in sorted(self.users): config.add_section(user.name) if user.groups: config.set(user.name, u'groups', ',\n'.join(sorted(user.groups))) if user.policies: policy_names = set() for policy in user.policies: policy_names.add(policy.name) config.set(user.name, u'policies', ',\n'.join(sorted(policy_names))) with open(USERS_FILE, 'w') as configfile: config.write(configfile) def dump_groups(self): """Dump groups into files""" config = SafeConfigParser() for group in sorted(self.groups): config.add_section(group.name) if group.policies: policy_names = set() for policy in group.policies: policy_names.add(policy.name) config.set(group.name, u'policies', ',\n'.join(sorted(policy_names))) with open(GROUPS_FILE, 'w') as configfile: config.write(configfile) def dump_policies(self): """Dump user and group policies into files""" policies_to_dump = set() # Check that there is no dupe policy policy_used = {} for user in self.users: for policy in user.policies: if policy.name not in policy_used: policy_used[policy.name] = set(["user:"******"user:"******"group:" + group.name]) else: policy_used[policy.name].add("group:" + group.name) for policy_name in policy_used: if len(policy_used[policy_name]) > 1: print("Multiple policies named {} have been found:" .format(policy_name)) for policy_user in policy_used[policy_name]: print " - {}".format(policy_user) print print ("You must rename any duplicate policy for the dump to " "be consistent.") print "Rename those and dump again." for user in self.users: for policy in user.policies: policies_to_dump.add(policy) for group in self.groups: for policy in group.policies: policies_to_dump.add(policy) # If the policies folder is not there, create it if policies_to_dump and not os.path.isdir(POLICIES_DIR): os.mkdir(POLICIES_DIR, 0755) for policy in policies_to_dump: filename = policy.name + u'.json' filepath = os.path.join(POLICIES_DIR, filename) with open(filepath, 'w') as policy_file: json.dump(policy.document, policy_file, sort_keys=True, indent=2, separators=(',', ': ')) def dump(self): """Dump everything into files""" print "Dumping users into {filename}...".format(filename=USERS_FILE) self.dump_users() print "Dumping groups into {filename}...".format(filename=GROUPS_FILE) self.dump_groups() print ("Dumping policies into {foldername}/*.json..." .format(foldername=POLICIES_DIR)) self.dump_policies()
import boto from boto import iam from boto.iam.connection import IAMConnection from boto.iam.connection import MFADevices conn= IAMConnection() summary= conn.get_all_users(); for user in summary.users: name=user['user_name'] print get_all_mfa_devices(name)
print "DESTROY: Removing policy %s from group %s" % ( policy, group_name) iam.delete_group_policy(group_name, policy) iam.delete_group(group_name) if not group_exists or destructive: print "INITIALIZE: Group %s does not exist, creating" % ( group_name,) group = iam.create_group(group_name) print "INITIALIZE: Adding policy %s to group %s" % ( policy_name, group_name) iam.put_group_policy(group_name, policy_name, policy_json) # 2) Check if IAM user 'can-opener-user' exists, if not, # create, set to group 'can-opener-grp', get credentials # and print them out. user_exists = user_name in [u.user_name for u in iam.get_all_users().list_users_response.list_users_result.users] if user_exists and destructive: for key in iam.get_all_access_keys(user_name).list_access_keys_response.list_access_keys_result.access_key_metadata: print "DESTROY: Destroying access key %s of user %s" % ( key.access_key_id, user_name) iam.delete_access_key(key.access_key_id, user_name) print "DESTROY: Destructing old user %s" % (user_name,) iam.delete_user(user_name) if not user_exists or destructive: print "INIITALIZE: User %s does not exist, creating" % ( user_name,) user = iam.create_user(user_name) print "INITIALIZE: Adding user %s to group %s" % ( user_name, group_name) iam.add_user_to_group(group_name, user_name) print "INITIALIZE: Creating new access key for user %s" % (
# Prints a list of all access keys with the associated user. import boto from boto.iam.connection import IAMConnection cfn = IAMConnection() data = cfn.get_all_users() for user in data.list_users_result.users: for ak in cfn.get_all_access_keys( user.user_name).list_access_keys_result.access_key_metadata: print user.user_name + ': ' + ak.access_key_id
# Prints a list of all access keys with the associated user. import boto from boto.iam.connection import IAMConnection cfn = IAMConnection() data = cfn.get_all_users() for user in data.list_users_result.users: for ak in cfn.get_all_access_keys(user.user_name).list_access_keys_result.access_key_metadata: print user.user_name + ': ' + ak.access_key_id