def get_iam_users():
"""Requires: none """
config = get_config()
conn = IAMConnection(config['access_key'],config['secret_key'])
users = conn.get_all_users()
for user in users['list_users_response']['list_users_result']['users']:
print user['user_name']+","+user['create_date']
def list_users(conn):
conn = IAMConnection()
users = conn.get_all_users()
print "\nCurrent AWS user accounts:\n"
for user in users.list_users_result.users:
print "- {0}".format(user.user_name)
print ""
def list_users(conn):
conn = IAMConnection()
users = conn.get_all_users()
print "\nCurrent AWS user accounts:\n"
for user in users.list_users_result.users:
print "- {0}".format(user.user_name)
print ""
def create_user(self, s3_user):
connect = IAMConnection(self.admin_access_key, self.admin_secret_key)
user = connect.get_all_users()
users = user['list_users_response']['list_users_result']['users']
for user in users:
if s3_user in user['user_name']:
return False
connect.create_user(s3_user)
return True
def create_user(self, s3_user):
connect = IAMConnection(self.admin_access_key, self.admin_secret_key)
user = connect.get_all_users()
users = user['list_users_response']['list_users_result']['users']
for user in users:
if s3_user in user['user_name']:
return False
connect.create_user(s3_user)
return True
def setup(self):
"""Make sure our current credentials are for this account and set self.connection"""
try:
connection = IAMConnection()
except boto.exception.NoAuthHandlerFound:
raise SyncrError("Export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY before running this script (your aws credentials)")
# Need roles to make sure we have the correct account
log.info("Finding roles in your account")
try:
result = connection.list_roles()
except boto.exception.BotoServerError as error:
if error.status == 403:
raise SyncrError("Your credentials aren't allowed to look at iam roles :(")
else:
raise
roles = self.all_roles = result["list_roles_response"]["list_roles_result"]["roles"]
if not roles:
raise SyncrError("There are no roles in your account, I can't figure out the account id")
# Need users for kms to be able to grant to users
log.info("Finding users in your account")
try:
result = connection.get_all_users()
except boto.exception.BotoServerError as error:
if error.status == 403:
raise SyncrError("Your credentials aren't allowed to look at iam users :(")
else:
raise
self.all_users = result["list_users_response"]["list_users_result"]["users"]
amazon_account_id = roles[0]['arn'].split(":")[4]
if str(self.account_id) != str(amazon_account_id):
raise SyncrError("Please use credentials for the right account", expect=self.account_id, got=amazon_account_id)
# If reached this far, the credentials belong to the correct account :)
self.connection = connection
return connection
class IamCloud(object):
"""Representation of the IAM database in AWS"""
def __init__(self):
self._users = set()
self._groups = set()
self._policies = set()
self._conn = IAMConnection()
def _load_users(self):
raw_users = self._conn.get_all_users()
u_list = (raw_users[u'list_users_response']
[u'list_users_result']
[u'users'])
for u_dict in u_list:
name = u_dict[u'user_name']
# User's groups
groups = set()
raw_groups = self._conn.get_groups_for_user(name)
g_list = (raw_groups[u'list_groups_for_user_response']
[u'list_groups_for_user_result']
[u'groups'])
for g_dict in g_list:
groups.add(g_dict[u'group_name'])
# User's policies
policies = set()
raw_policies = self._conn.get_all_user_policies(name)
p_list = (raw_policies[u'list_user_policies_response']
[u'list_user_policies_result']
[u'policy_names'])
for policy_name in p_list:
raw_policy = self._conn.get_user_policy(name, policy_name)
encoded_policy = (raw_policy[u'get_user_policy_response']
[u'get_user_policy_result']
[u'policy_document'])
str_policy = urllib.unquote_plus(encoded_policy)
dict_policy = json.loads(str_policy)
policy = IamPolicy(policy_name, dict_policy)
policies.add(policy)
user = IamUser(name, groups, policies)
self._users.add(user)
@property
def users(self):
if not self._users:
self._load_users()
return self._users
def _load_groups(self):
raw_groups = self._conn.get_all_groups()
g_list = (raw_groups[u'list_groups_response']
[u'list_groups_result']
[u'groups'])
for g_dict in g_list:
name = g_dict[u'group_name']
# Group's policies
policies = set()
raw_policies = self._conn.get_all_group_policies(name)
p_list = (raw_policies[u'list_group_policies_response']
[u'list_group_policies_result']
[u'policy_names'])
for policy_name in p_list:
raw_policy = self._conn.get_group_policy(name, policy_name)
encoded_policy = (raw_policy[u'get_group_policy_response']
[u'get_group_policy_result']
[u'policy_document'])
str_policy = urllib.unquote_plus(encoded_policy)
dict_policy = json.loads(str_policy)
policy = IamPolicy(policy_name, dict_policy)
policies.add(policy)
group = IamGroup(name, policies)
self._groups.add(group)
@property
def groups(self):
if not self._groups:
self._load_groups()
return self._groups
@property
def policies(self):
if not self._policies:
self._load_policies()
return self._policies
def dump_users(self):
"""Dump users into files"""
config = SafeConfigParser()
for user in sorted(self.users):
config.add_section(user.name)
if user.groups:
config.set(user.name,
u'groups',
',\n'.join(sorted(user.groups)))
if user.policies:
policy_names = set()
for policy in user.policies:
policy_names.add(policy.name)
config.set(user.name,
u'policies',
',\n'.join(sorted(policy_names)))
with open(USERS_FILE, 'w') as configfile:
config.write(configfile)
def dump_groups(self):
"""Dump groups into files"""
config = SafeConfigParser()
for group in sorted(self.groups):
config.add_section(group.name)
if group.policies:
policy_names = set()
for policy in group.policies:
policy_names.add(policy.name)
config.set(group.name,
u'policies',
',\n'.join(sorted(policy_names)))
with open(GROUPS_FILE, 'w') as configfile:
config.write(configfile)
def dump_policies(self):
"""Dump user and group policies into files"""
policies_to_dump = set()
# Check that there is no dupe policy
policy_used = {}
for user in self.users:
for policy in user.policies:
if policy.name not in policy_used:
policy_used[policy.name] = set(["user:"******"user:"******"group:" + group.name])
else:
policy_used[policy.name].add("group:" + group.name)
for policy_name in policy_used:
if len(policy_used[policy_name]) > 1:
print("Multiple policies named {} have been found:"
.format(policy_name))
for policy_user in policy_used[policy_name]:
print " - {}".format(policy_user)
print
print ("You must rename any duplicate policy for the dump to "
"be consistent.")
print "Rename those and dump again."
for user in self.users:
for policy in user.policies:
policies_to_dump.add(policy)
for group in self.groups:
for policy in group.policies:
policies_to_dump.add(policy)
# If the policies folder is not there, create it
if policies_to_dump and not os.path.isdir(POLICIES_DIR):
os.mkdir(POLICIES_DIR, 0755)
for policy in policies_to_dump:
filename = policy.name + u'.json'
filepath = os.path.join(POLICIES_DIR, filename)
with open(filepath, 'w') as policy_file:
json.dump(policy.document,
policy_file,
sort_keys=True,
indent=2,
separators=(',', ': '))
def dump(self):
"""Dump everything into files"""
print "Dumping users into {filename}...".format(filename=USERS_FILE)
self.dump_users()
print "Dumping groups into {filename}...".format(filename=GROUPS_FILE)
self.dump_groups()
print ("Dumping policies into {foldername}/*.json..."
.format(foldername=POLICIES_DIR))
self.dump_policies()
import boto from boto import iam from boto.iam.connection import IAMConnection from boto.iam.connection import MFADevices conn= IAMConnection() summary= conn.get_all_users(); for user in summary.users: name=user['user_name'] print get_all_mfa_devices(name)
print "DESTROY: Removing policy %s from group %s" % (
policy, group_name)
iam.delete_group_policy(group_name, policy)
iam.delete_group(group_name)
if not group_exists or destructive:
print "INITIALIZE: Group %s does not exist, creating" % (
group_name,)
group = iam.create_group(group_name)
print "INITIALIZE: Adding policy %s to group %s" % (
policy_name, group_name)
iam.put_group_policy(group_name, policy_name, policy_json)
# 2) Check if IAM user 'can-opener-user' exists, if not,
# create, set to group 'can-opener-grp', get credentials
# and print them out.
user_exists = user_name in [u.user_name for u in iam.get_all_users().list_users_response.list_users_result.users]
if user_exists and destructive:
for key in iam.get_all_access_keys(user_name).list_access_keys_response.list_access_keys_result.access_key_metadata:
print "DESTROY: Destroying access key %s of user %s" % (
key.access_key_id, user_name)
iam.delete_access_key(key.access_key_id, user_name)
print "DESTROY: Destructing old user %s" % (user_name,)
iam.delete_user(user_name)
if not user_exists or destructive:
print "INIITALIZE: User %s does not exist, creating" % (
user_name,)
user = iam.create_user(user_name)
print "INITIALIZE: Adding user %s to group %s" % (
user_name, group_name)
iam.add_user_to_group(group_name, user_name)
print "INITIALIZE: Creating new access key for user %s" % (
# Prints a list of all access keys with the associated user.
import boto
from boto.iam.connection import IAMConnection
cfn = IAMConnection()
data = cfn.get_all_users()
for user in data.list_users_result.users:
for ak in cfn.get_all_access_keys(
user.user_name).list_access_keys_result.access_key_metadata:
print user.user_name + ': ' + ak.access_key_id
# Prints a list of all access keys with the associated user.
import boto
from boto.iam.connection import IAMConnection
cfn = IAMConnection()
data = cfn.get_all_users()
for user in data.list_users_result.users:
for ak in cfn.get_all_access_keys(user.user_name).list_access_keys_result.access_key_metadata:
print user.user_name + ': ' + ak.access_key_id
