How can we fetch IAM users, their groups and policies?

Submitted by 拟墨画扇 on 2019-12-31 22:49:13

Question


I need to fetch all the AWS users, their corresponding groups and policies, and then whether MFA is activated for them or not. Can anyone tell me how it can be done via the AWS CLI or boto?

I have a script that fetches just all the users in AWS.

import boto3
import argparse

access_key = ''
secret_key = ''


def get_iam_uses_list():
    # boto3 can also pick the keys up from the environment or a shared
    # credentials profile, so they need not be passed on the command line.
    client = boto3.client('iam',
                          aws_access_key_id=access_key,
                          aws_secret_access_key=secret_key)
    my_list = list()
    # Note: this only returns the first page of users (up to MaxItems).
    iam_all_users = client.list_users(MaxItems=200)
    for user in iam_all_users['Users']:
        my_list.append(user['UserName'])

    for i in my_list:
        print(i)

    # print("read complete")
    #
    # for i in my_list:
    #     iam_user_policy = client.list_attached_user_policies(UserName=i)
    #     for policy in iam_user_policy['AttachedPolicies']:
    #         print("%s \t %s" % (i, policy['PolicyName']))


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('access_key', help='Access Key')
    parser.add_argument('secret_key', help='Secret Key')
    args = parser.parse_args()
    global access_key
    global secret_key
    access_key = args.access_key
    secret_key = args.secret_key
    get_iam_uses_list()


if __name__ == '__main__':
    main()

Answer 1:


Here, I am using boto commands to do four operations:

  1. List all the users
  2. List the policies attached to each user
  3. List the roles added to each user
  4. List MFA devices to see if MFA has been configured by the user or not (here I am not checking whether MFA is enabled, but whether a device has been configured by the user or not).

Get IAM connection to AWS Account

import boto3
client = boto3.client('iam', aws_access_key_id="XXX", aws_secret_access_key="XXX")

Getting IAM Users. This will print all the usernames; you can customize it if you want to print other details as well.

users = client.list_users()
for key in users['Users']:
    print(key['UserName'])

Getting the list of policies attached to each user

for key in users['Users']:
    List_of_Policies = client.list_user_policies(UserName=key['UserName'])
    # PolicyNames is a list of plain strings (inline policy names), not dicts
    for policy_name in List_of_Policies['PolicyNames']:
        print(policy_name)

Getting the list of groups attached to each user

for key in users['Users']:
    List_of_Groups = client.list_groups_for_user(UserName=key['UserName'])
    for group in List_of_Groups['Groups']:
        print(group['GroupName'])

Checking if an MFA device is configured or not

for key in users['Users']:
    List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])
    for device in List_of_MFA_Devices['MFADevices']:
        print(device)

You can further check whether List_of_MFA_Devices['MFADevices'] is empty or not. If it is empty, then no MFA device is configured.

If you want the output as a list of dicts, where each entry is a dict with key-value pairs for userName, Groups, Policies and an isMFADeviceConfigured flag, use the following code:

import boto3
client = boto3.client('iam', aws_access_key_id="XXXX", aws_secret_access_key="YYY")
users = client.list_users()
user_list = []
for key in users['Users']:
    result = {}
    Groups = []

    result['userName'] = key['UserName']
    List_of_Policies = client.list_user_policies(UserName=key['UserName'])

    # inline policy names (list of strings)
    result['Policies'] = List_of_Policies['PolicyNames']

    List_of_Groups = client.list_groups_for_user(UserName=key['UserName'])

    for Group in List_of_Groups['Groups']:
        Groups.append(Group['GroupName'])
    result['Groups'] = Groups

    List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])

    # an empty MFADevices list means no device has been configured for the user
    if not len(List_of_MFA_Devices['MFADevices']):
        result['isMFADeviceConfigured'] = False
    else:
        result['isMFADeviceConfigured'] = True
    user_list.append(result)

for key in user_list:
    print(key)

Output for the above code:

{'userName': 'user1', 'Groups': ['grp1', 'grp2'], 'Policies': ['policy1', 'policy2'], 'isMFADeviceConfigured': False/True}

{'userName': 'user2', 'Groups': ['grp1', 'grp2'], 'Policies': ['policy1', 'policy2'], 'isMFADeviceConfigured': False/True}



Source: https://stackoverflow.com/questions/46073435/how-can-we-fetch-iam-users-their-groups-and-policies
