is there a way in boto3 to get the access level of a service in a policy (Full access, List, Tagging, Read, Write)? The allowed actions are too much, I just need the access levels.
For example I have the "IAMUserChangePassword"-Policy.
The allowed service in that policy is "IAM" and the access levels are "Read, Write". Now I want to write some python code to return a list of all access levels. I do not need the actions "iam:GetAccountPasswordPolicy, iam:ChangePassword", I just need the access levels.
No, this is not possible.
While the IAM console does provide a 'user-friendly' version of policies by showing checkboxes with Read, Write, List, etc, this level of information is not available through an API. The console must have some additional logic that parses the policies to extract this information.
Related
I'm trying to use a service account and the Google Drive API to automate sharing a folder and i want to be able to set the expirationTime property.
I've found previous threads that mention setting it in a permissions.update() call, but whatever i try i get the same generic error - 'Expiration dates cannot be set on this item.'.
I've validated i'm passing the correct date format, because i've even shared manually from my drive account and then used the permissions.list() to get the expirationTime from the returned data.
I've also tried creating a folder in my user drive, making my service account and editor and then trying to share that folder via API but i get the same problem.
Is there something that prevents a service account being able to set this property?
To note - I haven't enabled the domain wide delegation and tried impersonating yet.
Sample code:
update_body = {
'role': 'reader',
'expirationTime': '2023-03-13T23:59:59.000Z'
}
driveadmin.permissions().update(
fileId='<idhere>', permissionId='<idhere>', body=update_body).execute()
Checking the documentation from the feature it seems that it's only available to paid Google Workspace subscriptions as mentioned in the Google Workspace updates blog. You are most likely getting the error Expiration dates can't be set on this item as the service account is treated as a regular Gmail account and you can notice that this feature is not available for this type of accounts in the availability section of the update:
If you perform impersonation with your Google Workspace user I'm pretty sure that you won't receive the error as long as you have one of the subscriptions in which the feature is enabled. You can check more information about how to perform impersonation and Domain Wide Delegation here.
When I run the code below, which is taken from: https://developers.google.com/drive/api/v3/manage-shareddrives#python
# Create a new drive
test_drive_metadata = {'name': 'Test Drive'}
request_id = str(uuid.uuid4())
test_drive = self.service.drives().create(
body=test_drive_metadata,
requestId=request_id,
fields='id'
).execute()
I get "The user does not have sufficient permissions for this file." This does not happen if I create files, if I list shared drives or anything else. There are no other required scopes other than ['https://www.googleapis.com/auth/drive'].
It should be noted that I am using a service account. Are service accounts not allowed to create shared drives? This is not documented anywhere as far as I am aware if this is the case.
There doesn't seem to be any explicit documentation regarding this limitation, but considering that Service Accounts (without using DWD and impersonation) are supposed to manage application data, and not user data, it makes sense that they cannot be used to manage data that is shared with regular users.
Also, the use of Service Accounts to manage shared documents seems to be advised against, according to the official documentation:
Using the service account as a common owner to create many shared documents can have severe performance implications.
On the other hand, since Service Accounts have certain limitations compared to regular accounts (for example, Event creation in Calendar), this could probably be one of these limitations.
In any case, in order to make sure that's the case, I'd suggest you to report this behaviour in this Issue Tracker component.
Reference:
Drive API: Perform G Suite Domain-Wide Delegation of Authority
Using OAuth 2.0 for Server to Server Applications
I want to programatically get all the actions a user is allowed to do across aws services.
I've tried to fiddle with simulate_principal_policy but it seems this method expects a list of all actions, and I don't want to maintain a hard-coded list.
I also tried to call it with iam:* for example and got a generic 'implicitDeny' response so I know the user is not permitted all the actions but I require a higher granularity of actions.
Any ideas as to how do I get the action list dynamically?
Thanks!
To start with, there is no programmatic way to retrieve all possible actions (regardless of whether they are permitted to use an action).
You would need to construct a list of possible actions before checking the security. As an example, the boto3 SDK for Python contains an internal list of commands that it uses to validate commands before sending them to AWS.
Once you have a particular action, you could use Access the Policy Simulator API to validate whether a given user would be allowed to make a particular API call. This is much easier than attempting to parse the various Allow and Deny permissions associated with a given user.
However, a call might be denied based upon the specific parameters of the call. For example, a user might have permissions to terminate any Amazon EC2 instance that has a particular tag, but cannot terminate all instances. To correctly test this, an InstanceId would need to be provided to the simulation.
Also, permissions might be restricted by IP Address and even Time of Day. Thus, while a user would have permission to call an Action, where and when they do it will have an impact on whether the Action is permitted.
Bottom line: It ain't easy! AWS will validate permissions at the time of the call. Use the Policy Simulator to obtain similar validation results.
I am surprised no one has answered this question correctly. Here is code that uses boto3 that addresses the OP's question directly:
import boto3
session = boto3.Session('us-east-1')
for service in session.get_available_services ():
service_client = session.client (service)
print (service)
print (service_client.meta.service_model.operation_names)
IAM, however, is a special case as it won't be listed in the get_available_services() call above:
IAM = session.client ('iam')
print ('iam')
print (IAM.meta.service_model.operation_names)
I am building out a product that will use the serverless architecture on Amazon (using this example project).
Right now the product is usable by anyone. However, I don't want just anyone to be able to add/update/delete from the database. I do want anyone to be able to read from it though. So, I'd like to use two different sets of credentials. The first would be distributed with the application and would allow read only access. The second set remains internal and would be embedded in OS variables that the application would utilize.
It looks like these permissions are set up in the serverless.yml file, but this is only for one set of credentials.
iamRoleStatements:
- Effect: Allow
Action:
- dynamodb:Query
- dynamodb:Scan
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}"
How I can set up two different roles?
IAM offers a number of pre-defined, managed IAM policies for DynamoDB, including:
AmazonDynamoDBReadOnlyAccess
AmazonDynamoDBFullAccess
Create two IAM roles with these managed policies: one for your read-only application and the other for your internal system. If either/both are running on EC2 then, rather than rely on credentials in environment variables, you can launch these EC2 instances with the relevant IAM role.
I'd like to retrieve a user's current permissions via Softlayer's Python API, ideally a list containing permissions as they'd be seen on the user portal.
I've tried the method under User_Customer service, which reports back with the following error:
SoftLayer.exceptions.SoftLayerAPIError: SoftLayerAPIError(SoftLayer_Exception): Object does not exist to execute method on. (SoftLayer_User_Customer::getPermissions)
I'm aware that a header may need to be set for that particular API call, but I couldn't find a source that explains how to set the headers in the Python API.
I've also tried calling this Account service method. Which succeeds, but returns a list of users under the account and not the information I expect.
Here you can see examples about the use of the python client:
https://softlayer.github.io/python/
particulary about the permissions associated to an user you can see this example:
https://softlayer.github.io/python/set_permission/
permissions = self.client['User_Customer'].getPermissions(id=user_id)
print("=== OLD PERMISSIONS ===")
self.printPermissions(permissions)
Regards