如果我有一个名为OperationAdmins的角色,它将AdministratorAccess策略授予承担该角色的任何人,我如何找到可以承担OperationAdmins角色的所有用户或组的列表?
只是给您一个例子,您可以根据自己的需要自定义它。您可以使用IAM策略模拟器API来实现这一点。
import boto3
iamc = boto3.client('iam')
iamr = boto3.resource('iam')
iam_paginator = iamc.get_paginator('list_users')
iam_page_iterator = iam_paginator.paginate()
operation_admins_iam_role = iamr.Role('OperationAdmins')
operation_admins_iam_role_arn = operation_admins_iam_role.arn
for page in iam_page_iterator:
users = page['Users']
for user in users:
user_arn = user['Arn']
resp = iamc.simulate_principal_policy(
PolicySourceArn=user_arn,
ActionNames=['sts:AssumeRole'],
ResourceArns=[operation_admins_iam_role_arn]
)
decision = resp['EvaluationResults'][0]['EvalDecision']
print(user_arn, decision)
信任有两个方面。
- 请求承担 的身份
- 允许假定 的身份
(Asker)用户/组可以拥有权限。重要的是sts:AssumeRole。
(允许)在您的例子中,OperationAdmins角色。他们将建立一种信任关系,这种关系定义了谁可以承担自己的责任。
阅读更多:https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
此信任关系允许任何人在帐户111122223333中,并具有sts:AssumeRole权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
此信任关系允许用户LiJuan如果他有sts:AssumeRole权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/LiJuan"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}