使用 Amazon 开发工具包创建只读和读写 IAM 用户 - Amazon Identity and Access Management
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

使用 Amazon 开发工具包创建只读和读写 IAM 用户

以下代码示例显示了如何:

  • 创建两个 IAM 用户。

  • 附加一项策略,该策略允许其中一个用户获取对象并将其放入 Amazon Simple Storage Service (Amazon S3) 存储桶。

  • 附加一项策略,该策略允许另一个用户从该存储桶获取对象。

  • 根据用户凭证获取对该存储桶的不同权限。

Python
适用于 Python (Boto3) 的 SDK
注意

在 GitHub 上查看更多内容。查找完整示例,学习如何在 Amazon 代码示例存储库中进行设置和运行。

创建包装 IAM 用户操作的函数。

import logging import time import boto3 from botocore.exceptions import ClientError import access_key_wrapper import policy_wrapper logger = logging.getLogger(__name__) iam = boto3.resource('iam') def create_user(user_name): """ Creates a user. By default, a user has no permissions or access keys. :param user_name: The name of the user. :return: The newly created user. """ try: user = iam.create_user(UserName=user_name) logger.info("Created user %s.", user.name) except ClientError: logger.exception("Couldn't create user %s.", user_name) raise else: return user def update_user(user_name, new_user_name): """ Updates a user's name. :param user_name: The current name of the user to update. :param new_user_name: The new name to assign to the user. :return: The updated user. """ try: user = iam.User(user_name) user.update(NewUserName=new_user_name) logger.info("Renamed %s to %s.", user_name, new_user_name) except ClientError: logger.exception("Couldn't update name for user %s.", user_name) raise return user def list_users(): """ Lists the users in the current account. :return: The list of users. """ try: users = list(iam.users.all()) logger.info("Got %s users.", len(users)) except ClientError: logger.exception("Couldn't get users.") raise else: return users def delete_user(user_name): """ Deletes a user. Before a user can be deleted, all associated resources, such as access keys and policies, must be deleted or detached. :param user_name: The name of the user. """ try: iam.User(user_name).delete() logger.info("Deleted user %s.", user_name) except ClientError: logger.exception("Couldn't delete user %s.", user_name) raise def attach_policy(user_name, policy_arn): """ Attaches a policy to a user. :param user_name: The name of the user. :param policy_arn: The Amazon Resource Name (ARN) of the policy. """ try: iam.User(user_name).attach_policy(PolicyArn=policy_arn) logger.info("Attached policy %s to user %s.", policy_arn, user_name) except ClientError: logger.exception("Couldn't attach policy %s to user %s.", policy_arn, user_name) raise def detach_policy(user_name, policy_arn): """ Detaches a policy from a user. :param user_name: The name of the user. :param policy_arn: The Amazon Resource Name (ARN) of the policy. """ try: iam.User(user_name).detach_policy(PolicyArn=policy_arn) logger.info("Detached policy %s from user %s.", policy_arn, user_name) except ClientError: logger.exception( "Couldn't detach policy %s from user %s.", policy_arn, user_name) raise

创建包装 IAM policy 操作的函数。

import json import logging import operator import pprint import time import boto3 from botocore.exceptions import ClientError logger = logging.getLogger(__name__) iam = boto3.resource('iam') def create_policy(name, description, actions, resource_arn): """ Creates a policy that contains a single statement. :param name: The name of the policy to create. :param description: The description of the policy. :param actions: The actions allowed by the policy. These typically take the form of service:action, such as s3:PutObject. :param resource_arn: The Amazon Resource Name (ARN) of the resource this policy applies to. This ARN can contain wildcards, such as 'arn:aws:s3:::my-bucket/*' to allow actions on all objects in the bucket named 'my-bucket'. :return: The newly created policy. """ policy_doc = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": actions, "Resource": resource_arn } ] } try: policy = iam.create_policy( PolicyName=name, Description=description, PolicyDocument=json.dumps(policy_doc)) logger.info("Created policy %s.", policy.arn) except ClientError: logger.exception("Couldn't create policy %s.", name) raise else: return policy def delete_policy(policy_arn): """ Deletes a policy. :param policy_arn: The ARN of the policy to delete. """ try: iam.Policy(policy_arn).delete() logger.info("Deleted policy %s.", policy_arn) except ClientError: logger.exception("Couldn't delete policy %s.", policy_arn) raise

创建包装 IAM 访问密钥操作的函数。

import logging import boto3 from botocore.exceptions import ClientError logger = logging.getLogger(__name__) iam = boto3.resource('iam') def create_key(user_name): """ Creates an access key for the specified user. Each user can have a maximum of two keys. :param user_name: The name of the user. :return: The created access key. """ try: key_pair = iam.User(user_name).create_access_key_pair() logger.info( "Created access key pair for %s. Key ID is %s.", key_pair.user_name, key_pair.id) except ClientError: logger.exception("Couldn't create access key pair for %s.", user_name) raise else: return key_pair def delete_key(user_name, key_id): """ Deletes a user's access key. :param user_name: The user that owns the key. :param key_id: The ID of the key to delete. """ try: key = iam.AccessKey(user_name, key_id) key.delete() logger.info( "Deleted access key %s for %s.", key.id, key.user_name) except ClientError: logger.exception("Couldn't delete key %s for %s", key_id, user_name) raise

使用包装器函数创建具有不同策略的用户,然后使用其凭证访问 Amazon S3 存储桶。

def usage_demo(): """ Shows how to manage users, keys, and policies. This demonstration creates two users: one user who can put and get objects in an Amazon S3 bucket, and another user who can only get objects from the bucket. The demo then shows how the users can perform only the actions they are permitted to perform. """ logging.basicConfig(level=logging.INFO, format='%(levelname)s: %(message)s') print('-'*88) print("Welcome to the AWS Identity and Account Management user demo.") print('-'*88) print("Users can have policies and roles attached to grant them specific " "permissions.") s3 = boto3.resource('s3') bucket = s3.create_bucket( Bucket=f'demo-iam-bucket-{time.time_ns()}', CreateBucketConfiguration={ 'LocationConstraint': s3.meta.client.meta.region_name } ) print(f"Created an Amazon S3 bucket named {bucket.name}.") user_read_writer = create_user('demo-iam-read-writer') user_reader = create_user('demo-iam-reader') print(f"Created two IAM users: {user_read_writer.name} and {user_reader.name}") update_user(user_read_writer.name, 'demo-iam-creator') update_user(user_reader.name, 'demo-iam-getter') users = list_users() user_read_writer = next(user for user in users if user.user_id == user_read_writer.user_id) user_reader = next(user for user in users if user.user_id == user_reader.user_id) print(f"Changed the names of the users to {user_read_writer.name} " f"and {user_reader.name}.") read_write_policy = policy_wrapper.create_policy( 'demo-iam-read-write-policy', 'Grants rights to create and get an object in the demo bucket.', ['s3:PutObject', 's3:GetObject'], f'arn:aws:s3:::{bucket.name}/*') print(f"Created policy {read_write_policy.policy_name} with ARN: {read_write_policy.arn}") print(read_write_policy.description) read_policy = policy_wrapper.create_policy( 'demo-iam-read-policy', 'Grants rights to get an object from the demo bucket.', 's3:GetObject', f'arn:aws:s3:::{bucket.name}/*') print(f"Created policy {read_policy.policy_name} with ARN: {read_policy.arn}") print(read_policy.description) attach_policy(user_read_writer.name, read_write_policy.arn) print(f"Attached {read_write_policy.policy_name} to {user_read_writer.name}.") attach_policy(user_reader.name, read_policy.arn) print(f"Attached {read_policy.policy_name} to {user_reader.name}.") user_read_writer_key = access_key_wrapper.create_key(user_read_writer.name) print(f"Created access key pair for {user_read_writer.name}.") user_reader_key = access_key_wrapper.create_key(user_reader.name) print(f"Created access key pair for {user_reader.name}.") s3_read_writer_resource = boto3.resource( 's3', aws_access_key_id=user_read_writer_key.id, aws_secret_access_key=user_read_writer_key.secret) demo_object_key = f'object-{time.time_ns()}' demo_object = None while demo_object is None: try: demo_object = s3_read_writer_resource.Bucket(bucket.name).put_object( Key=demo_object_key, Body=b'AWS IAM demo object content!') except ClientError as error: if error.response['Error']['Code'] == 'InvalidAccessKeyId': print("Access key not yet available. Waiting...") time.sleep(1) else: raise print(f"Put {demo_object_key} into {bucket.name} using " f"{user_read_writer.name}'s credentials.") read_writer_object = s3_read_writer_resource.Bucket( bucket.name).Object(demo_object_key) read_writer_content = read_writer_object.get()['Body'].read() print(f"Got object {read_writer_object.key} using read-writer user's credentials.") print(f"Object content: {read_writer_content}") s3_reader_resource = boto3.resource( 's3', aws_access_key_id=user_reader_key.id, aws_secret_access_key=user_reader_key.secret) demo_content = None while demo_content is None: try: demo_object = s3_reader_resource.Bucket(bucket.name).Object(demo_object_key) demo_content = demo_object.get()['Body'].read() print(f"Got object {demo_object.key} using reader user's credentials.") print(f"Object content: {demo_content}") except ClientError as error: if error.response['Error']['Code'] == 'InvalidAccessKeyId': print("Access key not yet available. Waiting...") time.sleep(1) else: raise try: demo_object.delete() except ClientError as error: if error.response['Error']['Code'] == 'AccessDenied': print('-'*88) print("Tried to delete the object using the reader user's credentials. " "Got expected AccessDenied error because the reader is not " "allowed to delete objects.") print('-'*88) access_key_wrapper.delete_key(user_reader.name, user_reader_key.id) detach_policy(user_reader.name, read_policy.arn) policy_wrapper.delete_policy(read_policy.arn) delete_user(user_reader.name) print(f"Deleted keys, detached and deleted policy, and deleted {user_reader.name}.") access_key_wrapper.delete_key(user_read_writer.name, user_read_writer_key.id) detach_policy(user_read_writer.name, read_write_policy.arn) policy_wrapper.delete_policy(read_write_policy.arn) delete_user(user_read_writer.name) print(f"Deleted keys, detached and deleted policy, and deleted {user_read_writer.name}.") bucket.objects.delete() bucket.delete() print(f"Emptied and deleted {bucket.name}.") print("Thanks for watching!")

有关 Amazon 软件开发工具包开发人员指南和代码示例的完整列表,请参阅 将 IAM 与 Amazon 开发工具包配合使用。本主题还包括有关入门的信息以及有关先前的软件开发工具包版本的详细信息。