Shows how to use the AWS SDK for Python (Boto3) to work with AWS Identity and Access Management (IAM).
IAM is a web service for securely controlling access to AWS services. With IAM, you can centrally manage permissions in your AWS account.
- Running this code might result in charges to your AWS account. For more details, see AWS Pricing and Free Tier.
- Running the tests might result in charges to your AWS account.
- We recommend that you grant your code least privilege. At most, grant only the minimum permissions required to perform the task. For more information, see Grant least privilege.
- This code is not tested in every AWS Region. For more information, see AWS Regional Services.
For prerequisites, see the README in the python folder.
Install the packages required by these examples by running the following in a virtual environment:
python -m pip install -r requirements.txt
Code excerpts that show you how to call individual service functions.
- Attach a policy to a role (
AttachRolePolicy) - Attach a policy to a user (
AttachUserPolicy) - Create a policy (
CreatePolicy) - Create a policy version (
CreatePolicyVersion) - Create a role (
CreateRole) - Create a service-linked role (
CreateServiceLinkedRole) - Create a user (
CreateUser) - Create an access key (
CreateAccessKey) - Create an alias for an account (
CreateAccountAlias) - Create an instance profile (
CreateInstanceProfile) - Delete a policy (
DeletePolicy) - Delete a role (
DeleteRole) - Delete a user (
DeleteUser) - Delete an access key (
DeleteAccessKey) - Delete an account alias (
DeleteAccountAlias) - Delete an instance profile (
DeleteInstanceProfile) - Detach a policy from a role (
DetachRolePolicy) - Detach a policy from a user (
DetachUserPolicy) - Generate a credential report (
GenerateCredentialReport) - Get a credential report (
GetCredentialReport) - Get a detailed authorization report for your account (
GetAccountAuthorizationDetails) - Get a policy (
GetPolicy) - Get a policy version (
GetPolicyVersion) - Get a role (
GetRole) - Get a summary of account usage (
GetAccountSummary) - Get data about the last use of an access key (
GetAccessKeyLastUsed) - Get the account password policy (
GetAccountPasswordPolicy) - List SAML providers (
ListSAMLProviders) - List a user's access keys (
ListAccessKeys) - List account aliases (
ListAccountAliases) - List groups (
ListGroups) - List inline policies for a role (
ListRolePolicies) - List policies (
ListPolicies) - List policies attached to a role (
ListAttachedRolePolicies) - List roles (
ListRoles) - List users (
ListUsers) - Update a user (
UpdateUser) - Update an access key (
UpdateAccessKey)
Code examples that show you how to accomplish a specific task by calling multiple functions within the same service.
- Build and manage a resilient service
- Create a user and assume a role
- Create read-only and read-write users
- Manage access keys
- Manage policies
- Manage roles
- Manage your account
- Roll back a policy version
This example shows you how to create a load-balanced web service that returns book, movie, and song recommendations. The example shows how the service responds to failures, and how to restructure the service for more resilience when failures occur.
- Use an Amazon EC2 Auto Scaling group to create Amazon Elastic Compute Cloud (Amazon EC2) instances based on a launch template and to keep the number of instances in a specified range.
- Handle and distribute HTTP requests with Elastic Load Balancing.
- Monitor the health of instances in an Auto Scaling group and forward requests only to healthy instances.
- Run a Python web server on each EC2 instance to handle HTTP requests. The web server responds with recommendations and health checks.
- Simulate a recommendation service with an Amazon DynamoDB table.
- Control web server response to requests and health checks by updating AWS Systems Manager parameters.
Start the example by running the following at a command prompt:
python ../../cross_service/resilient_service/runner.py
Complete details and instructions on how to run this example can be found in the README for the example.
This example shows you how to create a user and assume a role.
- Create a user with no permissions.
- Create a role that grants permission to list Amazon S3 buckets for the account.
- Add a policy to let the user assume the role.
- Assume the role and list S3 buckets using temporary credentials, then clean up resources.
Start the example by running the following at a command prompt:
python scenario_create_user_assume_role.py
This example shows you how to create users and attach policies to them.
- Create two IAM users.
- Attach a policy for one user to get and put objects in an Amazon S3 bucket.
- Attach a policy for the second user to get objects from the bucket.
- Get different permissions to the bucket based on user credentials.
Start the example by running the following at a command prompt:
python user_wrapper.py
This example shows you how to manage access keys.
- Create and list access keys.
- Find out when and how an access key was last used.
- Update and delete access keys.
Start the example by running the following at a command prompt:
python access_key_wrapper.py
This example shows you how to do the following:
- Create and list policies.
- Create and get policy versions.
- Roll back a policy to a previous version.
- Delete policies.
Start the example by running the following at a command prompt:
python policy_wrapper.py
This example shows you how to do the following:
- Create an IAM role.
- Attach and detach policies for a role.
- Delete a role.
Start the example by running the following at a command prompt:
python role_wrapper.py
This example shows you how to do the following:
- Get and update the account alias.
- Generate a report of users and credentials.
- Get a summary of account usage.
- Get details for all users, groups, roles, and policies in your account, including their relationships to each other.
Start the example by running the following at a command prompt:
python account_wrapper.py
This example shows you how to do the following:
- Get the list of policy versions in order by date.
- Find the default policy version.
- Make the previous policy version the default.
- Delete the old default version.
Start the example by running the following at a command prompt:
python policy_wrapper.py
⚠ Running tests might result in charges to your AWS account.
To find instructions for running these tests, see the README
in the python folder.
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0