forked from aws/aws-cli
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request aws#4551 from bisdavid/iam-10-01
New CLI Examples for IAM
- Loading branch information
Showing
11 changed files
with
238 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| **To delete a permissions boundary from an IAM role** | ||
|
|
||
| The following ``delete-role-permissions-boundary`` example deletes the permissions boundary for the specified IAM role. To apply a permissions boundary to a role, use the ``put-role-permissions-boundary`` command. :: | ||
|
|
||
| aws iam delete-role-permissions-boundary \ | ||
| --role-name lambda-application-role | ||
|
|
||
| This command produces no output. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| **To delete a permissions boundary from an IAM user** | ||
|
|
||
| The following ``delete-user-permissions-boundary`` example deletes the permissions boundary attached to the IAM user named ``intern``. To apply a permissions boundary to a user, use the ``put-user-permissions-boundary`` command. :: | ||
|
|
||
| aws iam delete-user-permissions-boundary \ | ||
| --user-name intern | ||
|
|
||
| This command produces no output. |
40 changes: 40 additions & 0 deletions
40
awscli/examples/iam/generate-organizations-access-report.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| **Example 1: To generate an access report for a root in an organization** | ||
|
|
||
| The following ``generate-organizations-access-report`` example starts a background job to create an access report for the specified root in an organization. You can display the report after it's created by running the ``get-organizations-access-report`` command. :: | ||
|
|
||
| aws iam generate-organizations-access-report \ | ||
| --entity-path o-4fxmplt198/r-c3xb | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobId": "a8b6c06f-aaa4-8xmp-28bc-81da71836359" | ||
| } | ||
|
|
||
| **Example 2: To generate an access report for an account in an organization** | ||
|
|
||
| The following ``generate-organizations-access-report`` example starts a background job to create an access report for account ID ``123456789012`` in the organization ``o-4fxmplt198``. You can display the report after it's created by running the ``get-organizations-access-report`` command. :: | ||
|
|
||
| aws iam generate-organizations-access-report \ | ||
| --entity-path o-4fxmplt198/r-c3xb/123456789012 | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobId": "14b6c071-75f6-2xmp-fb77-faf6fb4201d2" | ||
| } | ||
|
|
||
| **Example 3: To generate an access report for an account in an organizational unit in an organization** | ||
|
|
||
| The following ``generate-organizations-access-report`` example starts a background job to create an access report for account ID ``234567890123`` in organizational unit ``ou-c3xb-lmu7j2yg`` in the organization ``o-4fxmplt198``. You can display the report after it's created by running the ``get-organizations-access-report`` command.:: | ||
|
|
||
| aws iam generate-organizations-access-report \ | ||
| --entity-path o-4fxmplt198/r-c3xb/ou-c3xb-lmu7j2yg/234567890123 | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobId": "2eb6c2e6-0xmp-ec04-1425-c937916a64af" | ||
| } | ||
|
|
||
| To get details about roots and organizational units in your organization, use the ``organizations list-roots`` and ``organizations list-organizational-units-for-parent`` commands. |
23 changes: 23 additions & 0 deletions
23
awscli/examples/iam/generate-service-last-accessed-details.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| **To generate a service access report** | ||
|
|
||
| The following ``generate-service-last-accessed-details`` example starts a background job to generate a report that lists the services accessed by IAM users and other entities with a custom policy named ``intern-boundary``. You can display the report after it is created by running the ``get-service-last-accessed-details`` command. :: | ||
|
|
||
| aws iam generate-service-last-accessed-details \ | ||
| --arn arn:aws:iam::123456789012:policy/intern-boundary | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobId": "2eb6c2b8-7b4c-3xmp-3c13-03b72c8cdfdc" | ||
| } | ||
|
|
||
| The following ``generate-service-last-accessed-details`` example starts a background job to generate a report that lists the services accessed by IAM users and other entities with the AWS managed ``AdministratorAccess`` policy. You can display the report after it is created by running the ``get-service-last-accessed-details`` command.:: | ||
|
|
||
| aws iam generate-service-last-accessed-details \ | ||
| --arn arn:aws:iam::aws:policy/AdministratorAccess | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobId": "78b6c2ba-d09e-6xmp-7039-ecde30b26916" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| **To retrieve an access report** | ||
|
|
||
| The following ``get-organizations-access-report`` example displays a previously generated access report for an AWS Organizations entity. To generate a report, use the ``generate-organizations-access-report`` command. :: | ||
|
|
||
| aws iam get-organizations-access-report \ | ||
| --job-id a8b6c06f-aaa4-8xmp-28bc-81da71836359 | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobStatus": "COMPLETED", | ||
| "JobCreationDate": "2019-09-30T06:53:36.187Z", | ||
| "JobCompletionDate": "2019-09-30T06:53:37.547Z", | ||
| "NumberOfServicesAccessible": 188, | ||
| "NumberOfServicesNotAccessed": 171, | ||
| "AccessDetails": [ | ||
| { | ||
| "ServiceName": "Alexa for Business", | ||
| "ServiceNamespace": "a4b", | ||
| "TotalAuthenticatedEntities": 0 | ||
| }, | ||
| ... | ||
| } |
37 changes: 37 additions & 0 deletions
37
awscli/examples/iam/get-service-last-accessed-details-with-entities.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| **To retrieve a service access report with details for a service** | ||
|
|
||
| The following ``get-service-last-accessed-details-with-entities`` example retrieves a report that contains details about IAM users and other entities that accessed the specified service. To generate a report, use the ``generate-service-last-accessed-details`` command. To get a list of services accessed with namespaces, use ``get-service-last-accessed-details``. :: | ||
|
|
||
| aws iam get-service-last-accessed-details-with-entities \ | ||
| --job-id 78b6c2ba-d09e-6xmp-7039-ecde30b26916 \ | ||
| --service-namespace lambda | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobStatus": "COMPLETED", | ||
| "JobCreationDate": "2019-10-01T03:55:41.756Z", | ||
| "JobCompletionDate": "2019-10-01T03:55:42.533Z", | ||
| "EntityDetailsList": [ | ||
| { | ||
| "EntityInfo": { | ||
| "Arn": "arn:aws:iam::123456789012:user/admin", | ||
| "Name": "admin", | ||
| "Type": "USER", | ||
| "Id": "AIDAIO2XMPLENQEXAMPLE", | ||
| "Path": "/" | ||
| }, | ||
| "LastAuthenticated": "2019-09-30T23:02:00Z" | ||
| }, | ||
| { | ||
| "EntityInfo": { | ||
| "Arn": "arn:aws:iam::123456789012:user/developer", | ||
| "Name": "developer", | ||
| "Type": "USER", | ||
| "Id": "AIDAIBEYXMPL2YEXAMPLE", | ||
| "Path": "/" | ||
| }, | ||
| "LastAuthenticated": "2019-09-16T19:34:00Z" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| **To retrieve a service access report** | ||
|
|
||
| The following ``get-service-last-accessed-details`` example retrieves a previously generated report that lists the services accessed by IAM entities. To generate a report, use the ``generate-service-last-accessed-details`` command. :: | ||
|
|
||
| aws iam get-service-last-accessed-details \ | ||
| --job-id 2eb6c2b8-7b4c-3xmp-3c13-03b72c8cdfdc | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "JobStatus": "COMPLETED", | ||
| "JobCreationDate": "2019-10-01T03:50:35.929Z", | ||
| "ServicesLastAccessed": [ | ||
| ... | ||
| { | ||
| "ServiceName": "AWS Lambda", | ||
| "LastAuthenticated": "2019-09-30T23:02:00Z", | ||
| "ServiceNamespace": "lambda", | ||
| "LastAuthenticatedEntity": "arn:aws:iam::123456789012:user/admin", | ||
| "TotalAuthenticatedEntities": 6 | ||
| }, | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| **To retrieve a list of credentials** | ||
|
|
||
| The following ``list-service-specific-credentials`` example lists the credentials generated for HTTPS access to AWS CodeCommit repositories for a user named ``developer``. :: | ||
|
|
||
| aws iam list-service-specific-credentials \ | ||
| --user-name developer \ | ||
| --service-name codecommit.amazonaws.com | ||
|
|
||
| Output:: | ||
|
|
||
| { | ||
| "ServiceSpecificCredentials": [ | ||
| { | ||
| "UserName": "developer", | ||
| "Status": "Inactive", | ||
| "ServiceUserName": "developer-at-123456789012", | ||
| "CreateDate": "2019-10-01T04:31:41Z", | ||
| "ServiceSpecificCredentialId": "ACCAQFODXMPL4YFHP7DZE", | ||
| "ServiceName": "codecommit.amazonaws.com" | ||
| }, | ||
| { | ||
| "UserName": "developer", | ||
| "Status": "Active", | ||
| "ServiceUserName": "developer+1-at-123456789012", | ||
| "CreateDate": "2019-10-01T04:31:45Z", | ||
| "ServiceSpecificCredentialId": "ACCAQFOXMPL6VW57M7AJP", | ||
| "ServiceName": "codecommit.amazonaws.com" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| **To apply a permissions boundary based on a custom policy to an IAM role** | ||
|
|
||
| The following ``put-role-permissions-boundary`` example applies the custom policy named ``intern-boundary`` as the permissions boundary for the specified IAM role. :: | ||
|
|
||
| aws iam put-role-permissions-boundary \ | ||
| --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary \ | ||
| --role-name lambda-application-role | ||
|
|
||
| This command produces no output. | ||
|
|
||
| **To apply a permissions boundary based on an AWS managed policy to an IAM role** | ||
|
|
||
| The following ``put-role-permissions-boundary`` example applies the AWS managed ``PowerUserAccess`` policy as the permissions boundary for the specified IAM role . :: | ||
|
|
||
| aws iam put-role-permissions-boundary \ | ||
| --permissions-boundary arn:aws:iam::aws:policy/PowerUserAccess \ | ||
| --role-name x-account-admin | ||
|
|
||
| This command produces no output. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| **To apply a permissions boundary based on a custom policy to an IAM user** | ||
|
|
||
| The following ``put-user-permissions-boundary`` example applies a custom policy named ``intern-boundary`` as the permissions boundary for the specified IAM user. :: | ||
|
|
||
| aws iam put-user-permissions-boundary \ | ||
| --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary \ | ||
| --user-name intern | ||
|
|
||
| This command produces no output. | ||
|
|
||
| **To apply a permissions boundary based on an AWS managed policy to an IAM user** | ||
|
|
||
| The following ``put-user-permissions-boundary`` example applies the AWS managed pollicy named ``PowerUserAccess`` as the permissions boundary for the specified IAM user. :: | ||
|
|
||
| aws iam put-user-permissions-boundary \ | ||
| --permissions-boundary arn:aws:iam::aws:policy/PowerUserAccess \ | ||
| --user-name developer | ||
|
|
||
| This command produces no output. |
8 changes: 8 additions & 0 deletions
8
awscli/examples/iam/set-security-token-service-preferences.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| **To set the global endpoint token version** | ||
|
|
||
| The following ``set-security-token-service-preferences`` example configures Amazon STS to use version 2 tokens when you authenticate against the global endpoint. :: | ||
|
|
||
| aws iam set-security-token-service-preferences \ | ||
| --global-endpoint-token-version v2Token | ||
|
|
||
| This command produces no output. |