Working with IAM policies

This Python example shows you how to create and get IAM policies and attach and detach IAM policies from roles.

The scenario

You grant permissions to a user by creating a policy, which is a document that lists the actions that a user can perform and the resources those actions can affect. Any actions or resources that are not explicitly allowed are denied by default. Policies can be created and attached to users, groups of users, roles assumed by users, and resources.

In this example, Python code used to manage policies in IAM. The code uses the Amazon Web Services (AWS) SDK for Python to create and delete policies as well as attaching and detaching role policies using these methods of the IAM client class:

All the example code for the Amazon Web Services (AWS) SDK for Python is available here on GitHub.

For more information about IAM policies, see Overview of Access Management: Permissions and Policies in the IAM User Guide.

Prerequisite tasks

To set up and run this example, you must first configure your AWS credentials, as described in Quickstart.

Create an IAM policy

Create a new managed policy for your AWS account.

This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version. For more information about policy versions, see Versioning for Managed Policies in the IAM User Guide.

The example below shows how to:

All the example code for the Amazon Web Services (AWS) SDK for Python is available here on GitHub.

Example

import json

import boto3

# Create IAM client
iam = boto3.client('iam')

# Create a policy
my_managed_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "RESOURCE_ARN"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": "RESOURCE_ARN"
        }
    ]
}
response = iam.create_policy(
  PolicyName='myDynamoDBPolicy',
  PolicyDocument=json.dumps(my_managed_policy)
)
print(response)

Get an IAM policy

Get information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached. To get the list of the specific users, groups, and roles that the policy is attached to, use the list_entities_for_policy API. This API returns metadata about the policy. To get the actual policy document for a specific version of the policy, use get_policy_version API.

This API gets information about managed policies. To get information about an inline policy that is embedded with an IAM user, group, or role, use the get_user_policy, get_group_policy, or get_role_policy API.

The example below shows how to:

  • Get information about a managed policy using get_policy.

Example

import boto3


# Create IAM client
iam = boto3.client('iam')

# Get a policy
response = iam.get_policy(
    PolicyArn='arn:aws:iam::aws:policy/AWSLambdaExecute'
)
print(response['Policy'])

Attach a managed role policy

When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy. You cannot use a managed policy as the role's trust policy. The role's trust policy is created at the same time as the role, using create_role. You can update a role's trust policy using update_assume_role_policy.

Use this API to attach a managed policy to a role. To embed an inline policy in a role, use put_role_policy.

The example below shows how to:

Example

import boto3

# Create IAM client
iam = boto3.client('iam')

# Attach a role policy
iam.attach_role_policy(
    PolicyArn='arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess',
    RoleName='AmazonDynamoDBFullAccess'
)

Detach a managed role policy

Detach the specified managed policy from the specified role.

A role can also have inline policies embedded with it. To delete an inline policy, use the delete_role_policy API. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

The example below shows how to:

Example

import boto3

# Create IAM client
iam = boto3.client('iam')

# Detach a role policy
iam.detach_role_policy(
    PolicyArn='arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess',
    RoleName='AmazonDynamoDBFullAccess'
)