Trying to create IAM Policy, Role and Users using Python (Boto3)

Question

I'm trying to create a script using Boto3 that basically should create a Role with policy attached.

Create policy syntax as per (http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.create_policy ) is:

response = client.create_policy(
    PolicyName='string',
    Path='string',
    PolicyDocument='string',
    Description='string'
)

---

I can create a Policy separately(to validate policy document), but can't create a Role with out "AssumeRolePolicyDocument" and I'm not able to figure out how I can pass this policy document into "AssumeRolePolicyDocument"

So far I've managed to create the following script:

---

import json

import boto3

# Connect to IAM with boto
#iam = boto3.connect_iam($key, $secret)


# Create IAM client
iam = boto3.client('iam')

#createRole
S3ANDEC2 = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Ec2FullAccess",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

response = iam.create_role(
    Path='/',
    RoleName='Boto-R1',
    AssumeRolePolicyDocument=json.dumps(S3ANDEC2),
    Description='S3 Read and EC2Full permissions policy'
)

print(response)

---

When I run the above it returns the following error:

C:\Projects\AWS>python user.py Traceback (most recent call last): File "Role.py", line 116, in Description='S3 Read and EC2Full permissions policy' File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 310, in _api_call return self._make_api_call(operation_name, kwargs) File "C:\Users\Rambo.one\AppData\Roaming\Python\Python34\site-packages\botocore\client.py", line 599, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource

I made sure to validate my policy document.. not sure why it says "An error occurred (MalformedPolicyDocument) "

Any help is appreciated.

Answer 1

You can't attach policy to a role by using AssumeRolePolicyDocument, it is used to attach a trust policy to the role.

This is how you create a role, attach trust policy to it, create a policy and then attach policy to the role.

session = boto3.session.Session(profile_name='my_profile')
iam = session.client('iam')

path='/'
role_name='ec2-test-role'
description='BOTO3 ec2 test role'

trust_policy={
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

response = iam.create_role(
    Path=path,
    RoleName=role_name,
    AssumeRolePolicyDocument=json.dumps(trust_policy),
    Description=description,
    MaxSessionDuration=3600
)

managed_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Ec2FullAccess",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

response = iam.create_policy(
  PolicyName='BOTO3-Test-ec2-policy',
  PolicyDocument=json.dumps(managed_policy)
)

iam.attach_role_policy(
    PolicyArn='arn:aws:iam::${account_id}:policy/BOTO3-Test-ec2-policy',
    RoleName='ec2-test-role'
)