使用 Boto 创建 IAM 策略时出现 MalformedPolicyDocumentException
Posted
技术标签:
【中文标题】使用 Boto 创建 IAM 策略时出现 MalformedPolicyDocumentException【英文标题】:MalformedPolicyDocumentException while creating IAM policy using Boto 【发布时间】:2021-05-13 01:11:54 【问题描述】:我正在编写一个使用 python 函数创建 IAM 策略的 boto 脚本。该策略已使用“json.dumps()”转换为 JSON 格式,但 AWS 仍不会将其视为有效格式。 功能是:
##### Global variables ####
region="us-east-2"
instance_type="t2.micro"
ebs_volume_size="20"
meta_template_name="ec2_policy_meta_template"
###############################
start_time_1 = input("What's the start time")
end_time1 = input("What's the end time")
def create_aws_iam_policy_template(**kwargs):
template_data =
template_data["region"] = kwargs.get('region')
template_data["start_time"] = kwargs.get('end_time')
template_data["end_time"] = kwargs.get('start_time')
template_data["instance_type"] = kwargs.get('instance_type')
template_data["ebs_volume_size"] = kwargs.get('ebs_volume_size')
template_data["meta_template_name"] = kwargs.get('meta_template_name')
meta_template_dict = getattr(meta_templates, template_data["meta_template_name"])
meta_template_json = json.dumps(meta_template_dict)
template_json = Template(meta_template_json).render(template_data)
return template_json
template_json = create_aws_iam_policy_template(
region=region,
instance_type=instance_type,
ebs_volume_size=ebs_volume_size,
meta_template_name=meta_template_name,
start_time = start_time_1,
end_time = end_time1
)
这是我用来将 dict 转换为 JSON 的方法:
app_json = json.dumps(template_json)
print(app_json)
这是 IAM 政策的输出:
""Version": "2012-10-17", "Statement": ["Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:RunInstances", "资源": ["arn:aws:ec2:us-east-2::instance/", "arn:aws:ec2:us-east-2::network-interface/", " arn:aws:ec2:us-east-2::key-pair/", "arn:aws:ec2:us-east-2::security-group/", "arn:aws :ec2:us-east-2::subnet/", "arn:aws:ec2:us-east-2::volume/", "arn:aws:ec2:us-east- 2::image/ami-"], "条件": "ForAllValues:NumericLessThanEquals": "ec2:VolumeSize": "20", "ForAllValues:StringEquals": "ec2:InstanceType": " t2.micro", "Sid": "VisualEditor1", "Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:StartInstances", "ec2:StopInstances"], "资源”:“arn:aws:ec2:us-east-2::instance/”,“条件”:“ForAllValues:StringEquals”:“ec2:InstanceType”:“t2.micro” 、“Sid”:“VisualEditor2”、“效果”:“允许”、“操作”:[“ec2:Describe*”、“ec2:GetConsole*”、“cloudwatch:DescribeAlarms”、“iam:ListInstanceProfiles”、 “云观察:GetMetricStat istics”、“ec2:DescribeKeyPairs”、“ec2:CreateKeyPair”]、“资源”:“*”、“条件”:“DateGreaterThan”:“aws:CurrentTime”:“2020-06-30T23:59:59Z ", "DateLessThanEquals": "aws:CurrentTime": "2020-04-01T00:00:00Z"]" 这是我在尝试创建 IAM 策略时遇到的错误:
botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Syntax errors in policy.
【问题讨论】:
能否提供更完整的示例代码?您在哪里以及如何生成template_json
并调用CreatePolicy
?
我已对问题进行了更改。请检查一下。
【参考方案1】:
尽管我能够通过控制台创建该策略,但总体上的警告太多了。
例如,aws:CurrentTime 应该如下所示:
"DateGreaterThan": "aws:CurrentTime": "2020-04-01T00:00:00Z",
"DateLessThan": "aws:CurrentTime": "2020-06-30T23:59:59Z"
ec2:InstanceType
条件没有指定相应的条件值。
"Version": "2012-10-17",
"Statement": [
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-2::instance/",
"arn:aws:ec2:us-east-2::network-interface/",
"arn:aws:ec2:us-east-2::key-pair/",
"arn:aws:ec2:us-east-2::security-group/",
"arn:aws:ec2:us-east-2::subnet/",
"arn:aws:ec2:us-east-2::volume/",
"arn:aws:ec2:us-east-2::image/ami-"
],
"Condition":
"ForAllValues:NumericLessThanEquals":
"ec2:VolumeSize": "20"
,
"ForAllValues:StringEquals":
"ec2:InstanceType": ""
,
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:us-east-2::instance/",
"Condition":
"ForAllValues:StringEquals":
"ec2:InstanceType": ""
,
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetConsole*",
"cloudwatch:DescribeAlarms",
"iam:ListInstanceProfiles",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeKeyPairs",
"ec2:CreateKeyPair"
],
"Resource": "*",
"Condition":
"DateGreaterThan":
"aws:CurrentTime": "30"
,
"DateLessThanEquals":
"aws:CurrentTime": "20"
]
【讨论】:
感谢您的回复,我已经更新了两个问题,但我得到了同样的错误,我重新检查了不知道现在可能是什么问题。 @PranaySinghParihar 我建议在IAM Policy Simulator 中进行策略测试。一旦确定这是您需要的策略,您就可以通过代码轻松生成它。 是的,我认为属性很好,但是输出中有这些不符合 IAM 策略格式的反斜杠“\”,但我不知道如何摆脱它。 @PranaySinghParihar 您在帖子中分享的政策是有效的,只是您提出的条件有问题。正如我在回答中所证实的那样。我能够通过console
创建策略
在模拟器中我似乎遇到了一个parcing错误。以上是关于使用 Boto 创建 IAM 策略时出现 MalformedPolicyDocumentException的主要内容,如果未能解决你的问题,请参考以下文章