在我的 IAM 政策信任关系中显示如下
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::279121212121212:user/ai-s-p57s13"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "xxxxxxxxxxx=2_0vy+PyUFdt728JrFjqeCOau62zU="
}
}
}
]
}
现在我想改变信任关系 aws :: sts:ExternalId
使用 python
将 id 设置为如下所示的新值:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::333333333333:user/ai-s-p57s13"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "yyyyyyyyyy=2_0vy+PyUFdt728JrFjqeCOau62zU="
}
}
}
]
}
使用 python
我想改变我尝试使用以下代码:
import boto3
client = boto3.client('iam')
response = client.attach_role_policy(RoleName='testrole', PolicyArn='arn:aws:iam::279121212121212:user/testrole')
trust_policy = response['Role']['AssumeRolePolicyDocument']
trust_policy['Statement'][0]['Principal'] ['AWS']= 'arn:aws:iam::279121212121212:user/ai-s-p57s13'
最佳答案
您可以按如下方式执行此操作:
import json
import boto3
iam = boto3.client('iam')
role_name = "testrole"
# get existing role info
role_info = iam.get_role(RoleName = role_name)
# get trust policy
trust_policy = role_info['Role']['AssumeRolePolicyDocument']
#print(trust_policy)
# get external_id
exiting_external_id = trust_policy['Statement'][0]['Condition']['StringEquals']['sts:ExternalId']
#print(exiting_external_id)
new_prefix='yyyyyyyyyy'
# create new external id
new_external_id = new_prefix + "=" + exiting_external_id.split('=', 1)[1]
#print(new_external_id)
# update the trust policy
trust_policy['Statement'][0]['Condition']['StringEquals']['sts:ExternalId'] = new_external_id
print(trust_policy)
# update the role
response = iam.update_assume_role_policy(
RoleName=role_name,
PolicyDocument=json.dumps(trust_policy)
)
print(response)
关于python - 如何使用python更改AWS可信用户 "sts ExternalId"?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67544027/