I found a useful pattern today for automating more complex AWS processes as pastable command line snippets, using Boto3.
The trick is to take advantage of the fact that python3 -c '...'
lets you pass in a multi-line Python string which will be executed directly.
I used that to create a new IAM role by running the following:
python3 -c '
import boto3, json
iam = boto3.client("iam")
create_role_response = iam.create_role(
Description=("Description of my role"),
RoleName="my-new-role",
AssumeRolePolicyDocument=json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::462092780466:user/s3.read-write.my-previously-created-user"
},
"Action": "sts:AssumeRole",
}
],
}
),
MaxSessionDuration=12 * 60 * 60,
)
# Attach AmazonS3FullAccess to it - note that even though we use full access
# on the role itself any time we call sts.assume_role() we attach an additional
# policy to ensure reduced access for the temporary credentials
iam.attach_role_policy(
RoleName="my-new-role",
PolicyArn="arn:aws:iam::aws:policy/AmazonS3FullAccess",
)
print(create_role_response["Role"]["Arn"])
'
Created 2022-08-02T20:34:27-07:00 · Edit