I have successfully fetched the users from AWS IAM using the python boto module.
Code:
    import boto
    from boto.iam.connection import IAMConnection

    cfn = IAMConnection(aws_access_key_id='somekeyid', aws_secret_access_key='secret_here')
    data = cfn.get_all_users()
    for user in data.users:
        print user, "\n"
How do I get the Groups or Permissions the user is associated with?
I added this line of code to get the group associated with the users and I am getting the error mentioned down below.
Added Code:
    group = cfn.get_groups_for_user("Shital")
    print group
where "Shital" is the user that exists and is being fetched from above. For test purposes, I am manually passing it to a function call.
Error:
    Traceback (most recent call last):
      File "getuser.py", line 14, in <module>
        pol=cfn.get_groups_for_user("Shita")
      File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 509, in get_groups_for_user
        list_marker='Groups')
      File "/home/tara/testinghere/IAM/env/local/lib/python2.7/site-packages/boto/iam/connection.py", line 102, in get_response
        raise self.ResponseError(response.status, response.reason, body)
    boto.exception.BotoServerError: BotoServerError: 403 Forbidden
    <ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
      <Error>
        <Type>Sender</Type>
        <Code>AccessDenied</Code>
        <Message>User: arn:aws:iam::586848946515:user/qa-api-users is not authorized to perform: iam:ListGroupsForUser on resource: user Shita</Message>
      </Error>
      <RequestId>7e9a4b56-95f0-11e7-9bb0-8b8eb22708c5</RequestId>
    </ErrorResponse>
Using credentials with suitable authority is essential for this query to work. As code_onkel points out, it makes sense to assign IAMFullAccess or AdministratorAccess as needed to complete the transaction successfully.
There are several major caveats for this code:
1 - It assumes that you are using the default policy versions for all policies.
2 - It assumes that you have the permissions required.
3 - It is written using boto3 rather than the old boto.
Now that we have that out of the way, the code:
    #! /bin/python3
    import boto3

    USERNAME = '<The desired username>'
    policy_names = []


    def get_groups_by_username(username):
        client = boto3.client('iam')
        groups_json = client.list_groups_for_user(UserName=username)['Groups']
        group_names = []
        for group in groups_json:
            group_names.append(group['GroupName'])
        return group_names


    def get_group_policies(user_groups):
        client = boto3.client('iam')
        global policy_names
        for group in user_groups:
            # This is for AWS managed policies and returns both the policy ARN and name
            attached_group_policies = client.list_attached_group_policies(GroupName=group)['AttachedPolicies']
            for policy in attached_group_policies:
                policy_names.append(policy['PolicyName'])
            # This is for inline policies and returns only the policy name
            group_policies = client.list_group_policies(GroupName=group)['PolicyNames']
            for policy in group_policies:
                policy_names.append(policy)


    def get_user_policies(username):
        client = boto3.client('iam')
        global policy_names
        # This is for AWS managed policies and returns both the policy ARN and name
        attached_user_policies = client.list_attached_user_policies(UserName=username)['AttachedPolicies']
        for policy in attached_user_policies:
            policy_names.append(policy['PolicyName'])
        # This is for inline policies and returns only the policy name
        user_policies = client.list_user_policies(UserName=username)['PolicyNames']
        for policy in user_policies:
            policy_names.append(policy)


    get_user_policies(USERNAME)
    groups = get_groups_by_username(USERNAME)
    print("The user " + USERNAME + " belongs to the groups:")
    print(groups)
    get_group_policies(groups)
    print("The user " + USERNAME + " has the following policies applied to it: ")
    print(policy_names)
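The answer above lists policy names but not what those policies grant, and its first caveat (default policy versions) is exactly where an audit needs to look. The following is an added example, not code from either answer: it walks the user's groups plus attached and inline policies the same way, then fetches each managed policy's default version document and each inline document, and flags any Allow of `*` or `iam:*` on all resources. It assumes `iam` is an object exposing the boto3 IAM client methods used (pass a real `boto3.client('iam')`, whose caller needs the matching `iam:List*`/`iam:Get*` permissions); `FakeIamClient` is constructed canned data so it runs offline.

```python
from typing import Any, Dict, List


def _as_list(value: Any) -> list:
    """IAM policy JSON allows a bare string wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def collect_policy_documents(iam: Any, username: str) -> Dict[str, dict]:
    """Map 'scope:name/kind:policy' -> policy document for a user and its groups."""
    groups = [g["GroupName"] for g in iam.list_groups_for_user(UserName=username)["Groups"]]
    docs: Dict[str, dict] = {}
    for scope, name in [("user", username)] + [("group", g) for g in groups]:
        # boto3 names the user- and group-level calls symmetrically, so dispatch on scope.
        kw = {"UserName": name} if scope == "user" else {"GroupName": name}
        for pol in getattr(iam, f"list_attached_{scope}_policies")(**kw)["AttachedPolicies"]:
            # Managed policies are versioned; only the default version is in force.
            vid = iam.get_policy(PolicyArn=pol["PolicyArn"])["Policy"]["DefaultVersionId"]
            ver = iam.get_policy_version(PolicyArn=pol["PolicyArn"], VersionId=vid)
            docs[f"{scope}:{name}/managed:{pol['PolicyName']}"] = ver["PolicyVersion"]["Document"]
        for pname in getattr(iam, f"list_{scope}_policies")(**kw)["PolicyNames"]:
            inline = getattr(iam, f"get_{scope}_policy")(PolicyName=pname, **kw)
            docs[f"{scope}:{name}/inline:{pname}"] = inline["PolicyDocument"]
    return docs


def find_admin_grants(docs: Dict[str, dict]) -> List[str]:
    """Labels of policies with an Allow of '*' or 'iam:*' on every resource."""
    hits = []
    for label, doc in docs.items():
        for stmt in _as_list(doc["Statement"]):
            wide = any(a in ("*", "iam:*") for a in _as_list(stmt.get("Action", [])))
            if stmt.get("Effect") == "Allow" and wide and "*" in _as_list(stmt.get("Resource", [])):
                hits.append(label)
    return hits


class FakeIamClient:
    """Constructed canned responses (not a real account) so the walk runs offline."""
    _ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    _S3RO = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"}]}
    def list_groups_for_user(self, UserName): return {"Groups": [{"GroupName": "qa-admins"}]}
    def list_attached_user_policies(self, UserName): return {"AttachedPolicies": []}
    def list_user_policies(self, UserName): return {"PolicyNames": ["s3-read"]}
    def get_user_policy(self, UserName, PolicyName): return {"PolicyDocument": self._S3RO}
    def list_attached_group_policies(self, GroupName): return {"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}
    def list_group_policies(self, GroupName): return {"PolicyNames": []}
    def get_policy(self, PolicyArn): return {"Policy": {"DefaultVersionId": "v1"}}
    def get_policy_version(self, PolicyArn, VersionId): return {"PolicyVersion": {"Document": self._ADMIN}}
```

With the fake data, `find_admin_grants(collect_policy_documents(FakeIamClient(), "Shital"))` reports only the group-attached AdministratorAccess, while the user's inline S3 read policy is left alone.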