til: aws_boto-command-line.md


path: aws_boto-command-line.md
topic: aws
title: Using boto3 from the command line
url: https://github.com/simonw/til/blob/main/aws/boto-command-line.md
created: 2022-08-02T20:34:27-07:00
created_utc: 2022-08-03T03:34:27+00:00
updated: 2022-08-02T20:34:27-07:00
updated_utc: 2022-08-03T03:34:27+00:00
shot_hash: be4e6236df967f2d6d68f8caaf400be9
slug: boto-command-line

body:

I found a useful pattern today for automating more complex AWS processes as pastable command line snippets, using [Boto3](https://aws.amazon.com/sdk-for-python/).

The trick is to take advantage of the fact that `python3 -c '...'` lets you pass in a multi-line Python string which will be executed directly.

I used that to create a new IAM role by running the following:

```bash
python3 -c '
import boto3, json

iam = boto3.client("iam")
create_role_response = iam.create_role(
    Description=("Description of my role"),
    RoleName="my-new-role",
    AssumeRolePolicyDocument=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::462092780466:user/s3.read-write.my-previously-created-user"
                    },
                    "Action": "sts:AssumeRole",
                }
            ],
        }
    ),
    MaxSessionDuration=12 * 60 * 60,
)
# Attach AmazonS3FullAccess to it - note that even though we use full access
# on the role itself any time we call sts.assume_role() we attach an additional
# policy to ensure reduced access for the temporary credentials
iam.attach_role_policy(
    RoleName="my-new-role",
    PolicyArn="arn:aws:iam::aws:policy/AmazonS3FullAccess",
)
print(create_role_response["Role"]["Arn"])
'
```
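The comment in the snippet above says that every `sts.assume_role()` call attaches an additional policy to reduce access. The following is an added example, not code from the original post, of one way to do that with a session policy passed as the `Policy` parameter. The function names, the bucket and prefix parameters, and the chosen S3 actions are assumptions.

```python
import json
import re

# AWS caps the plaintext of an inline session policy at 2,048 characters.
SESSION_POLICY_MAX_CHARS = 2048
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def scoped_session_policy(bucket, prefix="", read_only=False):
    """Return a JSON session policy limited to one bucket and optional key prefix."""
    # Reject wildcards and policy variables so a caller-supplied name
    # cannot widen the Resource ARNs built below.
    if not BUCKET_RE.fullmatch(bucket) or any(c in prefix for c in "*?$"):
        raise ValueError("bucket or prefix contains characters that could widen access")
    actions = ["s3:GetObject"]
    if not read_only:
        actions += ["s3:PutObject", "s3:DeleteObject"]
    list_statement = {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if prefix:
        list_statement["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            list_statement,
            {"Effect": "Allow", "Action": actions,
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }
    document = json.dumps(policy, separators=(",", ":"))
    if len(document) > SESSION_POLICY_MAX_CHARS:
        raise ValueError("session policy exceeds the 2,048 character limit")
    return document


def assume_scoped_role(role_arn, bucket, prefix="", read_only=False, duration=3600):
    """Call sts.assume_role() with the session policy; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the policy builder runs without boto3

    response = boto3.client("sts").assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"s3-{bucket}"[:64],
        Policy=scoped_session_policy(bucket, prefix, read_only),
        DurationSeconds=duration,
    )
    # Effective permissions are the intersection of the role's attached
    # policies (AmazonS3FullAccess here) and the session policy above.
    return response["Credentials"]
```

A session policy can only narrow what the role already allows, so the returned credentials stay limited to the named bucket and prefix even though the role carries `AmazonS3FullAccess`.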