AWS Identity and Access Management

2017/04/19 - AWS Identity and Access Management - 2 new 8 updated api methods

Changes  This change introduces a new IAM role type, Service Linked Role, which works like a normal role but must be managed under the control of the service it is linked to.

CreateServiceLinkedRole (new)

Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed.

The name of the role is autogenerated by combining the string that you specify for the AWSServiceName parameter with the string that you specify for the CustomSuffix parameter. The resulting name must be unique in your account or the request fails.

To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.

See also: AWS API Documentation

Request Syntax

client.create_service_linked_role(
    AWSServiceName='string',
    Description='string',
    CustomSuffix='string'
)
type AWSServiceName

string

param AWSServiceName

[REQUIRED]

The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com

type Description

string

param Description

The description of the role.

type CustomSuffix

string

param CustomSuffix

A string that you provide, which is combined with the service name to form the complete role name. If you make multiple requests for the same service, then you must supply a different CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For example, you could add -1 or -debug to the suffix.

rtype

dict

returns

Response Syntax

{
    'Role': {
        'Path': 'string',
        'RoleName': 'string',
        'RoleId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'AssumeRolePolicyDocument': 'string',
        'Description': 'string'
    }
}

Response Structure

  • (dict) --

    • Role (dict) --

      A Role object that contains details about the newly created role.

      • Path (string) --

        The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • RoleName (string) --

        The friendly name that identifies the role.

      • RoleId (string) --

        The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format, when the role was created.

      • AssumeRolePolicyDocument (string) --

        The policy that grants an entity permission to assume the role.

      • Description (string) --

        A description of the role that you provide.

UpdateRoleDescription (new)

Modifies the description of a role.

See also: AWS API Documentation

Request Syntax

client.update_role_description(
    RoleName='string',
    Description='string'
)
type RoleName

string

param RoleName

[REQUIRED]

The name of the role that you want to modify.

type Description

string

param Description

[REQUIRED]

The new description that you want to apply to the specified role.

rtype

dict

returns

Response Syntax

{
    'Role': {
        'Path': 'string',
        'RoleName': 'string',
        'RoleId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'AssumeRolePolicyDocument': 'string',
        'Description': 'string'
    }
}

Response Structure

  • (dict) --

    • Role (dict) --

      A structure that contains details about the modified role.

      • Path (string) --

        The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • RoleName (string) --

        The friendly name that identifies the role.

      • RoleId (string) --

        The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format, when the role was created.

      • AssumeRolePolicyDocument (string) --

        The policy that grants an entity permission to assume the role.

      • Description (string) --

        A description of the role that you provide.

CreateInstanceProfile (updated)
Changes (response)
{'InstanceProfile': {'Roles': {'Description': 'string'}}}

Creates a new instance profile. For information about instance profiles, go to About Instance Profiles.

For information about the number of instance profiles you can create, see Limitations on IAM Entities in the IAM User Guide.

See also: AWS API Documentation

Request Syntax

client.create_instance_profile(
    InstanceProfileName='string',
    Path='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

The name of the instance profile to create.

This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Path

string

param Path

The path to the instance profile. For more information about paths, see IAM Identifiers in the IAM User Guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

This parameter allows (per its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes, containing any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and uppercase and lowercase letters.

rtype

dict

returns

Response Syntax

{
    'InstanceProfile': {
        'Path': 'string',
        'InstanceProfileName': 'string',
        'InstanceProfileId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'Roles': [
            {
                'Path': 'string',
                'RoleName': 'string',
                'RoleId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'AssumeRolePolicyDocument': 'string',
                'Description': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful CreateInstanceProfile request.

    • InstanceProfile (dict) --

      A structure containing details about the new instance profile.

      • Path (string) --

        The path to the instance profile. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • InstanceProfileName (string) --

        The name identifying the instance profile.

      • InstanceProfileId (string) --

        The stable and unique string identifying the instance profile. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the instance profile was created.

      • Roles (list) --

        The role associated with the instance profile.

        • (dict) --

          Contains information about an IAM role. This structure is returned as a response element in several APIs that interact with roles.

          • Path (string) --

            The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

          • RoleName (string) --

            The friendly name that identifies the role.

          • RoleId (string) --

            The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

          • Arn (string) --

            The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

          • CreateDate (datetime) --

            The date and time, in ISO 8601 date-time format, when the role was created.

          • AssumeRolePolicyDocument (string) --

            The policy that grants an entity permission to assume the role.

          • Description (string) --

            A description of the role that you provide.

CreateRole (updated)
Changes (request, response)
Request
{'Description': 'string'}
Response
{'Role': {'Description': 'string'}}

Creates a new role for your AWS account. For more information about roles, go to Working with Roles. For information about limitations on role names and the number of roles you can create, go to Limitations on IAM Entities in the IAM User Guide.

See also: AWS API Documentation

Request Syntax

client.create_role(
    Path='string',
    RoleName='string',
    AssumeRolePolicyDocument='string',
    Description='string'
)
type Path

string

param Path

The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

This parameter allows (per its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes, containing any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and uppercase and lowercase letters.

type RoleName

string

param RoleName

[REQUIRED]

The name of the role to create.

This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Role names are not distinguished by case. For example, you cannot create roles named both "PRODROLE" and "prodrole".

type AssumeRolePolicyDocument

string

param AssumeRolePolicyDocument

[REQUIRED]

The trust relationship policy document that grants an entity permission to assume the role.

The regex pattern used to validate this parameter is a string of characters consisting of any printable ASCII character ranging from the space character (\u0020) through the end of the ASCII character range, as well as the printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF). It also includes the special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D).

type Description

string

param Description

A customer-provided description of the role.

rtype

dict

returns

Response Syntax

{
    'Role': {
        'Path': 'string',
        'RoleName': 'string',
        'RoleId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'AssumeRolePolicyDocument': 'string',
        'Description': 'string'
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful CreateRole request.

    • Role (dict) --

      A structure containing details about the new role.

      • Path (string) --

        The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • RoleName (string) --

        The friendly name that identifies the role.

      • RoleId (string) --

        The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format, when the role was created.

      • AssumeRolePolicyDocument (string) --

        The policy that grants an entity permission to assume the role.

      • Description (string) --

        A description of the role that you provide.
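
A pre-flight check for CreateRole arguments, added here as an illustration and not part of the AWS documentation. The function name `preflight_create_role` and the sample values are hypothetical; the three patterns are transcribed from the parameter descriptions above, and the collision test applies the rule that role names are not distinguished by case.

```python
import re

# Patterns transcribed from the prose descriptions of each parameter.
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9_+=,.@-]+")
PATH_RE = re.compile(r"/|/[\u0021-\u007F]+/")
TRUST_DOC_RE = re.compile(r"[\u0009\u000A\u000D\u0020-\u00FF]+")

# Constructed sample trust policy for the service named earlier on this page.
SAMPLE_TRUST_DOC = (
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "elasticbeanstalk.amazonaws.com"}, '
    '"Action": "sts:AssumeRole"}]}'
)


def preflight_create_role(role_name, trust_document, existing_role_names, path="/"):
    """Return a list of problems that would make create_role fail.

    existing_role_names is the list of role names already in the account,
    for example the RoleName values from a previous listing call.
    """
    problems = []
    if not ROLE_NAME_RE.fullmatch(role_name):
        problems.append("RoleName contains characters outside the allowed set")
    if not PATH_RE.fullmatch(path):
        problems.append("Path must be '/' or begin and end with '/'")
    if not TRUST_DOC_RE.fullmatch(trust_document):
        # Typical cause: typographic quotes pasted from a document or chat tool.
        problems.append("AssumeRolePolicyDocument contains characters above \\u00FF")
    by_lower = {name.lower(): name for name in existing_role_names}
    clash = by_lower.get(role_name.lower())
    if clash is not None:
        problems.append(f"RoleName collides with existing role {clash!r} (case-insensitive)")
    return problems


if __name__ == "__main__":
    print(preflight_create_role("prodrole", SAMPLE_TRUST_DOC, ["PRODROLE"]))
    print(preflight_create_role("deploy role", SAMPLE_TRUST_DOC, [], "teams/app"))
```
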

GetAccountAuthorizationDetails (updated)
Changes (response)
{'RoleDetailList': {'InstanceProfileList': {'Roles': {'Description': 'string'}}}}

Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this API to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.

You can optionally filter the results using the Filter parameter. You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.get_account_authorization_details(
    Filter=[
        'User'|'Role'|'Group'|'LocalManagedPolicy'|'AWSManagedPolicy',
    ],
    MaxItems=123,
    Marker='string'
)
type Filter

list

param Filter

A list of entity types used to filter the results. Only the entities that match the types you specify are included in the output. Use the value LocalManagedPolicy to include customer managed policies.

The format for this parameter is a comma-separated (if more than one) list of strings. Each string value in the list must be one of the valid values listed below.

  • (string) --

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true and Marker contains a value to include in the subsequent call that tells the service where to continue from.

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

rtype

dict

returns

Response Syntax

{
    'UserDetailList': [
        {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'UserPolicyList': [
                {
                    'PolicyName': 'string',
                    'PolicyDocument': 'string'
                },
            ],
            'GroupList': [
                'string',
            ],
            'AttachedManagedPolicies': [
                {
                    'PolicyName': 'string',
                    'PolicyArn': 'string'
                },
            ]
        },
    ],
    'GroupDetailList': [
        {
            'Path': 'string',
            'GroupName': 'string',
            'GroupId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'GroupPolicyList': [
                {
                    'PolicyName': 'string',
                    'PolicyDocument': 'string'
                },
            ],
            'AttachedManagedPolicies': [
                {
                    'PolicyName': 'string',
                    'PolicyArn': 'string'
                },
            ]
        },
    ],
    'RoleDetailList': [
        {
            'Path': 'string',
            'RoleName': 'string',
            'RoleId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'AssumeRolePolicyDocument': 'string',
            'InstanceProfileList': [
                {
                    'Path': 'string',
                    'InstanceProfileName': 'string',
                    'InstanceProfileId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'Roles': [
                        {
                            'Path': 'string',
                            'RoleName': 'string',
                            'RoleId': 'string',
                            'Arn': 'string',
                            'CreateDate': datetime(2015, 1, 1),
                            'AssumeRolePolicyDocument': 'string',
                            'Description': 'string'
                        },
                    ]
                },
            ],
            'RolePolicyList': [
                {
                    'PolicyName': 'string',
                    'PolicyDocument': 'string'
                },
            ],
            'AttachedManagedPolicies': [
                {
                    'PolicyName': 'string',
                    'PolicyArn': 'string'
                },
            ]
        },
    ],
    'Policies': [
        {
            'PolicyName': 'string',
            'PolicyId': 'string',
            'Arn': 'string',
            'Path': 'string',
            'DefaultVersionId': 'string',
            'AttachmentCount': 123,
            'IsAttachable': True|False,
            'Description': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'UpdateDate': datetime(2015, 1, 1),
            'PolicyVersionList': [
                {
                    'Document': 'string',
                    'VersionId': 'string',
                    'IsDefaultVersion': True|False,
                    'CreateDate': datetime(2015, 1, 1)
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful GetAccountAuthorizationDetails request.

    • UserDetailList (list) --

      A list containing information about IAM users.

      • (dict) --

        Contains information about an IAM user, including all the user's policies and all the IAM groups the user is in.

        This data type is used as a response element in the GetAccountAuthorizationDetails action.

        • Path (string) --

          The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • UserName (string) --

          The friendly name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the user was created.

        • UserPolicyList (list) --

          A list of the inline policies embedded in the user.

          • (dict) --

            Contains information about an IAM policy, including the policy document.

            This data type is used as a response element in the GetAccountAuthorizationDetails action.

            • PolicyName (string) --

              The name of the policy.

            • PolicyDocument (string) --

              The policy document.

        • GroupList (list) --

          A list of IAM groups that the user is in.

          • (string) --

        • AttachedManagedPolicies (list) --

          A list of the managed policies attached to the user.

          • (dict) --

            Contains information about an attached policy.

            An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies, ListAttachedRolePolicies, ListAttachedUserPolicies, and GetAccountAuthorizationDetails actions.

            For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

            • PolicyName (string) --

              The friendly name of the attached policy.

            • PolicyArn (string) --

              The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

              For more information about ARNs, go to Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

    • GroupDetailList (list) --

      A list containing information about IAM groups.

      • (dict) --

        Contains information about an IAM group, including all of the group's policies.

        This data type is used as a response element in the GetAccountAuthorizationDetails action.

        • Path (string) --

          The path to the group. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • GroupName (string) --

          The friendly name that identifies the group.

        • GroupId (string) --

          The stable and unique string identifying the group. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the group was created.

        • GroupPolicyList (list) --

          A list of the inline policies embedded in the group.

          • (dict) --

            Contains information about an IAM policy, including the policy document.

            This data type is used as a response element in the GetAccountAuthorizationDetails action.

            • PolicyName (string) --

              The name of the policy.

            • PolicyDocument (string) --

              The policy document.

        • AttachedManagedPolicies (list) --

          A list of the managed policies attached to the group.

          • (dict) --

            Contains information about an attached policy.

            An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies, ListAttachedRolePolicies, ListAttachedUserPolicies, and GetAccountAuthorizationDetails actions.

            For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

            • PolicyName (string) --

              The friendly name of the attached policy.

            • PolicyArn (string) --

              The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

              For more information about ARNs, go to Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

    • RoleDetailList (list) --

      A list containing information about IAM roles.

      • (dict) --

        Contains information about an IAM role, including all of the role's policies.

        This data type is used as a response element in the GetAccountAuthorizationDetails action.

        • Path (string) --

          The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • RoleName (string) --

          The friendly name that identifies the role.

        • RoleId (string) --

          The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the role was created.

        • AssumeRolePolicyDocument (string) --

          The trust policy that grants permission to assume the role.

        • InstanceProfileList (list) --

          A list of instance profiles that contain this role.

          • (dict) --

            Contains information about an instance profile.

            This data type is used as a response element in the following actions:

            • CreateInstanceProfile

            • GetInstanceProfile

            • ListInstanceProfiles

            • ListInstanceProfilesForRole

            • Path (string) --

              The path to the instance profile. For more information about paths, see IAM Identifiers in the Using IAM guide.

            • InstanceProfileName (string) --

              The name identifying the instance profile.

            • InstanceProfileId (string) --

              The stable and unique string identifying the instance profile. For more information about IDs, see IAM Identifiers in the Using IAM guide.

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

            • CreateDate (datetime) --

              The date when the instance profile was created.

            • Roles (list) --

              The role associated with the instance profile.

              • (dict) --

                Contains information about an IAM role. This structure is returned as a response element in several APIs that interact with roles.

                • Path (string) --

                  The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

                • RoleName (string) --

                  The friendly name that identifies the role.

                • RoleId (string) --

                  The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

                • Arn (string) --

                  The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

                • CreateDate (datetime) --

                  The date and time, in ISO 8601 date-time format, when the role was created.

                • AssumeRolePolicyDocument (string) --

                  The policy that grants an entity permission to assume the role.

                • Description (string) --

                  A description of the role that you provide.

        • RolePolicyList (list) --

          A list of inline policies embedded in the role. These policies are the role's access (permissions) policies.

          • (dict) --

            Contains information about an IAM policy, including the policy document.

            This data type is used as a response element in the GetAccountAuthorizationDetails action.

            • PolicyName (string) --

              The name of the policy.

            • PolicyDocument (string) --

              The policy document.

        • AttachedManagedPolicies (list) --

          A list of managed policies attached to the role. These policies are the role's access (permissions) policies.

          • (dict) --

            Contains information about an attached policy.

            An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies, ListAttachedRolePolicies, ListAttachedUserPolicies, and GetAccountAuthorizationDetails actions.

            For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

            • PolicyName (string) --

              The friendly name of the attached policy.

            • PolicyArn (string) --

              The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

              For more information about ARNs, go to Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

    • Policies (list) --

      A list containing information about managed policies.

      • (dict) --

        Contains information about a managed policy, including the policy's ARN, versions, and the number of principal entities (users, groups, and roles) that the policy is attached to.

        This data type is used as a response element in the GetAccountAuthorizationDetails action.

        For more information about managed policies, see Managed Policies and Inline Policies in the Using IAM guide.

        • PolicyName (string) --

          The friendly name (not ARN) identifying the policy.

        • PolicyId (string) --

          The stable and unique string identifying the policy.

          For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

        • Path (string) --

          The path to the policy.

          For more information about paths, see IAM Identifiers in the Using IAM guide.

        • DefaultVersionId (string) --

          The identifier for the version of the policy that is set as the default (operative) version.

          For more information about policy versions, see Versioning for Managed Policies in the Using IAM guide.

        • AttachmentCount (integer) --

          The number of principal entities (users, groups, and roles) that the policy is attached to.

        • IsAttachable (boolean) --

          Specifies whether the policy can be attached to an IAM user, group, or role.

        • Description (string) --

          A friendly description of the policy.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the policy was created.

        • UpdateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the policy was last updated.

          When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

        • PolicyVersionList (list) --

          A list containing information about the versions of the policy.

          • (dict) --

            Contains information about a version of a managed policy.

            This data type is used as a response element in the CreatePolicyVersion, GetPolicyVersion, ListPolicyVersions, and GetAccountAuthorizationDetails actions.

            For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

            • Document (string) --

              The policy document.

              The policy document is returned in the response to the GetPolicyVersion and GetAccountAuthorizationDetails operations. It is not returned in the response to the CreatePolicyVersion or ListPolicyVersions operations.

            • VersionId (string) --

              The identifier for the policy version.

              Policy version identifiers always begin with v (always lowercase). When a policy is created, the first policy version is v1.

            • IsDefaultVersion (boolean) --

              Specifies whether the policy version is set as the policy's default version.

            • CreateDate (datetime) --

              The date and time, in ISO 8601 date-time format, when the policy version was created.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

GetInstanceProfile (updated)
Changes (response)
{'InstanceProfile': {'Roles': {'Description': 'string'}}}

Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. For more information about instance profiles, see About Instance Profiles in the IAM User Guide.

See also: AWS API Documentation

Request Syntax

client.get_instance_profile(
    InstanceProfileName='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

The name of the instance profile to get information about.

This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

rtype

dict

returns

Response Syntax

{
    'InstanceProfile': {
        'Path': 'string',
        'InstanceProfileName': 'string',
        'InstanceProfileId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'Roles': [
            {
                'Path': 'string',
                'RoleName': 'string',
                'RoleId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'AssumeRolePolicyDocument': 'string',
                'Description': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful GetInstanceProfile request.

    • InstanceProfile (dict) --

      A structure containing details about the instance profile.

      • Path (string) --

        The path to the instance profile. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • InstanceProfileName (string) --

        The name identifying the instance profile.

      • InstanceProfileId (string) --

        The stable and unique string identifying the instance profile. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the instance profile was created.

      • Roles (list) --

        The role associated with the instance profile.

        • (dict) --

          Contains information about an IAM role. This structure is returned as a response element in several APIs that interact with roles.

          • Path (string) --

            The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

          • RoleName (string) --

            The friendly name that identifies the role.

          • RoleId (string) --

            The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

          • Arn (string) --

            The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

          • CreateDate (datetime) --

            The date and time, in ISO 8601 date-time format, when the role was created.

          • AssumeRolePolicyDocument (string) --

            The policy that grants an entity permission to assume the role.

          • Description (string) --

            A description of the role that you provide.

GetRole (updated)
Changes (response)
{'Role': {'Description': 'string'}}

Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role. For more information about roles, see Working with Roles.

Note

Policies returned by this API are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.

See also: AWS API Documentation

Request Syntax

client.get_role(
    RoleName='string'
)
type RoleName

string

param RoleName

[REQUIRED]

The name of the IAM role to get information about.

This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

rtype

dict

returns

Response Syntax

{
    'Role': {
        'Path': 'string',
        'RoleName': 'string',
        'RoleId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'AssumeRolePolicyDocument': 'string',
        'Description': 'string'
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful GetRole request.

    • Role (dict) --

      A structure containing details about the IAM role.

      • Path (string) --

        The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

      • RoleName (string) --

        The friendly name that identifies the role.

      • RoleId (string) --

        The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format, when the role was created.

      • AssumeRolePolicyDocument (string) --

        The policy that grants an entity permission to assume the role.

      • Description (string) --

        A description of the role that you provide.
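The Note above says the trust policy comes back URL-encoded per RFC 3986. The following added example (not part of the AWS reference) decodes AssumeRolePolicyDocument and lists AWS principals outside your own account or wildcarded; the sample role and account IDs are constructed, and the function names are hypothetical. It also accepts a dict, because some SDK layers hand back the document already parsed.

```python
import json
from urllib.parse import quote, unquote


def decode_policy(document):
    """Return a policy document as a dict.

    Accepts the URL-encoded string described in the Note, or a value that an
    SDK layer has already parsed into a dict.
    """
    if isinstance(document, dict):
        return document
    # unquote(), not unquote_plus(): RFC 3986 encodes a space as %20, so a
    # literal "+" inside the policy must stay a "+".
    return json.loads(unquote(document))


def _as_list(value):
    # Statement and principal values may be a single item or a list.
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID from an ARN or a bare 12-digit ID, else None."""
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return parts[4] if len(parts) > 4 else None
    return principal if principal.isdigit() and len(principal) == 12 else None


def review_trust(role, own_account):
    """List findings for the AWS principals in one Role structure.

    Service and Federated principals are not reviewed here.
    """
    findings = []
    policy = decode_policy(role["AssumeRolePolicyDocument"])
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        guard = "with Condition" if stmt.get("Condition") else "no Condition"
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for value in _as_list(principal.get("AWS", [])):
            account = _account_of(value)
            if value == "*":
                findings.append(f"wildcard principal ({guard})")
            elif account is None:
                findings.append(f"unrecognised principal: {value} ({guard})")
            elif account != own_account:
                findings.append(f"cross-account trust: {account} ({guard})")
    return findings


# Constructed sample: a Role structure with a URL-encoded trust policy.
SAMPLE_ROLE = {
    "RoleName": "example-deploy",
    "Description": "constructed sample role",
    "AssumeRolePolicyDocument": quote(json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                   "arn:aws:iam::999999999999:root"]}},
        ],
    })),
}

if __name__ == "__main__":
    for finding in review_trust(SAMPLE_ROLE, own_account="111111111111"):
        print(SAMPLE_ROLE["RoleName"], "->", finding)
```
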

ListInstanceProfiles (updated)
Changes (response)
{'InstanceProfiles': {'Roles': {'Description': 'string'}}}

Lists the instance profiles that have the specified path prefix. If there are none, the action returns an empty list. For more information about instance profiles, go to About Instance Profiles.

You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.list_instance_profiles(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example, the prefix /application_abc/component_xyz/ gets all instance profiles whose path starts with /application_abc/component_xyz/.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all instance profiles. This parameter allows (per its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes, containing any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'InstanceProfiles': [
        {
            'Path': 'string',
            'InstanceProfileName': 'string',
            'InstanceProfileId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'Roles': [
                {
                    'Path': 'string',
                    'RoleName': 'string',
                    'RoleId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'AssumeRolePolicyDocument': 'string',
                    'Description': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful ListInstanceProfiles request.

    • InstanceProfiles (list) --

      A list of instance profiles.

      • (dict) --

        Contains information about an instance profile.

        This data type is used as a response element in the following actions:

        • CreateInstanceProfile

        • GetInstanceProfile

        • ListInstanceProfiles

        • ListInstanceProfilesForRole

        • Path (string) --

          The path to the instance profile. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • InstanceProfileName (string) --

          The name identifying the instance profile.

        • InstanceProfileId (string) --

          The stable and unique string identifying the instance profile. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the instance profile was created.

        • Roles (list) --

          The role associated with the instance profile.

          • (dict) --

            Contains information about an IAM role. This structure is returned as a response element in several APIs that interact with roles.

            • Path (string) --

              The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

            • RoleName (string) --

              The friendly name that identifies the role.

            • RoleId (string) --

              The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

            • CreateDate (datetime) --

              The date and time, in ISO 8601 date-time format, when the role was created.

            • AssumeRolePolicyDocument (string) --

              The policy that grants an entity permission to assume the role.

            • Description (string) --

              A description of the role that you provide.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListInstanceProfilesForRole (updated)
Changes (response)
{'InstanceProfiles': {'Roles': {'Description': 'string'}}}

Lists the instance profiles that have the specified associated IAM role. If there are none, the action returns an empty list. For more information about instance profiles, go to About Instance Profiles.

You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.list_instance_profiles_for_role(
    RoleName='string',
    Marker='string',
    MaxItems=123
)
type RoleName

string

param RoleName

[REQUIRED]

The name of the role to list instance profiles for.

This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'InstanceProfiles': [
        {
            'Path': 'string',
            'InstanceProfileName': 'string',
            'InstanceProfileId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'Roles': [
                {
                    'Path': 'string',
                    'RoleName': 'string',
                    'RoleId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'AssumeRolePolicyDocument': 'string',
                    'Description': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful ListInstanceProfilesForRole request.

    • InstanceProfiles (list) --

      A list of instance profiles.

      • (dict) --

        Contains information about an instance profile.

        This data type is used as a response element in the following actions:

        • CreateInstanceProfile

        • GetInstanceProfile

        • ListInstanceProfiles

        • ListInstanceProfilesForRole

        • Path (string) --

          The path to the instance profile. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • InstanceProfileName (string) --

          The name identifying the instance profile.

        • InstanceProfileId (string) --

          The stable and unique string identifying the instance profile. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the instance profile was created.

        • Roles (list) --

          The role associated with the instance profile.

          • (dict) --

            Contains information about an IAM role. This structure is returned as a response element in several APIs that interact with roles.

            • Path (string) --

              The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

            • RoleName (string) --

              The friendly name that identifies the role.

            • RoleId (string) --

              The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

            • CreateDate (datetime) --

              The date and time, in ISO 8601 date-time format, when the role was created.

            • AssumeRolePolicyDocument (string) --

              The policy that grants an entity permission to assume the role.

            • Description (string) --

              A description of the role that you provide.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListRoles (updated)
Changes (response)
{'Roles': {'Description': 'string'}}

Lists the IAM roles that have the specified path prefix. If there are none, the action returns an empty list. For more information about roles, go to Working with Roles.

You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.list_roles(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example, the prefix /application_abc/component_xyz/ gets all roles whose path starts with /application_abc/component_xyz/.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all roles. This parameter allows (per its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes, containing any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Roles': [
        {
            'Path': 'string',
            'RoleName': 'string',
            'RoleId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'AssumeRolePolicyDocument': 'string',
            'Description': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful ListRoles request.

    • Roles (list) --

      A list of roles.

      • (dict) --

        Contains information about an IAM role. This structure is returned as a response element in several APIs that interact with roles.

        • Path (string) --

          The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

        • RoleName (string) --

          The friendly name that identifies the role.

        • RoleId (string) --

          The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format, when the role was created.

        • AssumeRolePolicyDocument (string) --

          The policy that grants an entity permission to assume the role.

        • Description (string) --

          A description of the role that you provide.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
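The Marker and IsTruncated contract described for the list operations above matters for audits: a single call can return fewer than MaxItems roles and still be truncated, so an inventory built from one response misses roles. This added example (not part of the AWS reference) follows Marker to the end and then reports roles with no Description; FakeIAM, the sample roles and the function names are constructed stand-ins so that the block runs offline.

```python
def list_all_roles(client, path_prefix="/", page_size=100):
    """Collect every role under path_prefix, checking IsTruncated after each call."""
    roles = []
    kwargs = {"PathPrefix": path_prefix, "MaxItems": page_size}
    seen_markers = set()
    while True:
        page = client.list_roles(**kwargs)
        roles.extend(page.get("Roles", []))
        if not page.get("IsTruncated"):
            return roles
        marker = page.get("Marker")
        # Fail closed: a truncated page with a missing or repeated Marker
        # would otherwise end the inventory early or loop forever.
        if not marker or marker in seen_markers:
            raise RuntimeError("truncated response without a usable Marker")
        seen_markers.add(marker)
        kwargs["Marker"] = marker


def roles_missing_description(roles):
    """Names of roles whose Description is absent or empty."""
    return [r["RoleName"] for r in roles if not r.get("Description")]


class FakeIAM:
    """Constructed stand-in for an IAM client that returns short pages,
    mimicking 'IAM might return fewer results' than MaxItems."""

    def __init__(self, roles, server_page=2):
        self._roles = roles
        self._server_page = server_page
        self.calls = 0

    def list_roles(self, PathPrefix="/", MaxItems=100, Marker=None):
        self.calls += 1
        matching = [r for r in self._roles if r["Path"].startswith(PathPrefix)]
        start = int(Marker) if Marker else 0
        end = start + min(MaxItems, self._server_page)
        page = {"Roles": matching[start:end], "IsTruncated": end < len(matching)}
        if page["IsTruncated"]:
            page["Marker"] = str(end)
        return page


# Constructed sample data.
SAMPLE_ROLES = [
    {"Path": "/", "RoleName": "example-admin", "Description": "Break-glass admin"},
    {"Path": "/", "RoleName": "example-ci"},
    {"Path": "/application_abc/component_xyz/", "RoleName": "example-xyz-reader",
     "Description": "Read-only"},
    {"Path": "/application_abc/component_xyz/", "RoleName": "example-xyz-writer",
     "Description": ""},
    {"Path": "/", "RoleName": "example-batch", "Description": "Nightly batch"},
]

if __name__ == "__main__":
    client = FakeIAM(SAMPLE_ROLES)
    inventory = list_all_roles(client)
    print(len(inventory), "roles in", client.calls, "calls")
    print("no description:", roles_missing_description(inventory))
```

With a real boto3 client, `client.get_paginator('list_roles')` performs the same Marker handling.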