Commit | Line | Data |
---|---|---|
11fdf7f2 TL |
1 | ====== |
2 | Role | |
3 | ====== | |
4 | ||
5 | A role is similar to a user: it has permission policies attached to it that determine what the role can or cannot do. A role can be assumed by any identity that needs it. If a user assumes a role, a set of dynamically created temporary credentials is returned to the user. A role can be used to delegate access to users, applications, and services that do not have permissions to access some S3 resources. | |
6 | ||
20effc67 | 7 | The following radosgw-admin commands can be used to create, delete, and update a role and the permissions associated with it. |
11fdf7f2 TL |
8 | |
9 | Create a Role | |
10 | ------------- | |
11 | ||
12 | To create a role, execute the following:: | |
13 | ||
14 | radosgw-admin role create --role-name={role-name} [--path="{path to the role}"] [--assume-role-policy-doc={trust-policy-document}] | |
15 | ||
16 | Request Parameters | |
17 | ~~~~~~~~~~~~~~~~~~ | |
18 | ||
19 | ``role-name`` | |
20 | ||
21 | :Description: Name of the role. | |
22 | :Type: String | |
23 | ||
24 | ``path`` | |
25 | ||
26 | :Description: Path to the role. The default value is a slash (/). | |
27 | :Type: String | |
28 | ||
29 | ``assume-role-policy-doc`` | |
30 | ||
31 | :Description: The trust relationship policy document that grants an entity permission to assume the role. | |
32 | :Type: String | |
33 | ||
34 | For example:: | |
35 | ||
36 | radosgw-admin role create --role-name=S3Access1 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\} | |
37 | ||
38 | .. code-block:: javascript | |
39 | ||
40 | { | |
41 | "id": "ca43045c-082c-491a-8af1-2eebca13deec", | |
42 | "name": "S3Access1", | |
43 | "path": "/application_abc/component_xyz/", | |
44 | "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1", | |
45 | "create_date": "2018-10-17T10:18:29.116Z", | |
46 | "max_session_duration": 3600, | |
47 | "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}" | |
48 | } | |
49 | ||
50 | ||
51 | Delete a Role | |
52 | ------------- | |
53 | ||
54 | To delete a role, execute the following:: | |
55 | ||
20effc67 | 56 | radosgw-admin role delete --role-name={role-name} |
11fdf7f2 TL |
57 | |
58 | Request Parameters | |
59 | ~~~~~~~~~~~~~~~~~~ | |
60 | ||
61 | ``role-name`` | |
62 | ||
63 | :Description: Name of the role. | |
64 | :Type: String | |
65 | ||
66 | For example:: | |
67 | ||
20effc67 | 68 | radosgw-admin role delete --role-name=S3Access1 |
11fdf7f2 TL |
69 | |
70 | Note: A role can be deleted only when it doesn't have any permission policy attached to it. | |
71 | ||
72 | Get a Role | |
73 | ---------- | |
74 | ||
75 | To get information about a role, execute the following:: | |
76 | ||
77 | radosgw-admin role get --role-name={role-name} | |
78 | ||
79 | Request Parameters | |
80 | ~~~~~~~~~~~~~~~~~~ | |
81 | ||
82 | ``role-name`` | |
83 | ||
84 | :Description: Name of the role. | |
85 | :Type: String | |
86 | ||
87 | For example:: | |
88 | ||
89 | radosgw-admin role get --role-name=S3Access1 | |
90 | ||
91 | .. code-block:: javascript | |
92 | ||
93 | { | |
94 | "id": "ca43045c-082c-491a-8af1-2eebca13deec", | |
95 | "name": "S3Access1", | |
96 | "path": "/application_abc/component_xyz/", | |
97 | "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1", | |
98 | "create_date": "2018-10-17T10:18:29.116Z", | |
99 | "max_session_duration": 3600, | |
100 | "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}" | |
101 | } | |
102 | ||
103 | ||
104 | List Roles | |
105 | ---------- | |
106 | ||
107 | To list roles with a specified path prefix, execute the following:: | |
108 | ||
109 | radosgw-admin role list [--path-prefix={path prefix}] | |
110 | ||
111 | Request Parameters | |
112 | ~~~~~~~~~~~~~~~~~~ | |
113 | ||
114 | ``path-prefix`` | |
115 | ||
116 | :Description: Path prefix for filtering roles. If this is not specified, all roles are listed. | |
117 | :Type: String | |
118 | ||
119 | For example:: | |
120 | ||
121 | radosgw-admin role list --path-prefix="/application" | |
122 | ||
123 | .. code-block:: javascript | |
124 | ||
125 | [ | |
126 | { | |
127 | "id": "3e1c0ff7-8f2b-456c-8fdf-20f428ba6a7f", | |
128 | "name": "S3Access1", | |
129 | "path": "/application_abc/component_xyz/", | |
130 | "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1", | |
131 | "create_date": "2018-10-17T10:32:01.881Z", | |
132 | "max_session_duration": 3600, | |
133 | "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}" | |
134 | } | |
135 | ] | |
136 | ||
137 | ||
138 | Update Assume Role Policy Document of a role | |
139 | -------------------------------------------- | |
140 | ||
141 | To modify a role's assume role policy document, execute the following:: | |
142 | ||
1e59de90 | 143 | radosgw-admin role-trust-policy modify --role-name={role-name} --assume-role-policy-doc={trust-policy-document} |
11fdf7f2 TL |
144 | |
145 | Request Parameters | |
146 | ~~~~~~~~~~~~~~~~~~ | |
147 | ||
148 | ``role-name`` | |
149 | ||
150 | :Description: Name of the role. | |
151 | :Type: String | |
152 | ||
153 | ``assume-role-policy-doc`` | |
154 | ||
155 | :Description: The trust relationship policy document that grants an entity permission to assume the role. | |
156 | :Type: String | |
157 | ||
158 | For example:: | |
159 | ||
1e59de90 | 160 | radosgw-admin role-trust-policy modify --role-name=S3Access1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\} |
11fdf7f2 TL |
161 | |
162 | .. code-block:: javascript | |
163 | ||
164 | { | |
165 | "id": "ca43045c-082c-491a-8af1-2eebca13deec", | |
166 | "name": "S3Access1", | |
167 | "path": "/application_abc/component_xyz/", | |
168 | "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1", | |
169 | "create_date": "2018-10-17T10:18:29.116Z", | |
170 | "max_session_duration": 3600, | |
171 | "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER2\"]},\"Action\":[\"sts:AssumeRole\"]}]}" | |
172 | } | |
173 | ||
174 | ||
175 | In the above example, we are modifying the Principal from TESTER to TESTER2 in its assume role policy document. | |
176 | ||
177 | Add/ Update a Policy attached to a Role | |
178 | --------------------------------------- | |
179 | ||
180 | To add or update the inline policy attached to a role, execute the following:: | |
181 | ||
182 | radosgw-admin role-policy put --role-name={role-name} --policy-name={policy-name} --policy-doc={permission-policy-doc} | |
183 | ||
184 | Request Parameters | |
185 | ~~~~~~~~~~~~~~~~~~ | |
186 | ||
187 | ``role-name`` | |
188 | ||
189 | :Description: Name of the role. | |
190 | :Type: String | |
191 | ||
192 | ``policy-name`` | |
193 | ||
194 | :Description: Name of the policy. | |
195 | :Type: String | |
196 | ||
197 | ``policy-doc`` | |
198 | ||
199 | :Description: The Permission policy document. | |
200 | :Type: String | |
201 | ||
202 | For example:: | |
203 | ||
204 | radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\} | |
205 | ||
1e59de90 TL |
206 | For passing ``policy-doc`` as a file:: |
207 | ||
208 | radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --infile policy-document.json | |
209 | ||
11fdf7f2 TL |
210 | In the above example, we are attaching a policy 'Policy1' to role 'S3Access1', which allows all S3 actions on 'example_bucket'. |
211 | ||
212 | List Permission Policy Names attached to a Role | |
213 | ----------------------------------------------- | |
214 | ||
215 | To list the names of permission policies attached to a role, execute the following:: | |
216 | ||
217 | radosgw-admin role-policy list --role-name={role-name} | |
218 | ||
219 | Request Parameters | |
220 | ~~~~~~~~~~~~~~~~~~ | |
221 | ||
222 | ``role-name`` | |
223 | ||
224 | :Description: Name of the role. | |
225 | :Type: String | |
226 | ||
227 | For example:: | |
228 | ||
229 | radosgw-admin role-policy list --role-name=S3Access1 | |
230 | ||
231 | .. code-block:: javascript | |
232 | ||
233 | [ | |
234 | "Policy1" | |
235 | ] | |
236 | ||
237 | ||
238 | Get Permission Policy attached to a Role | |
239 | ---------------------------------------- | |
240 | ||
241 | To get a specific permission policy attached to a role, execute the following:: | |
242 | ||
243 | radosgw-admin role-policy get --role-name={role-name} --policy-name={policy-name} | |
244 | ||
245 | Request Parameters | |
246 | ~~~~~~~~~~~~~~~~~~ | |
247 | ||
248 | ``role-name`` | |
249 | ||
250 | :Description: Name of the role. | |
251 | :Type: String | |
252 | ||
253 | ``policy-name`` | |
254 | ||
255 | :Description: Name of the policy. | |
256 | :Type: String | |
257 | ||
258 | For example:: | |
259 | ||
260 | radosgw-admin role-policy get --role-name=S3Access1 --policy-name=Policy1 | |
261 | ||
262 | .. code-block:: javascript | |
263 | ||
264 | { | |
265 | "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::example_bucket\"}]}" | |
266 | } | |
267 | ||
268 | ||
269 | Delete Policy attached to a Role | |
270 | -------------------------------- | |
271 | ||
272 | To delete a permission policy attached to a role, execute the following:: | |
273 | ||
20effc67 | 274 | radosgw-admin role-policy delete --role-name={role-name} --policy-name={policy-name} |
11fdf7f2 TL |
275 | |
276 | Request Parameters | |
277 | ~~~~~~~~~~~~~~~~~~ | |
278 | ||
279 | ``role-name`` | |
280 | ||
281 | :Description: Name of the role. | |
282 | :Type: String | |
283 | ||
284 | ``policy-name`` | |
285 | ||
286 | :Description: Name of the policy. | |
287 | :Type: String | |
288 | ||
289 | For example:: | |
290 | ||
20effc67 | 291 | radosgw-admin role-policy delete --role-name=S3Access1 --policy-name=Policy1 |
11fdf7f2 TL |
292 | |
293 | ||
1e59de90 TL |
294 | Update a role |
295 | ------------- | |
296 | ||
297 | To update a role's max-session-duration, execute the following:: | |
298 | ||
299 | radosgw-admin role update --role-name={role-name} --max-session-duration={max-session-duration} | |
300 | ||
301 | Request Parameters | |
302 | ~~~~~~~~~~~~~~~~~~ | |
303 | ||
304 | ``role-name`` | |
305 | ||
306 | :Description: Name of the role. | |
307 | :Type: String | |
308 | ||
309 | ``max-session-duration`` | |
310 | ||
311 | :Description: Maximum session duration for a role. | |
312 | :Type: String | |
313 | ||
314 | For example:: | |
315 | ||
316 | radosgw-admin role update --role-name=S3Access1 --max-session-duration=43200 | |
317 | ||
318 | Note: This command currently can only be used to update max-session-duration. | |
319 | ||
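The JSON returned by the List Roles, Get Permission Policy and Update a role commands above can be checked mechanically before a role goes into use. The following Python audit is an added example, not part of the Ceph documentation: it decodes the policy strings embedded in that output and reports wildcard principals, wildcard actions and long sessions. The `WideOpen` role, the function names and the 3600-second limit are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `radosgw-admin role list` output.
# "WideOpen" is a made-up role added to trigger findings.
SAMPLE_ROLE_LIST = r'''[
 {"name": "S3Access1", "max_session_duration": 3600,
  "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"},
 {"name": "WideOpen", "max_session_duration": 43200,
  "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"sts:AssumeRole\"}]}"}
]'''

# Output of `radosgw-admin role-policy get`, copied from the example above.
SAMPLE_POLICY_GET = r'''{"Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::example_bucket\"}]}"}'''

MAX_SESSION_SECONDS = 3600  # assumed site limit (the default value shown above)


def _as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_text):
    """Decode the embedded policy (a JSON string inside JSON); yield Allow statements."""
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield stmt


def audit_trust(role, max_duration=MAX_SESSION_SECONDS):
    """Return findings for one role object from `role get` / `role list`."""
    findings = []
    for stmt in _allow_statements(role["assume_role_policy_document"]):
        principal = stmt.get("Principal", {})
        # Principal is either a bare string or a map such as {"AWS": [...]}.
        entries = ([principal] if isinstance(principal, str)
                   else [p for v in principal.values() for p in _as_list(v)])
        if "*" in entries:
            findings.append("trust policy lets any principal assume the role")
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRoleWithWebIdentity" in actions and "Condition" not in stmt:
            findings.append("web-identity trust without a Condition on token claims")
    duration = role.get("max_session_duration", 0)
    if duration > max_duration:
        findings.append(f"max_session_duration {duration}s exceeds {max_duration}s")
    return findings


def audit_permission(policy_get_output):
    """Return findings for the object printed by `role-policy get`."""
    findings = []
    for stmt in _allow_statements(policy_get_output["Permission policy"]):
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action} on {stmt.get('Resource')}")
    return findings


def audit_roles(role_list_json):
    """Map each role name in `role list` output to its trust-policy findings."""
    return {r["name"]: audit_trust(r) for r in json.loads(role_list_json)}


if __name__ == "__main__":
    print(audit_roles(SAMPLE_ROLE_LIST))
    print(audit_permission(json.loads(SAMPLE_POLICY_GET)))
```
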
11fdf7f2 TL |
320 | REST APIs for Manipulating a Role |
321 | ================================= | |
322 | ||
323 | In addition to the above radosgw-admin commands, the following REST APIs can be used for manipulating a role. For the request parameters and their explanations, refer to the sections above. | |
324 | ||
325 | In order to invoke the REST admin APIs, a user with admin caps needs to be created. | |
326 | ||
327 | .. code-block:: bash | |
328 | ||
329 | radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create | |
330 | radosgw-admin caps add --uid="TESTER" --caps="roles=*" | |
331 | ||
332 | ||
333 | Create a Role | |
334 | ------------- | |
335 | ||
336 | Example:: | |
337 | POST "<hostname>?Action=CreateRole&RoleName=S3Access&Path=/application_abc/component_xyz/&AssumeRolePolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}" | |
338 | ||
339 | .. code-block:: XML | |
340 | ||
341 | <role> | |
342 | <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id> | |
343 | <name>S3Access</name> | |
344 | <path>/application_abc/component_xyz/</path> | |
345 | <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn> | |
346 | <create_date>2018-10-23T07:43:42.811Z</create_date> | |
347 | <max_session_duration>3600</max_session_duration> | |
348 | <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document> | |
349 | </role> | |
350 | ||
351 | ||
352 | Delete a Role | |
353 | ------------- | |
354 | ||
355 | Example:: | |
356 | POST "<hostname>?Action=DeleteRole&RoleName=S3Access" | |
357 | ||
358 | Note: A role can be deleted only when it doesn't have any permission policy attached to it. | |
359 | ||
360 | Get a Role | |
361 | ---------- | |
362 | ||
363 | Example:: | |
364 | POST "<hostname>?Action=GetRole&RoleName=S3Access" | |
365 | ||
366 | .. code-block:: XML | |
367 | ||
368 | <role> | |
369 | <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id> | |
370 | <name>S3Access</name> | |
371 | <path>/application_abc/component_xyz/</path> | |
372 | <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn> | |
373 | <create_date>2018-10-23T07:43:42.811Z</create_date> | |
374 | <max_session_duration>3600</max_session_duration> | |
375 | <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document> | |
376 | </role> | |
377 | ||
378 | ||
379 | List Roles | |
380 | ---------- | |
381 | ||
382 | Example:: | |
383 | POST "<hostname>?Action=ListRoles&RoleName=S3Access&PathPrefix=/application" | |
384 | ||
385 | .. code-block:: XML | |
386 | ||
387 | <role> | |
388 | <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id> | |
389 | <name>S3Access</name> | |
390 | <path>/application_abc/component_xyz/</path> | |
391 | <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn> | |
392 | <create_date>2018-10-23T07:43:42.811Z</create_date> | |
393 | <max_session_duration>3600</max_session_duration> | |
394 | <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document> | |
395 | </role> | |
396 | ||
397 | ||
398 | Update Assume Role Policy Document | |
399 | ---------------------------------- | |
400 | ||
401 | Example:: | |
402 | POST "<hostname>?Action=UpdateAssumeRolePolicy&RoleName=S3Access&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}" | |
403 | ||
404 | Add/ Update a Policy attached to a Role | |
405 | --------------------------------------- | |
406 | ||
407 | Example:: | |
408 | POST "<hostname>?Action=PutRolePolicy&RoleName=S3Access&PolicyName=Policy1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:CreateBucket\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}" | |
409 | ||
410 | List Permission Policy Names attached to a Role | |
411 | ----------------------------------------------- | |
412 | ||
413 | Example:: | |
414 | POST "<hostname>?Action=ListRolePolicies&RoleName=S3Access" | |
415 | ||
416 | .. code-block:: XML | |
417 | ||
418 | <PolicyNames> | |
419 | <member>Policy1</member> | |
420 | </PolicyNames> | |
421 | ||
422 | ||
423 | Get Permission Policy attached to a Role | |
424 | ---------------------------------------- | |
425 | ||
426 | Example:: | |
427 | POST "<hostname>?Action=GetRolePolicy&RoleName=S3Access&PolicyName=Policy1" | |
428 | ||
429 | .. code-block:: XML | |
430 | ||
431 | <GetRolePolicyResult> | |
432 | <PolicyName>Policy1</PolicyName> | |
433 | <RoleName>S3Access</RoleName> | |
434 | <Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:CreateBucket"],"Resource":"arn:aws:s3:::example_bucket"}]}</Permission_policy> | |
435 | </GetRolePolicyResult> | |
436 | ||
437 | ||
438 | Delete Policy attached to a Role | |
439 | -------------------------------- | |
440 | ||
441 | Example:: | |
20effc67 TL |
442 | POST "<hostname>?Action=DeleteRolePolicy&RoleName=S3Access&PolicyName=Policy1" |
443 | ||
444 | Tag a role | |
445 | ---------- | |
446 | A role can have multi-valued tags attached to it. These tags can also be passed in as part of the CreateRole REST API. | |
447 | AWS does not support multi-valued role tags. | |
448 | ||
449 | Example:: | |
450 | POST "<hostname>?Action=TagRole&RoleName=S3Access&Tags.member.1.Key=Department&Tags.member.1.Value=Engineering" | |
451 | ||
452 | .. code-block:: XML | |
453 | ||
454 | <TagRoleResponse> | |
455 | <ResponseMetadata> | |
456 | <RequestId>tx000000000000000000004-00611f337e-1027-default</RequestId> | |
457 | </ResponseMetadata> | |
458 | </TagRoleResponse> | |
459 | ||
460 | ||
461 | List role tags | |
462 | -------------- | |
463 | Lists the tags attached to a role. | |
464 | ||
465 | Example:: | |
466 | POST "<hostname>?Action=ListRoleTags&RoleName=S3Access" | |
467 | ||
468 | .. code-block:: XML | |
469 | ||
470 | <ListRoleTagsResponse> | |
471 | <ListRoleTagsResult> | |
472 | <Tags> | |
473 | <member> | |
474 | <Key>Department</Key> | |
475 | <Value>Engineering</Value> | |
476 | </member> | |
477 | </Tags> | |
478 | </ListRoleTagsResult> | |
479 | <ResponseMetadata> | |
480 | <RequestId>tx000000000000000000005-00611f337e-1027-default</RequestId> | |
481 | </ResponseMetadata> | |
482 | </ListRoleTagsResponse> | |
483 | ||
484 | Delete role tags | |
485 | ---------------- | |
486 | Deletes one or more tags attached to a role. | |
487 | ||
488 | Example:: | |
489 | POST "<hostname>?Action=UntagRole&RoleName=S3Access&TagKeys.member.1=Department" | |
490 | ||
491 | .. code-block:: XML | |
492 | ||
493 | <UntagRoleResponse> | |
494 | <ResponseMetadata> | |
495 | <RequestId>tx000000000000000000007-00611f337e-1027-default</RequestId> | |
496 | </ResponseMetadata> | |
497 | </UntagRoleResponse> | |
498 | ||
1e59de90 TL |
499 | Update Role |
500 | ----------- | |
501 | ||
502 | Example:: | |
503 | POST "<hostname>?Action=UpdateRole&RoleName=S3Access&MaxSessionDuration=43200" | |
504 | ||
505 | .. code-block:: XML | |
506 | ||
507 | <UpdateRoleResponse> | |
508 | <UpdateRoleResult> | |
509 | <ResponseMetadata> | |
510 | <RequestId>tx000000000000000000007-00611f337e-1027-default</RequestId> | |
511 | </ResponseMetadata> | |
512 | </UpdateRoleResult> | |
513 | </UpdateRoleResponse> | |
514 | ||
515 | Note: This API currently can only be used to update max-session-duration. | |
20effc67 TL |
516 | |
517 | Sample code for tagging, listing tags and untagging a role | |
518 | ---------------------------------------------------------- | |
519 | ||
520 | The following is sample code for adding tags to a role, listing its tags, and untagging it using boto3. | |
521 | ||
522 | .. code-block:: python | |
523 | ||
524 | import boto3 | |
525 | ||
526 | access_key = 'TESTER' | |
527 | secret_key = 'test123' | |
528 | ||
529 | iam_client = boto3.client('iam', | |
530 | aws_access_key_id=access_key, | |
531 | aws_secret_access_key=secret_key, | |
532 | endpoint_url='http://s3.us-east.localhost:8000', | |
533 | region_name='' | |
534 | ) | |
535 | ||
536 | policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/quickstart:sub\":\"user1\"}}}]}" | |
537 | ||
538 | print ("\n Creating Role with tags\n") | |
539 | tags_list = [ | |
540 | {'Key':'Department','Value':'Engineering'} | |
541 | ] | |
542 | role_response = iam_client.create_role( | |
543 | AssumeRolePolicyDocument=policy_document, | |
544 | Path='/', | |
545 | RoleName='S3Access', | |
546 | Tags=tags_list, | |
547 | ) | |
548 | ||
549 | print ("Adding tags to role\n") | |
550 | response = iam_client.tag_role( | |
551 | RoleName='S3Access', | |
552 | Tags= [ | |
553 | {'Key':'CostCenter','Value':'123456'} | |
554 | ] | |
555 | ) | |
556 | print ("Listing role tags\n") | |
557 | response = iam_client.list_role_tags( | |
558 | RoleName='S3Access' | |
559 | ) | |
560 | print (response) | |
561 | print ("Untagging role\n") | |
562 | response = iam_client.untag_role( | |
563 | RoleName='S3Access', | |
564 | TagKeys=[ | |
565 | 'Department', | |
566 | ] | |
567 | ) | |
568 | ||
569 | ||
570 |