
Minimum IAM policy required to run Boto functions


I'm trying to run some boto functions in a Python script. I need to create an IAM policy with the minimum required permissions to execute those boto functions. Is there a good way I can relate those boto functions to the AWS IAM permissions that I'd need to execute them?

For example, here are the boto modules (python) I have. What IAM permissions would a user need to run them? Is there a good way to find this?

boto.ec2.autoscale.connect_to_region
boto.ec2.elb.connect_to_region
boto.ec2.connect_to_region
boto.ec2.instance.Instance
boto.ec2.elb.loadbalancer.LoadBalancer
boto.ec2.autoscale.group.AutoScalingGroup

Solution

There is no 1:1 correlation between the functions you listed and an API call to AWS.

If you use a client function, then you need the specific permission for that function, such as:

    response = ec2_client.describe_instances()

This command would require `ec2:DescribeInstances` permission.

boto3 also provides resource functions that provide a more object-like experience, such as:

    instance = ec2_resource.Instance('id')

Such functions could call any number of underlying API calls, so it is not easy to determine the permissions required for such calls.

You can use AWS CloudTrail to view the underlying API calls that were made, so that permissions can be determined.
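The answer's two ideas (client method name maps to one IAM action; resource calls need CloudTrail to reveal the underlying actions) can be turned into a small least-privilege workflow. The following is an added example, not code from the question or the answer: it converts constructed CloudTrail records into IAM action names, builds an allow-list policy from them, and reports which observed actions a candidate policy fails to cover. The CloudTrail events are constructed for illustration, and the assumption that the IAM action is `<eventSource host prefix>:<eventName>` holds for ec2, elasticloadbalancing and autoscaling but not for every service, so an explicit override table is included.

```python
"""
Derive a least-privilege IAM policy from CloudTrail records (added example,
not part of the original Q&A). Standard library only.

Assumptions:
  * IAM action = <service prefix>:<eventName>, where the prefix is the first
    label of CloudTrail's eventSource. This holds for ec2, elasticloadbalancing
    and autoscaling; services whose IAM prefix differs from the eventSource
    host (e.g. CloudWatch logs as monitoring.amazonaws.com but uses the
    cloudwatch: prefix) need an entry in PREFIX_OVERRIDES.
  * The snake_case -> PascalCase conversion covers common operation names.
    With boto3 installed, client.meta.method_to_api_mapping gives the exact
    API operation name (e.g. 'DescribeDBInstances'), which this helper cannot
    reconstruct from casing alone.
"""
import fnmatch
import json

# Constructed sample CloudTrail records, trimmed to the fields we need.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "elasticloadbalancing.amazonaws.com",
     "eventName": "DescribeLoadBalancers"},
    {"eventSource": "autoscaling.amazonaws.com",
     "eventName": "DescribeAutoScalingGroups"},
    {"eventSource": "monitoring.amazonaws.com",
     "eventName": "GetMetricStatistics"},
]

# eventSource host label -> IAM service prefix, where the two differ.
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


def iam_action(event):
    """Map one CloudTrail record to the IAM action it exercised."""
    host_prefix = event["eventSource"].split(".", 1)[0]
    prefix = PREFIX_OVERRIDES.get(host_prefix, host_prefix)
    return f"{prefix}:{event['eventName']}"


def method_to_action(service_prefix, method_name):
    """Map a boto3 client method (snake_case) to an IAM action name."""
    operation = "".join(part.capitalize() for part in method_name.split("_"))
    return f"{service_prefix}:{operation}"


def actions_from_events(events):
    """Deduplicated, sorted set of IAM actions seen in a CloudTrail sample."""
    return sorted({iam_action(e) for e in events})


def build_policy(actions, resource="*"):
    """Allow-list policy document for the given actions.

    Resource is left as '*' here; scope it to ARNs where the actions support
    resource-level permissions (Describe* calls generally do not).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": resource}
        ],
    }


def uncovered_actions(allowed_patterns, observed_actions):
    """Observed actions that no allowed pattern matches.

    IAM action matching is case-insensitive and supports '*' wildcards, so
    compare lower-cased strings with fnmatchcase (no OS-dependent casing).
    """
    patterns = [p.lower() for p in allowed_patterns]
    return sorted(
        a for a in observed_actions
        if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)
    )


if __name__ == "__main__":
    observed = actions_from_events(SAMPLE_EVENTS)
    print(json.dumps(build_policy(observed), indent=2))
    # Check a hand-written policy against what the script actually called.
    candidate = ["ec2:Describe*", "elasticloadbalancing:DescribeLoadBalancers"]
    print("missing:", uncovered_actions(candidate, observed))
```

Run the script under a test user once, collect the trail for that window, and feed the records in; the `uncovered_actions` check is the part worth keeping in CI, because it tells you when a code change started calling an API the policy does not yet allow.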