本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # 使用 SDK 管理 IAM 存取金鑰 AWS 下列程式碼範例示範如何管理存取金鑰。 **警告** 為避免安全風險,在開發專用軟體或使用真實資料時,請勿使用 IAM 使用者進行身分驗證。相反地,搭配使用聯合功能和身分提供者,例如 [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)。 + 建立並列出存取金鑰。 + 找出上次使用存取金鑰的時間和方式。 + 更新和刪除存取金鑰。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)中設定和執行。 建立可包裝 IAM 存取金鑰動作的函數。 ``` import logging import boto3 from botocore.exceptions import ClientError logger = logging.getLogger(__name__) iam = boto3.resource("iam") def list_keys(user_name): """ Lists the keys owned by the specified user. :param user_name: The name of the user. :return: The list of keys owned by the user. """ try: keys = list(iam.User(user_name).access_keys.all()) logger.info("Got %s access keys for %s.", len(keys), user_name) except ClientError: logger.exception("Couldn't get access keys for %s.", user_name) raise else: return keys def create_key(user_name): """ Creates an access key for the specified user. Each user can have a maximum of two keys. :param user_name: The name of the user. :return: The created access key. """ try: key_pair = iam.User(user_name).create_access_key_pair() logger.info( "Created access key pair for %s. Key ID is %s.", key_pair.user_name, key_pair.id, ) except ClientError: logger.exception("Couldn't create access key pair for %s.", user_name) raise else: return key_pair def get_last_use(key_id): """ Gets information about when and how a key was last used. :param key_id: The ID of the key to look up. :return: Information about the key's last use. """ try: response = iam.meta.client.get_access_key_last_used(AccessKeyId=key_id) last_used_date = response["AccessKeyLastUsed"].get("LastUsedDate", None) last_service = response["AccessKeyLastUsed"].get("ServiceName", None) logger.info( "Key %s was last used by %s on %s to access %s.", key_id, response["UserName"], last_used_date, last_service, ) except ClientError: logger.exception("Couldn't get last use of key %s.", key_id) raise else: return response def update_key(user_name, key_id, activate): """ Updates the status of a key. :param user_name: The user that owns the key. :param key_id: The ID of the key to update. :param activate: When True, the key is activated. Otherwise, the key is deactivated. """ try: key = iam.User(user_name).AccessKey(key_id) if activate: key.activate() else: key.deactivate() logger.info("%s key %s.", "Activated" if activate else "Deactivated", key_id) except ClientError: logger.exception( "Couldn't %s key %s.", "Activate" if activate else "Deactivate", key_id ) raise def delete_key(user_name, key_id): """ Deletes a user's access key. :param user_name: The user that owns the key. :param key_id: The ID of the key to delete. """ try: key = iam.AccessKey(user_name, key_id) key.delete() logger.info("Deleted access key %s for %s.", key.id, key.user_name) except ClientError: logger.exception("Couldn't delete key %s for %s", key_id, user_name) raise ``` 使用包裝函數執行目前使用者的存取金鑰動作。 ``` def usage_demo(): """Shows how to create and manage access keys.""" def print_keys(): """Gets and prints the current keys for a user.""" current_keys = list_keys(current_user_name) print("The current user's keys are now:") print(*[f"{key.id}: {key.status}" for key in current_keys], sep="\n") logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s") print("-" * 88) print("Welcome to the AWS Identity and Account Management access key demo.") print("-" * 88) current_user_name = iam.CurrentUser().user_name print( f"This demo creates an access key for the current user " f"({current_user_name}), manipulates the key in a few ways, and then " f"deletes it." ) all_keys = list_keys(current_user_name) if len(all_keys) == 2: print( "The current user already has the maximum of 2 access keys. To run " "this demo, either delete one of the access keys or use a user " "that has only 1 access key." ) else: new_key = create_key(current_user_name) print(f"Created a new key with id {new_key.id} and secret {new_key.secret}.") print_keys() existing_key = next(key for key in all_keys if key != new_key) last_use = get_last_use(existing_key.id)["AccessKeyLastUsed"] print( f"Key {all_keys[0].id} was last used to access {last_use['ServiceName']} " f"on {last_use['LastUsedDate']}" ) update_key(current_user_name, new_key.id, False) print(f"Key {new_key.id} is now deactivated.") print_keys() delete_key(current_user_name, new_key.id) print_keys() print("Thanks for watching!") ``` + 如需 API 詳細資訊,請參閱《適用於 Python (Boto3) 的AWS SDK API 參考》**中的下列主題。 + [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey) + [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey) + [GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccessKeyLastUsed) + [ListAccessKeys](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAccessKeys) + [UpdateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/UpdateAccessKey) ------ 如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。