AWS Identity and Access Management

2014/10/16 - AWS Identity and Access Management - 76 new api methods

DeleteGroupPolicy (new)

Deletes the specified policy that is associated with the specified group.

Request Syntax

client.delete_group_policy(
    GroupName='string',
    PolicyName='string'
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group the policy is associated with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document to delete.

returns

None

ListInstanceProfiles (new)

Lists the instance profiles that have the specified path prefix. If there are none, the action returns an empty list. For more information about instance profiles, go to About Instance Profiles.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_instance_profiles(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example: /application_abc/component_xyz/, which would get all instance profiles whose path starts with /application_abc/component_xyz/.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all instance profiles.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of instance profiles you want in the response. If there are additional instance profiles beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'InstanceProfiles': [
        {
            'Path': 'string',
            'InstanceProfileName': 'string',
            'InstanceProfileId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'Roles': [
                {
                    'Path': 'string',
                    'RoleName': 'string',
                    'RoleId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'AssumeRolePolicyDocument': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListInstanceProfiles action.

    • InstanceProfiles (list) --

      A list of instance profiles.

      • (dict) --

        The InstanceProfile data type contains information about an instance profile.

        This data type is used as a response element in the following actions:

        • CreateInstanceProfile

        • GetInstanceProfile

        • ListInstanceProfiles

        • ListInstanceProfilesForRole

        • Path (string) --

          Path to the instance profile. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • InstanceProfileName (string) --

          The name identifying the instance profile.

        • InstanceProfileId (string) --

          The stable and unique string identifying the instance profile. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the instance profile was created.

        • Roles (list) --

          The role associated with the instance profile.

          • (dict) --

            The Role data type contains information about a role.

            This data type is used as a response element in the following actions:

            • CreateRole

            • GetRole

            • ListRoles

            • Path (string) --

              Path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

            • RoleName (string) --

              The name identifying the role.

            • RoleId (string) --

              The stable and unique string identifying the role. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

            • CreateDate (datetime) --

              The date when the role was created.

            • AssumeRolePolicyDocument (string) --

              The policy that grants an entity permission to assume the role.

              The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more instance profiles to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more instance profiles in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

PutGroupPolicy (new)

Adds (or updates) a policy document associated with the specified group. For information about policies, refer to Overview of Policies in the Using IAM guide.

For information about limits on the number of policies you can associate with a group, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.put_group_policy(
    GroupName='string',
    PolicyName='string',
    PolicyDocument='string'
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group to associate the policy with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document.

type PolicyDocument

string

param PolicyDocument

[REQUIRED]

The policy document.

returns

None

DeleteSAMLProvider (new)

Deletes a SAML provider.

Deleting the provider does not update any roles that reference the SAML provider as a principal in their trust policies. Any attempt to assume a role that references a SAML provider that has been deleted will fail.

Request Syntax

client.delete_saml_provider(
    SAMLProviderArn='string'
)
type SAMLProviderArn

string

param SAMLProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the SAML provider to delete.

returns

None

ListServerCertificates (new)

Lists the server certificates that have the specified path prefix. If none exist, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_server_certificates(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example: /company/servercerts would get all server certificates for which the path starts with /company/servercerts.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all server certificates.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of server certificates you want in the response. If there are additional server certificates beyond the maximum you specify, the IsTruncated response element will be set to true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'ServerCertificateMetadataList': [
        {
            'Path': 'string',
            'ServerCertificateName': 'string',
            'ServerCertificateId': 'string',
            'Arn': 'string',
            'UploadDate': datetime(2015, 1, 1),
            'Expiration': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListServerCertificates action.

    • ServerCertificateMetadataList (list) --

      A list of server certificates.

      • (dict) --

        ServerCertificateMetadata contains information about a server certificate without its certificate body, certificate chain, and private key.

        This data type is used as a response element in the actions UploadServerCertificate and ListServerCertificates.

        • Path (string) --

          Path to the server certificate. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • ServerCertificateName (string) --

          The name that identifies the server certificate.

        • ServerCertificateId (string) --

          The stable and unique string identifying the server certificate. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • UploadDate (datetime) --

          The date when the server certificate was uploaded.

        • Expiration (datetime) --

          The date on which the certificate is set to expire.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more server certificates to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more server certificates in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

DeleteRolePolicy (new)

Deletes the specified policy associated with the specified role.

Request Syntax

client.delete_role_policy(
    RoleName='string',
    PolicyName='string'
)
type RoleName

string

param RoleName

[REQUIRED]

Name of the role the policy is associated with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document to delete.

returns

None

ListVirtualMFADevices (new)

Lists the virtual MFA devices under the AWS account by assignment status. If you do not specify an assignment status, the action returns a list of all virtual MFA devices. Assignment status can be Assigned, Unassigned, or Any.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_virtual_mfa_devices(
    AssignmentStatus='Assigned'|'Unassigned'|'Any',
    Marker='string',
    MaxItems=123
)
type AssignmentStatus

string

param AssignmentStatus

The status (unassigned or assigned) of the devices to list. If you do not specify an AssignmentStatus, the action defaults to Any, which lists both assigned and unassigned virtual MFA devices.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of virtual MFA devices you want in the response. If there are additional devices beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'VirtualMFADevices': [
        {
            'SerialNumber': 'string',
            'Base32StringSeed': b'bytes',
            'QRCodePNG': b'bytes',
            'User': {
                'Path': 'string',
                'UserName': 'string',
                'UserId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1)
            },
            'EnableDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListVirtualMFADevices action.

    • VirtualMFADevices (list) --

      • (dict) --

        The VirtualMFADevice data type contains information about a virtual MFA device.

        • SerialNumber (string) --

          The serial number associated with the VirtualMFADevice.

        • Base32StringSeed (bytes) --

          The Base32 seed defined as specified in RFC3548. The Base32StringSeed is Base64-encoded.

        • QRCodePNG (bytes) --

          A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String where $virtualMFADeviceName is one of the create call arguments, AccountName is the user name if set (accountId otherwise), and Base32String is the seed in Base32 format. The Base32String is Base64-encoded.

        • User (dict) --

          The User data type contains information about a user.

          This data type is used as a response element in the following actions:

          • CreateUser

          • GetUser

          • ListUsers

          • Path (string) --

            Path to the user. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

          • UserName (string) --

            The name identifying the user.

          • UserId (string) --

            The stable and unique string identifying the user. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

          • Arn (string) --

            The Amazon Resource Name (ARN) specifying the user. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

          • CreateDate (datetime) --

            The date when the user was created.

        • EnableDate (datetime) --

          The date and time on which the virtual MFA device was enabled.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

CreateSAMLProvider (new)

Creates an IAM entity to describe an identity provider (IdP) that supports SAML 2.0.

The SAML provider that you create with this operation can be used as a principal in a role's trust policy to establish a trust relationship between AWS and a SAML identity provider. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

When you create the SAML provider, you upload a SAML metadata document that you get from your IdP and that includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see Giving Console Access Using SAML and Creating Temporary Security Credentials for SAML Federation in the Using Temporary Credentials guide.

Request Syntax

client.create_saml_provider(
    SAMLMetadataDocument='string',
    Name='string'
)
type SAMLMetadataDocument

string

param SAMLMetadataDocument

[REQUIRED]

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see Creating Temporary Security Credentials for SAML Federation in the Using Temporary Security Credentials guide.

type Name

string

param Name

[REQUIRED]

The name of the provider to create.

rtype

dict

returns

Response Syntax

{
    'SAMLProviderArn': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateSAMLProvider action.

    • SAMLProviderArn (string) --

      The Amazon Resource Name (ARN) of the SAML provider.

ListInstanceProfilesForRole (new)

Lists the instance profiles that have the specified associated role. If there are none, the action returns an empty list. For more information about instance profiles, go to About Instance Profiles.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_instance_profiles_for_role(
    RoleName='string',
    Marker='string',
    MaxItems=123
)
type RoleName

string

param RoleName

[REQUIRED]

The name of the role to list instance profiles for.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of instance profiles you want in the response. If there are additional instance profiles beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'InstanceProfiles': [
        {
            'Path': 'string',
            'InstanceProfileName': 'string',
            'InstanceProfileId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'Roles': [
                {
                    'Path': 'string',
                    'RoleName': 'string',
                    'RoleId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'AssumeRolePolicyDocument': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListInstanceProfilesForRole action.

    • InstanceProfiles (list) --

      A list of instance profiles.

      • (dict) --

        The InstanceProfile data type contains information about an instance profile.

        This data type is used as a response element in the following actions:

        • CreateInstanceProfile

        • GetInstanceProfile

        • ListInstanceProfiles

        • ListInstanceProfilesForRole

        • Path (string) --

          Path to the instance profile. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • InstanceProfileName (string) --

          The name identifying the instance profile.

        • InstanceProfileId (string) --

          The stable and unique string identifying the instance profile. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the instance profile was created.

        • Roles (list) --

          The role associated with the instance profile.

          • (dict) --

            The Role data type contains information about a role.

            This data type is used as a response element in the following actions:

            • CreateRole

            • GetRole

            • ListRoles

            • Path (string) --

              Path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

            • RoleName (string) --

              The name identifying the role.

            • RoleId (string) --

              The stable and unique string identifying the role. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

            • CreateDate (datetime) --

              The date when the role was created.

            • AssumeRolePolicyDocument (string) --

              The policy that grants an entity permission to assume the role.

              The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more instance profiles to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more instance profiles in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

RemoveUserFromGroup (new)

Removes the specified user from the specified group.

Request Syntax

client.remove_user_from_group(
    GroupName='string',
    UserName='string'
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group to update.

type UserName

string

param UserName

[REQUIRED]

Name of the user to remove.

returns

None

DeleteRole (new)

Deletes the specified role. The role must not have any policies attached. For more information about roles, go to Working with Roles.

Warning

Make sure you do not have any Amazon EC2 instances running with the role you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.

Request Syntax

client.delete_role(
    RoleName='string'
)
type RoleName

string

param RoleName

[REQUIRED]

Name of the role to delete.

returns

None

ListSigningCertificates (new)

Returns information about the signing certificates associated with the specified user. If there are none, the action returns an empty list.

Although each user is limited to a small number of signing certificates, you can still paginate the results using the MaxItems and Marker parameters.

If the UserName field is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, this API can be used to manage root credentials even if the AWS account has no associated users.

Request Syntax

client.list_signing_certificates(
    UserName='string',
    Marker='string',
    MaxItems=123
)
type UserName

string

param UserName

The name of the user.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of certificate IDs you want in the response. If there are additional certificate IDs beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Certificates': [
        {
            'UserName': 'string',
            'CertificateId': 'string',
            'CertificateBody': 'string',
            'Status': 'Active'|'Inactive',
            'UploadDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListSigningCertificates action.

    • Certificates (list) --

      A list of the user's signing certificate information.

      • (dict) --

        The SigningCertificate data type contains information about an X.509 signing certificate.

        This data type is used as a response element in the actions UploadSigningCertificate and ListSigningCertificates.

        • UserName (string) --

          Name of the user the signing certificate is associated with.

        • CertificateId (string) --

          The ID for the signing certificate.

        • CertificateBody (string) --

          The contents of the signing certificate.

        • Status (string) --

          The status of the signing certificate. Active means the key is valid for API calls, while Inactive means it is not.

        • UploadDate (datetime) --

          The date when the signing certificate was uploaded.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more certificate IDs to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more certificates in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListAccessKeys (new)

Returns information about the access key IDs associated with the specified user. If there are none, the action returns an empty list.

Although each user is limited to a small number of keys, you can still paginate the results using the MaxItems and Marker parameters.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, this API can be used to manage root credentials even if the AWS account has no associated users.

Request Syntax

client.list_access_keys(
    UserName='string',
    Marker='string',
    MaxItems=123
)
type UserName

string

param UserName

Name of the user.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of keys you want in the response. If there are additional keys beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'AccessKeyMetadata': [
        {
            'UserName': 'string',
            'AccessKeyId': 'string',
            'Status': 'Active'|'Inactive',
            'CreateDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListAccessKeys action.

    • AccessKeyMetadata (list) --

      A list of access key metadata.

      • (dict) --

        The AccessKey data type contains information about an AWS access key, without its secret key.

        This data type is used as a response element in the action ListAccessKeys.

        • UserName (string) --

          Name of the user the key is associated with.

        • AccessKeyId (string) --

          The ID for this access key.

        • Status (string) --

          The status of the access key. Active means the key is valid for API calls, while Inactive means it is not.

        • CreateDate (datetime) --

          The date when the access key was created.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more keys to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more keys in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
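Every list action on this page (ListInstanceProfiles, ListServerCertificates, ListVirtualMFADevices, ListInstanceProfilesForRole, ListSigningCertificates, ListGroups and ListAccessKeys) pages the same way: send MaxItems, and while IsTruncated is true, resend with the returned Marker. The following added example, which is not boto3's or AWS's own code, walks that loop over ListAccessKeys and flags Active keys older than a rotation age; FakeAccessKeyClient, SAMPLE_KEYS, the user names and the AKIAEXAMPLE... key IDs are constructed stand-ins, and a real boto3.client('iam') can be passed to the same functions.

```python
"""Marker/IsTruncated pagination over ListAccessKeys plus a key-age check.

Added example (not boto3's or AWS's own code). FakeAccessKeyClient and
SAMPLE_KEYS are constructed so the block runs offline; the same functions
accept a real boto3.client('iam').
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data: user names and key IDs are placeholders, not real keys.
SAMPLE_KEYS = [
    {'UserName': 'alice', 'AccessKeyId': 'AKIAEXAMPLEKEY000001', 'Status': 'Active',
     'CreateDate': datetime(2014, 1, 1, tzinfo=timezone.utc)},
    {'UserName': 'alice', 'AccessKeyId': 'AKIAEXAMPLEKEY000002', 'Status': 'Active',
     'CreateDate': datetime(2014, 12, 1, tzinfo=timezone.utc)},
    {'UserName': 'bob', 'AccessKeyId': 'AKIAEXAMPLEKEY000003', 'Status': 'Inactive',
     'CreateDate': datetime(2013, 6, 1, tzinfo=timezone.utc)},
    {'UserName': 'bob', 'AccessKeyId': 'AKIAEXAMPLEKEY000004', 'Status': 'Active',
     'CreateDate': datetime(2014, 6, 1, tzinfo=timezone.utc)},
    {'UserName': 'carol', 'AccessKeyId': 'AKIAEXAMPLEKEY000005', 'Status': 'Active',
     'CreateDate': datetime(2014, 11, 1, tzinfo=timezone.utc)},
]
AS_OF = datetime(2015, 1, 1, tzinfo=timezone.utc)  # constructed "now" for the sample


class FakeAccessKeyClient:
    """Constructed stub that serves ListAccessKeys pages the way the API documents
    them: at most MaxItems entries, IsTruncated, and Marker only when truncated."""

    def __init__(self, keys):
        self._keys = keys
        self.calls = 0  # number of requests made, to show that paging happened

    def list_access_keys(self, UserName=None, Marker=None, MaxItems=100):
        self.calls += 1
        rows = [k for k in self._keys if UserName is None or k['UserName'] == UserName]
        start = int(Marker) if Marker else 0
        end = start + MaxItems
        resp = {'AccessKeyMetadata': rows[start:end], 'IsTruncated': end < len(rows)}
        if resp['IsTruncated']:
            resp['Marker'] = str(end)  # opaque to callers; present only when truncated
        return resp


def paginate(list_fn, result_key, **kwargs):
    """Yield every item from an IAM list_* call, following Marker until
    IsTruncated is false. Marker is sent only on follow-up requests, as the
    parameter documentation requires."""
    marker = None
    while True:
        params = dict(kwargs)
        if marker is not None:
            params['Marker'] = marker
        resp = list_fn(**params)
        yield from resp[result_key]
        if not resp.get('IsTruncated'):
            return
        marker = resp['Marker']


def stale_active_keys(client, user_name=None, max_age_days=90, now=None, page_size=100):
    """Return (UserName, AccessKeyId) for Active keys created more than
    max_age_days ago. Inactive keys cannot sign requests, so they are skipped;
    an Active key that old is the one worth rotating."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    kwargs = {'MaxItems': page_size}
    if user_name:
        kwargs['UserName'] = user_name
    stale = []
    for meta in paginate(client.list_access_keys, 'AccessKeyMetadata', **kwargs):
        if meta['Status'] == 'Active' and meta['CreateDate'] < cutoff:
            stale.append((meta['UserName'], meta['AccessKeyId']))
    return stale


if __name__ == '__main__':
    client = FakeAccessKeyClient(SAMPLE_KEYS)
    # page_size=2 forces three requests over the five sample keys
    for user, key_id in stale_active_keys(client, now=AS_OF, page_size=2):
        print(f'rotate {key_id} ({user})')
```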

GetRole (new)

Retrieves information about the specified role, including the role's path, GUID, ARN, and the policy granting permission to assume the role. For more information about ARNs, go to ARNs. For more information about roles, go to Working with Roles.

The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

Request Syntax

client.get_role(
    RoleName='string'
)
type RoleName

string

param RoleName

[REQUIRED]

Name of the role to get information about.

rtype

dict

returns

Response Syntax

{
    'Role': {
        'Path': 'string',
        'RoleName': 'string',
        'RoleId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'AssumeRolePolicyDocument': 'string'
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetRole action.

    • Role (dict) --

      Information about the role.

      • Path (string) --

        Path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • RoleName (string) --

        The name identifying the role.

      • RoleId (string) --

        The stable and unique string identifying the role. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the role was created.

      • AssumeRolePolicyDocument (string) --

        The policy that grants an entity permission to assume the role.

        The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.
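As DeleteSAMLProvider notes above, deleting a provider does not update the roles that name it as a principal, so a defender wants to know which roles would be left with a dangling trust before deleting. The following added example, not boto3's or AWS's own code, fetches each role's AssumeRolePolicyDocument through GetRole, URL-decodes it per RFC 3986 and reports the roles that allow the given provider to call sts:AssumeRoleWithSAML; FakeRoleClient, TRUST_POLICIES, the role names and the 123456789012 account ID are constructed stand-ins for a real boto3.client('iam') and its data.

```python
"""Find roles whose trust policy references a SAML provider before deleting it.

Added example (not boto3's or AWS's own code). GetRole returns
AssumeRolePolicyDocument URL-encoded per RFC 3986; DeleteSAMLProvider leaves
roles that name the provider with a dangling principal, so list them first.
FakeRoleClient, TRUST_POLICIES, the role names and the account ID are constructed.
"""
import json
from urllib.parse import quote, unquote

PROVIDER_ARN = 'arn:aws:iam::123456789012:saml-provider/ExampleIdP'  # placeholder
OTHER_ARN = 'arn:aws:iam::123456789012:saml-provider/OtherIdP'       # placeholder


def _as_list(value):
    """Policy JSON allows a single value or a list for Statement, Action and
    the members of Principal; normalise both shapes to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def decode_trust_policy(document):
    """Decode the RFC 3986 URL-encoded policy string that GetRole documents.
    Some SDK versions already hand back a parsed dict, so that is accepted too."""
    if isinstance(document, dict):
        return document
    return json.loads(unquote(document))


def trusts_saml_provider(policy, provider_arn):
    """True if an Allow statement lets provider_arn (a Federated principal)
    call sts:AssumeRoleWithSAML, which is what DeleteSAMLProvider would break."""
    for stmt in _as_list(policy.get('Statement')):
        if stmt.get('Effect') != 'Allow':
            continue
        principal = stmt.get('Principal')
        if not isinstance(principal, dict):
            continue  # 'Principal': '*' is not a SAML federation grant
        federated = _as_list(principal.get('Federated'))
        actions = {a.lower() for a in _as_list(stmt.get('Action'))}
        if provider_arn in federated and actions & {'sts:assumerolewithsaml', 'sts:*', '*'}:
            return True
    return False


def roles_trusting_provider(client, role_names, provider_arn):
    """Names of the given roles whose trust policy references provider_arn."""
    hits = []
    for name in role_names:
        role = client.get_role(RoleName=name)['Role']
        policy = decode_trust_policy(role['AssumeRolePolicyDocument'])
        if trusts_saml_provider(policy, provider_arn):
            hits.append(name)
    return hits


def _allow(principal, action):
    return {'Effect': 'Allow', 'Principal': principal, 'Action': action}


# Constructed trust policies covering the grammar variants the checker handles.
TRUST_POLICIES = {
    'saml-console-role': {'Version': '2012-10-17', 'Statement': [
        _allow({'Federated': PROVIDER_ARN}, 'sts:AssumeRoleWithSAML')]},
    'ec2-app-role': {'Version': '2012-10-17', 'Statement': [
        _allow({'Service': 'ec2.amazonaws.com'}, 'sts:AssumeRole')]},
    'other-idp-role': {'Version': '2012-10-17', 'Statement': [
        _allow({'Federated': OTHER_ARN}, ['sts:AssumeRoleWithSAML'])]},
    # single Statement object (not a list) and a list of Federated principals
    'multi-idp-role': {'Version': '2012-10-17', 'Statement':
        _allow({'Federated': [OTHER_ARN, PROVIDER_ARN]}, 'sts:AssumeRoleWithSAML')},
}


class FakeRoleClient:
    """Constructed stub serving GetRole with the policy URL-encoded, as documented."""

    def get_role(self, RoleName):
        return {'Role': {
            'Path': '/', 'RoleName': RoleName,
            'Arn': f'arn:aws:iam::123456789012:role/{RoleName}',
            'AssumeRolePolicyDocument': quote(json.dumps(TRUST_POLICIES[RoleName]), safe=''),
        }}


if __name__ == '__main__':
    for name in roles_trusting_provider(FakeRoleClient(), list(TRUST_POLICIES), PROVIDER_ARN):
        print(f'{name} would break if {PROVIDER_ARN} were deleted')
```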

ListGroups (new)

Lists the groups that have the specified path prefix.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_groups(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example: /division_abc/subdivision_xyz/, which would get all groups whose path starts with /division_abc/subdivision_xyz/.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all groups.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of groups you want in the response. If there are additional groups beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Groups': [
        {
            'Path': 'string',
            'GroupName': 'string',
            'GroupId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListGroups action.

    • Groups (list) --

      A list of groups.

      • (dict) --

        The Group data type contains information about a group.

        This data type is used as a response element in the following actions:

        • CreateGroup

        • GetGroup

        • ListGroups

        • Path (string) --

          Path to the group. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • GroupName (string) --

          The name that identifies the group.

        • GroupId (string) --

          The stable and unique string identifying the group. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the group was created.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more groups to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more groups in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
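The Marker/IsTruncated contract above matters for auditing: a script that reads only the first page silently misses every group beyond MaxItems. The loop below is an added example, not boto3 or AWS code; the FakeIamClient, the sample groups and the account ID are constructed so that it runs offline.

```python
from datetime import datetime


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client: it serves a fixed group list in
    pages of MaxItems using the Marker/IsTruncated contract described above."""

    def __init__(self, groups):
        self._groups = groups

    def list_groups(self, PathPrefix="/", Marker=None, MaxItems=100):
        matching = [g for g in self._groups if g["Path"].startswith(PathPrefix)]
        start = int(Marker) if Marker else 0  # the marker is opaque to callers
        page = matching[start:start + MaxItems]
        response = {"Groups": page, "IsTruncated": start + MaxItems < len(matching)}
        if response["IsTruncated"]:
            response["Marker"] = str(start + MaxItems)  # present only when truncated
        return response


def iter_groups(client, path_prefix="/", page_size=100):
    """Yield every group under path_prefix, following Marker until IsTruncated is false."""
    kwargs = {"PathPrefix": path_prefix, "MaxItems": page_size}
    while True:
        response = client.list_groups(**kwargs)
        yield from response["Groups"]
        if not response.get("IsTruncated"):
            return
        # Marker is only present in a truncated response; pass it back unchanged.
        kwargs["Marker"] = response["Marker"]


def group_names(client, path_prefix="/", page_size=100):
    """Collect the names of all groups under path_prefix, across every page."""
    return [g["GroupName"] for g in iter_groups(client, path_prefix, page_size)]


def _group(name, path):
    # Constructed sample record shaped like the Group element above; the account
    # ID is a placeholder.
    return {"Path": path, "GroupName": name, "GroupId": f"AGPA-{name}",
            "Arn": f"arn:aws:iam::123456789012:group{path}{name}",
            "CreateDate": datetime(2015, 1, 1)}


SAMPLE_GROUPS = [_group(f"team{i}", "/division_abc/subdivision_xyz/") for i in range(5)]
SAMPLE_GROUPS.append(_group("ops", "/"))

if __name__ == "__main__":
    client = FakeIamClient(SAMPLE_GROUPS)
    # A single call with MaxItems=2 would show only two groups; the iterator
    # follows the marker and yields all five under the prefix.
    print(group_names(client, "/division_abc/subdivision_xyz/", page_size=2))
```

With the real client, boto3's `client.get_paginator('list_groups')` performs this marker handling for you; the loop is spelled out here so the contract is visible.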

CreateGroup (new) Link ¶

Creates a new group.

For information about the number of groups you can create, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.create_group(
    Path='string',
    GroupName='string'
)
type Path

string

param Path

The path to the group. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

type GroupName

string

param GroupName

[REQUIRED]

Name of the group to create. Do not include the path in this value.

rtype

dict

returns

Response Syntax

{
    'Group': {
        'Path': 'string',
        'GroupName': 'string',
        'GroupId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateGroup action.

    • Group (dict) --

      Information about the group.

      • Path (string) --

        Path to the group. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • GroupName (string) --

        The name that identifies the group.

      • GroupId (string) --

        The stable and unique string identifying the group. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the group was created.

CreateAccountAlias (new) Link ¶

This action creates an alias for your AWS account. For information about using an AWS account alias, see Using an Alias for Your AWS Account ID in the Using IAM guide.

Request Syntax

client.create_account_alias(
    AccountAlias='string'
)
type AccountAlias

string

param AccountAlias

[REQUIRED]

Name of the account alias to create.

returns

None

GetAccountSummary (new) Link ¶

Retrieves account-level information about account entity usage and IAM quotas.

For information about limitations on IAM entities, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.get_account_summary()
rtype

dict

returns

Response Syntax

{
    'SummaryMap': {
        'string': 123
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetAccountSummary action.

    • SummaryMap (dict) --

      A set of key value pairs containing account-level information.

      SummaryMap contains the following keys:

      • AccessKeysPerUserQuota - Maximum number of access keys that can be created per user

      • AccountMFAEnabled - 1 if the root account has an MFA device assigned to it, 0 otherwise

      • AssumeRolePolicySizeQuota - Maximum allowed size for assume role policy documents (in kilobytes)

      • GroupPolicySizeQuota - Maximum allowed size for Group policy documents (in kilobytes)

      • Groups - Number of Groups for the AWS account

      • GroupsPerUserQuota - Maximum number of groups a user can belong to

      • GroupsQuota - Maximum groups allowed for the AWS account

      • InstanceProfiles - Number of instance profiles for the AWS account

      • InstanceProfilesQuota - Maximum instance profiles allowed for the AWS account

      • MFADevices - Number of MFA devices, either assigned or unassigned

      • MFADevicesInUse - Number of MFA devices that have been assigned to an IAM user or to the root account

      • RolePolicySizeQuota - Maximum allowed size for role policy documents (in kilobytes)

      • Roles - Number of roles for the AWS account

      • RolesQuota - Maximum roles allowed for the AWS account

      • ServerCertificates - Number of server certificates for the AWS account

      • ServerCertificatesQuota - Maximum server certificates allowed for the AWS account

      • SigningCertificatesPerUserQuota - Maximum number of X509 certificates allowed for a user

      • UserPolicySizeQuota - Maximum allowed size for user policy documents (in kilobytes)

      • Users - Number of users for the AWS account

      • UsersQuota - Maximum users allowed for the AWS account

      • (string) --

        • (integer) --
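A defender's reading of this response, as an added example rather than AWS or boto3 code: it flags a root account without MFA, entity counts approaching their quotas, and MFA devices registered but never assigned. The SummaryMap values, the threshold and the finding strings are constructed for the example.

```python
# Constructed SummaryMap shaped like the GetAccountSummary response above; the
# numbers are sample values, not real quotas.
SAMPLE_SUMMARY = {
    "SummaryMap": {
        "AccountMFAEnabled": 0,
        "Users": 48, "UsersQuota": 5000,
        "Groups": 95, "GroupsQuota": 100,
        "Roles": 230, "RolesQuota": 250,
        "InstanceProfiles": 10, "InstanceProfilesQuota": 100,
        "ServerCertificates": 2, "ServerCertificatesQuota": 20,
        "MFADevices": 30, "MFADevicesInUse": 25,
    }
}

# Usage counters paired with the quota key they are measured against.
QUOTA_PAIRS = [
    ("Users", "UsersQuota"),
    ("Groups", "GroupsQuota"),
    ("Roles", "RolesQuota"),
    ("InstanceProfiles", "InstanceProfilesQuota"),
    ("ServerCertificates", "ServerCertificatesQuota"),
]


def account_summary_findings(response, threshold=0.9):
    """Return human-readable findings derived from a GetAccountSummary response.

    threshold is the fraction of a quota at which usage is reported.
    """
    summary = response["SummaryMap"]
    findings = []
    # AccountMFAEnabled is 1 only when the root account has an MFA device.
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root account has no MFA device assigned")
    for used_key, quota_key in QUOTA_PAIRS:
        used, quota = summary.get(used_key), summary.get(quota_key)
        if used is None or not quota:
            continue
        if used / quota >= threshold:
            findings.append(f"{used_key}: {used}/{quota} ({used / quota:.0%} of quota)")
    # MFADevices counts every device; MFADevicesInUse only those assigned.
    unassigned = summary.get("MFADevices", 0) - summary.get("MFADevicesInUse", 0)
    if unassigned > 0:
        findings.append(f"{unassigned} MFA device(s) registered but not assigned")
    return findings


if __name__ == "__main__":
    for finding in account_summary_findings(SAMPLE_SUMMARY):
        print(finding)
```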

DeleteInstanceProfile (new) Link ¶

Deletes the specified instance profile. The instance profile must not have an associated role.

Warning

Make sure you do not have any Amazon EC2 instances running with the instance profile you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.

For more information about instance profiles, go to About Instance Profiles.

Request Syntax

client.delete_instance_profile(
    InstanceProfileName='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

Name of the instance profile to delete.

returns

None

CreateAccessKey (new) Link ¶

Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this API to manage root credentials even if the AWS account has no associated users.

For information about limits on the number of keys you can create, see Limitations on IAM Entities in the Using IAM guide.

Warning

To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.

Request Syntax

client.create_access_key(
    UserName='string'
)
type UserName

string

param UserName

The user name that the new key will belong to.

rtype

dict

returns

Response Syntax

{
    'AccessKey': {
        'UserName': 'string',
        'AccessKeyId': 'string',
        'Status': 'Active'|'Inactive',
        'SecretAccessKey': 'string',
        'CreateDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateAccessKey action.

    • AccessKey (dict) --

      Information about the access key.

      • UserName (string) --

        Name of the user the key is associated with.

      • AccessKeyId (string) --

        The ID for this access key.

      • Status (string) --

        The status of the access key. Active means the key is valid for API calls, while Inactive means it is not.

      • SecretAccessKey (string) --

        The secret key used to sign requests.

      • CreateDate (datetime) --

        The date when the access key was created.

ChangePassword (new) Link ¶

Changes the password of the IAM user calling ChangePassword. The root account password is not affected by this action. For information about modifying passwords, see Managing Passwords in the Using IAM guide.

Request Syntax

client.change_password(
    OldPassword='string',
    NewPassword='string'
)
type OldPassword

string

param OldPassword

[REQUIRED]

The IAM user's current password.

type NewPassword

string

param NewPassword

[REQUIRED]

The new password. The new password must conform to the AWS account's password policy, if one exists.

returns

None

GenerateCredentialReport (new) Link ¶

Generates a credential report for the AWS account. For more information about the credential report, see Getting Credential Reports in the Using IAM guide.

Request Syntax

client.generate_credential_report()
rtype

dict

returns

Response Syntax

{
    'State': 'STARTED'|'INPROGRESS'|'COMPLETE',
    'Description': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GenerateCredentialReport action.

    • State (string) --

      Information about the state of a credential report.

    • Description (string) --

      Information about the credential report.

GetGroup (new) Link ¶

Returns a list of users that are in the specified group. You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.get_group(
    GroupName='string',
    Marker='string',
    MaxItems=123
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of user names you want in the response. If there are additional user names beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Group': {
        'Path': 'string',
        'GroupName': 'string',
        'GroupId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1)
    },
    'Users': [
        {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetGroup action.

    • Group (dict) --

      Information about the group.

      • Path (string) --

        Path to the group. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • GroupName (string) --

        The name that identifies the group.

      • GroupId (string) --

        The stable and unique string identifying the group. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the group was created.

    • Users (list) --

      A list of users in the group.

      • (dict) --

        The User data type contains information about a user.

        This data type is used as a response element in the following actions:

        • CreateUser

        • GetUser

        • ListUsers

        • Path (string) --

          Path to the user. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • UserName (string) --

          The name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the user. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the user was created.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more user names to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more user names in the list.

    • Marker (string) --

      If IsTruncated is true, then this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

UpdateServerCertificate (new) Link ¶

Updates the name and/or the path of the specified server certificate.

Warning

You should understand the implications of changing a server certificate's path or name. For more information, see Managing Server Certificates in the Using IAM guide.

Request Syntax

client.update_server_certificate(
    ServerCertificateName='string',
    NewPath='string',
    NewServerCertificateName='string'
)
type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name of the server certificate that you want to update.

type NewPath

string

param NewPath

The new path for the server certificate. Include this only if you are updating the server certificate's path.

type NewServerCertificateName

string

param NewServerCertificateName

The new name for the server certificate. Include this only if you are updating the server certificate's name.

returns

None

GetSAMLProvider (new) Link ¶

Returns the SAML provider metadocument that was uploaded when the provider was created or updated.

Request Syntax

client.get_saml_provider(
    SAMLProviderArn='string'
)
type SAMLProviderArn

string

param SAMLProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the SAML provider to get information about.

rtype

dict

returns

Response Syntax

{
    'SAMLMetadataDocument': 'string',
    'CreateDate': datetime(2015, 1, 1),
    'ValidUntil': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetSAMLProvider action.

    • SAMLMetadataDocument (string) --

      The XML metadata document that includes information about an identity provider.

    • CreateDate (datetime) --

      The date and time when the SAML provider was created.

    • ValidUntil (datetime) --

      The expiration date and time for the SAML provider.

CreateLoginProfile (new) Link ¶

Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. For more information about managing passwords, see Managing Passwords in the Using IAM guide.

Request Syntax

client.create_login_profile(
    UserName='string',
    Password='string',
    PasswordResetRequired=True|False
)
type UserName

string

param UserName

[REQUIRED]

Name of the user to create a password for.

type Password

string

param Password

[REQUIRED]

The new password for the user.

type PasswordResetRequired

boolean

param PasswordResetRequired

Specifies whether the user is required to set a new password on next sign-in.

rtype

dict

returns

Response Syntax

{
    'LoginProfile': {
        'UserName': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'PasswordResetRequired': True|False
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateLoginProfile action.

    • LoginProfile (dict) --

      The user name and password create date.

      • UserName (string) --

        The name of the user, which can be used for signing in to the AWS Management Console.

      • CreateDate (datetime) --

        The date when the password for the user was created.

      • PasswordResetRequired (boolean) --

        Specifies whether the user is required to set a new password on next sign-in.

CreateInstanceProfile (new) Link ¶

Creates a new instance profile. For information about instance profiles, go to About Instance Profiles.

For information about the number of instance profiles you can create, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.create_instance_profile(
    InstanceProfileName='string',
    Path='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

Name of the instance profile to create.

type Path

string

param Path

The path to the instance profile. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

rtype

dict

returns

Response Syntax

{
    'InstanceProfile': {
        'Path': 'string',
        'InstanceProfileName': 'string',
        'InstanceProfileId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'Roles': [
            {
                'Path': 'string',
                'RoleName': 'string',
                'RoleId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'AssumeRolePolicyDocument': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateInstanceProfile action.

    • InstanceProfile (dict) --

      Information about the instance profile.

      • Path (string) --

        Path to the instance profile. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • InstanceProfileName (string) --

        The name identifying the instance profile.

      • InstanceProfileId (string) --

        The stable and unique string identifying the instance profile. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the instance profile was created.

      • Roles (list) --

        The role associated with the instance profile.

        • (dict) --

          The Role data type contains information about a role.

          This data type is used as a response element in the following actions:

          • CreateRole

          • GetRole

          • ListRoles

          • Path (string) --

            Path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

          • RoleName (string) --

            The name identifying the role.

          • RoleId (string) --

            The stable and unique string identifying the role. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

          • Arn (string) --

            The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

          • CreateDate (datetime) --

            The date when the role was created.

          • AssumeRolePolicyDocument (string) --

            The policy that grants an entity permission to assume the role.

            The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

ListAccountAliases (new) Link ¶

Lists the account aliases associated with the account. For information about using an AWS account alias, see Using an Alias for Your AWS Account ID in the Using IAM guide.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_account_aliases(
    Marker='string',
    MaxItems=123
)
type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of account aliases you want in the response. If there are additional account aliases beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'AccountAliases': [
        'string',
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListAccountAliases action.

    • AccountAliases (list) --

      A list of aliases associated with the account.

      • (string) --

    • IsTruncated (boolean) --

      A flag that indicates whether there are more account aliases to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more account aliases in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

GetInstanceProfile (new) Link ¶

Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. For more information about instance profiles, go to About Instance Profiles. For more information about ARNs, go to ARNs.

Request Syntax

client.get_instance_profile(
    InstanceProfileName='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

Name of the instance profile to get information about.

rtype

dict

returns

Response Syntax

{
    'InstanceProfile': {
        'Path': 'string',
        'InstanceProfileName': 'string',
        'InstanceProfileId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'Roles': [
            {
                'Path': 'string',
                'RoleName': 'string',
                'RoleId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'AssumeRolePolicyDocument': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetInstanceProfile action.

    • InstanceProfile (dict) --

      Information about the instance profile.

      • Path (string) --

        Path to the instance profile. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • InstanceProfileName (string) --

        The name identifying the instance profile.

      • InstanceProfileId (string) --

        The stable and unique string identifying the instance profile. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the instance profile was created.

      • Roles (list) --

        The role associated with the instance profile.

        • (dict) --

          The Role data type contains information about a role.

          This data type is used as a response element in the following actions:

          • CreateRole

          • GetRole

          • ListRoles

          • Path (string) --

            Path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

          • RoleName (string) --

            The name identifying the role.

          • RoleId (string) --

            The stable and unique string identifying the role. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

          • Arn (string) --

            The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

          • CreateDate (datetime) --

            The date when the role was created.

          • AssumeRolePolicyDocument (string) --

            The policy that grants an entity permission to assume the role.

            The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.
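Because AssumeRolePolicyDocument is returned URL-encoded (here and in the other role structures on this page), reviewing who may assume a role means decoding it first. The helper below is an added example, not AWS or boto3 code: it decodes the document and flags Allow statements whose principal is a wildcard or an account other than your own. The trust policy, the account IDs and the function names are constructed for the example.

```python
import json
from urllib.parse import quote, unquote

# Constructed trust policy; the encoded form mimics what the API returns in
# AssumeRolePolicyDocument (URL-encoded JSON, per RFC 3986).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
    ],
}
ENCODED_TRUST_POLICY = quote(json.dumps(SAMPLE_TRUST_POLICY), safe="")


def decode_policy_document(document):
    """Return the policy as a dict, whether it arrived URL-encoded or already decoded."""
    if isinstance(document, dict):
        return document
    return json.loads(unquote(document))


def _principal_entries(principal):
    """Flatten the Principal element into (kind, value) pairs."""
    if principal == "*":
        return [("*", "*")]
    entries = []
    for kind, values in principal.items():
        if isinstance(values, str):
            values = [values]
        entries.extend((kind, value) for value in values)
    return entries


def _account_of(arn):
    # ARN layout: arn:partition:service:region:account-id:resource
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def review_trust_policy(document, own_account):
    """Return (statement index, finding) pairs for Allow statements that let
    principals outside own_account assume the role."""
    policy = decode_policy_document(document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        conditioned = bool(statement.get("Condition"))
        for kind, value in _principal_entries(statement.get("Principal", {})):
            if kind == "*" or value == "*":
                note = "any principal may assume this role"
                if not conditioned:
                    note += " and no Condition limits it"
                findings.append((index, note))
            elif kind == "AWS":
                account = _account_of(value)
                if account and account != own_account:
                    findings.append((index, f"cross-account trust: {value}"))
    return findings


if __name__ == "__main__":
    for index, note in review_trust_policy(ENCODED_TRUST_POLICY, "123456789012"):
        print(f"statement {index}: {note}")
```

Newer boto3 releases decode this field into a dict before returning it, which is why the helper accepts either form.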

ListUserPolicies (new) Link ¶

Lists the names of the policies associated with the specified user. If there are none, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_user_policies(
    UserName='string',
    Marker='string',
    MaxItems=123
)
type UserName

string

param UserName

[REQUIRED]

The name of the user to list policies for.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of policy names you want in the response. If there are additional policy names beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'PolicyNames': [
        'string',
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListUserPolicies action.

    • PolicyNames (list) --

      A list of policy names.

      • (string) --

    • IsTruncated (boolean) --

      A flag that indicates whether there are more policy names to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more policy names in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

UpdateGroup (new) Link ¶

Updates the name and/or the path of the specified group.

Warning

You should understand the implications of changing a group's path or name. For more information, see Renaming Users and Groups in the Using IAM guide.

Request Syntax

client.update_group(
    GroupName='string',
    NewPath='string',
    NewGroupName='string'
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group to update. If you're changing the name of the group, this is the original name.

type NewPath

string

param NewPath

New path for the group. Only include this if changing the group's path.

type NewGroupName

string

param NewGroupName

New name for the group. Only include this if changing the group's name.

returns

None

ListUsers (new) Link ¶

Lists the users that have the specified path prefix. If there are none, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_users(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example: /division_abc/subdivision_xyz/, which would get all user names whose path starts with /division_abc/subdivision_xyz/.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all user names.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of user names you want in the response. If there are additional user names beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Users': [
        {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListUsers action.

    • Users (list) --

      A list of users.

      • (dict) --

        The User data type contains information about a user.

        This data type is used as a response element in the following actions:

        • CreateUser

        • GetUser

        • ListUsers

        • Path (string) --

          Path to the user. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • UserName (string) --

          The name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the user. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the user was created.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more user names to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more users in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

UpdateAssumeRolePolicy (new) Link ¶

Updates the policy that grants an entity permission to assume a role. For more information about roles, go to Working with Roles.

Request Syntax

client.update_assume_role_policy(
    RoleName='string',
    PolicyDocument='string'
)
type RoleName

string

param RoleName

[REQUIRED]

Name of the role to update.

type PolicyDocument

string

param PolicyDocument

[REQUIRED]

The policy that grants an entity permission to assume the role.

returns

None

UploadSigningCertificate (new) Link ¶

Uploads an X.509 signing certificate and associates it with the specified user. Some AWS services use X.509 signing certificates to validate requests that are signed with a corresponding private key. When you upload the certificate, its default status is Active.

If the UserName field is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, this API can be used to manage root credentials even if the AWS account has no associated users.

Request Syntax

client.upload_signing_certificate(
    UserName='string',
    CertificateBody='string'
)
type UserName

string

param UserName

Name of the user the signing certificate is for.

type CertificateBody

string

param CertificateBody

[REQUIRED]

The contents of the signing certificate.

rtype

dict

returns

Response Syntax

{
    'Certificate': {
        'UserName': 'string',
        'CertificateId': 'string',
        'CertificateBody': 'string',
        'Status': 'Active'|'Inactive',
        'UploadDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the UploadSigningCertificate action.

    • Certificate (dict) --

      Information about the certificate.

      • UserName (string) --

        Name of the user the signing certificate is associated with.

      • CertificateId (string) --

        The ID for the signing certificate.

      • CertificateBody (string) --

        The contents of the signing certificate.

      • Status (string) --

        The status of the signing certificate. Active means the key is valid for API calls, while Inactive means it is not.

      • UploadDate (datetime) --

        The date when the signing certificate was uploaded.

PutUserPolicy (new) Link ¶

Adds (or updates) a policy document associated with the specified user. For information about policies, refer to Overview of Policies in the Using IAM guide.

For information about limits on the number of policies you can associate with a user, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.put_user_policy(
    UserName='string',
    PolicyName='string',
    PolicyDocument='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user to associate the policy with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document.

type PolicyDocument

string

param PolicyDocument

[REQUIRED]

The policy document.

returns

None

DeleteAccessKey (new) Link ¶

Deletes the access key associated with the specified user.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this API to manage root credentials even if the AWS account has no associated users.

Request Syntax

client.delete_access_key(
    UserName='string',
    AccessKeyId='string'
)
type UserName

string

param UserName

Name of the user whose key you want to delete.

type AccessKeyId

string

param AccessKeyId

[REQUIRED]

The access key ID of the access key pair (access key ID and secret access key) you want to delete.

returns

None

CreateUser (new) Link ¶

Creates a new user for your AWS account.

For information about limitations on the number of users you can create, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.create_user(
    Path='string',
    UserName='string'
)
type Path

string

param Path

The path for the user name. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

type UserName

string

param UserName

[REQUIRED]

Name of the user to create.

rtype

dict

returns

Response Syntax

{
    'User': {
        'Path': 'string',
        'UserName': 'string',
        'UserId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateUser action.

    • User (dict) --

      Information about the user.

      • Path (string) --

        Path to the user. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • UserName (string) --

        The name identifying the user.

      • UserId (string) --

        The stable and unique string identifying the user. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the user. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the user was created.

DeleteVirtualMFADevice (new) Link ¶

Deletes a virtual MFA device.

Request Syntax

client.delete_virtual_mfa_device(
    SerialNumber='string'
)
type SerialNumber

string

param SerialNumber

[REQUIRED]

The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the same as the ARN.

returns

None

GetServerCertificate (new) Link ¶

Retrieves information about the specified server certificate.

Request Syntax

client.get_server_certificate(
    ServerCertificateName='string'
)
type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name of the server certificate you want to retrieve information about.

rtype

dict

returns

Response Syntax

{
    'ServerCertificate': {
        'ServerCertificateMetadata': {
            'Path': 'string',
            'ServerCertificateName': 'string',
            'ServerCertificateId': 'string',
            'Arn': 'string',
            'UploadDate': datetime(2015, 1, 1),
            'Expiration': datetime(2015, 1, 1)
        },
        'CertificateBody': 'string',
        'CertificateChain': 'string'
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetServerCertificate action.

    • ServerCertificate (dict) --

      Information about the server certificate.

      • ServerCertificateMetadata (dict) --

        The meta information of the server certificate, such as its name, path, ID, and ARN.

        • Path (string) --

          Path to the server certificate. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • ServerCertificateName (string) --

          The name that identifies the server certificate.

        • ServerCertificateId (string) --

          The stable and unique string identifying the server certificate. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • UploadDate (datetime) --

          The date when the server certificate was uploaded.

        • Expiration (datetime) --

          The date on which the certificate is set to expire.

      • CertificateBody (string) --

        The contents of the public key certificate.

      • CertificateChain (string) --

        The contents of the public key certificate chain.

GetUser (new) Link ¶

Retrieves information about the specified user, including the user's path, unique ID, and ARN.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request.

Request Syntax

client.get_user(
    UserName='string'
)
type UserName

string

param UserName

Name of the user to get information about.

This parameter is optional. If it is not included, it defaults to the user making the request.

rtype

dict

returns

Response Syntax

{
    'User': {
        'Path': 'string',
        'UserName': 'string',
        'UserId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetUser action.

    • User (dict) --

      Information about the user.

      • Path (string) --

        Path to the user. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • UserName (string) --

        The name identifying the user.

      • UserId (string) --

        The stable and unique string identifying the user. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the user. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the user was created.

GetUserPolicy (new) Link ¶

Retrieves the specified policy document for the specified user. The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

Request Syntax

client.get_user_policy(
    UserName='string',
    PolicyName='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user who the policy is associated with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document to get.

rtype

dict

returns

Response Syntax

{
    'UserName': 'string',
    'PolicyName': 'string',
    'PolicyDocument': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetUserPolicy action.

    • UserName (string) --

      The user the policy is associated with.

    • PolicyName (string) --

      The name of the policy.

    • PolicyDocument (string) --

      The policy document.

UpdateSAMLProvider (new) Link ¶

Updates the metadata document for an existing SAML provider.

Request Syntax

client.update_saml_provider(
    SAMLMetadataDocument='string',
    SAMLProviderArn='string'
)
type SAMLMetadataDocument

string

param SAMLMetadataDocument

[REQUIRED]

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

type SAMLProviderArn

string

param SAMLProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the SAML provider to update.

rtype

dict

returns

Response Syntax

{
    'SAMLProviderArn': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the UpdateSAMLProvider action.

    • SAMLProviderArn (string) --

      The Amazon Resource Name (ARN) of the SAML provider that was updated.

UpdateAccountPasswordPolicy (new) Link ¶

Updates the password policy settings for the AWS account.

For more information about using a password policy, see Managing an IAM Password Policy in the Using IAM guide.

Request Syntax

client.update_account_password_policy(
    MinimumPasswordLength=123,
    RequireSymbols=True|False,
    RequireNumbers=True|False,
    RequireUppercaseCharacters=True|False,
    RequireLowercaseCharacters=True|False,
    AllowUsersToChangePassword=True|False,
    MaxPasswordAge=123,
    PasswordReusePrevention=123,
    HardExpiry=True|False
)
type MinimumPasswordLength

integer

param MinimumPasswordLength

The minimum number of characters allowed in an IAM user password.

Default value: 6

type RequireSymbols

boolean

param RequireSymbols

Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '

Default value: false

type RequireNumbers

boolean

param RequireNumbers

Specifies whether IAM user passwords must contain at least one numeric character (0 to 9).

Default value: false

type RequireUppercaseCharacters

boolean

param RequireUppercaseCharacters

Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).

Default value: false

type RequireLowercaseCharacters

boolean

param RequireLowercaseCharacters

Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z).

Default value: false

type AllowUsersToChangePassword

boolean

param AllowUsersToChangePassword

Allows all IAM users in your account to use the AWS Management Console to change their own passwords. For more information, see Letting IAM Users Change Their Own Passwords in the Using IAM guide.

Default value: false

type MaxPasswordAge

integer

param MaxPasswordAge

The number of days that an IAM user password is valid. The default value of 0 means IAM user passwords never expire.

Default value: 0

type PasswordReusePrevention

integer

param PasswordReusePrevention

Specifies the number of previous passwords that IAM users are prevented from reusing. The default value of 0 means IAM users are not prevented from reusing previous passwords.

Default value: 0

type HardExpiry

boolean

param HardExpiry

Prevents IAM users from setting a new password after their password has expired.

Default value: false

returns

None
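As an added example that is not part of the boto3 reference, the following compares an account password policy against a stronger baseline and builds the complete keyword-argument set for client.update_account_password_policy(); the documented defaults above are the weak starting point, the baseline values and the RecordingClient stand-in are assumptions constructed for offline use.

```python
"""Assess an IAM account password policy against a baseline and build the
arguments for update_account_password_policy(). Added example; the
baseline numbers are illustrative assumptions, not an AWS recommendation."""

# Documented defaults: the policy an account effectively has when a
# parameter is omitted from UpdateAccountPasswordPolicy.
DOCUMENTED_DEFAULTS = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False,
    "MaxPasswordAge": 0,            # 0: passwords never expire
    "PasswordReusePrevention": 0,   # 0: reuse is not prevented
    "HardExpiry": False,
}

# Assumed hardening baseline (constructed for this example).
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def _stronger(key, have, want):
    """Pick the stricter of the current value and the baseline value.

    For MaxPasswordAge a lower non-zero age is stricter and 0 means
    'never expires'; for the other integers a higher value is stricter;
    for booleans True is stricter."""
    if isinstance(want, bool):
        return bool(have) or want
    if key == "MaxPasswordAge":
        return want if have == 0 else min(have, want)
    return max(have, want)


def assess_password_policy(current, baseline=BASELINE):
    """Return {parameter: (current, baseline)} for each setting weaker than
    the baseline. Missing keys count as the documented default, which is
    what an unconfigured account gets."""
    findings = {}
    for key, want in baseline.items():
        have = current.get(key, DOCUMENTED_DEFAULTS[key])
        if _stronger(key, have, want) != have:
            findings[key] = (have, want)
    return findings


def build_update_kwargs(current, baseline=BASELINE):
    """Complete parameter set for update_account_password_policy(). Every
    parameter is sent because the call replaces the whole policy: an
    omitted parameter reverts to its documented default, silently
    weakening a setting that was already stronger than the baseline."""
    return {
        key: _stronger(key, current.get(key, DOCUMENTED_DEFAULTS[key]), want)
        for key, want in baseline.items()
    }


class RecordingClient:
    """Constructed stand-in for a boto3 IAM client (offline use only)."""

    def __init__(self, policy):
        self.policy = dict(policy)
        self.calls = []

    def update_account_password_policy(self, **kwargs):
        self.calls.append(kwargs)
        self.policy = dict(kwargs)
        return None


def enforce_baseline(client, current, baseline=BASELINE):
    """Raise the account policy to the baseline if anything is weaker.
    Returns the findings; an empty dict means no update was sent."""
    findings = assess_password_policy(current, baseline)
    if findings:
        client.update_account_password_policy(
            **build_update_kwargs(current, baseline))
    return findings


if __name__ == "__main__":
    client = RecordingClient(DOCUMENTED_DEFAULTS)
    for key, (have, want) in enforce_baseline(client, client.policy).items():
        print(f"{key}: {have!r} -> {want!r}")
    print("update sent:", len(client.calls) == 1)
```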

DeleteAccountPasswordPolicy (new) Link ¶

Deletes the password policy for the AWS account.

Request Syntax

client.delete_account_password_policy()
returns

None

AddUserToGroup (new) Link ¶

Adds the specified user to the specified group.

Request Syntax

client.add_user_to_group(
    GroupName='string',
    UserName='string'
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group to update.

type UserName

string

param UserName

[REQUIRED]

Name of the user to add.

returns

None

GetCredentialReport (new) Link ¶

Retrieves a credential report for the AWS account. For more information about the credential report, see Getting Credential Reports in the Using IAM guide.

Request Syntax

client.get_credential_report()
rtype

dict

returns

Response Syntax

{
    'Content': b'bytes',
    'ReportFormat': 'text/csv',
    'GeneratedTime': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetCredentialReport action.

    • Content (bytes) --

      Contains the credential report. The report is Base64-encoded.

    • ReportFormat (string) --

      The format (MIME type) of the credential report.

    • GeneratedTime (datetime) --

      The time and date when the credential report was created, in ISO 8601 date-time format.
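As an added example that is not part of the reference, the following decodes a GetCredentialReport response and flags risky credentials; the sample report (a constructed subset of the report's columns), the account ID in it and the 90-day key-age threshold are assumptions.

```python
"""Decode an IAM credential report and flag risky credentials. Added
example; the report content below is constructed, not real data."""
import base64
import binascii
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of the text/csv report (a subset of the real
# columns), Base64-encoded as the Content field is described above.
SAMPLE_CSV = b"""\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-10T09:00:00+00:00,not_supported,2014-10-01T08:00:00+00:00,false,true,2013-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2014-02-01T10:00:00+00:00,true,2014-10-15T11:00:00+00:00,true,true,2014-09-20T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2014-03-05T10:00:00+00:00,true,no_information,false,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2013-06-01T10:00:00+00:00,false,N/A,false,true,2013-06-01T10:00:00+00:00,true,2014-10-01T10:00:00+00:00
"""
SAMPLE_RESPONSE = {
    "Content": base64.b64encode(SAMPLE_CSV),
    "ReportFormat": "text/csv",
    "GeneratedTime": datetime(2014, 10, 16, tzinfo=timezone.utc),
}


def decode_report(content):
    """Return the CSV text. Accepts the Base64 form described above and
    also raw CSV bytes, which a client that decodes blobs for you returns."""
    if content.startswith(b"user,"):
        return content.decode()
    try:
        return base64.b64decode(content, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return content.decode()


def parse_report(response):
    """Rows of the report as dicts keyed by column name."""
    text = decode_report(response["Content"])
    return list(csv.DictReader(io.StringIO(text)))


def _timestamp(value):
    """Cells hold an ISO 8601 time or a marker such as N/A, no_information
    or not_supported; markers become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_risky_credentials(rows, as_of, max_key_age=timedelta(days=90)):
    """Return (user, issue) tuples for: console users without MFA, the root
    account without MFA or with an active access key, and active access
    keys not rotated within max_key_age (measured from as_of)."""
    findings = []
    for row in rows:
        user = row["user"]
        is_root = user == "<root_account>"
        has_mfa = row["mfa_active"] == "true"
        if is_root and not has_mfa:
            findings.append((user, "root account has no MFA"))
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has active access key {n}"))
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None or as_of - rotated > max_key_age:
                findings.append(
                    (user, f"access key {n} older than {max_key_age.days} days"))
    return findings


if __name__ == "__main__":
    rows = parse_report(SAMPLE_RESPONSE)
    for user, issue in find_risky_credentials(rows, SAMPLE_RESPONSE["GeneratedTime"]):
        print(f"{user}: {issue}")
```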

ListSAMLProviders (new) Link ¶

Lists the SAML providers in the account.

Request Syntax

client.list_saml_providers()
rtype

dict

returns

Response Syntax

{
    'SAMLProviderList': [
        {
            'Arn': 'string',
            'ValidUntil': datetime(2015, 1, 1),
            'CreateDate': datetime(2015, 1, 1)
        },
    ]
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListSAMLProviders action.

    • SAMLProviderList (list) --

      The list of SAML providers for this account.

      • (dict) --

        The list of SAML providers for this account.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the SAML provider.

        • ValidUntil (datetime) --

          The expiration date and time for the SAML provider.

        • CreateDate (datetime) --

          The date and time when the SAML provider was created.

UpdateUser (new) Link ¶

Updates the name and/or the path of the specified user.

Warning

You should understand the implications of changing a user's path or name. For more information, see Renaming Users and Groups in the Using IAM guide.

Request Syntax

client.update_user(
    UserName='string',
    NewPath='string',
    NewUserName='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user to update. If you're changing the name of the user, this is the original user name.

type NewPath

string

param NewPath

New path for the user. Include this parameter only if you're changing the user's path.

type NewUserName

string

param NewUserName

New name for the user. Include this parameter only if you're changing the user's name.

returns

None

UpdateAccessKey (new) Link ¶

Changes the status of the specified access key from Active to Inactive, or vice versa. This action can be used to disable a user's key as part of a key rotation workflow.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, this API can be used to manage root credentials even if the AWS account has no associated users.

For information about rotating keys, see Managing Keys and Certificates in the Using IAM guide.

Request Syntax

client.update_access_key(
    UserName='string',
    AccessKeyId='string',
    Status='Active'|'Inactive'
)
type UserName

string

param UserName

Name of the user whose key you want to update.

type AccessKeyId

string

param AccessKeyId

[REQUIRED]

The access key ID of the secret access key you want to update.

type Status

string

param Status

[REQUIRED]

The status you want to assign to the secret access key. Active means the key can be used for API calls to AWS, while Inactive means the key cannot be used.

returns

None

UploadServerCertificate (new) Link ¶

Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.

For information about the number of server certificates you can upload, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.upload_server_certificate(
    Path='string',
    ServerCertificateName='string',
    CertificateBody='string',
    PrivateKey='string',
    CertificateChain='string'
)
type Path

string

param Path

The path for the server certificate. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name for the server certificate. Do not include the path in this value.

type CertificateBody

string

param CertificateBody

[REQUIRED]

The contents of the public key certificate in PEM-encoded format.

type PrivateKey

string

param PrivateKey

[REQUIRED]

The contents of the private key in PEM-encoded format.

type CertificateChain

string

param CertificateChain

The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.

rtype

dict

returns

Response Syntax

{
    'ServerCertificateMetadata': {
        'Path': 'string',
        'ServerCertificateName': 'string',
        'ServerCertificateId': 'string',
        'Arn': 'string',
        'UploadDate': datetime(2015, 1, 1),
        'Expiration': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the UploadServerCertificate action.

    • ServerCertificateMetadata (dict) --

      The meta information of the uploaded server certificate without its certificate body, certificate chain, and private key.

      • Path (string) --

        Path to the server certificate. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • ServerCertificateName (string) --

        The name that identifies the server certificate.

      • ServerCertificateId (string) --

        The stable and unique string identifying the server certificate. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • UploadDate (datetime) --

        The date when the server certificate was uploaded.

      • Expiration (datetime) --

        The date on which the certificate is set to expire.

DeactivateMFADevice (new) Link ¶

Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.

Request Syntax

client.deactivate_mfa_device(
    UserName='string',
    SerialNumber='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user whose MFA device you want to deactivate.

type SerialNumber

string

param SerialNumber

[REQUIRED]

The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.

returns

None

DeleteLoginProfile (new) Link ¶

Deletes the password for the specified user, which terminates the user's ability to access AWS services through the AWS Management Console.

Warning

Deleting a user's password does not prevent a user from accessing IAM through the command line interface or the API. To prevent all user access you must also either make the access key inactive or delete it. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.

Request Syntax

client.delete_login_profile(
    UserName='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user whose password you want to delete.

returns

None

EnableMFADevice (new) Link ¶

Enables the specified MFA device and associates it with the specified user name. When enabled, the MFA device is required for every subsequent login by the user name associated with the device.

Request Syntax

client.enable_mfa_device(
    UserName='string',
    SerialNumber='string',
    AuthenticationCode1='string',
    AuthenticationCode2='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user for whom you want to enable the MFA device.

type SerialNumber

string

param SerialNumber

[REQUIRED]

The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.

type AuthenticationCode1

string

param AuthenticationCode1

[REQUIRED]

An authentication code emitted by the device.

type AuthenticationCode2

string

param AuthenticationCode2

[REQUIRED]

A subsequent authentication code emitted by the device.

returns

None

ResyncMFADevice (new) Link ¶

Synchronizes the specified MFA device with AWS servers.

Request Syntax

client.resync_mfa_device(
    UserName='string',
    SerialNumber='string',
    AuthenticationCode1='string',
    AuthenticationCode2='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user whose MFA device you want to resynchronize.

type SerialNumber

string

param SerialNumber

[REQUIRED]

Serial number that uniquely identifies the MFA device.

type AuthenticationCode1

string

param AuthenticationCode1

[REQUIRED]

An authentication code emitted by the device.

type AuthenticationCode2

string

param AuthenticationCode2

[REQUIRED]

A subsequent authentication code emitted by the device.

returns

None

DeleteSigningCertificate (new) Link ¶

Deletes the specified signing certificate associated with the specified user.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this API to manage root credentials even if the AWS account has no associated users.

Request Syntax

client.delete_signing_certificate(
    UserName='string',
    CertificateId='string'
)
type UserName

string

param UserName

Name of the user the signing certificate belongs to.

type CertificateId

string

param CertificateId

[REQUIRED]

ID of the signing certificate to delete.

returns

None

GetLoginProfile (new) Link ¶

Retrieves the user name and password-creation date for the specified user. If the user has not been assigned a password, the action returns a 404 (NoSuchEntity) error.

Request Syntax

client.get_login_profile(
    UserName='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user whose login profile you want to retrieve.

rtype

dict

returns

Response Syntax

{
    'LoginProfile': {
        'UserName': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'PasswordResetRequired': True|False
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetLoginProfile action.

    • LoginProfile (dict) --

      User name and password create date for the user.

      • UserName (string) --

        The name of the user, which can be used for signing in to the AWS Management Console.

      • CreateDate (datetime) --

        The date when the password for the user was created.

      • PasswordResetRequired (boolean) --

        Specifies whether the user is required to set a new password on next sign-in.

ListRolePolicies (new) Link ¶

Lists the names of the policies associated with the specified role. If there are none, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_role_policies(
    RoleName='string',
    Marker='string',
    MaxItems=123
)
type RoleName

string

param RoleName

[REQUIRED]

The name of the role to list policies for.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of policy names you want in the response. If there are additional policy names beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'PolicyNames': [
        'string',
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListRolePolicies action.

    • PolicyNames (list) --

      A list of policy names.

      • (string) --

    • IsTruncated (boolean) --

      A flag that indicates whether there are more policy names to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more policy names in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

DeleteUser (new) Link ¶

Deletes the specified user. The user must not belong to any groups, have any keys or signing certificates, or have any attached policies.

Request Syntax

client.delete_user(
    UserName='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user to delete.

returns

None

GetGroupPolicy (new) Link ¶

Retrieves the specified policy document for the specified group. The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

Request Syntax

client.get_group_policy(
    GroupName='string',
    PolicyName='string'
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group the policy is associated with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document to get.

rtype

dict

returns

Response Syntax

{
    'GroupName': 'string',
    'PolicyName': 'string',
    'PolicyDocument': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetGroupPolicy action.

    • GroupName (string) --

      The group the policy is associated with.

    • PolicyName (string) --

      The name of the policy.

    • PolicyDocument (string) --

      The policy document.
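As an added example that is not part of the reference, the following decodes the RFC 3986 percent-encoded PolicyDocument returned by GetUserPolicy and GetGroupPolicy and flags Allow statements that grant everything; the encoded sample policy, the Sids in it and the FakeIAM stand-in are constructed for offline use.

```python
"""Decode and audit inline IAM policy documents. Added example; the
sample policy and the fake client are constructed, not real."""
import json
from urllib.parse import unquote

# Constructed sample: a two-statement inline policy, percent-encoded the
# way GetUserPolicy / GetGroupPolicy return it.
SAMPLE_ENCODED = (
    "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B"
    "%7B%22Sid%22%3A%22ReadReports%22%2C%22Effect%22%3A%22Allow%22%2C"
    "%22Action%22%3A%5B%22s3%3AGetObject%22%5D%2C"
    "%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Areports-bucket%2F%2A%22%7D%2C"
    "%7B%22Sid%22%3A%22Admin%22%2C%22Effect%22%3A%22Allow%22%2C"
    "%22Action%22%3A%22%2A%22%2C%22Resource%22%3A%22%2A%22%7D%5D%7D"
)


def decode_policy_document(encoded):
    """Percent-decode (RFC 3986), then parse the JSON policy."""
    return json.loads(unquote(encoded))


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_unscoped_allows(policy):
    """Sids (or 'Statement[i]') of Allow statements that combine an
    unrestricted action ('*' or 'service:*') with Resource '*', or that
    use NotAction, which allows every action not listed."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"Statement[{i}]"
        all_resources = "*" in _as_list(stmt.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*")
                          for a in _as_list(stmt.get("Action")))
        if "NotAction" in stmt or (wild_action and all_resources):
            flagged.append(label)
    return flagged


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client: serves encoded inline
    policies from a dict keyed by (kind, principal name, policy name)."""

    def __init__(self, documents):
        self.documents = documents

    def get_user_policy(self, UserName, PolicyName):
        return {"UserName": UserName, "PolicyName": PolicyName,
                "PolicyDocument": self.documents[("user", UserName, PolicyName)]}

    def get_group_policy(self, GroupName, PolicyName):
        return {"GroupName": GroupName, "PolicyName": PolicyName,
                "PolicyDocument": self.documents[("group", GroupName, PolicyName)]}


def audit_inline_policy(client, kind, name, policy_name):
    """Fetch one inline policy for a user ('user') or group ('group') and
    return the labels of its unscoped Allow statements."""
    if kind == "user":
        resp = client.get_user_policy(UserName=name, PolicyName=policy_name)
    else:
        resp = client.get_group_policy(GroupName=name, PolicyName=policy_name)
    return find_unscoped_allows(decode_policy_document(resp["PolicyDocument"]))


if __name__ == "__main__":
    client = FakeIAM({("user", "alice", "inline"): SAMPLE_ENCODED})
    print(audit_inline_policy(client, "user", "alice", "inline"))
```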

DeleteServerCertificate (new) Link ¶

Deletes the specified server certificate.

Warning

If you are using a server certificate with Elastic Load Balancing, deleting the certificate could have implications for your application. If Elastic Load Balancing doesn't detect the deletion of bound certificates, it may continue to use the certificates. This could cause Elastic Load Balancing to stop accepting traffic. We recommend that you remove the reference to the certificate from Elastic Load Balancing before using this command to delete the certificate. For more information, go to DeleteLoadBalancerListeners in the Elastic Load Balancing API Reference.

Request Syntax

client.delete_server_certificate(
    ServerCertificateName='string'
)
type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name of the server certificate you want to delete.

returns

None

ListGroupPolicies (new) Link ¶

Lists the names of the policies associated with the specified group. If there are none, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_group_policies(
    GroupName='string',
    Marker='string',
    MaxItems=123
)
type GroupName

string

param GroupName

[REQUIRED]

The name of the group to list policies for.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of policy names you want in the response. If there are additional policy names beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'PolicyNames': [
        'string',
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListGroupPolicies action.

    • PolicyNames (list) --

      A list of policy names.

      • (string) --

    • IsTruncated (boolean) --

      A flag that indicates whether there are more policy names to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more policy names in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
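As an added example that is not part of the reference, the following walks every page of a list action that uses the MaxItems / Marker / IsTruncated protocol described for ListRolePolicies, ListGroupPolicies and ListMFADevices, and guards against a truncated page that carries no usable Marker; the FakeIAM stand-in, its offset-based markers and the sample policy names are constructed for offline use.

```python
"""Pagination for IAM list actions that use Marker / IsTruncated. Added
example; the fake client below serves pages from in-memory lists."""


def paginate(list_call, result_key, **params):
    """Yield every item from list_call, passing Marker back until a page
    reports IsTruncated false. A truncated page with a missing or repeated
    Marker is an error rather than an endless loop."""
    seen_markers = set()
    marker = None
    while True:
        kwargs = dict(params)
        if marker is not None:
            kwargs["Marker"] = marker
        page = list_call(**kwargs)
        yield from page.get(result_key, [])
        if not page.get("IsTruncated", False):
            return
        marker = page.get("Marker")
        if marker is None or marker in seen_markers:
            raise RuntimeError("truncated response without a usable Marker")
        seen_markers.add(marker)


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client. Its Marker is the
    offset of the next item as a string; the real service's Marker is an
    opaque token that must be passed back unchanged."""

    def __init__(self, role_policies, group_policies):
        self.role_policies = role_policies
        self.group_policies = group_policies
        self.calls = 0

    def _page(self, items, Marker=None, MaxItems=100):
        self.calls += 1
        start = int(Marker) if Marker is not None else 0
        end = start + MaxItems
        page = {"PolicyNames": items[start:end],
                "IsTruncated": end < len(items)}
        if page["IsTruncated"]:
            page["Marker"] = str(end)   # present only when truncated
        return page

    def list_role_policies(self, RoleName, **kw):
        return self._page(self.role_policies[RoleName], **kw)

    def list_group_policies(self, GroupName, **kw):
        return self._page(self.group_policies[GroupName], **kw)


# Constructed sample data: five inline policies on one role.
SAMPLE_ROLE_POLICIES = {"deploy": [f"policy-{i}" for i in range(5)]}
SAMPLE_GROUP_POLICIES = {"ops": ["ReadOnly"], "empty": []}


def all_role_policy_names(client, role_name, page_size=100):
    """Every inline policy name on a role, across all pages."""
    return list(paginate(client.list_role_policies, "PolicyNames",
                         RoleName=role_name, MaxItems=page_size))


def all_group_policy_names(client, group_name, page_size=100):
    """Every inline policy name on a group, across all pages."""
    return list(paginate(client.list_group_policies, "PolicyNames",
                         GroupName=group_name, MaxItems=page_size))


if __name__ == "__main__":
    client = FakeIAM(SAMPLE_ROLE_POLICIES, SAMPLE_GROUP_POLICIES)
    first_page = client.list_role_policies(RoleName="deploy", MaxItems=2)
    print("single call sees:", first_page["PolicyNames"])
    print("paginated sees:", all_role_policy_names(client, "deploy", page_size=2))
```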

DeleteGroup (new) Link ¶

Deletes the specified group. The group must not contain any users or have any attached policies.

Request Syntax

client.delete_group(
    GroupName='string'
)
type GroupName

string

param GroupName

[REQUIRED]

Name of the group to delete.

returns

None

PutRolePolicy (new) Link ¶

Adds (or updates) a policy document associated with the specified role. For information about policies, go to Overview of Policies in the Using IAM guide.

For information about limits on the policies you can associate with a role, see Limitations on IAM Entities in the Using IAM guide.

Request Syntax

client.put_role_policy(
    RoleName='string',
    PolicyName='string',
    PolicyDocument='string'
)
type RoleName

string

param RoleName

[REQUIRED]

Name of the role to associate the policy with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document.

type PolicyDocument

string

param PolicyDocument

[REQUIRED]

The policy document.

returns

None

DeleteUserPolicy (new) Link ¶

Deletes the specified policy associated with the specified user.

Request Syntax

client.delete_user_policy(
    UserName='string',
    PolicyName='string'
)
type UserName

string

param UserName

[REQUIRED]

Name of the user the policy is associated with.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document to delete.

returns

None

ListMFADevices (new) Link ¶

Lists the MFA devices. If the request includes the user name, then this action lists all the MFA devices associated with the specified user name. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_mfa_devices(
    UserName='string',
    Marker='string',
    MaxItems=123
)
type UserName

string

param UserName

Name of the user whose MFA devices you want to list.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of MFA devices you want in the response. If there are additional MFA devices beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'MFADevices': [
        {
            'UserName': 'string',
            'SerialNumber': 'string',
            'EnableDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListMFADevices action.

    • MFADevices (list) --

      A list of MFA devices.

      • (dict) --

        The MFADevice data type contains information about an MFA device.

        This data type is used as a response element in the action ListMFADevices.

        • UserName (string) --

          The user with whom the MFA device is associated.

        • SerialNumber (string) --

          The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.

        • EnableDate (datetime) --

          The date when the MFA device was enabled for the user.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more MFA devices to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more MFA devices in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

RemoveRoleFromInstanceProfile (new) Link ¶

Removes the specified role from the specified instance profile.

Warning

Make sure you do not have any Amazon EC2 instances running with the role you are about to remove from the instance profile. Removing a role from an instance profile that is associated with a running instance will break any applications running on the instance.

For more information about roles, go to Working with Roles. For more information about instance profiles, go to About Instance Profiles.

Request Syntax

client.remove_role_from_instance_profile(
    InstanceProfileName='string',
    RoleName='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

Name of the instance profile to update.

type RoleName

string

param RoleName

[REQUIRED]

Name of the role to remove.

returns

None

CreateRole (new) Link ¶

Creates a new role for your AWS account. For more information about roles, go to Working with Roles. For information about limitations on role names and the number of roles you can create, go to Limitations on IAM Entities in the Using IAM guide.

The example policy grants permission to an EC2 instance to assume the role. The policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

Request Syntax

client.create_role(
    Path='string',
    RoleName='string',
    AssumeRolePolicyDocument='string'
)
type Path

string

param Path

The path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

type RoleName

string

param RoleName

[REQUIRED]

Name of the role to create.

type AssumeRolePolicyDocument

string

param AssumeRolePolicyDocument

[REQUIRED]

The policy that grants an entity permission to assume the role.

rtype

dict

returns

Response Syntax

{
    'Role': {
        'Path': 'string',
        'RoleName': 'string',
        'RoleId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'AssumeRolePolicyDocument': 'string'
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateRole action.

    • Role (dict) --

      Information about the role.

      • Path (string) --

        Path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

      • RoleName (string) --

        The name identifying the role.

      • RoleId (string) --

        The stable and unique string identifying the role. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

      • CreateDate (datetime) --

        The date when the role was created.

      • AssumeRolePolicyDocument (string) --

        The policy that grants an entity permission to assume the role.

        The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

UpdateSigningCertificate (new) Link ¶

Changes the status of the specified signing certificate from active to disabled, or vice versa. This action can be used to disable a user's signing certificate as part of a certificate rotation workflow.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, this API can be used to manage root credentials even if the AWS account has no associated users.

For information about rotating certificates, see Managing Keys and Certificates in the Using IAM guide.

Request Syntax

client.update_signing_certificate(
    UserName='string',
    CertificateId='string',
    Status='Active'|'Inactive'
)
type UserName

string

param UserName

Name of the user the signing certificate belongs to.

type CertificateId

string

param CertificateId

[REQUIRED]

The ID of the signing certificate you want to update.

type Status

string

param Status

[REQUIRED]

The status you want to assign to the certificate. Active means the certificate can be used for API calls to AWS, while Inactive means the certificate cannot be used.

returns

None

DeleteAccountAlias (new) Link ¶

Deletes the specified AWS account alias. For information about using an AWS account alias, see Using an Alias for Your AWS Account ID in the Using IAM guide.

Request Syntax

client.delete_account_alias(
    AccountAlias='string'
)
type AccountAlias

string

param AccountAlias

[REQUIRED]

Name of the account alias to delete.

returns

None

CreateVirtualMFADevice (new) Link ¶

Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, go to Using a Virtual MFA Device in the Using IAM guide.

For information about limits on the number of MFA devices you can create, see Limitations on Entities in the Using IAM guide.

Warning

The seed information contained in the QR code and the Base32 string should be treated like any other secret access information, such as your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.

Request Syntax

client.create_virtual_mfa_device(
    Path='string',
    VirtualMFADeviceName='string'
)
type Path

string

param Path

The path for the virtual MFA device. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

This parameter is optional. If it is not included, it defaults to a slash (/).

type VirtualMFADeviceName

string

param VirtualMFADeviceName

[REQUIRED]

The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.

rtype

dict

returns

Response Syntax

{
    'VirtualMFADevice': {
        'SerialNumber': 'string',
        'Base32StringSeed': b'bytes',
        'QRCodePNG': b'bytes',
        'User': {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1)
        },
        'EnableDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the CreateVirtualMFADevice action.

    • VirtualMFADevice (dict) --

      A newly created virtual MFA device.

      • SerialNumber (string) --

        The serial number associated with VirtualMFADevice.

      • Base32StringSeed (bytes) --

        The Base32 seed defined as specified in RFC 3548. The Base32StringSeed is Base64-encoded.

      • QRCodePNG (bytes) --

        A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String where $virtualMFADeviceName is one of the create call arguments, AccountName is the user name if set (accountId otherwise), and Base32String is the seed in Base32 format. The Base32String is Base64-encoded.

      • User (dict) --

        The User data type contains information about a user.

        This data type is used as a response element in the following actions:

        • CreateUser

        • GetUser

        • ListUsers

        • Path (string) --

          Path to the user. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • UserName (string) --

          The name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the user. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the user was created.

      • EnableDate (datetime) --

        The date when the virtual MFA device was enabled for the user.

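The response above hands back the TOTP seed twice-encoded (Base32 text, then Base64 on the wire) plus the otpauth URI inside the QR code. The following is an added example, not code from boto3 or the AWS documentation: it decodes a constructed CreateVirtualMFADevice response, rebuilds the otpauth URI the page describes, and derives the RFC 6238 code an authenticator app would show, so an operator can confirm the device enrolled correctly before destroying the seed as the warning requires. The sample response, SerialNumber and account ID are constructed; the seed is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed response in the shape CreateVirtualMFADevice returns. The seed is the
# RFC 6238 reference key (ASCII "12345678901234567890"), Base32-encoded and then, as
# the page states, Base64-encoded on the wire. SerialNumber/account ID are placeholders.
SAMPLE_RESPONSE = {
    "VirtualMFADevice": {
        "SerialNumber": "arn:aws:iam::123456789012:mfa/ExampleDevice",
        "Base32StringSeed": base64.b64encode(b"GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
        "QRCodePNG": b"",  # PNG bytes omitted here; otpauth_uri() rebuilds what it encodes
    }
}


def decode_seed(response):
    """Return (base32_text, raw_key) from a CreateVirtualMFADevice response.

    Base32StringSeed is Base64 on the wire, so it is decoded twice: Base64 to recover
    the Base32 text a user would type into an app, then Base32 to get the raw HMAC key.
    """
    field = response["VirtualMFADevice"]["Base32StringSeed"]
    b32_text = base64.b64decode(field).decode("ascii")
    raw_key = base64.b32decode(b32_text, casefold=True)
    return b32_text, raw_key


def otpauth_uri(device_name, account_name, b32_text):
    """Rebuild the otpauth URI the page says the QR code PNG carries."""
    return f"otpauth://totp/{quote(device_name)}@{quote(account_name)}?secret={b32_text}"


def totp(raw_key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: what an authenticator computes from the seed."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(raw_key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def provisioning_check(response, device_name, account_name, unix_time):
    """Everything needed to confirm a new virtual device before the seed is destroyed:
    its serial (the ARN), the URI the QR code should contain, and the expected code."""
    b32_text, raw_key = decode_seed(response)
    return {
        "serial": response["VirtualMFADevice"]["SerialNumber"],
        "uri": otpauth_uri(device_name, account_name, b32_text),
        "code": totp(raw_key, unix_time),
    }


if __name__ == "__main__":
    import time
    print(provisioning_check(SAMPLE_RESPONSE, "ExampleDevice", "alice", time.time()))
```

The serial number returned here is the value later passed to EnableMFADevice and listed by ListMFADevices; for a virtual device it is the device ARN, as that section notes.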
ListRoles (new) Link ¶

Lists the roles that have the specified path prefix. If there are none, the action returns an empty list. For more information about roles, go to Working with Roles.

You can paginate the results using the MaxItems and Marker parameters.

The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

Request Syntax

client.list_roles(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example: /application_abc/component_xyz/, which would get all roles whose path starts with /application_abc/component_xyz/.

This parameter is optional. If it is not included, it defaults to a slash (/), listing all roles.

type Marker

string

param Marker

Use this parameter only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this parameter only when paginating results to indicate the maximum number of roles you want in the response. If there are additional roles beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Roles': [
        {
            'Path': 'string',
            'RoleName': 'string',
            'RoleId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'AssumeRolePolicyDocument': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListRoles action.

    • Roles (list) --

      A list of roles.

      • (dict) --

        The Role data type contains information about a role.

        This data type is used as a response element in the following actions:

        • CreateRole

        • GetRole

        • ListRoles

        • Path (string) --

          Path to the role. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • RoleName (string) --

          The name identifying the role.

        • RoleId (string) --

          The stable and unique string identifying the role. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the role was created.

        • AssumeRolePolicyDocument (string) --

          The policy that grants an entity permission to assume the role.

          The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more roles to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more roles in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
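ListMFADevices, ListRoles and ListGroupsForUser all share the Marker/IsTruncated pagination contract described above, and ListRoles (like CreateRole and GetRole) returns AssumeRolePolicyDocument URL-encoded per RFC 3986. The following is an added example, not code from boto3 or the AWS documentation: a generator that follows Marker until IsTruncated is false, a decoder for the encoded trust policy, and a summary of which principals may assume each role. FakeIAMClient, SAMPLE_ROLES, the role names, IDs and account number are constructed stand-ins; the first two roles carry the kind of EC2 trust policy the CreateRole description refers to. iter_roles works unchanged against a real boto3 IAM client because it only uses the PathPrefix, Marker and MaxItems parameters documented here.

```python
import json
from urllib.parse import quote, unquote


def _encoded_trust_policy(principal_key, principal):
    """Build a trust policy allowing `principal` to call sts:AssumeRole and
    URL-encode it the way IAM returns AssumeRolePolicyDocument (RFC 3986)."""
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {principal_key: principal},
            "Action": "sts:AssumeRole",
        }],
    }
    return quote(json.dumps(doc), safe="")


# Constructed sample data; names, IDs and the account number are placeholders.
SAMPLE_ROLES = [
    {"Path": "/app/", "RoleName": "web-instance", "RoleId": "AROAEXAMPLEID00001",
     "Arn": "arn:aws:iam::123456789012:role/app/web-instance",
     "AssumeRolePolicyDocument": _encoded_trust_policy("Service", "ec2.amazonaws.com")},
    {"Path": "/app/", "RoleName": "batch-worker", "RoleId": "AROAEXAMPLEID00002",
     "Arn": "arn:aws:iam::123456789012:role/app/batch-worker",
     "AssumeRolePolicyDocument": _encoded_trust_policy("Service", "ec2.amazonaws.com")},
    {"Path": "/ops/", "RoleName": "ops-admin", "RoleId": "AROAEXAMPLEID00003",
     "Arn": "arn:aws:iam::123456789012:role/ops/ops-admin",
     "AssumeRolePolicyDocument": _encoded_trust_policy("AWS", "arn:aws:iam::123456789012:root")},
]


class FakeIAMClient:
    """Offline stand-in for a boto3 IAM client (constructed for this example).
    list_roles() pages through its roles using the IsTruncated/Marker contract."""

    def __init__(self, roles):
        self._roles = roles

    def list_roles(self, PathPrefix="/", Marker=None, MaxItems=100):
        matching = [r for r in self._roles if r["Path"].startswith(PathPrefix)]
        start = int(Marker) if Marker else 0
        page = matching[start:start + MaxItems]
        end = start + len(page)
        resp = {"Roles": page, "IsTruncated": end < len(matching)}
        if resp["IsTruncated"]:
            resp["Marker"] = str(end)   # Marker is present only when truncated
        return resp


def iter_roles(client, path_prefix="/", page_size=2):
    """Yield every role under path_prefix, requesting further pages until
    IsTruncated is False and feeding each Marker back into the next call."""
    kwargs = {"PathPrefix": path_prefix, "MaxItems": page_size}
    while True:
        resp = client.list_roles(**kwargs)
        yield from resp["Roles"]
        if not resp.get("IsTruncated"):
            return
        kwargs["Marker"] = resp["Marker"]


def decode_trust_policy(role):
    """AssumeRolePolicyDocument is returned URL-encoded; decode, then parse the JSON."""
    return json.loads(unquote(role["AssumeRolePolicyDocument"]))


def trust_summary(client, path_prefix="/"):
    """Map each role name to the principals its trust policy allows to assume it."""
    summary = {}
    for role in iter_roles(client, path_prefix):
        principals = []
        for stmt in decode_trust_policy(role).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {})
            if principal == "*":               # anonymous principal: report verbatim
                principals.append("*")
                continue
            for value in principal.values():
                principals.extend(value if isinstance(value, list) else [value])
        summary[role["RoleName"]] = principals
    return summary


if __name__ == "__main__":
    for name, who in trust_summary(FakeIAMClient(SAMPLE_ROLES)).items():
        print(f"{name}: assumable by {', '.join(who)}")
```

Reading the Marker only from a truncated response matters: the element is absent otherwise, so a loop that unconditionally indexes resp["Marker"] fails on the final page.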

ListGroupsForUser (new) Link ¶

Lists the groups the specified user belongs to.

You can paginate the results using the MaxItems and Marker parameters.

Request Syntax

client.list_groups_for_user(
    UserName='string',
    Marker='string',
    MaxItems=123
)
type UserName

string

param UserName

[REQUIRED]

The name of the user to list groups for.

type Marker

string

param Marker

Use this only when paginating results, and only in a subsequent request after you've received a response where the results are truncated. Set it to the value of the Marker element in the response you just received.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of groups you want in the response. If there are additional groups beyond the maximum you specify, the IsTruncated response element is true. This parameter is optional. If you do not include it, it defaults to 100.

rtype

dict

returns

Response Syntax

{
    'Groups': [
        {
            'Path': 'string',
            'GroupName': 'string',
            'GroupId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1)
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the ListGroupsForUser action.

    • Groups (list) --

      A list of groups.

      • (dict) --

        The Group data type contains information about a group.

        This data type is used as a response element in the following actions:

        • CreateGroup

        • GetGroup

        • ListGroups

        • Path (string) --

          Path to the group. For more information about paths, see Identifiers for IAM Entities in the Using IAM guide.

        • GroupName (string) --

          The name that identifies the group.

        • GroupId (string) --

          The stable and unique string identifying the group. For more information about IDs, see Identifiers for IAM Entities in the Using IAM guide.

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see Identifiers for IAM Entities in the Using IAM guide.

        • CreateDate (datetime) --

          The date when the group was created.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more groups to list. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more groups in the list.

    • Marker (string) --

      If IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

UpdateLoginProfile (new) Link ¶

Changes the password for the specified user.

Request Syntax

client.update_login_profile(
    UserName='string',
    Password='string',
    PasswordResetRequired=True|False
)
type UserName

string

param UserName

[REQUIRED]

Name of the user whose password you want to update.

type Password

string

param Password

The new password for the specified user.

type PasswordResetRequired

boolean

param PasswordResetRequired

Require the specified user to set a new password on next sign-in.

returns

None

AddRoleToInstanceProfile (new) Link ¶

Adds the specified role to the specified instance profile. For more information about roles, go to Working with Roles. For more information about instance profiles, go to About Instance Profiles.

Request Syntax

client.add_role_to_instance_profile(
    InstanceProfileName='string',
    RoleName='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

Name of the instance profile to update.

type RoleName

string

param RoleName

[REQUIRED]

Name of the role to add.

returns

None

GetRolePolicy (new) Link ¶

Retrieves the specified policy document for the specified role. For more information about roles, go to Working with Roles.

The returned policy is URL-encoded according to RFC 3986. For more information about RFC 3986, go to http://www.faqs.org/rfcs/rfc3986.html.

Request Syntax

client.get_role_policy(
    RoleName='string',
    PolicyName='string'
)
type RoleName

string

param RoleName

[REQUIRED]

Name of the role associated with the policy.

type PolicyName

string

param PolicyName

[REQUIRED]

Name of the policy document to get.

rtype

dict

returns

Response Syntax

{
    'RoleName': 'string',
    'PolicyName': 'string',
    'PolicyDocument': 'string'
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetRolePolicy action.

    • RoleName (string) --

      The role the policy is associated with.

    • PolicyName (string) --

      The name of the policy.

    • PolicyDocument (string) --

      The policy document.

GetAccountPasswordPolicy (new) Link ¶

Retrieves the password policy for the AWS account. For more information about using a password policy, go to Managing an IAM Password Policy.

Request Syntax

client.get_account_password_policy()
rtype

dict

returns

Response Syntax

{
    'PasswordPolicy': {
        'MinimumPasswordLength': 123,
        'RequireSymbols': True|False,
        'RequireNumbers': True|False,
        'RequireUppercaseCharacters': True|False,
        'RequireLowercaseCharacters': True|False,
        'AllowUsersToChangePassword': True|False,
        'ExpirePasswords': True|False,
        'MaxPasswordAge': 123,
        'PasswordReusePrevention': 123,
        'HardExpiry': True|False
    }
}

Response Structure

  • (dict) --

    Contains the result of a successful invocation of the GetAccountPasswordPolicy action.

    • PasswordPolicy (dict) --

      The PasswordPolicy data type contains information about the account password policy.

      This data type is used as a response element in the action GetAccountPasswordPolicy.

      • MinimumPasswordLength (integer) --

        Minimum length to require for IAM user passwords.

      • RequireSymbols (boolean) --

        Specifies whether to require symbols for IAM user passwords.

      • RequireNumbers (boolean) --

        Specifies whether to require numbers for IAM user passwords.

      • RequireUppercaseCharacters (boolean) --

        Specifies whether to require uppercase characters for IAM user passwords.

      • RequireLowercaseCharacters (boolean) --

        Specifies whether to require lowercase characters for IAM user passwords.

      • AllowUsersToChangePassword (boolean) --

        Specifies whether IAM users are allowed to change their own password.

      • ExpirePasswords (boolean) --

        Specifies whether IAM users are required to change their password after a specified number of days.

      • MaxPasswordAge (integer) --

        The number of days that an IAM user password is valid.

      • PasswordReusePrevention (integer) --

        Specifies the number of previous passwords that IAM users are prevented from reusing.

      • HardExpiry (boolean) --

        Specifies whether IAM users are prevented from setting a new password after their password has expired.
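The PasswordPolicy fields above are the natural input for a configuration audit. The following is an added example, not code from boto3 or the AWS documentation: it compares a GetAccountPasswordPolicy response against a baseline and reports each field that falls short. The baseline values are an assumption made for this example, not AWS-published requirements; the two sample responses are constructed. Fields such as MaxPasswordAge and PasswordReusePrevention are treated as optional, since a policy that does not expire passwords or prevent reuse omits them.

```python
import operator

# Example baseline (an assumption for this example, not an AWS-published value).
# Each entry is (comparison, threshold): the live value must satisfy `value <op> threshold`.
BASELINE = {
    "MinimumPasswordLength": (">=", 14),
    "RequireSymbols": ("==", True),
    "RequireNumbers": ("==", True),
    "RequireUppercaseCharacters": ("==", True),
    "RequireLowercaseCharacters": ("==", True),
    "ExpirePasswords": ("==", True),
    "MaxPasswordAge": ("<=", 90),          # days; lower is stricter
    "PasswordReusePrevention": (">=", 24),  # previous passwords remembered
}

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


def audit_password_policy(response, baseline=BASELINE):
    """Return one finding string per baseline field the response does not satisfy.

    Optional fields missing from the response (for example MaxPasswordAge when
    ExpirePasswords is False) are reported as "not set" rather than raising.
    """
    policy = response.get("PasswordPolicy", {})
    findings = []
    for key, (op, want) in baseline.items():
        have = policy.get(key)
        if have is None:
            findings.append(f"{key}: not set (expected {op} {want})")
        elif not _OPS[op](have, want):
            findings.append(f"{key}: {have} (expected {op} {want})")
    return findings


# Constructed responses in the shape GetAccountPasswordPolicy returns.
WEAK_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,              # so MaxPasswordAge is absent
    "HardExpiry": False,
}}

STRONG_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 16,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 60,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}}


if __name__ == "__main__":
    for finding in audit_password_policy(WEAK_POLICY):
        print("FINDING:", finding)
    print("strong policy findings:", audit_password_policy(STRONG_POLICY))
```

Passing the dictionary returned by a real client.get_account_password_policy() call in place of the constructed responses is the only change needed to run this against an account.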