
For non-root user, iam:GetUser is not necessary, iam:ListMFADevices is enough #8

Open
ikuwow opened this issue Feb 19, 2019 · 0 comments


ikuwow commented Feb 19, 2019

awsmfa/awsmfa/__main__.py

Lines 331 to 345 in bbd9ef8

user = iam.get_user()
if user['User']['Arn'].endswith(':root'):
    # The root user MFA device is not in the same way as non-root
    # users, so we must find the root MFA devices using a different
    # method than we do for normal users.
    devices = boto3_session.resource('iam').CurrentUser().mfa_devices.all()
    serials = (x.serial_number for x in devices)
else:
    # Non-root users can have a restrictive policy that allows them
    # only to list devices associated with their user but it requires
    # using the low level IAM client to compose the proper request.
    username = user['User']['UserName']
    devices = botocore_session.create_client('iam').list_mfa_devices(
        UserName=username)
    serials = (x['SerialNumber'] for x in devices['MFADevices'])

https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListMFADevices.html

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this API.
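The following is an added example, not part of this issue or of awsmfa's code, showing why the GetUser call costs a permission the non-root path does not need. It runs offline: FakeIamClient stands in for boto3.client('iam') and enforces a constructed least-privilege policy (hypothetical account id 123456789012 and user name alice) that grants only iam:ListMFADevices. The quoted path (GetUser, then ListMFADevices with UserName) is denied under that policy, while calling list_mfa_devices() with no UserName, as the linked API reference describes, succeeds. In production the same two functions would be passed a real boto3 IAM client.

```python
import json

# Constructed least-privilege policy for a non-root IAM user (hypothetical
# account id): only iam:ListMFADevices on the caller's own user, no iam:GetUser.
MINIMAL_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:ListMFADevices"],
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
        }
    ],
}


def allowed_actions(policy):
    """Collect the actions the policy's Allow statements grant (exact action
    names only; no wildcard or Deny handling, which is enough for this demo)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"]
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


class AccessDenied(Exception):
    """Stand-in for botocore.exceptions.ClientError with code AccessDenied."""


class FakeIamClient:
    """Offline stand-in for boto3.client('iam') that enforces a policy and
    records every API call, so a test can see which permissions a code path
    really needs."""

    def __init__(self, policy, serials, username="alice"):
        self._allowed = allowed_actions(policy)
        self._serials = list(serials)
        self._username = username
        self.calls = []  # list of (api name, kwargs)

    def _authorize(self, action):
        if action not in self._allowed:
            raise AccessDenied(f"not authorized to perform: {action}")

    def get_user(self, **kwargs):
        self.calls.append(("GetUser", kwargs))
        self._authorize("iam:GetUser")
        return {"User": {"UserName": self._username,
                         "Arn": f"arn:aws:iam::123456789012:user/{self._username}"}}

    def list_mfa_devices(self, **kwargs):
        self.calls.append(("ListMFADevices", kwargs))
        self._authorize("iam:ListMFADevices")
        # Real IAM infers the user from the signing access key when UserName is
        # omitted; this fake only knows the one caller it was built for.
        if kwargs.get("UserName", self._username) != self._username:
            raise AccessDenied("ListMFADevices on another user's resource")
        return {"MFADevices": [{"SerialNumber": s} for s in self._serials]}


def mfa_serials_via_get_user(iam):
    """The non-root path quoted in the issue: GetUser, then ListMFADevices(UserName=...)."""
    username = iam.get_user()["User"]["UserName"]
    resp = iam.list_mfa_devices(UserName=username)
    return [d["SerialNumber"] for d in resp["MFADevices"]]


def mfa_serials_implicit(iam):
    """The change the issue proposes: omit UserName so IAM resolves the caller itself."""
    resp = iam.list_mfa_devices()
    return [d["SerialNumber"] for d in resp["MFADevices"]]


def compare(policy, serials):
    """Run both paths under the same policy and return (old_result, new_result),
    each either the serial list or the string 'AccessDenied'."""
    results = []
    for fn in (mfa_serials_via_get_user, mfa_serials_implicit):
        iam = FakeIamClient(policy, serials)
        try:
            results.append(fn(iam))
        except AccessDenied:
            results.append("AccessDenied")
    return tuple(results)


if __name__ == "__main__":
    print(json.dumps(MINIMAL_MFA_POLICY, indent=2))
    print(compare(MINIMAL_MFA_POLICY, ["arn:aws:iam::123456789012:mfa/alice"]))
```

The example only covers the non-root branch that the issue is about; deciding whether the caller is the root account without iam:GetUser is a separate question that the issue does not settle.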