Can I search existing IAM policies for a specific action?

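In AWS IAM, is there a way, either by scripting or in the web console, to find which existing policies contain a given action?

For example, I want to allow role `myRole` to have access to an action on all of my EC2 instances. I know I can create my own policy with an appropriate rule, but I would like to use an existing Amazon policy if such a thing exists.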

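Best answer

This is an old post, but it may help someone... Despite what others have said, you can do this. It just requires a bit of scripting.

You can do the following with the AWS CLI.

  1. Get the ARNs of the policies and store them in the `policies_arn` array.

    mapfile -t policies_arn < <(aws iam list-policies --query 'Policies[*].[Arn]' --output text)

  2. Get the VersionIds for each policy and store them in the `policies_ver` array.

    mapfile -t policies_ver < <(aws iam list-policies --query 'Policies[*].[DefaultVersionId]' --output text)

  3. Use a for loop to go through each policy and store the policy document in `policies.txt`.

    for (( i=0; i<${#policies_arn[@]}; i++ )); do echo "${policies_arn[i]}" >> policies.txt && aws iam get-policy-version --policy-arn "${policies_arn[i]}" --version-id "${policies_ver[i]}" --output json >> policies.txt; done

  4. Open `policies.txt` in a text editor and search for your action.

Note: Depending on your CLI configuration, you may or may not need the `--output text` parameter. However, the output must be text (not JSON) for this to work.

From there, you can easily turn this into a shell script.

Output: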

arn:aws:iam::123456789012:policy/DenyAllAccess
{
    "PolicyVersion": {
        "CreateDate": "2016-12-06T18:40:51Z",
        "VersionId": "v1",
        "Document": {
            "Statement": [
                {
                    "Action": "*",
                    "Effect": "Deny",
                    "Resource": "*"
                }
            ],
            "Version": "2012-10-17"
        },
        "IsDefaultVersion": true
    }
}

Cheers!

Other answers

To elaborate on my understanding of https://stackoverflow.com/a/43128660/447862 the important thing is to get the JSON from the default version of each policy. Since my machine does not have mapfile I opted to use Python.

import boto3, json, sys

iam = boto3.client("iam")
policy_arn = sys.argv[1]
policy_name = policy_arn.split("/")[-1]

# Fetch the JSON document of the policy's default version
version = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
policy_version = iam.get_policy_version(PolicyArn=policy_arn, VersionId=version)
policy_document = policy_version["PolicyVersion"]["Document"]

# Write the document to <policy name>.json in the current directory
with open(f"{policy_name}.json", "w") as outfile:
  outfile.write(json.dumps(policy_document, indent=2))
  outfile.write("\n")

Saving this as `aws-iam-policy-dump.py`, I can then write each policy document to its own file and do whatever searching I want.

aws iam list-policies --query 'Policies[*].Arn' --output text > policy-arns.txt
for arn in $(cat policy-arns.txt); do
  python aws-iam-policy-dump.py "$arn"
done

It could probably be faster by doing everything in Python, but this hybrid approach is good enough for me.

aws iam list-policies --query 'Policies[*].[Arn, DefaultVersionId]' | jq -rc '.[] | join(" ")' | xargs -l bash -c 'aws iam get-policy-version --policy-arn=$0 --version-id=$1 --query="{\"$0\": PolicyVersion.Document.Statement[*].[Action, NotAction][][]}"' | jq -c . | grep YOUR_POLICY_ACTION_HERE

  1. This basically captures all the ARNs and Versions in a single call
  2. Then joins the output into a single space-separated string
  3. This string is then sent to another bash process via xargs, where the ARN and VersionId are passed in as separate parameters to get-policy-version
  4. The result of this is combined with the ARN into a single line
  5. Lines are grepped for your pleasure with the search action you're looking for.

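I came across this question while looking for a way to find existing policies that might contain a specific action. The command runs in O(n) time in the number of policies, since a separate call is made for each of your policies.

I couldn't figure out how to get `.contains()` to work properly in the final `--query` so that the filtering could be done there instead of with grep.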

Pure Python version of @amacleod's response:

# based on https://stackoverflow.com/questions/38270609/can-i-search-existing-iam-policies-for-a-specific-action
#          https://www.learnaws.org/2021/05/12/aws-iam-boto3-guide/

import boto3, json, sys

iam = boto3.client("iam")


def write_policy(policy_arn):
    # Write the default version of one policy to <policy name>.json

    # policy_arn = sys.argv[1]
    policy_name = policy_arn.split("/")[-1]

    version = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    policy_version = iam.get_policy_version(PolicyArn=policy_arn, VersionId=version)
    policy_document = policy_version["PolicyVersion"]["Document"]

    with open(f"{policy_name}.json", "w") as outfile:
        outfile.write(json.dumps(policy_document, indent=2))
        outfile.write("\n")

def list_policies():
    # Scope="Local" limits the listing to customer managed policies
    paginator = iam.get_paginator("list_policies")
    for response in paginator.paginate(Scope="Local"):
        for policy in response["Policies"]:
            print(f"Policy Name: {policy['PolicyName']} ARN: {policy['Arn']}")
            write_policy(policy["Arn"])


if __name__ == "__main__":
    list_policies()

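Since I have searched for and found this question and set of answers over the years, here is the "plain" (no `jq` required) command I use to produce a list of IAM policy names and their associated actions:

$ aws iam list-policies --query 'Policies[*].[PolicyName, Arn, DefaultVersionId]' --output text |
    while read -r NAME ARN VER; do
      echo "$NAME $(aws iam get-policy-version --policy-arn="$ARN" --version-id="$VER" --query 'PolicyVersion.Document.Statement[*].Action[]' --output text | tr '\t' ' ')"
    done > policies.txt

This takes a while to run, but then I can quickly grep the output to find existing policies I can reuse.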
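
Added example (not part of any answer above, and not AWS code): grepping dumped policy documents for a literal action name misses statements that cover it through a wildcard such as `ec2:Describe*` or through `NotAction`. This Python code matches one action against policy documents using IAM's `*` and `?` wildcards; the documents in `SAMPLE` are constructed, apart from `DenyAllAccess`, which mirrors the sample output in the first answer, and `ec2:DescribeTags` is an assumed search target.

```python
import re

def _as_list(value):
    # IAM accepts a single string/object wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are IAM wildcards.
    return any(
        re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."),
                     action, re.IGNORECASE)
        for p in patterns)

def statements_covering(document, action):
    """Return (Effect, element) for each statement that applies to `action`."""
    hits = []
    for stmt in _as_list(document.get("Statement", [])):
        if "Action" in stmt:
            if _matches(_as_list(stmt["Action"]), action):
                hits.append((stmt.get("Effect"), "Action"))
        elif "NotAction" in stmt:
            # NotAction applies to everything except the listed patterns.
            if not _matches(_as_list(stmt["NotAction"]), action):
                hits.append((stmt.get("Effect"), "NotAction"))
    return hits

def search(policies, action):
    """policies maps a name or ARN to a policy document (dict)."""
    found = {}
    for name, document in policies.items():
        hits = statements_covering(document, action)
        if hits:
            found[name] = hits
    return found

# Constructed sample documents; only DenyAllAccess mirrors the page's output.
SAMPLE = {
    "ExampleDescribeOnly": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"], "Resource": "*"}]},
    "ExampleS3Only": {"Statement":
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}},
    "ExampleAllButIam": {"Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "DenyAllAccess": {"Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, hits in search(SAMPLE, "ec2:DescribeTags").items():
        print(name, hits)
```

Only the action is matched here; `Resource` and `Condition` elements still decide whether a statement applies to a given request, and a `Deny` hit means the policy blocks the action rather than grants it.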




