Using old analyze_by_access_level fails now
5vmmvm opened this issue · 1 comment
5vmmvm commented
Hi team,
I was trying to re-run this for certain templates and I'm getting some errors. This is the code I'm using as an example:
```python
#!/usr/bin/env python
from policy_sentry.analysis.analyze import analyze_by_access_level
import json

if __name__ == '__main__':
    permissions_management_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "compute-optimizer:GetEnrollmentStatus",
                    "compute-optimizer:GetRecommendationSummaries",
                    "compute-optimizer:GetEC2InstanceRecommendations",
                    "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                    "compute-optimizer:GetAutoScalingGroupRecommendations",
                    "compute-optimizer:GetEBSVolumeRecommendations",
                    "compute-optimizer:GetLambdaFunctionRecommendations",
                    "compute-optimizer:DescribeRecommendationExportJobs",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVolumes",
                    "autoscaling:DescribeAutoScalingGroups",
                    "lambda:ListFunctions",
                    "lambda:ListProvisionedConcurrencyConfigs",
                    "cloudwatch:GetMetricData"
                ],
                "Resource": "*"
            }
        ]
    }
    print('********* READ ***********')
    permissions_management_actions = analyze_by_access_level(permissions_management_policy, "read")
    print(json.dumps(permissions_management_actions, indent=4))
    print('********* LIST ***********')
    permissions_management_actions = analyze_by_access_level(permissions_management_policy, "list")
    print(json.dumps(permissions_management_actions, indent=4))
    print('********* WRITE ***********')
    permissions_management_actions = analyze_by_access_level(permissions_management_policy, "write")
    print(json.dumps(permissions_management_actions, indent=4))
    print('********* TAGGING ***********')
    permissions_management_actions = analyze_by_access_level(permissions_management_policy, "tagging")
    print(json.dumps(permissions_management_actions, indent=4))
    print('********* PERMISSIONS-MANAGEMENT ***********')
    permissions_management_actions = analyze_by_access_level(permissions_management_policy, "permissions-management")
    print(json.dumps(permissions_management_actions, indent=4))
```
And I'm getting this error:

```
********* READ ***********
Traceback (most recent call last):
  File "analyze_json.py", line 34, in <module>
    permissions_management_actions = analyze_by_access_level(permissions_management_policy, "read")
  File "/usr/local/lib/python3.9/site-packages/policy_sentry/analysis/analyze.py", line 27, in analyze_by_access_level
    requested_actions = get_actions_from_policy(expanded_policy)
  File "/usr/local/lib/python3.9/site-packages/policy_sentry/util/policy_files.py", line 52, in get_actions_from_policy
    if service in action_data.keys():
AttributeError: 'bool' object has no attribute 'keys'
```
Could you please take a look? thanks!
gruebel commented
Hey @5vmmvm, thanks for reaching out in the past.

I looked into it and it was fixed a while ago 😅 Additionally, the access levels you used will not work; it has to be `Read`, `List`, `Write`, `Tagging` and `Permissions management`. The ones you used are for the CLI only, which are transformed to the ones I mentioned.
And the output for your example:

```
********* READ ***********
[
    "cloudwatch:GetMetricData"
]
********* LIST ***********
[
    "autoscaling:DescribeAutoScalingGroups",
    "compute-optimizer:DescribeRecommendationExportJobs",
    "compute-optimizer:GetAutoScalingGroupRecommendations",
    "compute-optimizer:GetEBSVolumeRecommendations",
    "compute-optimizer:GetEC2InstanceRecommendations",
    "compute-optimizer:GetEC2RecommendationProjectedMetrics",
    "compute-optimizer:GetEnrollmentStatus",
    "compute-optimizer:GetLambdaFunctionRecommendations",
    "compute-optimizer:GetRecommendationSummaries",
    "ec2:DescribeInstances",
    "ec2:DescribeVolumes",
    "lambda:ListFunctions",
    "lambda:ListProvisionedConcurrencyConfigs"
]
********* WRITE ***********
[]
********* TAGGING ***********
[]
********* PERMISSIONS-MANAGEMENT ***********
[]
```
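The maintainer's point above (the library wants `Read`, `List`, `Write`, `Tagging`, `Permissions management`, while the CLI takes the lower-case hyphenated spellings) is the kind of mismatch that silently under-reports privileges during a policy review. The following wrapper is an added example, not code from the policy_sentry project or from either commenter: it maps the CLI spelling to the library name and raises on anything unrecognised, so a typo can never come back as an empty list that reads like "no Write actions". `actions_at_level` assumes policy_sentry is installed; the import is lazy so the normaliser runs without it.

```python
# Added example (not policy_sentry's own code): validate and translate the
# access-level name before handing it to analyze_by_access_level.
from __future__ import annotations

# Library-side names as given in the maintainer's reply, keyed by the CLI
# spelling the reporter used.
CLI_TO_LIBRARY_LEVEL = {
    "read": "Read",
    "list": "List",
    "write": "Write",
    "tagging": "Tagging",
    "permissions-management": "Permissions management",
}


def normalize_access_level(level: str) -> str:
    """Return the library's name for a CLI-style or library-style level.

    Accepts "read", "Read", "permissions-management", "Permissions management",
    etc.; raises ValueError for anything else rather than letting a misspelt
    level reach the library, where it would yield an empty (and misleading) list.
    """
    key = level.strip().lower().replace("_", "-").replace(" ", "-")
    try:
        return CLI_TO_LIBRARY_LEVEL[key]
    except KeyError:
        raise ValueError(
            f"unknown access level {level!r}; expected one of "
            f"{sorted(CLI_TO_LIBRARY_LEVEL)}"
        ) from None


def actions_at_level(policy: dict, level: str) -> list[str]:
    """Run policy_sentry's analyze_by_access_level with a validated level name.

    The import is deferred so normalize_access_level stays usable (and
    testable) where policy_sentry is not installed.
    """
    from policy_sentry.analysis.analyze import analyze_by_access_level  # assumed installed

    return analyze_by_access_level(policy, normalize_access_level(level))
```

With this in place the reporter's script can keep its five lower-case level strings; `actions_at_level(permissions_management_policy, "permissions-management")` ends up calling the library with `"Permissions management"`.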