IAM

class coto.clients.iam.Client(session)

A low-level client representing IAM:

import coto

session = coto.Session()
client = session.client('iam')

These are the available methods:

create_root_access_key()

Creates a new AWS secret access key and corresponding AWS access key ID for the account root user. The default status for new keys is Active.

Request Syntax:
response = client.create_root_access_key()
Returns: Response Syntax
{
    "id": str,
    "status": "Active",
    "secret": str,
    "createDate": int,
    "deleteDate": int
}
Return type: dict

create_virtual_mfa_device(VirtualMFADeviceName='root-account-mfa-device', Path='/')

Creates a new virtual MFA device for the AWS account. After creating the virtual MFA device, use enable_root_mfa_device() to attach it to the account root user.

Request Syntax:
response = client.create_virtual_mfa_device(
    VirtualMFADeviceName=str,
    Path=str
)
Parameters:
  • VirtualMFADeviceName (str) – The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device. This parameter is optional. If it is not included, it defaults to root-account-mfa-device.
  • Path (str) – The path for the virtual MFA device. For more information about paths, see IAM Identifiers in the IAM User Guide. This parameter is optional. If it is not included, it defaults to a slash (/).
Returns:

Response Syntax

{
    "serialNumber": str,
    "qrCodePNG": str,
    "base32StringSeed": str
}

serialNumber (str) – The serial number associated with VirtualMFADevice.

qrCodePNG (str) – A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String where $virtualMFADeviceName is one of the create call arguments, $AccountName is the user name if set (otherwise, the account ID), and $Base32String is the seed in Base32 format. The $Base32String value is Base64-encoded.

base32StringSeed (str) – The Base32 seed defined as specified in RFC3548. The Base32StringSeed is Base64-encoded.

Return type:

dict

deactivate_root_mfa_device(SerialNumber)

Deactivates the specified MFA device and removes it from association with the account root user.

Request Syntax:
response = client.deactivate_root_mfa_device(
    SerialNumber=str
)
Parameters: SerialNumber (str) – The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.

delete_root_access_key(AccessKeyId)

Deletes the access key pair associated with the account root user.

Request Syntax:
response = client.delete_root_access_key(
    AccessKeyId=str,
)
Parameters: AccessKeyId (str) – The ID of the access key pair (access key ID and secret access key) you want to delete.
Returns: success
Return type: bool

enable_root_mfa_device(SerialNumber, Base32StringSeed=None, AuthenticationCode1=None, AuthenticationCode2=None)

Enables the specified MFA device and associates it with the account root user. When enabled, the MFA device is required for every subsequent login by the account root user.

Specify either the Base32StringSeed, or both AuthenticationCode1 and AuthenticationCode2.

Request Syntax:
response = client.enable_root_mfa_device(
    SerialNumber=str,
    Base32StringSeed=str,
)

or

response = client.enable_root_mfa_device(
    SerialNumber=str,
    AuthenticationCode1=str,
    AuthenticationCode2=str,
)
Parameters:
  • SerialNumber (str) – The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.
  • Base32StringSeed (str) – The Base32 seed defined as specified in RFC3548. The Base32StringSeed is Base64-encoded. If set, the current values for the AuthenticationCode1 and AuthenticationCode2 arguments will be calculated.
  • AuthenticationCode1 (str) – An authentication code emitted by the device. The format for this parameter is a string of 6 digits. If Base32StringSeed is set, it will override this argument.
  • AuthenticationCode2 (str) – An authentication code emitted by the device. The format for this parameter is a string of 6 digits. If Base32StringSeed is set, it will override this argument.
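
What passing Base32StringSeed amounts to, as an added example that is not coto's own code: the two authentication codes are standard TOTP values (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 6 digits, 30-second step). Assumptions: the seed is Base64-wrapped Base32 as described above, the two codes come from the current and the next time window, and the helper names and sample seed are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_seed(base32_string_seed_b64):
    """Base64-decode the value, then Base32-decode the result to raw key bytes."""
    base32_text = base64.b64decode(base32_string_seed_b64).decode("ascii")
    # Base32 input must be padded to a multiple of 8 characters.
    padded = base32_text.upper() + "=" * (-len(base32_text) % 8)
    return base64.b32decode(padded)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def consecutive_codes(base32_string_seed_b64, now=None, step=30):
    """Return the codes for the current and the next 30-second window."""
    key = decode_seed(base32_string_seed_b64)
    counter = int(time.time() if now is None else now) // step
    return hotp(key, counter), hotp(key, counter + 1)


# Constructed sample: the RFC 4226 test key, Base32- then Base64-encoded.
SAMPLE_SEED = base64.b64encode(base64.b32encode(b"12345678901234567890")).decode()

if __name__ == "__main__":
    # Fixed timestamp so the output is reproducible.
    print(consecutive_codes(SAMPLE_SEED, now=59))
```

The seed is the long-term MFA secret: whoever holds it can produce valid codes for the root user, so it needs the same protection as the root password.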

get_account_info()

Retrieves a summary of account information.

Request Syntax:
response = client.get_account_info()
Returns: Response Syntax
{
    'aliases': [],
    'checklistSummary': {
        'checklistItems': [
            {
                'complete': bool,
                'fetchSucceeded': bool,
                'identifier': str,
            },
        ],
        'error': bool,
        'errorCount': int,
        'totalCompletedCount': int,
        'totalCount': int
    },
    'errorMap': {},
    'errors': [],
    'invalidPolicyExist': bool,
    'summaryMap': {
        'AccessKeysPerUserQuota': int,
        'AccountAccessKeysPresent': int,
        'AccountMFAEnabled': int,
        'AccountSigningCertificatesPresent': int,
        'AssumeRolePolicySizeQuota': int,
        'AttachedPoliciesPerGroupQuota': int,
        'AttachedPoliciesPerRoleQuota': int,
        'AttachedPoliciesPerUserQuota': int,
        'GroupPolicySizeQuota': int,
        'Groups': int,
        'GroupsPerUserQuota': int,
        'GroupsQuota': int,
        'InstanceProfiles': int,
        'InstanceProfilesQuota': int,
        'MFADevices': int,
        'MFADevicesInUse': int,
        'Policies': int,
        'PoliciesQuota': int,
        'PolicySizeQuota': int,
        'PolicyVersionsInUse': int,
        'PolicyVersionsInUseQuota': int,
        'Providers': int,
        'RolePolicySizeQuota': int,
        'Roles': int,
        'RolesQuota': int,
        'ServerCertificates': int,
        'ServerCertificatesQuota': int,
        'SigningCertificatesPerUserQuota': int,
        'UserPolicySizeQuota': int,
        'Users': int,
        'UsersQuota': int,
        'VersionsPerPolicyQuota': int,
    }
}
Return type: dict

list_root_access_keys(Deleted=False)

List the access key pairs associated with the account root user.

Request Syntax:
response = client.list_root_access_keys(
    Deleted=bool,
)
Parameters: Deleted (bool) – List the deleted access key pairs.
Returns: Response Syntax
[
    {
        'createDate': int,
        'deleteDate': int,
        'id': int,
        'lastUsedDetails': {
            'lastDateUsed': int,
            'region': str,
            'serviceName': str,
        },
        'status': 'Active' | 'Inactive' | 'Deleted',
    },
]
Return type: dict

list_root_mfa_devices()

Lists enabled root MFA devices.

Request Syntax:
response = client.list_root_mfa_devices()
Returns: Response Syntax
{
    'serialNumber': [
        str,
    ],
    'nextItem': str,
    'truncated': bool
}
Return type: dict

update_root_access_key(AccessKeyId, Status='Inactive')

Changes the status of the specified access key from Active to Inactive, or vice versa. This action can be used to disable an account root user’s key as part of a key rotation workflow.

Request Syntax:
response = client.update_root_access_key(
    AccessKeyId=str,
    Status='Active' | 'Inactive',
)
Parameters:
  • AccessKeyId (str) – The ID of the access key pair (access key ID and secret access key) whose status you want to change.
  • Status (str) – The status you want to assign to the secret access key. Active means the key can be used for API calls to AWS, while Inactive means the key cannot be used.
Returns:

success

Return type:

bool
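
A root-credential posture check built from the responses of get_account_info(), list_root_access_keys() and list_root_mfa_devices(), as an added example that is not part of coto. Assumptions: AccountMFAEnabled and AccountAccessKeysPresent carry the same meaning as in AWS's GetAccountSummary (1 when the root user has MFA enabled or has access keys); the function name and the sample responses are constructed for illustration.

```python
def audit_root_user(account_info, root_keys, mfa_devices):
    """Return findings about root credentials from three client responses."""
    findings = []
    summary = account_info.get("summaryMap", {})
    serials = mfa_devices.get("serialNumber", [])

    # AccountMFAEnabled is 1 when an MFA device is enabled for the root user.
    if summary.get("AccountMFAEnabled") != 1:
        findings.append("root user has no MFA device enabled")
    elif not serials:
        findings.append("summary reports root MFA but no device is listed")

    # Keys that still exist: Active ones are usable, Inactive ones can be re-enabled.
    live = [k for k in root_keys if k["status"] != "Deleted"]
    for key in live:
        if key["status"] == "Active":
            findings.append(f"root access key {key['id']} is Active")
        else:
            findings.append(f"root access key {key['id']} is Inactive but not deleted")

    # AccountAccessKeysPresent is 1 when the root user has access keys.
    if bool(summary.get("AccountAccessKeysPresent")) != bool(live):
        findings.append("summaryMap and key listing disagree about root keys")
    return findings


# Constructed sample responses in the shapes documented on this page;
# the key IDs are placeholders, not real identifiers.
SAMPLE_INFO = {"summaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}}
SAMPLE_KEYS = [
    {"id": "AKIAEXAMPLEKEY000001", "status": "Active"},
    {"id": "AKIAEXAMPLEKEY000002", "status": "Deleted"},
]
SAMPLE_MFA = {"serialNumber": [], "truncated": False}

if __name__ == "__main__":
    for finding in audit_root_user(SAMPLE_INFO, SAMPLE_KEYS, SAMPLE_MFA):
        print(finding)
```

With a live session the three arguments would be client.get_account_info(), client.list_root_access_keys() and client.list_root_mfa_devices().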