How to access IAM resources using temporary credentials

I’m trying to access IAM resources of an AWS account A from a different AWS account B by assuming a role. I have the assume-role permission policies set up in both AWS accounts (trustee account and trusted account). Let’s say the role, named dummyRole, exists in AWS A; it has create user permission and create access keys permissions, and I’m permitted to assume dummyRole from AWS B.

I’m trying to create an IAM user in AWS account A by assuming dummyRole from AWS account A. I’m stuck at the point where, once we get into AWS A using temporary credentials, I don’t know what needs to be done to have visibility of the IAM functions. Here is the code snippet I tried, but I’m seeing AttributeError: 'IAM' object has no attribute 'User'

    import boto3
    import os, sys

    role_arn = 'arn:aws:iam::A:role/dummyRole'

    client = boto3.client('sts')

    response = client.assume_role(RoleArn=role_arn, RoleSessionName='createCrossAccountUser')
    local_creds = response.get('Credentials')
    print(local_creds)

    access_key = local_creds.get('AccessKeyId', '')
    secret_key = local_creds.get('SecretAccessKey', '')
    session_token = local_creds.get('SessionToken', '')

    iam_resource = boto3.client('iam',
                                aws_access_key_id=access_key,
                                aws_secret_access_key=secret_key,
                                aws_session_token=session_token)
    print(iam_resource)

    iam_resource.User('dummyUserForSubaccount')
1 Answer(s)

Just update the line below to use boto3.resource:

    iam_resource = boto3.resource('iam',
                                  aws_access_key_id=access_key,
                                  aws_secret_access_key=secret_key,
                                  aws_session_token=session_token)

Whenever you get an error like

    AttributeError: '<AWS-Service>' object has no attribute '<attribute-name>'

always check the boto3 documentation for that service. In your case:

For Client object

For resource objects

As per the documentation, the User() method is available for the resource, not for the client. You have to follow the same logic for all AWS services.

You can also create the user like this. Just replace the last line of your code with this:

    iam_resource.create_user(UserName='dummyUserForSubaccount')
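The cross-account flow discussed above, as an added example that is not part of the original question or answer: it binds the temporary credentials to one boto3.Session, derives the IAM resource from that session, and logs only the non-secret parts of the STS response. The helper names (`session_kwargs`, `loggable`, `assumed_session`) and the `us-east-1` default region are assumptions made for this sketch; the role ARN keeps the page's `A` placeholder.

```python
REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken")


def session_kwargs(assume_role_response):
    """Map an sts.assume_role() response to boto3.Session keyword arguments."""
    creds = assume_role_response.get("Credentials") or {}
    missing = [key for key in REQUIRED if not creds.get(key)]
    if missing:
        raise ValueError(f"assume_role response lacks {missing}")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def loggable(assume_role_response):
    """View of the response that is safe to print: no secret key, no session token."""
    creds = assume_role_response["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "Expiration": str(creds.get("Expiration")),
        "Arn": assume_role_response.get("AssumedRoleUser", {}).get("Arn"),
    }


def assumed_session(role_arn, session_name, sts=None, region="us-east-1"):
    """Assume role_arn and return a boto3.Session bound to the temporary credentials."""
    import boto3  # only needed once AWS is actually called
    sts = sts or boto3.client("sts")
    response = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    print(loggable(response))  # instead of printing the raw Credentials dict
    return boto3.Session(region_name=region, **session_kwargs(response))


if __name__ == "__main__":
    session = assumed_session("arn:aws:iam::A:role/dummyRole", "createCrossAccountUser")
    iam = session.resource("iam")  # resource interface: has User() and create_user()
    # iam.User(name) only builds a local reference and sends no request;
    # create_user() (or iam.User(name).create()) is what makes the API call.
    user = iam.create_user(UserName="dummyUserForSubaccount")
    print(user.name)
    # The low-level client with the same credentials is session.client("iam");
    # it offers create_user(UserName=...) but no User attribute.
```
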
