Using --policy should imply --user-permissions-boundary=none

[simonw]

I ran into this problem here:

• datasette.simonwillison.net simonwillisonblog#273 (comment)

If you use --policy but forget to set --user-permissions-boundary=none you are likely to generate credentials that can't be used, because they only work with S3.

[simonw]

I also added --statement in:

• Make it easier to add extra policy statements #72

Used like this:

s3-credentials create simonw-ocr-demo-bucket --statement '{
  "Effect": "Allow",
  "Action": "textract:*",
  "Resource": "*"
}' -c > ocr.json

Passing that option should assume --user-permissions-boundary=none too.

[simonw]

Looks like --user-permissions-boundary isn't covered by any tests at all at the moment.

Prototype implementation of this change:

 diff --git a/s3_credentials/cli.py b/s3_credentials/cli.py
index 2aed5e9..25f9e25 100644
--- a/s3_credentials/cli.py
+++ b/s3_credentials/cli.py
@@ -328,6 +328,9 @@ def create(
     if write_only:
         permission = "write-only"
 
+    if not user_permissions_boundary and (policy or extra_statements):
+        user_permissions_boundary = "none"
+
     s3 = None
     iam = None
     sts = None