Beispiel #1
0
def get_bucket_account(bucket_name, assumed_role):
    '''Given a bucket_name determine what AWS account the bucket resides in.
    Check
    * The bucket_account_map dictionary in the config file
    * The local AWS account that this tool runs from
    * The AWS account of the assumed_role argument passed in
    Return the AWS account number or False'''
    if bucket_name in options.bucket_account_map:
        # Check if the bucket is in the bucket account map
        return options.bucket_account_map[bucket_name]
    try:
        # Check if the bucket is in our local AWS account
        conn_s3 = boto.s3.connect_to_region('us-east-1',
                                            aws_access_key_id=options.aws_access_key_id,
                                            aws_secret_access_key=options.aws_secret_access_key)
        conn_s3.get_bucket(bucket_name)
        return boto.connect_iam().get_user().arn.split(':')[4].lstrip('0')
    except:
        pass
    try:
        # Check if the bucket is in the AWS account of the passed role
        conn_s3 = boto.s3.connect_to_region('us-east-1',
                                            **assumed_role)
        conn_s3.get_bucket(bucket_name)
        return boto.connect_iam().get_user().arn.split(':')[4].lstrip('0')
    except:
        pass
    logger.error("Unable to determine what account the bucket %s resides in. "
        "Checked the AWS account containing the mozdef user, the AWS account "
        "of the target CloudTrail, and the following bucket map : %s" % 
        options.bucket_account_map)
    return False
def create_s3_creds(proc_name, username, key=None, secret=None):
    '''
    Create temporary S3 credentials with a time-limit to allow users to
    access their analysis products.

    Parameters
    ----------
    proc_name : str
        Name of the process.
    username : str
        Name of the user
    key : str
        Credentials to connect to IAM
    secret : str
        Credentials to connect to IAM
    '''

    # Connect to IAM with boto
    # Try loading credentials in when not given.
    if key is None or secret is None:
        iam = boto.connect_iam()
    else:
        iam = boto.connect_iam(key, secret)

    # Create user. The credentials need to be attached to the process, so
    # combine the username and the proc_name
    cred_user_name = "{0}_{1}".format(username, proc_name)
    user_response = iam.create_user(crepkd_user_name)

    # Create Policy to only allow access to the one S3 bucket
    # The bucket name is assumed to have the same name as the proc_name.
    policy = {}
    policy['Statement'] = \
        [{'Sid': 'AwsIamUserPython',
          'Effect': 'Allow',
          'Action': 's3:*',
          'Resource': ['arn:aws:s3:::{}'.format(proc_name),
                       'arn:aws:s3:::{}/*'.format(proc_name)]}]

    policy_json = json.dumps(policy, indent=2)

    iam.put_user_policy(cred_user_name, 'allow_access_{}'.format(proc_name),
                        policy_json)

    # Generate new access key pair for 'aws-user'
    key_response = \
        iam.create_access_key(cred_user_name)[u'create_access_key_response'][u'create_access_key_result']

    key_id = key_response[u'access_key']['access_key_id']
    key_secret = key_response[u'access_key']['secret_access_key']

    return {"username": cred_user_name, "key_id": key_id,
            "key_secret": key_secret}
Beispiel #3
0
def test_upload_server_cert():
    conn = boto.connect_iam()

    conn.upload_server_cert("certname", "certbody", "privatekey")
    cert = conn.get_server_certificate("certname")
    cert.server_certificate_name.should.equal("certname")
    cert.arn.should.equal("arn:aws:iam::123456789012:server-certificate/certname")
Beispiel #4
0
 def _delete_iam_group(name):
     try:
         iam = boto.connect_iam()
         iam.delete_group(name)
     except BotoServerError as e:
         if e.status != 404:
             raise e
Beispiel #5
0
def test_get_all_groups():
    conn = boto.connect_iam()
    conn.create_group('my-group1')
    conn.create_group('my-group2')
    groups = conn.get_all_groups()['list_groups_response'][
        'list_groups_result']['groups']
    groups.should.have.length_of(2)
Beispiel #6
0
def get_iam_user_info():
    # IAM user info
    iam = boto.connect_iam(security_token=security_token)
    verbose("Getting IAM user info:")
    user_info = []
    users = iam.get_all_users().list_users_response.list_users_result.users
    debug(users)
    for user in users:
        verbose("User: "******"iam:userpolicy", user.user_name, policy_name, policy))

        # access keys
        access_keys = iam.get_all_access_keys(user.user_name)
        access_keys = access_keys.list_access_keys_response.list_access_keys_result.access_key_metadata
        for access_key in access_keys:
            user_info.append(
                config_line("iam:accesskey", access_key.user_name, access_key.status, access_key.access_key_id))

        # group membership
        groups = iam.get_groups_for_user(user.user_name)
        groups = groups.list_groups_for_user_response.list_groups_for_user_result.groups
        for group in groups:
            user_info.append(config_line("iam:useringroup", user.user_name, "", group.group_name))

    return sorted(user_info)
Beispiel #7
0
def connect_iam():
    logger.debug('Connecting to the Amazon Identity and Access Management (Amazon IAM) service.')
    iam = boto.connect_iam(aws_access_key_id=config['AWS_ACCESS_KEY_ID'],
                           aws_secret_access_key=config['AWS_SECRET_ACCESS_KEY'])
    logger.debug('Connected to Amazon IAM.')

    return iam
Beispiel #8
0
 def create_user(self, user_name):
   self.iam_connection = boto.connect_iam()
   try:
     resp = self.iam_connection.create_user(user_name)
   except boto.exception.BotoServerError, e:
     logging.error(e)
     return False
def create_account():
    #connect to IAM
    iam = boto.connect_iam(ACCESS_KEY,SECRET_KEY)

    #create user
    iam.create_user(new_account_name)

    #add user to group
    iam.add_user_to_group("Administrators", new_account_name)

    #create access keys
    keys = iam.create_access_key(new_account_name)
    
    # try statements to attach user to policy.
    # some versions of boto do not have attach_user_policy, however put_user_policy
    try:
        iam.attach_user_policy(account_perm_policy_arn,new_account_name)
    except:
        print "[-] Unable to execute method 'attach_user_policy()'"
        print "[-] Attempting put_user_policy "
        try:
            iam.put_user_policy(new_account_name,account_perm_policy_arn)
        except:
            print "[-] Failed executing method 'put_user_policy()'"
            print "[-] Execute command: aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name %s" % new_account_name
        
    #create AWS Web Console Login
    iam.create_login_profile(new_account_name,new_account_password)

    print "User %s created with password %s" % (new_account_name, new_account_password)
    print "Access Key ID: %s" % str(keys.access_key_id)
    print "Secret Key ID %s" % str(keys.secret_access_key)
Beispiel #10
0
def main():
    args = parse_args()
    if args.verbose > 1:
        print(args)

    # Get a complete list of usernames to act on
    if args.usernames is not None:
        usernames = args.usernames
    else:
        usernames = [i.strip() for i in args.username_file.readlines()]

    # Set up the connection to IAM
    conn = boto.connect_iam()

    # Take action on the usernames after asking for confirmation
    confirmation = confirm(
            "{}\nAre you sure you want to {} these users in IAM? [yes/NO]: ".format(
                '\n'.join(usernames), args.action)
            )

    if confirmation or args.no_verify:
        if args.action == "create":
                create_accounts(usernames, conn, verbosity=args.verbose)
        elif args.action == "delete":
            delete_accounts(usernames, conn, verbosity=args.verbose)
        elif args.action == "purge":
            purge_accounts(usernames, conn, verbosity=args.verbose)
        else:
            print("Unknown action '{}'".format(args.action))
            exit(1)
def copyseconddata(record):
    region = os.environ["REGION"]
    dest_bucket_name = os.environ["S3_BUCKET_NAME"]
    source_bucket_name = os.environ["S3_SOURCE_SECOND_BUCKET_NAME"]
    dynamo_table_name = os.environ["DYN_TABLENAME"]

    print "Deleting and recreating dynamo table so only new records are inserted into redshift"
    dynamo_conn = boto.dynamodb.connect_to_region(region)
    table = dynamo_conn.get_table(dynamo_table_name)
    dynamo_conn.delete_table(table)
    dynamo_schema = dynamo_conn.create_schema(hash_key_name='key',hash_key_proto_value=str)
    time.sleep(5)
    print "Sleeping for 5 seconds to let table delete"
    table = dynamo_conn.create_table(name=dynamo_table_name,schema=dynamo_schema,read_units=500, write_units=150)

    role_name = "NucleatorBucketandqDistributorServiceRunner"
    iam_conn = boto.connect_iam()
    role = iam_conn.get_role(role_name)
    role_arn = role["get_role_response"]["get_role_result"]["role"]["arn"]
    stsconn = sts.STSConnection()
    response = stsconn.assume_role(role_arn, "redshift_copy_session")
    access_key = response.credentials.access_key
    secret_key = response.credentials.secret_key
    session_token = response.credentials.session_token

    print "Running S3 Copy Command"
    command = "export AWS_ACCESS_KEY_ID=%s; export AWS_SECRET_ACCESS_KEY=%s; export AWS_SESSION_TOKEN=%s; aws s3 cp s3://%s/ s3://%s/ --recursive --include '*' > /dev/null" % (access_key, secret_key, session_token, source_bucket_name, dest_bucket_name)
    subprocess.call(command, shell=True)

    copytoredshift(record)
Beispiel #12
0
def get_iam_roles():
    # IAM Roles
    iam = boto.connect_iam(aws_access_key_id=assume_role.credentials.access_key,
 aws_secret_access_key=assume_role.credentials.secret_key,
 security_token=assume_role.credentials.session_token)
    verbose("Getting IAM role info:")
    role_policy = []
    roles = iam.list_roles().list_roles_response.list_roles_result.roles
    for role in roles:
        verbose("Role: " + role.role_name)
        # Policy controling use of the role (always present)
        assume_role_policy = role.assume_role_policy_document
        assume_role_policy = urllib.unquote(assume_role_policy)
        role_policy.append(config_line_policy("iam:assumerolepolicy", role.role_name, role.arn, assume_role_policy))

        # Policies around what the assumed role can do
        policies = iam.list_role_policies(role.role_name)
        policies = policies.list_role_policies_response.list_role_policies_result.policy_names
        for policy_name in policies:
            policy = iam.get_role_policy(role.role_name, policy_name)
            policy = policy.get_role_policy_response.get_role_policy_result.policy_document
            policy = urllib.unquote(policy)
            role_policy.append(config_line_policy("iam:rolepolicy", role.role_name, policy_name, policy))
        debug(policies)

    return sorted(role_policy)
Beispiel #13
0
 def connection(self):
     """
     Lazily creates boto2 IAM connection
     """
     if not self._boto2_connection:
         self._boto2_connection = boto.connect_iam()
     return self._boto2_connection
Beispiel #14
0
def test_list_instance_profiles_for_role():
    conn = boto.connect_iam()

    conn.create_role(role_name="my-role", assume_role_policy_document="some policy", path="my-path")
    conn.create_role(role_name="my-role2", assume_role_policy_document="some policy2", path="my-path2")

    profile_name_list = ['my-profile', 'my-profile2']
    profile_path_list = ['my-path', 'my-path2']
    for profile_count in range(0, 2):
        conn.create_instance_profile(profile_name_list[profile_count], path=profile_path_list[profile_count])

    for profile_count in range(0, 2):
        conn.add_role_to_instance_profile(profile_name_list[profile_count], "my-role")

    profile_dump = conn.list_instance_profiles_for_role(role_name="my-role")
    profile_list = profile_dump['list_instance_profiles_for_role_response']['list_instance_profiles_for_role_result']['instance_profiles']
    for profile_count in range(0, len(profile_list)):
        profile_name_list.remove(profile_list[profile_count]["instance_profile_name"])
        profile_path_list.remove(profile_list[profile_count]["path"])
        profile_list[profile_count]["roles"]["member"]["role_name"].should.equal("my-role")

    len(profile_name_list).should.equal(0)
    len(profile_path_list).should.equal(0)

    profile_dump2 = conn.list_instance_profiles_for_role(role_name="my-role2")
    profile_list = profile_dump2['list_instance_profiles_for_role_response']['list_instance_profiles_for_role_result']['instance_profiles']
    len(profile_list).should.equal(0)
Beispiel #15
0
def delete_user(user_name, access_key_id):

    deleted = False

    iam = boto.connect_iam(
            aws_access_key_id = private_settings.AWS_ACCESS_KEY_ID,
            aws_secret_access_key = private_settings.AWS_SECRET_ACCESS_KEY)

    try:
        # Must remove access key and groups from user before deleting
        iam.delete_access_key(access_key_id = access_key_id, user_name = user_name)

        groups = iam.get_groups_for_user(user_name = user_name)
        for group in groups['list_groups_for_user_response']['list_groups_for_user_result']['groups']:
            iam.remove_user_from_group(group_name = group['group_name'], user_name = user_name)

        iam.delete_user(user_name = user_name)

        logger.info('Deleted iam user "{}"'.format(user_name))

        deleted = True

    except BotoServerError, e:
        logger.error('Unable to delete iam user "{}": {}, {}'.format(user_name,
            e.status, e.reason))
Beispiel #16
0
 def getAllInstances(self):
     try:
         #尝试Key的有效性并判断属于大陆区还是海外区,并获得相应的regions列表
         conn = ec2.connect_to_region('ap-southeast-1')
         regions = conn.get_all_regions()            
         accountid = boto.connect_iam().get_user().arn.split(':')[4]
     except EC2ResponseError as e:
         print e
         
     instances=[]
     for region in regions:
         conn=ec2.connect_to_region(region.name)
         for instance in conn.get_only_instances():
             ins={}
             ins['instance_id']=instance.id
             ins['name']=instance.tags.get('Name','')
             ins['project']=instance.tags.get('PROJECT','')
             ins['instance_type']=instance.instance_type
             ins['state']=instance.state
             ins['placement']=instance.placement
             ins['private_ip']=instance.private_ip_address
             ins['public_ip']=instance.ip_address
             ins['vpc_id']=instance.vpc_id
             ins['subnet_id']=instance.subnet_id
             ins['image_id']=instance.image_id
             ins['virtualization_type']=instance.virtualization_type
             ins['launch_time']=instance.launch_time
             instances.append(ins)
     return instances
Beispiel #17
0
 def setup_boto_connections(self, aws_access_key_id=None, aws_secret_access_key=None, clc_ip=None, walrus_ip=None):
     if aws_access_key_id is None:
         aws_access_key_id = self.aws_access_key_id
     if aws_secret_access_key is None:
         aws_secret_access_key = self.aws_secret_access_key
         
     if clc_ip is None:
         clc_ip = self.get_clc_ip()
     if walrus_ip is None:
         walrus_ip = self.get_walrus_ip()
         
     self.ec2 = boto.connect_ec2(aws_access_key_id=aws_access_key_id,
                                         aws_secret_access_key=aws_secret_access_key,
                                         is_secure=False,
                                         api_version = '2009-11-30',
                                         region=RegionInfo(name="eucalyptus", endpoint=clc_ip),
                                         port=8773,
                                         path="/services/Eucalyptus",
                                         debug=self.boto_debug)
     self.s3 = boto.connect_s3(aws_access_key_id=aws_access_key_id,
                                           aws_secret_access_key=aws_secret_access_key,
                                           is_secure=False,
                                           host=walrus_ip,
                                           port=8773,
                                           path="/services/Walrus",
                                           calling_format=OrdinaryCallingFormat(),
                                           debug=self.boto_debug)
     self.euare = boto.connect_iam(aws_access_key_id=aws_access_key_id,
                                           aws_secret_access_key=aws_secret_access_key,
                                           is_secure=False,
                                           host=clc_ip,
                                           port=8773,
                                           path="/services/Euare",
                                           debug=self.boto_debug)
Beispiel #18
0
def create_user(shortname=None):
    import boto

    conn = boto.connect_iam()
    try:
        _response = conn.create_group(shortname)
        print green('create group response: \n{}'.format(_response))
    except:
        print red('Problem creating group: {}'.format(shortname))
    print green(policy.format(shortname))
    _response = conn.put_group_policy(shortname, shortname + 'Policy', policy.format(shortname))
    print green('put group polocy response: \n{}'.format(_response))
    
    # make the user
    try:
        _response = conn.create_user(shortname)
        print green('create user response: \n{}'.format(_response))
    except:
        print red('Problem creating user: {}'.format(shortname))
    _response = conn.add_user_to_group(shortname, shortname)
    print green('add user to group response: \n{}'.format(_response))
    _response = conn.create_access_key(shortname)
    print green('added new account, access key: \n{}'.format(_response))

    sleep(5) # give the access key a chance to propogate
    create_buckets(shortname=shortname)
def create_role():
    """
    Creates IAM role using CloudFormation for AWS Lambda service
    """
    client_cf = boto.cloudformation.connect_to_region(REGION)
    response = client_cf.create_stack(
        stack_name=STACK_NAME,
        template_url=TEMPLATE_URL,
        capabilities=CAPABILITIES
    )
    print response
    time.sleep(7)
    print "Creating roles"
    time.sleep(7)
    print "Still creating"
    time.sleep(7)
    print "Giving Lambda proper permissions"
    # get name of LambdaExecRole
    client_iam = boto.connect_iam()
    roles = client_iam.list_roles()
    list_roles = roles['list_roles_response']['list_roles_result']['roles']
    for i in range(len(list_roles)):
        if STACK_NAME+"-LambdaExecRole" in list_roles[i].arn:
            IAM_ROLE = list_roles[i].role_name
    print "Trying..."
    # grants Admin access to LambdaExecRole to access Cloudwatch, DynamoDB, Kinesis
    client_iam.put_role_policy(IAM_ROLE, POLICY_NAME, POLICY)
    print "Created role"
Beispiel #20
0
 def getAllVolumes(self):
     try:
         #尝试Key的有效性并判断属于大陆区还是海外区,并获得相应的regions列表
         conn = ec2.connect_to_region('ap-southeast-1')
         regions = conn.get_all_regions()
         accountid = boto.connect_iam().get_user().arn.split(':')[4]
     except EC2ResponseError as e:
         print e
         
     volumes=[]            
     for region in regions:
         #print "connect to region", region
         conn = ec2.connect_to_region(region.name)
         for volume in conn.get_all_volumes():                
             vol={}               
             vol['volume_id'] = volume.id
             vol['type'] = volume.type
             vol['size'] = volume.size
             vol['status'] = volume.status
             vol['iops'] = volume.iops
             vol['zone'] = volume.zone
             vol['project'] = volume.tags.get('PROJECT','')
             vol_attr = volume.attach_data
             vol['instance_id'] = vol_attr.instance_id
             vol['snapshot_id'] = volume.snapshot_id
             vol['create_time'] = volume.create_time
             volumes.append(vol)               
     return volumes
def main():
    #Assumes that your AWS credentials are exported in the local environment.
    iam = boto.connect_iam()
    user_names = []
    if aws_key_report_file:
        with open(aws_key_report_file) as report_fp:
            for line in report_fp:
                user_names.append(line.split(',')[0])
        #remove first two elements, they are the csv legend, and the <root_account>
        user_names = user_names[2:]
    else:
        print 'Skipping AWS credential check, no aws key report file specified'

    access_key_ids = []
    #do AWS key lookup.
    for user_name in user_names:
        keys = iam.get_all_access_keys(user_name)
        for key in keys['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
            print_key_info(key)
            access_key_ids.append(tuple(['AWS:' + key['user_name'], key['access_key_id']]))

    #Read in extra search terms
    if extra_token_file:
        with open(extra_token_file) as report_fp:
            for line in report_fp:
                print line.rstrip()
                access_key_ids.append(line.split(','))
    else:
        print 'Skipping extra credential check, no csv file specified'

    for key in access_key_ids:
        print '\n'
        search_github(key)
Beispiel #22
0
def apply_policy(group, policy_name, bucket_name):
    logging.debug(policy_template[policy_name])
    iam = boto.connect_iam()
    formatted = formatstring_json_escape(policy_template[policy_name]).format(bucket=bucket_name)
    policy = json.dumps(json.loads(formatted), sort_keys=True, indent=4)
    response = iam.put_group_policy(group, policy_name, policy)
    return response
def createTopicArn(region_name, topic_name):
    from boto_cli.iam.accountinfo import AccountInfo

    iam = boto.connect_iam(**credentials)
    accountInfo = AccountInfo(iam)
    account = accountInfo.describe()
    return "arn:aws:sns:" + region_name + ":" + account.id + ":" + topic_name
Beispiel #24
0
def create_instance_profile(name, policy):
    # Remove it before starting
    delete_instance_profile(name)
    
    # Next, you need to create an Instance Profile in IAM.
    c = boto.connect_iam()
    instance_profile = c.create_instance_profile(name)

    # Once you have the instance profile, you need to create the role, 
    # add the role to the instance profile and associate the policy with the role.
    role = c.create_role(name)
    c.add_role_to_instance_profile(name, name)
    c.put_role_policy(name, name, policy)

    # Wait for it to be available
    for _ in xrange(10):
        
        # We want to wait in all cases, because I've seen the roles created
        # and available via the API but not to EC2 instances. So we better wait
        # for at least 1min
        logging.debug('Waiting for role %s to be available...' % name)
        time.sleep(60)
        
        try:
            c.get_role(name)
            c.get_instance_profile(name)
            break
        except:
            pass

    else:
        raise RuntimeError('Role creation for instance profile failed.')

    # Now, you can use that instance profile when you launch an instance
    return name
Beispiel #25
0
def test_delete_login_profile():
    conn = boto.connect_iam()
    conn.create_user('my-user')
    with assert_raises(BotoServerError):
        conn.delete_login_profile('my-user')
    conn.create_login_profile('my-user', 'my-pass')
    conn.delete_login_profile('my-user')
Beispiel #26
0
def assume_service(account_number, service, region='us-east-1'):
    conn = boto.connect_sts()

    role = conn.assume_role('arn:aws:iam::{0}:role/{1}'.format(
        account_number, current_app.config.get('LEMUR_INSTANCE_PROFILE', 'Lemur')), 'blah')

    if service in 'iam':
        return boto.connect_iam(
            aws_access_key_id=role.credentials.access_key,
            aws_secret_access_key=role.credentials.secret_key,
            security_token=role.credentials.session_token)

    elif service in 'elb':
        return boto.ec2.elb.connect_to_region(
            region,
            aws_access_key_id=role.credentials.access_key,
            aws_secret_access_key=role.credentials.secret_key,
            security_token=role.credentials.session_token)

    elif service in 'vpc':
        return boto.connect_vpc(
            aws_access_key_id=role.credentials.access_key,
            aws_secret_access_key=role.credentials.secret_key,
            security_token=role.credentials.session_token)

    elif service in 's3':
        return boto.s3.connect_to_region(
            region,
            aws_access_key_id=role.credentials.access_key,
            aws_secret_access_key=role.credentials.secret_key,
            security_token=role.credentials.session_token)
Beispiel #27
0
def get_account_number():
    """ Gets the current account number
    Created so I do not have to remember how to do this every time
    :return: Returns the current account number
    """
    import boto
    return boto.connect_iam().get_user().arn.split(':')[4]
Beispiel #28
0
def IamGroup(group_name=None):
    con = boto.connect_iam()
    if group_name == None:
        ''' http://localhost/iam/group '''
        gr = con.get_all_groups()
        gl = [{
            'id': g.group_id,
            'name': g.group_name,
            'arn': g.arn,
            'created': g.create_date
            } for g in gr['list_groups_response']['list_groups_result']['groups']]

        return render_template('iam/GroupIndex.html',
                gl=gl)

    elif group_name != None:
        ''' http://localhost/iam/group/<group_name> '''
        gr = con.get_group(group_name)
        group = gr['get_group_response']['get_group_result']['group']
        gd = {'id':group.group_id,
                'name':group.group_name,
                'created':group.create_date,
                'arn':group.arn}

        ul = gr['get_group_response']['get_group_result']['users']
        users = [{
            'id':u.user_id,
            'name':u.user_name,
            'arn':u.arn,
            'created':u.create_date
            } for u in ul]

        return render_template('iam/GroupView.html',
                gd=gd, users=users)
Beispiel #29
0
def create_user(user_name):

    secret_access_key = None
    access_key_id = None

    iam = boto.connect_iam(
            aws_access_key_id = private_settings.AWS_ACCESS_KEY_ID,
            aws_secret_access_key = private_settings.AWS_SECRET_ACCESS_KEY)

    try:
        response = iam.create_user(user_name = user_name)

        iam.add_user_to_group(private_settings.AWS_IAM_GROUP, user_name)

        response = iam.create_access_key(user_name = user_name)

        access_key = response.create_access_key_response.create_access_key_result.access_key

        secret_access_key = access_key.secret_access_key
        access_key_id = access_key.access_key_id

        logger.info('Created iam user "{}"'.format(user_name))

        return {'secret_access_key': secret_access_key,
            'access_key_id': access_key_id,
            'user_name': user_name}

    except BotoServerError, e:
        logger.error('Unable to create iam user "{}": {}, {}'.format(user_name,
            e.status, e.reason))
        raise Exception('iam create error') 
Beispiel #30
0
def test_managed_policy():
    conn = boto.connect_iam()

    conn.create_policy(policy_name='UserManagedPolicy',
                       policy_document={'mypolicy': 'test'},
                       path='/mypolicy/',
                       description='my user managed policy')

    aws_policies = conn.list_policies(scope='AWS')['list_policies_response']['list_policies_result']['policies']
    set(p.name for p in aws_managed_policies).should.equal(set(p['policy_name'] for p in aws_policies))

    user_policies = conn.list_policies(scope='Local')['list_policies_response']['list_policies_result']['policies']
    set(['UserManagedPolicy']).should.equal(set(p['policy_name'] for p in user_policies))

    all_policies = conn.list_policies()['list_policies_response']['list_policies_result']['policies']
    set(p['policy_name'] for p in aws_policies + user_policies).should.equal(set(p['policy_name'] for p in all_policies))

    role_name = 'my-role'
    conn.create_role(role_name, assume_role_policy_document={'policy': 'test'}, path="my-path")
    for policy_name in ['AmazonElasticMapReduceRole',
                        'AmazonElasticMapReduceforEC2Role']:
        policy_arn = 'arn:aws:iam::aws:policy/service-role/' + policy_name
        conn.attach_role_policy(policy_arn, role_name)

    rows = conn.list_policies(only_attached=True)['list_policies_response']['list_policies_result']['policies']
    rows.should.have.length_of(2)
    for x in rows:
        int(x['attachment_count']).should.be.greater_than(0)

    # boto has not implemented this end point but accessible this way
    resp = conn.get_response('ListAttachedRolePolicies',
                             {'RoleName': role_name},
                             list_marker='AttachedPolicies')
    resp['list_attached_role_policies_response']['list_attached_role_policies_result']['attached_policies'].should.have.length_of(2)
Beispiel #31
0
def test_remove_user_from_group():
    conn = boto.connect_iam()
    with assert_raises(BotoServerError):
        conn.remove_user_from_group("my-group", "my-user")
    conn.create_group("my-group")
    conn.create_user("my-user")
    with assert_raises(BotoServerError):
        conn.remove_user_from_group("my-group", "my-user")
    conn.add_user_to_group("my-group", "my-user")
    conn.remove_user_from_group("my-group", "my-user")
Beispiel #32
0
def test_put_role_policy():
    conn = boto.connect_iam()
    conn.create_role("my-role",
                     assume_role_policy_document="some policy",
                     path="my-path")
    conn.put_role_policy("my-role", "test policy", "my policy")
    policy = conn.get_role_policy(
        "my-role", "test policy"
    )['get_role_policy_response']['get_role_policy_result']['policy_name']
    policy.should.equal("test policy")
Beispiel #33
0
def get_gateway_iam_connection(gateway, credentials):
    """ connect to iam api of the given gateway """
    if gateway.iam_connection is None:
        gateway.iam_connection = boto.connect_iam(
            aws_access_key_id=credentials.access_key,
            aws_secret_access_key=credentials.secret,
            host=gateway.host,
            port=gateway.port,
            is_secure=False)
    return gateway.iam_connection
Beispiel #34
0
 def _connect(self):
     if self._conn:
         return self._conn
     (access_key_id, secret_access_key) = nixops_aws.ec2_utils.fetch_aws_secret_key(
         self.access_key_id
     )
     self._conn = boto.connect_iam(
         aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key
     )
     return self._conn
Beispiel #35
0
def delete_iam_profile():
    """Delete AWS IAM profile"""

    print 'Deleting IAM Profile: {0} ...'.format(IAM_PROFILE)

    conn = boto.connect_iam()
    conn.delete_role_policy(IAM_PROFILE, 'EC2-Describe')
    conn.remove_role_from_instance_profile(IAM_PROFILE, IAM_PROFILE)
    conn.delete_instance_profile(IAM_PROFILE)
    conn.delete_role(IAM_PROFILE)
Beispiel #36
0
def test_delete_server_cert():
    conn = boto.connect_iam()

    conn.upload_server_cert("certname", "certbody", "privatekey")
    conn.get_server_certificate("certname")
    conn.delete_server_cert("certname")
    with assert_raises(BotoServerError):
        conn.get_server_certificate("certname")
    with assert_raises(BotoServerError):
        conn.delete_server_cert("certname")
def create_role(policy_name, assume_role_policy_document, policy_str):
    iam = boto.connect_iam()
    if role_exists(iam, policy_name):
        print('Role "{0}" already exists. Assuming correct values.'.format(
            policy_name))
    else:
        print('Creating policy: ' + policy_name)
        iam.create_role(
            policy_name,
            assume_role_policy_document=assume_role_policy_document)
        iam.put_role_policy(policy_name, 'inlinepolicy', policy_str)
 def run(self, terms, variables=None, **kwargs):
     try:
         iam_conn = boto.connect_iam()
         return [iam_conn.get_user().arn.split(':')[4]]
     except:
         response = urllib.request.urlopen(
             'http://169.254.169.254/latest/meta-data/iam/info/')
         response_content = response.read()
         json_output = json.loads(response_content)
         arn = json_output.get('InstanceProfileArn')
         return [arn.split(':')[4]]
Beispiel #39
0
def test_get_credential_report():
    conn = boto.connect_iam()
    conn.create_user('my-user')
    with assert_raises(BotoServerError):
        conn.get_credential_report()
    result = conn.generate_credential_report()
    while result['generate_credential_report_response']['generate_credential_report_result']['state'] != 'COMPLETE':
        result = conn.generate_credential_report()
    result = conn.get_credential_report()
    report = base64.b64decode(result['get_credential_report_response']['get_credential_report_result']['content'].encode('ascii')).decode('ascii')
    report.should.match(r'.*my-user.*')
Beispiel #40
0
def test_get_groups_for_user():
    conn = boto.connect_iam()
    conn.create_group('my-group1')
    conn.create_group('my-group2')
    conn.create_group('other-group')
    conn.create_user('my-user')
    conn.add_user_to_group('my-group1', 'my-user')
    conn.add_user_to_group('my-group2', 'my-user')

    groups = conn.get_groups_for_user('my-user')['list_groups_for_user_response']['list_groups_for_user_result']['groups']
    groups.should.have.length_of(2)
Beispiel #41
0
def test_get_all_server_certs():
    conn = boto.connect_iam()

    conn.upload_server_cert("certname", "certbody", "privatekey")
    certs = conn.get_all_server_certs()['list_server_certificates_response'][
        'list_server_certificates_result']['server_certificate_metadata_list']
    certs.should.have.length_of(1)
    cert1 = certs[0]
    cert1.server_certificate_name.should.equal("certname")
    cert1.arn.should.equal(
        "arn:aws:iam::123456789012:server-certificate/certname")
Beispiel #42
0
def test_get_all_access_keys():
    conn = boto.connect_iam()
    conn.create_user('my-user')
    response = conn.get_all_access_keys('my-user')
    assert_equals(
        response['list_access_keys_response']['list_access_keys_result']
        ['access_key_metadata'], [])
    conn.create_access_key('my-user')
    response = conn.get_all_access_keys('my-user')
    assert_not_equals(
        response['list_access_keys_response']['list_access_keys_result']
        ['access_key_metadata'], [])
Beispiel #43
0
def test_get_all_group_policies():
    conn = boto.connect_iam()
    conn.create_group("my-group")
    policies = conn.get_all_group_policies(
        "my-group")["list_group_policies_response"][
            "list_group_policies_result"]["policy_names"]
    assert policies == []
    conn.put_group_policy("my-group", "my-policy", MOCK_POLICY)
    policies = conn.get_all_group_policies(
        "my-group")["list_group_policies_response"][
            "list_group_policies_result"]["policy_names"]
    assert policies == ["my-policy"]
Beispiel #44
0
def test_list_instance_profiles():
    conn = boto.connect_iam()
    conn.create_instance_profile("my-profile", path="my-path")
    conn.create_role("my-role", path="my-path")

    conn.add_role_to_instance_profile("my-profile", "my-role")

    profiles = conn.list_instance_profiles().instance_profiles

    len(profiles).should.equal(1)
    profiles[0].instance_profile_name.should.equal("my-profile")
    profiles[0].roles.role_name.should.equal("my-role")
Beispiel #45
0
def get_iam_summary():
    iam = boto.connect_iam(
        aws_access_key_id=assume_role.credentials.access_key,
        aws_secret_access_key=assume_role.credentials.secret_key,
        security_token=assume_role.credentials.session_token)
    verbose("Getting account summary:")
    summary = iam.get_account_summary()
    debug(summary)
    return [
        config_line("iam:accountsummary", "AccountMFAEnabled", "",
                    str(summary["AccountMFAEnabled"]))
    ]
Beispiel #46
0
def create_iam_profile():
    """Creates AWS IAM profile"""

    print 'Creating IAM Profile: {0} ...'.format(IAM_PROFILE)

    conn = boto.connect_iam()
    instance_profile = conn.create_instance_profile(IAM_PROFILE)
    role = conn.create_role(TRAINER + '-{0}'.format(VPC))
    conn.add_role_to_instance_profile(IAM_PROFILE, IAM_PROFILE)
    conn.put_role_policy(IAM_PROFILE, 'EC2-Describe', POLICY)

    print 'IAM profile, role, and policy created ...'
Beispiel #47
0
def test_get_groups_for_user():
    conn = boto.connect_iam()
    conn.create_group("my-group1")
    conn.create_group("my-group2")
    conn.create_group("other-group")
    conn.create_user("my-user")
    conn.add_user_to_group("my-group1", "my-user")
    conn.add_user_to_group("my-group2", "my-user")

    groups = conn.get_groups_for_user(
        "my-user"
    )["list_groups_for_user_response"]["list_groups_for_user_result"]["groups"]
    groups.should.have.length_of(2)
Beispiel #48
0
    def _connect(self):
        if self.in_ec2:
            self.meta = boto.utils.get_instance_metadata()
        if self.region is None:
            if self.in_ec2:
                self.region = self.meta['hostname'].split('.')[1]
            else:
                self.region = 'us-west-2'

        self.ec2 = self.ec2 or boto.ec2.connect_to_region(self.region)
        self.iam = self.iam or boto.connect_iam()
        assert self.ec2
        assert self.iam
Beispiel #49
0
def get_iam_info(key_id, secret, session_token, iam_info):
    manage_dictionary(iam_info, 'groups', {})
    manage_dictionary(iam_info, 'permissions', {})
    manage_dictionary(iam_info, 'roles', {})
    manage_dictionary(iam_info, 'users', {})
    iam_connection = boto.connect_iam(aws_access_key_id=key_id,
                                      aws_secret_access_key=secret,
                                      security_token=session_token)
    # Generate the report early so that download doesn't fail with "ReportInProgress".
    try:
        iam_connection.generate_credential_report()
    except Exception, e:
        pass
Beispiel #50
0
    def test_cloudtrail(self):
        cloudtrail = boto.connect_cloudtrail()

        # Don't delete existing customer data!
        res = cloudtrail.describe_trails()
        if len(res['trailList']):
            self.fail('A trail already exists on this account!')

        # Who am I?
        iam = boto.connect_iam()
        response = iam.get_user()
        account_id = response['get_user_response']['get_user_result'] \
                             ['user']['user_id']

        # Setup a new bucket
        s3 = boto.connect_s3()
        bucket_name = 'cloudtrail-integ-{0}'.format(time())
        policy = DEFAULT_S3_POLICY.replace('<BucketName>', bucket_name)\
                                  .replace('<CustomerAccountID>', account_id)\
                                  .replace('<Prefix>/', '')
        b = s3.create_bucket(bucket_name)
        b.set_policy(policy)

        # Setup CloudTrail
        cloudtrail.create_trail(trail={'Name': 'test', 'S3BucketName': bucket_name})

        cloudtrail.update_trail(trail={'Name': 'test', 'IncludeGlobalServiceEvents': False})

        trails = cloudtrail.describe_trails()

        self.assertEqual('test', trails['trailList'][0]['Name'])
        self.assertFalse(trails['trailList'][0]['IncludeGlobalServiceEvents'])

        cloudtrail.start_logging(name='test')

        status = cloudtrail.get_trail_status(name='test')
        self.assertTrue(status['IsLogging'])

        cloudtrail.stop_logging(name='test')

        status = cloudtrail.get_trail_status(name='test')
        self.assertFalse(status['IsLogging'])

        # Clean up
        cloudtrail.delete_trail(name='test')

        for key in b.list():
            key.delete()

        s3.delete_bucket(bucket_name)
Beispiel #51
0
 def setup_iam_connection(self, endpoint="iam.amazonaws.com", aws_access_key_id=None,aws_secret_access_key=None,
                          is_secure=True, port=443, path='/', boto_debug=0 ):
     try:
         euare_connection_args = { 'aws_access_key_id' : aws_access_key_id,
                                   'aws_secret_access_key': aws_secret_access_key,
                                   'is_secure': is_secure,
                                   'debug':boto_debug,
                                   'port' : port,
                                   'path' : path,
                                   'host' : endpoint}
         self.debug("Attempting to create IAM connection to " + endpoint + ':' + str(port) + path)
         self.euare = boto.connect_iam(**euare_connection_args)
     except Exception, e:
         self.critical("Was unable to create IAM connection because of exception: " + str(e))
def delete_user(username, policy_name=None, key_name=None, iam_connec=None):
    '''
    Deletes IAM user credentials and any associated policy or key names.

    Parameters
    ----------
    username : string
        Name of the user to delete.
    policy_name : string, optional
        Policy attached to the user. All must be deleted before the user can
        be deleted.
    key_name : string, optional
        Name of the access key assigned to the user. All must be deleted before
        the user can be deleted.
    iam_connec : boto.iam.connection.IAMConnection, optional
        Connection to IAM. If None, attempts to create one automatically using
        credentials on the local system.

    Returns
    -------
    True/False : bool
        If True, the user was deleted. If False, some exception was raised
        during the process.
    '''

    if iam_connec is None:
        iam = boto.connect_iam()
    else:
        if not isinstance(iam_connec, boto.iam.connection.IAMConnection):
            raise TypeError("Given iam_connec is not an IAMConnection.")
        iam = iam_connec

    if key_name is not None:
        try:
            iam.delete_access_key(key_name, user_name=username)
        except Exception:
            return False

    if policy_name is not None:
        try:
            iam.delete_user_policy(username, policy_name)
        except Exception:
            return False

    try:
        iam.delete_user(username)
    except Exception:
        return False

    return True
Beispiel #53
0
def test_remove_role_from_instance_profile():
    conn = boto.connect_iam()
    conn.create_instance_profile("my-profile", path="my-path")
    conn.create_role("my-role", assume_role_policy_document="some policy", path="my-path")
    conn.add_role_to_instance_profile("my-profile", "my-role")

    profile = conn.get_instance_profile("my-profile")
    role_from_profile = list(profile.roles.values())[0]
    role_from_profile['role_name'].should.equal("my-role")

    conn.remove_role_from_instance_profile("my-profile", "my-role")

    profile = conn.get_instance_profile("my-profile")
    dict(profile.roles).should.be.empty
    def test_password_policy(self):
        # A series of tests to check the password policy API
        iam = boto.connect_iam()

        # First preserve what is the current password policy
        try:
            initial_policy_result = iam.get_account_password_policy()
        except boto.exception.BotoServerError as srv_error:
            initial_policy = None
            if srv_error.status != 404:
                raise srv_error

        # Update the policy and check it back
        test_min_length = 88
        iam.update_account_password_policy(minimum_password_length=test_min_length)
        new_policy = iam.get_account_password_policy()
        new_min_length = new_policy['get_account_password_policy_response']\
                                        ['get_account_password_policy_result']['password_policy']\
                                        ['minimum_password_length']

        if test_min_length != int(new_min_length):
            raise Exception("Failed to update account password policy")

        # Delete the policy and check the correct deletion
        test_policy = ''
        iam.delete_account_password_policy()
        try:
            test_policy = iam.get_account_password_policy()
        except boto.exception.BotoServerError as srv_error:
            test_policy = None
            if srv_error.status != 404:
                raise srv_error

        if test_policy is not None:
            raise Exception("Failed to delete account password policy")

        # Restore initial account password policy
        if initial_policy:
            p = initial_policy['get_account_password_policy_response']\
                    ['get_account_password_policy_result']['password_policy']
            iam.update_account_password_policy(minimum_password_length=int(p['minimum_password_length']),
                                                allow_users_to_change_password=bool(p['allow_users_to_change_password']),
                                                hard_expiry=bool(p['hard_expiry']),
                                                max_password_age=int(p['max_password_age']),
                                                password_reuse_prevention=int(p['password_reuse_prevention']),
                                                require_lowercase_characters=bool(p['require_lowercase_characters']),
                                                require_numbers=bool(p['require_numbers']),
                                                require_symbols=bool(p['require_symbols']),
                                                require_uppercase_characters=bool(p['require_uppercase_characters']))
Beispiel #55
0
def test_managed_policy():
    conn = boto.connect_iam()

    conn.create_policy(policy_name='UserManagedPolicy',
                       policy_document={'mypolicy': 'test'},
                       path='/mypolicy/',
                       description='my user managed policy')

    aws_policies = conn.list_policies(
        scope='AWS'
    )['list_policies_response']['list_policies_result']['policies']
    set(p.name for p in aws_managed_policies).should.equal(
        set(p['policy_name'] for p in aws_policies))

    user_policies = conn.list_policies(
        scope='Local'
    )['list_policies_response']['list_policies_result']['policies']
    set(['UserManagedPolicy'
         ]).should.equal(set(p['policy_name'] for p in user_policies))

    all_policies = conn.list_policies(
    )['list_policies_response']['list_policies_result']['policies']
    set(p['policy_name'] for p in aws_policies + user_policies).should.equal(
        set(p['policy_name'] for p in all_policies))

    role_name = 'my-role'
    conn.create_role(role_name,
                     assume_role_policy_document={'policy': 'test'},
                     path="my-path")
    for policy_name in [
            'AmazonElasticMapReduceRole', 'AmazonElasticMapReduceforEC2Role'
    ]:
        policy_arn = 'arn:aws:iam::aws:policy/service-role/' + policy_name
        conn.attach_role_policy(policy_arn, role_name)

    rows = conn.list_policies(
        only_attached=True
    )['list_policies_response']['list_policies_result']['policies']
    rows.should.have.length_of(2)
    for x in rows:
        int(x['attachment_count']).should.be.greater_than(0)

    # boto has not implemented this end point but accessible this way
    resp = conn.get_response('ListAttachedRolePolicies',
                             {'RoleName': role_name},
                             list_marker='AttachedPolicies')
    resp['list_attached_role_policies_response'][
        'list_attached_role_policies_result'][
            'attached_policies'].should.have.length_of(2)
Beispiel #56
0
    def getAllVolumes(self, aws_access_key_id, aws_secret_access_key):
        try:
            #尝试Key的有效性并判断属于大陆区还是海外区,并获得相应的regions列表
            conn = ec2.connect_to_region(
                'ap-southeast-1',
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=aws_secret_access_key)
            regions = conn.get_all_regions()
            accountid = boto.connect_iam(
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=aws_secret_access_key).get_user(
                ).arn.split(':')[4]
        except EC2ResponseError as e:
            print e

        volumes = []
        for region in regions:
            print "connect to region", region
            conn = ec2.connect_to_region(
                region.name,
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=aws_secret_access_key)
            for volume in conn.get_all_volumes():
                vol = {}
                vol['_id'] = volume.id
                vol['status'] = volume.status
                vol['attachment_state'] = volume.attachment_state()
                vol['create_time'] = volume.create_time
                vol['encrypted'] = volume.encrypted
                vol['region'] = volume.region.name
                vol['zone'] = volume.zone
                vol['size'] = volume.size
                vol['type'] = volume.type
                vol['iops'] = volume.iops
                vol['tags'] = volume.tags
                vol['snapshot_id'] = volume.snapshot_id
                vol['accountid'] = accountid

                attachment = {}
                vol_attr = volume.attach_data
                attachment['_id'] = vol_attr.id
                attachment['instance_id'] = vol_attr.instance_id
                attachment['attach_time'] = vol_attr.attach_time
                #attachment['deleteOnTermination'] = vol_attr.deleteOnTermination
                attachment['device'] = vol_attr.device

                vol['attach_data'] = attachment
                volumes.append(vol)
        return volumes
Beispiel #57
0
def test_get_all_access_keys():
    """If no access keys exist there should be none in the response,
    if an access key is present it should have the correct fields present"""
    conn = boto.connect_iam()
    conn.create_user('my-user')
    response = conn.get_all_access_keys('my-user')
    assert_equals(
        response['list_access_keys_response']['list_access_keys_result']
        ['access_key_metadata'], [])
    conn.create_access_key('my-user')
    response = conn.get_all_access_keys('my-user')
    assert_equals(
        sorted(response['list_access_keys_response']['list_access_keys_result']
               ['access_key_metadata'][0].keys()),
        sorted(['status', 'create_date', 'user_name', 'access_key_id']))
Beispiel #58
0
def get_iam_info(key_id, secret, session_token):
    iam_info = {}
    manage_dictionary(iam_info, 'groups', {})
    manage_dictionary(iam_info, 'permissions', {})
    manage_dictionary(iam_info, 'roles', {})
    manage_dictionary(iam_info, 'users', {})
    iam_connection = boto.connect_iam(aws_access_key_id=key_id,
                                      aws_secret_access_key=secret,
                                      security_token=session_token)
    print 'Fetching IAM users data...'
    get_users_info(iam_connection, iam_info)
    print 'Fetching IAM groups data...'
    get_groups_info(iam_connection, iam_info)
    print 'Fetching IAM roles data...'
    get_roles_info(iam_connection, iam_info)
    return iam_info
Beispiel #59
0
    def test_group_users(self):
        # A very basic test to create a group, a user, add the user
        # to the group and then delete everything
        iam = boto.connect_iam()

        name = 'boto-test-%d' % time.time()
        username = '******' % time.time()

        iam.create_group(name)
        iam.create_user(username)

        iam.add_user_to_group(name, username)

        iam.remove_user_from_group(name, username)
        iam.delete_user(username)
        iam.delete_group(name)
def copytoredshift(record):
    dynamo_table_name = os.environ["DYN_TABLENAME"]
    redshift_username = os.environ["RSDB_USERNAME"]
    redshift_password = os.environ["RSDB_PASSWORD"]
    redshift_database = os.environ["RSDB_DATABASE"]
    redshift_port = os.environ["RSDB_PORT"]
    customer = os.environ["CUSTOMER"]
    cage = os.environ["CAGE"]

    role_name = "NucleatorBucketandqDistributorServiceRunner"

    iam_conn = boto.connect_iam()
    role = iam_conn.get_role(role_name)
    role_arn = role["get_role_response"]["get_role_result"]["role"]["arn"]

    stsconn = sts.STSConnection()
    response = stsconn.assume_role(role_arn, "redshift_copy_session")
    access_key = response.credentials.access_key
    secret_key = response.credentials.secret_key
    session_token = response.credentials.session_token

    if customer is "47Lining":
        endpoint = "redshift.%s.%s.com" % (cage, customer)
    else:
        endpoint = "redshift.%s.%s.47lining.com" % (cage, customer)

    print "Connecting to redshift cluster: %s" % endpoint
    conn = psycopg2.connect(dbname=redshift_database,
                            host=endpoint,
                            port=redshift_port,
                            user=redshift_username,
                            password=redshift_password)
    cur = conn.cursor()

    print "Connected. Creating table"
    cur.execute(
        "CREATE TABLE IF NOT EXISTS imageproccessingtable(key varchar(50) NOT NULL, url varchar(200) NOT NULL, dateoriginal timestamp NOT NULL, gpslatitude float8 NOT NULL, gpslongitude float8 NOT NULL, image varchar(100));"
    )
    conn.commit()

    print "Table recreated. Running copy command..."
    cur.execute(
        "copy imageproccessingtable from 'dynamodb://%s' credentials 'aws_access_key_id=%s;aws_secret_access_key=%s;token=%s' readratio 100;"
        % (dynamo_table_name, access_key, secret_key, session_token))
    conn.commit()

    print "Copy command completed"