 def _validate_type_and_size_allowed(instance_type, volume_size):
     """Halt unless the IAM user may run `instance_type` with a `volume_size` GiB volume.

     Both checks simulate ec2:RunInstances through validate_perms.blocked,
     passing the instance type and the volume size as policy condition
     context keys (ec2:InstanceType, ec2:VolumeSize) against the instance and
     volume resource ARNs respectively. The first denied check halts via
     halt.err, so the volume check only runs when the type check passed.

     Args:
         instance_type: EC2 instance type supplied as ec2:InstanceType context.
         volume_size: root volume size in GiB supplied as ec2:VolumeSize context.
     """
     run_instances = ["ec2:RunInstances"]

     type_denied = validate_perms.blocked(
         actions=run_instances,
         resources=["arn:aws:ec2:*:*:instance/*"],
         context={'ec2:InstanceType': [instance_type]})
     if type_denied:
         halt.err(f"Instance type {instance_type} not permitted.")

     size_denied = validate_perms.blocked(
         actions=run_instances,
         resources=["arn:aws:ec2:*:*:volume/*"],
         context={'ec2:VolumeSize': [volume_size]})
     if size_denied:
         halt.err(f"Volume size {volume_size}GiB is too large.")
 def blocked_actions(self, _):
     """Return the denied actions among the IAM access-key actions this command needs.

     The second argument is accepted for interface compatibility with the
     other ``blocked_actions`` implementations and is not read.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = [
         "iam:ListUsers",
         "iam:ListAccessKeys",
         "iam:CreateAccessKey",
         "iam:DeleteAccessKey",
     ]
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, _):
     """Return the denied actions among the IAM user-removal actions this command needs.

     The list covers enumerating the user's keys, groups and attached
     policies as well as deleting them; the second argument is unused and
     exists only for interface compatibility.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = [
         "iam:ListUsers",
         "iam:ListAccessKeys",
         "iam:DeleteAccessKey",
         "iam:ListGroupsForUser",
         "iam:RemoveUserFromGroup",
         "iam:ListAttachedUserPolicies",
         "iam:DetachUserPolicy",
         "iam:DeleteUser",
     ]
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, cmd_args):
     """Return the denied actions among the EC2 address-release actions this command needs.

     Args:
         cmd_args: parsed command arguments; only ``force`` is read. When it
             is exactly ``True``, ec2:DisassociateAddress is checked as well.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     force_requested = cmd_args.force is True
     extra_actions = ["ec2:DisassociateAddress"] if force_requested else []
     needed_actions = [
         "ec2:DescribeInstances",
         "ec2:DescribeAddresses",
         "ec2:ReleaseAddress",
     ] + extra_actions
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, _):
     """Return the denied actions among the IAM group-membership actions this command needs.

     The second argument is unused and exists only for interface
     compatibility with the other ``blocked_actions`` implementations.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = [
         "iam:ListUsers",
         "iam:ListGroups",
         "iam:ListGroupsForUser",
         "iam:RemoveUserFromGroup",
         "iam:AddUserToGroup",
     ]
     return validate_perms.blocked(actions=needed_actions)
def _validate_user(config_dict):
    """validate config's IAM user access key and minimal permissions

    Stores the access key in consts.KEY_ID / consts.KEY_SECRET, confirms it
    authenticates by calling iam:GetUser, records the user's ARN and name in
    consts.IAM_ARN / consts.IAM_NAME, then checks that the user may use
    iam:SimulatePrincipalPolicy, iam:GetAccessKeyLastUsed and
    ec2:DescribeRegions. Every failure is reported through halt.

    iam:GetUser, iam:SimulatePrincipalPolicy, iam:GetAccessKeyLastUsed, and
    ec2:DescribeRegions permissions required for successful validation.

    Args:
        config_dict (dict): Must contain 'access_key', a one-entry dict
            mapping the IAM access key ID (str) to its secret access key (str).
    """
    access_key = config_dict['access_key']
    key_id = next(iter(access_key))
    consts.KEY_ID = key_id
    # The long-lived secret lives in module state from here on; nothing below
    # should echo it into error or log output.
    consts.KEY_SECRET = access_key[key_id]

    # Error codes that identify a bad key, with the message shown for each.
    # Any other ClientError is surfaced verbatim.
    bad_key_messages = {
        "InvalidClientTokenId": "Access key ID is invalid.",
        "SignatureDoesNotMatch": "Access key ID is valid, but its secret is invalid.",
    }

    # The key itself must authenticate before validate_perms can be used.
    try:
        iam_user = aws.iam_client().get_user()['User']
    except ClientError as err:
        # TODO: Use client exceptions instead once they're documented
        code = err.response['Error']['Code']
        if code in bad_key_messages:
            halt.err(bad_key_messages[code])
        elif code == "AccessDenied":
            halt.assert_empty(["iam:GetUser"])
        halt.err(str(err))

    # This ARN is needed for the iam:SimulatePrincipalPolicy action.
    consts.IAM_ARN = iam_user['Arn']
    consts.IAM_NAME = iam_user['UserName']

    # Probe iam:SimulatePrincipalPolicy using an action that just succeeded.
    try:
        validate_perms.blocked(actions=["iam:GetUser"])
    except ClientError as err:
        if err.response['Error']['Code'] == "AccessDenied":
            halt.assert_empty(["iam:SimulatePrincipalPolicy"])
        halt.err(str(err))

    # Remaining baseline permissions the script relies on.
    basic_actions = ["iam:GetAccessKeyLastUsed", "ec2:DescribeRegions"]
    halt.assert_empty(validate_perms.blocked(actions=basic_actions))
    def blocked_actions(self, cmd_args):
        """Return the denied actions among the EC2 actions this command needs.

        Args:
            cmd_args: parsed command arguments; reads ``elastic_ip``,
                ``use_ip`` and ``force``. ``elastic_ip is True`` adds the
                allocate/associate actions; otherwise a non-None ``use_ip``
                adds describe/associate, plus disassociate when ``force`` is
                exactly ``True``.

        Returns:
            list: denied actions for the general action list, followed by
            the result of a separate ec2:RunInstances check with a t2.nano
            instance type in the policy context.
        """
        needed_actions = [
            "ec2:DescribeInstances", "ec2:DescribeAccountAttributes",
            "ec2:DescribeVpcs", "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs",
            "ec2:DescribeImages", "ec2:CreateTags",
        ]

        # Address-handling actions depend on how the caller wants the IP set up.
        address_actions = []
        if cmd_args.elastic_ip is True:
            address_actions = [
                "ec2:DescribeAddresses", "ec2:AllocateAddress",
                "ec2:AssociateAddress",
            ]
        elif cmd_args.use_ip is not None:
            address_actions = ["ec2:DescribeAddresses", "ec2:AssociateAddress"]
            if cmd_args.force is True:
                address_actions.append("ec2:DisassociateAddress")
        needed_actions += address_actions

        denied_actions = validate_perms.blocked(actions=needed_actions)
        # The instance-type check needs resource and context arguments, so it
        # is a second, separate simulation appended to the first result.
        run_denied = validate_perms.blocked(
            actions=["ec2:RunInstances"],
            resources=["arn:aws:ec2:*:*:instance/*"],
            context={'ec2:InstanceType': ["t2.nano"]})
        denied_actions += run_denied
        return denied_actions
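    def blocked_actions(cls, sub_command: str) -> List[str]:
        """check whether IAM user is allowed to perform actions on component

        Builds the action list from the class attributes ``describe_actions``,
        ``upload_actions`` and ``delete_actions`` and returns what
        ``validate_perms.blocked`` reports for it.

        Should be overridden by child classes in the following fashion:
            @classmethod
            def blocked_actions(cls, sub_command):
                cls.describe_actions = []
                cls.upload_actions = []
                cls.delete_actions = []
                return super().blocked_actions(sub_command)

        Args:
            sub_command (str): "upload" or "delete" adds the matching action
                list; any other value checks ``describe_actions`` only.

        Returns:
            List[str]: the denied actions reported by validate_perms.blocked.
        """
        # Copy instead of aliasing: extending cls.describe_actions in place
        # would permanently grow the class attribute on each call, so a later
        # describe-only check would silently demand upload/delete actions too.
        needed_actions = list(cls.describe_actions)
        if sub_command == "upload":
            needed_actions.extend(cls.upload_actions)
        elif sub_command == "delete":
            needed_actions.extend(cls.delete_actions)
        return validate_perms.blocked(actions=needed_actions)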
 def blocked_actions(self, _):
     """Return the denied actions among the EC2 address-disassociation actions this command needs.

     The second argument is unused and exists only for interface
     compatibility with the other ``blocked_actions`` implementations.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = [
         "ec2:DescribeInstances",
         "ec2:DescribeAddresses",
         "ec2:DisassociateAddress",
     ]
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, _):
     """Return the denied actions among the EC2 address-allocation actions this command needs.

     The second argument is unused and exists only for interface
     compatibility with the other ``blocked_actions`` implementations.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = [
         "ec2:DescribeInstances",
         "ec2:DescribeAddresses",
         "ec2:AllocateAddress",
         "ec2:CreateTags",
     ]
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, _):
     """Return the denied actions among the actions this command needs (iam:GetAccessKeyLastUsed only).

     The second argument is unused and exists only for interface
     compatibility with the other ``blocked_actions`` implementations.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = ["iam:GetAccessKeyLastUsed"]
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, _):
     """Return the denied actions among the IAM group-listing actions this command needs.

     The second argument is unused and exists only for interface
     compatibility with the other ``blocked_actions`` implementations.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = ["iam:ListGroups", "iam:GetGroup"]
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, _):
     """Return the denied actions among the IAM user-creation actions this command needs.

     The list covers creating the user, placing it in a group and issuing an
     access key; the second argument is unused and exists only for interface
     compatibility with the other ``blocked_actions`` implementations.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = [
         "iam:ListGroups",
         "iam:CreateUser",
         "iam:AddUserToGroup",
         "iam:CreateAccessKey",
     ]
     return validate_perms.blocked(actions=needed_actions)
 def blocked_actions(self, _):
     """Return the denied actions among the actions this command needs (ec2:DescribeInstances only).

     The second argument is unused and exists only for interface
     compatibility with the other ``blocked_actions`` implementations.

     Returns:
         Whatever ``validate_perms.blocked`` reports for the action list.
     """
     needed_actions = ["ec2:DescribeInstances"]
     return validate_perms.blocked(actions=needed_actions)