def add_account_assume_policy(self, account_id, external_id=None):
     policy_document = PolicyDocument()
     account_statement = Statement("Allow", ["sts:AssumeRole"])
     account_statement.set_account_principal(account_id,
                                             external_id=external_id)
     policy_document.add_statement(account_statement)
     self.AssumeRolePolicyDocument = \
         transform_policy_document(policy_document)
 def add_service_assume_policy(self, service_principal):
     policy_document = PolicyDocument()
     service_statement = Statement("Allow", ["sts:AssumeRole"])
     service_statement.set_service_principal([service_principal])
     policy_document.add_statement(service_statement)
     # An example of using a transform to make the Rack IAM
     # objects usable by Troposphere
     self.AssumeRolePolicyDocument =\
         transform_policy_document(policy_document)
Beispiel #3
0
    def setUp(self):
        test_role = Role("BlankRole")

        asdoc = PolicyDocument()
        astatement = Statement("Allow", ["sts:AssumeRole"])
        astatement.set_service_principal(["ec2.amazonaws.com"])
        asdoc.add_statement(astatement)
        test_role.set_assume_policy(asdoc)

        self.test_role = test_role
    def setUp(self):
        test_policy = Policy('TestPolicy')

        allpolicydoc = PolicyDocument(policy_id='Policy123456')
        allstatement = Statement("Allow", ["*"], "*")
        allpolicydoc.add_statement(allstatement)

        test_policy.set_policy_document(allpolicydoc)

        self.test_policy = test_policy
    def add_multi_statement_policy(self, policy_name, statements):
        # Troposphere object
        policy = Policy(title=policy_name)
        policy.PolicyName = policy_name

        policy_document = PolicyDocument()
        for statement in statements:
            policy_document.add_statement(statement)

        policy.PolicyDocument = transform_policy_document(policy_document)
        self.Policies.append(policy)
    def add_policy(self, policy_name, effect, action="*", resource="*"):
        # Troposphere object
        policy = Policy(title=policy_name)
        policy.PolicyName = policy_name

        policy_document = PolicyDocument()
        statement = Statement(effect, action, resource=resource)
        policy_document.add_statement(statement)

        policy.PolicyDocument = transform_policy_document(policy_document)
        self.Policies.append(policy)
Beispiel #7
0
    def setUp(self):
        test_policy = Policy('TestPolicy',
                             groups=['group1', 'group2'],
                             users=['user1', 'user2'],
                             roles=['role1', 'role2'])
        allpolicydoc = PolicyDocument(policy_id='Policy123456')
        allstatement = Statement("Allow", ["*"], "*")
        allpolicydoc.add_statement(allstatement)
        test_policy.set_policy_document(allpolicydoc)

        self.test_dict = transform_policy(test_policy)
Beispiel #8
0
    def setUp(self):
        test_group = Group('TestGroup', users=['user1', 'user2'])

        allpolicy = InlinePolicy('TestPolicy')
        allpolicydoc = PolicyDocument()
        allstatement = Statement("Allow", ["*"], "*")
        allpolicydoc.add_statement(allstatement)
        allpolicy.set_policy_document(allpolicydoc)

        test_group.add_policy(allpolicy)
        test_group.set_managed_policy_arns(['arn1', 'arn2'])
        self.test_dict = transform_group(test_group)
        self.test_mapping = transform_group_users(test_group)
    def setUp(self):
        test_user = User('TestUser', groups=['group1', 'group2'])

        allpolicy = InlinePolicy('TestPolicy')
        allpolicydoc = PolicyDocument()
        allstatement = Statement("Allow", ["*"], "*")
        allpolicydoc.add_statement(allstatement)
        allpolicy.set_policy_document(allpolicydoc)

        test_user.add_policy(allpolicy)
        test_user.set_login_profile('mypass')
        test_user.set_managed_policy_arns(['arn1', 'arn2'])
        self.test_dict = transform_user(test_user)
Beispiel #10
0
    def setUp(self):
        test_group = Group('TestGroup', ['user1', 'user2'])

        allpolicydoc = PolicyDocument()
        allstatement = Statement("Allow", ["*"], "*")
        allpolicydoc.add_statement(allstatement)
        allinlinepolicy = InlinePolicy('TestPolicy')
        allinlinepolicy.set_policy_document(allpolicydoc)

        test_group.add_policy(allinlinepolicy)
        test_group.set_managed_policy_arns(['arn1', 'arn2'])
        test_group.add_users(['user3'])

        self.test_group = test_group
Beispiel #11
0
 def test_multiple_statements(self):
     test_policy_doc = PolicyDocument().add_statements([
         Statement('Allow', 's3:*', '*'),
         Statement('Allow', 'ec2:*', '*'),
         Statement('Allow', 'es:*', '*')
     ])
     self.assertEquals(len(test_policy_doc.statements), 3)
     for statement in test_policy_doc.statements:
         self.assertIsInstance(statement, Statement)
Beispiel #12
0
 def test_chaining(self):
     test_user = User('TestUser').set_login_profile('mypass'). \
         set_managed_policy_arns(['arn1', 'arn2'])
     test_group = Group('TestGroup').add_policy(
         InlinePolicy('MyPolicy').set_policy_document(
             PolicyDocument().add_statement(
                 Statement('Allow', 's3:*', '*')
             )
         )
     )
     test_role = Role('TestRole').add_policy(
         InlinePolicy('MyPolicy').set_policy_document(
             PolicyDocument().add_statement(
                 Statement('Allow', 's3:*', '*')
             )
         )
     )
     self.assertIsInstance(test_user, User)
     self.assertIsInstance(test_group, Group)
     self.assertIsInstance(test_role, Role)
Beispiel #13
0
    def setUp(self):
        test_role = Role("RootRole")

        adoc = PolicyDocument()
        astatement = Statement("Allow", ["sts:AssumeRole"])
        astatement.set_service_principal(["ec2.amazonaws.com"])
        adoc.add_statement(astatement)

        allpolicy = InlinePolicy("root")
        allpolicydoc = PolicyDocument()
        allstatement = Statement("Allow", ["*"], "*")
        allpolicydoc.add_statement(allstatement)
        allpolicy.set_policy_document(allpolicydoc)

        test_role.set_assume_policy(adoc)
        test_role.add_policy(allpolicy)

        self.test_role = test_role
Beispiel #14
0
# This is a use case for blank policy roles, allowing the user to easily
# add permissions later (for example Redshift accessing an S3 bucket to
# import data).
from rack_iam import Role
from rack_iam import PolicyDocument
from rack_iam import Statement

redshift_role = Role("RedshiftRole")

asdoc = PolicyDocument()
astatement = Statement("Allow", ["sts:AssumeRole"])
astatement.set_service_principal(["redshift.amazonaws.com"])
asdoc.add_statement(astatement)
redshift_role.set_assume_policy(asdoc)
Beispiel #15
0
from rack_iam import Role
from rack_iam import PolicyDocument, InlinePolicy
from rack_iam import Statement

# While objects should be created properly the first time,
# there may be instances such as user input data where that
# may not be possible. In such cases a few of the functional style
# parts of Python can be used to manipulate things:
myRole = Role('TestRole').set_assume_policy(PolicyDocument().add_statement(
    Statement('Allow', 'sts:AssumeRole').set_service_principal(
        ['lambda.amazonaws.com']))).add_policy(
            InlinePolicy('MyPolicy').set_policy_document(
                PolicyDocument().add_statements([
                    Statement('Allow', 's3:*', '*'),
                    Statement('Allow', 'es:*', '*'),
                    Statement('Deny', 'ec2:*', '*', sid='DenyEc2')
                ])))

myRole.policies[0].policy_document.statements =\
    filter((lambda x: x.sid != 'DenyEc2'),
           myRole.policies[0].policy_document.statements)

print(len(myRole.policies[0].policy_document.statements))
print(myRole.policies[0].policy_document.statements[0].action)
print(myRole.policies[0].policy_document.statements[1].action)

# python mutation.py
# 2
# s3:*
# es:*
Beispiel #16
0
from rack_iam import Role
from rack_iam import PolicyDocument, InlinePolicy
from rack_iam import Statement

# In some cases standard object construction can lead to a lot of temporary
# variables. For example:
myRole = Role('TestRole')

assumed_policy_doc = PolicyDocument()
lambda_assume = Statement('Allow', 'sts:AssumeRole')
lambda_assume.set_service_principal(['lambda.amazonaws.com'])
assumed_policy_doc.add_statement(lambda_assume)
myRole.set_assume_policy(assumed_policy_doc)

all_s3_policy = InlinePolicy('AllS3')
all_s3_doc = PolicyDocument()
all_s3_permissions = Statement('Allow', 's3:*', '*')
all_s3_doc.add_statement(all_s3_permissions)
all_s3_policy.set_policy_document(all_s3_doc)

myRole.add_policy(all_s3_policy)

# This can get pretty cumbersome and hard to read. To avoid the use of temporary
# variables for one time type assignment you can use method chaining like so:
myOtherRole = Role('TestRole').set_assume_policy(
    PolicyDocument().add_statement(
        Statement('Allow', 'sts:AssumeRole').set_service_principal(
            ['lambda.amazonaws.com']
        )
    )
).add_policy(