Beispiel #1
def get_group_policy(group_name,
                     policy_name,
                     region=None,
                     key=None,
                     keyid=None,
                     profile=None):
    '''
    Retrieves the specified policy document for the specified group.

    The document returned by the API is passed through ``_unquote`` and then
    parsed as JSON into an ``OrderedDict``, so the key order of the stored
    policy is kept. ``False`` is returned when the lookup yields an empty
    response or when the request raises ``BotoServerError``.

    .. versionadded:: Beryllium

    CLI example::

        salt myminion boto_iam.get_group_policy mygroup policyname
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    try:
        response = conn.get_group_policy(group_name, policy_name)
        log.debug('info for group policy is : {0}'.format(response))
        if response:
            result = response.get_group_policy_response.get_group_policy_result
            document = _unquote(result.policy_document)
            return json.loads(document, object_pairs_hook=odict.OrderedDict)
        return False
    except boto.exception.BotoServerError as exc:
        # Every server-side failure collapses to False here, so a caller
        # cannot tell a missing policy from a denied or failed request; the
        # detail is only available in the debug log.
        log.debug(exc)
        log.error('Failed to get group {0} info.'.format(group_name))
        return False
Beispiel #2
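def get_role_policy(role_name,
                    policy_name,
                    region=None,
                    key=None,
                    keyid=None,
                    profile=None):
    '''
    Get a role policy.

    Returns the policy document parsed into an ``OrderedDict``. An empty
    dict is returned when the request raises ``BotoServerError``; the error
    is logged so that a failed or denied lookup can be told apart from a
    role that simply has no such policy.

    CLI example::

        salt myminion boto_iam.get_role_policy myirole mypolicy
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)

    try:
        response = conn.get_role_policy(role_name, policy_name)
        # boto hands back a nested response structure rather than a policy
        # object, so the document is pulled out by attribute access.
        document = response.get_role_policy_response.policy_document
        # Policy is url encoded
        document = _unquote(document)
        return json.loads(document, object_pairs_hook=odict.OrderedDict)
    except boto.exception.BotoServerError as e:
        # The return value stays {} for existing callers, but the failure is
        # no longer silent: without a log line an access-denied or throttled
        # request is indistinguishable from "policy not present".
        log.debug(e)
        msg = 'Failed to get policy {0} for role {1}.'
        log.error(msg.format(policy_name, role_name))
        return {}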
Beispiel #3
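def describe_role(name, region=None, key=None, keyid=None, profile=None):
    '''
    Get information for a role.

    Returns the role structure from the API with its
    ``assume_role_policy_document`` replaced by the decoded, JSON-parsed
    trust policy. Statements whose ``Sid`` is present but empty have the
    ``Sid`` removed. ``False`` is returned when the lookup yields nothing or
    the request raises ``BotoServerError``.

    CLI Example:

    .. code-block:: bash

        salt myminion boto_iam.describe_role myirole
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    try:
        info = conn.get_role(name)
        if not info:
            return False
        role = info.get_role_response.get_role_result.role
        trust_policy = json.loads(_unquote(role.assume_role_policy_document))
        role['assume_role_policy_document'] = trust_policy
        # If Sid wasn't defined by the user, boto will still return a Sid in
        # each policy. To properly check idempotently, let's remove the Sid
        # from the return if it's not actually set.
        statements = trust_policy.get('Statement') or []
        # The policy grammar allows "Statement" to be a single object as well
        # as a list. Iterating a bare dict would walk its keys and fail on
        # val['Sid'], so wrap it for the loop; the returned document keeps
        # its original shape.
        if isinstance(statements, dict):
            statements = [statements]
        for statement in statements:
            if not isinstance(statement, dict):
                continue
            if 'Sid' in statement and not statement['Sid']:
                del statement['Sid']
        return role
    except boto.exception.BotoServerError as e:
        log.debug(e)
        msg = 'Failed to get {0} information.'
        log.error(msg.format(name))
        return False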
Beispiel #4
def get_group_policy(group_name, policy_name, region=None, key=None,
                     keyid=None, profile=None):
    '''
    Retrieves the specified policy document for the specified group.

    On success the document is run through ``_unquote`` and parsed as JSON
    into an ``OrderedDict``. ``False`` is returned for an empty response and
    for any ``BotoServerError``.

    .. versionadded:: 2015.8.0

    CLI Example:

    .. code-block:: bash

        salt myminion boto_iam.get_group_policy mygroup policyname
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    try:
        reply = conn.get_group_policy(group_name, policy_name)
        log.debug('info for group policy is : {0}'.format(reply))
        if not reply:
            return False
        encoded = reply.get_group_policy_response.get_group_policy_result.policy_document
        return json.loads(_unquote(encoded),
                          object_pairs_hook=odict.OrderedDict)
    except boto.exception.BotoServerError as err:
        # All server errors are reported the same way; the specific cause is
        # only written to the debug log.
        log.debug(err)
        log.error('Failed to get group {0} info.'.format(group_name))
        return False
Beispiel #5
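def describe_role(name, region=None, key=None, keyid=None, profile=None):
    '''
    Get information for a role.

    The role's ``assume_role_policy_document`` is decoded with ``_unquote``
    and parsed from JSON before the role is returned. An empty ``Sid`` on a
    statement is dropped so that comparisons against a user-supplied policy
    are not thrown off by it. Returns ``False`` on an empty response or on
    ``BotoServerError``.

    CLI Example:

    .. code-block:: bash

        salt myminion boto_iam.describe_role myirole
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    try:
        info = conn.get_role(name)
        if not info:
            return False
        role = info.get_role_response.get_role_result.role
        document = json.loads(_unquote(role.assume_role_policy_document))
        role['assume_role_policy_document'] = document
        # If Sid wasn't defined by the user, boto will still return a Sid in
        # each policy. To properly check idempotently, let's remove the Sid
        # from the return if it's not actually set.
        raw_statements = document.get('Statement') or []
        # "Statement" may be one object instead of a list of objects. Treat
        # the single-object form as a one-element list for the cleanup so the
        # loop never iterates over a dict's keys.
        if isinstance(raw_statements, dict):
            raw_statements = [raw_statements]
        for entry in raw_statements:
            if isinstance(entry, dict) and 'Sid' in entry and not entry['Sid']:
                del entry['Sid']
        return role
    except boto.exception.BotoServerError as e:
        log.debug(e)
        msg = 'Failed to get {0} information.'
        log.error(msg.format(name))
        return False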
Beispiel #6
def get_user_policy(user_name, policy_name, region=None, key=None, keyid=None, profile=None):
    '''
    Retrieves the specified policy document for the specified user.

    The document is passed through ``_unquote`` and parsed as JSON into an
    ``OrderedDict``. ``False`` is returned when the response is empty or the
    request raises ``BotoServerError``.

    .. versionadded:: 2015.8.0

    CLI Example:

    .. code-block:: bash

        salt myminion boto_iam.get_user_policy myuser mypolicyname
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    try:
        response = conn.get_user_policy(user_name, policy_name)
        log.debug('Info for user policy is : {0}.'.format(response))
        if response:
            result = response.get_user_policy_response.get_user_policy_result
            decoded = _unquote(result.policy_document)
            return json.loads(decoded, object_pairs_hook=odict.OrderedDict)
        return False
    except boto.exception.BotoServerError as exc:
        # A missing policy and a rejected request both end up here and both
        # yield False; only the debug log carries the server's reason.
        log.debug(exc)
        log.error('Failed to get user {0} policy.'.format(user_name))
        return False
Beispiel #7
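def export_users(path_prefix='/',
                 region=None,
                 key=None,
                 keyid=None,
                 profile=None):
    '''
    Get all IAM user details. Produces results that can be used to create an
    sls file.

    Every user under ``path_prefix`` is listed, following the result marker
    until the listing is complete. For each user the policies named by
    ``get_all_user_policies`` are fetched and decoded, again following the
    marker so that users with more than one page of policies are exported in
    full. Returns ``None`` when no connection is available, otherwise the
    output of ``_safe_dump`` for the collected ``boto_iam.user_present``
    entries.

    .. versionadded:: Boron

    CLI Example:

        salt-call boto_iam.export_users --out=txt | sed "s/local: //" > iam_users.sls
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    if not conn:
        return None
    results = odict.OrderedDict()
    _users = conn.get_all_users(path_prefix=path_prefix)
    users = _users.list_users_response.list_users_result.users
    marker = getattr(_users.list_users_response.list_users_result, 'marker',
                     None)
    while marker:
        _users = conn.get_all_users(path_prefix=path_prefix, marker=marker)
        users = users + _users.list_users_response.list_users_result.users
        marker = getattr(_users.list_users_response.list_users_result,
                         'marker', None)
    for user in users:
        name = user.user_name
        # Page through the policy names the same way the user listing is
        # paged. A single request capped at 100 items would silently export
        # an incomplete set of permissions for users with more policies.
        policy_names = []
        policy_marker = None
        while True:
            _page = conn.get_all_user_policies(name, marker=policy_marker,
                                               max_items=100)
            _page = _page.list_user_policies_response.list_user_policies_result
            policy_names.extend(_page.policy_names)
            policy_marker = getattr(_page, 'marker', None)
            if not policy_marker:
                break
        policies = {}
        for policy_name in policy_names:
            _policy = conn.get_user_policy(name, policy_name)
            _policy = json.loads(
                _unquote(_policy.get_user_policy_response.
                         get_user_policy_result.policy_document))
            policies[policy_name] = _policy
        user_sls = [
            {"name": name},
            {"policies": policies},
            {"path": user.path},
        ]
        results["manage user " + name] = {"boto_iam.user_present": user_sls}
    return _safe_dump(results)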
Beispiel #8
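def export_users(path_prefix='/', region=None, key=None, keyid=None,
                 profile=None):
    '''
    Get all IAM user details. Produces results that can be used to create an
    sls file.

    Users under ``path_prefix`` are collected across all result pages. For
    each user, the policy names reported by ``get_all_user_policies`` are
    collected across all pages as well, and each policy document is decoded
    and parsed. Returns ``None`` when no connection is available, otherwise
    the output of ``_safe_dump`` for the ``boto_iam.user_present`` entries.

    .. versionadded:: Boron

    CLI Example:

        salt-call boto_iam.export_users --out=txt | sed "s/local: //" > iam_users.sls
    '''
    conn = _get_conn(region=region, key=key, keyid=keyid, profile=profile)
    if not conn:
        return None
    results = odict.OrderedDict()
    _users = conn.get_all_users(path_prefix=path_prefix)
    users = _users.list_users_response.list_users_result.users
    marker = getattr(
        _users.list_users_response.list_users_result, 'marker', None
    )
    while marker:
        _users = conn.get_all_users(path_prefix=path_prefix, marker=marker)
        users = users + _users.list_users_response.list_users_result.users
        marker = getattr(
            _users.list_users_response.list_users_result, 'marker', None
        )
    for user in users:
        name = user.user_name
        # Follow the marker for policy names too. Stopping after the first
        # 100 would leave the export missing policies for heavily-permissioned
        # users, with nothing in the output to show that it was cut short.
        _policies = conn.get_all_user_policies(name, max_items=100)
        _policies = _policies.list_user_policies_response.list_user_policies_result
        policy_names = list(_policies.policy_names)
        policy_marker = getattr(_policies, 'marker', None)
        while policy_marker:
            _policies = conn.get_all_user_policies(
                name, marker=policy_marker, max_items=100
            )
            _policies = _policies.list_user_policies_response.list_user_policies_result
            policy_names.extend(_policies.policy_names)
            policy_marker = getattr(_policies, 'marker', None)
        policies = {}
        for policy_name in policy_names:
            _policy = conn.get_user_policy(name, policy_name)
            _policy = json.loads(_unquote(
                _policy.get_user_policy_response.get_user_policy_result.policy_document
            ))
            policies[policy_name] = _policy
        user_sls = []
        user_sls.append({"name": name})
        user_sls.append({"policies": policies})
        user_sls.append({"path": user.path})
        results["manage user " + name] = {"boto_iam.user_present": user_sls}
    return _safe_dump(results)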
Beispiel #9
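def get_role_policy(role_name, policy_name, region=None, key=None,
                    keyid=None, profile=None):
    '''
    Get a role policy.

    Returns the policy document parsed into an ``OrderedDict``, ``False``
    when no connection is available, and an empty dict when the request
    raises ``BotoServerError``. The server error is logged so that a denied
    or failed request is not mistaken for an absent policy.

    CLI example::

        salt myminion boto_iam.get_role_policy myirole mypolicy
    '''
    conn = _get_conn(region, key, keyid, profile)
    if not conn:
        return False
    try:
        _policy = conn.get_role_policy(role_name, policy_name)
        # boto returns a nested response structure instead of a policy
        # object; pull the document out of it.
        _policy = _policy.get_role_policy_response.policy_document
        # Policy is url encoded
        _policy = _unquote(_policy)
        _policy = json.loads(_policy, object_pairs_hook=odict.OrderedDict)
        return _policy
    except boto.exception.BotoServerError as e:
        # Keep returning {} for callers, but record why: an unlogged failure
        # here hides access-denied and throttling errors behind what looks
        # like "no policy".
        log.debug(e)
        msg = 'Failed to get policy {0} for role {1}.'
        log.error(msg.format(policy_name, role_name))
        return {}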