def configure(create,
path,
max_session_duration,
trust_policy,
trust_root,
trusted_service,
trusted_saml_provider,
role_policy,
attached_policy,
role_name):
"""Create/configure/get IAM role."""
iam_conn = awscontext.GLOBAL.iam
try:
role = iamclient.get_role(iam_conn, role_name)
except exc.NotFoundError:
if not create:
raise
role = None
if trust_policy:
with io.open(trust_policy) as f:
trust_document = f.read()
elif trust_root or trusted_service or trusted_saml_provider:
trust_document = _generate_trust_document(trust_root,
trusted_service,
trusted_saml_provider)
else:
trust_document = None
if not role:
_create_role(iam_conn,
role_name,
path,
trust_document,
max_session_duration)
else:
if max_session_duration:
iamclient.update_role(iam_conn,
role_name,
max_session_duration)
if trust_document:
iamclient.update_assume_role_policy(iam_conn,
role_name,
trust_document)
if role_policy:
_set_role_policy(iam_conn, role_name, role_policy)
if attached_policy:
_set_attached_policy(iam_conn, role_name, attached_policy)
role = iamclient.get_role(iam_conn, role_name)
role['RolePolicies'] = iamclient.list_role_policies(iam_conn,
role_name)
role['AttachedPolicies'] = iamclient.list_attached_role_policies(
iam_conn,
role_name)
cli.out(formatter(role))
def _set_attached_policy(iam_conn, role_name, attached_policy):
sts = awscontext.GLOBAL.sts
accountid = sts.get_caller_identity().get('Account')
del_pols = {}
for policy in iamclient.list_attached_role_policies(iam_conn,
role_name):
del_pols[policy['PolicyArn']] = 1
new_pols = {}
for policy in attached_policy:
scope, policy_name = policy.split(':', 2)
if scope == 'global':
new_pols['arn:aws:iam::aws:policy/%s' % policy_name] = 1
elif scope == 'local':
pol = 'arn:aws:iam::%s:policy/%s' % (accountid, policy_name)
new_pols[pol] = 1
else:
raise click.UsageError('Invalid policy scope [%s]' % scope)
for policy_arn in del_pols:
if policy_arn not in new_pols:
iamclient.detach_role_policy(iam_conn,
role_name,
policy_arn)
else:
del new_pols[policy_arn]
for policy_arn in new_pols:
iamclient.attach_role_policy(iam_conn, role_name, policy_arn)
def delete(force, role_name):
"""Delete IAM role."""
iam_conn = awscontext.GLOBAL.iam
if force:
role_policies = iamclient.list_role_policies(iam_conn, role_name)
for policy in role_policies:
_LOGGER.info('deleting inline policy: %s', policy)
iamclient.delete_role_policy(iam_conn, role_name, policy)
attached_pols = iamclient.list_attached_role_policies(
iam_conn, role_name)
for policy in attached_pols:
_LOGGER.info('detaching policy: %s', policy['PolicyArn'])
iamclient.detach_role_policy(iam_conn, role_name,
policy['PolicyArn'])
try:
iamclient.delete_role(iam_conn, role_name)
except iam_conn.exceptions.DeleteConflictException:
raise click.UsageError('Role [%s] has inline or attached policies,'
'use --force to force delete.' % role_name)
def configure(create,
path,
max_session_duration,
trust_policy,
trusted_entities,
inline_policies,
attached_policies,
role_name):
"""Create/configure/get IAM role.
Arguments for --trusted-entities are of the form:
Entities are form:\n
* root: : trusted AWS account
* user:<user-name> : trusted IAM user
* saml-provider:<provider-name>: : trusted SAML Provider
* service:<service-name>: : trusted AWS Service
"""
iam_conn = awscontext.GLOBAL.iam
try:
role = iamclient.get_role(iam_conn, role_name)
except exc.NotFoundError:
if not create:
raise
role = None
if trust_policy:
with io.open(trust_policy) as f:
trust_document = f.read()
elif trusted_entities:
trust_document = _generate_trust_document(trusted_entities)
elif create:
raise click.UsageError('Must specify one:\n'
' --trust-policy\n'
' --trusted-entties')
else:
trust_document = None
if not role:
_create_role(iam_conn,
role_name,
path,
trust_document,
max_session_duration)
else:
if max_session_duration:
iamclient.update_role(iam_conn,
role_name,
max_session_duration)
if trust_document:
iamclient.update_assume_role_policy(iam_conn,
role_name,
trust_document)
if inline_policies:
_set_role_policies(iam_conn, role_name, inline_policies)
if attached_policies:
_set_attached_policies(iam_conn, role_name, attached_policies)
role = iamclient.get_role(iam_conn, role_name)
role['RolePolicies'] = iamclient.list_role_policies(iam_conn,
role_name)
role['AttachedPolicies'] = iamclient.list_attached_role_policies(
iam_conn,
role_name)
cli.out(formatter(role))