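def show_user_info(options):
    """Look up a user by e-mail and log the AWS app roles assigned to them.

    Args:
        options: parsed CLI options; only ``options.user_email`` is read.

    Returns:
        0 when the user has no AWS app role assignments; otherwise ``None``
        (the original return contract is kept unchanged).

    Raises:
        Exception: if no user matches ``options.user_email``.
    """
    graph_token = auth.get_bearer_token('https://graph.microsoft.com')
    user = graph_api.find_user_by_email(graph_token, options.user_email)
    if not user:
        raise Exception(
            f'User with email [{options.user_email}] was not found.')
    # find_user_by_email returns a list of matches; the first one is used.
    user = user[0]
    application = graph_api.get_application(graph_token)
    assignments = graph_api.get_user_app_roles(graph_token, user['id'])
    # A set keeps the membership test below O(1) per app role; the original
    # also had a dead `app_roles = []` before the comprehension, dropped here.
    app_role_ids = {a['appRoleId'] for a in assignments}
    app_roles = [
        app_role for app_role in application['appRoles']
        if app_role['id'] in app_role_ids
    ]
    if not app_roles:
        log.info(f'No AWS App Roles assigned to {options.user_email}')
        return 0
    log.info('User id: %s, name: %s', user['id'], user['displayName'])
    log.info('Assignments:')
    for app_role in app_roles:
        app_role_name = app_role['displayName']
        if app_role['value']:
            # 'value' is written as '<role arn>,<idp arn>' by new_app_role;
            # only the role ARN is reported here, the IdP ARN is ignored.
            role_arn, _idp_arn = app_role['value'].split(',')
            log.info('Role id: %s, name: %s, AWS Role Arn: %s',
                     app_role['id'], app_role_name, role_arn)
        else:
            log.info('Role id: %s, name: %s, ---',
                     app_role['id'], app_role_name)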
def unassign_user(options):
    """Remove the named AWS app role assignment from a user.

    Args:
        options: parsed CLI options; reads ``options.user_email`` and
            ``options.role_name``.

    Raises:
        Exception: if the user or the app role cannot be found, or if the
            role is not currently assigned to that user.
    """
    token = auth.get_bearer_token('https://graph.microsoft.com')
    matches = graph_api.find_user_by_email(token, options.user_email)
    if not matches:
        raise Exception(
            f'User with email [{options.user_email}] was not found.')
    target_user = matches[0]
    log.info('Unassigning user id: %s, name: %s',
             target_user['id'], target_user['displayName'])

    application = graph_api.get_application(token)
    role = find_app_role_by_name(options.role_name, application['appRoles'])
    if not role:
        raise Exception(
            f'AWS App role with name {options.role_name} was not found')
    log.info('From app role id: %s, name: %s', role['id'], role['displayName'])
    # The description is stored as '<aws role name>@<account id>' (see
    # new_app_role); anything other than exactly one '@' raises ValueError here.
    aws_role_name, aws_account = role['description'].split('@')
    log.info('From AWS role name: %s, account id: %s',
             aws_role_name, aws_account)

    current = graph_api.get_user_app_roles(token, target_user['id'])
    matching = [entry for entry in current if entry['appRoleId'] == role['id']]
    if not matching:
        raise Exception(
            f'AWS App role {options.role_name} is not assigned to {options.user_email}'
        )
    assignment_id = matching[0]['id']
    log.info('Removing assignment id: %s', assignment_id)
    graph_api.remove_user_from_app_role(token, target_user['id'], assignment_id)
def assign_user(options):
    """Assign the named AWS app role to a user.

    Args:
        options: parsed CLI options; reads ``options.user_email`` and
            ``options.role_name``.

    Raises:
        Exception: if the user or the app role cannot be found, or if the
            role is already assigned to that user.
    """
    token = auth.get_bearer_token('https://graph.microsoft.com')
    matches = graph_api.find_user_by_email(token, options.user_email)
    if not matches:
        raise Exception(
            f'User with email [{options.user_email}] was not found.')
    target_user = matches[0]
    log.info('Assigning user id: %s, name: %s',
             target_user['id'], target_user['displayName'])

    application = graph_api.get_application(token)
    role = find_app_role_by_name(options.role_name, application['appRoles'])
    if not role:
        raise Exception(
            f'AWS App role with name {options.role_name} was not found')
    log.info('To app role id: %s, name: %s', role['id'], role['displayName'])
    # Description format is '<aws role name>@<account id>' (see new_app_role);
    # a malformed description raises ValueError here before anything is changed.
    aws_role_name, aws_account = role['description'].split('@')
    log.info('To AWS role name: %s, account id: %s', aws_role_name, aws_account)

    # Refuse a duplicate assignment rather than letting Graph report it.
    current = graph_api.get_user_app_roles(token, target_user['id'])
    already_assigned = any(entry['appRoleId'] == role['id'] for entry in current)
    if already_assigned:
        raise Exception(
            f'AWS App role {options.role_name} is already assigned to {options.user_email}'
        )
    graph_api.assign_user_to_app_role(token, target_user['id'], role['id'])
def delete_app_role(options):
    """Delete an app role from the application manifest.

    Args:
        options: parsed CLI options; reads ``options.role_name``.

    Raises:
        Exception: if no app role with that display name exists.
    """
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)
    roles = application['appRoles']
    role = find_app_role_by_name(options.role_name, roles)
    if not role:
        raise Exception(f'AWS App role with name {options.role_name} was not found')
    # Two PATCH round-trips on purpose: the role is disabled and saved first,
    # then removed from the manifest and saved again (Graph rejects removing
    # an app role that is still enabled, so the order matters).
    role['isEnabled'] = False
    graph_api.patch_application(token, application)
    roles.remove(role)
    graph_api.patch_application(token, application)
    log.info('Deleted app role [%s] "%s"', role['id'], role['displayName'])
def list_app_roles(options):
    """Log every registered app role of the AWS application.

    Args:
        options: parsed CLI options; not read here, kept for the common
            command signature.
    """
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)
    roles = application['appRoles']
    log.info('Get application details with %d roles', len(roles))
    for role in roles:
        name = role['displayName']
        # 'msiam_access' looks like the built-in role of the gallery app rather
        # than one created by this tool, so it is skipped.
        if name == 'msiam_access':
            continue
        description = role['description']
        if '@' not in description:
            log.warning('Found app role %s without expected description format', name)
            continue
        # More than one '@' in the description still raises ValueError here.
        aws_role_name, aws_account_id = description.split('@')
        log.info('Found id: %s, name: %s, aws role: %s, aws account: %s',
                 role['id'], name, aws_role_name, aws_account_id)
def show_app_role_info(options):
    """Log an app role together with the matching AWS IAM role, if any.

    Args:
        options: parsed CLI options; reads ``options.role_name``.

    Raises:
        Exception: if no app role with that display name exists.
    """
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)
    role = find_app_role_by_name(options.role_name, application['appRoles'])
    if not role:
        raise Exception(f'AWS App role with name {options.role_name} was not found')
    aws_role_name, aws_account_id = role['description'].split('@')
    # Only IAM roles under the '/aad' path are considered; the first one whose
    # name matches wins, 'Not Found' is reported otherwise.
    iam = amazon.resource('iam', aws_account_id)
    role_arn = next(
        (r.arn for r in iam.roles.filter(PathPrefix='/aad') if r.name == aws_role_name),
        'Not Found',
    )
    log.info('AzureAD App Role ID: %s, Name: %s', role['id'], options.role_name)
    log.info('AWS Account: %s, AWS Role Name: %s, AWS Role ARN: %s',
             aws_account_id, aws_role_name, role_arn)
def new_app_role(options):
    """Register a new app role that maps to an IAM role in an AWS account.

    Args:
        options: parsed CLI options; reads ``options.account_id``,
            ``options.aws_role_name`` and ``options.app_role_name``. When
            ``options.app_role_name`` is empty it is set to
            '<aws_role_name>/<account_id>' — note this mutates ``options``.
    """
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)
    account_id = options.account_id
    aws_role_name = options.aws_role_name
    iam_role_arn = f'arn:aws:iam::{account_id}:role/aad/{aws_role_name}'
    if not options.app_role_name:
        options.app_role_name = f'{aws_role_name}/{account_id}'
    saml_provider_arn = f'arn:aws:iam::{account_id}:saml-provider/AAD'
    # 'description' is the '<role>@<account>' form the other commands parse
    # back with split('@'); neither value is validated here, so an aws_role_name
    # containing '@' would break that parsing later. 'value' pairs the role ARN
    # with the IdP ARN (presumably what ends up in the SAML role claim).
    new_role = {
        'allowedMemberTypes': ['User'],
        'description': f'{aws_role_name}@{account_id}',
        'displayName': options.app_role_name,
        'id': str(uuid.uuid4()),
        'isEnabled': True,
        'origin': 'Application',
        'value': f'{iam_role_arn},{saml_provider_arn}',
    }
    application['appRoles'].append(new_role)
    graph_api.patch_application(token, application)
    log.info('Created new app role [%s] for aws role "%s" in account %s',
             new_role['id'], aws_role_name, account_id)