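def show_user_info(options):
    '''Lookup user by email and show app role assignments.

    Args:
        options: parsed CLI options; ``options.user_email`` is the lookup key.

    Returns:
        0 when the user has no AWS app role assignments (kept as the
        caller's exit code), otherwise ``None`` after logging each one.

    Raises:
        Exception: if no user, or more than one user, matches the email.
    '''
    graph_token = auth.get_bearer_token('https://graph.microsoft.com')
    users = graph_api.find_user_by_email(graph_token, options.user_email)
    if not users:
        raise Exception(
            f'User with email [{options.user_email}] was not found.')
    # find_user_by_email returns a list. The assign/unassign commands act on
    # the very same lookup, so refuse to report on "the first of several"
    # matches instead of silently picking one.
    if len(users) > 1:
        raise Exception(
            f'User lookup for [{options.user_email}] is ambiguous: '
            f'{len(users)} matches.')
    user = users[0]

    application = graph_api.get_application(graph_token)
    assignments = graph_api.get_user_app_roles(graph_token, user['id'])
    assigned_ids = {a['appRoleId'] for a in assignments}
    app_roles = [
        app_role for app_role in application['appRoles']
        if app_role['id'] in assigned_ids
    ]
    if not app_roles:
        log.info('No AWS App Roles assigned to %s', options.user_email)
        return 0

    log.info('User id: %s, name: %s', user['id'], user['displayName'])
    log.info('Assignments:')
    for app_role in app_roles:
        app_role_name = app_role['displayName']
        value = app_role.get('value')
        if value:
            # value is "<role arn>,<saml provider arn>" as written by
            # new_app_role; only the role ARN is shown. Take the first part
            # explicitly so a value without the separator is still listed
            # rather than aborting the whole report on a ValueError.
            role_arn = value.split(',', 1)[0]
            log.info('Role id: %s, name: %s, AWS Role Arn: %s', app_role['id'],
                     app_role_name, role_arn)
        else:
            log.info('Role id: %s, name: %s, ---', app_role['id'],
                     app_role_name)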
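def unassign_user(options):
    '''Remove assignment of AWS App Role from a user.

    Args:
        options: parsed CLI options; uses ``options.user_email`` and
            ``options.role_name``.

    Raises:
        Exception: if the user is missing or ambiguous, the app role does
            not exist, or the role is not currently assigned to the user.
    '''
    graph_token = auth.get_bearer_token('https://graph.microsoft.com')
    users = graph_api.find_user_by_email(graph_token, options.user_email)
    if not users:
        raise Exception(
            f'User with email [{options.user_email}] was not found.')
    # Revoking access is privilege-affecting: never act on the first of
    # several matches returned by the email lookup.
    if len(users) > 1:
        raise Exception(
            f'User lookup for [{options.user_email}] is ambiguous: '
            f'{len(users)} matches.')
    user = users[0]
    log.info('Unassigning user id: %s, name: %s', user['id'],
             user['displayName'])

    application = graph_api.get_application(graph_token)
    app_role = find_app_role_by_name(options.role_name,
                                     application['appRoles'])
    if not app_role:
        raise Exception(
            f'AWS App role with name {options.role_name} was not found')
    log.info('From app role id: %s, name: %s', app_role['id'],
             app_role['displayName'])
    # description is "<aws role name>@<account id>" as written by
    # new_app_role. It is only logged here, so a malformed or missing
    # description must not abort the revocation (tuple-unpacking a split()
    # would raise ValueError).
    description = app_role.get('description') or ''
    aws_role_name, _, aws_account = description.partition('@')
    log.info('From AWS role name: %s, account id: %s', aws_role_name,
             aws_account)

    assignments = graph_api.get_user_app_roles(graph_token, user['id'])
    matching = [a for a in assignments if a['appRoleId'] == app_role['id']]
    if not matching:
        raise Exception(
            f'AWS App role {options.role_name} is not assigned to {options.user_email}'
        )

    # Remove every matching assignment, not just the first one, so access is
    # actually revoked even if duplicate assignments exist.
    for assignment in matching:
        log.info('Removing assignment id: %s', assignment['id'])
        graph_api.remove_user_from_app_role(graph_token, user['id'],
                                            assignment['id'])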
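def assign_user(options):
    '''Assign specified AWS App Role to a user.

    Args:
        options: parsed CLI options; uses ``options.user_email`` and
            ``options.role_name``.

    Raises:
        Exception: if the user is missing or ambiguous, the app role does
            not exist, or the role is already assigned to the user.
    '''
    graph_token = auth.get_bearer_token('https://graph.microsoft.com')
    users = graph_api.find_user_by_email(graph_token, options.user_email)
    if not users:
        raise Exception(
            f'User with email [{options.user_email}] was not found.')
    # This grants AWS role access. find_user_by_email returns a list; if the
    # lookup is ambiguous, fail rather than grant the role to whichever
    # account happens to come first.
    if len(users) > 1:
        raise Exception(
            f'User lookup for [{options.user_email}] is ambiguous: '
            f'{len(users)} matches.')
    user = users[0]
    log.info('Assigning user id: %s, name: %s', user['id'],
             user['displayName'])

    application = graph_api.get_application(graph_token)
    app_role = find_app_role_by_name(options.role_name,
                                     application['appRoles'])
    if not app_role:
        raise Exception(
            f'AWS App role with name {options.role_name} was not found')
    log.info('To app role id: %s, name: %s', app_role['id'],
             app_role['displayName'])
    # description is "<aws role name>@<account id>" (see new_app_role) and
    # is only logged here; partition() keeps a malformed description from
    # raising ValueError on unpack.
    description = app_role.get('description') or ''
    aws_role_name, _, aws_account = description.partition('@')
    log.info('To AWS role name: %s, account id: %s', aws_role_name,
             aws_account)

    assignments = graph_api.get_user_app_roles(graph_token, user['id'])
    if any(a['appRoleId'] == app_role['id'] for a in assignments):
        raise Exception(
            f'AWS App role {options.role_name} is already assigned to {options.user_email}'
        )

    graph_api.assign_user_to_app_role(graph_token, user['id'], app_role['id'])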
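def delete_app_role(options):
    '''Delete existing app role from application manifest.

    The role is first disabled and the application patched, then removed
    from ``appRoles`` and patched again -- presumably because the API
    rejects removal of an enabled role; keep the two-step order.

    Args:
        options: parsed CLI options; ``options.role_name`` selects the role.

    Raises:
        Exception: if the role does not exist, or if it is the application's
            ``msiam_access`` role, which is not one of the AWS role mappings
            this tool manages.
    '''
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)
    app_role = find_app_role_by_name(options.role_name, application['appRoles'])
    if not app_role:
        raise Exception(f'AWS App role with name {options.role_name} was not found')
    # list_app_roles excludes 'msiam_access' from the AWS roles; a name
    # lookup would still match it here, so refuse to delete it.
    if app_role['displayName'] == 'msiam_access':
        raise Exception('Refusing to delete the msiam_access app role; it is not an AWS role mapping')

    # Step 1: disable the role.
    app_role['isEnabled'] = False
    graph_api.patch_application(token, application)

    # Step 2: remove the (now disabled) role from the manifest.
    application['appRoles'].remove(app_role)
    graph_api.patch_application(token, application)
    log.info('Deleted app role [%s] "%s"', app_role['id'], app_role['displayName'])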
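def list_app_roles(options):
    '''List Registered App Roles for AWS Application.

    Args:
        options: parsed CLI options (unused; kept for the shared command
            signature).
    '''
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)
    app_roles = application['appRoles']
    log.info('Get application details with %d roles', len(app_roles))
    for app_role in app_roles:
        # The application's own 'msiam_access' role is not an AWS mapping.
        if app_role['displayName'] == 'msiam_access':
            continue
        # A missing/null description would make the '@' test raise TypeError;
        # treat it like any other unexpected format and warn.
        description = app_role.get('description') or ''
        if '@' not in description:
            log.warning('Found app role %s without expected description format', app_role['displayName'])
            continue
        # Expected form is "<aws role name>@<account id>" (see new_app_role).
        # partition() tolerates a stray second '@' that split() would crash on.
        aws_role_name, _, aws_account_id = description.partition('@')
        log.info('Found id: %s, name: %s, aws role: %s, aws account: %s', app_role['id'], app_role['displayName'],
                 aws_role_name, aws_account_id)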
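def show_app_role_info(options):
    '''Information about app role.

    Resolves the AWS role name and account id from the app role's
    description ("<aws role name>@<account id>", see new_app_role), then
    looks for a matching IAM role under the '/aad' path in that account
    and logs its ARN (or 'Not Found').

    Args:
        options: parsed CLI options; ``options.role_name`` selects the role.

    Raises:
        Exception: if the app role does not exist or its description is not
            in the expected form.
    '''
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)
    app_role = find_app_role_by_name(options.role_name, application['appRoles'])
    if not app_role:
        raise Exception(f'AWS App role with name {options.role_name} was not found')

    description = app_role.get('description') or ''
    aws_role_name, sep, aws_account_id = description.partition('@')
    # The account id selects which AWS account is queried; without a
    # well-formed description we would query the wrong (or no) account,
    # so fail with a clear message instead of an unpack ValueError.
    if not sep or not aws_role_name or not aws_account_id:
        raise Exception(
            f'AWS App role {options.role_name} has an unexpected description: {description!r}')

    iam_resource = amazon.resource('iam', aws_account_id)
    role_arn = next(
        (iam_role.arn
         for iam_role in iam_resource.roles.filter(PathPrefix='/aad')
         if iam_role.name == aws_role_name),
        'Not Found',
    )
    log.info('AzureAD App Role ID: %s, Name: %s', app_role['id'], options.role_name)
    log.info('AWS Account: %s, AWS Role Name: %s, AWS Role ARN: %s', aws_account_id, aws_role_name, role_arn)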
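def new_app_role(options):
    '''Create new app role for corresponding iam role in some aws account.

    Args:
        options: parsed CLI options. Uses ``options.account_id`` and
            ``options.aws_role_name``; ``options.app_role_name`` is optional
            and defaults to ``"<aws_role_name>/<account_id>"`` (the default
            is written back onto ``options``).

    Raises:
        Exception: if the account id or role name would produce metadata the
            other commands cannot parse, or an app role with the same
            display name already exists.
    '''
    token = auth.get_bearer_token('https://graph.microsoft.com')
    application = graph_api.get_application(token)

    # The account id goes into two ARNs and into the description that every
    # other command parses; AWS account ids are exactly 12 digits.
    account_id = str(options.account_id)
    if not (account_id.isdigit() and len(account_id) == 12):
        raise Exception(f'Invalid AWS account id: {options.account_id!r}')
    # description is split on '@' and value on ',' by the other commands
    # (list_app_roles, show_user_info, ...). IAM allows both characters in a
    # role name, so reject them here rather than write an unparseable role.
    aws_role_name = options.aws_role_name
    if not aws_role_name or '@' in aws_role_name or ',' in aws_role_name:
        raise Exception(
            f'Invalid AWS role name {aws_role_name!r}: must be non-empty and contain no "@" or ","')

    if not options.app_role_name:
        options.app_role_name = f'{aws_role_name}/{account_id}'
    # The other commands resolve roles by display name and take the match
    # as unique; do not create a second role with the same name.
    if find_app_role_by_name(options.app_role_name, application['appRoles']):
        raise Exception(
            f'AWS App role with name {options.app_role_name} already exists')

    iam_role_arn = f'arn:aws:iam::{account_id}:role/aad/{aws_role_name}'
    saml_provider_arn = f'arn:aws:iam::{account_id}:saml-provider/AAD'
    app_role = {
        'allowedMemberTypes': ['User'],
        'description': f'{aws_role_name}@{account_id}',
        'displayName': options.app_role_name,
        'id': str(uuid.uuid4()),
        'isEnabled': True,
        'origin': 'Application',
        # "<role arn>,<saml provider arn>" -- the SAML attribute value the
        # AWS side consumes; show_user_info displays the first part.
        'value': f'{iam_role_arn},{saml_provider_arn}'
    }
    application['appRoles'].append(app_role)
    graph_api.patch_application(token, application)
    log.info('Created new app role [%s] for aws role "%s" in account %s',
             app_role['id'], aws_role_name, account_id)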