def create_user(module, iam, name, pwd, path, key_state, key_count): key_qty = 0 keys = [] try: user_meta = iam.create_user( name, path).create_user_response.create_user_result.user changed = True if pwd is not None: pwd = iam.create_login_profile(name, pwd) if key_state in ['create']: if key_count: while key_count > key_qty: keys.append( iam.create_access_key( user_name=name).create_access_key_response. create_access_key_result.access_key) key_qty += 1 else: keys = None except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: user_info = dict(created_user=user_meta, password=pwd, access_keys=keys) return (user_info, changed)
def update_user(module, iam, name, new_name, new_path, key_state, keys, pwd): changed = False name_change = False current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata] updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True user = iam.update_user( name, new_name, new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) name = new_name name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: changed = True iam.create_login_profile(name, pwd) else: try: iam.delete_login_profile(name) changed = True except boto.exception.BotoServerError: changed = False if key_state == 'Create': try: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key changed = True except boto.exception.BotoServerError, e: module.fail_json(msg=str(e))
def create_users(): try: iam.create_group(group) except boto.exception.BotoServerError as e: if e.code == 'EntityAlreadyExists': print e.message + " Will overwrite." else: print "Exception: %s" % str(e) exit(1) # attach policy to group # security policy: allows access to everything but IAM # if the IAM lab is included in the day, then remove the line "NotAction": "iam:*", policy = '''{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] }''' iam.put_group_policy(group, policy_name, policy) # add users to group with open(DATA_FILE_NAME, 'rU') as data_file: user_reader = csv.reader(data_file) for row in user_reader: user, password = row[0], row[1] try: iam.create_user(user) iam.create_login_profile(user, password) iam.add_user_to_group(group, user) print("Added " + user) except boto.exception.BotoServerError as e: print "Problems creating %s. Exiting due to error: %s" % ( user, str(e.message)) exit(1) print "Users created. They can login to the AWS Console using this link: " + iam.get_signin_url( )
def create_users(): try: iam.create_group(group) except boto.exception.BotoServerError as e: if e.code == 'EntityAlreadyExists': print e.message + " Will overwrite." else: print "Exception: %s" % str(e) exit(1) # attach policy to group # security policy: allows access to everything but IAM # if the IAM lab is included in the day, then remove the line "NotAction": "iam:*", policy = '''{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] }''' iam.put_group_policy(group, policy_name, policy) # add users to group with open(DATA_FILE_NAME, 'rU') as data_file: user_reader = csv.reader(data_file) for row in user_reader: user, password = row[0], row[1] try: iam.create_user(user) iam.create_login_profile(user, password) iam.add_user_to_group(group, user) print("Added " + user) except boto.exception.BotoServerError as e: print "Problems creating %s. Exiting due to error: %s" % (user, str(e.message)) exit(1) print "Users created. They can login to the AWS Console using this link: " + iam.get_signin_url()
def create_user(iam, name, pwd, path, key_state): user_meta = iam.create_user( name, path).create_user_response.create_user_result.user changed = True if pwd is not None: pwd = iam.create_login_profile(name, pwd) if key_state in ['create', 'active']: keys = iam.create_access_key( user_name=name).create_access_key_response.\ create_access_key_result.\ access_key else: keys = None user_info = dict(created_user=user_meta, password=pwd, access_keys=keys) return (user_info, changed)
def create_user(module, iam, name, pwd, path, key_state, key_count): key_qty = 0 keys = [] try: user_meta = iam.create_user( name, path).create_user_response.create_user_result.user changed = True if pwd is not None: pwd = iam.create_login_profile(name, pwd) if key_state in ['create']: if key_count: while key_count > key_qty: keys.append(iam.create_access_key( user_name=name).create_access_key_response.\ create_access_key_result.\ access_key) key_qty += 1 else: keys = None except boto.exception.BotoServerError, err: module.fail_json(changed=False, msg=str(err))
user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError, err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Passsword doesn't conform to policy") else: module.fail_json(msg=error_msg) if key_state == 'create': try: while key_count > key_qty: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key key_qty += 1 changed = True
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name try: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] name = new_name else: module.fail_json(changed=False, msg=str(err)) updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path ).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path ).update_user_response.response_metadata user['updates'] = dict(old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Password doesn't conform to policy") else: module.fail_json(msg=error_msg) try: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] name = new_name else: module.fail_json(changed=False, msg=str(err)) new_keys = [] if key_state == 'create': try: while key_count > key_qty: new_keys.append( iam.create_access_key( user_name=name).create_access_key_response. create_access_key_result.access_key) key_qty += 1 changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if key_state in ('active', 'inactive'): if access_key in current_keys: for current_key, current_key_state in zip( current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key(access_key, key_state.capitalize(), user_name=name) changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: module.fail_json(msg="Supplied keys not found for %s. " "Current keys: %s. " "Supplied key(s): %s" % (name, current_keys, keys)) if key_state == 'remove': if access_key in current_keys: try: iam.delete_access_key(access_key, user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True try: final_keys, final_key_status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata] except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) for fk, fks in zip(final_keys, final_key_status): updated_key_list.update({fk: fks}) return name_change, updated_key_list, changed, new_keys
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name try: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata] name = new_name else: module.fail_json(changed=False, msg=str(err)) updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Password doesn't conform to policy") else: module.fail_json(msg=error_msg) if key_state == 'create': try: while key_count > key_qty: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key key_qty += 1 changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if access_key in current_keys: for current_key, current_key_state in zip(current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key( access_key, key_state.capitalize(), user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True if key_state == 'remove': try: iam.delete_access_key(access_key, user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True try: final_keys, final_key_status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata] except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) for fk, fks in zip(final_keys, final_key_status): updated_key_list.update({fk: fks}) return name_change, updated_key_list, changed