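def create_ecs_service_role(region, namespace, mappings, parameters, **kwargs):
    """Create the ECS service role and attach its inline agent policy.

    ECS requires the role to be named ``ecsServiceRole``, which is why it is
    created here through the IAM API rather than via CloudFormation. A role
    that already exists is treated as success and simply gets its inline
    policy (re)put, so the hook can be run repeatedly.

    See: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        region: Region the IAM client is created in.
        namespace, mappings, parameters: Part of the hook signature; not read here.

    Keyword Args:
        role_name (str): Name of the role to create. Defaults to ``ecsServiceRole``.

    Returns:
        bool: ``True`` once the inline policy has been put on the role.

    Raises:
        ClientError: Any IAM error other than the role already existing.
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    client = boto3.client("iam", region_name=region)
    try:
        client.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as err:
        # ``err.message`` only exists on Python 2; ``str(err)`` carries the same
        # text on both versions and keeps the idempotent "already exists" path.
        if "already exists" not in str(err):
            raise
    policy = Policy(
        # Explicit version: a document without ``Version`` is interpreted by IAM
        # with its older default policy language.
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                # Same actions/resource as the service-role policy in the linked docs.
                Resource=["*"],
                Action=[
                    ecs.CreateCluster,
                    ecs.DeregisterContainerInstance,
                    ecs.DiscoverPollEndpoint,
                    ecs.Poll,
                    ecs.Action("Submit*"),
                ],
            )
        ],
    )
    client.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=policy.to_json(),
    )
    return True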
def create_ecs_service_role(provider, context, **kwargs):
    """Create the ``ecsServiceRole`` IAM role, which must carry exactly that name.

    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`runway.cfngin.providers.base.BaseProvider`): Provider
            instance. (passed in by CFNgin) Only ``provider.region`` is read.
        context (:class:`runway.cfngin.context.Context`): Context instance.
            (passed in by CFNgin) Not read by this hook.

    Keyword Args:
        role_name (str): Name of the role to create. (*default: ecsServiceRole*)

    Returns:
        bool: Whether or not the hook succeeded.

    Raises:
        ClientError: Any IAM error other than the role already existing.

    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    iam = get_session(provider.region).client("iam")

    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as exc:
        # An existing role is fine; the inline policy below is (re)applied to it.
        if "already exists" not in str(exc):
            raise

    ecs_actions = [
        ecs.CreateCluster,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.Poll,
        ecs.Action("Submit*"),
    ]
    role_policy = Policy(
        Version="2012-10-17",
        Statement=[Statement(Effect=Allow, Resource=["*"], Action=ecs_actions)],
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=role_policy.to_json(),
    )
    return True
def build_response(*, principal_id, region, acct_id, apig_id, stage):
    """Build an API Gateway authorizer response that allows ``Invoke``.

    The returned policy grants ``Invoke`` on every method (``*``) of the
    ``/responses`` resource of the given API stage and nothing else; the
    resource ARN is built from the caller-supplied parts.

    Args:
        principal_id: Value returned as ``principalId``.
        region: Region of the API Gateway.
        acct_id: AWS account id that owns the API.
        apig_id: API Gateway REST API id.
        stage: Deployment stage the grant applies to.

    Returns:
        dict: ``{"principalId": ..., "policyDocument": ...}`` where the policy
        document is a plain dict (round-tripped through JSON).
    """
    arn = "arn:aws:execute-api:{}:{}:{}/{}/*/responses".format(
        region, acct_id, apig_id, stage
    )
    invoke_statement = Statement(Effect=Allow, Action=[Invoke], Resource=[arn])
    document = Policy(Version="2012-10-17", Statement=[invoke_statement])
    return {
        "principalId": principal_id,
        # Serialise and parse again so the response holds a plain dict, not a Policy.
        "policyDocument": json.loads(document.to_json()),
    }
def create_ecs_service_role(
    context: CfnginContext, *, role_name: str = "ecsServiceRole", **_: Any
) -> bool:
    """Create the ``ecsServiceRole`` IAM role and attach its inline ECS policy.

    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html

    Args:
        context: Context instance. (passed in by CFNgin) Used only to obtain a session.
        role_name: Name of the role to create.

    Returns:
        ``True`` once the inline policy has been put on the role.

    Raises:
        ClientError: Any IAM error other than the role already existing.

    """
    iam = context.get_session().client("iam")
    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as exc:
        # Re-running the hook against an existing role is expected; any other
        # IAM failure propagates to the caller.
        if "already exists" not in str(exc):
            raise

    agent_actions = [
        ecs.CreateCluster,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.Poll,
        ecs.Action("Submit*"),
    ]
    document = Policy(
        Version="2012-10-17",
        Statement=[Statement(Effect=Allow, Resource=["*"], Action=agent_actions)],
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=document.to_json(),
    )
    return True
def create_ecs_service_role(provider, context, **kwargs):
    """Create the ECS service role and put its inline agent policy.

    The role has to be named ``ecsServiceRole`` (ECS looks it up by that
    name), so it is created with the IAM API instead of CloudFormation. See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`stacker.providers.base.BaseProvider`): provider
            instance; only ``provider.region`` is read.
        context (:class:`stacker.context.Context`): context instance; not
            read by this hook.

    Keyword Args:
        role_name (str): role to create; defaults to ``ecsServiceRole``.

    Returns:
        bool: ``True`` once the inline policy is in place.

    Raises:
        ClientError: any IAM failure other than the role already existing.
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    iam = get_session(provider.region).client('iam')
    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as exc:
        # Idempotent re-run: an existing role just gets its policy refreshed.
        if "already exists" not in str(exc):
            raise

    agent_statement = Statement(
        Effect=Allow,
        Resource=["*"],
        Action=[
            ecs.CreateCluster,
            ecs.DeregisterContainerInstance,
            ecs.DiscoverPollEndpoint,
            ecs.Poll,
            ecs.Action("Submit*"),
        ],
    )
    # NOTE: no ``Version`` is set on this document, so IAM applies its default
    # policy language to it.
    document = Policy(Statement=[agent_statement])
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=document.to_json(),
    )
    return True
def create_ecs_service_role(provider, context, **kwargs):
    """Create the ``ecsServiceRole`` IAM role and put its inline ECS policy.

    The role name is fixed by ECS, hence it is not created via CloudFormation.
    See: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Args:
        provider (:class:`stacker.providers.base.BaseProvider`): provider
            instance; only ``provider.region`` is read.
        context (:class:`stacker.context.Context`): context instance (unused here).

    Keyword Args:
        role_name (str): role to create/update; defaults to ``ecsServiceRole``.

    Returns:
        bool: ``True`` once the inline policy is in place.

    Raises:
        ClientError: any IAM failure other than "already exists".
    """
    role_name = kwargs.get("role_name", "ecsServiceRole")
    iam = get_session(provider.region).client('iam')
    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=get_ecs_assumerole_policy().to_json(),
        )
    except ClientError as exc:
        # An already-existing role is not an error for this hook.
        if "already exists" not in str(exc):
            raise

    agent_actions = [
        ecs.CreateCluster,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.Poll,
        ecs.Action("Submit*"),
    ]
    document = Policy(
        Version='2012-10-17',
        Statement=[Statement(Effect=Allow, Resource=["*"], Action=agent_actions)],
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="AmazonEC2ContainerServiceRolePolicy",
        PolicyDocument=document.to_json(),
    )
    return True
def create_ecs_service_role(region, namespace, mappings, parameters, **kwargs):
    """Put the ECS agent policy on the pre-existing ``ecsServiceRole``.

    ECS requires the role to carry exactly that name, so it is not managed
    through CloudFormation. See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    Only ``put_role_policy`` is called here: the role itself must already
    exist, and neither the role name nor the policy name is configurable.

    Args:
        region: region used to open the IAM connection.
        namespace, mappings, parameters: hook signature only; not read.

    Returns:
        bool: ``True`` after the policy has been put.
    """
    iam = connect_to_region(region)
    agent_statement = Statement(
        Effect=Allow,
        Resource=["*"],
        Action=[
            ecs.CreateCluster,
            ecs.DeregisterContainerInstance,
            ecs.DiscoverPollEndpoint,
            ecs.Poll,
            ecs.ECSAction("Submit*"),
        ],
    )
    # NOTE: no ``Version`` is set, so IAM applies its default policy language.
    document = Policy(Statement=[agent_statement])
    iam.put_role_policy(
        "ecsServiceRole",
        "AmazonEC2ContainerServiceRole",
        document.to_json(),
    )
    return True
def create_ecs_service_role(region, namespace, mappings, parameters, **kwargs):
    """Put the ECS agent policy on the pre-existing ``ecsServiceRole``.

    The role has to be named exactly ``ecsServiceRole``, so it cannot be
    created via CloudFormation. See:
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/IAM_policies.html#service_IAM_role

    This variant does not create the role; it only puts the inline policy,
    so the role is expected to exist before the hook runs.

    Args:
        region: region handed to ``ConnectionManager`` for the IAM connection.
        namespace, mappings, parameters: hook signature only; not read.

    Returns:
        bool: ``True`` after the policy has been put.
    """
    iam = ConnectionManager(region).iam
    agent_actions = [
        ecs.CreateCluster,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.Poll,
        ecs.ECSAction("Submit*"),
    ]
    # NOTE: no ``Version`` is set, so IAM applies its default policy language.
    document = Policy(
        Statement=[Statement(Effect=Allow, Resource=["*"], Action=agent_actions)],
    )
    iam.put_role_policy(
        "ecsServiceRole",
        "AmazonEC2ContainerServiceRole",
        document.to_json(),
    )
    return True
def temp_cloudformation_policy(awsclient):
    """Create a throw-away IAM managed policy and yield its ARN; delete it afterwards.

    Reference policy this fixture is modelled on
    (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html)::

        {
          "Version":"2012-10-17",
          "Statement":[{
            "Effect":"Allow",
            "Action":[
              "cloudformation:CreateStack",
              "cloudformation:DescribeStacks",
              "cloudformation:DescribeStackEvents",
              "cloudformation:DescribeStackResources",
              "cloudformation:GetTemplate",
              "cloudformation:ValidateTemplate"
            ],
            "Resource":"*"
          }]
        }

    NOTE: the document actually created below is broader than that reference:
    it allows ``cloudformation:*`` on ``*``. It is meant to exist only for the
    duration of the test; the policy is deleted once the consumer resumes the
    generator after the ``yield``.

    Args:
        awsclient: client factory exposing ``get_client('iam')``.

    Yields:
        str: ARN of the created managed policy.
    """
    iam = awsclient.get_client('iam')
    policy_name = 'unittest_%s_cloudformation_policy' % utils.random_string()
    document = Policy(
        Version="2012-10-17",
        Id=policy_name,
        Statement=[
            Statement(
                Effect=Allow,
                Action=[Action('cloudformation', '*')],
                Resource=['*'],
            ),
        ],
    )
    created = iam.create_policy(
        PolicyName=policy_name,
        PolicyDocument=document.to_json(),
    )
    policy_arn = created['Policy']['Arn']
    yield policy_arn
    # cleanup
    iam.delete_policy(PolicyArn=policy_arn)
from awacs.aws import Allow, AWSPrincipal, Condition
from awacs.aws import Policy, Statement
from awacs.aws import DateGreaterThan, DateLessThan, IpAddress
import awacs.sqs as sqs

# Example SQS queue policy: another account may send to "queue1", but only
# during a fixed time window and only from two source-address ranges.
region = 'us-east-1'
account = '444455556666'

# Time window plus source-IP restriction attached to the single Allow below.
send_conditions = Condition([
    DateGreaterThan("aws:CurrentTime", "2010-08-16T12:00:00Z"),
    DateLessThan("aws:CurrentTime", "2010-08-16T15:00:00Z"),
    IpAddress("aws:SourceIp", ["192.0.2.0/24", "203.0.113.0/24"]),
])

send_statement = Statement(
    Sid="Queue1_SendMessage",
    Effect=Allow,
    Principal=AWSPrincipal("111122223333"),
    Action=[sqs.SendMessage],
    Resource=[sqs.ARN(region, account, "queue1")],
    Condition=send_conditions,
)

pd = Policy(Id="Queue1_Policy_UUID", Statement=[send_statement])
print(pd.to_json())
s3.S3_ARN("*"), ], ), Statement( Action=[s3.ListBucket], Effect=Allow, Resource=[s3.S3_ARN("myBucket")], Condition=Condition( StringEquals({ 's3:prefix': ['', 'home/'], 's3:delimiter': ['/'], }), ), ), Statement( Action=[s3.ListBucket], Effect=Allow, Resource=[s3.S3_ARN("myBucket")], Condition=Condition(StringLike("s3:prefix", ["home/${aws:username}/*"])), ), Statement( Action=[Action("s3", "*")], Effect=Allow, Resource=[ s3.S3_ARN("myBucket/home/${aws:username}"), s3.S3_ARN("myBucket/home/${aws:username}/*"), ], ), ], ) print(pd.to_json())
from awacs.aws import Allow, Policy, Statement, AWSPrincipal from awacs import ec2, iam, sts cmp_account_id = '032298565451' access_policy = Policy( Statement=[ Statement( Effect=Allow, Action=[ec2.DescribeInstances, ec2.CreateTags], Resource=['*'], ), ] ) print access_policy.to_json() cloud_mgmt_platform_arn = 'arn:aws:iam::%s:root' % (cmp_account_id,) trust_policy = Policy( Statement=[ Statement( Effect=Allow, Action=[sts.AssumeRole], Principal=AWSPrincipal(cloud_mgmt_platform_arn), ), ], ) print trust_policy.to_json() iam_conn = boto.iam.connect_to_region('universal') iam_utils.update_policy(
# Using the temporary creds, run DescribeInstances ec2_conn = boto.ec2.connect_to_region('us-west-2', **token.to_boto_dict()) instances = ec2_conn.get_only_instances() for instance in instances: print instance.id, instance.tags try: ec2_conn.create_tags(instance.id, {'Key': 'Value'}) except EC2ResponseError, e: if e.error_code != 'UnauthorizedOperation': raise print 'UnauthorizedOperation! Cannot set tags.' if __name__ == '__main__': # Get AWS to give us a set of temporary credentials that act inside of # `customer_id`'s account. Here we specify our reduced access policy which # does not specify the CreateTags operation. This means that when we call # do_tags it will fail. assumed_role = sts_conn.assume_role( role_arn, 'sec-403-demo', reduced_access_policy.to_json()) token = iam_utils.Token(assumed_role.credentials) print '------------ Trying with reduced privileges' do_tags(token) # Here we assume role again, this time without the reduced access policy. # The tagging will work assumed_role = sts_conn.assume_role(role_arn, 'sec-403-demo') token = iam_utils.Token(assumed_role.credentials) print '------------ Trying with full privileges' do_tags(token)
] ) instance_profile_trust = Policy( Statement=[ Statement( Effect=Allow, Action=[sts.AssumeRole], Principal=Principal('Service', 'ec2.amazonaws.com'), ) ] ) iam_utils.update_policy( iam_conn, 'worker', 'worker-access-policy', instance_profile_trust.to_json(), worker_access_policy.to_json(), profile=True, ) iam_utils.update_policy( iam_conn, 'apptier', 'apptier-access-policy', instance_profile_trust.to_json(), apptier_access_policy.to_json(), profile=True, )
Statement( Effect=Allow, Action=[sts.AssumeRole], Principal=AWSPrincipal(cloud_mgmt_platform_arn), Condition=Condition( StringEquals( 'sts:ExternalId', '2d6012e95f4942b9b5255274430a4ca2' ) ) ), ], ) iam_conn = boto.iam.connect_to_region('universal') iam_utils.update_policy( iam_conn, 'ReadonlyPolicy', 'ReadonlyPolicy', cloud_mgmt_platform_trust_policy.to_json(), readonly_access_policy.to_json() ) iam_utils.update_policy( iam_conn, 'ModifyInstancesPolicy', 'ModifyInstancesPolicy', cloud_mgmt_platform_trust_policy.to_json(), modifyinstances_access_policy.to_json() )