def get_bucket_account(bucket_name, assumed_role):
'''Given a bucket_name determine what AWS account the bucket resides in.
Check
* The bucket_account_map dictionary in the config file
* The local AWS account that this tool runs from
* The AWS account of the assumed_role argument passed in
Return the AWS account number or False'''
if bucket_name in options.bucket_account_map:
# Check if the bucket is in the bucket account map
return options.bucket_account_map[bucket_name]
try:
# Check if the bucket is in our local AWS account
conn_s3 = boto.s3.connect_to_region('us-east-1',
aws_access_key_id=options.aws_access_key_id,
aws_secret_access_key=options.aws_secret_access_key)
conn_s3.get_bucket(bucket_name)
return boto.connect_iam().get_user().arn.split(':')[4].lstrip('0')
except:
pass
try:
# Check if the bucket is in the AWS account of the passed role
conn_s3 = boto.s3.connect_to_region('us-east-1',
**assumed_role)
conn_s3.get_bucket(bucket_name)
return boto.connect_iam().get_user().arn.split(':')[4].lstrip('0')
except:
pass
logger.error("Unable to determine what account the bucket %s resides in. "
"Checked the AWS account containing the mozdef user, the AWS account "
"of the target CloudTrail, and the following bucket map : %s" %
options.bucket_account_map)
return False
def create_s3_creds(proc_name, username, key=None, secret=None):
'''
Create temporary S3 credentials with a time-limit to allow users to
access their analysis products.
Parameters
----------
proc_name : str
Name of the process.
username : str
Name of the user
key : str
Credentials to connect to IAM
secret : str
Credentials to connect to IAM
'''
# Connect to IAM with boto
# Try loading credentials in when not given.
if key is None or secret is None:
iam = boto.connect_iam()
else:
iam = boto.connect_iam(key, secret)
# Create user. The credentials need to be attached to the process, so
# combine the username and the proc_name
cred_user_name = "{0}_{1}".format(username, proc_name)
user_response = iam.create_user(crepkd_user_name)
# Create Policy to only allow access to the one S3 bucket
# The bucket name is assumed to have the same name as the proc_name.
policy = {}
policy['Statement'] = \
[{'Sid': 'AwsIamUserPython',
'Effect': 'Allow',
'Action': 's3:*',
'Resource': ['arn:aws:s3:::{}'.format(proc_name),
'arn:aws:s3:::{}/*'.format(proc_name)]}]
policy_json = json.dumps(policy, indent=2)
iam.put_user_policy(cred_user_name, 'allow_access_{}'.format(proc_name),
policy_json)
# Generate new access key pair for 'aws-user'
key_response = \
iam.create_access_key(cred_user_name)[u'create_access_key_response'][u'create_access_key_result']
key_id = key_response[u'access_key']['access_key_id']
key_secret = key_response[u'access_key']['secret_access_key']
return {"username": cred_user_name, "key_id": key_id,
"key_secret": key_secret}
def test_upload_server_cert():
conn = boto.connect_iam()
conn.upload_server_cert("certname", "certbody", "privatekey")
cert = conn.get_server_certificate("certname")
cert.server_certificate_name.should.equal("certname")
cert.arn.should.equal("arn:aws:iam::123456789012:server-certificate/certname")
def _delete_iam_group(name):
try:
iam = boto.connect_iam()
iam.delete_group(name)
except BotoServerError as e:
if e.status != 404:
raise e
def test_get_all_groups():
conn = boto.connect_iam()
conn.create_group('my-group1')
conn.create_group('my-group2')
groups = conn.get_all_groups()['list_groups_response'][
'list_groups_result']['groups']
groups.should.have.length_of(2)
def get_iam_user_info():
# IAM user info
iam = boto.connect_iam(security_token=security_token)
verbose("Getting IAM user info:")
user_info = []
users = iam.get_all_users().list_users_response.list_users_result.users
debug(users)
for user in users:
verbose("User: "******"iam:userpolicy", user.user_name, policy_name, policy))
# access keys
access_keys = iam.get_all_access_keys(user.user_name)
access_keys = access_keys.list_access_keys_response.list_access_keys_result.access_key_metadata
for access_key in access_keys:
user_info.append(
config_line("iam:accesskey", access_key.user_name, access_key.status, access_key.access_key_id))
# group membership
groups = iam.get_groups_for_user(user.user_name)
groups = groups.list_groups_for_user_response.list_groups_for_user_result.groups
for group in groups:
user_info.append(config_line("iam:useringroup", user.user_name, "", group.group_name))
return sorted(user_info)
def connect_iam():
logger.debug('Connecting to the Amazon Identity and Access Management (Amazon IAM) service.')
iam = boto.connect_iam(aws_access_key_id=config['AWS_ACCESS_KEY_ID'],
aws_secret_access_key=config['AWS_SECRET_ACCESS_KEY'])
logger.debug('Connected to Amazon IAM.')
return iam
def create_user(self, user_name):
self.iam_connection = boto.connect_iam()
try:
resp = self.iam_connection.create_user(user_name)
except boto.exception.BotoServerError, e:
logging.error(e)
return False
def create_account():
#connect to IAM
iam = boto.connect_iam(ACCESS_KEY,SECRET_KEY)
#create user
iam.create_user(new_account_name)
#add user to group
iam.add_user_to_group("Administrators", new_account_name)
#create access keys
keys = iam.create_access_key(new_account_name)
# try statements to attach user to policy.
# some versions of boto do not have attach_user_policy, however put_user_policy
try:
iam.attach_user_policy(account_perm_policy_arn,new_account_name)
except:
print "[-] Unable to execute method 'attach_user_policy()'"
print "[-] Attempting put_user_policy "
try:
iam.put_user_policy(new_account_name,account_perm_policy_arn)
except:
print "[-] Failed executing method 'put_user_policy()'"
print "[-] Execute command: aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name %s" % new_account_name
#create AWS Web Console Login
iam.create_login_profile(new_account_name,new_account_password)
print "User %s created with password %s" % (new_account_name, new_account_password)
print "Access Key ID: %s" % str(keys.access_key_id)
print "Secret Key ID %s" % str(keys.secret_access_key)
def main():
args = parse_args()
if args.verbose > 1:
print(args)
# Get a complete list of usernames to act on
if args.usernames is not None:
usernames = args.usernames
else:
usernames = [i.strip() for i in args.username_file.readlines()]
# Set up the connection to IAM
conn = boto.connect_iam()
# Take action on the usernames after asking for confirmation
confirmation = confirm(
"{}\nAre you sure you want to {} these users in IAM? [yes/NO]: ".format(
'\n'.join(usernames), args.action)
)
if confirmation or args.no_verify:
if args.action == "create":
create_accounts(usernames, conn, verbosity=args.verbose)
elif args.action == "delete":
delete_accounts(usernames, conn, verbosity=args.verbose)
elif args.action == "purge":
purge_accounts(usernames, conn, verbosity=args.verbose)
else:
print("Unknown action '{}'".format(args.action))
exit(1)
def copyseconddata(record):
region = os.environ["REGION"]
dest_bucket_name = os.environ["S3_BUCKET_NAME"]
source_bucket_name = os.environ["S3_SOURCE_SECOND_BUCKET_NAME"]
dynamo_table_name = os.environ["DYN_TABLENAME"]
print "Deleting and recreating dynamo table so only new records are inserted into redshift"
dynamo_conn = boto.dynamodb.connect_to_region(region)
table = dynamo_conn.get_table(dynamo_table_name)
dynamo_conn.delete_table(table)
dynamo_schema = dynamo_conn.create_schema(hash_key_name='key',hash_key_proto_value=str)
time.sleep(5)
print "Sleeping for 5 seconds to let table delete"
table = dynamo_conn.create_table(name=dynamo_table_name,schema=dynamo_schema,read_units=500, write_units=150)
role_name = "NucleatorBucketandqDistributorServiceRunner"
iam_conn = boto.connect_iam()
role = iam_conn.get_role(role_name)
role_arn = role["get_role_response"]["get_role_result"]["role"]["arn"]
stsconn = sts.STSConnection()
response = stsconn.assume_role(role_arn, "redshift_copy_session")
access_key = response.credentials.access_key
secret_key = response.credentials.secret_key
session_token = response.credentials.session_token
print "Running S3 Copy Command"
command = "export AWS_ACCESS_KEY_ID=%s; export AWS_SECRET_ACCESS_KEY=%s; export AWS_SESSION_TOKEN=%s; aws s3 cp s3://%s/ s3://%s/ --recursive --include '*' > /dev/null" % (access_key, secret_key, session_token, source_bucket_name, dest_bucket_name)
subprocess.call(command, shell=True)
copytoredshift(record)
def get_iam_roles():
# IAM Roles
iam = boto.connect_iam(aws_access_key_id=assume_role.credentials.access_key,
aws_secret_access_key=assume_role.credentials.secret_key,
security_token=assume_role.credentials.session_token)
verbose("Getting IAM role info:")
role_policy = []
roles = iam.list_roles().list_roles_response.list_roles_result.roles
for role in roles:
verbose("Role: " + role.role_name)
# Policy controling use of the role (always present)
assume_role_policy = role.assume_role_policy_document
assume_role_policy = urllib.unquote(assume_role_policy)
role_policy.append(config_line_policy("iam:assumerolepolicy", role.role_name, role.arn, assume_role_policy))
# Policies around what the assumed role can do
policies = iam.list_role_policies(role.role_name)
policies = policies.list_role_policies_response.list_role_policies_result.policy_names
for policy_name in policies:
policy = iam.get_role_policy(role.role_name, policy_name)
policy = policy.get_role_policy_response.get_role_policy_result.policy_document
policy = urllib.unquote(policy)
role_policy.append(config_line_policy("iam:rolepolicy", role.role_name, policy_name, policy))
debug(policies)
return sorted(role_policy)
def connection(self):
"""
Lazily creates boto2 IAM connection
"""
if not self._boto2_connection:
self._boto2_connection = boto.connect_iam()
return self._boto2_connection
def test_list_instance_profiles_for_role():
conn = boto.connect_iam()
conn.create_role(role_name="my-role", assume_role_policy_document="some policy", path="my-path")
conn.create_role(role_name="my-role2", assume_role_policy_document="some policy2", path="my-path2")
profile_name_list = ['my-profile', 'my-profile2']
profile_path_list = ['my-path', 'my-path2']
for profile_count in range(0, 2):
conn.create_instance_profile(profile_name_list[profile_count], path=profile_path_list[profile_count])
for profile_count in range(0, 2):
conn.add_role_to_instance_profile(profile_name_list[profile_count], "my-role")
profile_dump = conn.list_instance_profiles_for_role(role_name="my-role")
profile_list = profile_dump['list_instance_profiles_for_role_response']['list_instance_profiles_for_role_result']['instance_profiles']
for profile_count in range(0, len(profile_list)):
profile_name_list.remove(profile_list[profile_count]["instance_profile_name"])
profile_path_list.remove(profile_list[profile_count]["path"])
profile_list[profile_count]["roles"]["member"]["role_name"].should.equal("my-role")
len(profile_name_list).should.equal(0)
len(profile_path_list).should.equal(0)
profile_dump2 = conn.list_instance_profiles_for_role(role_name="my-role2")
profile_list = profile_dump2['list_instance_profiles_for_role_response']['list_instance_profiles_for_role_result']['instance_profiles']
len(profile_list).should.equal(0)
def delete_user(user_name, access_key_id):
deleted = False
iam = boto.connect_iam(
aws_access_key_id = private_settings.AWS_ACCESS_KEY_ID,
aws_secret_access_key = private_settings.AWS_SECRET_ACCESS_KEY)
try:
# Must remove access key and groups from user before deleting
iam.delete_access_key(access_key_id = access_key_id, user_name = user_name)
groups = iam.get_groups_for_user(user_name = user_name)
for group in groups['list_groups_for_user_response']['list_groups_for_user_result']['groups']:
iam.remove_user_from_group(group_name = group['group_name'], user_name = user_name)
iam.delete_user(user_name = user_name)
logger.info('Deleted iam user "{}"'.format(user_name))
deleted = True
except BotoServerError, e:
logger.error('Unable to delete iam user "{}": {}, {}'.format(user_name,
e.status, e.reason))
def getAllInstances(self):
try:
#尝试Key的有效性并判断属于大陆区还是海外区,并获得相应的regions列表
conn = ec2.connect_to_region('ap-southeast-1')
regions = conn.get_all_regions()
accountid = boto.connect_iam().get_user().arn.split(':')[4]
except EC2ResponseError as e:
print e
instances=[]
for region in regions:
conn=ec2.connect_to_region(region.name)
for instance in conn.get_only_instances():
ins={}
ins['instance_id']=instance.id
ins['name']=instance.tags.get('Name','')
ins['project']=instance.tags.get('PROJECT','')
ins['instance_type']=instance.instance_type
ins['state']=instance.state
ins['placement']=instance.placement
ins['private_ip']=instance.private_ip_address
ins['public_ip']=instance.ip_address
ins['vpc_id']=instance.vpc_id
ins['subnet_id']=instance.subnet_id
ins['image_id']=instance.image_id
ins['virtualization_type']=instance.virtualization_type
ins['launch_time']=instance.launch_time
instances.append(ins)
return instances
def setup_boto_connections(self, aws_access_key_id=None, aws_secret_access_key=None, clc_ip=None, walrus_ip=None):
if aws_access_key_id is None:
aws_access_key_id = self.aws_access_key_id
if aws_secret_access_key is None:
aws_secret_access_key = self.aws_secret_access_key
if clc_ip is None:
clc_ip = self.get_clc_ip()
if walrus_ip is None:
walrus_ip = self.get_walrus_ip()
self.ec2 = boto.connect_ec2(aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
is_secure=False,
api_version = '2009-11-30',
region=RegionInfo(name="eucalyptus", endpoint=clc_ip),
port=8773,
path="/services/Eucalyptus",
debug=self.boto_debug)
self.s3 = boto.connect_s3(aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
is_secure=False,
host=walrus_ip,
port=8773,
path="/services/Walrus",
calling_format=OrdinaryCallingFormat(),
debug=self.boto_debug)
self.euare = boto.connect_iam(aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
is_secure=False,
host=clc_ip,
port=8773,
path="/services/Euare",
debug=self.boto_debug)
def create_user(shortname=None):
import boto
conn = boto.connect_iam()
try:
_response = conn.create_group(shortname)
print green('create group response: \n{}'.format(_response))
except:
print red('Problem creating group: {}'.format(shortname))
print green(policy.format(shortname))
_response = conn.put_group_policy(shortname, shortname + 'Policy', policy.format(shortname))
print green('put group polocy response: \n{}'.format(_response))
# make the user
try:
_response = conn.create_user(shortname)
print green('create user response: \n{}'.format(_response))
except:
print red('Problem creating user: {}'.format(shortname))
_response = conn.add_user_to_group(shortname, shortname)
print green('add user to group response: \n{}'.format(_response))
_response = conn.create_access_key(shortname)
print green('added new account, access key: \n{}'.format(_response))
sleep(5) # give the access key a chance to propogate
create_buckets(shortname=shortname)
def create_role():
"""
Creates IAM role using CloudFormation for AWS Lambda service
"""
client_cf = boto.cloudformation.connect_to_region(REGION)
response = client_cf.create_stack(
stack_name=STACK_NAME,
template_url=TEMPLATE_URL,
capabilities=CAPABILITIES
)
print response
time.sleep(7)
print "Creating roles"
time.sleep(7)
print "Still creating"
time.sleep(7)
print "Giving Lambda proper permissions"
# get name of LambdaExecRole
client_iam = boto.connect_iam()
roles = client_iam.list_roles()
list_roles = roles['list_roles_response']['list_roles_result']['roles']
for i in range(len(list_roles)):
if STACK_NAME+"-LambdaExecRole" in list_roles[i].arn:
IAM_ROLE = list_roles[i].role_name
print "Trying..."
# grants Admin access to LambdaExecRole to access Cloudwatch, DynamoDB, Kinesis
client_iam.put_role_policy(IAM_ROLE, POLICY_NAME, POLICY)
print "Created role"
def getAllVolumes(self):
try:
#尝试Key的有效性并判断属于大陆区还是海外区,并获得相应的regions列表
conn = ec2.connect_to_region('ap-southeast-1')
regions = conn.get_all_regions()
accountid = boto.connect_iam().get_user().arn.split(':')[4]
except EC2ResponseError as e:
print e
volumes=[]
for region in regions:
#print "connect to region", region
conn = ec2.connect_to_region(region.name)
for volume in conn.get_all_volumes():
vol={}
vol['volume_id'] = volume.id
vol['type'] = volume.type
vol['size'] = volume.size
vol['status'] = volume.status
vol['iops'] = volume.iops
vol['zone'] = volume.zone
vol['project'] = volume.tags.get('PROJECT','')
vol_attr = volume.attach_data
vol['instance_id'] = vol_attr.instance_id
vol['snapshot_id'] = volume.snapshot_id
vol['create_time'] = volume.create_time
volumes.append(vol)
return volumes
def main():
#Assumes that your AWS credentials are exported in the local environment.
iam = boto.connect_iam()
user_names = []
if aws_key_report_file:
with open(aws_key_report_file) as report_fp:
for line in report_fp:
user_names.append(line.split(',')[0])
#remove first two elements, they are the csv legend, and the <root_account>
user_names = user_names[2:]
else:
print 'Skipping AWS credential check, no aws key report file specified'
access_key_ids = []
#do AWS key lookup.
for user_name in user_names:
keys = iam.get_all_access_keys(user_name)
for key in keys['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
print_key_info(key)
access_key_ids.append(tuple(['AWS:' + key['user_name'], key['access_key_id']]))
#Read in extra search terms
if extra_token_file:
with open(extra_token_file) as report_fp:
for line in report_fp:
print line.rstrip()
access_key_ids.append(line.split(','))
else:
print 'Skipping extra credential check, no csv file specified'
for key in access_key_ids:
print '\n'
search_github(key)
def apply_policy(group, policy_name, bucket_name):
logging.debug(policy_template[policy_name])
iam = boto.connect_iam()
formatted = formatstring_json_escape(policy_template[policy_name]).format(bucket=bucket_name)
policy = json.dumps(json.loads(formatted), sort_keys=True, indent=4)
response = iam.put_group_policy(group, policy_name, policy)
return response
def createTopicArn(region_name, topic_name):
from boto_cli.iam.accountinfo import AccountInfo
iam = boto.connect_iam(**credentials)
accountInfo = AccountInfo(iam)
account = accountInfo.describe()
return "arn:aws:sns:" + region_name + ":" + account.id + ":" + topic_name
def create_instance_profile(name, policy):
# Remove it before starting
delete_instance_profile(name)
# Next, you need to create an Instance Profile in IAM.
c = boto.connect_iam()
instance_profile = c.create_instance_profile(name)
# Once you have the instance profile, you need to create the role,
# add the role to the instance profile and associate the policy with the role.
role = c.create_role(name)
c.add_role_to_instance_profile(name, name)
c.put_role_policy(name, name, policy)
# Wait for it to be available
for _ in xrange(10):
# We want to wait in all cases, because I've seen the roles created
# and available via the API but not to EC2 instances. So we better wait
# for at least 1min
logging.debug('Waiting for role %s to be available...' % name)
time.sleep(60)
try:
c.get_role(name)
c.get_instance_profile(name)
break
except:
pass
else:
raise RuntimeError('Role creation for instance profile failed.')
# Now, you can use that instance profile when you launch an instance
return name
def test_delete_login_profile():
conn = boto.connect_iam()
conn.create_user('my-user')
with assert_raises(BotoServerError):
conn.delete_login_profile('my-user')
conn.create_login_profile('my-user', 'my-pass')
conn.delete_login_profile('my-user')
def assume_service(account_number, service, region='us-east-1'):
conn = boto.connect_sts()
role = conn.assume_role('arn:aws:iam::{0}:role/{1}'.format(
account_number, current_app.config.get('LEMUR_INSTANCE_PROFILE', 'Lemur')), 'blah')
if service in 'iam':
return boto.connect_iam(
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
elif service in 'elb':
return boto.ec2.elb.connect_to_region(
region,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
elif service in 'vpc':
return boto.connect_vpc(
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
elif service in 's3':
return boto.s3.connect_to_region(
region,
aws_access_key_id=role.credentials.access_key,
aws_secret_access_key=role.credentials.secret_key,
security_token=role.credentials.session_token)
def get_account_number():
""" Gets the current account number
Created so I do not have to remember how to do this every time
:return: Returns the current account number
"""
import boto
return boto.connect_iam().get_user().arn.split(':')[4]
def IamGroup(group_name=None):
con = boto.connect_iam()
if group_name == None:
''' http://localhost/iam/group '''
gr = con.get_all_groups()
gl = [{
'id': g.group_id,
'name': g.group_name,
'arn': g.arn,
'created': g.create_date
} for g in gr['list_groups_response']['list_groups_result']['groups']]
return render_template('iam/GroupIndex.html',
gl=gl)
elif group_name != None:
''' http://localhost/iam/group/<group_name> '''
gr = con.get_group(group_name)
group = gr['get_group_response']['get_group_result']['group']
gd = {'id':group.group_id,
'name':group.group_name,
'created':group.create_date,
'arn':group.arn}
ul = gr['get_group_response']['get_group_result']['users']
users = [{
'id':u.user_id,
'name':u.user_name,
'arn':u.arn,
'created':u.create_date
} for u in ul]
return render_template('iam/GroupView.html',
gd=gd, users=users)
def create_user(user_name):
secret_access_key = None
access_key_id = None
iam = boto.connect_iam(
aws_access_key_id = private_settings.AWS_ACCESS_KEY_ID,
aws_secret_access_key = private_settings.AWS_SECRET_ACCESS_KEY)
try:
response = iam.create_user(user_name = user_name)
iam.add_user_to_group(private_settings.AWS_IAM_GROUP, user_name)
response = iam.create_access_key(user_name = user_name)
access_key = response.create_access_key_response.create_access_key_result.access_key
secret_access_key = access_key.secret_access_key
access_key_id = access_key.access_key_id
logger.info('Created iam user "{}"'.format(user_name))
return {'secret_access_key': secret_access_key,
'access_key_id': access_key_id,
'user_name': user_name}
except BotoServerError, e:
logger.error('Unable to create iam user "{}": {}, {}'.format(user_name,
e.status, e.reason))
raise Exception('iam create error')
def test_managed_policy():
conn = boto.connect_iam()
conn.create_policy(policy_name='UserManagedPolicy',
policy_document={'mypolicy': 'test'},
path='/mypolicy/',
description='my user managed policy')
aws_policies = conn.list_policies(scope='AWS')['list_policies_response']['list_policies_result']['policies']
set(p.name for p in aws_managed_policies).should.equal(set(p['policy_name'] for p in aws_policies))
user_policies = conn.list_policies(scope='Local')['list_policies_response']['list_policies_result']['policies']
set(['UserManagedPolicy']).should.equal(set(p['policy_name'] for p in user_policies))
all_policies = conn.list_policies()['list_policies_response']['list_policies_result']['policies']
set(p['policy_name'] for p in aws_policies + user_policies).should.equal(set(p['policy_name'] for p in all_policies))
role_name = 'my-role'
conn.create_role(role_name, assume_role_policy_document={'policy': 'test'}, path="my-path")
for policy_name in ['AmazonElasticMapReduceRole',
'AmazonElasticMapReduceforEC2Role']:
policy_arn = 'arn:aws:iam::aws:policy/service-role/' + policy_name
conn.attach_role_policy(policy_arn, role_name)
rows = conn.list_policies(only_attached=True)['list_policies_response']['list_policies_result']['policies']
rows.should.have.length_of(2)
for x in rows:
int(x['attachment_count']).should.be.greater_than(0)
# boto has not implemented this end point but accessible this way
resp = conn.get_response('ListAttachedRolePolicies',
{'RoleName': role_name},
list_marker='AttachedPolicies')
resp['list_attached_role_policies_response']['list_attached_role_policies_result']['attached_policies'].should.have.length_of(2)
def test_remove_user_from_group():
conn = boto.connect_iam()
with assert_raises(BotoServerError):
conn.remove_user_from_group("my-group", "my-user")
conn.create_group("my-group")
conn.create_user("my-user")
with assert_raises(BotoServerError):
conn.remove_user_from_group("my-group", "my-user")
conn.add_user_to_group("my-group", "my-user")
conn.remove_user_from_group("my-group", "my-user")
def test_put_role_policy():
conn = boto.connect_iam()
conn.create_role("my-role",
assume_role_policy_document="some policy",
path="my-path")
conn.put_role_policy("my-role", "test policy", "my policy")
policy = conn.get_role_policy(
"my-role", "test policy"
)['get_role_policy_response']['get_role_policy_result']['policy_name']
policy.should.equal("test policy")
def get_gateway_iam_connection(gateway, credentials):
""" connect to iam api of the given gateway """
if gateway.iam_connection is None:
gateway.iam_connection = boto.connect_iam(
aws_access_key_id=credentials.access_key,
aws_secret_access_key=credentials.secret,
host=gateway.host,
port=gateway.port,
is_secure=False)
return gateway.iam_connection
def _connect(self):
if self._conn:
return self._conn
(access_key_id, secret_access_key) = nixops_aws.ec2_utils.fetch_aws_secret_key(
self.access_key_id
)
self._conn = boto.connect_iam(
aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key
)
return self._conn
def delete_iam_profile():
"""Delete AWS IAM profile"""
print 'Deleting IAM Profile: {0} ...'.format(IAM_PROFILE)
conn = boto.connect_iam()
conn.delete_role_policy(IAM_PROFILE, 'EC2-Describe')
conn.remove_role_from_instance_profile(IAM_PROFILE, IAM_PROFILE)
conn.delete_instance_profile(IAM_PROFILE)
conn.delete_role(IAM_PROFILE)
def test_delete_server_cert():
conn = boto.connect_iam()
conn.upload_server_cert("certname", "certbody", "privatekey")
conn.get_server_certificate("certname")
conn.delete_server_cert("certname")
with assert_raises(BotoServerError):
conn.get_server_certificate("certname")
with assert_raises(BotoServerError):
conn.delete_server_cert("certname")
def create_role(policy_name, assume_role_policy_document, policy_str):
iam = boto.connect_iam()
if role_exists(iam, policy_name):
print('Role "{0}" already exists. Assuming correct values.'.format(
policy_name))
else:
print('Creating policy: ' + policy_name)
iam.create_role(
policy_name,
assume_role_policy_document=assume_role_policy_document)
iam.put_role_policy(policy_name, 'inlinepolicy', policy_str)
def run(self, terms, variables=None, **kwargs):
try:
iam_conn = boto.connect_iam()
return [iam_conn.get_user().arn.split(':')[4]]
except:
response = urllib.request.urlopen(
'http://169.254.169.254/latest/meta-data/iam/info/')
response_content = response.read()
json_output = json.loads(response_content)
arn = json_output.get('InstanceProfileArn')
return [arn.split(':')[4]]
def test_get_credential_report():
conn = boto.connect_iam()
conn.create_user('my-user')
with assert_raises(BotoServerError):
conn.get_credential_report()
result = conn.generate_credential_report()
while result['generate_credential_report_response']['generate_credential_report_result']['state'] != 'COMPLETE':
result = conn.generate_credential_report()
result = conn.get_credential_report()
report = base64.b64decode(result['get_credential_report_response']['get_credential_report_result']['content'].encode('ascii')).decode('ascii')
report.should.match(r'.*my-user.*')
def test_get_groups_for_user():
conn = boto.connect_iam()
conn.create_group('my-group1')
conn.create_group('my-group2')
conn.create_group('other-group')
conn.create_user('my-user')
conn.add_user_to_group('my-group1', 'my-user')
conn.add_user_to_group('my-group2', 'my-user')
groups = conn.get_groups_for_user('my-user')['list_groups_for_user_response']['list_groups_for_user_result']['groups']
groups.should.have.length_of(2)
def test_get_all_server_certs():
conn = boto.connect_iam()
conn.upload_server_cert("certname", "certbody", "privatekey")
certs = conn.get_all_server_certs()['list_server_certificates_response'][
'list_server_certificates_result']['server_certificate_metadata_list']
certs.should.have.length_of(1)
cert1 = certs[0]
cert1.server_certificate_name.should.equal("certname")
cert1.arn.should.equal(
"arn:aws:iam::123456789012:server-certificate/certname")
def test_get_all_access_keys():
conn = boto.connect_iam()
conn.create_user('my-user')
response = conn.get_all_access_keys('my-user')
assert_equals(
response['list_access_keys_response']['list_access_keys_result']
['access_key_metadata'], [])
conn.create_access_key('my-user')
response = conn.get_all_access_keys('my-user')
assert_not_equals(
response['list_access_keys_response']['list_access_keys_result']
['access_key_metadata'], [])
def test_get_all_group_policies():
conn = boto.connect_iam()
conn.create_group("my-group")
policies = conn.get_all_group_policies(
"my-group")["list_group_policies_response"][
"list_group_policies_result"]["policy_names"]
assert policies == []
conn.put_group_policy("my-group", "my-policy", MOCK_POLICY)
policies = conn.get_all_group_policies(
"my-group")["list_group_policies_response"][
"list_group_policies_result"]["policy_names"]
assert policies == ["my-policy"]
def test_list_instance_profiles():
conn = boto.connect_iam()
conn.create_instance_profile("my-profile", path="my-path")
conn.create_role("my-role", path="my-path")
conn.add_role_to_instance_profile("my-profile", "my-role")
profiles = conn.list_instance_profiles().instance_profiles
len(profiles).should.equal(1)
profiles[0].instance_profile_name.should.equal("my-profile")
profiles[0].roles.role_name.should.equal("my-role")
def get_iam_summary():
iam = boto.connect_iam(
aws_access_key_id=assume_role.credentials.access_key,
aws_secret_access_key=assume_role.credentials.secret_key,
security_token=assume_role.credentials.session_token)
verbose("Getting account summary:")
summary = iam.get_account_summary()
debug(summary)
return [
config_line("iam:accountsummary", "AccountMFAEnabled", "",
str(summary["AccountMFAEnabled"]))
]
def create_iam_profile():
"""Creates AWS IAM profile"""
print 'Creating IAM Profile: {0} ...'.format(IAM_PROFILE)
conn = boto.connect_iam()
instance_profile = conn.create_instance_profile(IAM_PROFILE)
role = conn.create_role(TRAINER + '-{0}'.format(VPC))
conn.add_role_to_instance_profile(IAM_PROFILE, IAM_PROFILE)
conn.put_role_policy(IAM_PROFILE, 'EC2-Describe', POLICY)
print 'IAM profile, role, and policy created ...'
def test_get_groups_for_user():
conn = boto.connect_iam()
conn.create_group("my-group1")
conn.create_group("my-group2")
conn.create_group("other-group")
conn.create_user("my-user")
conn.add_user_to_group("my-group1", "my-user")
conn.add_user_to_group("my-group2", "my-user")
groups = conn.get_groups_for_user(
"my-user"
)["list_groups_for_user_response"]["list_groups_for_user_result"]["groups"]
groups.should.have.length_of(2)
def _connect(self):
if self.in_ec2:
self.meta = boto.utils.get_instance_metadata()
if self.region is None:
if self.in_ec2:
self.region = self.meta['hostname'].split('.')[1]
else:
self.region = 'us-west-2'
self.ec2 = self.ec2 or boto.ec2.connect_to_region(self.region)
self.iam = self.iam or boto.connect_iam()
assert self.ec2
assert self.iam
def get_iam_info(key_id, secret, session_token, iam_info):
manage_dictionary(iam_info, 'groups', {})
manage_dictionary(iam_info, 'permissions', {})
manage_dictionary(iam_info, 'roles', {})
manage_dictionary(iam_info, 'users', {})
iam_connection = boto.connect_iam(aws_access_key_id=key_id,
aws_secret_access_key=secret,
security_token=session_token)
# Generate the report early so that download doesn't fail with "ReportInProgress".
try:
iam_connection.generate_credential_report()
except Exception, e:
pass
def test_cloudtrail(self):
cloudtrail = boto.connect_cloudtrail()
# Don't delete existing customer data!
res = cloudtrail.describe_trails()
if len(res['trailList']):
self.fail('A trail already exists on this account!')
# Who am I?
iam = boto.connect_iam()
response = iam.get_user()
account_id = response['get_user_response']['get_user_result'] \
['user']['user_id']
# Setup a new bucket
s3 = boto.connect_s3()
bucket_name = 'cloudtrail-integ-{0}'.format(time())
policy = DEFAULT_S3_POLICY.replace('<BucketName>', bucket_name)\
.replace('<CustomerAccountID>', account_id)\
.replace('<Prefix>/', '')
b = s3.create_bucket(bucket_name)
b.set_policy(policy)
# Setup CloudTrail
cloudtrail.create_trail(trail={'Name': 'test', 'S3BucketName': bucket_name})
cloudtrail.update_trail(trail={'Name': 'test', 'IncludeGlobalServiceEvents': False})
trails = cloudtrail.describe_trails()
self.assertEqual('test', trails['trailList'][0]['Name'])
self.assertFalse(trails['trailList'][0]['IncludeGlobalServiceEvents'])
cloudtrail.start_logging(name='test')
status = cloudtrail.get_trail_status(name='test')
self.assertTrue(status['IsLogging'])
cloudtrail.stop_logging(name='test')
status = cloudtrail.get_trail_status(name='test')
self.assertFalse(status['IsLogging'])
# Clean up
cloudtrail.delete_trail(name='test')
for key in b.list():
key.delete()
s3.delete_bucket(bucket_name)
def setup_iam_connection(self, endpoint="iam.amazonaws.com", aws_access_key_id=None,aws_secret_access_key=None,
is_secure=True, port=443, path='/', boto_debug=0 ):
try:
euare_connection_args = { 'aws_access_key_id' : aws_access_key_id,
'aws_secret_access_key': aws_secret_access_key,
'is_secure': is_secure,
'debug':boto_debug,
'port' : port,
'path' : path,
'host' : endpoint}
self.debug("Attempting to create IAM connection to " + endpoint + ':' + str(port) + path)
self.euare = boto.connect_iam(**euare_connection_args)
except Exception, e:
self.critical("Was unable to create IAM connection because of exception: " + str(e))
def delete_user(username, policy_name=None, key_name=None, iam_connec=None):
'''
Deletes IAM user credentials and any associated policy or key names.
Parameters
----------
username : string
Name of the user to delete.
policy_name : string, optional
Policy attached to the user. All must be deleted before the user can
be deleted.
key_name : string, optional
Name of the access key assigned to the user. All must be deleted before
the user can be deleted.
iam_connec : boto.iam.connection.IAMConnection, optional
Connection to IAM. If None, attempts to create one automatically using
credentials on the local system.
Returns
-------
True/False : bool
If True, the user was deleted. If False, some exception was raised
during the process.
'''
if iam_connec is None:
iam = boto.connect_iam()
else:
if not isinstance(iam_connec, boto.iam.connection.IAMConnection):
raise TypeError("Given iam_connec is not an IAMConnection.")
iam = iam_connec
if key_name is not None:
try:
iam.delete_access_key(key_name, user_name=username)
except Exception:
return False
if policy_name is not None:
try:
iam.delete_user_policy(username, policy_name)
except Exception:
return False
try:
iam.delete_user(username)
except Exception:
return False
return True
def test_remove_role_from_instance_profile():
conn = boto.connect_iam()
conn.create_instance_profile("my-profile", path="my-path")
conn.create_role("my-role", assume_role_policy_document="some policy", path="my-path")
conn.add_role_to_instance_profile("my-profile", "my-role")
profile = conn.get_instance_profile("my-profile")
role_from_profile = list(profile.roles.values())[0]
role_from_profile['role_name'].should.equal("my-role")
conn.remove_role_from_instance_profile("my-profile", "my-role")
profile = conn.get_instance_profile("my-profile")
dict(profile.roles).should.be.empty
def test_password_policy(self):
# A series of tests to check the password policy API
iam = boto.connect_iam()
# First preserve what is the current password policy
try:
initial_policy_result = iam.get_account_password_policy()
except boto.exception.BotoServerError as srv_error:
initial_policy = None
if srv_error.status != 404:
raise srv_error
# Update the policy and check it back
test_min_length = 88
iam.update_account_password_policy(minimum_password_length=test_min_length)
new_policy = iam.get_account_password_policy()
new_min_length = new_policy['get_account_password_policy_response']\
['get_account_password_policy_result']['password_policy']\
['minimum_password_length']
if test_min_length != int(new_min_length):
raise Exception("Failed to update account password policy")
# Delete the policy and check the correct deletion
test_policy = ''
iam.delete_account_password_policy()
try:
test_policy = iam.get_account_password_policy()
except boto.exception.BotoServerError as srv_error:
test_policy = None
if srv_error.status != 404:
raise srv_error
if test_policy is not None:
raise Exception("Failed to delete account password policy")
# Restore initial account password policy
if initial_policy:
p = initial_policy['get_account_password_policy_response']\
['get_account_password_policy_result']['password_policy']
iam.update_account_password_policy(minimum_password_length=int(p['minimum_password_length']),
allow_users_to_change_password=bool(p['allow_users_to_change_password']),
hard_expiry=bool(p['hard_expiry']),
max_password_age=int(p['max_password_age']),
password_reuse_prevention=int(p['password_reuse_prevention']),
require_lowercase_characters=bool(p['require_lowercase_characters']),
require_numbers=bool(p['require_numbers']),
require_symbols=bool(p['require_symbols']),
require_uppercase_characters=bool(p['require_uppercase_characters']))
def test_managed_policy():
conn = boto.connect_iam()
conn.create_policy(policy_name='UserManagedPolicy',
policy_document={'mypolicy': 'test'},
path='/mypolicy/',
description='my user managed policy')
aws_policies = conn.list_policies(
scope='AWS'
)['list_policies_response']['list_policies_result']['policies']
set(p.name for p in aws_managed_policies).should.equal(
set(p['policy_name'] for p in aws_policies))
user_policies = conn.list_policies(
scope='Local'
)['list_policies_response']['list_policies_result']['policies']
set(['UserManagedPolicy'
]).should.equal(set(p['policy_name'] for p in user_policies))
all_policies = conn.list_policies(
)['list_policies_response']['list_policies_result']['policies']
set(p['policy_name'] for p in aws_policies + user_policies).should.equal(
set(p['policy_name'] for p in all_policies))
role_name = 'my-role'
conn.create_role(role_name,
assume_role_policy_document={'policy': 'test'},
path="my-path")
for policy_name in [
'AmazonElasticMapReduceRole', 'AmazonElasticMapReduceforEC2Role'
]:
policy_arn = 'arn:aws:iam::aws:policy/service-role/' + policy_name
conn.attach_role_policy(policy_arn, role_name)
rows = conn.list_policies(
only_attached=True
)['list_policies_response']['list_policies_result']['policies']
rows.should.have.length_of(2)
for x in rows:
int(x['attachment_count']).should.be.greater_than(0)
# boto has not implemented this end point but accessible this way
resp = conn.get_response('ListAttachedRolePolicies',
{'RoleName': role_name},
list_marker='AttachedPolicies')
resp['list_attached_role_policies_response'][
'list_attached_role_policies_result'][
'attached_policies'].should.have.length_of(2)
def getAllVolumes(self, aws_access_key_id, aws_secret_access_key):
try:
#尝试Key的有效性并判断属于大陆区还是海外区,并获得相应的regions列表
conn = ec2.connect_to_region(
'ap-southeast-1',
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key)
regions = conn.get_all_regions()
accountid = boto.connect_iam(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key).get_user(
).arn.split(':')[4]
except EC2ResponseError as e:
print e
volumes = []
for region in regions:
print "connect to region", region
conn = ec2.connect_to_region(
region.name,
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key)
for volume in conn.get_all_volumes():
vol = {}
vol['_id'] = volume.id
vol['status'] = volume.status
vol['attachment_state'] = volume.attachment_state()
vol['create_time'] = volume.create_time
vol['encrypted'] = volume.encrypted
vol['region'] = volume.region.name
vol['zone'] = volume.zone
vol['size'] = volume.size
vol['type'] = volume.type
vol['iops'] = volume.iops
vol['tags'] = volume.tags
vol['snapshot_id'] = volume.snapshot_id
vol['accountid'] = accountid
attachment = {}
vol_attr = volume.attach_data
attachment['_id'] = vol_attr.id
attachment['instance_id'] = vol_attr.instance_id
attachment['attach_time'] = vol_attr.attach_time
#attachment['deleteOnTermination'] = vol_attr.deleteOnTermination
attachment['device'] = vol_attr.device
vol['attach_data'] = attachment
volumes.append(vol)
return volumes
def test_get_all_access_keys():
"""If no access keys exist there should be none in the response,
if an access key is present it should have the correct fields present"""
conn = boto.connect_iam()
conn.create_user('my-user')
response = conn.get_all_access_keys('my-user')
assert_equals(
response['list_access_keys_response']['list_access_keys_result']
['access_key_metadata'], [])
conn.create_access_key('my-user')
response = conn.get_all_access_keys('my-user')
assert_equals(
sorted(response['list_access_keys_response']['list_access_keys_result']
['access_key_metadata'][0].keys()),
sorted(['status', 'create_date', 'user_name', 'access_key_id']))
def get_iam_info(key_id, secret, session_token):
iam_info = {}
manage_dictionary(iam_info, 'groups', {})
manage_dictionary(iam_info, 'permissions', {})
manage_dictionary(iam_info, 'roles', {})
manage_dictionary(iam_info, 'users', {})
iam_connection = boto.connect_iam(aws_access_key_id=key_id,
aws_secret_access_key=secret,
security_token=session_token)
print 'Fetching IAM users data...'
get_users_info(iam_connection, iam_info)
print 'Fetching IAM groups data...'
get_groups_info(iam_connection, iam_info)
print 'Fetching IAM roles data...'
get_roles_info(iam_connection, iam_info)
return iam_info
def test_group_users(self):
# A very basic test to create a group, a user, add the user
# to the group and then delete everything
iam = boto.connect_iam()
name = 'boto-test-%d' % time.time()
username = '******' % time.time()
iam.create_group(name)
iam.create_user(username)
iam.add_user_to_group(name, username)
iam.remove_user_from_group(name, username)
iam.delete_user(username)
iam.delete_group(name)
def copytoredshift(record):
dynamo_table_name = os.environ["DYN_TABLENAME"]
redshift_username = os.environ["RSDB_USERNAME"]
redshift_password = os.environ["RSDB_PASSWORD"]
redshift_database = os.environ["RSDB_DATABASE"]
redshift_port = os.environ["RSDB_PORT"]
customer = os.environ["CUSTOMER"]
cage = os.environ["CAGE"]
role_name = "NucleatorBucketandqDistributorServiceRunner"
iam_conn = boto.connect_iam()
role = iam_conn.get_role(role_name)
role_arn = role["get_role_response"]["get_role_result"]["role"]["arn"]
stsconn = sts.STSConnection()
response = stsconn.assume_role(role_arn, "redshift_copy_session")
access_key = response.credentials.access_key
secret_key = response.credentials.secret_key
session_token = response.credentials.session_token
if customer is "47Lining":
endpoint = "redshift.%s.%s.com" % (cage, customer)
else:
endpoint = "redshift.%s.%s.47lining.com" % (cage, customer)
print "Connecting to redshift cluster: %s" % endpoint
conn = psycopg2.connect(dbname=redshift_database,
host=endpoint,
port=redshift_port,
user=redshift_username,
password=redshift_password)
cur = conn.cursor()
print "Connected. Creating table"
cur.execute(
"CREATE TABLE IF NOT EXISTS imageproccessingtable(key varchar(50) NOT NULL, url varchar(200) NOT NULL, dateoriginal timestamp NOT NULL, gpslatitude float8 NOT NULL, gpslongitude float8 NOT NULL, image varchar(100));"
)
conn.commit()
print "Table recreated. Running copy command..."
cur.execute(
"copy imageproccessingtable from 'dynamodb://%s' credentials 'aws_access_key_id=%s;aws_secret_access_key=%s;token=%s' readratio 100;"
% (dynamo_table_name, access_key, secret_key, session_token))
conn.commit()
print "Copy command completed"
