def get_instance_profile(self):
        """Resolve the instance profile name and save it to the 'global' config section.

        Sources are tried in order, stopping at the first that yields a value:
        the ``instance_profile`` command-line argument, the value returned by
        fileoperations.get_instance_profile(), an existing profile named
        iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE, and finally an attempt to
        create that default profile together with a role of the same name.

        Nothing is returned; the chosen name is only written through
        write_config_setting.
        """
        # 1. An explicit command-line value wins over every other source.
        profile = self.app.pargs.instance_profile

        if profile is None:
            try:
                # 2. Fall back to the profile associated with the workspace.
                profile = fileoperations.get_instance_profile()
            except NotInitializedError:
                # Presumably raised when the workspace is not initialized;
                # treated as "no value here" and the lookup continues.
                pass

        if profile is None:
            # 3. Reuse the default profile if one with that name already exists.
            # NOTE(review): the match is by name only. The role and policies
            # attached to an existing profile are not inspected here, so they
            # may differ from what step 4 would have created.
            try:
                existing_profiles = iam.get_instance_profile_names()
                if iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE in existing_profiles:
                    profile = iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE
            except NotAuthorizedError:
                # Listing was denied: warn, leave profile as None and fall
                # through to the creation attempt below.
                io.log_warning(strings['platformcreateiamdescribeerror.info'])

        if profile is None:
            # 4. Create the default profile and role for the customer.
            try:
                # Assigned before any IAM call, so the default name survives a
                # NotAuthorizedError raised below and is still saved to disk.
                # NOTE(review): in that case nothing here has confirmed that
                # the profile exists. Confirm this is the intended fallback.
                profile = iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE
                try:
                    iam.create_instance_profile(profile)
                    io.log_info(strings['platformcreateiamcreated.info'])
                except AlreadyExistsError:
                    # An existing profile with this name is reused as is.
                    pass

                # Document handed to create_role; by its name, the trust policy
                # that lets EC2 assume the role. Confirm in iam_documents.
                document = iam_documents.EC2_ASSUME_ROLE_PERMISSION
                try:
                    # Create a role with the same name as the profile
                    iam.create_role(profile, document)

                    # Attach required custom platform builder permissions
                    iam.put_role_policy(
                        profile,
                        iam_attributes.PLATFORM_BUILDER_INLINE_POLICY_NAME,
                        iam_documents.CUSTOM_PLATFORM_BUILDER_INLINE_POLICY)
                    # Associate instance profile with the required role
                    iam.add_role_to_profile(profile, profile)
                    io.log_info(strings['platformcreateiampolicyadded.info'])
                except AlreadyExistsError:
                    # If the role exists it is left as is: its policies are
                    # neither added to nor modified.
                    # NOTE(review): all three calls share this try, so when
                    # create_role raises, add_role_to_profile is skipped too.
                    # A profile created just above may then have no role
                    # attached, and the existing role's permissions are not
                    # compared with the intended inline policy. Confirm.
                    pass

            except NotAuthorizedError:
                # Any IAM call in this step was denied: warn and continue to
                # the save below with the default name.
                io.log_warning(strings['platformcreateiamcreateerror.info'])

        # Save to disk
        write_config_setting('global', 'instance_profile', profile)
def create_instance_profile(
        profile_name,
        policy_arns,
        role_name=None,
        inline_policy_name=None,
        inline_policy_doc=None
):
    """
    Create an instance profile and its IAM role, then link the two.

    The role is created through _create_instance_role with ``policy_arns``.
    When ``role_name`` is empty or omitted, ``profile_name`` doubles as the
    role name. An inline policy is put on the role only when
    ``inline_policy_name`` is given.

    ``profile_name`` is returned in every case, including when a
    NotAuthorizedError interrupted the sequence. The return value therefore
    does not show whether the profile, the role or their association exists.
    The steps are separate IAM calls, so a denial part-way through can leave
    the profile created without its role or inline policy.
    """
    try:
        created_profile = iam.create_instance_profile(profile_name)
        if created_profile:
            io.log_info('Created instance profile: {}.'.format(created_profile))

        # Default the role name to the profile name.
        role_name = role_name or profile_name
        created_role = _create_instance_role(role_name, policy_arns)
        if created_role:
            io.log_info('Created instance role: {}.'.format(created_role))

        if inline_policy_name:
            # NOTE(review): inline_policy_doc is forwarded unchecked and is
            # None when the caller omitted it. Verify put_role_policy's
            # handling of that case.
            iam.put_role_policy(role_name, inline_policy_name, inline_policy_doc)

        iam.add_role_to_profile(profile_name, role_name)
    except NotAuthorizedError:
        # Best effort: a denied IAM call is reported as a warning, not raised.
        warning = strings['platformcreateiamdescribeerror.info'].format(profile_name=profile_name)
        io.log_warning(warning)

    return profile_name
def get_default_profile():
    """Return the default Elastic Beanstalk instance profile name.

    Tries to create the profile named DEFAULT_ROLE_NAME and to add the role
    returned by get_default_role() to it. An AlreadyExistsError from any of
    those calls is ignored. On NotAuthorizedError nothing is verified: the
    default name is returned on the assumption that the profile exists.
    """
    default_profile = DEFAULT_ROLE_NAME
    try:
        iam.create_instance_profile(default_profile)
        io.log_info('Created default instance profile.')
        default_role = get_default_role()
        iam.add_role_to_profile(default_profile, default_role)
    except AlreadyExistsError:
        # NOTE(review): this also covers the two calls after creation. If one
        # of them raises, a freshly created profile may be left without the
        # default role. Confirm which call is expected to raise.
        pass
    except NotAuthorizedError:
        # The caller lacks the IAM permissions for these calls; the profile's
        # existence is assumed rather than checked.
        io.log_info('No IAM privileges: assuming default '
                    'instance profile exists.')

    return default_profile