def get_instance_profile(self):
    """
    Resolve the instance profile for the platform builder and persist it.

    Sources are tried in order until one yields a name:
      1. the ``instance_profile`` command-line argument,
      2. the value associated with the workspace,
      3. the default platform builder profile, if IAM already lists it,
      4. the default platform builder profile, created here together with
         a same-named role carrying the platform builder inline policy.

    The resulting name is written to the ``global`` config section under
    ``instance_profile``.

    NOTE(review): when step 4 hits NotAuthorizedError the default name has
    already been assigned, so it is still saved even though nothing here
    confirmed that the profile exists.
    """
    # 1. An explicit command-line value wins over every other source.
    chosen_profile = self.app.pargs.instance_profile

    if chosen_profile is None:
        # 2. Fall back to the profile associated with the workspace.
        try:
            chosen_profile = fileoperations.get_instance_profile()
        except NotInitializedError:
            pass

    if chosen_profile is None:
        # 3. Reuse the default profile when IAM already lists it.
        try:
            known_profiles = iam.get_instance_profile_names()
            if iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE in known_profiles:
                chosen_profile = iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE
        except NotAuthorizedError:
            io.log_warning(strings['platformcreateiamdescribeerror.info'])

    if chosen_profile is None:
        # 4. Nothing found: create the default profile and role.
        try:
            chosen_profile = iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE

            try:
                iam.create_instance_profile(chosen_profile)
                io.log_info(strings['platformcreateiamcreated.info'])
            except AlreadyExistsError:
                pass

            trust_document = iam_documents.EC2_ASSUME_ROLE_PERMISSION
            try:
                # The role shares its name with the instance profile.
                iam.create_role(chosen_profile, trust_document)

                # Grant the permissions the custom platform builder needs.
                iam.put_role_policy(
                    chosen_profile,
                    iam_attributes.PLATFORM_BUILDER_INLINE_POLICY_NAME,
                    iam_documents.CUSTOM_PLATFORM_BUILDER_INLINE_POLICY,
                )

                # Bind the new role to the instance profile.
                iam.add_role_to_profile(chosen_profile, chosen_profile)
                io.log_info(strings['platformcreateiampolicyadded.info'])
            except AlreadyExistsError:
                # A pre-existing role is left exactly as found: its policies
                # are neither inspected nor changed.
                # NOTE(review): this also skips add_role_to_profile, so a
                # profile created just above may be left without a role, and
                # the permissions of the existing role are not verified.
                pass
        except NotAuthorizedError:
            io.log_warning(strings['platformcreateiamcreateerror.info'])

    # Persist the result so later commands reuse it.
    write_config_setting('global', 'instance_profile', chosen_profile)
def create_instance_profile(
        profile_name,
        policy_arns,
        role_name=None,
        inline_policy_name=None,
        inline_policy_doc=None
):
    """
    Create an instance profile plus its IAM role and attach the policy ARNs.

    :param profile_name: name of the instance profile to create
    :param policy_arns: policy ARNs handed to the role-creation helper
    :param role_name: name of the role; falls back to ``profile_name``
    :param inline_policy_name: when set, an inline policy of this name is
        put on the role
    :param inline_policy_doc: document for the inline policy; passed through
        unchanged, with no check here that it is set
    :return: ``profile_name``, always

    NOTE(review): a NotAuthorizedError at any step is only logged as a
    warning, and later steps are skipped. The return value therefore does
    not prove that the profile, the role, or their association exists.
    """
    try:
        created_profile = iam.create_instance_profile(profile_name)
        if created_profile:
            io.log_info('Created instance profile: {}.'.format(created_profile))

        # Without an explicit role name the role shares the profile's name.
        role_name = role_name or profile_name

        created_role = _create_instance_role(role_name, policy_arns)
        if created_role:
            io.log_info('Created instance role: {}.'.format(created_role))

        # The inline policy is optional and applied only when named.
        if inline_policy_name:
            iam.put_role_policy(role_name, inline_policy_name, inline_policy_doc)

        iam.add_role_to_profile(profile_name, role_name)
    except NotAuthorizedError:
        warning = strings['platformcreateiamdescribeerror.info'].format(profile_name=profile_name)
        io.log_warning(warning)

    return profile_name
def get_default_profile():
    """
    Return the default Elastic Beanstalk instance profile name.

    Tries to create the profile under DEFAULT_ROLE_NAME and, when creation
    succeeds, attaches the default role to it. A profile that already exists
    is reused as is.

    NOTE(review): neither fallback verifies anything. On AlreadyExistsError
    the existing profile's role and policies are not inspected, and on
    NotAuthorizedError the name is returned on the assumption that the
    profile exists.
    """
    try:
        profile_name = DEFAULT_ROLE_NAME
        try:
            iam.create_instance_profile(profile_name)
            io.log_info('Created default instance profile.')
            # Only a freshly created profile gets the default role attached.
            default_role = get_default_role()
            iam.add_role_to_profile(profile_name, default_role)
        except AlreadyExistsError:
            # Already there: leave it untouched.
            pass
    except NotAuthorizedError:
        # The caller lacks IAM privileges, so existence cannot be confirmed.
        io.log_info('No IAM privileges: assuming default '
                    'instance profile exists.')
        return DEFAULT_ROLE_NAME

    return profile_name