def add_service_assume_policy(self, service_principal):
    """Set this role's trust policy so that one AWS service may assume it.

    Builds a single ``Allow sts:AssumeRole`` statement whose principal is
    ``service_principal`` (for example ``"lambda.amazonaws.com"``), wraps it
    in a fresh PolicyDocument and stores the Troposphere-compatible form on
    ``self.AssumeRolePolicyDocument``, overwriting any earlier value.

    Args:
        service_principal: one service principal string; it is wrapped in a
            single-element list before ``set_service_principal`` is called.

    NOTE(review): the trust statement carries no Condition block, so every
    resource of that service, in any account, is allowed to assume the role
    (confused-deputy exposure). Whether ``Statement`` can express
    ``aws:SourceAccount`` / ``aws:SourceArn`` conditions is not visible here;
    confirm before using this for roles whose trust must be account-scoped.
    """
    trust_statement = Statement("Allow", ["sts:AssumeRole"])
    trust_statement.set_service_principal([service_principal])

    trust_document = PolicyDocument()
    trust_document.add_statement(trust_statement)

    # Rack IAM objects are run through a transform so that Troposphere can
    # consume them directly as the role's AssumeRolePolicyDocument.
    self.AssumeRolePolicyDocument = transform_policy_document(trust_document)
def setUp(self):
    """Create a fixture role that has a trust policy but no permissions.

    "BlankRole" trusts ``ec2.amazonaws.com`` for ``sts:AssumeRole`` and gets
    no inline policies attached, i.e. the least-privilege starting point a
    caller would extend later. The result is stored on ``self.test_role``.
    """
    trust_statement = Statement("Allow", ["sts:AssumeRole"])
    trust_statement.set_service_principal(["ec2.amazonaws.com"])

    trust_document = PolicyDocument()
    trust_document.add_statement(trust_statement)

    blank_role = Role("BlankRole")
    blank_role.set_assume_policy(trust_document)
    self.test_role = blank_role
def setUp(self):
    """Create a fixture role trusted by EC2 and granted every action.

    "RootRole" gets a trust policy for ``ec2.amazonaws.com`` plus an inline
    policy named "root" whose single statement is ``Allow`` with Action
    ``"*"`` on Resource ``"*"``. This is a deliberately admin-equivalent
    fixture for exercising wildcard statements in tests; it must not be
    copied as a template for real roles. Stored on ``self.test_role``.
    """
    # Trust policy: only the EC2 service may assume the role.
    trust_statement = Statement("Allow", ["sts:AssumeRole"])
    trust_statement.set_service_principal(["ec2.amazonaws.com"])
    trust_document = PolicyDocument()
    trust_document.add_statement(trust_statement)

    # Permissions policy: unrestricted (Action "*" on Resource "*").
    wildcard_statement = Statement("Allow", ["*"], "*")
    wildcard_document = PolicyDocument()
    wildcard_document.add_statement(wildcard_statement)
    wildcard_policy = InlinePolicy("root")
    wildcard_policy.set_policy_document(wildcard_document)

    root_role = Role("RootRole")
    root_role.set_assume_policy(trust_document)
    root_role.add_policy(wildcard_policy)
    self.test_role = root_role
# Use case for roles created with only a trust policy: permissions are
# attached later (for example, letting Redshift read an S3 bucket when
# importing data). Until then the role can be assumed but can do nothing.
from rack_iam import PolicyDocument, Role, Statement

# Trust statement: the Redshift service principal may call sts:AssumeRole.
# NOTE(review): no Condition is set, so the trust is not scoped to a
# particular account or cluster; add aws:SourceAccount / aws:SourceArn
# conditions if the Statement API supports them before using this for real.
astatement = Statement("Allow", ["sts:AssumeRole"])
astatement.set_service_principal(["redshift.amazonaws.com"])

asdoc = PolicyDocument()
asdoc.add_statement(astatement)

redshift_role = Role("RedshiftRole")
redshift_role.set_assume_policy(asdoc)
from rack_iam import Role from rack_iam import PolicyDocument, InlinePolicy from rack_iam import Statement # In some cases standard object construction can lead to a lot of temporary # variables. For example: myRole = Role('TestRole') assumed_policy_doc = PolicyDocument() lambda_assume = Statement('Allow', 'sts:AssumeRole') lambda_assume.set_service_principal(['lambda.amazonaws.com']) assumed_policy_doc.add_statement(lambda_assume) myRole.set_assume_policy(assumed_policy_doc) all_s3_policy = InlinePolicy('AllS3') all_s3_doc = PolicyDocument() all_s3_permissions = Statement('Allow', 's3:*', '*') all_s3_doc.add_statement(all_s3_permissions) all_s3_policy.set_policy_document(all_s3_doc) myRole.add_policy(all_s3_policy) # This can get pretty cumbersome and hard to read. To avoid the use of temporary # variables for one time type assignment you can use method chaining like so: myOtherRole = Role('TestRole').set_assume_policy( PolicyDocument().add_statement( Statement('Allow', 'sts:AssumeRole').set_service_principal( ['lambda.amazonaws.com'] ) ) ).add_policy(