def create_assetstore_iam_user(bucket_name): import boto.iam iam = boto.iam.IAMConnection() username = bucket_name + '-user' iam.create_user(username) access_key = iam.create_access_key(username) result = access_key['create_access_key_response']['create_access_key_result']['access_key'] access_key_id = result['access_key_id'] secret_access_key = result['secret_access_key'] policyname = username + '-s3-policy' policy_json = """{ "Version": "2012-10-17", "Statement": [ { "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::%s", "arn:aws:s3:::%s/*" ] } ] }""" % (bucket_name, bucket_name) iam.put_user_policy(username, policyname, policy_json) return username, access_key_id, secret_access_key
def create_user(module, iam, name, pwd, path, key_state, key_count): key_qty = 0 keys = [] try: user_meta = iam.create_user( name, path).create_user_response.create_user_result.user changed = True if pwd is not None: pwd = iam.create_login_profile(name, pwd) if key_state in ['create']: if key_count: while key_count > key_qty: keys.append( iam.create_access_key( user_name=name).create_access_key_response. create_access_key_result.access_key) key_qty += 1 else: keys = None except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: user_info = dict(created_user=user_meta, password=pwd, access_keys=keys) return (user_info, changed)
def main(): """The main function.""" parser = argparse.ArgumentParser(description="Rotate Access Keys.") parser.add_argument( "-a", "--access_key_id", help="The access key to rotate and use for authentication." ) parser.add_argument( "-s", "--secret_access_key", help="The secret key to rotate and use for authentication." ) args = parser.parse_args() if not args.access_key_id: args.access_key_id = raw_input("Enter Access Key: ") if not args.secret_access_key: args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key ) get_user_response = iam.get_user()['get_user_response'] get_user_result = get_user_response['get_user_result'] user = get_user_result['user'] user_name = user['user_name'] try: response = iam.create_access_key(user_name) except boto.exception.BotoServerError as exception: print "Cannot create new keys: %s" % exception raise ak_response = response['create_access_key_response'] access_key = ak_response['create_access_key_result']['access_key'] print """Access Key:\t%s\nSecret Key:\t%s""" % ( access_key['access_key_id'], access_key['secret_access_key'] ) ans = raw_input( "Ready to delete Access Key %s? (yes/no) " % args.access_key_id ) if ans == "yes": try: iam.delete_access_key(args.access_key_id, user_name) except boto.exception.BotoServerError as exception: print "Cannot remove old key: %s" % exception raise else: print "Warning: your old Access Key was kept.", print " Be sure to clean up the mess."
def main(): """The main function.""" parser = argparse.ArgumentParser(description="Rotate Access Keys.") parser.add_argument( "-a", "--access_key_id", help="The access key to rotate and use for authentication.") parser.add_argument( "-s", "--secret_access_key", help="The secret key to rotate and use for authentication.") args = parser.parse_args() if not args.access_key_id: args.access_key_id = raw_input("Enter Access Key: ") if not args.secret_access_key: args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key) get_user_response = iam.get_user()['get_user_response'] get_user_result = get_user_response['get_user_result'] user = get_user_result['user'] user_name = user['user_name'] try: response = iam.create_access_key(user_name) except boto.exception.BotoServerError as exception: print "Cannot create new keys: %s" % exception raise ak_response = response['create_access_key_response'] access_key = ak_response['create_access_key_result']['access_key'] print """Access Key:\t%s\nSecret Key:\t%s""" % ( access_key['access_key_id'], access_key['secret_access_key']) ans = raw_input("Ready to delete Access Key %s? (yes/no) " % args.access_key_id) if ans == "yes": try: iam.delete_access_key(args.access_key_id, user_name) except boto.exception.BotoServerError as exception: print "Cannot remove old key: %s" % exception raise else: print "Warning: your old Access Key was kept.", print " Be sure to clean up the mess."
def create_user(iam, name, pwd, path, key_state): user_meta = iam.create_user( name, path).create_user_response.create_user_result.user changed = True if pwd is not None: pwd = iam.create_login_profile(name, pwd) if key_state in ['create', 'active']: keys = iam.create_access_key( user_name=name).create_access_key_response.\ create_access_key_result.\ access_key else: keys = None user_info = dict(created_user=user_meta, password=pwd, access_keys=keys) return (user_info, changed)
def update_user(module, iam, name, new_name, new_path, key_state, keys, pwd): changed = False name_change = False current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata] updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True user = iam.update_user( name, new_name, new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) name = new_name name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: changed = True iam.create_login_profile(name, pwd) else: try: iam.delete_login_profile(name) changed = True except boto.exception.BotoServerError: changed = False if key_state == 'Create': try: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key changed = True except boto.exception.BotoServerError, e: module.fail_json(msg=str(e))
def create_user(module, iam, name, pwd, path, key_state, key_count): key_qty = 0 keys = [] try: user_meta = iam.create_user( name, path).create_user_response.create_user_result.user changed = True if pwd is not None: pwd = iam.create_login_profile(name, pwd) if key_state in ['create']: if key_count: while key_count > key_qty: keys.append(iam.create_access_key( user_name=name).create_access_key_response.\ create_access_key_result.\ access_key) key_qty += 1 else: keys = None except boto.exception.BotoServerError, err: module.fail_json(changed=False, msg=str(err))
"--secret_access_key", help="The secret key to rotate and use for authentication.") args = parser.parse_args() if not args.access_key_id: args.access_key_id = raw_input("Enter Access Key: ") if not args.secret_access_key: args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key) try: response = iam.create_access_key(args.user) except boto.exception.BotoServerError as e: print "Cannot create new keys: %s" % e raise access_key = response['create_access_key_response'][ 'create_access_key_result']['access_key'] print """Access Key: %s Secret Key. %s""" % (access_key['access_key_id'], access_key['secret_access_key']) ans = raw_input("Ready to delete Access Key %s? (yes/no) " % args.access_key_id) if ans == "yes": try:
changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Passsword doesn't conform to policy") else: module.fail_json(msg=error_msg) if key_state == 'create': try: while key_count > key_qty: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key key_qty += 1 changed = True except boto.exception.BotoServerError, err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if access_key in current_keys: for current_key, current_key_state in zip(current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key( access_key, key_state.capitalize(), user_name=name) except boto.exception.BotoServerError, err:
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name try: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] name = new_name else: module.fail_json(changed=False, msg=str(err)) updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path ).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path ).update_user_response.response_metadata user['updates'] = dict(old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Password doesn't conform to policy") else: module.fail_json(msg=error_msg) try: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] name = new_name else: module.fail_json(changed=False, msg=str(err)) new_keys = [] if key_state == 'create': try: while key_count > key_qty: new_keys.append( iam.create_access_key( user_name=name).create_access_key_response. create_access_key_result.access_key) key_qty += 1 changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if key_state in ('active', 'inactive'): if access_key in current_keys: for current_key, current_key_state in zip( current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key(access_key, key_state.capitalize(), user_name=name) changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: module.fail_json(msg="Supplied keys not found for %s. " "Current keys: %s. " "Supplied key(s): %s" % (name, current_keys, keys)) if key_state == 'remove': if access_key in current_keys: try: iam.delete_access_key(access_key, user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True try: final_keys, final_key_status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata] except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) for fk, fks in zip(final_keys, final_key_status): updated_key_list.update({fk: fks}) return name_change, updated_key_list, changed, new_keys
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name try: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata] name = new_name else: module.fail_json(changed=False, msg=str(err)) updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Password doesn't conform to policy") else: module.fail_json(msg=error_msg) if key_state == 'create': try: while key_count > key_qty: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key key_qty += 1 changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if access_key in current_keys: for current_key, current_key_state in zip(current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key( access_key, key_state.capitalize(), user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True if key_state == 'remove': try: iam.delete_access_key(access_key, user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True try: final_keys, final_key_status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata] except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) for fk, fks in zip(final_keys, final_key_status): updated_key_list.update({fk: fks}) return name_change, updated_key_list, changed
error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata] name = new_name else: module.fail_json(changed=False, msg=str(err)) new_keys = [] if key_state == 'create': try: while key_count > key_qty: new_keys.append(iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key) key_qty += 1 changed = True except boto.exception.BotoServerError, err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if key_state in ('active','inactive'): if access_key in current_keys: for current_key, current_key_state in zip(current_keys, status): if current_key == access_key: if key_state != current_key_state.lower(): try: iam.update_access_key(
) args = parser.parse_args() if not args.access_key_id: args.access_key_id = raw_input("Enter Access Key: ") if not args.secret_access_key: args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key ) try: response = iam.create_access_key(args.user) except boto.exception.BotoServerError as e: print "Cannot create new keys: %s" % e raise access_key = response['create_access_key_response']['create_access_key_result']['access_key'] print """Access Key: %s Secret Key. %s""" % ( access_key['access_key_id'], access_key['secret_access_key'] ) ans = raw_input("Ready to delete Access Key %s? (yes/no) " % args.access_key_id) if ans == "yes": try: