def _ensure_grants(role, grants):
    """Create the KMS grants *role* needs on the auth key, if missing.

    Two grants are maintained per role, both on the key named by
    ``app.config['AUTH_KEY']`` and both carrying an
    ``EncryptionContextSubset`` constraint, so KMS honours the grant only
    when the request's encryption context contains the listed pair:

    * encrypt grant: ``Encrypt`` and ``Decrypt``, restricted to contexts
      with ``from`` equal to the role's name;
    * decrypt grant: ``Decrypt``, restricted to contexts with ``to`` equal
      to the role's name.

    ``_grants_exist`` reports which of the two are already present; those
    are left untouched, so the function can be re-run safely. Returns
    ``None``.

    Args:
        role: IAM role resource; ``role.role_name`` goes into the
            constraint and ``role.arn`` is the grantee principal.
        grants: grants already on the key, in the form ``_grants_exist``
            expects.
    """
    has_encrypt_grant, has_decrypt_grant = _grants_exist(role, grants)

    if not has_encrypt_grant:
        log.info('Creating encrypt grant for {0}'.format(role.arn))
        # Only requests whose context includes from=<role name> may use it.
        from_constraint = {
            'EncryptionContextSubset': {'from': role.role_name},
        }
        kms.create_grant(
            KeyId=get_key_id(app.config['AUTH_KEY']),
            GranteePrincipal=role.arn,
            # NOTE(review): Decrypt is granted on the from= context as well
            # as Encrypt; confirm that is intended.
            Operations=['Encrypt', 'Decrypt'],
            Constraints=from_constraint,
        )

    if not has_decrypt_grant:
        log.info('Creating decrypt grant for {0}'.format(role.arn))
        # Only requests whose context includes to=<role name> may use it.
        to_constraint = {
            'EncryptionContextSubset': {'to': role.role_name},
        }
        kms.create_grant(
            KeyId=get_key_id(app.config['AUTH_KEY']),
            GranteePrincipal=role.arn,
            Operations=['Decrypt'],
            Constraints=to_constraint,
        )
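 def run(self):
     """Revoke every grant currently on the auth key.

     ``keymanager.get_grants()`` lists the grants and each one is revoked
     by ``GrantId`` on the key named by ``app.config['AUTH_KEY']``. There is
     no filtering: all grant-based access to the key is removed in one
     pass, so any consumer relying on a grant loses access until grants are
     recreated. Returns ``None``; a failing ``revoke_grant`` call
     propagates and stops the loop.
     """
     grants = keymanager.get_grants()
     # The key id is the same for every grant; resolve it once instead of
     # once per revocation.
     key_id = keymanager.get_key_id(app.config['AUTH_KEY'])
     for grant in grants:
         # Record each id so the revocation is traceable afterwards.
         log.info('Revoking grant {0}.'.format(grant['GrantId']))
         kms.revoke_grant(KeyId=key_id, GrantId=grant['GrantId'])
     log.info('Finished revoking grants.')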
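 def run(self):
     """Revoke all grants on the auth key.

     Every grant returned by ``keymanager.get_grants()`` is revoked on the
     key named by ``app.config['AUTH_KEY']``, identified by its ``GrantId``.
     Nothing is skipped, so grant holders lose access to the key until
     grants are recreated. Returns ``None``. Errors from ``revoke_grant``
     are not caught here and end the run.
     """
     # Loop-invariant: look the key id up once, not per grant.
     key_id = keymanager.get_key_id(app.config['AUTH_KEY'])
     grant_ids = (grant['GrantId'] for grant in keymanager.get_grants())
     for grant_id in grant_ids:
         # Log before acting so a failure mid-run still shows what was tried.
         log.info('Revoking grant {0}.'.format(grant_id))
         kms.revoke_grant(
             KeyId=key_id,
             GrantId=grant_id
         )
     log.info('Finished revoking grants.')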
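 def run(self):
     """Ensure KMS grants exist for every IAM role that backs a service.

     Fetches the current grants on the auth key and all IAM roles in the
     account, then for each role whose name matches a ``Service`` id calls
     ``keymanager._ensure_grants`` so the role gets its encrypt/decrypt
     grants. Roles with no matching service are skipped and nothing is
     revoked here. Returns ``None``. If listing IAM roles raises
     ``ClientError`` the failure is logged and the run ends without
     touching any grants.
     """
     grants = keymanager.get_grants()
     try:
         roles = list(iam.roles.all())
     except ClientError:
         log.error('Failed to fetch IAM roles.')
         return
     # A set: membership is tested once per role below.
     services = {
         service.id
         for service in Service.data_type_date_index.query('service')
     }
     for role in roles:
         if role.name not in services:
             continue
         log.info('Managing grants for {0}.'.format(role.name))
         # Private to keymanager; it reads role.role_name and role.arn.
         keymanager._ensure_grants(role, grants)
     log.info('Finished managing grants.')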
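 def run(self):
     """Create missing KMS grants for the IAM roles of known services.

     The role list comes from ``iam.roles.all()``; the service list from
     the ``Service`` model's ``data_type_date_index``. Only roles whose
     ``name`` equals a service id are handed to
     ``keymanager._ensure_grants`` together with the grants already on the
     auth key. Existing grants are never revoked by this run. Returns
     ``None``; when IAM listing fails with ``ClientError`` an error is
     logged and no grant is touched.
     """
     grants = keymanager.get_grants()
     try:
         roles = list(iam.roles.all())
     except ClientError:
         log.error('Failed to fetch IAM roles.')
         return
     service_ids = set()
     for service in Service.data_type_date_index.query('service'):
         service_ids.add(service.id)
     # Only roles that correspond to a registered service get grants.
     managed = (role for role in roles if role.name in service_ids)
     for role in managed:
         log.info('Managing grants for {0}.'.format(role.name))
         keymanager._ensure_grants(role, grants)
     log.info('Finished managing grants.')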
def _ensure_grants(role, grants):
    """Make sure *role* holds its encrypt and decrypt grants on the auth key.

    Each grant is created on the key named by ``app.config['AUTH_KEY']``
    with ``role.arn`` as grantee and an ``EncryptionContextSubset``
    constraint, so KMS allows the operation only when the request's
    encryption context includes the given pair: ``from=<role name>`` for
    the encrypt grant (``Encrypt`` and ``Decrypt``), ``to=<role name>`` for
    the decrypt grant (``Decrypt``). Grants that ``_grants_exist`` reports
    as present are not recreated. Returns ``None``.

    Args:
        role: IAM role resource exposing ``role_name`` and ``arn``.
        grants: existing grants on the key, passed through to
            ``_grants_exist``.
    """
    have_encrypt, have_decrypt = _grants_exist(role, grants)
    # One entry per grant, in creation order: whether it already exists,
    # the log line, the permitted KMS operations and the encryption-context
    # pair a request must carry for KMS to honour the grant.
    wanted = (
        (have_encrypt, 'Creating encrypt grant for {0}',
         ['Encrypt', 'Decrypt'],
         {'EncryptionContextSubset': {'from': role.role_name}}),
        (have_decrypt, 'Creating decrypt grant for {0}',
         ['Decrypt'],
         {'EncryptionContextSubset': {'to': role.role_name}}),
    )
    for present, message, operations, constraint in wanted:
        if present:
            continue
        log.info(message.format(role.arn))
        kms.create_grant(KeyId=get_key_id(app.config['AUTH_KEY']),
                         GranteePrincipal=role.arn,
                         Operations=operations,
                         Constraints=constraint)