def create_instance_profile(
profile_name,
policy_arns,
role_name=None,
inline_policy_name=None,
inline_policy_doc=None
):
"""
Create instance profile and associated IAM role, and attach policy ARNs.
If role_name is omitted profile_name will be used as role name.
Inline policy is optional.
"""
try:
name = iam.create_instance_profile(profile_name)
if name:
io.log_info('Created instance profile: {}.'.format(name))
if not role_name:
role_name = profile_name
name = _create_instance_role(role_name, policy_arns)
if name:
io.log_info('Created instance role: {}.'.format(name))
if inline_policy_name:
iam.put_role_policy(role_name, inline_policy_name, inline_policy_doc)
iam.add_role_to_profile(profile_name, role_name)
except NotAuthorizedError:
io.log_warning(strings['platformcreateiamdescribeerror.info'].format(profile_name=profile_name))
return profile_name
def get_instance_profile(self):
# Check to see if it was specified on the command line
profile = self.app.pargs.instance_profile
if profile is None:
try:
# Check to see if it is associated with the workspace
profile = fileoperations.get_instance_profile()
except NotInitializedError:
pass
if profile is None:
# Check to see if the default instance profile already exists
try:
existing_profiles = iam.get_instance_profile_names()
if iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE in existing_profiles:
profile = iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE
except NotAuthorizedError:
io.log_warning(strings['platformcreateiamdescribeerror.info'])
if profile is None:
# We will now create the default role for the customer
try:
profile = iam_attributes.DEFAULT_PLATFORM_BUILDER_ROLE
try:
iam.create_instance_profile(profile)
io.log_info(strings['platformcreateiamcreated.info'])
except AlreadyExistsError:
pass
document = iam_documents.EC2_ASSUME_ROLE_PERMISSION
try:
# Create a role with the same name
iam.create_role(profile, document)
# Attach required custom platform builder permissions
iam.put_role_policy(
profile,
iam_attributes.PLATFORM_BUILDER_INLINE_POLICY_NAME,
iam_documents.CUSTOM_PLATFORM_BUILDER_INLINE_POLICY)
# Associate instance profile with the required role
iam.add_role_to_profile(profile, profile)
io.log_info(strings['platformcreateiampolicyadded.info'])
except AlreadyExistsError:
# If the role exists then we leave it as is, we do not try to add or modify its policies
pass
except NotAuthorizedError:
io.log_warning(strings['platformcreateiamcreateerror.info'])
# Save to disk
write_config_setting('global', 'instance_profile', profile)
def get_default_profile():
""" Get the default elasticbeanstalk IAM profile,
Create it if it doesn't exist """
# get list of profiles
try:
profile = DEFAULT_ROLE_NAME
try:
iam.create_instance_profile(profile)
io.log_info('Created default instance profile.')
role = get_default_role()
iam.add_role_to_profile(profile, role)
except AlreadyExistsError:
pass
except NotAuthorizedError:
# Not a root account. Just assume role exists
io.log_info('No IAM privileges: assuming default '
'instance profile exists.')
return DEFAULT_ROLE_NAME
return profile