def _ensure_grants(role, grants):
    """Create whichever of the role's two KMS grants on the auth key is missing.

    Two grants are managed for the role's ARN on the key named by
    app.config['AUTH_KEY']:

    * the "encrypt" grant: operations Encrypt and Decrypt, constrained to
      requests whose encryption context contains ``from == role.role_name``;
    * the "decrypt" grant: operation Decrypt only, constrained to requests
      whose encryption context contains ``to == role.role_name``.

    Args:
        role: IAM role object; ``role_name`` and ``arn`` are read from it.
        grants: existing grants, passed through to _grants_exist().
    """
    # EncryptionContextSubset matches when the request context *includes* these
    # pairs; extra pairs in the context are allowed by KMS, so any other context
    # fields must be validated by whoever consumes the decrypted payload.
    from_context = {'EncryptionContextSubset': {'from': role.role_name}}
    to_context = {'EncryptionContextSubset': {'to': role.role_name}}
    has_encrypt, has_decrypt = _grants_exist(role, grants)
    # NOTE(review): the grant logged as "encrypt" also carries Decrypt for the
    # 'from' context -- confirm that is the intended scope.
    pending = (
        (has_encrypt, 'Creating encrypt grant for {0}',
         ['Encrypt', 'Decrypt'], from_context),
        (has_decrypt, 'Creating decrypt grant for {0}',
         ['Decrypt'], to_context),
    )
    for present, message, operations, constraint in pending:
        if present:
            continue
        log.info(message.format(role.arn))
        # The key id is resolved only when a grant actually has to be created.
        kms.create_grant(
            KeyId=get_key_id(app.config['AUTH_KEY']),
            GranteePrincipal=role.arn,
            Operations=operations,
            Constraints=constraint
        )
def run(self):
    """Revoke every grant returned by keymanager.get_grants() on the auth key.

    There is no error handling around revoke_grant: an exception from KMS
    stops the loop, leaves the remaining grants in place, and the final log
    line is not emitted.
    """
    # NOTE(review): assumes get_grants() returns the complete grant list for
    # the key (KMS grant listings are paginated) -- confirm in keymanager.
    for entry in keymanager.get_grants():
        auth_key_id = keymanager.get_key_id(app.config['AUTH_KEY'])
        kms.revoke_grant(KeyId=auth_key_id, GrantId=entry['GrantId'])
    log.info('Finished revoking grants.')
def run(self):
    """Revoke each grant listed by keymanager.get_grants() on the auth key.

    The grants are revoked one at a time and in list order. A failure raised
    by revoke_grant is not caught here, so it aborts the run part-way and the
    grants not yet reached stay active.
    """
    existing = keymanager.get_grants()
    for item in existing:
        # Key id is looked up per grant, exactly as many times as there are
        # grants; nothing is resolved when the list is empty.
        request = {
            'KeyId': keymanager.get_key_id(app.config['AUTH_KEY']),
            'GrantId': item['GrantId'],
        }
        kms.revoke_grant(**request)
    log.info('Finished revoking grants.')
def run(self):
    """Ensure KMS grants exist for every IAM role named after a known service.

    The grant list is fetched once, before any role is processed, and that
    same snapshot is handed to keymanager._ensure_grants() for each role.
    If listing IAM roles raises ClientError the run logs an error and returns
    without creating anything.
    """
    grant_snapshot = keymanager.get_grants()
    try:
        account_roles = list(iam.roles.all())
    except ClientError:
        log.error('Failed to fetch IAM roles.')
        return
    service_ids = [
        svc.id for svc in Service.data_type_date_index.query('service')
    ]
    for role in account_roles:
        # Selection is by role *name* only: any listed role whose name equals
        # a service id receives grants on the auth key.
        if role.name not in service_ids:
            continue
        log.info('Managing grants for {0}.'.format(role.name))
        keymanager._ensure_grants(role, grant_snapshot)
    log.info('Finished managing grants.')
def _ensure_grants(role, grants):
    """Make sure the role holds both of its grants on the auth KMS key.

    _grants_exist() reports which of the two grants is already present; each
    missing one is created for ``role.arn`` on the key configured as
    app.config['AUTH_KEY'].

    Args:
        role: IAM role object providing ``role_name`` and ``arn``.
        grants: current grants, forwarded unchanged to _grants_exist().
    """
    def _create(operations, constraint):
        # Single place that issues the grant; the key id is resolved per call.
        kms.create_grant(
            KeyId=get_key_id(app.config['AUTH_KEY']),
            GranteePrincipal=role.arn,
            Operations=operations,
            Constraints=constraint,
        )

    # Both constraints bind the grant to an encryption context that names this
    # role. EncryptionContextSubset permits additional context pairs, so the
    # grant alone does not pin the rest of the context.
    as_sender = {'EncryptionContextSubset': {'from': role.role_name}}
    as_recipient = {'EncryptionContextSubset': {'to': role.role_name}}

    have_encrypt, have_decrypt = _grants_exist(role, grants)

    if not have_encrypt:
        log.info('Creating encrypt grant for {0}'.format(role.arn))
        # Context "from: <role>": the role may both Encrypt and Decrypt.
        _create(['Encrypt', 'Decrypt'], as_sender)
    if not have_decrypt:
        log.info('Creating decrypt grant for {0}'.format(role.arn))
        # Context "to: <role>": Decrypt only.
        _create(['Decrypt'], as_recipient)