 def policy_create_for_task_role(self, role_name, skip_if_exists=True):
     """Create the IAM role that ECS tasks assume at runtime (the "task role").

     Only the trust relationship is configured here: the trust policy lets
     the ``ecs-tasks.amazonaws.com`` service principal call ``sts:AssumeRole``.
     No permission policy is attached, so the role grants nothing until the
     caller attaches one.

     Args:
         role_name: name of the IAM role to create.
         skip_if_exists: forwarded to ``IAM_Role.create``; presumably makes the
             call a no-op when the role already exists -- confirm in IAM_Role.

     Returns:
         The ``IAM_Role`` wrapper for ``role_name``.
     """
     ecs_tasks_statement = {
         "Effect": "Allow",
         "Principal": {"Service": "ecs-tasks.amazonaws.com"},
         "Action": "sts:AssumeRole",
     }
     trust_policy = {"Version": "2008-10-17", "Statement": [ecs_tasks_statement]}
     role = IAM_Role(role_name=role_name)
     role.create(trust_policy, skip_if_exists=skip_if_exists)
     return role
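    def policy_create_for_execution_role(self, role_name, skip_if_exists=True):
        """Create the ECS task *execution* role and attach its permission policy.

        The execution role is the one the ECS agent uses on behalf of the task
        (pull the container image from ECR, ship container logs to CloudWatch);
        it is distinct from the task role that the application code assumes.

        Args:
            role_name: name of the IAM role to create.
            skip_if_exists: when True and the role already exists, return the
                existing role untouched instead of re-creating it or
                re-attaching the policy.

        Returns:
            The ``IAM_Role`` wrapper when the role already exists, or when it was
            created and the inline policy ``policy_for_<role_name>`` is confirmed
            attached; ``None`` when creation failed or the attachment did not
            take effect.
        """
        # Log delivery is scoped to this account/region but to *every* log group
        # in it ("log-group:*"). Narrow this to the task's own log-group prefix
        # if the awslogs driver uses a predictable name.
        cloud_watch_arn = f"arn:aws:logs:{self.region}:{self.account_id}:log-group:*"

        # Trust policy: only the ECS tasks service principal may assume the role.
        role_document = {
            "Version": "2008-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                    "Action": "sts:AssumeRole",
                }
            ],
        }

        # Permission policy. ecr:GetAuthorizationToken only accepts Resource "*";
        # the remaining ECR read actions could be restricted to the repository
        # ARNs the task actually pulls from.
        policy_document = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "ecr:GetAuthorizationToken",
                        "ecr:BatchCheckLayerAvailability",
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:GetRepositoryPolicy",
                        "ecr:DescribeRepositories",
                        "ecr:ListImages",
                        "ecr:DescribeImages",
                        "ecr:BatchGetImage",
                    ],
                    "Resource": "*",
                },
                {
                    "Effect": "Allow",
                    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                    "Resource": [cloud_watch_arn],
                },
            ],
        }

        policy_name = f"policy_for_{role_name}"
        iam_role = IAM_Role(role_name=role_name)

        if iam_role.exists() and skip_if_exists:
            return iam_role

        # Creation failed (or was refused); there is no role to attach to.
        if not iam_role.create(policy_document=role_document, skip_if_exists=skip_if_exists):
            return None

        iam_role.attach_policy(policy_name=policy_name, policy_document=policy_document)
        # attach_policy's own result is not relied on; confirm the inline policy
        # is actually listed on the role before reporting success.
        if policy_name in iam_role.iam.role_policies():
            return iam_role
        return None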