Пример #1
class GetGroup(IAMRequest):
    """Show a group's ARN followed by the ARNs of the users it contains.

    Nothing in this class sets a parameter that changes the group; it only
    builds the paged lookup and prints what comes back.  ``prepare_for_page``
    and ``get_next_page`` are the paging hooks (presumably driven by
    ``PaginatedResponse``, which is defined outside this listing).
    """

    DESCRIPTION = 'List all the users in a group'
    ARGS = [
        arg_group(help='name of the group to enumerate (required)'),
        AS_ACCOUNT,
    ]
    LIST_TAGS = ['Users']

    def main(self):
        """Return a ``PaginatedResponse`` wrapped around this request."""
        # NOTE(review): these look like the initial page marker (None) and
        # the response keys to collect across pages -- confirm against
        # PaginatedResponse.
        initial_pages = (None,)
        collected_keys = ('Users',)
        return PaginatedResponse(self, initial_pages, collected_keys)

    def prepare_for_page(self, page):
        """Place *page* in the ``Marker`` request parameter."""
        # Pages are defined by markers
        self.params['Marker'] = page

    # pylint: disable=no-self-use
    def get_next_page(self, response):
        """Return the marker for the following page, or None on the last one.

        ``IsTruncated`` is compared with the string ``'true'``, not a bool.
        """
        is_truncated = response.get('IsTruncated') == 'true'
        return response['Marker'] if is_truncated else None
    # pylint: enable=no-self-use

    # pylint: disable=no-self-use
    def print_result(self, result):
        """Print the group ARN, a ``users`` heading, then one ARN per user."""
        group_info = result['Group']
        print group_info['Arn']
        print '  ', 'users'
        # A response without a 'Users' key is treated as an empty group.
        members = result.get('Users', [])
        for member in members:
            print '  ', member['Arn']
Пример #2
class ListGroupPolicies(IAMRequest):
    """List the names of a group's policies and optionally their contents.

    The name listing is paged through ``Marker`` values.  With ``--verbose``
    every printed name is followed by a separate ``GetGroupPolicy`` request,
    so a group with N policies costs N extra calls.  The options marked
    ``route_to=None`` are only read from ``self.args`` in this class.
    """

    DESCRIPTION = 'List one or all policies attached to a group'
    ARGS = [
        arg_group(help='group owning the policies to list (required)'),
        Arg('-p', '--policy-name', metavar='POLICY', route_to=None,
            help='display a specific policy'),
        Arg('-v', '--verbose', action='store_true', route_to=None,
            help='''display the contents of the resulting policies (in
                        addition to their names)'''),
        Arg('--pretty-print', action='store_true', route_to=None,
            help='''when printing the contents of policies, reformat them
                        for easier reading'''),
        AS_ACCOUNT,
    ]
    LIST_TAGS = ['PolicyNames']

    def main(self):
        """Return a ``PaginatedResponse`` wrapped around this request."""
        # NOTE(review): these look like the initial page marker (None) and
        # the response keys to collect across pages -- confirm against
        # PaginatedResponse, which is defined outside this listing.
        initial_pages = (None, )
        collected_keys = ('PolicyNames', )
        return PaginatedResponse(self, initial_pages, collected_keys)

    def prepare_for_page(self, page):
        """Place *page* in the ``Marker`` request parameter."""
        # Pages are defined by markers
        self.params['Marker'] = page

    def get_next_page(self, response):
        """Return the marker for the following page, or None on the last one.

        ``IsTruncated`` is compared with the string ``'true'``, not a bool.
        """
        is_truncated = response.get('IsTruncated') == 'true'
        return response['Marker'] if is_truncated else None

    def print_result(self, result):
        """Print either the one requested policy or every policy name.

        When ``--policy-name`` is given and no returned name equals it,
        nothing is printed and no error is raised.
        """
        names = result.get('PolicyNames', [])
        wanted = self.args.get('policy_name')

        if not wanted:
            # No filter: print each name, plus its document when verbose.
            for policy_name in names:
                print policy_name
                if self.args['verbose']:
                    self.print_policy(policy_name)
            return

        # Look for the specific policy the user asked for; stop at the first
        # exact match.
        for policy_name in names:
            if policy_name != wanted:
                continue
            if self.args['verbose']:
                self.print_policy(policy_name)
            else:
                print policy_name
            break

    def print_policy(self, policy_name):
        """Fetch *policy_name* with ``GetGroupPolicy`` and print it.

        The group name, the pretty-print flag and the delegate account of
        this request are handed on to the follow-up request.
        """
        policy_req = GetGroupPolicy.from_other(
            self,
            GroupName=self.args['GroupName'],
            PolicyName=policy_name,
            pretty_print=self.args['pretty_print'],
            DelegateAccount=self.params.get('DelegateAccount'))
        policy_req.print_result(policy_req.main())
Пример #3
class AddUserToGroup(IAMRequest):
    """Command definition for adding one user to a group.

    The class only declares its options; sending the request and handling
    the response are left to ``IAMRequest``, which is defined outside this
    listing.  Membership gives the user whatever the group's policies grant,
    so the group name deserves the same care as the user name.
    """

    DESCRIPTION = 'Add a user to a group'
    ARGS = [
        arg_group(help='the group to add the user to (required)'),
        # Stored under UserName; argparse rejects the call when it is absent.
        Arg('-u', '--user-name', dest='UserName', required=True,
            help='the user to add (required)'),
        AS_ACCOUNT,
    ]
Пример #4
class DeleteGroupPolicy(IAMRequest):
    """Command definition for removing one named policy from a group.

    The class only declares its options; sending the request is left to
    ``IAMRequest``, which is defined outside this listing.  No confirmation
    step or preview option is declared here.
    """

    DESCRIPTION = 'Remove a policy from a group'
    ARGS = [
        arg_group(help='group the policy is attached to (required)'),
        # Stored under PolicyName; argparse rejects the call when absent.
        Arg('-p', '--policy-name', dest='PolicyName', metavar='POLICY',
            required=True,
            help='name of the policy to delete (required)'),
        AS_ACCOUNT,
    ]
Пример #5
class AddGroupPolicy(IAMRequest):
    """Build a policy from command-line values and attach it to a group.

    The effect, actions and resources are passed to ``build_iam_policy``,
    the result is serialised to JSON and handed to a ``PutGroupPolicy``
    request.  This class never calls ``self.send()`` itself.

    NOTE(review): no check on the action or resource values is visible in
    this class; whether ``build_iam_policy`` (defined outside this listing)
    rejects overly broad values such as wildcards is not shown -- confirm.
    ``--output`` prints the generated document so it can be reviewed and
    kept for audit.
    """

    DESCRIPTION = ('Add a new policy to a group. To add more complex '
                   'policies than this tool supports, see '
                   'euare-groupuploadpolicy(1).')
    ARGS = [
        arg_group(help='group to attach the policy to (required)'),
        Arg('-p', '--policy-name', metavar='POLICY', required=True,
            help='name of the new policy (required)'),
        # argparse limits the effect to exactly these two spellings.
        Arg('-e', '--effect', choices=('Allow', 'Deny'), required=True,
            help='whether the new policy should Allow or Deny (required)'),
        # Repeatable: every -a adds one entry to the ``actions`` list.
        Arg('-a', '--action', dest='actions', action='append',
            required=True,
            help='''action(s) the policy should apply to
                (at least one required)'''),
        # Repeatable: every -r adds one entry to the ``resources`` list.
        Arg('-r', '--resource', dest='resources', action='append',
            required=True,
            help='''resource(s) the policy should apply to
                (at least one required)'''),
        Arg('-o', '--output', action='store_true',
            help='display the newly-created policy'),
        AS_ACCOUNT,
    ]

    def main(self):
        """Create the policy document, upload it and return the response.

        The JSON text that was sent is added to the response under
        ``PolicyDocument`` so that ``print_result`` can show it.
        """
        document = json.dumps(
            build_iam_policy(self.args['effect'], self.args['resources'],
                             self.args['actions']))
        # The upload is delegated to PutGroupPolicy, carrying over the group
        # and the delegate account of this request.
        put_request = PutGroupPolicy.from_other(
            self,
            GroupName=self.args['GroupName'],
            PolicyName=self.args['policy_name'],
            PolicyDocument=document,
            DelegateAccount=self.params['DelegateAccount'])
        outcome = put_request.main()
        outcome['PolicyDocument'] = document
        return outcome

    def print_result(self, result):
        """Print the uploaded policy document when ``--output`` was given."""
        if not self.args['output']:
            return
        print result['PolicyDocument']
Пример #6
class CreateGroup(IAMRequest):
    """Command definition for creating a group.

    Sending the request is left to ``IAMRequest``, which is defined outside
    this listing; this class adds the options and the optional output.
    """

    DESCRIPTION = 'Create a new group'
    ARGS = [
        arg_group(help='name of the new group (required)'),
        Arg('-p', '--path', dest='Path',
            help='path for the new group (default: "/")'),
        # Read only by print_result below.
        Arg('-v', '--verbose', action='store_true', route_to=None,
            help="print the new group's ARN and GUID"),
        AS_ACCOUNT,
    ]

    def print_result(self, result):
        """Print the new group's ARN and GroupId when ``--verbose`` is set."""
        if not self.args['verbose']:
            return
        created = result['Group']
        print created['Arn']
        print created['GroupId']
Пример #7
class PutGroupPolicy(IAMRequest):
    """Command definition for attaching a policy document to a group.

    The document comes either inline (``-o``) or from a file (``-f``); both
    options store into ``PolicyDocument`` and sit in one mutually exclusive
    list that is marked required.

    NOTE(review): nothing in this class checks the document before it is
    sent (for example that it is well-formed JSON); validation is presumably
    left to the service -- confirm.
    """

    DESCRIPTION = 'Attach a policy to a group'
    ARGS = [
        arg_group(help='group to attach the policy to (required)'),
        Arg('-p', '--policy-name', dest='PolicyName', metavar='POLICY',
            required=True,
            help='name of the policy (required)'),
        MutuallyExclusiveArgList(
            Arg('-o', '--policy-content', dest='PolicyDocument',
                metavar='POLICY_CONTENT',
                help='the policy to attach'),
            # type=open makes argparse open FILE while parsing, so the value
            # is a file object.  This class neither reads nor closes it;
            # presumably the base class does -- confirm.
            Arg('-f', '--policy-document', dest='PolicyDocument',
                metavar='FILE', type=open,
                help='file containing the policy to attach'),
        ).required(),
        AS_ACCOUNT,
    ]
Пример #8
class UpdateGroup(IAMRequest):
    """Command definition for renaming a group and/or changing its path.

    Neither ``-n`` nor ``-p`` is marked required, so argparse accepts a call
    that names no change at all.  Sending the request is left to
    ``IAMRequest``, which is defined outside this listing.

    NOTE(review): policies elsewhere that refer to the group by its old name
    or path are not touched by anything in this class -- confirm how the
    service treats them after a rename.
    """

    DESCRIPTION = 'Change the name and/or path of a group'
    ARGS = [
        arg_group(help='name of the group to update (required)'),
        Arg('-n', '--new-group-name', dest='NewGroupName', metavar='GROUP',
            help='new name for the group'),
        Arg('-p', '--new-path', dest='NewPath', metavar='PATH',
            help='new path for the group'),
        AS_ACCOUNT,
    ]
Пример #9
class RemoveUserFromGroup(IAMRequest):
    """Remove one or more users from a group, one request per user.

    The removals are independent calls issued in the order the users were
    given.  Assuming ``self.send()`` raises on failure, an error stops the
    loop: users handled earlier stay removed and later ones stay members.
    """

    DESCRIPTION = 'Remove a user from a group'
    ARGS = [
        # Repeatable; collected into ``user_names`` and read only by main().
        Arg('-u', '--user-name', dest='user_names', metavar='USER',
            action='append', route_to=None, required=True,
            help='user to remove from the group (required)'),
        arg_group(help='group to remove the user from (required)'),
        AS_ACCOUNT,
    ]

    def main(self):
        """Send a removal request for every name in ``user_names``.

        Always returns None.
        """
        for user_name in self.args['user_names']:
            # The same request object is reused; only UserName changes.
            self.params['UserName'] = user_name
            self.send()
        # The response doesn't actually contain anything of interest, so don't
        # bother returning anything
        return None
Пример #10
class GetGroupPolicy(IAMRequest):
    """Fetch one policy attached to a group and print its document.

    Sending the request is left to ``IAMRequest``, which is defined outside
    this listing; this class adds the options and the output formatting.
    """

    DESCRIPTION = "Display a group's policy"
    ARGS = [
        arg_group(help='group the policy is attached to (required)'),
        Arg('-p', '--policy-name', dest='PolicyName', metavar='POLICY',
            required=True,
            help='name of the policy to show (required)'),
        # Read only by print_result below.
        Arg('--pretty-print', action='store_true', route_to=None,
            help='reformat the policy for easier reading'),
        AS_ACCOUNT,
    ]

    def print_result(self, result):
        """Print the URL-decoded policy, re-indented if ``--pretty-print``.

        Raises:
            ValueError: pretty-printing was requested and the decoded
                document could not be parsed as JSON.
        """
        # The document is percent-decoded before anything else is done.
        document = urllib.unquote(result['PolicyDocument'])
        if not self.args['pretty_print']:
            print document
            return

        try:
            parsed = json.loads(document)
        except ValueError:
            # The parser's traceback goes to the debug log; the raised
            # message names only the policy.
            self.log.debug('JSON parse error', exc_info=True)
            raise ValueError(
                "policy '{0}' does not appear to be valid JSON"
                .format(self.args['PolicyName']))
        print json.dumps(parsed, indent=4)
Пример #11
class DeleteGroup(IAMRequest):
    """Delete a group, optionally detaching its users and policies first.

    With ``--recursive`` the command looks up the group's members and policy
    names, removes each of them with separate requests and only then sends
    the delete itself.  ``--pretend`` performs the same two lookups but
    returns what was found without sending any removal or the delete.

    The clean-up is not atomic and works from the lists fetched at the
    start.  Assuming a failed request raises, an error part-way through
    leaves the group partly stripped, and users or policies attached after
    the lookup are not covered.  Running with ``--pretend`` first shows
    exactly what a recursive run would detach.
    """

    DESCRIPTION = 'Delete a group'
    ARGS = [
        arg_group(help='name of the group to delete (required)'),
        Arg('-r', '--recursive', action='store_true', route_to=None,
            help='''remove all user memberships and policies associated
                with the group first'''),
        # Hidden from --help.  Stores the string 'true' under IsRecursive;
        # presumably this asks the service to recurse on its side -- confirm.
        # The --pretend preview is gathered by this client and says nothing
        # about what such a server-side run would remove.
        Arg('-R', '--recursive-euca', dest='IsRecursive',
            action='store_const', const='true',
            help=argparse.SUPPRESS),
        Arg('-p', '--pretend', action='store_true', route_to=None,
            help='''list the user memberships and policies that would be
                deleted instead of actually deleting them. Implies -r.'''),
        AS_ACCOUNT,
    ]

    def main(self):
        """Run the preview or the deletion.

        Returns:
            With ``--pretend``, a dict holding ``members`` (user ARNs) and
            ``policies`` (policy names).  Otherwise whatever ``self.send()``
            returns for the delete request.
        """
        # Just in case: both stay empty unless a lookup is needed.
        members = []
        policies = []
        if self.args['recursive'] or self.args['pretend']:
            # Figure out what we'd have to delete
            lookup = GetGroup.from_other(
                self,
                GroupName=self.args['GroupName'],
                DelegateAccount=self.params['DelegateAccount'])
            members = lookup.main().get('Users', [])
            lookup = ListGroupPolicies.from_other(
                self,
                GroupName=self.args['GroupName'],
                DelegateAccount=self.params['DelegateAccount'])
            policies = lookup.main().get('PolicyNames', [])

        if self.args['pretend']:
            # Dry run: report and stop before any modifying request.
            return {
                'members': [member['Arn'] for member in members],
                'policies': policies
            }

        if self.args['recursive']:
            # Memberships go first, all through one RemoveUserFromGroup.
            member_names = [member['UserName'] for member in members]
            removal = RemoveUserFromGroup.from_other(
                self,
                GroupName=self.args['GroupName'],
                user_names=member_names,
                DelegateAccount=self.params['DelegateAccount'])
            removal.main()
            # Then one DeleteGroupPolicy request per policy name.
            for policy in policies:
                removal = DeleteGroupPolicy.from_other(
                    self,
                    GroupName=self.args['GroupName'],
                    PolicyName=policy,
                    DelegateAccount=self.params['DelegateAccount'])
                removal.main()
        return self.send()

    def print_result(self, result):
        """Print the ``--pretend`` preview; a real deletion prints nothing."""
        if not self.args['pretend']:
            return
        print 'users'
        for arn in result['members']:
            print '\t' + arn
        print 'policies'
        for policy in result['policies']:
            print '\t' + policy