def add_account_assume_policy(self, account_id, external_id=None):
policy_document = PolicyDocument()
account_statement = Statement("Allow", ["sts:AssumeRole"])
account_statement.set_account_principal(account_id,
external_id=external_id)
policy_document.add_statement(account_statement)
self.AssumeRolePolicyDocument = \
transform_policy_document(policy_document)
def test_multiple_statements(self):
test_policy_doc = PolicyDocument().add_statements([
Statement('Allow', 's3:*', '*'),
Statement('Allow', 'ec2:*', '*'),
Statement('Allow', 'es:*', '*')
])
self.assertEquals(len(test_policy_doc.statements), 3)
for statement in test_policy_doc.statements:
self.assertIsInstance(statement, Statement)
def add_service_assume_policy(self, service_principal):
policy_document = PolicyDocument()
service_statement = Statement("Allow", ["sts:AssumeRole"])
service_statement.set_service_principal([service_principal])
policy_document.add_statement(service_statement)
# An example of using a transform to make the Rack IAM
# objects usable by Troposphere
self.AssumeRolePolicyDocument =\
transform_policy_document(policy_document)
def setUp(self):
test_role = Role("BlankRole")
asdoc = PolicyDocument()
astatement = Statement("Allow", ["sts:AssumeRole"])
astatement.set_service_principal(["ec2.amazonaws.com"])
asdoc.add_statement(astatement)
test_role.set_assume_policy(asdoc)
self.test_role = test_role
def setUp(self):
test_role = Role("RootRole")
adoc = PolicyDocument()
astatement = Statement("Allow", ["sts:AssumeRole"])
astatement.set_service_principal(["ec2.amazonaws.com"])
adoc.add_statement(astatement)
allpolicy = InlinePolicy("root")
allpolicydoc = PolicyDocument()
allstatement = Statement("Allow", ["*"], "*")
allpolicydoc.add_statement(allstatement)
allpolicy.set_policy_document(allpolicydoc)
test_role.set_assume_policy(adoc)
test_role.add_policy(allpolicy)
self.test_role = test_role
def setUp(self):
test_policy = Policy('TestPolicy')
allpolicydoc = PolicyDocument(policy_id='Policy123456')
allstatement = Statement("Allow", ["*"], "*")
allpolicydoc.add_statement(allstatement)
test_policy.set_policy_document(allpolicydoc)
self.test_policy = test_policy
def test_chaining(self):
test_user = User('TestUser').set_login_profile('mypass'). \
set_managed_policy_arns(['arn1', 'arn2'])
test_group = Group('TestGroup').add_policy(
InlinePolicy('MyPolicy').set_policy_document(
PolicyDocument().add_statement(
Statement('Allow', 's3:*', '*')
)
)
)
test_role = Role('TestRole').add_policy(
InlinePolicy('MyPolicy').set_policy_document(
PolicyDocument().add_statement(
Statement('Allow', 's3:*', '*')
)
)
)
self.assertIsInstance(test_user, User)
self.assertIsInstance(test_group, Group)
self.assertIsInstance(test_role, Role)
def add_policy(self, policy_name, effect, action="*", resource="*"):
# Troposphere object
policy = Policy(title=policy_name)
policy.PolicyName = policy_name
policy_document = PolicyDocument()
statement = Statement(effect, action, resource=resource)
policy_document.add_statement(statement)
policy.PolicyDocument = transform_policy_document(policy_document)
self.Policies.append(policy)
def setUp(self):
test_policy = Policy('TestPolicy',
groups=['group1', 'group2'],
users=['user1', 'user2'],
roles=['role1', 'role2'])
allpolicydoc = PolicyDocument(policy_id='Policy123456')
allstatement = Statement("Allow", ["*"], "*")
allpolicydoc.add_statement(allstatement)
test_policy.set_policy_document(allpolicydoc)
self.test_dict = transform_policy(test_policy)
def setUp(self):
test_group = Group('TestGroup', users=['user1', 'user2'])
allpolicy = InlinePolicy('TestPolicy')
allpolicydoc = PolicyDocument()
allstatement = Statement("Allow", ["*"], "*")
allpolicydoc.add_statement(allstatement)
allpolicy.set_policy_document(allpolicydoc)
test_group.add_policy(allpolicy)
test_group.set_managed_policy_arns(['arn1', 'arn2'])
self.test_dict = transform_group(test_group)
self.test_mapping = transform_group_users(test_group)
def setUp(self):
test_user = User('TestUser', groups=['group1', 'group2'])
allpolicy = InlinePolicy('TestPolicy')
allpolicydoc = PolicyDocument()
allstatement = Statement("Allow", ["*"], "*")
allpolicydoc.add_statement(allstatement)
allpolicy.set_policy_document(allpolicydoc)
test_user.add_policy(allpolicy)
test_user.set_login_profile('mypass')
test_user.set_managed_policy_arns(['arn1', 'arn2'])
self.test_dict = transform_user(test_user)
def setUp(self):
test_group = Group('TestGroup', ['user1', 'user2'])
allpolicydoc = PolicyDocument()
allstatement = Statement("Allow", ["*"], "*")
allpolicydoc.add_statement(allstatement)
allinlinepolicy = InlinePolicy('TestPolicy')
allinlinepolicy.set_policy_document(allpolicydoc)
test_group.add_policy(allinlinepolicy)
test_group.set_managed_policy_arns(['arn1', 'arn2'])
test_group.add_users(['user3'])
self.test_group = test_group
def test_sid(self):
test_statement = Statement('Allow', 's3:*', sid='Statement123456')
self.assertEquals(test_statement.sid, 'Statement123456')
test_dict = transform_statement(test_statement)
self.assertEquals(test_dict['Sid'], 'Statement123456')
# This is a use case for blank policy roles, allowing the user to easily
# add permissions later (for example Redshift accessing an S3 bucket to
# import data).
from rack_iam import Role
from rack_iam import PolicyDocument
from rack_iam import Statement
redshift_role = Role("RedshiftRole")
asdoc = PolicyDocument()
astatement = Statement("Allow", ["sts:AssumeRole"])
astatement.set_service_principal(["redshift.amazonaws.com"])
asdoc.add_statement(astatement)
redshift_role.set_assume_policy(asdoc)
from rack_iam import Role
from rack_iam import PolicyDocument, InlinePolicy
from rack_iam import Statement
# While objects should be created properly the first time,
# there may be instances such as user input data where that
# may not be possible. In such cases a few of the functional style
# parts of Python can be used to manipulate things:
myRole = Role('TestRole').set_assume_policy(PolicyDocument().add_statement(
Statement('Allow', 'sts:AssumeRole').set_service_principal(
['lambda.amazonaws.com']))).add_policy(
InlinePolicy('MyPolicy').set_policy_document(
PolicyDocument().add_statements([
Statement('Allow', 's3:*', '*'),
Statement('Allow', 'es:*', '*'),
Statement('Deny', 'ec2:*', '*', sid='DenyEc2')
])))
myRole.policies[0].policy_document.statements =\
filter((lambda x: x.sid != 'DenyEc2'),
myRole.policies[0].policy_document.statements)
print(len(myRole.policies[0].policy_document.statements))
print(myRole.policies[0].policy_document.statements[0].action)
print(myRole.policies[0].policy_document.statements[1].action)
# python mutation.py
# 2
# s3:*
# es:*
from rack_iam import Role
from rack_iam import PolicyDocument, InlinePolicy
from rack_iam import Statement
# In some cases standard object construction can lead to a lot of temporary
# variables. For example:
myRole = Role('TestRole')
assumed_policy_doc = PolicyDocument()
lambda_assume = Statement('Allow', 'sts:AssumeRole')
lambda_assume.set_service_principal(['lambda.amazonaws.com'])
assumed_policy_doc.add_statement(lambda_assume)
myRole.set_assume_policy(assumed_policy_doc)
all_s3_policy = InlinePolicy('AllS3')
all_s3_doc = PolicyDocument()
all_s3_permissions = Statement('Allow', 's3:*', '*')
all_s3_doc.add_statement(all_s3_permissions)
all_s3_policy.set_policy_document(all_s3_doc)
myRole.add_policy(all_s3_policy)
# This can get pretty cumbersome and hard to read. To avoid the use of temporary
# variables for one time type assignment you can use method chaining like so:
myOtherRole = Role('TestRole').set_assume_policy(
PolicyDocument().add_statement(
Statement('Allow', 'sts:AssumeRole').set_service_principal(
['lambda.amazonaws.com']
)
)
).add_policy(