Python get_lambda_assumerole_policy示例，awacs.helpers.trust.get_lambda_assumerole_policy Python示例

示例#1

0

显示文件

    def add_lambda_role(self, title, extra_permissions):
        perms = self.DEFAULT_PERMISSIONS.union(extra_permissions)
        permissions = [Action(*perm) for perm in perms]

        return self.template.add_resource(
            iam.Role(title + 'LambdaRole',
                     Path='/',
                     Policies=[
                         iam.Policy(
                             PolicyName=title + 'LambdaExecution',
                             PolicyDocument=Policy(
                                 Version='2012-10-17',
                                 Statement=[
                                     Statement(Effect=Allow,
                                               Action=[Action('logs', '*')],
                                               Resource=['arn:aws:logs:*:*:*'
                                                         ]),
                                     Statement(
                                         Effect=Allow,
                                         Action=list(permissions),
                                         Resource=['*'],
                                     )
                                 ]))
                     ],
                     AssumeRolePolicyDocument=get_lambda_assumerole_policy()))

示例#2

0

显示文件

    def create_role(self):
        t = self.template

        vpc_policy = NoValue
        if self.get_variables()["VpcConfig"]:
            # allow this Lambda to modify ENIs to allow it to run in our VPC.
            policy_prefix = self.context.get_fqn(self.name)
            vpc_policy = [
                iam.Policy(
                    PolicyName="%s-vpc-policy" % policy_prefix,
                    PolicyDocument=Policy(
                        Statement=lambda_vpc_execution_statements()
                    ),
                )
            ]

        self.role = t.add_resource(
            iam.Role(
                "Role",
                AssumeRolePolicyDocument=get_lambda_assumerole_policy(),
                Policies=vpc_policy
            )
        )

        t.add_output(
            Output("RoleName", Value=Ref(self.role))
        )

        role_arn = self.role.GetAtt("Arn")
        self.role_arn = role_arn

        t.add_output(
            Output("RoleArn", Value=role_arn)
        )

示例#3

0

显示文件

文件： aws_lambda.py 项目： Xenwar/aws-infrastructure

    def create_role(self):
        t = self.template

        self.role = t.add_resource(
            iam.Role(
                "Role",
                AssumeRolePolicyDocument=get_lambda_assumerole_policy()
            )
        )

        if self.get_variables()["VpcConfig"]:
            # allow this Lambda to modify ENIs to allow it to run in our VPC.
            self.role.Policies = [
                iam.Policy(
                    PolicyName=Sub("${AWS::StackName}-vpc-policy"),
                    PolicyDocument=Policy(
                        Statement=lambda_vpc_execution_statements()
                    ),
                )
            ]

        t.add_output(
            Output("RoleName", Value=Ref(self.role))
        )

        role_arn = self.role.GetAtt("Arn")
        self.role_arn = role_arn

        t.add_output(
            Output("RoleArn", Value=role_arn)
        )

示例#4

0

显示文件

    def create_role(self):
        t = self.template

        self.role = t.add_resource(
            iam.Role(
                "Role",
                AssumeRolePolicyDocument=get_lambda_assumerole_policy(),
            )
        )

        t.add_output(
            Output("RoleName", Value=Ref(self.role))
        )
        t.add_output(
            Output("RoleArn", Value=GetAtt(self.role.title, "Arn"))
        )

示例#5

0

显示文件

 def create_lambda_role(self, name):
     return self.create_role(name, get_lambda_assumerole_policy())

示例#6

0

显示文件

def create_template():
    t = Template(Description="Infrastructure for routezero")
    api_key = t.add_parameter(Parameter("ZerotierApiKey", Type="String", NoEcho=True))
    network_id = t.add_parameter(Parameter("ZerotierNetworkId", Type="String"))
    role = t.add_resource(
        Role(
            "Role",
            AssumeRolePolicyDocument=get_lambda_assumerole_policy(),
            Policies=[
                Policy(
                    PolicyName="cloudformation-route53-update",
                    PolicyDocument=PolicyDocument(
                        Statement=[
                            Statement(
                                Effect=Allow,
                                Action=[
                                    cloudformation.Action("*"),
                                    route53.Action("*"),
                                ],
                                Resource=["*"],
                            )
                        ]
                    ),
                )
            ],
            ManagedPolicyArns=[
                "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
            ],
        )
    )
    function = t.add_resource(
        CLIFunction(
            "Function",
            MemorySize=256,
            Timeout=60 * 15,
            Handler=".".join([routezero.__name__, routezero.handler.__name__]),
            Runtime="python3.6",
            Code=create_bundle(),
            Role=GetAtt(role, "Arn"),
            Environment=Environment(
                Variables={
                    "ZEROTIER_API_KEY": Ref(api_key),
                    "ZEROTIER_NETWORK_ID": Ref(network_id),
                    "ROUTE53_RECORD_STACK_NAME": Sub("${AWS::StackName}Records"),
                }
            ),
        )
    )
    log_group = t.add_resource(
        LogGroup(
            "LogGroup", LogGroupName=Sub("/aws/lambda/${Function}"), RetentionInDays=30
        )
    )
    permission = t.add_resource(
        Permission(
            "Permission",
            FunctionName=GetAtt(function, "Arn"),
            Principal="events.amazonaws.com",
            Action="lambda:InvokeFunction",
            SourceArn=Sub(
                "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"
            ),
            DependsOn=[log_group],
        )
    )
    rule = t.add_resource(
        Rule(
            "Rule",
            ScheduleExpression="rate(15 minutes)",
            Targets=[Target(Id=Ref(function), Arn=GetAtt(function, "Arn"))],
            DependsOn=[permission],
        )
    )
    return t

示例#7

0

显示文件

文件： iam_roles.py 项目： cyommer/stacker_blueprints

 def create_lambda_role(self, name):
     return self.create_role(name, get_lambda_assumerole_policy())

示例#8

0

显示文件

def create_template(website_template, website_parameters):
    template = Template()

    runtime = template.add_parameter(
        Parameter("LambdaRuntime", Default="python3.7", Type="String"))

    smite_developer_id = template.add_parameter(
        Parameter("SmiteDeveloperId", Type="String"))

    smite_auth_key = template.add_parameter(
        Parameter("SmiteAuthKey", Type="String", NoEcho=True))

    twitter_consumer_key = template.add_parameter(
        Parameter("TwitterConsumerKey", Type="String"))

    twitter_consumer_secret = template.add_parameter(
        Parameter("TwitterConsumerSecret", Type="String", NoEcho=True))

    twitter_access_key = template.add_parameter(
        Parameter("TwitterAccessKey", Type="String"))

    twitter_access_secret = template.add_parameter(
        Parameter("TwitterAccessSecret", Type="String", NoEcho=True))

    table = template.add_resource(
        Table(
            "StorageTable",
            AttributeDefinitions=[
                AttributeDefinition(AttributeName="key", AttributeType="N")
            ],
            KeySchema=[KeySchema(AttributeName="key", KeyType="HASH")],
            BillingMode="PAY_PER_REQUEST",
            DeletionPolicy="Retain",
        ))

    website = template.add_resource(
        Stack("Website",
              TemplateURL=website_template,
              Parameters=website_parameters))

    role = template.add_resource(
        Role(
            "LambdaRole",
            AssumeRolePolicyDocument=get_lambda_assumerole_policy(),
            ManagedPolicyArns=[
                "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
                "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
                "arn:aws:iam::aws:policy/AmazonS3FullAccess",
                "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
            ],
        ))

    smite_api_function = template.add_resource(
        Function(
            "SmiteApiFunction",
            Code=Code(ZipFile=inspect.getsource(smite)),
            Handler="index.handler",
            MemorySize=256,
            Timeout=30,
            Runtime=Ref(runtime),
            Role=GetAtt(role, "Arn"),
            Environment=Environment(
                Variables={
                    smite.Config.SMITE_DEVELOPER_ID.name: Ref(
                        smite_developer_id),
                    smite.Config.SMITE_AUTH_KEY.name: Ref(smite_auth_key),
                }),
        ))
    smite_api_logs = template.add_resource(
        log_group_for_function(smite_api_function))

    twitter_api_function = template.add_resource(
        Function(
            "TwitterApiFunction",
            Code=Code(ZipFile=inspect.getsource(twitter)),
            Handler="index.handler",
            MemorySize=256,
            Timeout=30,
            Runtime=Ref(runtime),
            Role=GetAtt(role, "Arn"),
            Environment=Environment(
                Variables={
                    twitter.Config.TWITTER_CONSUMER_KEY.name:
                    Ref(twitter_consumer_key),
                    twitter.Config.TWITTER_CONSUMER_SECRET.name:
                    Ref(twitter_consumer_secret),
                    twitter.Config.TWITTER_ACCESS_KEY.name:
                    Ref(twitter_access_key),
                    twitter.Config.TWITTER_ACCESS_SECRET.name:
                    Ref(twitter_access_secret),
                }),
        ))
    twitter_api_logs = template.add_resource(
        log_group_for_function(twitter_api_function))

    table_export_function = template.add_resource(
        Function(
            "TableExportFunction",
            Code=Code(ZipFile=packmodule.pack(inspect.getsource(exporter))),
            Handler="index.handler",
            MemorySize=512,
            Timeout=30,
            Runtime=Ref(runtime),
            Role=GetAtt(role, "Arn"),
            Environment=Environment(
                Variables={
                    exporter.Config.DDB_TABLE_NAME.name:
                    Ref(table),
                    exporter.Config.S3_BUCKET_NAME.name:
                    Select(
                        5,
                        Split(":", GetAtt(website,
                                          "Outputs.ContentBucketArn"))),
                    exporter.Config.SMITE_API_LAMBDA_ARN.name:
                    GetAtt(smite_api_function, "Arn"),
                }),
        ))
    table_export_logs = template.add_resource(
        log_group_for_function(table_export_function))

    update_check_function = template.add_resource(
        Function(
            "UpdateCheckFunction",
            Code=Code(ZipFile=inspect.getsource(updater)),
            Handler="index.handler",
            MemorySize=256,
            Timeout=30,
            Runtime=Ref(runtime),
            Role=GetAtt(role, "Arn"),
            Environment=Environment(
                Variables={
                    updater.Config.TWITTER_API_LAMBDA_ARN.name:
                    GetAtt(twitter_api_function, "Arn"),
                    updater.Config.SMITE_API_LAMBDA_ARN.name:
                    GetAtt(smite_api_function, "Arn"),
                    updater.Config.TABLE_EXPORT_LAMBDA_ARN.name:
                    GetAtt(table_export_function, "Arn"),
                    updater.Config.DDB_TABLE_NAME.name:
                    Ref(table),
                }),
        ))

    update_check_logs = template.add_resource(
        log_group_for_function(update_check_function))

    update_check_rule = template.add_resource(
        Rule(
            "UpdateCheckRule",
            ScheduleExpression="rate(5 minutes)",
            Targets=[
                Target(
                    Id=Ref(update_check_function),
                    Arn=GetAtt(update_check_function, "Arn"),
                )
            ],
            DependsOn=[
                update_check_logs,
                table_export_logs,
                smite_api_logs,
                twitter_api_logs,
            ],
        ))

    template.add_resource(
        Permission(
            "UpdateCheckPermission",
            Action="lambda:InvokeFunction",
            FunctionName=Ref(update_check_function),
            SourceArn=GetAtt(update_check_rule, "Arn"),
            Principal="events.amazonaws.com",
        ))

    return template