def test_get_policy_arn_suffix(self):
    """Expected partition suffix for a set of representative regions."""
    cases = [
        ("aws-cn", "cn-northwest-1"),
        ("aws-cn", "cn-northwest-2"),
        ("aws-cn", "cn-north-1"),
        ("aws-us-gov", "us-gov-west-1"),
        ("aws", "ca-central-1"),
        ("aws", "us-east-1"),
        ("aws", "sa-east-1"),
        ("aws", "ap-south-1"),
    ]
    for expected_suffix, region in cases:
        self.assertEqual(expected_suffix, utils.get_policy_arn_suffix(region))
def _update_role_trust_policy(self, parsed_globals) -> str:
    """Add the cluster trust statement to the role's trust policy if absent.

    Builds the expected trust statement for ``self._role_name`` and
    ``self._namespace`` from the cluster's account id and OIDC issuer,
    then appends it to the role's existing assume-role document unless an
    equivalent statement is already present.

    Args:
        parsed_globals: Parsed global CLI options; only ``verify_ssl`` is
            read here (passed through to the EKS and IAM clients).

    Returns:
        The pretty-printed document that *would* be written when
        ``self._dry_run`` is set; otherwise the
        ``TRUST_POLICY_UPDATE_SUCCESSFUL`` message after the IAM update, or
        ``TRUST_POLICY_STATEMENT_ALREADY_EXISTS`` when nothing changed.
    """
    base36 = Base36()
    eks_client = EKS(
        self._session.create_client('eks',
                                    region_name=self._region,
                                    verify=parsed_globals.verify_ssl))
    account_id = eks_client.get_account_id(self._cluster_name)
    oidc_provider = eks_client.get_oidc_issuer_id(self._cluster_name)
    # The role name is base36-encoded before it is placed in the template,
    # so it cannot carry characters that would alter the JSON below.
    base36_encoded_role_name = base36.encode(self._role_name)
    LOG.debug('Base36 encoded role name: %s', base36_encoded_role_name)
    # The statement is produced by %-formatting a JSON template string and
    # then parsing the result.  NOTE(review): namespace, account id and OIDC
    # issuer are inserted as-is; a value containing a quote or backslash
    # would corrupt or reshape the document -- confirm they are validated
    # before reaching this point.
    trust_policy_statement = json.loads(
        TRUST_POLICY_STATEMENT_FORMAT % {
            "AWS_ACCOUNT_ID": account_id,
            "OIDC_PROVIDER": oidc_provider,
            "NAMESPACE": self._namespace,
            "BASE36_ENCODED_ROLE_NAME": base36_encoded_role_name,
            # Partition (aws / aws-cn / aws-us-gov) derived from the region.
            "AWS_PARTITION": get_policy_arn_suffix(self._region)
        })
    LOG.debug('Computed Trust Policy Statement:\n%s',
              json.dumps(trust_policy_statement, indent=2))
    iam_client = IAM(
        self._session.create_client('iam',
                                    region_name=self._region,
                                    endpoint_url=self._endpoint_url,
                                    verify=parsed_globals.verify_ssl))
    assume_role_document = iam_client.get_assume_role_policy(
        self._role_name)
    # Whether the statement counts as "already present" is decided by
    # check_if_statement_exists; its matching rules are defined elsewhere.
    matches = check_if_statement_exists(trust_policy_statement,
                                        assume_role_document)
    if not matches:
        LOG.debug('Role %s does not have the required trust policy ',
                  self._role_name)
        # Append rather than replace, so existing statements are kept.
        existing_statements = assume_role_document.get("Statement")
        if existing_statements is None:
            assume_role_document["Statement"] = [trust_policy_statement]
        else:
            # NOTE(review): .append assumes a list-valued "Statement"; a
            # single-object Statement would raise here.
            existing_statements.append(trust_policy_statement)
        if self._dry_run:
            # Dry run: report the document that would be written, write nothing.
            return json.dumps(assume_role_document, indent=2)
        else:
            LOG.debug('Updating trust policy of role %s', self._role_name)
            iam_client.update_assume_role_policy(self._role_name,
                                                 assume_role_document)
            return TRUST_POLICY_UPDATE_SUCCESSFUL % self._role_name
    else:
        return TRUST_POLICY_STATEMENT_ALREADY_EXISTS % self._role_name
def get_role_policy_arn(region, policy_name):
    """Build the ARN for *policy_name* from ``ROLE_ARN_PATTERN``.

    ``{{region_suffix}}`` in the pattern is replaced by the partition suffix
    derived from *region*, then ``{{policy_name}}`` by *policy_name*.
    """
    substitutions = (
        ("{{region_suffix}}", get_policy_arn_suffix(region)),
        ("{{policy_name}}", policy_name),
    )
    arn = ROLE_ARN_PATTERN
    for placeholder, value in substitutions:
        arn = arn.replace(placeholder, value)
    return arn
def get_policy_arn(region, policy_name):
    """Build the ARN for *policy_name* from ``POLICY_ARN_PATTERN``.

    The first format slot receives the partition suffix derived from
    *region*, the second receives *policy_name*.
    """
    partition_suffix = get_policy_arn_suffix(region)
    return POLICY_ARN_PATTERN.format(partition_suffix, policy_name)