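def iam_purge_instance_profiles():
    """Best-effort teardown of the instance profiles and roles defined in this codebase.

    Instance profiles are not well-exposed in the AWS Console (the online management tool),
    so this command removes them through the API. Every step is attempted independently and
    any error is printed rather than raised: a partially torn-down account is the expected
    starting state, and the error text is what tells you what is left.

    Note: you will probably have to go and manually delete a service role, though the error
    message should provide sufficient information for you to work out what to do. In
    particular, IAM refuses to delete a role while managed policies are still attached to it
    and this function does not detach them.
    """
    iam_client = create_iam_client()

    def attempt(success_message, api_call, **kwargs):
        # Run a single IAM call and report the outcome; deliberately never raises.
        try:
            api_call(**kwargs)
            print(success_message)
        except Exception as e:
            print(e)

    # An instance profile cannot be deleted while a role is still attached to it, so detach
    # the role that get_or_create_eb_instance_profile() adds before deleting the profile.
    attempt(
        "Removed %s from %s" % (EB_INSTANCE_PROFILE_ROLE, EB_INSTANCE_PROFILE_NAME),
        iam_client.remove_role_from_instance_profile,
        InstanceProfileName=EB_INSTANCE_PROFILE_NAME,
        RoleName=EB_INSTANCE_PROFILE_ROLE,
    )
    # Presumably a profile from an older naming scheme; harmless if it does not exist.
    attempt(
        "Deleted %s" % EB_INSTANCE_PROFILE_ROLE,
        iam_client.delete_instance_profile,
        InstanceProfileName=EB_INSTANCE_PROFILE_ROLE,
    )
    attempt(
        "Deleted %s" % EB_INSTANCE_PROFILE_NAME,
        iam_client.delete_instance_profile,
        InstanceProfileName=EB_INSTANCE_PROFILE_NAME,
    )
    # Roles go last: a role that is still referenced by a profile cannot be deleted.
    attempt(
        "Deleted %s" % EB_INSTANCE_PROFILE_ROLE,
        iam_client.delete_role,
        RoleName=EB_INSTANCE_PROFILE_ROLE,
    )
    attempt(
        "Deleted %s" % EB_SERVICE_ROLE,
        iam_client.delete_role,
        RoleName=EB_SERVICE_ROLE,
    )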
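def get_or_create_automation_policy():
    """Return the Beiwe automation managed policy, creating it if it does not exist.

    Searches the customer-managed policies (Scope="Local") for one named
    BEIWE_AUTOMATION_POLICY_NAME, paging through every result, and returns that policy
    dict. If none is found, creates it from get_automation_policy() and returns the
    "Policy" dict of the create_policy response.
    """
    iam_client = create_iam_client()
    # Paginate rather than rely on one MaxItems-capped call, which can silently miss the
    # policy; Scope="Local" skips the many AWS-managed policies that can never match.
    pages = iam_client.get_paginator("list_policies").paginate(Scope="Local")
    for page in pages:
        for policy in page["Policies"]:
            if policy["PolicyName"] == BEIWE_AUTOMATION_POLICY_NAME:
                return policy
    # Create under the same name that is searched for above; if the two ever differed,
    # every call after the first would attempt to create a duplicate policy.
    return iam_client.create_policy(
        PolicyName=BEIWE_AUTOMATION_POLICY_NAME,
        PolicyDocument=get_automation_policy(),
        Description="permissions the beiwe elastic beanstalk application.",
    )["Policy"]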
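def get_or_create_eb_instance_profile():
    """Return the Elastic Beanstalk instance profile, creating it if it is missing.

    Mirrors the instance profile the AWS console creates for an environment: a profile
    named EB_INSTANCE_PROFILE_NAME with the role from
    get_or_create_eb_instance_profile_role() added to it.

    Returns whatever iam_find_instance_profile() returns for EB_INSTANCE_PROFILE_NAME.
    The final lookup may raise IamEntityMissingError just as the first one does, e.g. if
    the newly created profile is not yet visible.
    """
    iam_client = create_iam_client()
    try:
        return iam_find_instance_profile(iam_client, EB_INSTANCE_PROFILE_NAME)
    except IamEntityMissingError:
        log.info("eb instance _profile_ not found, creating...")
    iam_client.create_instance_profile(InstanceProfileName=EB_INSTANCE_PROFILE_NAME)
    # An instance profile with no role is useless to EC2; the role is created on demand.
    iam_client.add_role_to_instance_profile(
        InstanceProfileName=EB_INSTANCE_PROFILE_NAME,
        RoleName=get_or_create_eb_instance_profile_role()["RoleName"],
    )
    return iam_find_instance_profile(iam_client, EB_INSTANCE_PROFILE_NAME)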
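def get_or_create_eb_instance_profile_role():
    """Return the IAM role assumed by the EC2 instances of the Elastic Beanstalk environment.

    Modelled on the role the AWS console creates: trust policy from
    get_instance_assume_role_policy_document(), with the AWS_EB_MULTICONTAINER_DOCKER,
    AWS_EB_WEB_TIER and AWS_EB_WORKER_TIER managed policies attached. The role is only
    created when iam_find_role() raises IamEntityMissingError.

    Returns whatever iam_find_role() returns for EB_INSTANCE_PROFILE_ROLE.
    """
    iam_client = create_iam_client()
    try:
        # Return the existing role directly instead of looking it up a second time.
        return iam_find_role(iam_client, EB_INSTANCE_PROFILE_ROLE)
    except IamEntityMissingError:
        log.info("eb instance profile _role_ not found, creating...")
    iam_create_role(
        iam_client, EB_INSTANCE_PROFILE_ROLE, get_instance_assume_role_policy_document()
    )
    # The multicontainer-docker policy is in the console-generated role but is almost
    # definitely not required by this application. It is kept for parity with the console;
    # dropping it would narrow the instances' permissions.
    iam_attach_role_policy(iam_client, EB_INSTANCE_PROFILE_ROLE, AWS_EB_MULTICONTAINER_DOCKER)
    iam_attach_role_policy(iam_client, EB_INSTANCE_PROFILE_ROLE, AWS_EB_WEB_TIER)
    iam_attach_role_policy(iam_client, EB_INSTANCE_PROFILE_ROLE, AWS_EB_WORKER_TIER)
    return iam_find_role(iam_client, EB_INSTANCE_PROFILE_ROLE)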
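def get_or_create_eb_service_role():
    """Return the service role the Elastic Beanstalk environment itself runs under.

    Modelled on the role the AWS console creates: trust policy from
    get_elasticbeanstalk_assume_role_policy_document(), with the AWS_EB_SERVICE and
    AWS_EB_ENHANCED_HEALTH managed policies attached. The role is only created when
    iam_find_role() raises IamEntityMissingError.

    Returns whatever iam_find_role() returns for EB_SERVICE_ROLE.
    """
    iam_client = create_iam_client()
    try:
        # Return the existing role directly instead of looking it up a second time.
        return iam_find_role(iam_client, EB_SERVICE_ROLE)
    except IamEntityMissingError:
        log.info("eb service role not found, creating...")
    iam_create_role(
        iam_client, EB_SERVICE_ROLE, get_elasticbeanstalk_assume_role_policy_document()
    )
    iam_attach_role_policy(iam_client, EB_SERVICE_ROLE, AWS_EB_SERVICE)
    iam_attach_role_policy(iam_client, EB_SERVICE_ROLE, AWS_EB_ENHANCED_HEALTH)
    return iam_find_role(iam_client, EB_SERVICE_ROLE)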
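def get_or_create_s3_access_policy(s3_bucket_name):
    """Return the managed policy granting read/write on one bucket, creating it if missing.

    Args:
        s3_bucket_name: name of the bucket. It forms the policy name
            ("s3-data-access-<bucket>") and is %-substituted into the policy document
            template returned by get_s3_bucket_access_policy().

    Returns the policy dict as IAM reports it, either a list_policies entry or the
    "Policy" dict of the create_policy response.
    """
    iam_client = create_iam_client()
    policy_name = "s3-data-access-" + s3_bucket_name
    # Paginate over customer-managed policies only; a single MaxItems-capped call can miss
    # the policy, and AWS-managed policies can never carry this name.
    pages = iam_client.get_paginator("list_policies").paginate(Scope="Local")
    for page in pages:
        for policy in page["Policies"]:
            if policy["PolicyName"] == policy_name:
                return policy
    # The template is %-formatted, so the bucket name is spliced straight into the policy
    # JSON. Valid bucket names cannot contain '%' or quotes, but this value is not
    # validated here — callers are expected to pass a real bucket name.
    policy_document = get_s3_bucket_access_policy() % s3_bucket_name
    return iam_client.create_policy(
        PolicyName=policy_name,
        PolicyDocument=policy_document,
        Description="allows read and write access to s3 bucket %s" % s3_bucket_name,
    )["Policy"]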
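def create_s3_access_credentials(s3_bucket_name):
    """Create a dedicated IAM user scoped to one bucket and return its access key.

    Creates the user "s3-data-access-user-<bucket>" (truncated to 63 characters), attaches
    the policy from get_or_create_s3_access_policy(), and issues a single access key.

    Args:
        s3_bucket_name: name of the bucket the user should be able to read and write.

    Returns a dict with "S3_ACCESS_CREDENTIALS_USER" (the access key id) and
    "S3_ACCESS_CREDENTIALS_KEY" (the secret access key). The secret is only available from
    this call and cannot be retrieved from IAM afterwards, so store it immediately.

    The underlying IAM calls raise on failure (for example if the user already exists).
    A failure after create_user leaves the user behind, so a re-run will hit that error
    until the user is removed.
    """
    iam_client = create_iam_client()
    # IAM user names are length-limited. Two buckets whose names agree on the first 43
    # characters would truncate to the same user name and the second create_user would fail.
    user_name = ("s3-data-access-user-" + s3_bucket_name)[:63]
    iam_client.create_user(UserName=user_name)
    s3_policy = get_or_create_s3_access_policy(s3_bucket_name)
    iam_client.attach_user_policy(UserName=user_name, PolicyArn=s3_policy["Arn"])
    # The secret is present only in this response; it is never returned by IAM again.
    access_key = iam_client.create_access_key(UserName=user_name)["AccessKey"]
    return {
        "S3_ACCESS_CREDENTIALS_USER": access_key["AccessKeyId"],
        "S3_ACCESS_CREDENTIALS_KEY": access_key["SecretAccessKey"],
    }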