def configure(create, path, max_session_duration, trust_policy, trust_root,
              trusted_service, trusted_saml_provider, role_policy,
              attached_policy, role_name):
    """Create/configure/get IAM role.

    Looks up ``role_name``; when it does not exist and ``create`` is false
    the ``exc.NotFoundError`` raised by ``iamclient.get_role`` propagates.
    The assume-role (trust) document is read verbatim from the
    ``trust_policy`` file when one is given, otherwise generated from
    ``trust_root`` / ``trusted_service`` / ``trusted_saml_provider`` when
    any of them is set. A missing role is created; an existing role has its
    max session duration and trust document updated only for the values
    actually supplied. ``role_policy`` and ``attached_policy`` are applied
    through ``_set_role_policy`` and ``_set_attached_policy``. The resulting
    role, with its inline and attached policies, is written via ``cli.out``.
    """
    iam_conn = awscontext.GLOBAL.iam

    # Resolve the existing role first; NotFoundError is only tolerated when
    # creation was requested.
    try:
        existing = iamclient.get_role(iam_conn, role_name)
    except exc.NotFoundError:
        if not create:
            raise
        existing = None

    # An explicit trust policy file takes precedence over a generated one.
    trust_document = None
    if trust_policy:
        with io.open(trust_policy) as trust_file:
            trust_document = trust_file.read()
    elif any((trust_root, trusted_service, trusted_saml_provider)):
        trust_document = _generate_trust_document(
            trust_root, trusted_service, trusted_saml_provider)

    if not existing:
        # NOTE(review): trust_document may be None on this path; whether
        # _create_role supplies a default trust document is not visible here.
        _create_role(iam_conn, role_name, path, trust_document,
                     max_session_duration)
    else:
        if max_session_duration:
            iamclient.update_role(iam_conn, role_name, max_session_duration)
        if trust_document:
            iamclient.update_assume_role_policy(iam_conn, role_name,
                                                trust_document)

    if role_policy:
        _set_role_policy(iam_conn, role_name, role_policy)
    if attached_policy:
        _set_attached_policy(iam_conn, role_name, attached_policy)

    # Re-read so the printed state reflects every update made above.
    result = iamclient.get_role(iam_conn, role_name)
    result['RolePolicies'] = iamclient.list_role_policies(iam_conn, role_name)
    result['AttachedPolicies'] = iamclient.list_attached_role_policies(
        iam_conn, role_name)
    cli.out(formatter(result))
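def _set_role_policy(iam_conn, role_name, role_policy):
    """Reconcile the role's inline policies with ``role_policy``.

    Each entry of ``role_policy`` has the form ``<policy-name>:<policy-file>``;
    the file's contents are put verbatim as the inline policy document.
    Afterwards every inline policy on the role that is not named in
    ``role_policy`` is deleted, so the list is authoritative, not additive.

    Raises click.UsageError when an entry is not of the ``<name>:<file>`` form.
    """
    requested = set()
    for pol in role_policy:
        # Split on the first ':' only; the previous split(':', 2) produced a
        # third part for any file path containing ':' and failed to unpack.
        policy_name, sep, policy_file = pol.partition(':')
        if not sep or not policy_name or not policy_file:
            raise click.UsageError(
                'Invalid role policy [%s], expected <name>:<file>.' % pol)
        with io.open(policy_file) as f:
            policy_document = f.read()
        iamclient.put_role_policy(iam_conn, role_name, policy_name,
                                  policy_document)
        # Log after the call so a failed put is not reported as done.
        _LOGGER.info('updated/created role policy: %s', policy_name)
        requested.add(policy_name)

    # Remove every inline policy that was not part of the request.
    for policy_name in iamclient.list_role_policies(iam_conn, role_name):
        if policy_name not in requested:
            _LOGGER.info('removing role policy: %s', policy_name)
            iamclient.delete_role_policy(iam_conn, role_name, policy_name)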
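def delete(force, role_name):
    """Delete IAM role.

    With ``force`` the role's inline policies are deleted and its managed
    policies detached before the delete call, since IAM refuses to delete a
    role that still has either. Without ``force`` that refusal
    (``DeleteConflictException``) is reported as a ``click.UsageError``.

    NOTE(review): the same exception is raised when the role is still part
    of an instance profile; ``force`` does not handle that case, so the
    usage message may then be misleading.
    """
    iam_conn = awscontext.GLOBAL.iam

    if force:
        # Both steps run before delete_role, so if the delete still fails
        # the role is left in place with no permissions attached.
        for policy in iamclient.list_role_policies(iam_conn, role_name):
            _LOGGER.info('deleting inline policy: %s', policy)
            iamclient.delete_role_policy(iam_conn, role_name, policy)
        for policy in iamclient.list_attached_role_policies(iam_conn,
                                                            role_name):
            _LOGGER.info('detaching policy: %s', policy['PolicyArn'])
            iamclient.detach_role_policy(iam_conn, role_name,
                                         policy['PolicyArn'])

    try:
        iamclient.delete_role(iam_conn, role_name)
    except iam_conn.exceptions.DeleteConflictException:
        # The two literals were concatenated without a separating space
        # ("policies,use --force"); fixed by adding the trailing space.
        raise click.UsageError(
            'Role [%s] has inline or attached policies, '
            'use --force to force delete.' % role_name)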
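def configure(create, path, max_session_duration, trust_policy,
              trusted_entities, inline_policies, attached_policies,
              role_name):
    """Create/configure/get IAM role.

    Arguments for --trusted-entities are of the form:

    * root: : trusted AWS account
    * user:<user-name> : trusted IAM user
    * saml-provider:<provider-name>: : trusted SAML Provider
    * service:<service-name>: : trusted AWS Service

    The trust document is read verbatim from the ``trust_policy`` file when
    given, otherwise generated from ``trusted_entities``. When neither is
    supplied and ``create`` is set a ``click.UsageError`` is raised; when
    ``create`` is not set and the role does not exist the
    ``exc.NotFoundError`` from ``iamclient.get_role`` propagates. Inline and
    attached policies are applied through ``_set_role_policies`` and
    ``_set_attached_policies``; the resulting role, with its inline and
    attached policies, is written via ``cli.out``.
    """
    iam_conn = awscontext.GLOBAL.iam

    # Resolve the existing role first; NotFoundError is only tolerated when
    # creation was requested.
    try:
        role = iamclient.get_role(iam_conn, role_name)
    except exc.NotFoundError:
        if not create:
            raise
        role = None

    # An explicit trust policy file takes precedence over a generated one.
    if trust_policy:
        with io.open(trust_policy) as f:
            trust_document = f.read()
    elif trusted_entities:
        trust_document = _generate_trust_document(trusted_entities)
    elif create:
        # NOTE(review): this also triggers when the role already exists and
        # only e.g. max_session_duration is being updated with --create set.
        # Option name in the message was misspelled ("--trusted-entties").
        raise click.UsageError('Must specify one:\n'
                               ' --trust-policy\n'
                               ' --trusted-entities')
    else:
        trust_document = None

    if not role:
        _create_role(iam_conn, role_name, path, trust_document,
                     max_session_duration)
    else:
        if max_session_duration:
            iamclient.update_role(iam_conn, role_name, max_session_duration)
        if trust_document:
            iamclient.update_assume_role_policy(iam_conn, role_name,
                                                trust_document)

    if inline_policies:
        _set_role_policies(iam_conn, role_name, inline_policies)
    if attached_policies:
        _set_attached_policies(iam_conn, role_name, attached_policies)

    # Re-read so the printed state reflects every update made above.
    role = iamclient.get_role(iam_conn, role_name)
    role['RolePolicies'] = iamclient.list_role_policies(iam_conn, role_name)
    role['AttachedPolicies'] = iamclient.list_attached_role_policies(
        iam_conn, role_name)
    cli.out(formatter(role))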