1932 lines
70 KiB
Python
1932 lines
70 KiB
Python
# Copyright (c) 2010-2011 Mitch Garnaat http://garnaat.org/
|
|
# Copyright (c) 2010-2011, Eucalyptus Systems, Inc.
|
|
#
|
|
# Permission is hereby granted, free of charge, to any person obtaining a
|
|
# copy of this software and associated documentation files (the
|
|
# "Software"), to deal in the Software without restriction, including
|
|
# without limitation the rights to use, copy, modify, merge, publish, dis-
|
|
# tribute, sublicense, and/or sell copies of the Software, and to permit
|
|
# persons to whom the Software is furnished to do so, subject to the fol-
|
|
# lowing conditions:
|
|
#
|
|
# The above copyright notice and this permission notice shall be included
|
|
# in all copies or substantial portions of the Software.
|
|
#
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
|
|
# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
|
|
# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
|
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
# IN THE SOFTWARE.
|
|
import boto
|
|
import boto.jsonresponse
|
|
from boto.compat import json, six
|
|
from boto.resultset import ResultSet
|
|
from boto.iam.summarymap import SummaryMap
|
|
from boto.connection import AWSQueryConnection
|
|
|
|
DEFAULT_POLICY_DOCUMENTS = {
|
|
'default': {
|
|
'Statement': [
|
|
{
|
|
'Principal': {
|
|
'Service': ['ec2.amazonaws.com']
|
|
},
|
|
'Effect': 'Allow',
|
|
'Action': ['sts:AssumeRole']
|
|
}
|
|
]
|
|
},
|
|
'amazonaws.com.cn': {
|
|
'Statement': [
|
|
{
|
|
'Principal': {
|
|
'Service': ['ec2.amazonaws.com.cn']
|
|
},
|
|
'Effect': 'Allow',
|
|
'Action': ['sts:AssumeRole']
|
|
}
|
|
]
|
|
},
|
|
}
|
|
# For backward-compatibility, we'll preserve this here.
|
|
ASSUME_ROLE_POLICY_DOCUMENT = json.dumps(DEFAULT_POLICY_DOCUMENTS['default'])
|
|
|
|
|
|
class IAMConnection(AWSQueryConnection):
|
|
|
|
APIVersion = '2010-05-08'
|
|
|
|
def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
|
|
is_secure=True, port=None, proxy=None, proxy_port=None,
|
|
proxy_user=None, proxy_pass=None, host='iam.amazonaws.com',
|
|
debug=0, https_connection_factory=None, path='/',
|
|
security_token=None, validate_certs=True, profile_name=None):
|
|
super(IAMConnection, self).__init__(aws_access_key_id,
|
|
aws_secret_access_key,
|
|
is_secure, port, proxy,
|
|
proxy_port, proxy_user, proxy_pass,
|
|
host, debug, https_connection_factory,
|
|
path, security_token,
|
|
validate_certs=validate_certs,
|
|
profile_name=profile_name)
|
|
|
|
def _required_auth_capability(self):
|
|
return ['hmac-v4']
|
|
|
|
def get_response(self, action, params, path='/', parent=None,
|
|
verb='POST', list_marker='Set'):
|
|
"""
|
|
Utility method to handle calls to IAM and parsing of responses.
|
|
"""
|
|
if not parent:
|
|
parent = self
|
|
response = self.make_request(action, params, path, verb)
|
|
body = response.read()
|
|
boto.log.debug(body)
|
|
if response.status == 200:
|
|
if body:
|
|
e = boto.jsonresponse.Element(list_marker=list_marker,
|
|
pythonize_name=True)
|
|
h = boto.jsonresponse.XmlHandler(e, parent)
|
|
h.parse(body)
|
|
return e
|
|
else:
|
|
# Support empty responses, e.g. deleting a SAML provider
|
|
# according to the official documentation.
|
|
return {}
|
|
else:
|
|
boto.log.error('%s %s' % (response.status, response.reason))
|
|
boto.log.error('%s' % body)
|
|
raise self.ResponseError(response.status, response.reason, body)
|
|
|
|
#
|
|
# Group methods
|
|
#
|
|
|
|
def get_all_groups(self, path_prefix='/', marker=None, max_items=None):
|
|
"""
|
|
List the groups that have the specified path prefix.
|
|
|
|
:type path_prefix: string
|
|
:param path_prefix: If provided, only groups whose paths match
|
|
the provided prefix will be returned.
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
"""
|
|
params = {}
|
|
if path_prefix:
|
|
params['PathPrefix'] = path_prefix
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListGroups', params,
|
|
list_marker='Groups')
|
|
|
|
def get_group(self, group_name, marker=None, max_items=None):
|
|
"""
|
|
Return a list of users that are in the specified group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group whose information should
|
|
be returned.
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
"""
|
|
params = {'GroupName': group_name}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('GetGroup', params, list_marker='Users')
|
|
|
|
def create_group(self, group_name, path='/'):
|
|
"""
|
|
Create a group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the new group
|
|
|
|
:type path: string
|
|
:param path: The path to the group (Optional). Defaults to /.
|
|
|
|
"""
|
|
params = {'GroupName': group_name,
|
|
'Path': path}
|
|
return self.get_response('CreateGroup', params)
|
|
|
|
def delete_group(self, group_name):
|
|
"""
|
|
Delete a group. The group must not contain any Users or
|
|
have any attached policies
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group to delete.
|
|
|
|
"""
|
|
params = {'GroupName': group_name}
|
|
return self.get_response('DeleteGroup', params)
|
|
|
|
def update_group(self, group_name, new_group_name=None, new_path=None):
|
|
"""
|
|
Updates name and/or path of the specified group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the new group
|
|
|
|
:type new_group_name: string
|
|
:param new_group_name: If provided, the name of the group will be
|
|
changed to this name.
|
|
|
|
:type new_path: string
|
|
:param new_path: If provided, the path of the group will be
|
|
changed to this path.
|
|
|
|
"""
|
|
params = {'GroupName': group_name}
|
|
if new_group_name:
|
|
params['NewGroupName'] = new_group_name
|
|
if new_path:
|
|
params['NewPath'] = new_path
|
|
return self.get_response('UpdateGroup', params)
|
|
|
|
def add_user_to_group(self, group_name, user_name):
|
|
"""
|
|
Add a user to a group
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group
|
|
|
|
:type user_name: string
|
|
:param user_name: The to be added to the group.
|
|
|
|
"""
|
|
params = {'GroupName': group_name,
|
|
'UserName': user_name}
|
|
return self.get_response('AddUserToGroup', params)
|
|
|
|
def remove_user_from_group(self, group_name, user_name):
|
|
"""
|
|
Remove a user from a group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group
|
|
|
|
:type user_name: string
|
|
:param user_name: The user to remove from the group.
|
|
|
|
"""
|
|
params = {'GroupName': group_name,
|
|
'UserName': user_name}
|
|
return self.get_response('RemoveUserFromGroup', params)
|
|
|
|
def put_group_policy(self, group_name, policy_name, policy_json):
|
|
"""
|
|
Adds or updates the specified policy document for the specified group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group the policy is associated with.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: The policy document to get.
|
|
|
|
:type policy_json: string
|
|
:param policy_json: The policy document.
|
|
|
|
"""
|
|
params = {'GroupName': group_name,
|
|
'PolicyName': policy_name,
|
|
'PolicyDocument': policy_json}
|
|
return self.get_response('PutGroupPolicy', params, verb='POST')
|
|
|
|
def get_all_group_policies(self, group_name, marker=None, max_items=None):
|
|
"""
|
|
List the names of the policies associated with the specified group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group the policy is associated with.
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
"""
|
|
params = {'GroupName': group_name}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListGroupPolicies', params,
|
|
list_marker='PolicyNames')
|
|
|
|
def get_group_policy(self, group_name, policy_name):
|
|
"""
|
|
Retrieves the specified policy document for the specified group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group the policy is associated with.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: The policy document to get.
|
|
|
|
"""
|
|
params = {'GroupName': group_name,
|
|
'PolicyName': policy_name}
|
|
return self.get_response('GetGroupPolicy', params, verb='POST')
|
|
|
|
def delete_group_policy(self, group_name, policy_name):
|
|
"""
|
|
Deletes the specified policy document for the specified group.
|
|
|
|
:type group_name: string
|
|
:param group_name: The name of the group the policy is associated with.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: The policy document to delete.
|
|
|
|
"""
|
|
params = {'GroupName': group_name,
|
|
'PolicyName': policy_name}
|
|
return self.get_response('DeleteGroupPolicy', params, verb='POST')
|
|
|
|
def get_all_users(self, path_prefix='/', marker=None, max_items=None):
|
|
"""
|
|
List the users that have the specified path prefix.
|
|
|
|
:type path_prefix: string
|
|
:param path_prefix: If provided, only users whose paths match
|
|
the provided prefix will be returned.
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
"""
|
|
params = {'PathPrefix': path_prefix}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListUsers', params, list_marker='Users')
|
|
|
|
#
|
|
# User methods
|
|
#
|
|
|
|
def create_user(self, user_name, path='/'):
|
|
"""
|
|
Create a user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the new user
|
|
|
|
:type path: string
|
|
:param path: The path in which the user will be created.
|
|
Defaults to /.
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'Path': path}
|
|
return self.get_response('CreateUser', params)
|
|
|
|
def delete_user(self, user_name):
|
|
"""
|
|
Delete a user including the user's path, GUID and ARN.
|
|
|
|
If the user_name is not specified, the user_name is determined
|
|
implicitly based on the AWS Access Key ID used to sign the request.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user to delete.
|
|
|
|
"""
|
|
params = {'UserName': user_name}
|
|
return self.get_response('DeleteUser', params)
|
|
|
|
def get_user(self, user_name=None):
|
|
"""
|
|
Retrieve information about the specified user.
|
|
|
|
If the user_name is not specified, the user_name is determined
|
|
implicitly based on the AWS Access Key ID used to sign the request.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user to retrieve.
|
|
If not specified, defaults to user making request.
|
|
"""
|
|
params = {}
|
|
if user_name:
|
|
params['UserName'] = user_name
|
|
return self.get_response('GetUser', params)
|
|
|
|
def update_user(self, user_name, new_user_name=None, new_path=None):
|
|
"""
|
|
Updates name and/or path of the specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user
|
|
|
|
:type new_user_name: string
|
|
:param new_user_name: If provided, the username of the user will be
|
|
changed to this username.
|
|
|
|
:type new_path: string
|
|
:param new_path: If provided, the path of the user will be
|
|
changed to this path.
|
|
|
|
"""
|
|
params = {'UserName': user_name}
|
|
if new_user_name:
|
|
params['NewUserName'] = new_user_name
|
|
if new_path:
|
|
params['NewPath'] = new_path
|
|
return self.get_response('UpdateUser', params)
|
|
|
|
def get_all_user_policies(self, user_name, marker=None, max_items=None):
|
|
"""
|
|
List the names of the policies associated with the specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user the policy is associated with.
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
"""
|
|
params = {'UserName': user_name}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListUserPolicies', params,
|
|
list_marker='PolicyNames')
|
|
|
|
def put_user_policy(self, user_name, policy_name, policy_json):
|
|
"""
|
|
Adds or updates the specified policy document for the specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user the policy is associated with.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: The policy document to get.
|
|
|
|
:type policy_json: string
|
|
:param policy_json: The policy document.
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'PolicyName': policy_name,
|
|
'PolicyDocument': policy_json}
|
|
return self.get_response('PutUserPolicy', params, verb='POST')
|
|
|
|
def get_user_policy(self, user_name, policy_name):
|
|
"""
|
|
Retrieves the specified policy document for the specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user the policy is associated with.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: The policy document to get.
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'PolicyName': policy_name}
|
|
return self.get_response('GetUserPolicy', params, verb='POST')
|
|
|
|
def delete_user_policy(self, user_name, policy_name):
|
|
"""
|
|
Deletes the specified policy document for the specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user the policy is associated with.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: The policy document to delete.
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'PolicyName': policy_name}
|
|
return self.get_response('DeleteUserPolicy', params, verb='POST')
|
|
|
|
def get_groups_for_user(self, user_name, marker=None, max_items=None):
|
|
"""
|
|
List the groups that a specified user belongs to.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user to list groups for.
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
"""
|
|
params = {'UserName': user_name}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListGroupsForUser', params,
|
|
list_marker='Groups')
|
|
|
|
#
|
|
# Access Keys
|
|
#
|
|
|
|
def get_all_access_keys(self, user_name, marker=None, max_items=None):
|
|
"""
|
|
Get all access keys associated with an account.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
"""
|
|
params = {'UserName': user_name}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListAccessKeys', params,
|
|
list_marker='AccessKeyMetadata')
|
|
|
|
def create_access_key(self, user_name=None):
|
|
"""
|
|
Create a new AWS Secret Access Key and corresponding AWS Access Key ID
|
|
for the specified user. The default status for new keys is Active
|
|
|
|
If the user_name is not specified, the user_name is determined
|
|
implicitly based on the AWS Access Key ID used to sign the request.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
"""
|
|
params = {'UserName': user_name}
|
|
return self.get_response('CreateAccessKey', params)
|
|
|
|
def update_access_key(self, access_key_id, status, user_name=None):
|
|
"""
|
|
Changes the status of the specified access key from Active to Inactive
|
|
or vice versa. This action can be used to disable a user's key as
|
|
part of a key rotation workflow.
|
|
|
|
If the user_name is not specified, the user_name is determined
|
|
implicitly based on the AWS Access Key ID used to sign the request.
|
|
|
|
:type access_key_id: string
|
|
:param access_key_id: The ID of the access key.
|
|
|
|
:type status: string
|
|
:param status: Either Active or Inactive.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of user (optional).
|
|
|
|
"""
|
|
params = {'AccessKeyId': access_key_id,
|
|
'Status': status}
|
|
if user_name:
|
|
params['UserName'] = user_name
|
|
return self.get_response('UpdateAccessKey', params)
|
|
|
|
def delete_access_key(self, access_key_id, user_name=None):
|
|
"""
|
|
Delete an access key associated with a user.
|
|
|
|
If the user_name is not specified, it is determined implicitly based
|
|
on the AWS Access Key ID used to sign the request.
|
|
|
|
:type access_key_id: string
|
|
:param access_key_id: The ID of the access key to be deleted.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
"""
|
|
params = {'AccessKeyId': access_key_id}
|
|
if user_name:
|
|
params['UserName'] = user_name
|
|
return self.get_response('DeleteAccessKey', params)
|
|
|
|
#
|
|
# Signing Certificates
|
|
#
|
|
|
|
def get_all_signing_certs(self, marker=None, max_items=None,
|
|
user_name=None):
|
|
"""
|
|
Get all signing certificates associated with an account.
|
|
|
|
If the user_name is not specified, it is determined implicitly based
|
|
on the AWS Access Key ID used to sign the request.
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
"""
|
|
params = {}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
if user_name:
|
|
params['UserName'] = user_name
|
|
return self.get_response('ListSigningCertificates',
|
|
params, list_marker='Certificates')
|
|
|
|
def update_signing_cert(self, cert_id, status, user_name=None):
|
|
"""
|
|
Change the status of the specified signing certificate from
|
|
Active to Inactive or vice versa.
|
|
|
|
If the user_name is not specified, it is determined implicitly based
|
|
on the AWS Access Key ID used to sign the request.
|
|
|
|
:type cert_id: string
|
|
:param cert_id: The ID of the signing certificate
|
|
|
|
:type status: string
|
|
:param status: Either Active or Inactive.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
"""
|
|
params = {'CertificateId': cert_id,
|
|
'Status': status}
|
|
if user_name:
|
|
params['UserName'] = user_name
|
|
return self.get_response('UpdateSigningCertificate', params)
|
|
|
|
def upload_signing_cert(self, cert_body, user_name=None):
|
|
"""
|
|
Uploads an X.509 signing certificate and associates it with
|
|
the specified user.
|
|
|
|
If the user_name is not specified, it is determined implicitly based
|
|
on the AWS Access Key ID used to sign the request.
|
|
|
|
:type cert_body: string
|
|
:param cert_body: The body of the signing certificate.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
"""
|
|
params = {'CertificateBody': cert_body}
|
|
if user_name:
|
|
params['UserName'] = user_name
|
|
return self.get_response('UploadSigningCertificate', params,
|
|
verb='POST')
|
|
|
|
def delete_signing_cert(self, cert_id, user_name=None):
|
|
"""
|
|
Delete a signing certificate associated with a user.
|
|
|
|
If the user_name is not specified, it is determined implicitly based
|
|
on the AWS Access Key ID used to sign the request.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
:type cert_id: string
|
|
:param cert_id: The ID of the certificate.
|
|
|
|
"""
|
|
params = {'CertificateId': cert_id}
|
|
if user_name:
|
|
params['UserName'] = user_name
|
|
return self.get_response('DeleteSigningCertificate', params)
|
|
|
|
#
|
|
# Server Certificates
|
|
#
|
|
|
|
def list_server_certs(self, path_prefix='/',
|
|
marker=None, max_items=None):
|
|
"""
|
|
Lists the server certificates that have the specified path prefix.
|
|
If none exist, the action returns an empty list.
|
|
|
|
:type path_prefix: string
|
|
:param path_prefix: If provided, only certificates whose paths match
|
|
the provided prefix will be returned.
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
|
|
"""
|
|
params = {}
|
|
if path_prefix:
|
|
params['PathPrefix'] = path_prefix
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListServerCertificates',
|
|
params,
|
|
list_marker='ServerCertificateMetadataList')
|
|
|
|
# Preserves backwards compatibility.
|
|
# TODO: Look into deprecating this eventually?
|
|
get_all_server_certs = list_server_certs
|
|
|
|
def update_server_cert(self, cert_name, new_cert_name=None,
|
|
new_path=None):
|
|
"""
|
|
Updates the name and/or the path of the specified server certificate.
|
|
|
|
:type cert_name: string
|
|
:param cert_name: The name of the server certificate that you want
|
|
to update.
|
|
|
|
:type new_cert_name: string
|
|
:param new_cert_name: The new name for the server certificate.
|
|
Include this only if you are updating the
|
|
server certificate's name.
|
|
|
|
:type new_path: string
|
|
:param new_path: If provided, the path of the certificate will be
|
|
changed to this path.
|
|
"""
|
|
params = {'ServerCertificateName': cert_name}
|
|
if new_cert_name:
|
|
params['NewServerCertificateName'] = new_cert_name
|
|
if new_path:
|
|
params['NewPath'] = new_path
|
|
return self.get_response('UpdateServerCertificate', params)
|
|
|
|
def upload_server_cert(self, cert_name, cert_body, private_key,
|
|
cert_chain=None, path=None):
|
|
"""
|
|
Uploads a server certificate entity for the AWS Account.
|
|
The server certificate entity includes a public key certificate,
|
|
a private key, and an optional certificate chain, which should
|
|
all be PEM-encoded.
|
|
|
|
:type cert_name: string
|
|
:param cert_name: The name for the server certificate. Do not
|
|
include the path in this value.
|
|
|
|
:type cert_body: string
|
|
:param cert_body: The contents of the public key certificate
|
|
in PEM-encoded format.
|
|
|
|
:type private_key: string
|
|
:param private_key: The contents of the private key in
|
|
PEM-encoded format.
|
|
|
|
:type cert_chain: string
|
|
:param cert_chain: The contents of the certificate chain. This
|
|
is typically a concatenation of the PEM-encoded
|
|
public key certificates of the chain.
|
|
|
|
:type path: string
|
|
:param path: The path for the server certificate.
|
|
"""
|
|
params = {'ServerCertificateName': cert_name,
|
|
'CertificateBody': cert_body,
|
|
'PrivateKey': private_key}
|
|
if cert_chain:
|
|
params['CertificateChain'] = cert_chain
|
|
if path:
|
|
params['Path'] = path
|
|
return self.get_response('UploadServerCertificate', params,
|
|
verb='POST')
|
|
|
|
def get_server_certificate(self, cert_name):
|
|
"""
|
|
Retrieves information about the specified server certificate.
|
|
|
|
:type cert_name: string
|
|
:param cert_name: The name of the server certificate you want
|
|
to retrieve information about.
|
|
|
|
"""
|
|
params = {'ServerCertificateName': cert_name}
|
|
return self.get_response('GetServerCertificate', params)
|
|
|
|
def delete_server_cert(self, cert_name):
|
|
"""
|
|
Delete the specified server certificate.
|
|
|
|
:type cert_name: string
|
|
:param cert_name: The name of the server certificate you want
|
|
to delete.
|
|
|
|
"""
|
|
params = {'ServerCertificateName': cert_name}
|
|
return self.get_response('DeleteServerCertificate', params)
|
|
|
|
#
|
|
# MFA Devices
|
|
#
|
|
|
|
def get_all_mfa_devices(self, user_name, marker=None, max_items=None):
|
|
"""
|
|
Get all MFA devices associated with an account.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
:type marker: string
|
|
:param marker: Use this only when paginating results and only
|
|
in follow-up request after you've received a response
|
|
where the results are truncated. Set this to the value of
|
|
the Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this only when paginating results to indicate
|
|
the maximum number of groups you want in the response.
|
|
|
|
"""
|
|
params = {'UserName': user_name}
|
|
if marker:
|
|
params['Marker'] = marker
|
|
if max_items:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListMFADevices',
|
|
params, list_marker='MFADevices')
|
|
|
|
def enable_mfa_device(self, user_name, serial_number,
|
|
auth_code_1, auth_code_2):
|
|
"""
|
|
Enables the specified MFA device and associates it with the
|
|
specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
:type serial_number: string
|
|
:param serial_number: The serial number which uniquely identifies
|
|
the MFA device.
|
|
|
|
:type auth_code_1: string
|
|
:param auth_code_1: An authentication code emitted by the device.
|
|
|
|
:type auth_code_2: string
|
|
:param auth_code_2: A subsequent authentication code emitted
|
|
by the device.
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'SerialNumber': serial_number,
|
|
'AuthenticationCode1': auth_code_1,
|
|
'AuthenticationCode2': auth_code_2}
|
|
return self.get_response('EnableMFADevice', params)
|
|
|
|
def deactivate_mfa_device(self, user_name, serial_number):
|
|
"""
|
|
Deactivates the specified MFA device and removes it from
|
|
association with the user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
:type serial_number: string
|
|
:param serial_number: The serial number which uniquely identifies
|
|
the MFA device.
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'SerialNumber': serial_number}
|
|
return self.get_response('DeactivateMFADevice', params)
|
|
|
|
def resync_mfa_device(self, user_name, serial_number,
|
|
auth_code_1, auth_code_2):
|
|
"""
|
|
Syncronizes the specified MFA device with the AWS servers.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
:type serial_number: string
|
|
:param serial_number: The serial number which uniquely identifies
|
|
the MFA device.
|
|
|
|
:type auth_code_1: string
|
|
:param auth_code_1: An authentication code emitted by the device.
|
|
|
|
:type auth_code_2: string
|
|
:param auth_code_2: A subsequent authentication code emitted
|
|
by the device.
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'SerialNumber': serial_number,
|
|
'AuthenticationCode1': auth_code_1,
|
|
'AuthenticationCode2': auth_code_2}
|
|
return self.get_response('ResyncMFADevice', params)
|
|
|
|
#
|
|
# Login Profiles
|
|
#
|
|
|
|
def get_login_profiles(self, user_name):
|
|
"""
|
|
Retrieves the login profile for the specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The username of the user
|
|
|
|
"""
|
|
params = {'UserName': user_name}
|
|
return self.get_response('GetLoginProfile', params)
|
|
|
|
def create_login_profile(self, user_name, password):
|
|
"""
|
|
Creates a login profile for the specified user, give the user the
|
|
ability to access AWS services and the AWS Management Console.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user
|
|
|
|
:type password: string
|
|
:param password: The new password for the user
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'Password': password}
|
|
return self.get_response('CreateLoginProfile', params)
|
|
|
|
def delete_login_profile(self, user_name):
|
|
"""
|
|
Deletes the login profile associated with the specified user.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user to delete.
|
|
|
|
"""
|
|
params = {'UserName': user_name}
|
|
return self.get_response('DeleteLoginProfile', params)
|
|
|
|
def update_login_profile(self, user_name, password):
|
|
"""
|
|
Resets the password associated with the user's login profile.
|
|
|
|
:type user_name: string
|
|
:param user_name: The name of the user
|
|
|
|
:type password: string
|
|
:param password: The new password for the user
|
|
|
|
"""
|
|
params = {'UserName': user_name,
|
|
'Password': password}
|
|
return self.get_response('UpdateLoginProfile', params)
|
|
|
|
def create_account_alias(self, alias):
|
|
"""
|
|
Creates a new alias for the AWS account.
|
|
|
|
For more information on account id aliases, please see
|
|
http://goo.gl/ToB7G
|
|
|
|
:type alias: string
|
|
:param alias: The alias to attach to the account.
|
|
"""
|
|
params = {'AccountAlias': alias}
|
|
return self.get_response('CreateAccountAlias', params)
|
|
|
|
def delete_account_alias(self, alias):
|
|
"""
|
|
Deletes an alias for the AWS account.
|
|
|
|
For more information on account id aliases, please see
|
|
http://goo.gl/ToB7G
|
|
|
|
:type alias: string
|
|
:param alias: The alias to remove from the account.
|
|
"""
|
|
params = {'AccountAlias': alias}
|
|
return self.get_response('DeleteAccountAlias', params)
|
|
|
|
def get_account_alias(self):
|
|
"""
|
|
Get the alias for the current account.
|
|
|
|
This is referred to in the docs as list_account_aliases,
|
|
but it seems you can only have one account alias currently.
|
|
|
|
For more information on account id aliases, please see
|
|
http://goo.gl/ToB7G
|
|
"""
|
|
return self.get_response('ListAccountAliases', {},
|
|
list_marker='AccountAliases')
|
|
|
|
def get_signin_url(self, service='ec2'):
|
|
"""
|
|
Get the URL where IAM users can use their login profile to sign in
|
|
to this account's console.
|
|
|
|
:type service: string
|
|
:param service: Default service to go to in the console.
|
|
"""
|
|
alias = self.get_account_alias()
|
|
|
|
if not alias:
|
|
raise Exception('No alias associated with this account. Please use iam.create_account_alias() first.')
|
|
|
|
resp = alias.get('list_account_aliases_response', {})
|
|
result = resp.get('list_account_aliases_result', {})
|
|
aliases = result.get('account_aliases', [])
|
|
|
|
if not len(aliases):
|
|
raise Exception('No alias associated with this account. Please use iam.create_account_alias() first.')
|
|
|
|
# We'll just use the first one we find.
|
|
alias = aliases[0]
|
|
|
|
if self.host == 'iam.us-gov.amazonaws.com':
|
|
return "https://%s.signin.amazonaws-us-gov.com/console/%s" % (
|
|
alias,
|
|
service
|
|
)
|
|
elif self.host.endswith('amazonaws.com.cn'):
|
|
return "https://%s.signin.amazonaws.cn/console/%s" % (
|
|
alias,
|
|
service
|
|
)
|
|
else:
|
|
return "https://%s.signin.aws.amazon.com/console/%s" % (
|
|
alias,
|
|
service
|
|
)
|
|
|
|
def get_account_summary(self):
|
|
"""
|
|
Get the alias for the current account.
|
|
|
|
This is referred to in the docs as list_account_aliases,
|
|
but it seems you can only have one account alias currently.
|
|
|
|
For more information on account id aliases, please see
|
|
http://goo.gl/ToB7G
|
|
"""
|
|
return self.get_object('GetAccountSummary', {}, SummaryMap)
|
|
|
|
#
|
|
# IAM Roles
|
|
#
|
|
|
|
def add_role_to_instance_profile(self, instance_profile_name, role_name):
|
|
"""
|
|
Adds the specified role to the specified instance profile.
|
|
|
|
:type instance_profile_name: string
|
|
:param instance_profile_name: Name of the instance profile to update.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role to add.
|
|
"""
|
|
return self.get_response('AddRoleToInstanceProfile',
|
|
{'InstanceProfileName': instance_profile_name,
|
|
'RoleName': role_name})
|
|
|
|
def create_instance_profile(self, instance_profile_name, path=None):
|
|
"""
|
|
Creates a new instance profile.
|
|
|
|
:type instance_profile_name: string
|
|
:param instance_profile_name: Name of the instance profile to create.
|
|
|
|
:type path: string
|
|
:param path: The path to the instance profile.
|
|
"""
|
|
params = {'InstanceProfileName': instance_profile_name}
|
|
if path is not None:
|
|
params['Path'] = path
|
|
return self.get_response('CreateInstanceProfile', params)
|
|
|
|
def _build_policy(self, assume_role_policy_document=None):
|
|
if assume_role_policy_document is not None:
|
|
if isinstance(assume_role_policy_document, six.string_types):
|
|
# Historically, they had to pass a string. If it's a string,
|
|
# assume the user has already handled it.
|
|
return assume_role_policy_document
|
|
else:
|
|
|
|
for tld, policy in DEFAULT_POLICY_DOCUMENTS.items():
|
|
if tld is 'default':
|
|
# Skip the default. We'll fall back to it if we don't find
|
|
# anything.
|
|
continue
|
|
|
|
if self.host and self.host.endswith(tld):
|
|
assume_role_policy_document = policy
|
|
break
|
|
|
|
if not assume_role_policy_document:
|
|
assume_role_policy_document = DEFAULT_POLICY_DOCUMENTS['default']
|
|
|
|
# Dump the policy (either user-supplied ``dict`` or one of the defaults)
|
|
return json.dumps(assume_role_policy_document)
|
|
|
|
def create_role(self, role_name, assume_role_policy_document=None, path=None):
|
|
"""
|
|
Creates a new role for your AWS account.
|
|
|
|
The policy grants permission to an EC2 instance to assume the role.
|
|
The policy is URL-encoded according to RFC 3986. Currently, only EC2
|
|
instances can assume roles.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role to create.
|
|
|
|
:type assume_role_policy_document: ``string`` or ``dict``
|
|
:param assume_role_policy_document: The policy that grants an entity
|
|
permission to assume the role.
|
|
|
|
:type path: string
|
|
:param path: The path to the role.
|
|
"""
|
|
params = {
|
|
'RoleName': role_name,
|
|
'AssumeRolePolicyDocument': self._build_policy(
|
|
assume_role_policy_document
|
|
),
|
|
}
|
|
if path is not None:
|
|
params['Path'] = path
|
|
return self.get_response('CreateRole', params)
|
|
|
|
def delete_instance_profile(self, instance_profile_name):
|
|
"""
|
|
Deletes the specified instance profile. The instance profile must not
|
|
have an associated role.
|
|
|
|
:type instance_profile_name: string
|
|
:param instance_profile_name: Name of the instance profile to delete.
|
|
"""
|
|
return self.get_response(
|
|
'DeleteInstanceProfile',
|
|
{'InstanceProfileName': instance_profile_name})
|
|
|
|
def delete_role(self, role_name):
|
|
"""
|
|
Deletes the specified role. The role must not have any policies
|
|
attached.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role to delete.
|
|
"""
|
|
return self.get_response('DeleteRole', {'RoleName': role_name})
|
|
|
|
def delete_role_policy(self, role_name, policy_name):
|
|
"""
|
|
Deletes the specified policy associated with the specified role.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role associated with the policy.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: Name of the policy to delete.
|
|
"""
|
|
return self.get_response(
|
|
'DeleteRolePolicy',
|
|
{'RoleName': role_name, 'PolicyName': policy_name})
|
|
|
|
def get_instance_profile(self, instance_profile_name):
|
|
"""
|
|
Retrieves information about the specified instance profile, including
|
|
the instance profile's path, GUID, ARN, and role.
|
|
|
|
:type instance_profile_name: string
|
|
:param instance_profile_name: Name of the instance profile to get
|
|
information about.
|
|
"""
|
|
return self.get_response('GetInstanceProfile',
|
|
{'InstanceProfileName': instance_profile_name})
|
|
|
|
def get_role(self, role_name):
|
|
"""
|
|
Retrieves information about the specified role, including the role's
|
|
path, GUID, ARN, and the policy granting permission to EC2 to assume
|
|
the role.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role associated with the policy.
|
|
"""
|
|
return self.get_response('GetRole', {'RoleName': role_name})
|
|
|
|
def get_role_policy(self, role_name, policy_name):
|
|
"""
|
|
Retrieves the specified policy document for the specified role.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role associated with the policy.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: Name of the policy to get.
|
|
"""
|
|
return self.get_response('GetRolePolicy',
|
|
{'RoleName': role_name,
|
|
'PolicyName': policy_name})
|
|
|
|
def list_instance_profiles(self, path_prefix=None, marker=None,
|
|
max_items=None):
|
|
"""
|
|
Lists the instance profiles that have the specified path prefix. If
|
|
there are none, the action returns an empty list.
|
|
|
|
:type path_prefix: string
|
|
:param path_prefix: The path prefix for filtering the results. For
|
|
example: /application_abc/component_xyz/, which would get all
|
|
instance profiles whose path starts with
|
|
/application_abc/component_xyz/.
|
|
|
|
:type marker: string
|
|
:param marker: Use this parameter only when paginating results, and
|
|
only in a subsequent request after you've received a response
|
|
where the results are truncated. Set it to the value of the
|
|
Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this parameter only when paginating results to
|
|
indicate the maximum number of user names you want in the response.
|
|
"""
|
|
params = {}
|
|
if path_prefix is not None:
|
|
params['PathPrefix'] = path_prefix
|
|
if marker is not None:
|
|
params['Marker'] = marker
|
|
if max_items is not None:
|
|
params['MaxItems'] = max_items
|
|
|
|
return self.get_response('ListInstanceProfiles', params,
|
|
list_marker='InstanceProfiles')
|
|
|
|
def list_instance_profiles_for_role(self, role_name, marker=None,
|
|
max_items=None):
|
|
"""
|
|
Lists the instance profiles that have the specified associated role. If
|
|
there are none, the action returns an empty list.
|
|
|
|
:type role_name: string
|
|
:param role_name: The name of the role to list instance profiles for.
|
|
|
|
:type marker: string
|
|
:param marker: Use this parameter only when paginating results, and
|
|
only in a subsequent request after you've received a response
|
|
where the results are truncated. Set it to the value of the
|
|
Marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this parameter only when paginating results to
|
|
indicate the maximum number of user names you want in the response.
|
|
"""
|
|
params = {'RoleName': role_name}
|
|
if marker is not None:
|
|
params['Marker'] = marker
|
|
if max_items is not None:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListInstanceProfilesForRole', params,
|
|
list_marker='InstanceProfiles')
|
|
|
|
def list_role_policies(self, role_name, marker=None, max_items=None):
|
|
"""
|
|
Lists the names of the policies associated with the specified role. If
|
|
there are none, the action returns an empty list.
|
|
|
|
:type role_name: string
|
|
:param role_name: The name of the role to list policies for.
|
|
|
|
:type marker: string
|
|
:param marker: Use this parameter only when paginating results, and
|
|
only in a subsequent request after you've received a response
|
|
where the results are truncated. Set it to the value of the
|
|
marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this parameter only when paginating results to
|
|
indicate the maximum number of user names you want in the response.
|
|
"""
|
|
params = {'RoleName': role_name}
|
|
if marker is not None:
|
|
params['Marker'] = marker
|
|
if max_items is not None:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListRolePolicies', params,
|
|
list_marker='PolicyNames')
|
|
|
|
def list_roles(self, path_prefix=None, marker=None, max_items=None):
|
|
"""
|
|
Lists the roles that have the specified path prefix. If there are none,
|
|
the action returns an empty list.
|
|
|
|
:type path_prefix: string
|
|
:param path_prefix: The path prefix for filtering the results.
|
|
|
|
:type marker: string
|
|
:param marker: Use this parameter only when paginating results, and
|
|
only in a subsequent request after you've received a response
|
|
where the results are truncated. Set it to the value of the
|
|
marker element in the response you just received.
|
|
|
|
:type max_items: int
|
|
:param max_items: Use this parameter only when paginating results to
|
|
indicate the maximum number of user names you want in the response.
|
|
"""
|
|
params = {}
|
|
if path_prefix is not None:
|
|
params['PathPrefix'] = path_prefix
|
|
if marker is not None:
|
|
params['Marker'] = marker
|
|
if max_items is not None:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response('ListRoles', params, list_marker='Roles')
|
|
|
|
def put_role_policy(self, role_name, policy_name, policy_document):
|
|
"""
|
|
Adds (or updates) a policy document associated with the specified role.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role to associate the policy with.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: Name of the policy document.
|
|
|
|
:type policy_document: string
|
|
:param policy_document: The policy document.
|
|
"""
|
|
return self.get_response('PutRolePolicy',
|
|
{'RoleName': role_name,
|
|
'PolicyName': policy_name,
|
|
'PolicyDocument': policy_document})
|
|
|
|
def remove_role_from_instance_profile(self, instance_profile_name,
|
|
role_name):
|
|
"""
|
|
Removes the specified role from the specified instance profile.
|
|
|
|
:type instance_profile_name: string
|
|
:param instance_profile_name: Name of the instance profile to update.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role to remove.
|
|
"""
|
|
return self.get_response('RemoveRoleFromInstanceProfile',
|
|
{'InstanceProfileName': instance_profile_name,
|
|
'RoleName': role_name})
|
|
|
|
def update_assume_role_policy(self, role_name, policy_document):
|
|
"""
|
|
Updates the policy that grants an entity permission to assume a role.
|
|
Currently, only an Amazon EC2 instance can assume a role.
|
|
|
|
:type role_name: string
|
|
:param role_name: Name of the role to update.
|
|
|
|
:type policy_document: string
|
|
:param policy_document: The policy that grants an entity permission to
|
|
assume the role.
|
|
"""
|
|
return self.get_response('UpdateAssumeRolePolicy',
|
|
{'RoleName': role_name,
|
|
'PolicyDocument': policy_document})
|
|
|
|
def create_saml_provider(self, saml_metadata_document, name):
|
|
"""
|
|
Creates an IAM entity to describe an identity provider (IdP)
|
|
that supports SAML 2.0.
|
|
|
|
The SAML provider that you create with this operation can be
|
|
used as a principal in a role's trust policy to establish a
|
|
trust relationship between AWS and a SAML identity provider.
|
|
You can create an IAM role that supports Web-based single
|
|
sign-on (SSO) to the AWS Management Console or one that
|
|
supports API access to AWS.
|
|
|
|
When you create the SAML provider, you upload an a SAML
|
|
metadata document that you get from your IdP and that includes
|
|
the issuer's name, expiration information, and keys that can
|
|
be used to validate the SAML authentication response
|
|
(assertions) that are received from the IdP. You must generate
|
|
the metadata document using the identity management software
|
|
that is used as your organization's IdP.
|
|
This operation requires `Signature Version 4`_.
|
|
For more information, see `Giving Console Access Using SAML`_
|
|
and `Creating Temporary Security Credentials for SAML
|
|
Federation`_ in the Using Temporary Credentials guide.
|
|
|
|
:type saml_metadata_document: string
|
|
:param saml_metadata_document: An XML document generated by an identity
|
|
provider (IdP) that supports SAML 2.0. The document includes the
|
|
issuer's name, expiration information, and keys that can be used to
|
|
validate the SAML authentication response (assertions) that are
|
|
received from the IdP. You must generate the metadata document
|
|
using the identity management software that is used as your
|
|
organization's IdP.
|
|
For more information, see `Creating Temporary Security Credentials for
|
|
SAML Federation`_ in the Using Temporary Security Credentials
|
|
guide.
|
|
|
|
:type name: string
|
|
:param name: The name of the provider to create.
|
|
|
|
"""
|
|
params = {
|
|
'SAMLMetadataDocument': saml_metadata_document,
|
|
'Name': name,
|
|
}
|
|
return self.get_response('CreateSAMLProvider', params)
|
|
|
|
def list_saml_providers(self):
|
|
"""
|
|
Lists the SAML providers in the account.
|
|
This operation requires `Signature Version 4`_.
|
|
"""
|
|
return self.get_response('ListSAMLProviders', {}, list_marker='SAMLProviderList')
|
|
|
|
def get_saml_provider(self, saml_provider_arn):
|
|
"""
|
|
Returns the SAML provider metadocument that was uploaded when
|
|
the provider was created or updated.
|
|
This operation requires `Signature Version 4`_.
|
|
|
|
:type saml_provider_arn: string
|
|
:param saml_provider_arn: The Amazon Resource Name (ARN) of the SAML
|
|
provider to get information about.
|
|
|
|
"""
|
|
params = {'SAMLProviderArn': saml_provider_arn}
|
|
return self.get_response('GetSAMLProvider', params)
|
|
|
|
def update_saml_provider(self, saml_provider_arn, saml_metadata_document):
|
|
"""
|
|
Updates the metadata document for an existing SAML provider.
|
|
This operation requires `Signature Version 4`_.
|
|
|
|
:type saml_provider_arn: string
|
|
:param saml_provider_arn: The Amazon Resource Name (ARN) of the SAML
|
|
provider to update.
|
|
|
|
:type saml_metadata_document: string
|
|
:param saml_metadata_document: An XML document generated by an identity
|
|
provider (IdP) that supports SAML 2.0. The document includes the
|
|
issuer's name, expiration information, and keys that can be used to
|
|
validate the SAML authentication response (assertions) that are
|
|
received from the IdP. You must generate the metadata document
|
|
using the identity management software that is used as your
|
|
organization's IdP.
|
|
|
|
"""
|
|
params = {
|
|
'SAMLMetadataDocument': saml_metadata_document,
|
|
'SAMLProviderArn': saml_provider_arn,
|
|
}
|
|
return self.get_response('UpdateSAMLProvider', params)
|
|
|
|
def delete_saml_provider(self, saml_provider_arn):
|
|
"""
|
|
Deletes a SAML provider.
|
|
|
|
Deleting the provider does not update any roles that reference
|
|
the SAML provider as a principal in their trust policies. Any
|
|
attempt to assume a role that references a SAML provider that
|
|
has been deleted will fail.
|
|
This operation requires `Signature Version 4`_.
|
|
|
|
:type saml_provider_arn: string
|
|
:param saml_provider_arn: The Amazon Resource Name (ARN) of the SAML
|
|
provider to delete.
|
|
|
|
"""
|
|
params = {'SAMLProviderArn': saml_provider_arn}
|
|
return self.get_response('DeleteSAMLProvider', params)
|
|
|
|
#
|
|
# IAM Reports
|
|
#
|
|
|
|
def generate_credential_report(self):
|
|
"""
|
|
Generates a credential report for an account
|
|
|
|
A new credential report can only be generated every 4 hours. If one
|
|
hasn't been generated in the last 4 hours then get_credential_report
|
|
will error when called
|
|
"""
|
|
params = {}
|
|
return self.get_response('GenerateCredentialReport', params)
|
|
|
|
def get_credential_report(self):
|
|
"""
|
|
Retrieves a credential report for an account
|
|
|
|
A report must have been generated in the last 4 hours to succeed.
|
|
The report is returned as a base64 encoded blob within the response.
|
|
"""
|
|
params = {}
|
|
return self.get_response('GetCredentialReport', params)
|
|
|
|
def create_virtual_mfa_device(self, path, device_name):
|
|
"""
|
|
Creates a new virtual MFA device for the AWS account.
|
|
|
|
After creating the virtual MFA, use enable-mfa-device to
|
|
attach the MFA device to an IAM user.
|
|
|
|
:type path: string
|
|
:param path: The path for the virtual MFA device.
|
|
|
|
:type device_name: string
|
|
:param device_name: The name of the virtual MFA device.
|
|
Used with path to uniquely identify a virtual MFA device.
|
|
|
|
"""
|
|
params = {
|
|
'Path': path,
|
|
'VirtualMFADeviceName': device_name
|
|
}
|
|
return self.get_response('CreateVirtualMFADevice', params)
|
|
|
|
#
|
|
# IAM password policy
|
|
#
|
|
|
|
def get_account_password_policy(self):
|
|
"""
|
|
Returns the password policy for the AWS account.
|
|
"""
|
|
params = {}
|
|
return self.get_response('GetAccountPasswordPolicy', params)
|
|
|
|
def delete_account_password_policy(self):
|
|
"""
|
|
Delete the password policy currently set for the AWS account.
|
|
"""
|
|
params = {}
|
|
return self.get_response('DeleteAccountPasswordPolicy', params)
|
|
|
|
def update_account_password_policy(self, allow_users_to_change_password=None,
|
|
hard_expiry=None, max_password_age=None ,
|
|
minimum_password_length=None ,
|
|
password_reuse_prevention=None,
|
|
require_lowercase_characters=None,
|
|
require_numbers=None, require_symbols=None ,
|
|
require_uppercase_characters=None):
|
|
"""
|
|
Update the password policy for the AWS account.
|
|
|
|
Notes: unset parameters will be reset to Amazon default settings!
|
|
Most of the password policy settings are enforced the next time your users
|
|
change their passwords. When you set minimum length and character type
|
|
requirements, they are enforced the next time your users change their
|
|
passwords - users are not forced to change their existing passwords, even
|
|
if the pre-existing passwords do not adhere to the updated password
|
|
policy. When you set a password expiration period, the expiration period
|
|
is enforced immediately.
|
|
|
|
:type allow_users_to_change_password: bool
|
|
:param allow_users_to_change_password: Allows all IAM users in your account
|
|
to use the AWS Management Console to change their own passwords.
|
|
|
|
:type hard_expiry: bool
|
|
:param hard_expiry: Prevents IAM users from setting a new password after
|
|
their password has expired.
|
|
|
|
:type max_password_age: int
|
|
:param max_password_age: The number of days that an IAM user password is valid.
|
|
|
|
:type minimum_password_length: int
|
|
:param minimum_password_length: The minimum number of characters allowed in
|
|
an IAM user password.
|
|
|
|
:type password_reuse_prevention: int
|
|
:param password_reuse_prevention: Specifies the number of previous passwords
|
|
that IAM users are prevented from reusing.
|
|
|
|
:type require_lowercase_characters: bool
|
|
:param require_lowercase_characters: Specifies whether IAM user passwords
|
|
must contain at least one lowercase character from the ISO basic Latin
|
|
alphabet (``a`` to ``z``).
|
|
|
|
:type require_numbers: bool
|
|
:param require_numbers: Specifies whether IAM user passwords must contain at
|
|
least one numeric character (``0`` to ``9``).
|
|
|
|
:type require_symbols: bool
|
|
:param require_symbols: Specifies whether IAM user passwords must contain at
|
|
least one of the following non-alphanumeric characters:
|
|
``! @ # $ % ^ & * ( ) _ + - = [ ] { } | '``
|
|
|
|
:type require_uppercase_characters: bool
|
|
:param require_uppercase_characters: Specifies whether IAM user passwords
|
|
must contain at least one uppercase character from the ISO basic Latin
|
|
alphabet (``A`` to ``Z``).
|
|
"""
|
|
params = {}
|
|
if allow_users_to_change_password is not None and type(allow_users_to_change_password) is bool:
|
|
params['AllowUsersToChangePassword'] = str(allow_users_to_change_password).lower()
|
|
if hard_expiry is not None and type(allow_users_to_change_password) is bool:
|
|
params['HardExpiry'] = str(hard_expiry).lower()
|
|
if max_password_age is not None:
|
|
params['MaxPasswordAge'] = max_password_age
|
|
if minimum_password_length is not None:
|
|
params['MinimumPasswordLength'] = minimum_password_length
|
|
if password_reuse_prevention is not None:
|
|
params['PasswordReusePrevention'] = password_reuse_prevention
|
|
if require_lowercase_characters is not None and type(allow_users_to_change_password) is bool:
|
|
params['RequireLowercaseCharacters'] = str(require_lowercase_characters).lower()
|
|
if require_numbers is not None and type(allow_users_to_change_password) is bool:
|
|
params['RequireNumbers'] = str(require_numbers).lower()
|
|
if require_symbols is not None and type(allow_users_to_change_password) is bool:
|
|
params['RequireSymbols'] = str(require_symbols).lower()
|
|
if require_uppercase_characters is not None and type(allow_users_to_change_password) is bool:
|
|
params['RequireUppercaseCharacters'] = str(require_uppercase_characters).lower()
|
|
return self.get_response('UpdateAccountPasswordPolicy', params)
|
|
|
|
def create_policy(self, policy_name, policy_document, path='/',
|
|
description=None):
|
|
"""
|
|
Create a policy.
|
|
|
|
:type policy_name: string
|
|
:param policy_name: The name of the new policy
|
|
|
|
:type policy_document string
|
|
:param policy_document: The document of the new policy
|
|
|
|
:type path: string
|
|
:param path: The path in which the policy will be created.
|
|
Defaults to /.
|
|
|
|
:type description: string
|
|
:param path: A description of the new policy.
|
|
|
|
"""
|
|
params = {'PolicyName': policy_name,
|
|
'PolicyDocument': policy_document,
|
|
'Path': path}
|
|
if description is not None:
|
|
params['Description'] = str(description)
|
|
|
|
return self.get_response('CreatePolicy', params)
|
|
|
|
def create_policy_version(
|
|
self,
|
|
policy_arn,
|
|
policy_document,
|
|
set_as_default=None):
|
|
"""
|
|
Create a policy version.
|
|
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy
|
|
|
|
:type policy_document string
|
|
:param policy_document: The document of the new policy version
|
|
|
|
:type set_as_default: bool
|
|
:param set_as_default: Sets the policy version as default
|
|
Defaults to None.
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn,
|
|
'PolicyDocument': policy_document}
|
|
if type(set_as_default) == bool:
|
|
params['SetAsDefault'] = str(set_as_default).lower()
|
|
return self.get_response('CreatePolicyVersion', params)
|
|
|
|
def delete_policy(self, policy_arn):
|
|
"""
|
|
Delete a policy.
|
|
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to delete
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn}
|
|
return self.get_response('DeletePolicy', params)
|
|
|
|
def delete_policy_version(self, policy_arn, version_id):
|
|
"""
|
|
Delete a policy version.
|
|
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to delete a version from
|
|
|
|
:type version_id: string
|
|
:param version_id: The id of the version to delete
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn,
|
|
'VersionId': version_id}
|
|
return self.get_response('DeletePolicyVersion', params)
|
|
|
|
def get_policy(self, policy_arn):
|
|
"""
|
|
Get policy information.
|
|
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to get information for
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn}
|
|
return self.get_response('GetPolicy', params)
|
|
|
|
def get_policy_version(self, policy_arn, version_id):
|
|
"""
|
|
Get policy information.
|
|
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to get information for a
|
|
specific version
|
|
|
|
:type version_id: string
|
|
:param version_id: The id of the version to get information for
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn,
|
|
'VersionId': version_id}
|
|
return self.get_response('GetPolicyVersion', params)
|
|
|
|
def list_policies(self, marker=None, max_items=None, only_attached=None,
|
|
path_prefix=None, scope=None):
|
|
"""
|
|
List policies of account.
|
|
|
|
:type marker: string
|
|
:param marker: A marker used for pagination (received from previous
|
|
accesses)
|
|
|
|
:type max_items: int
|
|
:param max_items: Send only max_items; allows paginations
|
|
|
|
:type only_attached: bool
|
|
:param only_attached: Send only policies attached to other resources
|
|
|
|
:type path_prefix: string
|
|
:param path_prefix: Send only items prefixed by this path
|
|
|
|
:type scope: string
|
|
:param scope: AWS|Local. Choose between AWS policies or your own
|
|
"""
|
|
params = {}
|
|
if path_prefix is not None:
|
|
params['PathPrefix'] = path_prefix
|
|
if marker is not None:
|
|
params['Marker'] = marker
|
|
if max_items is not None:
|
|
params['MaxItems'] = max_items
|
|
if type(only_attached) == bool:
|
|
params['OnlyAttached'] = str(only_attached).lower()
|
|
if scope is not None:
|
|
params['Scope'] = scope
|
|
return self.get_response(
|
|
'ListPolicies',
|
|
params,
|
|
list_marker='Policies')
|
|
|
|
def list_policy_versions(self, policy_arn, marker=None, max_items=None):
|
|
"""
|
|
List policy versions.
|
|
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to get versions of
|
|
|
|
:type marker: string
|
|
:param marker: A marker used for pagination (received from previous
|
|
accesses)
|
|
|
|
:type max_items: int
|
|
:param max_items: Send only max_items; allows paginations
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn}
|
|
if marker is not None:
|
|
params['Marker'] = marker
|
|
if max_items is not None:
|
|
params['MaxItems'] = max_items
|
|
return self.get_response(
|
|
'ListPolicyVersions',
|
|
params,
|
|
list_marker='Versions')
|
|
|
|
def set_default_policy_version(self, policy_arn, version_id):
|
|
"""
|
|
Set default policy version.
|
|
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to set the default version
|
|
for
|
|
|
|
:type version_id: string
|
|
:param version_id: The id of the version to set as default
|
|
"""
|
|
params = {'PolicyArn': policy_arn,
|
|
'VersionId': version_id}
|
|
return self.get_response('SetDefaultPolicyVersion', params)
|
|
|
|
def list_entities_for_policy(self, policy_arn, path_prefix=None,
|
|
marker=None, max_items=None,
|
|
entity_filter=None):
|
|
"""
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to get entities for
|
|
|
|
:type marker: string
|
|
:param marker: A marker used for pagination (received from previous
|
|
accesses)
|
|
|
|
:type max_items: int
|
|
:param max_items: Send only max_items; allows paginations
|
|
|
|
:type path_prefix: string
|
|
:param path_prefix: Send only items prefixed by this path
|
|
|
|
:type entity_filter: string
|
|
:param entity_filter: Which entity type of User | Role | Group |
|
|
LocalManagedPolicy | AWSManagedPolicy to return
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn}
|
|
if marker is not None:
|
|
params['Marker'] = marker
|
|
if max_items is not None:
|
|
params['MaxItems'] = max_items
|
|
if path_prefix is not None:
|
|
params['PathPrefix'] = path_prefix
|
|
if entity_filter is not None:
|
|
params['EntityFilter'] = entity_filter
|
|
return self.get_response('ListEntitiesForPolicy', params,
|
|
list_marker=('PolicyGroups',
|
|
'PolicyUsers',
|
|
'PolicyRoles'))
|
|
|
|
def attach_group_policy(self, policy_arn, group_name):
|
|
"""
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to attach
|
|
|
|
:type group_name: string
|
|
:param group_name: Group to attach the policy to
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn, 'GroupName': group_name}
|
|
return self.get_response('AttachGroupPolicy', params)
|
|
|
|
def attach_role_policy(self, policy_arn, role_name):
|
|
"""
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to attach
|
|
|
|
:type role_name: string
|
|
:param role_name: Role to attach the policy to
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn, 'RoleName': role_name}
|
|
return self.get_response('AttachRolePolicy', params)
|
|
|
|
def attach_user_policy(self, policy_arn, user_name):
|
|
"""
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to attach
|
|
|
|
:type user_name: string
|
|
:param user_name: User to attach the policy to
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn, 'UserName': user_name}
|
|
return self.get_response('AttachUserPolicy', params)
|
|
|
|
def detach_group_policy(self, policy_arn, group_name):
|
|
"""
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to detach
|
|
|
|
:type group_name: string
|
|
:param group_name: Group to detach the policy from
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn, 'GroupName': group_name}
|
|
return self.get_response('DetachGroupPolicy', params)
|
|
|
|
def detach_role_policy(self, policy_arn, role_name):
|
|
"""
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to detach
|
|
|
|
:type role_name: string
|
|
:param role_name: Role to detach the policy from
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn, 'RoleName': role_name}
|
|
return self.get_response('DetachRolePolicy', params)
|
|
|
|
def detach_user_policy(self, policy_arn, user_name):
|
|
"""
|
|
:type policy_arn: string
|
|
:param policy_arn: The ARN of the policy to detach
|
|
|
|
:type user_name: string
|
|
:param user_name: User to detach the policy from
|
|
|
|
"""
|
|
params = {'PolicyArn': policy_arn, 'UserName': user_name}
|
|
return self.get_response('DetachUserPolicy', params)
|