Utilities package for pynamodb.
Project description
AWS IAM Generator
Cross-account IAM resources made easier
Introduction
During my work as a cloud engineer, I often needed to deploy some IAM resources tangled together with some parameters. I had to do it so often I decided to wrap it all in a feasible and easy to use the library.
Generates AWS IAM Managed Policies and Roles for multiple accounts using the easy templating language. Example cross-account template and deployment execution shown below.
Installation
- Run
pip install pynamodb-utilsor executepython setup.py installin the source directory - Add
aws_iam_generatorto yourINSTALLED_APPS
Example
from iam_aws_generator import AWSIAMGenerator
example_roles_specification = {
'Regions': {
'PipelineRegion': {},
'AppsRegion': {}
},
'Accounts': {
'PipelineAccount': {
'Description': 'Account where deployment pipeline will be created',
'AccessRoleName': 'DefaultAccessRole'
},
'AppsAccount': {
'Description': 'Account where apps will be deployed',
'AccessRoleName': 'DefaultAccessRole'
},
'MaintenanceAccount': {
'Id': '123456789002',
'Description': 'Remote account owned by Workload Provider that will be performing maintenance tasks'
}
},
'Variables': {
'HostedZoneID': {
'Type': 'string',
'Description': 'Hosted Zone ID of workload domain'
},
'TrustRolesArns': {
'Type': 'list(string)',
'Description': 'Operations Account of Workload Provider and customer.'
}
},
'Policies': {
'Route53Policy': {
'Description': 'Policy that enables a user to perform actions on Route53',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': ['route53:*'],
'Resource': [
'arn:aws:route53:::hostedzone/{{Variables.HostedZoneID.Value}}',
'arn:aws:route53:::healthcheck/{{Variables.HostedZoneID.Value}}'
],
'Effect': 'Allow'
}
]
}
},
'DeployPipelinePolicy': {
'Description': 'Policy that enables to deploy pipeline',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': [
'cloudformation:CreateStack',
'cloudformation:DescribeStackEvents',
'cloudformation:DescribeStacks',
'cloudformation:UpdateStack'
],
'Effect': 'Allow',
'Resource': [
'arn:aws:cloudformation:{{Regions.PipelineRegion.Id}}:{{Accounts.PipelineAccount.Id}}:stack/deployment-pipeline/*'
]
},
{
'Action': [
's3:CreateBucket',
's3:GetObject',
's3:ListBucket',
's3:PutObject'
],
'Effect': 'Allow',
'Resource': 'arn:aws:s3:::{{Regions.PipelineRegion.Id}}-pipeline-bucket'
}
]
}
},
'DeployAppPolicy': {
'Description': 'Policy that enables to deploy pipeline',
'PolicyDocument': {
'Version': '2012-10-17',
'Statement': [
{
'Action': [
's3:CreateBucket',
's3:GetObject',
's3:ListBucket',
's3:PutObject'
],
'Effect': 'Allow',
'Resource': 'arn:aws:s3:::{{Accounts.AppsAccount.Id}}-{{Regions.AppsRegion.Id}}-app-bucket'
}
]
}
}
},
'Roles': {
'DNSRole': {
'Trusts': ['{{Variables.TrustRolesArns.Value}}', 'Accounts.MaintenanceAccount.Id'],
'ManagedPolicies': ['Policies.Route53Policy'],
'InAccounts': ['Accounts.AppsAccount.Id']
},
'DeployPipelineRole': {
'Trusts': ['Accounts.MaintenanceAccount.Id'],
'ManagedPolicies': ['Policies.DeployPipelinePolicy'],
'InAccounts': ['Accounts.PipelineAccount.Id']},
'DeployAppRole': {
'Trusts': ['Accounts.PipelineAccount.Id'],
'ManagedPolicies': ['Policies.DeployAppPolicy'],
'InAccounts': ['Accounts.AppsAccount.Id']
},
'APIGatewayCloudWatchLogRole': {
'Trusts': ['apigateway.amazonaws.com'],
'ManagedPolicies': ['arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'],
'InAccounts': ['Accounts.AppsAccount.Id']
}
},
'ServiceLinkedRoles': {
'AWSServiceRoleForECS': {
'ServiceName': 'ecs.amazonaws.com',
'InAccounts': [
'Accounts.PipelineAccount.Id',
'Accounts.AppsAccount.Id'
]
}
}
}
generator = AWSIAMGenerator(reference_name='test')
generator.load_spec(spec=example_roles_specification)
generator.set_parameters(
Accounts={
'AppsAccount': {
"Id": '112345678901'
},
'PipelineAccount': {
"Id": '212345678901'
}
},
Regions={
'PipelineRegion': {
"Id": "us-east-1"
},
'AppsRegion': {
"Id": "us-east-1"
}
},
Variables={
"HostedZoneID": {
"Value": "*"
},
"TrustRolesArns": {
"Value": ["arn:aws:iam::123456789011:role/ExternalAccessRole"]
}
}
)
generator.deploy()
Links
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
aws-iam-generator-0.9.1.tar.gz
(13.4 kB
view details)
Built Distribution
File details
Details for the file aws-iam-generator-0.9.1.tar.gz.
File metadata
- Download URL: aws-iam-generator-0.9.1.tar.gz
- Upload date:
- Size: 13.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/47.1.0 requests-toolbelt/0.9.1 tqdm/4.56.2 CPython/3.7.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 328a40072e2d58abe3c7a3591515df549358699b065489e6fbc69b90284a8ba8 |
|
| MD5 | 29e6bdb083823254ce8d0d211d02f967 |
|
| BLAKE2b-256 | 4ded5769b8ecb0fbc8b9c609dc70a70ef02d6d8dd76a602d00e5a51390dfdba7 |
File details
Details for the file aws_iam_generator-0.9.1-py3-none-any.whl.
File metadata
- Download URL: aws_iam_generator-0.9.1-py3-none-any.whl
- Upload date:
- Size: 19.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/47.1.0 requests-toolbelt/0.9.1 tqdm/4.56.2 CPython/3.7.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 8f820422ba8dbf13ea476150641a616fb71e1b880ad018e3141c6eab335f513b |
|
| MD5 | 34975c3346843263a7897e1ec32a1a50 |
|
| BLAKE2b-256 | d56f92ef7ca3ad8fc4950a5819db0f4df41699eb574cae63eb264775b478352a |
