Skip to main content

Creates AWS Rolee.

Project description

AWS Role Creator

Features

aws-role-creator creates an aws role.

The primary purpose is to create roles for projects, which automatically allows them access to various AWS resources based-on their project name. If the project name is 'test', they can only access resources which begin with 'TEST' or 'test'

Installation

aws-role-creator is on PyPI so all you need is:

$ pip install aws-role-creator

Example

Getting help

$ role-creator upsert --help
Usage: role-creator upsert [OPTIONS]

  Creates a new role

Options:
  -v, --version TEXT              code version
  -d, --dryrun                    dry run
  --no-poll                       Start the stack work but do not poll
  -i, --ini TEXT                  INI file with needed information
  -n, --project-name TEXT         project name
  -e, --environment-abbreviation TEXT
                                  environment abbreviation (i.e. dev, pd,
                                  sb,etc)
  -a, --aws-account-number TEXT   aws account number for role or account
                                  number for aws account role will jump to if
                                  project_role_jump_account
  -b, --bucket TEXT               bucket to upload cf template
  -t, --template-type TEXT        template type - whether a project_role or
                                  project_role_jump_account
  -r, --region TEXT               aws region
  -p, --aws-profile TEXT          aws profile
  -w, --aws-resources TEXT        comma delimited list of aws resources the
                                  role will have access to. Includes: ec2,clou
                                  dformation,s3,ecs,support,events,kms,waf,sns
                                  ,states,iam,elasticloadbalancing,cloudwatch,
                                  cloudfront,elasticbeanstalk,ecr,autoscaling,
                                  dynamodb,sqs,acm,route53,codebuild,codepipel
                                  ine,ssm,batch,apigateway,logs,elasticmapredu
                                  ce
  -m, --template TEXT             cloudformation template path/name
  --debug                         Turn on debugging
  --help                          Show this message and exit.

Background

If you have multiple AWS accounts, such as one for Dev, one for , QA, and one for Prod. Then you usually have an AWS jump account where
users can login, and then assume roles in to other AWS accounts - this is the purpose of the project_role_jump_account

The project_role account is the role which projects will utilize in various AWS accounts, and the role only has permissions
to AWS resources which begin with the project-name - which the exception of S3 buckets.  Because S3 buckets are globally scoped, the
S3 bucket should be named environment-abbreviation, dash, project-name.

Permissions are created with both upper and lower case.

Utilize the aws-resources parameter to pass-in which resources the project will need access to.

Running From Command-Line

To create a project jump account role:
    role-creator upsert --project-name test --environment-abbreviation dv --aws-account-number 1234567890 --template-type project_role_jump_account --region us-east-1 --aws-profile will  --bucket cf-templates-987654
To create a normal role for a project:
    role-creator upsert --project-name test --environment-abbreviation dv --aws-account-number 12345678 --template-type project_role --region us-east-1 --aws-profile will --aws-resources ec2,cloudformation,s3,ecs,support,events,kms,waf,sns,states,iam,elasticloadbalancing,cloudwatch,cloudfront,elasticbeanstalk,ecr,autoscaling,dynamodb,sqs,acm,route53,codebuild,codepipeline,ssm,batch,apigateway,logs,elasticmapreduce --bucket cf-templates-987654
NOTE: When you run from the command-line, and template.json file will automatically be created for future use
NOTE: Project name and environment abbreviation are capitalized automatically for consistency

Running from and Ini File

Example Ini file

[environment]
template=template.json
bucket = cf-templates
template_type = project_role
region = us-east-1
stack_name = iam-role
profile = me

[tags]
DeployedBy = me

[parameters]
UppercaseAwsEnvironmentPrefix = UT
LowercaseAwsEnvironmentPrefix = ut
AccountNumber = 123456789
UppercaseProjectName = my-role
LowercaseProjectName = my-role
Resources = ec2,cloudformation,s3,ecs,support,events,kms,waf,sns,states,iam,elasticloadbalancing,cloudwatch,cloudfront,elasticbeanstalk,ecr,autoscaling,dynamodb,sqs,acm,route53,codebuild,codepipeline,ssm,batch,apigateway,logs,elasticmapreduce

[meta-parameters]
RoleName = my-role

Demonstration

AWS role creator tutorial

Example of a Jump Account Role which allows the assumption of a role in another account

{
    "Parameters": {
        "AccountNumber": {
            "Description": "AWS Account Number",
            "Type": "String"
        },
        "IAMNamespace": {
            "Default": "/",
            "Description": "Namespace for IAM users, policies, etc.",
            "Type": "String"
        },
        "LowercaseAwsEnvironmentPrefix": {
            "Description": "Lowercase abbreviation for AWS account (i.e. dev,qa,prod)",
            "Type": "String"
        },
        "LowercaseProjectName": {
            "Description": "Lowercase Project Name",
            "Type": "String"
        },
        "UppercaseAwsEnvironmentPrefix": {
            "Description": "Uppercase abbreviation for AWS account (i.e. DEV,QA,PROD)",
            "Type": "String"
        },
        "UppercaseProjectName": {
            "Description": "Uppercase Project Name",
            "Type": "String"
        }
    },
    "Resources": {
        "Group": {
            "Properties": {
                "GroupName": {
                    "Fn::Join": [
                        "-",
                        [
                            {
                                "Ref": "UppercaseAwsEnvironmentPrefix"
                            },
                            {
                                "Ref": "UppercaseProjectName"
                            }
                        ]
                    ]
                }
            },
            "Type": "AWS::IAM::Group"
        },
        "ManagedPolicy": {
            "Properties": {
                "Description": {
                    "Fn::Join": [
                        "-",
                        [
                            {
                                "Ref": "UppercaseAwsEnvironmentPrefix"
                            },
                            {
                                "Ref": "UppercaseProjectName"
                            },
                            "project"
                        ]
                    ]
                },
                "ManagedPolicyName": {
                    "Fn::Join": [
                        "-",
                        [
                            {
                                "Ref": "UppercaseAwsEnvironmentPrefix"
                            },
                            {
                                "Ref": "UppercaseProjectName"
                            }
                        ]
                    ]
                },
                "Path": {
                    "Ref": "IAMNamespace"
                },
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Action": [
                                "sts:AssumeRole"
                            ],
                            "Effect": "Allow",
                            "Resource": [
                                "arn:aws:sts::1234567890:role/DV-TEST"
                            ],
                            "Sid": "StsAccess"
                        }
                    ],
                    "Version": "2012-10-17"
                }
            },
            "Type": "AWS::IAM::ManagedPolicy"
        }
    }
}

Example of the Role Created

{
	"Parameters": {
		"AccountNumber": {
			"Description": "AWS Account Number",
			"Type": "String"
		},
		"IAMNamespace": {
			"Default": "/",
			"Description": "Namespace for IAM users, policies, etc.",
			"Type": "String"
		},
		"LowercaseAwsEnvironmentPrefix": {
			"Description": "Lowercase abbreviation for AWS account (i.e. dev,qa,prod)",
			"Type": "String"
		},
		"LowercaseProjectName": {
			"Description": "Lowercase Project Name",
			"Type": "String"
		},
		"UppercaseAwsEnvironmentPrefix": {
			"Description": "Uppercase abbreviation for AWS account (i.e. DEV,QA,PROD)",
			"Type": "String"
		},
		"UppercaseProjectName": {
			"Description": "Uppercase Project Name",
			"Type": "String"
		}
	},
	"Resources": {
		"IamGroup": {
			"Properties": {
				"GroupName": {
					"Fn::Join": [
						"-", [{
								"Ref": "UppercaseAwsEnvironmentPrefix"
							},
							{
								"Ref": "UppercaseProjectName"
							}
						]
					]
				},
				"Path": {
					"Ref": "IAMNamespace"
				}
			},
			"Type": "AWS::IAM::Group"
		},
		"ManagedPolicy": {
			"Properties": {
				"Description": {
					"Fn::Join": [
						"-", [{
								"Ref": "UppercaseAwsEnvironmentPrefix"
							},
							{
								"Ref": "UppercaseProjectName"
							},
							"project"
						]
					]
				},
				"Groups": [{
					"Fn::Join": [
						"-", [{
								"Ref": "UppercaseAwsEnvironmentPrefix"
							},
							{
								"Ref": "UppercaseProjectName"
							}
						]
					]
				}],
				"ManagedPolicyName": {
					"Fn::Join": [
						"-", [{
								"Ref": "UppercaseAwsEnvironmentPrefix"
							},
							{
								"Ref": "UppercaseProjectName"
							}
						]
					]
				},
				"Path": {
					"Ref": "IAMNamespace"
				},
				"PolicyDocument": {
					"Ref": {
						"Id": "Account-Permissions",
						"Statement": [{
								"Action": [
									"ec2:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:ec2:us-east-1:1234567890:TEST*",
									"arn:aws:ec2:us-east-1:1234567890:test*"
								],
								"Sid": "Ec2Access"
							},
							{
								"Action": [
									"cloudformation:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:cloudformation:us-east-1:1234567890:TEST*",
									"arn:aws:cloudformation:us-east-1:1234567890:test*"
								],
								"Sid": "CloudformationAccess"
							},
							{
								"Action": [
									"s3:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:s3:::DV-TEST/*",
									"arn:aws:s3:::DV-TEST*",
									"arn:aws:s3:::DV-test/*",
									"arn:aws:s3:::DV-test*"
								],
								"Sid": "S3Access"
							},
							{
								"Action": [
									"ecs:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:ecs:us-east-1:1234567890:TEST*",
									"arn:aws:ecs:us-east-1:1234567890:test*"
								],
								"Sid": "ECSAccess"
							},
							{
								"Action": [
									"support:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:support:us-east-1:1234567890:TEST*",
									"arn:aws:support:us-east-1:1234567890:test*"
								],
								"Sid": "SupportAccess"
							},
							{
								"Action": [
									"events:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:events:us-east-1:1234567890:TEST*",
									"arn:aws:events:us-east-1:1234567890:test*"
								],
								"Sid": "EventsAccess"
							},
							{
								"Action": [
									"kms:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:kms:us-east-1:1234567890:TEST*",
									"arn:aws:kms:us-east-1:1234567890:test*"
								],
								"Sid": "KmsAccess"
							},
							{
								"Action": [
									"waf:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:waf:us-east-1:1234567890:TEST*",
									"arn:aws:waf:us-east-1:1234567890:test*"
								],
								"Sid": "WafAccess"
							},
							{
								"Action": [
									"sns:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:sns:us-east-1:1234567890:TEST*",
									"arn:aws:sns:us-east-1:1234567890:test*"
								],
								"Sid": "SnsAccess"
							},
							{
								"Action": [
									"states:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:states:us-east-1:1234567890:TEST*",
									"arn:aws:states:us-east-1:1234567890:test*"
								],
								"Sid": "StatesAccess"
							},
							{
								"Action": [
									"iam:Get*",
									"iam:List*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:iam::1234567890:TEST*",
									"arn:aws:iam::1234567890:test*"
								],
								"Sid": "IamAccess"
							},
							{
								"Action": [
									"elasticloadbalancing:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:elasticloadbalancing:us-east-1:1234567890:TEST*",
									"arn:aws:elasticloadbalancing:us-east-1:1234567890:test*"
								],
								"Sid": "ElasticloadbalancingAccess"
							},
							{
								"Action": [
									"cloudwatch:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:cloudwatch:us-east-1:1234567890:TEST*",
									"arn:aws:cloudwatch:us-east-1:1234567890:test*"
								],
								"Sid": "CloudwatchAccess"
							},
							{
								"Action": [
									"cloudfront:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:cloudfront:us-east-1:1234567890:TEST*",
									"arn:aws:cloudfront:us-east-1:1234567890:test*"
								],
								"Sid": "CloudfrontAccess"
							},
							{
								"Action": [
									"elasticbeanstalk:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:elasticbeanstalk:us-east-1:1234567890:TEST*",
									"arn:aws:elasticbeanstalk:us-east-1:1234567890:test*"
								],
								"Sid": "ElasticbeanstalkAccess"
							},
							{
								"Action": [
									"ecr:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:ecr:us-east-1:1234567890:TEST*",
									"arn:aws:ecr:us-east-1:1234567890:test*"
								],
								"Sid": "EcrAccess"
							},
							{
								"Action": [
									"autoscaling:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:autoscaling:us-east-1:1234567890:TEST*",
									"arn:aws:autoscaling:us-east-1:1234567890:test*"
								],
								"Sid": "AutoscalingAccess"
							},
							{
								"Action": [
									"autoscaling:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:dynamodb:us-east-1:1234567890:TEST*",
									"arn:aws:dynamodb:us-east-1:1234567890:test*"
								],
								"Sid": "DynamodbAccess"
							},
							{
								"Action": [
									"sqs:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:sqs:us-east-1:1234567890:TEST*",
									"arn:aws:sqs:us-east-1:1234567890:test*"
								],
								"Sid": "SqsAccess"
							},
							{
								"Action": [
									"acm:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:acm:us-east-1:1234567890:TEST*",
									"arn:aws:acm:us-east-1:1234567890:test*"
								],
								"Sid": "AcmAccess"
							},
							{
								"Action": [
									"route53:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:route53:us-east-1:1234567890:TEST*",
									"arn:aws:route53:us-east-1:1234567890:test*"
								],
								"Sid": "Route53Access"
							},
							{
								"Action": [
									"codebuild:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:codebuild:us-east-1:1234567890:TEST*",
									"arn:aws:codebuild:us-east-1:1234567890:test*"
								],
								"Sid": "CodebuildAccess"
							},
							{
								"Action": [
									"codepipeline:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:codepipeline:us-east-1:1234567890:TEST*",
									"arn:aws:codepipeline:us-east-1:1234567890:test*"
								],
								"Sid": "CodepipelineAccess"
							},
							{
								"Action": [
									"ssm:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:ssm:us-east-1:1234567890:TEST*",
									"arn:aws:ssm:us-east-1:1234567890:test*"
								],
								"Sid": "SsmAccess"
							},
							{
								"Action": [
									"batch:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:batch:us-east-1:1234567890:TEST*",
									"arn:aws:batch:us-east-1:1234567890:test*"
								],
								"Sid": "BatchAccess"
							},
							{
								"Action": [
									"apigateway:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:apigateway:us-east-1:1234567890:TEST*",
									"arn:aws:apigateway:us-east-1:1234567890:test*"
								],
								"Sid": "ApigatewayAccess"
							},
							{
								"Action": [
									"logs:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:logs:us-east-1:1234567890:TEST*",
									"arn:aws:logs:us-east-1:1234567890:test*"
								],
								"Sid": "LogsAccess"
							},
							{
								"Action": [
									"elasticmapreduce:*"
								],
								"Effect": "Allow",
								"Resource": [
									"arn:aws:elasticmapreduce:us-east-1:1234567890:TEST*",
									"arn:aws:elasticmapreduce:us-east-1:1234567890:test*"
								],
								"Sid": "ElasticmapreduceAccess"
							}
						],
						"Version": "2012-10-17"
					}
				}
			},
			"Type": "AWS::IAM::ManagedPolicy"
		}
	}
}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws_role_creator-0.0.10.tar.gz (16.1 kB view hashes)

Uploaded source

Built Distribution

aws_role_creator-0.0.10-py2-none-any.whl (13.4 kB view hashes)

Uploaded py2

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page