Skip to main content
Help us improve PyPI by participating in user testing. All experience levels needed!

Syncs iam roles

Project description

IAM syncr

A tool for keeping iam roles synced.

Installation

Just use pip:

pip install iam_syncr

Usage

You make a folder for each amazon account you have and you put in there files that define the roles you want to define in that account.

You then run:

iam_syncr <folder>

It will find the roles you have defined and ensure they exist and only have the policies you have defined.

It will leave alone other roles in your account.

Note that for the roles you have defined, it will remove any policies that don’t match what you have.

It is up to you to put the necessary amazon credentials in your environment via AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Format

accounts.yaml

The script will look for an accounts.yaml in the directory above the folder you specified. This is expected to be a mapping of {account_name:account_id} where account_id is the 12 digit id without hyphens for each amazon account.

The script will use these values to both check that the credentials you supplied is for the account you are syncing and will also use the values if you specify you account names in the policies.

Any yaml file in the specified folder
Currently only supports files with a “roles” or “remove_roles” definition in it.

Yaml Configuration

The yaml looks something like:

 ---

 templates:
   <template_name>: template

 roles:
   <role_name>:
      use: <template_name>

      description: <optional>

      make_instance_profile: <boolean saying whether to make an instance profile with this role in it>

      allow_to_assume_me: [<assume_role_statements>]
      disallow_to_assume_me: [<assume_role_statements>]

      permission: [<permission_statements>]
      deny_permission: [<permission_statemnt> where "Effect" is set to "Deny"]
      allow_permission: [<permission_statemnt> where "Effect" is set to "Allow"]

buckets:
   <bucket_name>:
      location: <ap-southeast-2, us-east-1, etc>
      permission: [<permission_statements>]
      deny_permission: [<permission_statemnt> where "Effect" is set to "Deny"]
      allow_permission: [<permission_statemnt> where "Effect" is set to "Allow"]

keys:
   <kms key alias>:
      location: <ap-southeast-2, us-east-1, etc>
      admin_users: <iam_specifier>

      permission: [<permission_statements>]
      deny_permission: [<permission_statemnt> where "Effect" is set to "Deny"]
      allow_permission: [<permission_statemnt> where "Effect" is set to "Allow"]

      grant:
         - grantee: <iam_specifier>
           retiree: <iam_specifier>
           operations: (see http://boto.readthedocs.org/en/latest/ref/kms.html#boto.kms.layer1.KMSConnection.create_grant)
           constraints: <dictionary>
           grant_tokens: <list>

remove_role:
   - <role_name>
   - <role_name>
   - ...

Where <assume_role_statement> can be:

{service: ec2}

Sets the principle to {"Service": "ec2.amazonaws.com"}

You’ll want to do this if you want to use metdata credentials on an ec2 box

<iam_specifier>

See below, it specifies an iam resource

Basically allows the iam role specified to call assume role to be this role.

{federated: <string>}

Sets the principle to {"Federated": <string>}

With an Action of AssumeRoleWithSAML.

{federated: <iam_specifier>}

Sets the principle to {"Federated": <expanded iam specifier>}

With an Action of AssumeRoleWithSAML.

Anything in the dictionary starting with an upper case character is included as is in the statement.

Also, the difference between allow_to_assume_me and disallow_to_assume_me is one sets Principle in the trust document, whereas the other sets NotPrinciple.

And <permission_statement> can be:

{"action": <action>, resource: <resource>, "allow":<True|False>}

Allows <action> for specified <resource> (string or list of strings)

“allow” will override any default allow or “Effect” you specify

And anything starting with an upper case character is included in the statement as is.

Where action and resource can be notaction and notresource.

And <resource> can be:

A single string
Placed in the policy as a list of that one string
A list of <resource>
Placed in the policy with each <resource> expanded
<iam_specifier>
See below, it specifies an iam resource
{"s3": <s3_specifier>}
“arn:aws:s3:::<s3_specifier>
{"s3": [<s3_specifier>, <s3_specifier>, ...]}
[“arn:aws:s3:::<s3_specifier>”, “arn:aws:s3:::<s3_specifier>”, …]

Where <iam_specifer> can be:

{"iam":"__self__"}
arn for the role/user this policy is being given to
{"iam":<specifier>, "account":<account>"}

“arn:aws:iam::<account>:<specifier>”

Where account is retrieved from our accounts dictionary from accounts.yaml

KMS keys

You can create kms keys and associated grants using the keys namespace.

These keys will automatically get access from the root of the account, as well as all kms actions from any admin_users you specify.

Dry Run

You can use the --dry-run option to make iam_syncr tell you what changes will be made without making those changes.

It will print out the changes to stdout.

Lines starting with “+” indicate additions, lines starting with “-” indicate deletions and lines starting with “M” indicate modifications.

Modifications are followed by an indented diff of the differences to be made.

The Future

In order of importance:

  • More Tests

Project details


Release history Release notifications

This version
History Node

0.4.3.2

History Node

0.4.3.1

History Node

0.4.3

History Node

0.4.2

History Node

0.4.1

History Node

0.4.0

History Node

0.3.9

History Node

0.3.8

History Node

0.3.7

History Node

0.3.5

History Node

0.3.0

History Node

0.2.6

History Node

0.2.5.1

History Node

0.2.5

History Node

0.2.4

History Node

0.2.3

History Node

0.2.2

History Node

0.2.1

History Node

0.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
iam_syncr-0.4.3.2.tar.gz (17.8 kB) Copy SHA256 hash SHA256 Source None May 28, 2015

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging CloudAMQP CloudAMQP RabbitMQ AWS AWS Cloud computing Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page