"""Create a role named easy-describe in an account.

The role carries an access policy that grants the DescribeInstances and
CreateTags permissions, and a trust policy that allows the role to be
assumed by the account identified by `cmp_account_id`.
"""
import boto.iam
import iam_utils
from awacs.aws import Allow, Policy, Statement, AWSPrincipal
from awacs import ec2, iam, sts
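# Account that will be allowed to assume the role created below.
cmp_account_id = '032298565451'

# Permissions the role itself carries once assumed.
# NOTE(review): Resource is '*' for both actions. ec2:CreateTags accepts
# resource ARNs and condition keys, so if the caller only needs to tag
# specific resources the statement can be narrowed; as written the role may
# tag any EC2 resource in the account, which matters wherever tags drive
# access control or cost allocation.
access_policy = Policy(
    Statement=[
        Statement(
            Effect=Allow,
            Action=[ec2.DescribeInstances, ec2.CreateTags],
            Resource=['*'],
        ),
    ]
)
# Serialise once so the document shown to the operator is the same string
# that is submitted to IAM below.
access_policy_json = access_policy.to_json()
# Parenthesised single-argument print behaves the same on Python 2 and 3.
print(access_policy_json)

# The ':root' principal names the whole account, not one user or role in it:
# which identities inside that account may assume this role is decided by
# that account's own IAM policies.
cloud_mgmt_platform_arn = 'arn:aws:iam::%s:root' % (cmp_account_id,)

# Trust policy: who may call sts:AssumeRole on the role.
# NOTE(review): the statement has no Condition. If cmp_account_id belongs to
# a third-party platform that serves several customers, AWS's confused-deputy
# guidance is to require an sts:ExternalId condition agreed with that party;
# confirm whether one is expected here before relying on this trust policy.
trust_policy = Policy(
    Statement=[
        Statement(
            Effect=Allow,
            Action=[sts.AssumeRole],
            Principal=AWSPrincipal(cloud_mgmt_platform_arn),
        ),
    ],
)
trust_policy_json = trust_policy.to_json()
print(trust_policy_json)

# IAM is a global service; 'universal' is the region name passed to boto for it.
iam_conn = boto.iam.connect_to_region('universal')

# iam_utils is a project-local helper not shown here; presumably the two
# 'easy-describe' arguments are the role name and the policy name - verify
# against iam_utils.update_policy.
iam_utils.update_policy(
    iam_conn,
    'easy-describe',
    'easy-describe',
    trust_policy_json,
    access_policy_json
)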