|
11 | 11 | import click |
12 | 12 |
|
13 | 13 | from . import policies |
14 | | - |
15 | | - |
16 | | -def ensure_s3_role_exists(iam, sts): |
17 | | - "Create s3-credentials.AmazonS3FullAccess role if not exists, return ARN" |
18 | | - role_name = "s3-credentials.AmazonS3FullAccess" |
19 | | - account_id = sts.get_caller_identity()["Account"] |
20 | | - try: |
21 | | - role = iam.get_role(RoleName=role_name) |
22 | | - return role["Role"]["Arn"] |
23 | | - except iam.exceptions.NoSuchEntityException: |
24 | | - create_role_response = iam.create_role( |
25 | | - Description=( |
26 | | - "Role used by the s3-credentials tool to create time-limited " |
27 | | - "credentials that are restricted to specific buckets" |
28 | | - ), |
29 | | - RoleName=role_name, |
30 | | - AssumeRolePolicyDocument=json.dumps( |
31 | | - { |
32 | | - "Version": "2012-10-17", |
33 | | - "Statement": [ |
34 | | - { |
35 | | - "Effect": "Allow", |
36 | | - "Principal": { |
37 | | - "AWS": "arn:aws:iam::{}:root".format(account_id) |
38 | | - }, |
39 | | - "Action": "sts:AssumeRole", |
40 | | - } |
41 | | - ], |
42 | | - } |
43 | | - ), |
44 | | - MaxSessionDuration=12 * 60 * 60, |
45 | | - ) |
46 | | - # Attach AmazonS3FullAccess to it - note that even though we use full access |
47 | | - # on the role itself any time we call sts.assume_role() we attach an additional |
48 | | - # policy to ensure reduced access for the temporary credentials |
49 | | - iam.attach_role_policy( |
50 | | - RoleName="s3-credentials.AmazonS3FullAccess", |
51 | | - PolicyArn="arn:aws:iam::aws:policy/AmazonS3FullAccess", |
52 | | - ) |
53 | | - return create_role_response["Role"]["Arn"] |
| 14 | +from .cli import ensure_s3_role_exists |
54 | 15 |
|
55 | 16 |
|
56 | 17 | class CredentialCache: |
|