toil.lib.aws.iam

Attributes

logger

CLUSTER_LAUNCHING_PERMISSIONS

AllowedActionCollection

Functions

delete_iam_instance_profile(instance_profile_name[, ...])

delete_iam_role(role_name[, region, quiet])

Deletes an AWS IAM role. Any separate policies are detached from the role, and any inline policies are deleted.

create_iam_role(role_name, ...[, region])

Creates an AWS IAM role with the given assume-role policy document and policies.

init_action_collection()

Initializes an action collection, which holds allowed Actions and NotActions keyed by resource.

add_to_action_collection(a, b)

Combines two action collections.

policy_permissions_allow(given_permissions[, ...])

Checks whether a given set of actions is a subset of another given set of actions; returns True if it is.

permission_matches_any(perm, list_perms)

Checks whether a permission is contained within a list of given permissions.

get_actions_from_policy_document(policy_doc)

Given a policy document, goes through each statement and creates an AllowedActionCollection representing the permissions granted in the policy document.

allowed_actions_attached(iam, attached_policies)

Goes through all attached policy documents and creates an AllowedActionCollection representing granted permissions.

allowed_actions_roles(iam, policy_names, role_name)

Returns a dictionary containing a list of all AWS actions allowed for a given role.

collect_policy_actions(policy_documents)

Collects all of the actions allowed by the given policy documents into one AllowedActionCollection.

allowed_actions_user(iam, policy_names, user_name)

Gets all allowed actions for the user given by user_name; returns a dictionary, keyed by resource, with a list of permissions allowed for each resource.

allowed_actions_group(iam, policy_names, group_name)

Gets all allowed actions for the group given by group_name; returns a dictionary, keyed by resource, with a list of permissions allowed for each resource.

get_policy_permissions(region)

Returns an action collection containing lists of all permission grant patterns, keyed by the resource they are allowed upon.

get_aws_account_num()

Returns the AWS account number.

Module Contents

toil.lib.aws.iam.logger
toil.lib.aws.iam.CLUSTER_LAUNCHING_PERMISSIONS = ['iam:CreateRole', 'iam:CreateInstanceProfile', 'iam:TagInstanceProfile', 'iam:DeleteRole',...
toil.lib.aws.iam.AllowedActionCollection
toil.lib.aws.iam.delete_iam_instance_profile(instance_profile_name, region=None, quiet=True)
Parameters:
  • instance_profile_name (str)

  • region (Optional[str])

  • quiet (bool)

Return type:

None

toil.lib.aws.iam.delete_iam_role(role_name, region=None, quiet=True)

Deletes an AWS IAM role. Any separate policies are detached from the role, and any inline policies are deleted.

Parameters:
  • role_name (str) – The name of the AWS IAM role.

  • region (Optional[str]) – The AWS region that the role_name is in.

  • quiet (bool) – Whether or not to print/log information about the deletion to stdout.

Return type:

None

toil.lib.aws.iam.create_iam_role(role_name, assume_role_policy_document, policies, region=None)

Creates an AWS IAM role with the given assume-role policy document and policies.

Parameters:
  • role_name (str) – The name of the AWS IAM role.

  • region (Optional[str]) – The AWS region that the role_name is in.

  • assume_role_policy_document (str) – Policies to create inline with the role.

  • policies (dict[str, Any]) – Global policies to attach to the role.

Return type:

str

toil.lib.aws.iam.init_action_collection()

Initializes an action collection. An action collection contains allowed Actions and NotActions keyed by resource. Both are patterns that may contain wildcards. An Action explicitly allows every permission matching its pattern, e.g. ec2:* explicitly allows all ec2 permissions.

A NotAction explicitly allows all actions that do not match its pattern, e.g. a NotAction of iam:* allows all non-iam actions.

Return type:

AllowedActionCollection

toil.lib.aws.iam.add_to_action_collection(a, b)

Combines two action collections.

Parameters:
  • a (AllowedActionCollection)

  • b (AllowedActionCollection)

Return type:

AllowedActionCollection

toil.lib.aws.iam.policy_permissions_allow(given_permissions, required_permissions=[])

Checks whether a given set of actions is a subset of another given set of actions. Returns True if it is; otherwise returns False and prints a warning.

Parameters:
  • required_permissions (list[str]) – Actions that are required

  • given_permissions (AllowedActionCollection) – Set of actions that are granted to a user or role

Return type:

bool

toil.lib.aws.iam.permission_matches_any(perm, list_perms)

Takes a permission and checks whether it is contained within a list of given permissions. Returns True if it is, otherwise False.

Parameters:
  • perm (str) – Permission to check in string form

  • list_perms (list[str]) – Permission list to check against

Return type:

bool

toil.lib.aws.iam.get_actions_from_policy_document(policy_doc)

Given a policy document, go through each statement and create an AllowedActionCollection representing the permissions granted in the policy document.

Parameters:

policy_doc (mypy_boto3_iam.type_defs.PolicyDocumentDictTypeDef) – A policy document to examine

Return type:

AllowedActionCollection
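The following is an added illustration, not toil's own code, of the Action / NotAction wildcard semantics described under init_action_collection and of the subset check performed by permission_matches_any and policy_permissions_allow. The collection layout (a defaultdict keyed by resource holding "Action" and "NotAction" pattern lists), fnmatch-style matching and the sample policy are assumptions made for this example; Deny statements are deliberately not modelled.

```python
import fnmatch
from collections import defaultdict

# Constructed subset of the cluster-launching actions listed on this page.
REQUIRED = ["iam:CreateRole", "iam:CreateInstanceProfile",
            "iam:TagInstanceProfile", "iam:DeleteRole"]

# Constructed sample policy: one Action statement, one NotAction statement,
# and a Deny statement that this allow-only collection does not track.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def init_action_collection():
    # Assumed layout: resource -> {"Action": [patterns], "NotAction": [patterns]}
    return defaultdict(lambda: {"Action": [], "NotAction": []})


def permission_matches_any(perm, list_perms):
    # IAM action names are case-insensitive, so compare lower-cased patterns.
    return any(fnmatch.fnmatchcase(perm.lower(), p.lower()) for p in list_perms)


def get_actions_from_policy_document(policy_doc):
    # Only Allow statements contribute grant patterns to the collection.
    coll = init_action_collection()
    for st in policy_doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for key in ("Action", "NotAction"):
            pats = st.get(key, [])
            pats = [pats] if isinstance(pats, str) else pats
            for res in resources:
                coll[res][key].extend(pats)
    return coll


def action_allowed(perm, coll, resource="*"):
    # Allowed if an Action pattern matches, or if NotAction patterns exist
    # for the resource and the permission matches none of them.
    grants = coll[resource]
    if permission_matches_any(perm, grants["Action"]):
        return True
    return bool(grants["NotAction"]) and not permission_matches_any(perm, grants["NotAction"])


def missing_permissions(given, required, resource="*"):
    # Subset check in the spirit of policy_permissions_allow: what is not granted.
    return [p for p in required if not action_allowed(p, given, resource)]
```

Because a NotAction of iam:* grants everything except iam, the sample policy still lacks every iam action needed for cluster launching, which is exactly the case the subset check is meant to surface.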

toil.lib.aws.iam.allowed_actions_attached(iam, attached_policies)

Go through all attached policy documents and create an AllowedActionCollection representing granted permissions.

Parameters:
  • iam (mypy_boto3_iam.IAMClient) – IAM client to use

  • attached_policies (list[mypy_boto3_iam.type_defs.AttachedPolicyTypeDef]) – Attached policies

Return type:

AllowedActionCollection

toil.lib.aws.iam.allowed_actions_roles(iam, policy_names, role_name)

Returns a dictionary containing a list of all AWS actions allowed for a given role. This dictionary is keyed by resource and gives a list of policies allowed on that resource.

Parameters:
  • iam (mypy_boto3_iam.IAMClient) – IAM client to use

  • policy_names (list[str]) – Names of policy documents associated with the role

  • role_name (str) – Name of the role whose associated policies to get

Return type:

AllowedActionCollection

toil.lib.aws.iam.collect_policy_actions(policy_documents)

Collect all of the actions allowed by the given policy documents into one AllowedActionCollection.

Parameters:

policy_documents (list[Union[str, mypy_boto3_iam.type_defs.PolicyDocumentDictTypeDef]])

Return type:

AllowedActionCollection

toil.lib.aws.iam.allowed_actions_user(iam, policy_names, user_name)

Gets all allowed actions for the user given by user_name; returns a dictionary, keyed by resource, with a list of permissions allowed for each resource.

Parameters:
  • iam (mypy_boto3_iam.IAMClient) – IAM client to use

  • policy_names (list[str]) – Names of policy documents associated with the user

  • user_name (str) – Name of the user whose associated policies to get

Return type:

AllowedActionCollection

toil.lib.aws.iam.allowed_actions_group(iam, policy_names, group_name)

Gets all allowed actions for the group given by group_name; returns a dictionary, keyed by resource, with a list of permissions allowed for each resource.

Parameters:
  • iam (mypy_boto3_iam.IAMClient) – IAM client to use

  • policy_names (list[str]) – Names of policy documents associated with the group

  • group_name (str) – Name of the group whose associated policies to get

Return type:

AllowedActionCollection

toil.lib.aws.iam.get_policy_permissions(region)

Returns an action collection containing lists of all permission grant patterns, keyed by the resource they are allowed upon. Requires AWS credentials associated with a user or an assumed role.

Parameters:
  • region (str) – AWS region to connect to

Return type:

AllowedActionCollection

toil.lib.aws.iam.get_aws_account_num()

Returns the AWS account number.

Return type:

Optional[str]