toil.lib.aws.iam
Module Contents
- toil.lib.aws.iam.logger
- toil.lib.aws.iam.CLUSTER_LAUNCHING_PERMISSIONS = ['iam:CreateRole', 'iam:CreateInstanceProfile', 'iam:TagInstanceProfile', 'iam:DeleteRole',...
- toil.lib.aws.iam.AllowedActionCollection
- toil.lib.aws.iam.delete_iam_instance_profile(instance_profile_name, region=None, quiet=True)
- toil.lib.aws.iam.delete_iam_role(role_name, region=None, quiet=True)
Deletes an AWS IAM role. Any separate policies are detached from the role, and any inline policies are deleted.
- toil.lib.aws.iam.create_iam_role(role_name, assume_role_policy_document, policies, region=None)
Creates an AWS IAM role. Any separate policies are detached from the role, and any inline policies are deleted.
- toil.lib.aws.iam.init_action_collection()
Initialize an action collection. An action collection holds the allowed Actions and NotActions, keyed by resource. Both are patterns that may contain wildcards: an Action explicitly allows every action matching the pattern, e.g. ec2:* allows all EC2 permissions.
A NotAction explicitly allows every action that does not match the pattern, e.g. a NotAction of iam:* allows all non-IAM actions.
- Return type:
AllowedActionCollection
- toil.lib.aws.iam.add_to_action_collection(a, b)
Combines two action collections
- Parameters:
a (AllowedActionCollection)
b (AllowedActionCollection)
- Return type:
AllowedActionCollection
- toil.lib.aws.iam.policy_permissions_allow(given_permissions, required_permissions=[])
Check whether a given set of actions is a subset of another given set of actions. Returns True if it is; otherwise prints a warning and returns False.
- toil.lib.aws.iam.permission_matches_any(perm, list_perms)
Takes a permission and checks whether it is contained within a list of given permissions. Returns True if it is, otherwise False.
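The matching described for permission_matches_any and policy_permissions_allow, as an added example (not Toil's own implementation): IAM action patterns use `*` and `?` as wildcards and are compared case-insensitively, and the subset check reports which required actions no granted pattern covers. The `None` default for required_permissions is this example's choice.

```python
import logging
import re
from typing import List, Optional

logger = logging.getLogger(__name__)


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an IAM action pattern such as "ec2:*" or "s3:Get*" into a regex.

    Everything is escaped first, then the two IAM wildcards are re-enabled.
    IAM compares action names case-insensitively, so the regex does too.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def permission_matches_any(perm: str, list_perms: List[str]) -> bool:
    """True if `perm` is covered by at least one pattern in `list_perms`."""
    return any(_pattern_to_regex(p).match(perm) for p in list_perms)


def policy_permissions_allow(
    given_permissions: List[str], required_permissions: Optional[List[str]] = None
) -> bool:
    """Check that every required action is matched by some granted pattern.

    Returns True when the required set is fully covered; otherwise logs the
    actions that are not covered and returns False.
    """
    missing = [
        p
        for p in (required_permissions or [])
        if not permission_matches_any(p, given_permissions)
    ]
    if missing:
        logger.warning("Required permissions not granted: %s", missing)
        return False
    return True
```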
- toil.lib.aws.iam.get_actions_from_policy_document(policy_doc)
Given a policy document, go through each statement and create an AllowedActionCollection representing the permissions granted in the policy document.
- Parameters:
policy_doc (mypy_boto3_iam.type_defs.PolicyDocumentDictTypeDef) – A policy document to examine
- Return type:
AllowedActionCollection
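How a policy document is folded into an action collection and how two collections are combined (the behaviour described for get_actions_from_policy_document and add_to_action_collection), as an added example that is not Toil's own code. The dict layout of the collection and the sample policy are constructed for this example; note that only Allow statements are collected, so the result is an upper bound on what is granted and any Deny statements must be evaluated separately.

```python
from typing import Dict, List, Union

# Constructed layout: resource pattern -> {"Action": [...], "NotAction": [...]}
AllowedActionCollection = Dict[str, Dict[str, List[str]]]


def init_action_collection() -> AllowedActionCollection:
    return {}


def _as_list(value: Union[None, str, dict, list]) -> list:
    # IAM accepts a single string (or a single statement object) wherever
    # a list is accepted; normalise to a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def get_actions_from_policy_document(policy_doc: dict) -> AllowedActionCollection:
    """Collect the Action/NotAction patterns of every Allow statement, keyed
    by the resource each statement applies to. Deny statements are skipped."""
    collection = init_action_collection()
    for statement in _as_list(policy_doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        for resource in _as_list(statement.get("Resource")):
            bucket = collection.setdefault(resource, {"Action": [], "NotAction": []})
            bucket["Action"].extend(_as_list(statement.get("Action")))
            bucket["NotAction"].extend(_as_list(statement.get("NotAction")))
    return collection


def add_to_action_collection(a: AllowedActionCollection,
                             b: AllowedActionCollection) -> AllowedActionCollection:
    """Merge two collections, deduplicating patterns per resource."""
    combined = init_action_collection()
    for source in (a, b):
        for resource, grants in source.items():
            bucket = combined.setdefault(resource, {"Action": [], "NotAction": []})
            for key in ("Action", "NotAction"):
                bucket[key].extend(p for p in grants[key] if p not in bucket[key])
    return combined


SAMPLE_POLICY = {  # constructed sample document, not from the Toil project
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::example-bucket/*"]},
    ],
}
```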
- toil.lib.aws.iam.allowed_actions_attached(iam, attached_policies)
Go through all attached policy documents and create an AllowedActionCollection representing granted permissions.
- Parameters:
iam (mypy_boto3_iam.IAMClient) – IAM client to use
attached_policies (list[mypy_boto3_iam.type_defs.AttachedPolicyTypeDef]) – Attached policies
- Return type:
AllowedActionCollection
- toil.lib.aws.iam.allowed_actions_roles(iam, policy_names, role_name)
Returns a dictionary containing a list of all AWS actions allowed for a given role. The dictionary is keyed by resource and gives the list of actions allowed on that resource.
- toil.lib.aws.iam.collect_policy_actions(policy_documents)
Collect all of the actions allowed by the given policy documents into one AllowedActionCollection.
- toil.lib.aws.iam.allowed_actions_user(iam, policy_names, user_name)
Gets all allowed actions for a user given by user_name, returns a dictionary, keyed by resource, with a list of permissions allowed for each given resource.
- toil.lib.aws.iam.allowed_actions_group(iam, policy_names, group_name)
Gets all allowed actions for a group given by group_name, returns a dictionary, keyed by resource, with a list of permissions allowed for each given resource.
- toil.lib.aws.iam.get_policy_permissions(region)
Returns an action collection containing lists of all permission grant patterns, keyed by the resource they are allowed upon. Requires AWS credentials to be associated with a user or an assumed role.
- Parameters:
region (str) – AWS region to connect to
- Return type:
AllowedActionCollection