1# Copyright (c) 2010-2011 Mitch Garnaat http://garnaat.org/ 2# Copyright (c) 2010-2011, Eucalyptus Systems, Inc. 3# 4# Permission is hereby granted, free of charge, to any person obtaining a 5# copy of this software and associated documentation files (the 6# "Software"), to deal in the Software without restriction, including 7# without limitation the rights to use, copy, modify, merge, publish, dis- 8# tribute, sublicense, and/or sell copies of the Software, and to permit 9# persons to whom the Software is furnished to do so, subject to the fol- 10# lowing conditions: 11# 12# The above copyright notice and this permission notice shall be included 13# in all copies or substantial portions of the Software. 14# 15# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 16# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL- 17# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 18# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 19# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 21# IN THE SOFTWARE. 22import boto 23import boto.jsonresponse 24from boto.compat import json, six 25from boto.resultset import ResultSet 26from boto.iam.summarymap import SummaryMap 27from boto.connection import AWSQueryConnection 28 29DEFAULT_POLICY_DOCUMENTS = { 30 'default': { 31 'Statement': [ 32 { 33 'Principal': { 34 'Service': ['ec2.amazonaws.com'] 35 }, 36 'Effect': 'Allow', 37 'Action': ['sts:AssumeRole'] 38 } 39 ] 40 }, 41 'amazonaws.com.cn': { 42 'Statement': [ 43 { 44 'Principal': { 45 'Service': ['ec2.amazonaws.com.cn'] 46 }, 47 'Effect': 'Allow', 48 'Action': ['sts:AssumeRole'] 49 } 50 ] 51 }, 52} 53# For backward-compatibility, we'll preserve this here. 54ASSUME_ROLE_POLICY_DOCUMENT = json.dumps(DEFAULT_POLICY_DOCUMENTS['default']) 55 56 57class IAMConnection(AWSQueryConnection): 58 59 APIVersion = '2010-05-08' 60 61 def __init__(self, aws_access_key_id=None, aws_secret_access_key=None, 62 is_secure=True, port=None, proxy=None, proxy_port=None, 63 proxy_user=None, proxy_pass=None, host='iam.amazonaws.com', 64 debug=0, https_connection_factory=None, path='/', 65 security_token=None, validate_certs=True, profile_name=None): 66 super(IAMConnection, self).__init__(aws_access_key_id, 67 aws_secret_access_key, 68 is_secure, port, proxy, 69 proxy_port, proxy_user, proxy_pass, 70 host, debug, https_connection_factory, 71 path, security_token, 72 validate_certs=validate_certs, 73 profile_name=profile_name) 74 75 def _required_auth_capability(self): 76 return ['hmac-v4'] 77 78 def get_response(self, action, params, path='/', parent=None, 79 verb='POST', list_marker='Set'): 80 """ 81 Utility method to handle calls to IAM and parsing of responses. 82 """ 83 if not parent: 84 parent = self 85 response = self.make_request(action, params, path, verb) 86 body = response.read() 87 boto.log.debug(body) 88 if response.status == 200: 89 if body: 90 e = boto.jsonresponse.Element(list_marker=list_marker, 91 pythonize_name=True) 92 h = boto.jsonresponse.XmlHandler(e, parent) 93 h.parse(body) 94 return e 95 else: 96 # Support empty responses, e.g. deleting a SAML provider 97 # according to the official documentation. 98 return {} 99 else: 100 boto.log.error('%s %s' % (response.status, response.reason)) 101 boto.log.error('%s' % body) 102 raise self.ResponseError(response.status, response.reason, body) 103 104 # 105 # Group methods 106 # 107 108 def get_all_groups(self, path_prefix='/', marker=None, max_items=None): 109 """ 110 List the groups that have the specified path prefix. 111 112 :type path_prefix: string 113 :param path_prefix: If provided, only groups whose paths match 114 the provided prefix will be returned. 115 116 :type marker: string 117 :param marker: Use this only when paginating results and only 118 in follow-up request after you've received a response 119 where the results are truncated. Set this to the value of 120 the Marker element in the response you just received. 121 122 :type max_items: int 123 :param max_items: Use this only when paginating results to indicate 124 the maximum number of groups you want in the response. 125 """ 126 params = {} 127 if path_prefix: 128 params['PathPrefix'] = path_prefix 129 if marker: 130 params['Marker'] = marker 131 if max_items: 132 params['MaxItems'] = max_items 133 return self.get_response('ListGroups', params, 134 list_marker='Groups') 135 136 def get_group(self, group_name, marker=None, max_items=None): 137 """ 138 Return a list of users that are in the specified group. 139 140 :type group_name: string 141 :param group_name: The name of the group whose information should 142 be returned. 143 :type marker: string 144 :param marker: Use this only when paginating results and only 145 in follow-up request after you've received a response 146 where the results are truncated. Set this to the value of 147 the Marker element in the response you just received. 148 149 :type max_items: int 150 :param max_items: Use this only when paginating results to indicate 151 the maximum number of groups you want in the response. 152 """ 153 params = {'GroupName': group_name} 154 if marker: 155 params['Marker'] = marker 156 if max_items: 157 params['MaxItems'] = max_items 158 return self.get_response('GetGroup', params, list_marker='Users') 159 160 def create_group(self, group_name, path='/'): 161 """ 162 Create a group. 163 164 :type group_name: string 165 :param group_name: The name of the new group 166 167 :type path: string 168 :param path: The path to the group (Optional). Defaults to /. 169 170 """ 171 params = {'GroupName': group_name, 172 'Path': path} 173 return self.get_response('CreateGroup', params) 174 175 def delete_group(self, group_name): 176 """ 177 Delete a group. The group must not contain any Users or 178 have any attached policies 179 180 :type group_name: string 181 :param group_name: The name of the group to delete. 182 183 """ 184 params = {'GroupName': group_name} 185 return self.get_response('DeleteGroup', params) 186 187 def update_group(self, group_name, new_group_name=None, new_path=None): 188 """ 189 Updates name and/or path of the specified group. 190 191 :type group_name: string 192 :param group_name: The name of the new group 193 194 :type new_group_name: string 195 :param new_group_name: If provided, the name of the group will be 196 changed to this name. 197 198 :type new_path: string 199 :param new_path: If provided, the path of the group will be 200 changed to this path. 201 202 """ 203 params = {'GroupName': group_name} 204 if new_group_name: 205 params['NewGroupName'] = new_group_name 206 if new_path: 207 params['NewPath'] = new_path 208 return self.get_response('UpdateGroup', params) 209 210 def add_user_to_group(self, group_name, user_name): 211 """ 212 Add a user to a group 213 214 :type group_name: string 215 :param group_name: The name of the group 216 217 :type user_name: string 218 :param user_name: The to be added to the group. 219 220 """ 221 params = {'GroupName': group_name, 222 'UserName': user_name} 223 return self.get_response('AddUserToGroup', params) 224 225 def remove_user_from_group(self, group_name, user_name): 226 """ 227 Remove a user from a group. 228 229 :type group_name: string 230 :param group_name: The name of the group 231 232 :type user_name: string 233 :param user_name: The user to remove from the group. 234 235 """ 236 params = {'GroupName': group_name, 237 'UserName': user_name} 238 return self.get_response('RemoveUserFromGroup', params) 239 240 def put_group_policy(self, group_name, policy_name, policy_json): 241 """ 242 Adds or updates the specified policy document for the specified group. 243 244 :type group_name: string 245 :param group_name: The name of the group the policy is associated with. 246 247 :type policy_name: string 248 :param policy_name: The policy document to get. 249 250 :type policy_json: string 251 :param policy_json: The policy document. 252 253 """ 254 params = {'GroupName': group_name, 255 'PolicyName': policy_name, 256 'PolicyDocument': policy_json} 257 return self.get_response('PutGroupPolicy', params, verb='POST') 258 259 def get_all_group_policies(self, group_name, marker=None, max_items=None): 260 """ 261 List the names of the policies associated with the specified group. 262 263 :type group_name: string 264 :param group_name: The name of the group the policy is associated with. 265 266 :type marker: string 267 :param marker: Use this only when paginating results and only 268 in follow-up request after you've received a response 269 where the results are truncated. Set this to the value of 270 the Marker element in the response you just received. 271 272 :type max_items: int 273 :param max_items: Use this only when paginating results to indicate 274 the maximum number of groups you want in the response. 275 """ 276 params = {'GroupName': group_name} 277 if marker: 278 params['Marker'] = marker 279 if max_items: 280 params['MaxItems'] = max_items 281 return self.get_response('ListGroupPolicies', params, 282 list_marker='PolicyNames') 283 284 def get_group_policy(self, group_name, policy_name): 285 """ 286 Retrieves the specified policy document for the specified group. 287 288 :type group_name: string 289 :param group_name: The name of the group the policy is associated with. 290 291 :type policy_name: string 292 :param policy_name: The policy document to get. 293 294 """ 295 params = {'GroupName': group_name, 296 'PolicyName': policy_name} 297 return self.get_response('GetGroupPolicy', params, verb='POST') 298 299 def delete_group_policy(self, group_name, policy_name): 300 """ 301 Deletes the specified policy document for the specified group. 302 303 :type group_name: string 304 :param group_name: The name of the group the policy is associated with. 305 306 :type policy_name: string 307 :param policy_name: The policy document to delete. 308 309 """ 310 params = {'GroupName': group_name, 311 'PolicyName': policy_name} 312 return self.get_response('DeleteGroupPolicy', params, verb='POST') 313 314 def get_all_users(self, path_prefix='/', marker=None, max_items=None): 315 """ 316 List the users that have the specified path prefix. 317 318 :type path_prefix: string 319 :param path_prefix: If provided, only users whose paths match 320 the provided prefix will be returned. 321 322 :type marker: string 323 :param marker: Use this only when paginating results and only 324 in follow-up request after you've received a response 325 where the results are truncated. Set this to the value of 326 the Marker element in the response you just received. 327 328 :type max_items: int 329 :param max_items: Use this only when paginating results to indicate 330 the maximum number of groups you want in the response. 331 """ 332 params = {'PathPrefix': path_prefix} 333 if marker: 334 params['Marker'] = marker 335 if max_items: 336 params['MaxItems'] = max_items 337 return self.get_response('ListUsers', params, list_marker='Users') 338 339 # 340 # User methods 341 # 342 343 def create_user(self, user_name, path='/'): 344 """ 345 Create a user. 346 347 :type user_name: string 348 :param user_name: The name of the new user 349 350 :type path: string 351 :param path: The path in which the user will be created. 352 Defaults to /. 353 354 """ 355 params = {'UserName': user_name, 356 'Path': path} 357 return self.get_response('CreateUser', params) 358 359 def delete_user(self, user_name): 360 """ 361 Delete a user including the user's path, GUID and ARN. 362 363 If the user_name is not specified, the user_name is determined 364 implicitly based on the AWS Access Key ID used to sign the request. 365 366 :type user_name: string 367 :param user_name: The name of the user to delete. 368 369 """ 370 params = {'UserName': user_name} 371 return self.get_response('DeleteUser', params) 372 373 def get_user(self, user_name=None): 374 """ 375 Retrieve information about the specified user. 376 377 If the user_name is not specified, the user_name is determined 378 implicitly based on the AWS Access Key ID used to sign the request. 379 380 :type user_name: string 381 :param user_name: The name of the user to retrieve. 382 If not specified, defaults to user making request. 383 """ 384 params = {} 385 if user_name: 386 params['UserName'] = user_name 387 return self.get_response('GetUser', params) 388 389 def update_user(self, user_name, new_user_name=None, new_path=None): 390 """ 391 Updates name and/or path of the specified user. 392 393 :type user_name: string 394 :param user_name: The name of the user 395 396 :type new_user_name: string 397 :param new_user_name: If provided, the username of the user will be 398 changed to this username. 399 400 :type new_path: string 401 :param new_path: If provided, the path of the user will be 402 changed to this path. 403 404 """ 405 params = {'UserName': user_name} 406 if new_user_name: 407 params['NewUserName'] = new_user_name 408 if new_path: 409 params['NewPath'] = new_path 410 return self.get_response('UpdateUser', params) 411 412 def get_all_user_policies(self, user_name, marker=None, max_items=None): 413 """ 414 List the names of the policies associated with the specified user. 415 416 :type user_name: string 417 :param user_name: The name of the user the policy is associated with. 418 419 :type marker: string 420 :param marker: Use this only when paginating results and only 421 in follow-up request after you've received a response 422 where the results are truncated. Set this to the value of 423 the Marker element in the response you just received. 424 425 :type max_items: int 426 :param max_items: Use this only when paginating results to indicate 427 the maximum number of groups you want in the response. 428 """ 429 params = {'UserName': user_name} 430 if marker: 431 params['Marker'] = marker 432 if max_items: 433 params['MaxItems'] = max_items 434 return self.get_response('ListUserPolicies', params, 435 list_marker='PolicyNames') 436 437 def put_user_policy(self, user_name, policy_name, policy_json): 438 """ 439 Adds or updates the specified policy document for the specified user. 440 441 :type user_name: string 442 :param user_name: The name of the user the policy is associated with. 443 444 :type policy_name: string 445 :param policy_name: The policy document to get. 446 447 :type policy_json: string 448 :param policy_json: The policy document. 449 450 """ 451 params = {'UserName': user_name, 452 'PolicyName': policy_name, 453 'PolicyDocument': policy_json} 454 return self.get_response('PutUserPolicy', params, verb='POST') 455 456 def get_user_policy(self, user_name, policy_name): 457 """ 458 Retrieves the specified policy document for the specified user. 459 460 :type user_name: string 461 :param user_name: The name of the user the policy is associated with. 462 463 :type policy_name: string 464 :param policy_name: The policy document to get. 465 466 """ 467 params = {'UserName': user_name, 468 'PolicyName': policy_name} 469 return self.get_response('GetUserPolicy', params, verb='POST') 470 471 def delete_user_policy(self, user_name, policy_name): 472 """ 473 Deletes the specified policy document for the specified user. 474 475 :type user_name: string 476 :param user_name: The name of the user the policy is associated with. 477 478 :type policy_name: string 479 :param policy_name: The policy document to delete. 480 481 """ 482 params = {'UserName': user_name, 483 'PolicyName': policy_name} 484 return self.get_response('DeleteUserPolicy', params, verb='POST') 485 486 def get_groups_for_user(self, user_name, marker=None, max_items=None): 487 """ 488 List the groups that a specified user belongs to. 489 490 :type user_name: string 491 :param user_name: The name of the user to list groups for. 492 493 :type marker: string 494 :param marker: Use this only when paginating results and only 495 in follow-up request after you've received a response 496 where the results are truncated. Set this to the value of 497 the Marker element in the response you just received. 498 499 :type max_items: int 500 :param max_items: Use this only when paginating results to indicate 501 the maximum number of groups you want in the response. 502 """ 503 params = {'UserName': user_name} 504 if marker: 505 params['Marker'] = marker 506 if max_items: 507 params['MaxItems'] = max_items 508 return self.get_response('ListGroupsForUser', params, 509 list_marker='Groups') 510 511 # 512 # Access Keys 513 # 514 515 def get_all_access_keys(self, user_name, marker=None, max_items=None): 516 """ 517 Get all access keys associated with an account. 518 519 :type user_name: string 520 :param user_name: The username of the user 521 522 :type marker: string 523 :param marker: Use this only when paginating results and only 524 in follow-up request after you've received a response 525 where the results are truncated. Set this to the value of 526 the Marker element in the response you just received. 527 528 :type max_items: int 529 :param max_items: Use this only when paginating results to indicate 530 the maximum number of groups you want in the response. 531 """ 532 params = {'UserName': user_name} 533 if marker: 534 params['Marker'] = marker 535 if max_items: 536 params['MaxItems'] = max_items 537 return self.get_response('ListAccessKeys', params, 538 list_marker='AccessKeyMetadata') 539 540 def create_access_key(self, user_name=None): 541 """ 542 Create a new AWS Secret Access Key and corresponding AWS Access Key ID 543 for the specified user. The default status for new keys is Active 544 545 If the user_name is not specified, the user_name is determined 546 implicitly based on the AWS Access Key ID used to sign the request. 547 548 :type user_name: string 549 :param user_name: The username of the user 550 551 """ 552 params = {'UserName': user_name} 553 return self.get_response('CreateAccessKey', params) 554 555 def update_access_key(self, access_key_id, status, user_name=None): 556 """ 557 Changes the status of the specified access key from Active to Inactive 558 or vice versa. This action can be used to disable a user's key as 559 part of a key rotation workflow. 560 561 If the user_name is not specified, the user_name is determined 562 implicitly based on the AWS Access Key ID used to sign the request. 563 564 :type access_key_id: string 565 :param access_key_id: The ID of the access key. 566 567 :type status: string 568 :param status: Either Active or Inactive. 569 570 :type user_name: string 571 :param user_name: The username of user (optional). 572 573 """ 574 params = {'AccessKeyId': access_key_id, 575 'Status': status} 576 if user_name: 577 params['UserName'] = user_name 578 return self.get_response('UpdateAccessKey', params) 579 580 def delete_access_key(self, access_key_id, user_name=None): 581 """ 582 Delete an access key associated with a user. 583 584 If the user_name is not specified, it is determined implicitly based 585 on the AWS Access Key ID used to sign the request. 586 587 :type access_key_id: string 588 :param access_key_id: The ID of the access key to be deleted. 589 590 :type user_name: string 591 :param user_name: The username of the user 592 593 """ 594 params = {'AccessKeyId': access_key_id} 595 if user_name: 596 params['UserName'] = user_name 597 return self.get_response('DeleteAccessKey', params) 598 599 # 600 # Signing Certificates 601 # 602 603 def get_all_signing_certs(self, marker=None, max_items=None, 604 user_name=None): 605 """ 606 Get all signing certificates associated with an account. 607 608 If the user_name is not specified, it is determined implicitly based 609 on the AWS Access Key ID used to sign the request. 610 611 :type marker: string 612 :param marker: Use this only when paginating results and only 613 in follow-up request after you've received a response 614 where the results are truncated. Set this to the value of 615 the Marker element in the response you just received. 616 617 :type max_items: int 618 :param max_items: Use this only when paginating results to indicate 619 the maximum number of groups you want in the response. 620 621 :type user_name: string 622 :param user_name: The username of the user 623 624 """ 625 params = {} 626 if marker: 627 params['Marker'] = marker 628 if max_items: 629 params['MaxItems'] = max_items 630 if user_name: 631 params['UserName'] = user_name 632 return self.get_response('ListSigningCertificates', 633 params, list_marker='Certificates') 634 635 def update_signing_cert(self, cert_id, status, user_name=None): 636 """ 637 Change the status of the specified signing certificate from 638 Active to Inactive or vice versa. 639 640 If the user_name is not specified, it is determined implicitly based 641 on the AWS Access Key ID used to sign the request. 642 643 :type cert_id: string 644 :param cert_id: The ID of the signing certificate 645 646 :type status: string 647 :param status: Either Active or Inactive. 648 649 :type user_name: string 650 :param user_name: The username of the user 651 """ 652 params = {'CertificateId': cert_id, 653 'Status': status} 654 if user_name: 655 params['UserName'] = user_name 656 return self.get_response('UpdateSigningCertificate', params) 657 658 def upload_signing_cert(self, cert_body, user_name=None): 659 """ 660 Uploads an X.509 signing certificate and associates it with 661 the specified user. 662 663 If the user_name is not specified, it is determined implicitly based 664 on the AWS Access Key ID used to sign the request. 665 666 :type cert_body: string 667 :param cert_body: The body of the signing certificate. 668 669 :type user_name: string 670 :param user_name: The username of the user 671 672 """ 673 params = {'CertificateBody': cert_body} 674 if user_name: 675 params['UserName'] = user_name 676 return self.get_response('UploadSigningCertificate', params, 677 verb='POST') 678 679 def delete_signing_cert(self, cert_id, user_name=None): 680 """ 681 Delete a signing certificate associated with a user. 682 683 If the user_name is not specified, it is determined implicitly based 684 on the AWS Access Key ID used to sign the request. 685 686 :type user_name: string 687 :param user_name: The username of the user 688 689 :type cert_id: string 690 :param cert_id: The ID of the certificate. 691 692 """ 693 params = {'CertificateId': cert_id} 694 if user_name: 695 params['UserName'] = user_name 696 return self.get_response('DeleteSigningCertificate', params) 697 698 # 699 # Server Certificates 700 # 701 702 def list_server_certs(self, path_prefix='/', 703 marker=None, max_items=None): 704 """ 705 Lists the server certificates that have the specified path prefix. 706 If none exist, the action returns an empty list. 707 708 :type path_prefix: string 709 :param path_prefix: If provided, only certificates whose paths match 710 the provided prefix will be returned. 711 712 :type marker: string 713 :param marker: Use this only when paginating results and only 714 in follow-up request after you've received a response 715 where the results are truncated. Set this to the value of 716 the Marker element in the response you just received. 717 718 :type max_items: int 719 :param max_items: Use this only when paginating results to indicate 720 the maximum number of groups you want in the response. 721 722 """ 723 params = {} 724 if path_prefix: 725 params['PathPrefix'] = path_prefix 726 if marker: 727 params['Marker'] = marker 728 if max_items: 729 params['MaxItems'] = max_items 730 return self.get_response('ListServerCertificates', 731 params, 732 list_marker='ServerCertificateMetadataList') 733 734 # Preserves backwards compatibility. 735 # TODO: Look into deprecating this eventually? 736 get_all_server_certs = list_server_certs 737 738 def update_server_cert(self, cert_name, new_cert_name=None, 739 new_path=None): 740 """ 741 Updates the name and/or the path of the specified server certificate. 742 743 :type cert_name: string 744 :param cert_name: The name of the server certificate that you want 745 to update. 746 747 :type new_cert_name: string 748 :param new_cert_name: The new name for the server certificate. 749 Include this only if you are updating the 750 server certificate's name. 751 752 :type new_path: string 753 :param new_path: If provided, the path of the certificate will be 754 changed to this path. 755 """ 756 params = {'ServerCertificateName': cert_name} 757 if new_cert_name: 758 params['NewServerCertificateName'] = new_cert_name 759 if new_path: 760 params['NewPath'] = new_path 761 return self.get_response('UpdateServerCertificate', params) 762 763 def upload_server_cert(self, cert_name, cert_body, private_key, 764 cert_chain=None, path=None): 765 """ 766 Uploads a server certificate entity for the AWS Account. 767 The server certificate entity includes a public key certificate, 768 a private key, and an optional certificate chain, which should 769 all be PEM-encoded. 770 771 :type cert_name: string 772 :param cert_name: The name for the server certificate. Do not 773 include the path in this value. 774 775 :type cert_body: string 776 :param cert_body: The contents of the public key certificate 777 in PEM-encoded format. 778 779 :type private_key: string 780 :param private_key: The contents of the private key in 781 PEM-encoded format. 782 783 :type cert_chain: string 784 :param cert_chain: The contents of the certificate chain. This 785 is typically a concatenation of the PEM-encoded 786 public key certificates of the chain. 787 788 :type path: string 789 :param path: The path for the server certificate. 790 """ 791 params = {'ServerCertificateName': cert_name, 792 'CertificateBody': cert_body, 793 'PrivateKey': private_key} 794 if cert_chain: 795 params['CertificateChain'] = cert_chain 796 if path: 797 params['Path'] = path 798 return self.get_response('UploadServerCertificate', params, 799 verb='POST') 800 801 def get_server_certificate(self, cert_name): 802 """ 803 Retrieves information about the specified server certificate. 804 805 :type cert_name: string 806 :param cert_name: The name of the server certificate you want 807 to retrieve information about. 808 809 """ 810 params = {'ServerCertificateName': cert_name} 811 return self.get_response('GetServerCertificate', params) 812 813 def delete_server_cert(self, cert_name): 814 """ 815 Delete the specified server certificate. 816 817 :type cert_name: string 818 :param cert_name: The name of the server certificate you want 819 to delete. 820 821 """ 822 params = {'ServerCertificateName': cert_name} 823 return self.get_response('DeleteServerCertificate', params) 824 825 # 826 # MFA Devices 827 # 828 829 def get_all_mfa_devices(self, user_name, marker=None, max_items=None): 830 """ 831 Get all MFA devices associated with an account. 832 833 :type user_name: string 834 :param user_name: The username of the user 835 836 :type marker: string 837 :param marker: Use this only when paginating results and only 838 in follow-up request after you've received a response 839 where the results are truncated. Set this to the value of 840 the Marker element in the response you just received. 841 842 :type max_items: int 843 :param max_items: Use this only when paginating results to indicate 844 the maximum number of groups you want in the response. 845 846 """ 847 params = {'UserName': user_name} 848 if marker: 849 params['Marker'] = marker 850 if max_items: 851 params['MaxItems'] = max_items 852 return self.get_response('ListMFADevices', 853 params, list_marker='MFADevices') 854 855 def enable_mfa_device(self, user_name, serial_number, 856 auth_code_1, auth_code_2): 857 """ 858 Enables the specified MFA device and associates it with the 859 specified user. 860 861 :type user_name: string 862 :param user_name: The username of the user 863 864 :type serial_number: string 865 :param serial_number: The serial number which uniquely identifies 866 the MFA device. 867 868 :type auth_code_1: string 869 :param auth_code_1: An authentication code emitted by the device. 870 871 :type auth_code_2: string 872 :param auth_code_2: A subsequent authentication code emitted 873 by the device. 874 875 """ 876 params = {'UserName': user_name, 877 'SerialNumber': serial_number, 878 'AuthenticationCode1': auth_code_1, 879 'AuthenticationCode2': auth_code_2} 880 return self.get_response('EnableMFADevice', params) 881 882 def deactivate_mfa_device(self, user_name, serial_number): 883 """ 884 Deactivates the specified MFA device and removes it from 885 association with the user. 886 887 :type user_name: string 888 :param user_name: The username of the user 889 890 :type serial_number: string 891 :param serial_number: The serial number which uniquely identifies 892 the MFA device. 893 894 """ 895 params = {'UserName': user_name, 896 'SerialNumber': serial_number} 897 return self.get_response('DeactivateMFADevice', params) 898 899 def resync_mfa_device(self, user_name, serial_number, 900 auth_code_1, auth_code_2): 901 """ 902 Syncronizes the specified MFA device with the AWS servers. 903 904 :type user_name: string 905 :param user_name: The username of the user 906 907 :type serial_number: string 908 :param serial_number: The serial number which uniquely identifies 909 the MFA device. 910 911 :type auth_code_1: string 912 :param auth_code_1: An authentication code emitted by the device. 913 914 :type auth_code_2: string 915 :param auth_code_2: A subsequent authentication code emitted 916 by the device. 917 918 """ 919 params = {'UserName': user_name, 920 'SerialNumber': serial_number, 921 'AuthenticationCode1': auth_code_1, 922 'AuthenticationCode2': auth_code_2} 923 return self.get_response('ResyncMFADevice', params) 924 925 # 926 # Login Profiles 927 # 928 929 def get_login_profiles(self, user_name): 930 """ 931 Retrieves the login profile for the specified user. 932 933 :type user_name: string 934 :param user_name: The username of the user 935 936 """ 937 params = {'UserName': user_name} 938 return self.get_response('GetLoginProfile', params) 939 940 def create_login_profile(self, user_name, password): 941 """ 942 Creates a login profile for the specified user, give the user the 943 ability to access AWS services and the AWS Management Console. 944 945 :type user_name: string 946 :param user_name: The name of the user 947 948 :type password: string 949 :param password: The new password for the user 950 951 """ 952 params = {'UserName': user_name, 953 'Password': password} 954 return self.get_response('CreateLoginProfile', params) 955 956 def delete_login_profile(self, user_name): 957 """ 958 Deletes the login profile associated with the specified user. 959 960 :type user_name: string 961 :param user_name: The name of the user to delete. 962 963 """ 964 params = {'UserName': user_name} 965 return self.get_response('DeleteLoginProfile', params) 966 967 def update_login_profile(self, user_name, password): 968 """ 969 Resets the password associated with the user's login profile. 970 971 :type user_name: string 972 :param user_name: The name of the user 973 974 :type password: string 975 :param password: The new password for the user 976 977 """ 978 params = {'UserName': user_name, 979 'Password': password} 980 return self.get_response('UpdateLoginProfile', params) 981 982 def create_account_alias(self, alias): 983 """ 984 Creates a new alias for the AWS account. 985 986 For more information on account id aliases, please see 987 http://goo.gl/ToB7G 988 989 :type alias: string 990 :param alias: The alias to attach to the account. 991 """ 992 params = {'AccountAlias': alias} 993 return self.get_response('CreateAccountAlias', params) 994 995 def delete_account_alias(self, alias): 996 """ 997 Deletes an alias for the AWS account. 998 999 For more information on account id aliases, please see 1000 http://goo.gl/ToB7G 1001 1002 :type alias: string 1003 :param alias: The alias to remove from the account. 1004 """ 1005 params = {'AccountAlias': alias} 1006 return self.get_response('DeleteAccountAlias', params) 1007 1008 def get_account_alias(self): 1009 """ 1010 Get the alias for the current account. 1011 1012 This is referred to in the docs as list_account_aliases, 1013 but it seems you can only have one account alias currently. 1014 1015 For more information on account id aliases, please see 1016 http://goo.gl/ToB7G 1017 """ 1018 return self.get_response('ListAccountAliases', {}, 1019 list_marker='AccountAliases') 1020 1021 def get_signin_url(self, service='ec2'): 1022 """ 1023 Get the URL where IAM users can use their login profile to sign in 1024 to this account's console. 1025 1026 :type service: string 1027 :param service: Default service to go to in the console. 1028 """ 1029 alias = self.get_account_alias() 1030 1031 if not alias: 1032 raise Exception('No alias associated with this account. Please use iam.create_account_alias() first.') 1033 1034 resp = alias.get('list_account_aliases_response', {}) 1035 result = resp.get('list_account_aliases_result', {}) 1036 aliases = result.get('account_aliases', []) 1037 1038 if not len(aliases): 1039 raise Exception('No alias associated with this account. Please use iam.create_account_alias() first.') 1040 1041 # We'll just use the first one we find. 1042 alias = aliases[0] 1043 1044 if self.host == 'iam.us-gov.amazonaws.com': 1045 return "https://%s.signin.amazonaws-us-gov.com/console/%s" % ( 1046 alias, 1047 service 1048 ) 1049 elif self.host.endswith('amazonaws.com.cn'): 1050 return "https://%s.signin.amazonaws.cn/console/%s" % ( 1051 alias, 1052 service 1053 ) 1054 else: 1055 return "https://%s.signin.aws.amazon.com/console/%s" % ( 1056 alias, 1057 service 1058 ) 1059 1060 def get_account_summary(self): 1061 """ 1062 Get the alias for the current account. 1063 1064 This is referred to in the docs as list_account_aliases, 1065 but it seems you can only have one account alias currently. 1066 1067 For more information on account id aliases, please see 1068 http://goo.gl/ToB7G 1069 """ 1070 return self.get_object('GetAccountSummary', {}, SummaryMap) 1071 1072 # 1073 # IAM Roles 1074 # 1075 1076 def add_role_to_instance_profile(self, instance_profile_name, role_name): 1077 """ 1078 Adds the specified role to the specified instance profile. 1079 1080 :type instance_profile_name: string 1081 :param instance_profile_name: Name of the instance profile to update. 1082 1083 :type role_name: string 1084 :param role_name: Name of the role to add. 1085 """ 1086 return self.get_response('AddRoleToInstanceProfile', 1087 {'InstanceProfileName': instance_profile_name, 1088 'RoleName': role_name}) 1089 1090 def create_instance_profile(self, instance_profile_name, path=None): 1091 """ 1092 Creates a new instance profile. 1093 1094 :type instance_profile_name: string 1095 :param instance_profile_name: Name of the instance profile to create. 1096 1097 :type path: string 1098 :param path: The path to the instance profile. 1099 """ 1100 params = {'InstanceProfileName': instance_profile_name} 1101 if path is not None: 1102 params['Path'] = path 1103 return self.get_response('CreateInstanceProfile', params) 1104 1105 def _build_policy(self, assume_role_policy_document=None): 1106 if assume_role_policy_document is not None: 1107 if isinstance(assume_role_policy_document, six.string_types): 1108 # Historically, they had to pass a string. If it's a string, 1109 # assume the user has already handled it. 1110 return assume_role_policy_document 1111 else: 1112 1113 for tld, policy in DEFAULT_POLICY_DOCUMENTS.items(): 1114 if tld is 'default': 1115 # Skip the default. We'll fall back to it if we don't find 1116 # anything. 1117 continue 1118 1119 if self.host and self.host.endswith(tld): 1120 assume_role_policy_document = policy 1121 break 1122 1123 if not assume_role_policy_document: 1124 assume_role_policy_document = DEFAULT_POLICY_DOCUMENTS['default'] 1125 1126 # Dump the policy (either user-supplied ``dict`` or one of the defaults) 1127 return json.dumps(assume_role_policy_document) 1128 1129 def create_role(self, role_name, assume_role_policy_document=None, path=None): 1130 """ 1131 Creates a new role for your AWS account. 1132 1133 The policy grants permission to an EC2 instance to assume the role. 1134 The policy is URL-encoded according to RFC 3986. Currently, only EC2 1135 instances can assume roles. 1136 1137 :type role_name: string 1138 :param role_name: Name of the role to create. 1139 1140 :type assume_role_policy_document: ``string`` or ``dict`` 1141 :param assume_role_policy_document: The policy that grants an entity 1142 permission to assume the role. 1143 1144 :type path: string 1145 :param path: The path to the role. 1146 """ 1147 params = { 1148 'RoleName': role_name, 1149 'AssumeRolePolicyDocument': self._build_policy( 1150 assume_role_policy_document 1151 ), 1152 } 1153 if path is not None: 1154 params['Path'] = path 1155 return self.get_response('CreateRole', params) 1156 1157 def delete_instance_profile(self, instance_profile_name): 1158 """ 1159 Deletes the specified instance profile. The instance profile must not 1160 have an associated role. 1161 1162 :type instance_profile_name: string 1163 :param instance_profile_name: Name of the instance profile to delete. 1164 """ 1165 return self.get_response( 1166 'DeleteInstanceProfile', 1167 {'InstanceProfileName': instance_profile_name}) 1168 1169 def delete_role(self, role_name): 1170 """ 1171 Deletes the specified role. The role must not have any policies 1172 attached. 1173 1174 :type role_name: string 1175 :param role_name: Name of the role to delete. 1176 """ 1177 return self.get_response('DeleteRole', {'RoleName': role_name}) 1178 1179 def delete_role_policy(self, role_name, policy_name): 1180 """ 1181 Deletes the specified policy associated with the specified role. 1182 1183 :type role_name: string 1184 :param role_name: Name of the role associated with the policy. 1185 1186 :type policy_name: string 1187 :param policy_name: Name of the policy to delete. 1188 """ 1189 return self.get_response( 1190 'DeleteRolePolicy', 1191 {'RoleName': role_name, 'PolicyName': policy_name}) 1192 1193 def get_instance_profile(self, instance_profile_name): 1194 """ 1195 Retrieves information about the specified instance profile, including 1196 the instance profile's path, GUID, ARN, and role. 1197 1198 :type instance_profile_name: string 1199 :param instance_profile_name: Name of the instance profile to get 1200 information about. 1201 """ 1202 return self.get_response('GetInstanceProfile', 1203 {'InstanceProfileName': instance_profile_name}) 1204 1205 def get_role(self, role_name): 1206 """ 1207 Retrieves information about the specified role, including the role's 1208 path, GUID, ARN, and the policy granting permission to EC2 to assume 1209 the role. 1210 1211 :type role_name: string 1212 :param role_name: Name of the role associated with the policy. 1213 """ 1214 return self.get_response('GetRole', {'RoleName': role_name}) 1215 1216 def get_role_policy(self, role_name, policy_name): 1217 """ 1218 Retrieves the specified policy document for the specified role. 1219 1220 :type role_name: string 1221 :param role_name: Name of the role associated with the policy. 1222 1223 :type policy_name: string 1224 :param policy_name: Name of the policy to get. 1225 """ 1226 return self.get_response('GetRolePolicy', 1227 {'RoleName': role_name, 1228 'PolicyName': policy_name}) 1229 1230 def list_instance_profiles(self, path_prefix=None, marker=None, 1231 max_items=None): 1232 """ 1233 Lists the instance profiles that have the specified path prefix. If 1234 there are none, the action returns an empty list. 1235 1236 :type path_prefix: string 1237 :param path_prefix: The path prefix for filtering the results. For 1238 example: /application_abc/component_xyz/, which would get all 1239 instance profiles whose path starts with 1240 /application_abc/component_xyz/. 1241 1242 :type marker: string 1243 :param marker: Use this parameter only when paginating results, and 1244 only in a subsequent request after you've received a response 1245 where the results are truncated. Set it to the value of the 1246 Marker element in the response you just received. 1247 1248 :type max_items: int 1249 :param max_items: Use this parameter only when paginating results to 1250 indicate the maximum number of user names you want in the response. 1251 """ 1252 params = {} 1253 if path_prefix is not None: 1254 params['PathPrefix'] = path_prefix 1255 if marker is not None: 1256 params['Marker'] = marker 1257 if max_items is not None: 1258 params['MaxItems'] = max_items 1259 1260 return self.get_response('ListInstanceProfiles', params, 1261 list_marker='InstanceProfiles') 1262 1263 def list_instance_profiles_for_role(self, role_name, marker=None, 1264 max_items=None): 1265 """ 1266 Lists the instance profiles that have the specified associated role. If 1267 there are none, the action returns an empty list. 1268 1269 :type role_name: string 1270 :param role_name: The name of the role to list instance profiles for. 1271 1272 :type marker: string 1273 :param marker: Use this parameter only when paginating results, and 1274 only in a subsequent request after you've received a response 1275 where the results are truncated. Set it to the value of the 1276 Marker element in the response you just received. 1277 1278 :type max_items: int 1279 :param max_items: Use this parameter only when paginating results to 1280 indicate the maximum number of user names you want in the response. 1281 """ 1282 params = {'RoleName': role_name} 1283 if marker is not None: 1284 params['Marker'] = marker 1285 if max_items is not None: 1286 params['MaxItems'] = max_items 1287 return self.get_response('ListInstanceProfilesForRole', params, 1288 list_marker='InstanceProfiles') 1289 1290 def list_role_policies(self, role_name, marker=None, max_items=None): 1291 """ 1292 Lists the names of the policies associated with the specified role. If 1293 there are none, the action returns an empty list. 1294 1295 :type role_name: string 1296 :param role_name: The name of the role to list policies for. 1297 1298 :type marker: string 1299 :param marker: Use this parameter only when paginating results, and 1300 only in a subsequent request after you've received a response 1301 where the results are truncated. Set it to the value of the 1302 marker element in the response you just received. 1303 1304 :type max_items: int 1305 :param max_items: Use this parameter only when paginating results to 1306 indicate the maximum number of user names you want in the response. 1307 """ 1308 params = {'RoleName': role_name} 1309 if marker is not None: 1310 params['Marker'] = marker 1311 if max_items is not None: 1312 params['MaxItems'] = max_items 1313 return self.get_response('ListRolePolicies', params, 1314 list_marker='PolicyNames') 1315 1316 def list_roles(self, path_prefix=None, marker=None, max_items=None): 1317 """ 1318 Lists the roles that have the specified path prefix. If there are none, 1319 the action returns an empty list. 1320 1321 :type path_prefix: string 1322 :param path_prefix: The path prefix for filtering the results. 1323 1324 :type marker: string 1325 :param marker: Use this parameter only when paginating results, and 1326 only in a subsequent request after you've received a response 1327 where the results are truncated. Set it to the value of the 1328 marker element in the response you just received. 1329 1330 :type max_items: int 1331 :param max_items: Use this parameter only when paginating results to 1332 indicate the maximum number of user names you want in the response. 1333 """ 1334 params = {} 1335 if path_prefix is not None: 1336 params['PathPrefix'] = path_prefix 1337 if marker is not None: 1338 params['Marker'] = marker 1339 if max_items is not None: 1340 params['MaxItems'] = max_items 1341 return self.get_response('ListRoles', params, list_marker='Roles') 1342 1343 def put_role_policy(self, role_name, policy_name, policy_document): 1344 """ 1345 Adds (or updates) a policy document associated with the specified role. 1346 1347 :type role_name: string 1348 :param role_name: Name of the role to associate the policy with. 1349 1350 :type policy_name: string 1351 :param policy_name: Name of the policy document. 1352 1353 :type policy_document: string 1354 :param policy_document: The policy document. 1355 """ 1356 return self.get_response('PutRolePolicy', 1357 {'RoleName': role_name, 1358 'PolicyName': policy_name, 1359 'PolicyDocument': policy_document}) 1360 1361 def remove_role_from_instance_profile(self, instance_profile_name, 1362 role_name): 1363 """ 1364 Removes the specified role from the specified instance profile. 1365 1366 :type instance_profile_name: string 1367 :param instance_profile_name: Name of the instance profile to update. 1368 1369 :type role_name: string 1370 :param role_name: Name of the role to remove. 1371 """ 1372 return self.get_response('RemoveRoleFromInstanceProfile', 1373 {'InstanceProfileName': instance_profile_name, 1374 'RoleName': role_name}) 1375 1376 def update_assume_role_policy(self, role_name, policy_document): 1377 """ 1378 Updates the policy that grants an entity permission to assume a role. 1379 Currently, only an Amazon EC2 instance can assume a role. 1380 1381 :type role_name: string 1382 :param role_name: Name of the role to update. 1383 1384 :type policy_document: string 1385 :param policy_document: The policy that grants an entity permission to 1386 assume the role. 1387 """ 1388 return self.get_response('UpdateAssumeRolePolicy', 1389 {'RoleName': role_name, 1390 'PolicyDocument': policy_document}) 1391 1392 def create_saml_provider(self, saml_metadata_document, name): 1393 """ 1394 Creates an IAM entity to describe an identity provider (IdP) 1395 that supports SAML 2.0. 1396 1397 The SAML provider that you create with this operation can be 1398 used as a principal in a role's trust policy to establish a 1399 trust relationship between AWS and a SAML identity provider. 1400 You can create an IAM role that supports Web-based single 1401 sign-on (SSO) to the AWS Management Console or one that 1402 supports API access to AWS. 1403 1404 When you create the SAML provider, you upload an a SAML 1405 metadata document that you get from your IdP and that includes 1406 the issuer's name, expiration information, and keys that can 1407 be used to validate the SAML authentication response 1408 (assertions) that are received from the IdP. You must generate 1409 the metadata document using the identity management software 1410 that is used as your organization's IdP. 1411 This operation requires `Signature Version 4`_. 1412 For more information, see `Giving Console Access Using SAML`_ 1413 and `Creating Temporary Security Credentials for SAML 1414 Federation`_ in the Using Temporary Credentials guide. 1415 1416 :type saml_metadata_document: string 1417 :param saml_metadata_document: An XML document generated by an identity 1418 provider (IdP) that supports SAML 2.0. The document includes the 1419 issuer's name, expiration information, and keys that can be used to 1420 validate the SAML authentication response (assertions) that are 1421 received from the IdP. You must generate the metadata document 1422 using the identity management software that is used as your 1423 organization's IdP. 1424 For more information, see `Creating Temporary Security Credentials for 1425 SAML Federation`_ in the Using Temporary Security Credentials 1426 guide. 1427 1428 :type name: string 1429 :param name: The name of the provider to create. 1430 1431 """ 1432 params = { 1433 'SAMLMetadataDocument': saml_metadata_document, 1434 'Name': name, 1435 } 1436 return self.get_response('CreateSAMLProvider', params) 1437 1438 def list_saml_providers(self): 1439 """ 1440 Lists the SAML providers in the account. 1441 This operation requires `Signature Version 4`_. 1442 """ 1443 return self.get_response('ListSAMLProviders', {}, list_marker='SAMLProviderList') 1444 1445 def get_saml_provider(self, saml_provider_arn): 1446 """ 1447 Returns the SAML provider metadocument that was uploaded when 1448 the provider was created or updated. 1449 This operation requires `Signature Version 4`_. 1450 1451 :type saml_provider_arn: string 1452 :param saml_provider_arn: The Amazon Resource Name (ARN) of the SAML 1453 provider to get information about. 1454 1455 """ 1456 params = {'SAMLProviderArn': saml_provider_arn} 1457 return self.get_response('GetSAMLProvider', params) 1458 1459 def update_saml_provider(self, saml_provider_arn, saml_metadata_document): 1460 """ 1461 Updates the metadata document for an existing SAML provider. 1462 This operation requires `Signature Version 4`_. 1463 1464 :type saml_provider_arn: string 1465 :param saml_provider_arn: The Amazon Resource Name (ARN) of the SAML 1466 provider to update. 1467 1468 :type saml_metadata_document: string 1469 :param saml_metadata_document: An XML document generated by an identity 1470 provider (IdP) that supports SAML 2.0. The document includes the 1471 issuer's name, expiration information, and keys that can be used to 1472 validate the SAML authentication response (assertions) that are 1473 received from the IdP. You must generate the metadata document 1474 using the identity management software that is used as your 1475 organization's IdP. 1476 1477 """ 1478 params = { 1479 'SAMLMetadataDocument': saml_metadata_document, 1480 'SAMLProviderArn': saml_provider_arn, 1481 } 1482 return self.get_response('UpdateSAMLProvider', params) 1483 1484 def delete_saml_provider(self, saml_provider_arn): 1485 """ 1486 Deletes a SAML provider. 1487 1488 Deleting the provider does not update any roles that reference 1489 the SAML provider as a principal in their trust policies. Any 1490 attempt to assume a role that references a SAML provider that 1491 has been deleted will fail. 1492 This operation requires `Signature Version 4`_. 1493 1494 :type saml_provider_arn: string 1495 :param saml_provider_arn: The Amazon Resource Name (ARN) of the SAML 1496 provider to delete. 1497 1498 """ 1499 params = {'SAMLProviderArn': saml_provider_arn} 1500 return self.get_response('DeleteSAMLProvider', params) 1501 1502 # 1503 # IAM Reports 1504 # 1505 1506 def generate_credential_report(self): 1507 """ 1508 Generates a credential report for an account 1509 1510 A new credential report can only be generated every 4 hours. If one 1511 hasn't been generated in the last 4 hours then get_credential_report 1512 will error when called 1513 """ 1514 params = {} 1515 return self.get_response('GenerateCredentialReport', params) 1516 1517 def get_credential_report(self): 1518 """ 1519 Retrieves a credential report for an account 1520 1521 A report must have been generated in the last 4 hours to succeed. 1522 The report is returned as a base64 encoded blob within the response. 1523 """ 1524 params = {} 1525 return self.get_response('GetCredentialReport', params) 1526 1527 def create_virtual_mfa_device(self, path, device_name): 1528 """ 1529 Creates a new virtual MFA device for the AWS account. 1530 1531 After creating the virtual MFA, use enable-mfa-device to 1532 attach the MFA device to an IAM user. 1533 1534 :type path: string 1535 :param path: The path for the virtual MFA device. 1536 1537 :type device_name: string 1538 :param device_name: The name of the virtual MFA device. 1539 Used with path to uniquely identify a virtual MFA device. 1540 1541 """ 1542 params = { 1543 'Path': path, 1544 'VirtualMFADeviceName': device_name 1545 } 1546 return self.get_response('CreateVirtualMFADevice', params) 1547 1548 # 1549 # IAM password policy 1550 # 1551 1552 def get_account_password_policy(self): 1553 """ 1554 Returns the password policy for the AWS account. 1555 """ 1556 params = {} 1557 return self.get_response('GetAccountPasswordPolicy', params) 1558 1559 def delete_account_password_policy(self): 1560 """ 1561 Delete the password policy currently set for the AWS account. 1562 """ 1563 params = {} 1564 return self.get_response('DeleteAccountPasswordPolicy', params) 1565 1566 def update_account_password_policy(self, allow_users_to_change_password=None, 1567 hard_expiry=None, max_password_age=None , 1568 minimum_password_length=None , 1569 password_reuse_prevention=None, 1570 require_lowercase_characters=None, 1571 require_numbers=None, require_symbols=None , 1572 require_uppercase_characters=None): 1573 """ 1574 Update the password policy for the AWS account. 1575 1576 Notes: unset parameters will be reset to Amazon default settings! 1577 Most of the password policy settings are enforced the next time your users 1578 change their passwords. When you set minimum length and character type 1579 requirements, they are enforced the next time your users change their 1580 passwords - users are not forced to change their existing passwords, even 1581 if the pre-existing passwords do not adhere to the updated password 1582 policy. When you set a password expiration period, the expiration period 1583 is enforced immediately. 1584 1585 :type allow_users_to_change_password: bool 1586 :param allow_users_to_change_password: Allows all IAM users in your account 1587 to use the AWS Management Console to change their own passwords. 1588 1589 :type hard_expiry: bool 1590 :param hard_expiry: Prevents IAM users from setting a new password after 1591 their password has expired. 1592 1593 :type max_password_age: int 1594 :param max_password_age: The number of days that an IAM user password is valid. 1595 1596 :type minimum_password_length: int 1597 :param minimum_password_length: The minimum number of characters allowed in 1598 an IAM user password. 1599 1600 :type password_reuse_prevention: int 1601 :param password_reuse_prevention: Specifies the number of previous passwords 1602 that IAM users are prevented from reusing. 1603 1604 :type require_lowercase_characters: bool 1605 :param require_lowercase_characters: Specifies whether IAM user passwords 1606 must contain at least one lowercase character from the ISO basic Latin 1607 alphabet (``a`` to ``z``). 1608 1609 :type require_numbers: bool 1610 :param require_numbers: Specifies whether IAM user passwords must contain at 1611 least one numeric character (``0`` to ``9``). 1612 1613 :type require_symbols: bool 1614 :param require_symbols: Specifies whether IAM user passwords must contain at 1615 least one of the following non-alphanumeric characters: 1616 ``! @ # $ % ^ & * ( ) _ + - = [ ] { } | '`` 1617 1618 :type require_uppercase_characters: bool 1619 :param require_uppercase_characters: Specifies whether IAM user passwords 1620 must contain at least one uppercase character from the ISO basic Latin 1621 alphabet (``A`` to ``Z``). 1622 """ 1623 params = {} 1624 if allow_users_to_change_password is not None and type(allow_users_to_change_password) is bool: 1625 params['AllowUsersToChangePassword'] = str(allow_users_to_change_password).lower() 1626 if hard_expiry is not None and type(allow_users_to_change_password) is bool: 1627 params['HardExpiry'] = str(hard_expiry).lower() 1628 if max_password_age is not None: 1629 params['MaxPasswordAge'] = max_password_age 1630 if minimum_password_length is not None: 1631 params['MinimumPasswordLength'] = minimum_password_length 1632 if password_reuse_prevention is not None: 1633 params['PasswordReusePrevention'] = password_reuse_prevention 1634 if require_lowercase_characters is not None and type(allow_users_to_change_password) is bool: 1635 params['RequireLowercaseCharacters'] = str(require_lowercase_characters).lower() 1636 if require_numbers is not None and type(allow_users_to_change_password) is bool: 1637 params['RequireNumbers'] = str(require_numbers).lower() 1638 if require_symbols is not None and type(allow_users_to_change_password) is bool: 1639 params['RequireSymbols'] = str(require_symbols).lower() 1640 if require_uppercase_characters is not None and type(allow_users_to_change_password) is bool: 1641 params['RequireUppercaseCharacters'] = str(require_uppercase_characters).lower() 1642 return self.get_response('UpdateAccountPasswordPolicy', params) 1643 1644 def create_policy(self, policy_name, policy_document, path='/', 1645 description=None): 1646 """ 1647 Create a policy. 1648 1649 :type policy_name: string 1650 :param policy_name: The name of the new policy 1651 1652 :type policy_document string 1653 :param policy_document: The document of the new policy 1654 1655 :type path: string 1656 :param path: The path in which the policy will be created. 1657 Defaults to /. 1658 1659 :type description: string 1660 :param path: A description of the new policy. 1661 1662 """ 1663 params = {'PolicyName': policy_name, 1664 'PolicyDocument': policy_document, 1665 'Path': path} 1666 if description is not None: 1667 params['Description'] = str(description) 1668 1669 return self.get_response('CreatePolicy', params) 1670 1671 def create_policy_version( 1672 self, 1673 policy_arn, 1674 policy_document, 1675 set_as_default=None): 1676 """ 1677 Create a policy version. 1678 1679 :type policy_arn: string 1680 :param policy_arn: The ARN of the policy 1681 1682 :type policy_document string 1683 :param policy_document: The document of the new policy version 1684 1685 :type set_as_default: bool 1686 :param set_as_default: Sets the policy version as default 1687 Defaults to None. 1688 1689 """ 1690 params = {'PolicyArn': policy_arn, 1691 'PolicyDocument': policy_document} 1692 if type(set_as_default) == bool: 1693 params['SetAsDefault'] = str(set_as_default).lower() 1694 return self.get_response('CreatePolicyVersion', params) 1695 1696 def delete_policy(self, policy_arn): 1697 """ 1698 Delete a policy. 1699 1700 :type policy_arn: string 1701 :param policy_arn: The ARN of the policy to delete 1702 1703 """ 1704 params = {'PolicyArn': policy_arn} 1705 return self.get_response('DeletePolicy', params) 1706 1707 def delete_policy_version(self, policy_arn, version_id): 1708 """ 1709 Delete a policy version. 1710 1711 :type policy_arn: string 1712 :param policy_arn: The ARN of the policy to delete a version from 1713 1714 :type version_id: string 1715 :param version_id: The id of the version to delete 1716 1717 """ 1718 params = {'PolicyArn': policy_arn, 1719 'VersionId': version_id} 1720 return self.get_response('DeletePolicyVersion', params) 1721 1722 def get_policy(self, policy_arn): 1723 """ 1724 Get policy information. 1725 1726 :type policy_arn: string 1727 :param policy_arn: The ARN of the policy to get information for 1728 1729 """ 1730 params = {'PolicyArn': policy_arn} 1731 return self.get_response('GetPolicy', params) 1732 1733 def get_policy_version(self, policy_arn, version_id): 1734 """ 1735 Get policy information. 1736 1737 :type policy_arn: string 1738 :param policy_arn: The ARN of the policy to get information for a 1739 specific version 1740 1741 :type version_id: string 1742 :param version_id: The id of the version to get information for 1743 1744 """ 1745 params = {'PolicyArn': policy_arn, 1746 'VersionId': version_id} 1747 return self.get_response('GetPolicyVersion', params) 1748 1749 def list_policies(self, marker=None, max_items=None, only_attached=None, 1750 path_prefix=None, scope=None): 1751 """ 1752 List policies of account. 1753 1754 :type marker: string 1755 :param marker: A marker used for pagination (received from previous 1756 accesses) 1757 1758 :type max_items: int 1759 :param max_items: Send only max_items; allows paginations 1760 1761 :type only_attached: bool 1762 :param only_attached: Send only policies attached to other resources 1763 1764 :type path_prefix: string 1765 :param path_prefix: Send only items prefixed by this path 1766 1767 :type scope: string 1768 :param scope: AWS|Local. Choose between AWS policies or your own 1769 """ 1770 params = {} 1771 if path_prefix is not None: 1772 params['PathPrefix'] = path_prefix 1773 if marker is not None: 1774 params['Marker'] = marker 1775 if max_items is not None: 1776 params['MaxItems'] = max_items 1777 if type(only_attached) == bool: 1778 params['OnlyAttached'] = str(only_attached).lower() 1779 if scope is not None: 1780 params['Scope'] = scope 1781 return self.get_response( 1782 'ListPolicies', 1783 params, 1784 list_marker='Policies') 1785 1786 def list_policy_versions(self, policy_arn, marker=None, max_items=None): 1787 """ 1788 List policy versions. 1789 1790 :type policy_arn: string 1791 :param policy_arn: The ARN of the policy to get versions of 1792 1793 :type marker: string 1794 :param marker: A marker used for pagination (received from previous 1795 accesses) 1796 1797 :type max_items: int 1798 :param max_items: Send only max_items; allows paginations 1799 1800 """ 1801 params = {'PolicyArn': policy_arn} 1802 if marker is not None: 1803 params['Marker'] = marker 1804 if max_items is not None: 1805 params['MaxItems'] = max_items 1806 return self.get_response( 1807 'ListPolicyVersions', 1808 params, 1809 list_marker='Versions') 1810 1811 def set_default_policy_version(self, policy_arn, version_id): 1812 """ 1813 Set default policy version. 1814 1815 :type policy_arn: string 1816 :param policy_arn: The ARN of the policy to set the default version 1817 for 1818 1819 :type version_id: string 1820 :param version_id: The id of the version to set as default 1821 """ 1822 params = {'PolicyArn': policy_arn, 1823 'VersionId': version_id} 1824 return self.get_response('SetDefaultPolicyVersion', params) 1825 1826 def list_entities_for_policy(self, policy_arn, path_prefix=None, 1827 marker=None, max_items=None, 1828 entity_filter=None): 1829 """ 1830 :type policy_arn: string 1831 :param policy_arn: The ARN of the policy to get entities for 1832 1833 :type marker: string 1834 :param marker: A marker used for pagination (received from previous 1835 accesses) 1836 1837 :type max_items: int 1838 :param max_items: Send only max_items; allows paginations 1839 1840 :type path_prefix: string 1841 :param path_prefix: Send only items prefixed by this path 1842 1843 :type entity_filter: string 1844 :param entity_filter: Which entity type of User | Role | Group | 1845 LocalManagedPolicy | AWSManagedPolicy to return 1846 1847 """ 1848 params = {'PolicyArn': policy_arn} 1849 if marker is not None: 1850 params['Marker'] = marker 1851 if max_items is not None: 1852 params['MaxItems'] = max_items 1853 if path_prefix is not None: 1854 params['PathPrefix'] = path_prefix 1855 if entity_filter is not None: 1856 params['EntityFilter'] = entity_filter 1857 return self.get_response('ListEntitiesForPolicy', params, 1858 list_marker=('PolicyGroups', 1859 'PolicyUsers', 1860 'PolicyRoles')) 1861 1862 def attach_group_policy(self, policy_arn, group_name): 1863 """ 1864 :type policy_arn: string 1865 :param policy_arn: The ARN of the policy to attach 1866 1867 :type group_name: string 1868 :param group_name: Group to attach the policy to 1869 1870 """ 1871 params = {'PolicyArn': policy_arn, 'GroupName': group_name} 1872 return self.get_response('AttachGroupPolicy', params) 1873 1874 def attach_role_policy(self, policy_arn, role_name): 1875 """ 1876 :type policy_arn: string 1877 :param policy_arn: The ARN of the policy to attach 1878 1879 :type role_name: string 1880 :param role_name: Role to attach the policy to 1881 1882 """ 1883 params = {'PolicyArn': policy_arn, 'RoleName': role_name} 1884 return self.get_response('AttachRolePolicy', params) 1885 1886 def attach_user_policy(self, policy_arn, user_name): 1887 """ 1888 :type policy_arn: string 1889 :param policy_arn: The ARN of the policy to attach 1890 1891 :type user_name: string 1892 :param user_name: User to attach the policy to 1893 1894 """ 1895 params = {'PolicyArn': policy_arn, 'UserName': user_name} 1896 return self.get_response('AttachUserPolicy', params) 1897 1898 def detach_group_policy(self, policy_arn, group_name): 1899 """ 1900 :type policy_arn: string 1901 :param policy_arn: The ARN of the policy to detach 1902 1903 :type group_name: string 1904 :param group_name: Group to detach the policy from 1905 1906 """ 1907 params = {'PolicyArn': policy_arn, 'GroupName': group_name} 1908 return self.get_response('DetachGroupPolicy', params) 1909 1910 def detach_role_policy(self, policy_arn, role_name): 1911 """ 1912 :type policy_arn: string 1913 :param policy_arn: The ARN of the policy to detach 1914 1915 :type role_name: string 1916 :param role_name: Role to detach the policy from 1917 1918 """ 1919 params = {'PolicyArn': policy_arn, 'RoleName': role_name} 1920 return self.get_response('DetachRolePolicy', params) 1921 1922 def detach_user_policy(self, policy_arn, user_name): 1923 """ 1924 :type policy_arn: string 1925 :param policy_arn: The ARN of the policy to detach 1926 1927 :type user_name: string 1928 :param user_name: User to detach the policy from 1929 1930 """ 1931 params = {'PolicyArn': policy_arn, 'UserName': user_name} 1932 return self.get_response('DetachUserPolicy', params) 1933