本文整理汇总了Python中awacs.aws.Statement方法的典型用法代码示例。如果您正苦于以下问题:Python aws.Statement方法的具体用法?Python aws.Statement怎么用?Python aws.Statement使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类awacs.aws
的用法示例。
示例1: build_policy_bucket
# 需要导入模块: from awacs import aws [as 别名]
# 或者: from awacs.aws import Statement [as 别名]
def build_policy_bucket(self, bucket, name, statements):
    """
    Attach a bucket policy to an S3 bucket in the managed template.
    :param bucket: The bucket resource the policy is attached to
    :param name: Bucket name; the policy's logical name is derived from it
    :param statements: The policy statements (the "rules") to embed
    :return: The BucketPolicy resource that was added to the template
    """
    document = Policy(
        Version=self.VERSION_IAM,
        Statement=statements,
    )
    # The policy explicitly waits for the bucket resource, so CloudFormation
    # does not try to put a policy on a bucket that does not exist yet.
    bucket_policy = BucketPolicy(
        self.name_strip(name, True, False),
        Bucket=troposphere.Ref(bucket),
        DependsOn=[troposphere.Name(bucket)],
        PolicyDocument=document,
    )
    return self.__template.add_resource(bucket_policy)
示例2: add_role
# 需要导入模块: from awacs import aws [as 别名]
# 或者: from awacs.aws import Statement [as 别名]
def add_role(self, name, principal_services, policies, path='/'):
    """
    Create an IAM role that the given service principals may assume, carrying
    inline policies resolved through ``self.get_policy``.
    :param name: Base name; the resource title becomes ``name + "Role"``
    :param principal_services: Service principal(s) allowed to call sts:AssumeRole
    :param policies: Policy identifiers handed to ``self.get_policy``
    :param path: IAM path of the role (defaults to '/')
    :return: The Role resource added to the template
    """
    # Trust policy: only the listed service principals may assume the role.
    trust_policy = {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": principal_services},
            "Action": ["sts:AssumeRole"]
        }]
    }
    inline_policies = [self.get_policy(entry, name) for entry in policies]
    role = iam.Role(
        name + "Role",
        AssumeRolePolicyDocument=trust_policy,
        Path=path,
        Policies=inline_policies,
    )
    return self.add_resource(role)
示例3: build_policy
# 需要导入模块: from awacs import aws [as 别名]
# 或者: from awacs.aws import Statement [as 别名]
def build_policy(self, name, statements, roles, is_managed_policy=False):
    """
    Generate an IAM policy resource for the CloudFormation template.
    :param name: Name of the policy (passed through ``self.name_strip``)
    :param statements: The policy statements (the "rules") to embed
    :param roles: The roles this policy is attached to
    :param is_managed_policy: True to emit a ManagedPolicy instead of an inline PolicyType
    :return: The policy resource added to the template
    """
    document = {
        "Version": self.VERSION_IAM,
        "Statement": statements,
    }
    if is_managed_policy:
        # Managed policies carry their own IAM path; inline policies do not.
        policy = ManagedPolicy(
            self.name_strip(name, True),
            PolicyDocument=document,
            Roles=roles,
            Path=self.__role_path,
        )
    else:
        policy = PolicyType(
            self.name_strip(name, True),
            PolicyName=self.name_strip(name, True),
            PolicyDocument=document,
            Roles=roles,
        )
    self.__template.add_resource(policy)
    return policy
示例4: add_kms_key
# 需要导入模块: from awacs import aws [as 别名]
# 或者: from awacs.aws import Statement [as 别名]
def add_kms_key(self, name):
    """
    Add a KMS key whose key policy grants administration of the key to the
    account's root principal.

    :param name: Service name; used as the key's logical title and policy Id
    :return: The Key resource added to the template

    Exits the process when ``account_id`` is missing from ``self.config``,
    because the key policy cannot name its administrator without it.
    """
    print('Adding KMS key for %s service' % name)
    account_id = self.config.get('account_id', None)
    if not account_id:
        print('Unable to add KMS Key')
        sys.exit('Unable to add KMS Key! No Account ID')
    admin_principal = "arn:aws:iam::%s:root" % account_id
    # Administrative actions only: this statement grants no cryptographic use
    # (no kms:Encrypt / kms:Decrypt / kms:GenerateDataKey), so key users need a
    # separate statement or grant.
    admin_actions = [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
    ]
    key_policy = {
        "Version": "2012-10-17",
        "Id": name,
        "Statement": [{
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {"AWS": admin_principal},
            "Action": admin_actions,
            "Resource": "*"
        }]
    }
    return self.add_resource(kms.Key(name, KeyPolicy=key_policy))
示例5: add_instance_profile_ecs
# 需要导入模块: from awacs import aws [as 别名]
# 或者: from awacs.aws import Statement [as 别名]
def add_instance_profile_ecs(self, layer_name, iam_policies, path_prefix):
    """
    Add an IAM role assumable by EC2 and ECS, plus an instance profile that
    wraps it, to this template. The role lives at
    '/<path_prefix>/<layer_name>/' and the profile at '/<path_prefix>/'.
    :param layer_name: Prefix for both resource titles
    :param iam_policies: Inline policies for the role, or None for none
    :param path_prefix: First path segment for role and profile
    :return: The InstanceProfile resource added to the template
    """
    # Trust policy: EC2 instances and the ECS service may assume the role.
    trust_policy = {
        'Statement': [{
            'Effect': 'Allow',
            'Principal': {'Service': ['ec2.amazonaws.com', 'ecs.amazonaws.com']},
            'Action': ['sts:AssumeRole']
        }]
    }
    role_path = Join('', ['/' + path_prefix + '/', layer_name, '/'])
    role = iam.Role(
        layer_name + 'IAMRole',
        AssumeRolePolicyDocument=trust_policy,
        Path=role_path,
    )
    # Policies is optional; leave it unset rather than passing None through.
    if iam_policies is not None:
        role.Policies = iam_policies
    added_role = self.add_resource(role)
    profile = iam.InstanceProfile(
        layer_name + 'InstancePolicy',
        Path='/' + path_prefix + '/',
        Roles=[Ref(added_role)],
    )
    return self.add_resource(profile)
示例6: build_role
# 需要导入模块: from awacs import aws [as 别名]
# 或者: from awacs.aws import Statement [as 别名]
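def build_role(self, name, policies=False):
    """
    Generate an IAM role for the CloudFormation template.

    The trust policy lets the configured service principals
    (``self.__role_principals``) call sts:AssumeRole. The role is also
    recorded in ``self.__roles_list`` so the default policy can be attached
    to it later.

    :param name: Name of the role (passed through ``self.name_strip``)
    :param policies: List of managed policy ARNs to attach (False/empty = none)
    :return: The Role resource added to the template
    """
    trust_policy = Policy(
        Version=self.VERSION_IAM,
        Statement=[
            Statement(
                Effect=Allow,
                Principal=Principal("Service", self.__role_principals),
                Action=[AssumeRole],
            )
        ],
    )
    role_kwargs = {
        "AssumeRolePolicyDocument": trust_policy,
        "Path": self.__role_path,
    }
    # Only set ManagedPolicyArns when there is something to attach; the two
    # branches of the original differed solely in this one property.
    if policies:
        role_kwargs["ManagedPolicyArns"] = policies
    role = self.__template.add_resource(
        Role(self.name_strip(name), **role_kwargs)
    )
    # Remember the role so the default policy is attached to it later
    self.__roles_list.append(troposphere.Ref(role))
    return role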
示例7: add_bucket
# 需要导入模块: from awacs import aws [as 别名]
# 或者: from awacs.aws import Statement [as 别名]
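def add_bucket(self, name, access_control, static_site, route53, public_hosted_zone):
    """
    Helper method that creates an S3 bucket and, depending on the flags, a
    public-read bucket policy, a static website configuration and a Route53
    alias record.
    @param name [string] Fully qualified name for the bucket
    (corp.example.com)
    @param access_control [string] type of access control for the bucket
    @param static_site [boolean] should the bucket host a static site
    @param route53 [boolean] create a route53 entry?
    @param public_hosted_zone hosted zone handed through to add_dns_alias
    @return the Bucket resource added to the template
    """
    # Logical IDs are derived from the bucket name with dots removed.
    # NOTE(review): CloudFormation logical IDs must be alphanumeric; other
    # characters (e.g. '-') are not stripped here — confirm callers never pass them.
    title = name.replace('.', '')
    bucket_title = title + "Bucket"
    if route53:
        # S3 website endpoint and its hosted zone ID for us-east-1.
        self.add_dns_alias(
            name,
            "s3-website-us-east-1.amazonaws.com",
            "Z3AQBSTGFYJSTF",
            public_hosted_zone
        )
    if access_control == "PublicRead":
        # This statement makes every object in the bucket readable by anyone
        # (Principal "*" on <bucket>/*); it is emitted only for the explicit
        # PublicRead access control.
        policy = s3.BucketPolicy(
            title + "BucketPolicy",
            Bucket=name,
            # Bucket is given by name, not Ref, so CloudFormation sees no
            # implicit dependency; DependsOn makes the policy wait for the
            # bucket resource instead of racing its creation.
            DependsOn=[bucket_title],
            PolicyDocument={
                "Statement": [
                    {
                        "Sid": "PublicReadForGetBucketObjects",
                        "Effect": "Allow",
                        "Principal": "*",
                        "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::%s/*" % name
                    }
                ]
            }
        )
        self.add_resource(policy)
    bucket = s3.Bucket(
        bucket_title,
        BucketName=name,
        AccessControl=access_control,
    )
    if static_site:
        web_config = s3.WebsiteConfiguration(IndexDocument='index.html')
        bucket.properties['WebsiteConfiguration'] = web_config
    return self.add_resource(bucket)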