本文整理汇总了Python中troposphere.iam.Policy方法的典型用法代码示例。如果您正苦于以下问题:Python iam.Policy方法的具体用法?Python iam.Policy怎么用?Python iam.Policy使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类troposphere.iam的用法示例。
在下文中一共展示了iam.Policy方法的9个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: get_cfn_policy
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def get_cfn_policy(self):
"""
Helper method returns the standard IAM policy to allow cloudformation read actions
"""
return iam.Policy(
PolicyName='cloudformationRead',
PolicyDocument={
"Statement": [{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudformation:ListStackResources"],
"Resource": "*"}]
}) 示例2: find
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def find(self, test_name):
"""Gets the policies for the given integration test."""
file_path = path.abspath(self.file_path(test_name))
policies = []
if path.isfile(file_path):
with open(file_path, 'r') as stream:
entries = yaml.safe_load(stream)
for entry in entries:
policy = iam.Policy(
PolicyName='inline-policy',
PolicyDocument=entry
)
policies.append(policy)
else:
LOGGER.warning('policies.yaml not found for %s at %s', test_name,
file_path)
return policies 示例3: _service_assume_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def _service_assume_role(service: str) -> AWS.Policy:
"""Build and return the IAM AssumeRolePolicy for use in service roles."""
return AWS.Policy(
Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[STS.AssumeRole],
Principal=AWS.Principal("Service", ["{}.amazonaws.com".format(service)]),
)
]
) 示例4: _codebuild_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def _codebuild_role() -> iam.Role:
"""Build and return the IAM Role resource to be used by CodeBuild to run the build project."""
policy = iam.Policy(
"CodeBuildPolicy",
PolicyName="CodeBuildPolicy",
PolicyDocument=AWS.PolicyDocument(
Statement=[
AllowEverywhere(Action=[LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents]),
AllowEverywhere(Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject]),
]
),
)
return iam.Role("CodeBuildRole", AssumeRolePolicyDocument=_service_assume_role(CODEBUILD.prefix), Policies=[policy]) 示例5: _cloudformation_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def _cloudformation_role() -> iam.Role:
"""Build and return the IAM Role resource to be used by the pipeline to interact with CloudFormation."""
policy = iam.Policy(
"CloudFormationPolicy",
PolicyName="CloudFormationPolicy",
PolicyDocument=AWS.PolicyDocument(Statement=[AllowEverywhere(Action=[AWS.Action("*")])]),
)
return iam.Role(
"CloudFormationRole", AssumeRolePolicyDocument=_service_assume_role(CLOUDFORMATION.prefix), Policies=[policy]
) 示例6: create_vpcflowlogs_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def create_vpcflowlogs_role(self):
flowlogs_policy = aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Sid="",
Effect=aws.Allow,
Resource=['*'],
Action=[awacs_logs.CreateLogGroup,
awacs_logs.CreateLogStream,
awacs_logs.PutLogEvents,
awacs_logs.DescribeLogGroups,
awacs_logs.DescribeLogStreams],
)
]
)
flowlogs_trust_policy = aws.Policy(
Version="2012-10-17",
Statement=[make_simple_assume_statement("vpc-flow-logs.amazonaws.com")]
)
vpcflowlogs_role = iam.Role(
'VPCFlowLogsIAMRole',
AssumeRolePolicyDocument=flowlogs_trust_policy,
Path='/',
Policies=[
iam.Policy(PolicyName='vpcflowlogs_policy', PolicyDocument=flowlogs_policy)
])
return vpcflowlogs_role 示例7: create_base_policy
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def create_base_policy():
"""Creates the base policy."""
deploy_name_list = ['runway-int-test-']
return iam.Policy(
PolicyName='base-policy',
PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Action=[
awacs.logs.CreateLogGroup,
awacs.logs.CreateLogStream,
awacs.logs.PutLogEvents
],
Effect=Allow,
Resource=[
Join(
'',
[
'arn:',
Partition,
':logs:',
Region,
':',
AccountId,
':log-group:/aws/codebuild/'
] + deploy_name_list + [
'*'
] + x
) for x in [[':*'], [':*/*']]
]
)
]
)
) 示例8: _pipeline_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def _pipeline_role(buckets: Iterable[s3.Bucket]) -> iam.Role:
"""Build and return the IAM Role resource to be used by CodePipeline to run the pipeline."""
bucket_statements = [
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetBucketVersioning, S3.PutBucketVersioning],
Resource=[GetAtt(bucket, "Arn") for bucket in buckets],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.PutObject],
Resource=[Sub("${{{bucket}.Arn}}/*".format(bucket=bucket.title)) for bucket in buckets],
),
]
policy = iam.Policy(
"PipelinePolicy",
PolicyName="PipelinePolicy",
PolicyDocument=AWS.PolicyDocument(
Statement=bucket_statements
+ [
AllowEverywhere(Action=[CLOUDWATCH.Action("*"), IAM.PassRole]),
AllowEverywhere(Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions]),
AllowEverywhere(
Action=[
CLOUDFORMATION.CreateStack,
CLOUDFORMATION.DeleteStack,
CLOUDFORMATION.DescribeStacks,
CLOUDFORMATION.UpdateStack,
CLOUDFORMATION.CreateChangeSet,
CLOUDFORMATION.DeleteChangeSet,
CLOUDFORMATION.DescribeChangeSet,
CLOUDFORMATION.ExecuteChangeSet,
CLOUDFORMATION.SetStackPolicy,
CLOUDFORMATION.ValidateTemplate,
]
),
AllowEverywhere(Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild]),
]
),
)
return iam.Role(
"CodePipelinesRole", AssumeRolePolicyDocument=_service_assume_role(CODEPIPELINE.prefix), Policies=[policy]
) 示例9: add_nat_instance_profile
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Policy [as 别名]
def add_nat_instance_profile(self):
'''
Create the NAT role and instance profile
'''
policy_actions = [
"ec2:DescribeInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:CreateRoute",
"ec2:ReplaceRoute",
"ec2:StartInstances",
"ec2:StopInstances"
]
if self.enable_ntp:
policy_actions.extend([
"ec2:*DhcpOptions*",
"ec2:DescribeVpcs"
])
nat_role = self.add_resource(Role(
"Nat%sRole" % str(self.subnet_index),
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Path="/",
Policies=[Policy(
PolicyName="NAT%sPolicy" % str(self.subnet_index),
PolicyDocument={
"Statement": [{
"Effect": "Allow",
"Action": policy_actions,
"Resource": "*"
}] + self.get_extra_policy_statements()
}
)]
))
self.instance_profile = self.add_resource(InstanceProfile(
"Nat%sInstanceProfile" % str(self.subnet_index),
Path="/",
Roles=[Ref(nat_role)]
))