本文整理汇总了Python中troposphere.iam.Role方法的典型用法代码示例。如果您正苦于以下问题:Python iam.Role方法的具体用法?Python iam.Role怎么用?Python iam.Role使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类troposphere.iam的用法示例。
在下文中一共展示了iam.Role方法的10个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: _codebuild_builder
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def _codebuild_builder(role: iam.Role, application_bucket: s3.Bucket) -> codebuild.Project:
    """Assemble the CodeBuild project that builds the decrypt oracle.

    Source and artifacts are both of type ``CODEPIPELINE``, and the build runs
    in a small Linux container using ``CODEBUILD_IMAGE`` and ``BUILDSPEC``.

    :param role: IAM role resource referenced as the project's ``ServiceRole``;
        everything the build does runs with this role's permissions
    :param application_bucket: S3 bucket resource whose ``Ref`` is handed to the
        build as the ``APP_S3_BUCKET`` environment variable
    :returns: the CodeBuild project resource
    """
    bucket_variable = codebuild.EnvironmentVariable(Name="APP_S3_BUCKET", Value=Ref(application_bucket))
    return codebuild.Project(
        "{}Build".format(APPLICATION_NAME),
        Artifacts=codebuild.Artifacts(Type="CODEPIPELINE"),
        Environment=codebuild.Environment(
            ComputeType="BUILD_GENERAL1_SMALL",
            Image=CODEBUILD_IMAGE,
            Type="LINUX_CONTAINER",
            EnvironmentVariables=[bucket_variable],
        ),
        Name=APPLICATION_NAME,
        ServiceRole=Ref(role),
        Source=codebuild.Source(Type="CODEPIPELINE", BuildSpec=BUILDSPEC),
    )
示例2: add_instance_profile
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
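def add_instance_profile(self, layer_name, iam_policies, path_prefix):
    """
    Add an IAM role and a matching instance profile to this template.

    The role trusts the EC2 service (``ec2.amazonaws.com``) and is created at
    '/<path_prefix>/<layer_name>/'. The instance profile that wraps it is
    created at '/<path_prefix>/'.

    :param layer_name: prefix for the logical ids of both resources and the
        last segment of the role path
    :param iam_policies: inline policies to attach to the role, or None to
        create the role without any inline policy
    :param path_prefix: first segment of the IAM path (plain string)
    :returns: the instance profile resource as returned by ``add_resource``
    """
    iam_role_obj = iam.Role(
        layer_name + 'IAMRole',
        AssumeRolePolicyDocument={
            'Statement': [{
                'Effect': 'Allow',
                # Only the EC2 service may assume this role.
                'Principal': {'Service': ['ec2.amazonaws.com']},
                'Action': ['sts:AssumeRole']
            }]},
        Path=Join('', ['/' + path_prefix + '/', layer_name, '/']))

    # Identity comparison: only a missing policy list skips the assignment.
    # The policies are attached as given; scoping them is up to the caller.
    if iam_policies is not None:
        iam_role_obj.Policies = iam_policies

    iam_role = self.add_resource(iam_role_obj)

    # The logical id suffix 'InstancePolicy' is kept as-is even though the
    # resource is an instance profile; renaming it would replace the resource
    # in stacks that are already deployed.
    return self.add_resource(iam.InstanceProfile(
        layer_name + 'InstancePolicy',
        Path='/' + path_prefix + '/',
        Roles=[Ref(iam_role)]))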
示例3: create_instance_profile
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def create_instance_profile(c, RoleName, model, named=False):
    """Add an instance profile for the role ``RoleName`` to the current account's template.

    The profile references the role by the logical id
    ``scrub_name(RoleName + "Role")``, so that role must exist in the same
    template.

    :param c: context object providing ``template``, ``current_account`` and ``config``
    :param RoleName: base name used for the logical ids and, when ``named`` is
        true, for the physical instance profile name
    :param model: mapping describing the role; ``retain_on_delete`` set to
        exactly ``True`` adds a ``Retain`` deletion policy
    :param named: when true, set ``InstanceProfileName`` to ``RoleName``
    """
    cfn_name = scrub_name(RoleName + "InstanceProfile")
    role_logical_id = scrub_name(RoleName + "Role")

    profile_args = {"Path": "/", "Roles": [Ref(role_logical_id)]}
    if named:
        profile_args["InstanceProfileName"] = RoleName
    # Only the literal True enables retention; other truthy values are ignored.
    if "retain_on_delete" in model and model["retain_on_delete"] is True:
        profile_args["DeletionPolicy"] = "Retain"

    account_template = c.template[c.current_account]
    account_template.add_resource(InstanceProfile(cfn_name, **profile_args))

    if c.config['global']['template_outputs'] == "enabled":
        # NOTE(review): the output is labelled "Arn", but in CloudFormation Ref
        # on an instance profile yields its name rather than its ARN. Confirm
        # what consumers of this export expect before relying on it in policies.
        profile_output = Output(
            cfn_name + "Arn",
            Description="Instance profile for Role " + RoleName + " ARN",
            Value=Ref(cfn_name),
            Export=Export(Sub("${AWS::StackName}-" + cfn_name + "Arn"))
        )
        account_template.add_output([profile_output])
示例4: add_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def add_role(c, RoleName, model, named=False):
    """Add an IAM role described by ``model`` to the current account's template.

    The trust policy comes from ``build_role_trust(c, model['trusts'])``, so
    who may assume the role is decided entirely by that helper and the model.

    :param c: context object providing ``template``, ``current_account`` and ``config``
    :param RoleName: base name used for the logical id and, when ``named`` is
        true, for the physical role name
    :param model: mapping with a required ``trusts`` entry and optional
        ``managed_policies``, ``max_role_duration`` and ``retain_on_delete``
    :param named: when true, set ``RoleName`` on the resource
    """
    cfn_name = scrub_name(RoleName + "Role")

    role_args = {
        "Path": "/",
        "AssumeRolePolicyDocument": build_role_trust(c, model['trusts']),
        "ManagedPolicyArns": [],
        "Policies": []
    }
    if named:
        role_args["RoleName"] = RoleName
    if "managed_policies" in model:
        role_args["ManagedPolicyArns"] = parse_managed_policies(
            c, model["managed_policies"], RoleName)
    if "max_role_duration" in model:
        # No range check is done here; CloudFormation accepts 3600-43200
        # seconds and rejects anything else at deploy time.
        role_args['MaxSessionDuration'] = int(model["max_role_duration"])
    # Only the literal True enables retention; other truthy values are ignored.
    if "retain_on_delete" in model and model["retain_on_delete"] is True:
        role_args["DeletionPolicy"] = "Retain"

    account_template = c.template[c.current_account]
    account_template.add_resource(Role(cfn_name, **role_args))

    if c.config['global']['template_outputs'] == "enabled":
        role_output = Output(
            cfn_name + "Arn",
            Description="Role " + RoleName + " ARN",
            Value=GetAtt(cfn_name, "Arn"),
            Export=Export(Sub("${AWS::StackName}-" + cfn_name + "Arn"))
        )
        account_template.add_output([role_output])
示例5: _codebuild_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def _codebuild_role() -> iam.Role:
    """Create the IAM role that CodeBuild assumes to run the build project.

    The role carries one inline policy with two statements: CloudWatch Logs
    writes and S3 object reads/writes.

    :returns: the IAM role resource
    """
    # NOTE(review): AllowEverywhere is defined elsewhere; its name suggests the
    # statements are not limited to specific resources. If so, the S3 statement
    # lets a build read and write objects in any bucket the account can reach.
    # Consider scoping it to the pipeline's artifact/application buckets.
    logging_statement = AllowEverywhere(Action=[LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents])
    object_statement = AllowEverywhere(Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject])

    build_policy = iam.Policy(
        "CodeBuildPolicy",
        PolicyName="CodeBuildPolicy",
        PolicyDocument=AWS.PolicyDocument(Statement=[logging_statement, object_statement]),
    )
    trust_document = _service_assume_role(CODEBUILD.prefix)
    return iam.Role("CodeBuildRole", AssumeRolePolicyDocument=trust_document, Policies=[build_policy])
示例6: _cloudformation_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def _cloudformation_role() -> iam.Role:
    """Create the IAM role the pipeline uses to interact with CloudFormation.

    :returns: the IAM role resource
    """
    # NOTE(review): the only statement allows Action "*". AllowEverywhere is
    # defined elsewhere, but if it does not restrict resources this role is
    # effectively an administrator, and anything able to pass it to
    # CloudFormation inherits that reach. Narrow the action list to the
    # services the deployed stack actually creates where that is known.
    wildcard_statement = AllowEverywhere(Action=[AWS.Action("*")])
    deploy_policy = iam.Policy(
        "CloudFormationPolicy",
        PolicyName="CloudFormationPolicy",
        PolicyDocument=AWS.PolicyDocument(Statement=[wildcard_statement]),
    )
    trust_document = _service_assume_role(CLOUDFORMATION.prefix)
    return iam.Role("CloudFormationRole", AssumeRolePolicyDocument=trust_document, Policies=[deploy_policy])
示例7: create_vpcflowlogs_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def create_vpcflowlogs_role(self):
    """Build the IAM role that VPC Flow Logs assumes to publish to CloudWatch Logs.

    The role is returned, not added to any template; the caller is expected to
    register it.

    :returns: the ``iam.Role`` resource with logical id ``VPCFlowLogsIAMRole``
    """
    log_actions = [
        awacs_logs.CreateLogGroup,
        awacs_logs.CreateLogStream,
        awacs_logs.PutLogEvents,
        awacs_logs.DescribeLogGroups,
        awacs_logs.DescribeLogStreams,
    ]
    # The permissions apply to every log group (Resource "*"); they can be
    # limited to the flow-log group's ARN if that ARN is known at build time.
    permissions_document = aws.Policy(
        Version="2012-10-17",
        Statement=[
            aws.Statement(
                Sid="",
                Effect=aws.Allow,
                Resource=['*'],
                Action=log_actions,
            )
        ]
    )

    # Trust policy: built by make_simple_assume_statement for the
    # vpc-flow-logs service principal.
    trust_document = aws.Policy(
        Version="2012-10-17",
        Statement=[make_simple_assume_statement("vpc-flow-logs.amazonaws.com")]
    )

    inline_policy = iam.Policy(PolicyName='vpcflowlogs_policy', PolicyDocument=permissions_document)
    return iam.Role(
        'VPCFlowLogsIAMRole',
        AssumeRolePolicyDocument=trust_document,
        Path='/',
        Policies=[inline_policy])
示例8: create_template
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def create_template(self):
    """Create template (main function called by Stacker).

    Adds a single role, ``CodeBuildRole``, that principals of
    ``TESTING_ACCOUNT_ID`` may assume and that has the AWS-managed
    ``AdministratorAccess`` policy attached.
    """
    template = self.template
    variables = self.get_variables()
    template.set_version('2010-09-09')
    template.set_description('Runway Integration Testing - IAM Role')

    # NOTE(review): the trust names TESTING_ACCOUNT_ID as an AWS principal with
    # no condition. If that constant is a bare account id, any identity in that
    # account that is allowed sts:AssumeRole gains administrator access here.
    # Keep this stack to dedicated test accounts, or trust a specific role ARN.
    cross_account_trust = PolicyDocument(
        Statement=[
            Statement(
                Effect=Allow,
                Action=[awacs.sts.AssumeRole],
                Principal=Principal('AWS', TESTING_ACCOUNT_ID)
            )
        ]
    )
    # The physical name is suffixed with the environment name.
    physical_name = Join('-', ['runway-integration-test-role',
                               variables['EnvironmentName'].ref])

    # Resources
    integration_role = iam.Role(
        'CodeBuildRole',
        AssumeRolePolicyDocument=cross_account_trust,
        Description='Role used for cross account testing in runway',
        ManagedPolicyArns=['arn:aws:iam::aws:policy/AdministratorAccess'],
        RoleName=physical_name
    )
    template.add_resource(integration_role)
示例9: _pipeline_role
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
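def _pipeline_role(buckets: Iterable[s3.Bucket]) -> iam.Role:
    """Build and return the IAM Role resource to be used by CodePipeline to run the pipeline.

    :param buckets: S3 bucket resources the pipeline needs; bucket-level
        versioning actions are granted on each bucket ARN and object get/put on
        every key under each bucket
    :returns: the IAM role resource
    """
    # Materialise once: ``buckets`` is typed as an Iterable and is walked twice
    # below. A one-shot iterator would otherwise leave the object-level
    # statement with an empty Resource list.
    bucket_list = list(buckets)

    bucket_statements = [
        AWS.Statement(
            Effect=AWS.Allow,
            Action=[S3.GetBucketVersioning, S3.PutBucketVersioning],
            Resource=[GetAtt(bucket, "Arn") for bucket in bucket_list],
        ),
        AWS.Statement(
            Effect=AWS.Allow,
            Action=[S3.GetObject, S3.PutObject],
            # Renders as "${<BucketTitle>.Arn}/*", i.e. every object in the bucket.
            Resource=[Sub("${{{bucket}.Arn}}/*".format(bucket=bucket.title)) for bucket in bucket_list],
        ),
    ]
    policy = iam.Policy(
        "PipelinePolicy",
        PolicyName="PipelinePolicy",
        PolicyDocument=AWS.PolicyDocument(
            Statement=bucket_statements
            + [
                # NOTE(review): iam:PassRole is granted through AllowEverywhere,
                # which is defined elsewhere. If that helper does not restrict
                # resources, this role can hand any role in the account to a
                # service. Consider limiting PassRole to the specific role ARNs
                # the pipeline uses, with an iam:PassedToService condition.
                AllowEverywhere(Action=[CLOUDWATCH.Action("*"), IAM.PassRole]),
                AllowEverywhere(Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions]),
                AllowEverywhere(
                    Action=[
                        CLOUDFORMATION.CreateStack,
                        CLOUDFORMATION.DeleteStack,
                        CLOUDFORMATION.DescribeStacks,
                        CLOUDFORMATION.UpdateStack,
                        CLOUDFORMATION.CreateChangeSet,
                        CLOUDFORMATION.DeleteChangeSet,
                        CLOUDFORMATION.DescribeChangeSet,
                        CLOUDFORMATION.ExecuteChangeSet,
                        CLOUDFORMATION.SetStackPolicy,
                        CLOUDFORMATION.ValidateTemplate,
                    ]
                ),
                AllowEverywhere(Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild]),
            ]
        ),
    )
    return iam.Role(
        "CodePipelinesRole", AssumeRolePolicyDocument=_service_assume_role(CODEPIPELINE.prefix), Policies=[policy]
    )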
示例10: add_nat_instance_profile
# 需要导入模块: from troposphere import iam [as 别名]
# 或者: from troposphere.iam import Role [as 别名]
def add_nat_instance_profile(self):
    """
    Create the NAT role and instance profile.

    The role trusts the EC2 service and carries one inline policy made of a
    fixed EC2 statement plus whatever ``get_extra_policy_statements()``
    returns. The resulting instance profile is stored on
    ``self.instance_profile``.
    """
    index_label = str(self.subnet_index)

    # Route and instance management actions for the NAT instance.
    ec2_actions = [
        "ec2:DescribeInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:CreateRoute",
        "ec2:ReplaceRoute",
        "ec2:StartInstances",
        "ec2:StopInstances"
    ]
    if self.enable_ntp:
        # NOTE(review): the wildcard matches every EC2 action containing
        # "DhcpOptions", including create, delete and associate.
        ec2_actions += [
            "ec2:*DhcpOptions*",
            "ec2:DescribeVpcs"
        ]

    ec2_trust = {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": ["ec2.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
        }]
    }
    # Resource is "*": these actions are not limited to this NAT's own
    # instance, subnets or route tables.
    base_statement = {
        "Effect": "Allow",
        "Action": ec2_actions,
        "Resource": "*"
    }
    nat_policy = Policy(
        PolicyName="NAT%sPolicy" % index_label,
        PolicyDocument={
            "Statement": [base_statement] + self.get_extra_policy_statements()
        }
    )

    nat_role = self.add_resource(Role(
        "Nat%sRole" % index_label,
        AssumeRolePolicyDocument=ec2_trust,
        Path="/",
        Policies=[nat_policy]
    ))
    self.instance_profile = self.add_resource(InstanceProfile(
        "Nat%sInstanceProfile" % index_label,
        Path="/",
        Roles=[Ref(nat_role)]
    ))