/**
 * Builds a CreateStackTask for the test stack, resolving the default instance
 * profile and service role ARNs from the pre-provisioned OpsWorks IAM entities
 * ("aws-opsworks-ec2-role" / "aws-opsworks-service-role") by name.
 *
 * Requires {@code iamClient} and {@code project} to be initialised beforehand.
 */
private CreateStackTask readyStackTask() {
    // Look the two ARNs up first; both calls go to IAM, which is global
    // and independent of the stack's region.
    GetInstanceProfileRequest profileRequest =
            new GetInstanceProfileRequest().withInstanceProfileName("aws-opsworks-ec2-role");
    String instanceProfileArn = iamClient.getInstanceProfile(profileRequest)
            .getInstanceProfile()
            .getArn();

    GetRoleRequest serviceRoleRequest =
            new GetRoleRequest().withRoleName("aws-opsworks-service-role");
    String serviceRoleArn = iamClient.getRole(serviceRoleRequest)
            .getRole()
            .getArn();

    CreateStackTask task = new CreateStackTask();
    task.setProject(project);
    task.setName("AntTaskTestStack");
    task.setRegion("us-east-1");
    task.setDefaultInstanceProfileArn(instanceProfileArn);
    task.setServiceRoleArn(serviceRoleArn);
    return task;
}
/**
 * Resolves the configured {@code instanceProfile} and {@code serviceRole} names
 * to their ARNs through IAM and publishes them as the "instanceProfileArn" and
 * "serviceRoleArn" project properties.
 *
 * Parameter validation is delegated to {@code checkParams()} before any
 * service call is made.
 */
public void execute() {
    checkParams();
    AmazonIdentityManagementClient iam = getOrCreateClient(AmazonIdentityManagementClient.class);

    // Instance profile name -> ARN.
    GetInstanceProfileRequest profileRequest =
            new GetInstanceProfileRequest().withInstanceProfileName(instanceProfile);
    String instanceProfileArn = iam.getInstanceProfile(profileRequest)
            .getInstanceProfile()
            .getArn();
    getProject().setProperty("instanceProfileArn", instanceProfileArn);

    // Service role name -> ARN.
    GetRoleRequest roleRequest = new GetRoleRequest().withRoleName(serviceRole);
    String serviceRoleArn = iam.getRole(roleRequest)
            .getRole()
            .getArn();
    getProject().setProperty("serviceRoleArn", serviceRoleArn);
}
/**
 * Returns the ARN of the IAM role named {@code roleName}, creating the role when
 * IAM reports it does not exist.
 *
 * A newly created role trusts {@code elastictranscoder.amazonaws.com} and gets the
 * inline policy "s3video_generated_policy" attached.
 *
 * NOTE(review): that inline policy grants s3:ListBucket / s3:Get* / s3:Put* /
 * multipart-upload actions and sns:Publish on Resource "*", i.e. on every bucket
 * and topic in the account; the Deny statement only blocks policy/permission and
 * delete actions. Scope Resource to the buckets/topics the pipeline actually uses.
 * Also note that an already-existing role is returned as-is — its trust policy and
 * permissions are not checked against the ones this method would have created.
 *
 * @param roleName IAM role name to look up or create
 * @return the role's ARN
 */
public String createIAMRoleIfNotExist(String roleName) {
    GetRoleRequest lookup = new GetRoleRequest().withRoleName(roleName);
    try {
        GetRoleResult existing = identityManagement.getRole(lookup);
        return existing.getRole().getArn();
    } catch (NoSuchEntityException notFound) {
        // Only the "does not exist" case falls through to creation; any other
        // IAM error propagates to the caller unchanged.
        return createRoleWithGeneratedPolicy(roleName);
    }
}

/**
 * Creates {@code roleName} with the Elastic Transcoder trust policy and attaches
 * the generated S3/SNS inline policy. Returns the new role's ARN.
 */
private String createRoleWithGeneratedPolicy(String roleName) {
    String assumeRolePolicy = "{\"Version\": \"2008-10-17\","
            + "\"Statement\": ["
            + "{"
            + "\"Sid\": \"1\","
            + "\"Effect\": \"Allow\","
            + "\"Principal\": {"
            + "\"Service\": \"elastictranscoder.amazonaws.com\""
            + "},"
            + "\"Action\": \"sts:AssumeRole\""
            + "}"
            + "]"
            + "}";
    CreateRoleRequest createRequest = new CreateRoleRequest()
            .withRoleName(roleName)
            .withAssumeRolePolicyDocument(assumeRolePolicy);
    CreateRoleResult created = identityManagement.createRole(createRequest);

    // Inline permissions for the new role (see the NOTE on the public method
    // about the Resource "*" scope).
    String inlinePolicy = "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Sid\":\"1\",\"Effect\":\"Allow\",\"Action\":[\"s3:ListBucket\",\"s3:Put*\",\"s3:Get*\",\"s3:*MultipartUpload*\"],\"Resource\":\"*\"},{\"Sid\":\"2\",\"Effect\":\"Allow\",\"Action\":\"sns:Publish\",\"Resource\":\"*\"},{\"Sid\":\"3\",\"Effect\":\"Deny\",\"Action\":[\"s3:*Policy*\",\"sns:*Permission*\",\"sns:*Delete*\",\"s3:*Delete*\",\"sns:*Remove*\"],\"Resource\":\"*\"}]}";
    PutRolePolicyRequest attachInline = new PutRolePolicyRequest()
            .withRoleName(roleName)
            .withPolicyName("s3video_generated_policy")
            .withPolicyDocument(inlinePolicy);
    identityManagement.putRolePolicy(attachInline);

    return created.getRole().getArn();
}
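/**
 * Determines the AWS account id of the running EC2 instance by reading the name
 * published under the instance metadata {@code iam/security-credentials/} path,
 * resolving it to a role through IAM and taking the account field of the role ARN.
 *
 * NOTE(review): this is a token-less IMDSv1 request. Instances configured with
 * {@code HttpTokens=required} answer it with 401; supporting IMDSv2 means first
 * obtaining a session token (PUT /latest/api/token with an
 * X-aws-ec2-metadata-token-ttl-seconds header) and sending it as
 * X-aws-ec2-metadata-token on this request.
 *
 * @return the account id (5th colon-separated field of the role ARN)
 * @throws IOException if the metadata endpoint cannot be reached or read
 * @throws IllegalStateException if the metadata response is blank or the role ARN
 *         does not have the expected shape
 */
private String getAccountIdFromInstanceProfile() throws IOException {
    URLConnection con = new URL(
            "http://169.254.169.254/latest/meta-data/iam/security-credentials/").openConnection();
    // Link-local endpoint; keep the timeouts short so a non-EC2 host fails fast.
    con.setConnectTimeout(5000);
    con.setReadTimeout(2000);

    String text;
    InputStream in = con.getInputStream();
    try {
        text = IOUtils.toString(in);
    } finally {
        IOUtils.closeQuietly(in);
    }
    // Only the role/profile name is logged here, never the credentials that live
    // one path level below this endpoint.
    LOG.info("Read instance profile " + text + " from EC2 metadata");

    String profileName = StringUtils.trimToNull(text);
    if (profileName == null) {
        // Report the raw response: the trimmed value is null by definition on this path
        // (the original message printed profileName and so always showed "[null]").
        throw new IllegalStateException("Can't read profile name from content [" + text + "]");
    }

    // NOTE(review): the value read above is used directly as an IAM role name; confirm
    // that is what this metadata path yields for the profiles used in this deployment.
    Role role = aim.getRole(new GetRoleRequest().withRoleName(profileName)).getRole();
    String[] parts = role.getArn().split(":");
    if (parts.length < 5) {
        throw new IllegalStateException("Can't parse role ARN from " + role);
    }
    // arn:partition:service:region:account-id:resource -> index 4 is the account id.
    return parts[4];
}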
/**
 * Loads this resource's attributes if they are not loaded yet, discarding the
 * low-level service response.
 *
 * @param request request to send; see the two-argument overload for which fields are overridden
 * @return {@code true} if a service call was made because the resource was not yet loaded
 */
@Override
public boolean load(GetRoleRequest request) {
    // No ResultCapture: the caller is not interested in the raw GetRoleResult.
    ResultCapture<GetRoleResult> noCapture = null;
    return load(request, noCapture);
}
/**
 * Loads this resource's attributes if they are not loaded yet, handing the
 * low-level {@code GetRoleResult} to {@code extractor} when one is supplied.
 *
 * @param request   request to send
 * @param extractor receives the raw service response; may be {@code null}
 * @return {@code true} if a service call was made because the resource was not yet loaded
 */
@Override
public boolean load(GetRoleRequest request, ResultCapture<GetRoleResult> extractor) {
    // Pure delegation to the wrapped resource implementation.
    return this.resource.load(request, extractor);
}
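/**
 * Checks that the role referenced by the credential's role ARN carries at least one
 * inline or attached policy that grants IAM or S3 access (as decided by
 * {@code checkIamOrS3Statement} / {@code checkIamOrS3Access}).
 *
 * Inline policies are inspected first, then attached managed policies; both listings
 * are followed through every page so a policy beyond the first page is not missed.
 *
 * @param awsCredentialView credential whose role ARN is validated
 * @throws CloudConnectorException if the ARN has no role name, if the policies cannot
 *         be listed (including a 401 from IAM), or if no policy grants the access
 */
private void validateInstanceProfileCreation(AwsCredentialView awsCredentialView) {
    // The IAM API wants the bare role name. Taking the LAST path segment matters:
    // a role created with an IAM path ("arn:aws:iam::123456789012:role/a/b/name")
    // would otherwise resolve to "a" rather than "name".
    String roleName = roleNameFromArn(awsCredentialView.getRoleArn());
    LOGGER.info("Start validate {} role for S3 access.", roleName);
    AmazonIdentityManagement client = awsClient.createAmazonIdentityManagement(awsCredentialView);
    try {
        if (hasInlineIamOrS3Policy(client, roleName) || hasAttachedIamOrS3Policy(client, roleName)) {
            LOGGER.info("Validation successful for s3 or iam access.");
            return;
        }
    } catch (AmazonServiceException ase) {
        if (ase.getStatusCode() == UNAUTHORIZED) {
            String policyMessage = "Could not get policies on the role because the arn role do not have enough permission: %s";
            LOGGER.info(String.format(policyMessage, ase.getErrorMessage()));
            throw new CloudConnectorException(String.format(policyMessage, ase.getErrorMessage()));
        } else {
            LOGGER.info(ase.getMessage());
            throw new CloudConnectorException(ase.getErrorMessage());
        }
    } catch (Exception e) {
        // NOTE(review): the cause is dropped here; only the (String) constructor of
        // CloudConnectorException is visible from this method, so it is kept as is.
        LOGGER.info(e.getMessage());
        throw new CloudConnectorException(e.getMessage());
    }
    // Reached when every policy was listed and none granted IAM/S3 access.
    // NOTE(review): the message below talks about missing permission, which is the
    // 401 case above, not this one; consider wording it as "no policy grants S3/IAM access".
    LOGGER.info("Could not get policies on the role because the arn role do not have enough permission.");
    throw new CloudConnectorException("Could not get policies on the role because the arn role do not have enough permission.");
}

/**
 * Extracts the role name (the text after the last '/') from a role ARN.
 *
 * @throws CloudConnectorException if the ARN is null or has no name component
 */
private static String roleNameFromArn(String roleArn) {
    if (roleArn == null) {
        throw new CloudConnectorException("Role ARN is missing from the credential.");
    }
    int slash = roleArn.lastIndexOf('/');
    if (slash < 0 || slash == roleArn.length() - 1) {
        throw new CloudConnectorException("Role ARN has no role name component: " + roleArn);
    }
    return roleArn.substring(slash + 1);
}

/** Walks every page of the role's inline policies; true on the first that grants IAM/S3 access. */
private boolean hasInlineIamOrS3Policy(AmazonIdentityManagement client, String roleName) {
    ListRolePoliciesRequest request = new ListRolePoliciesRequest();
    request.setRoleName(roleName);
    ListRolePoliciesResult result;
    do {
        result = client.listRolePolicies(request);
        for (String policyName : result.getPolicyNames()) {
            if (checkIamOrS3Statement(roleName, client, policyName)) {
                return true;
            }
        }
        // Continue with the next page; isTruncated() is a Boolean, so guard the unboxing.
        request.setMarker(result.getMarker());
    } while (Boolean.TRUE.equals(result.isTruncated()));
    return false;
}

/** Walks every page of the role's attached managed policies; true on the first that grants IAM/S3 access. */
private boolean hasAttachedIamOrS3Policy(AmazonIdentityManagement client, String roleName) {
    ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest();
    request.setRoleName(roleName);
    ListAttachedRolePoliciesResult result;
    do {
        result = client.listAttachedRolePolicies(request);
        for (AttachedPolicy attachedPolicy : result.getAttachedPolicies()) {
            if (checkIamOrS3Access(client, attachedPolicy)) {
                return true;
            }
        }
        request.setMarker(result.getMarker());
    } while (Boolean.TRUE.equals(result.isTruncated()));
    return false;
}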
/**
 * Makes a call to the service to load this resource's attributes if they
 * are not loaded yet.
 * <p>
 * The following request parameters are populated from the data of this
 * <code>Role</code> resource, and any conflicting parameter value set in
 * the request is overridden:
 * <ul>
 * <li>
 * <b><code>RoleName</code></b>
 * - mapped from the <code>Name</code> identifier.
 * </li>
 * </ul>
 *
 * @param request the <code>GetRoleRequest</code> to send; its
 *        <code>RoleName</code> is overwritten as described above
 * @return {@code true} if the resource was not yet loaded when this
 *         method was invoked, which indicates that a service call has been
 *         made to retrieve the attributes; {@code false} if it was already loaded
 * @see GetRoleRequest
 */
boolean load(GetRoleRequest request);
/**
 * Makes a call to the service to load this resource's attributes if they
 * are not loaded yet, and uses a <code>ResultCapture</code> to hand back the
 * low-level client response.
 * <p>
 * The following request parameters are populated from the data of this
 * <code>Role</code> resource, and any conflicting parameter value set in
 * the request is overridden:
 * <ul>
 * <li>
 * <b><code>RoleName</code></b>
 * - mapped from the <code>Name</code> identifier.
 * </li>
 * </ul>
 *
 * @param request   the <code>GetRoleRequest</code> to send; its
 *                  <code>RoleName</code> is overwritten as described above
 * @param extractor receives the raw <code>GetRoleResult</code> of the service
 *                  call, if one is made
 * @return {@code true} if the resource was not yet loaded when this
 *         method was invoked, which indicates that a service call has been
 *         made to retrieve the attributes; {@code false} if it was already loaded
 * @see GetRoleRequest
 */
boolean load(GetRoleRequest request, ResultCapture<GetRoleResult> extractor);