@Test
public void testGetRolePolicies() throws Exception {
    // Canned IAM responses for the three calls the provider is expected to issue.
    final ListAttachedRolePoliciesResult attachedResult = new ListAttachedRolePoliciesResult()
            .withAttachedPolicies(
                    new AttachedPolicy().withPolicyName("bar1"),
                    new AttachedPolicy().withPolicyName("bar2"));
    final ListRolePoliciesResult inlineResult = new ListRolePoliciesResult().withPolicyNames("foo", "bar");
    // URL-encoded form of {"hello":"world"}; the provider is expected to hand back the decoded document.
    final GetRolePolicyResult mainPolicyResult = new GetRolePolicyResult()
            .withPolicyDocument("%7B%22hello%22%3A%22world%22%7D");

    when(clientMock.listAttachedRolePolicies(any())).thenReturn(attachedResult);
    when(clientMock.listRolePolicies(any())).thenReturn(inlineResult);
    when(clientMock.getRolePolicy(any())).thenReturn(mainPolicyResult);

    final RolePolicies rolePolicies =
            policyProvider.getRolePolicies("foo", Region.getRegion(US_EAST_1), "123456789012");

    // Attached and inline names are reported separately; the main policy document is decoded.
    assertThat(rolePolicies).isNotNull();
    assertThat(rolePolicies.getAttachedPolicyNames()).containsOnly("bar1", "bar2");
    assertThat(rolePolicies.getInlinePolicyNames()).containsOnly("foo", "bar");
    assertThat(rolePolicies.getMainPolicy()).isEqualTo("{\"hello\":\"world\"}");

    // Each IAM call must have been made exactly once.
    verify(clientMock).listAttachedRolePolicies(any());
    verify(clientMock).listRolePolicies(any());
    verify(clientMock).getRolePolicy(any());
}
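/**
 * Returns the names of every managed policy attached to {@code roleName}.
 *
 * <p>{@code ListAttachedRolePolicies} is paginated: one call returns at most one page and flags
 * the remainder with {@code isTruncated}/{@code marker}. Reading only the first page would
 * silently drop policies on roles with many attachments, so all pages are walked.
 *
 * @param roleName  IAM role whose attached policies are listed
 * @param iamClient client used to call IAM
 * @return the attached policy names, or an empty set when none are attached; never null
 */
private Set<String> fetchAttachedPolicyNames(String roleName, AmazonIdentityManagementClient iamClient) {
    final Set<String> policyNames = new java.util.HashSet<>();
    final ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest().withRoleName(roleName);
    ListAttachedRolePoliciesResult page;
    do {
        page = iamClient.listAttachedRolePolicies(request);
        if (page == null) {
            break;
        }
        if (page.getAttachedPolicies() != null) {
            for (AttachedPolicy policy : page.getAttachedPolicies()) {
                policyNames.add(policy.getPolicyName());
            }
        }
        request.setMarker(page.getMarker());
        // A truncated page without a marker cannot be followed; stop rather than loop forever.
    } while (Boolean.TRUE.equals(page.getIsTruncated()) && page.getMarker() != null);
    return policyNames;
}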
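/**
 * Decides whether an attached managed policy looks like it grants IAM or S3 access, judging by
 * the policy's name (the last segment of its ARN).
 *
 * <p>The name rather than the whole ARN is inspected on purpose: every managed policy ARN starts
 * with {@code arn:aws:iam::...}, so searching the full ARN for "iam" matches every policy and
 * turns the check into a no-op. This remains a name heuristic; the policy document is not read.
 *
 * @param client         IAM client used to resolve the attached policy
 * @param attachedPolicy attachment (name + ARN) from ListAttachedRolePolicies
 * @return true when the policy name mentions IAM or S3
 */
private boolean checkIamOrS3Access(AmazonIdentityManagement client, AttachedPolicy attachedPolicy) {
    final GetPolicyRequest getPolicyRequest = new GetPolicyRequest();
    getPolicyRequest.setPolicyArn(attachedPolicy.getPolicyArn());
    final GetPolicyResult policy = client.getPolicy(getPolicyRequest);
    final String arn = policy.getPolicy().getArn();
    if (arn == null) {
        return false;
    }
    // arn:aws:iam::<account>:policy[/<path>]/<name> -> <name>
    final String policyName = arn.substring(arn.lastIndexOf('/') + 1).toLowerCase(java.util.Locale.ROOT);
    if (policyName.contains("iam") || policyName.contains("s3")) {
        LOGGER.info("Role has policy for iam or s3 resources: {}.", arn);
        return true;
    }
    return false;
}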
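/**
 * Attaches {@code POLICY_ARN} to the role named on the command line, unless that policy is
 * already attached.
 *
 * <p>The attached-policy listing is paginated, so every page is read before deciding. The
 * "already attached" check compares policy ARNs against {@code POLICY_ARN}; comparing policy
 * names with the role name (as the original sample did) never finds the target policy.
 *
 * @param args exactly one argument: the role name
 */
public static void main(String[] args) {
    final String USAGE =
        "To run this example, supply a role name\n" +
        "Ex: AttachRolePolicy <role-name>\n";

    if (args.length != 1) {
        System.out.println(USAGE);
        System.exit(1);
    }

    final String roleName = args[0];
    final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

    final ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest()
            .withRoleName(roleName);
    final List<AttachedPolicy> matchingPolicies = new ArrayList<>();

    ListAttachedRolePoliciesResult response;
    do {
        response = iam.listAttachedRolePolicies(request);
        for (AttachedPolicy policy : response.getAttachedPolicies()) {
            if (POLICY_ARN.equals(policy.getPolicyArn())) {
                matchingPolicies.add(policy);
            }
        }
        request.setMarker(response.getMarker());
        // getIsTruncated() is a boxed Boolean; compare null-safely and never follow a null marker.
    } while (Boolean.TRUE.equals(response.getIsTruncated()) && response.getMarker() != null);

    if (!matchingPolicies.isEmpty()) {
        System.out.println("Policy " + POLICY_ARN + " is already attached to role " + roleName + ".");
        return;
    }

    final AttachRolePolicyRequest attachRequest = new AttachRolePolicyRequest()
            .withRoleName(roleName)
            .withPolicyArn(POLICY_ARN);
    iam.attachRolePolicy(attachRequest);

    System.out.println("Successfully attached policy " + POLICY_ARN + " to role " + roleName);
}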
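/**
 * Validates that the role referenced by the credential's role ARN carries at least one policy,
 * inline or attached, that grants IAM or S3 access.
 *
 * <p>Both IAM list calls are paginated; every page is walked so that a qualifying policy beyond
 * the first page is not missed (which would reject a valid role).
 *
 * @param awsCredentialView credential holding the role ARN to validate
 * @throws CloudConnectorException when the ARN carries no role name, when IAM cannot be queried,
 *                                 or when no policy grants IAM or S3 access
 */
private void validateInstanceProfileCreation(AwsCredentialView awsCredentialView) {
    final String roleName = roleNameFromArn(awsCredentialView.getRoleArn());
    LOGGER.info("Start validate {} role for S3 access.", roleName);
    final AmazonIdentityManagement client = awsClient.createAmazonIdentityManagement(awsCredentialView);
    try {
        // Inline policies first: each name is resolved and inspected by checkIamOrS3Statement.
        final ListRolePoliciesRequest inlineRequest = new ListRolePoliciesRequest().withRoleName(roleName);
        ListRolePoliciesResult inlinePage;
        do {
            inlinePage = client.listRolePolicies(inlineRequest);
            for (String policyName : inlinePage.getPolicyNames()) {
                if (checkIamOrS3Statement(roleName, client, policyName)) {
                    LOGGER.info("Validation successful for s3 or iam access.");
                    return;
                }
            }
            inlineRequest.setMarker(inlinePage.getMarker());
        } while (Boolean.TRUE.equals(inlinePage.getIsTruncated()) && inlinePage.getMarker() != null);

        // Then the managed policies attached to the role.
        final ListAttachedRolePoliciesRequest attachedRequest =
                new ListAttachedRolePoliciesRequest().withRoleName(roleName);
        ListAttachedRolePoliciesResult attachedPage;
        do {
            attachedPage = client.listAttachedRolePolicies(attachedRequest);
            for (AttachedPolicy attachedPolicy : attachedPage.getAttachedPolicies()) {
                if (checkIamOrS3Access(client, attachedPolicy)) {
                    LOGGER.info("Validation successful for s3 or iam access.");
                    return;
                }
            }
            attachedRequest.setMarker(attachedPage.getMarker());
        } while (Boolean.TRUE.equals(attachedPage.getIsTruncated()) && attachedPage.getMarker() != null);
    } catch (AmazonServiceException ase) {
        // NOTE(review): IAM reports a missing permission as HTTP 403 (AccessDenied); if UNAUTHORIZED
        // resolves to 401 this branch is never taken — confirm against the constant's definition.
        if (ase.getStatusCode() == UNAUTHORIZED) {
            final String policyMessage = String.format(
                    "Could not get policies on the role because the arn role do not have enough permission: %s",
                    ase.getErrorMessage());
            LOGGER.warn(policyMessage, ase);
            throw new CloudConnectorException(policyMessage);
        }
        LOGGER.warn(ase.getMessage(), ase);
        throw new CloudConnectorException(ase.getErrorMessage());
    } catch (Exception e) {
        // Broad catch kept because checkIamOrS3Statement's failure modes are not visible here;
        // the cause is logged so it is not lost when only the message is rethrown.
        LOGGER.warn(e.getMessage(), e);
        throw new CloudConnectorException(e.getMessage());
    }
    // Reaching this point means the listing succeeded but nothing qualified; say so rather than
    // reporting a permission problem that did not occur.
    final String noAccessMessage =
            String.format("No inline or attached policy on role %s grants IAM or S3 access.", roleName);
    LOGGER.info(noAccessMessage);
    throw new CloudConnectorException(noAccessMessage);
}

/**
 * Extracts the role name from a role ARN.
 *
 * <p>Role ARNs look like {@code arn:aws:iam::<account>:role[/<path>]/<name>}; the name is always
 * the last segment, so {@code split("/")[1]} would return the path for roles created with one,
 * and would throw for an ARN without any slash.
 *
 * @param roleArn the role ARN from the credential
 * @return the role name
 * @throws CloudConnectorException when the ARN has no name segment
 */
private static String roleNameFromArn(String roleArn) {
    final int slash = roleArn == null ? -1 : roleArn.lastIndexOf('/');
    if (slash < 0 || slash == roleArn.length() - 1) {
        throw new CloudConnectorException(String.format("Role ARN does not contain a role name: %s", roleArn));
    }
    return roleArn.substring(slash + 1);
}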