Google Git
Sign in
apache / incubator-datalab / 356dc8f2d5818f43c67c536a38ed414eaffb8f48 / . / infrastructure-provisioning / src / general / scripts / aws / common_create_policy.py
blob: 751fb8c565b2f77494c874e7b4239701e2727936 [file] [log] [blame]
#!/usr/bin/python
# *****************************************************************************
#
# Copyright (c) 2016, EPAM SYSTEMS INC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# ******************************************************************************
import argparse
from dlab.actions_lib import *
from dlab.meta_lib import *
import sys
import boto3, botocore
parser = argparse.ArgumentParser()
parser.add_argument('--bucket_name', type=str, default='')
parser.add_argument('--ssn_bucket_name', type=str, default='')
parser.add_argument('--shared_bucket_name', type=str, default='')
parser.add_argument('--service_base_name', type=str, default='')
parser.add_argument('--username', type=str, default='')
parser.add_argument('--edge_role_name', type=str, default='')
parser.add_argument('--notebook_role_name', type=str, default='')
parser.add_argument('--region', type=str, default='')
parser.add_argument('--user_predefined_s3_policies', type=str, default='')
args = parser.parse_args()
if __name__ == "__main__":
if args.bucket_name:
try:
handler = open('/root/templates/edge_s3_policy.json', 'r')
policy = handler.read()
policy = policy.replace('BUCKET_NAME', args.bucket_name)
policy = policy.replace('SSN_BUCK', args.ssn_bucket_name)
policy = policy.replace('SHARED_BUCK', args.shared_bucket_name)
if args.region == 'cn-north-1':
policy = policy.replace('aws', 'aws-cn')
except OSError:
print("Failed to open policy template")
sys.exit(1)
list_policies_arn = []
if args.user_predefined_s3_policies != 'None':
list_predefined_policies = args.user_predefined_s3_policies.split(',')
try:
iam = boto3.client('iam')
try:
if args.user_predefined_s3_policies != 'None':
list = iam.list_policies().get('Policies')
for i in list:
if i.get('PolicyName') in list_predefined_policies:
list_policies_arn.append(i.get('Arn'))
response = iam.create_policy(PolicyName='{}-{}-strict_to_S3-Policy'.
format(args.service_base_name, args.username), PolicyDocument=policy)
time.sleep(10)
list_policies_arn.append(response.get('Policy').get('Arn'))
except botocore.exceptions.ClientError as cle:
if cle.response['Error']['Code'] == 'EntityAlreadyExists':
print("Policy {}-{}-strict_to_S3-Policy already exists. Reusing it.".
format(args.service_base_name, args.username))
list = iam.list_policies().get('Policies')
for i in list:
if '{}-{}-strict_to_S3-Policy'.format(
args.service_base_name, args.username) == i.get('PolicyName') or (
args.user_predefined_s3_policies != 'None' and i.get('PolicyName') in
list_predefined_policies):
list_policies_arn.append(i.get('Arn'))
try:
for arn in list_policies_arn:
iam.attach_role_policy(RoleName=args.edge_role_name, PolicyArn=arn)
print('POLICY "{0}" has been attached to role "{1}"'.format(arn, args.edge_role_name))
time.sleep(5)
iam.attach_role_policy(RoleName=args.notebook_role_name, PolicyArn=arn)
print('POLICY "{0}" has been attached to role "{1}"'.format(arn, args.notebook_role_name))
time.sleep(5)
except botocore.exceptions.ClientError as e:
print(e.response['Error']['Message'])
sys.exit(1)
except Exception as err:
print('Error: {0}'.format(err))
sys.exit(1)
else:
parser.print_help()
sys.exit(2)