in pyqldbsamples/export_journal.py [0:0]
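def create_export_role(role_name, key_arn, role_policy_name, s3_bucket):
    """
    Create (or reuse) the IAM role that QLDB assumes to export a journal, plus a managed policy for it.

    If a role named ``role_name`` already exists, its ARN is returned as-is: no policy is created and the
    existing role's permissions are NOT verified, so a pre-existing role with a missing, wrong or overly
    broad policy is silently reused. Otherwise a role is created with ``ASSUME_ROLE_POLICY`` as its trust
    policy, a managed policy built from the module's S3 (and, when ``key_arn`` is given, KMS) statement
    templates is created, and that policy is attached to the role.

    The policy document is assembled by plain text substitution into JSON templates, so the substituted
    values are checked first: a bucket name or key ARN never legitimately contains a double quote, a
    backslash or whitespace, but such a value could terminate the JSON string in the template and alter
    the structure of the policy. Such values are rejected with ``ValueError`` before any IAM call is made.

    :type role_name: str
    :param role_name: The name of the role to be created (or reused if it already exists).
    :type key_arn: str
    :param key_arn: Optional KMS key ARN. When not None, a KMS statement for this key is added to the policy.
    :type role_policy_name: str
    :param role_policy_name: Name of the managed policy to be created and attached to the role.
    :type s3_bucket: str
    :param s3_bucket: Name of the S3 bucket substituted into the S3 policy statement.
    :rtype: str
    :return: The ARN of the newly created (or pre-existing) export role.
    :raises ValueError: If ``s3_bucket`` or ``key_arn`` is empty or contains characters unsafe for
        substitution into the policy template.

    Caveat: if creating or attaching the policy fails after the role has been created, the role is left
    behind with no permissions policy, and a later call will take the "already exists" path and return it.
    """
    # Validate before touching IAM so an unsafe value never reaches the policy document.
    _check_policy_value('s3_bucket', s3_bucket)
    if key_arn is not None:
        _check_policy_value('key_arn', key_arn)

    iam_client = client('iam')
    logger.info('Trying to retrieve role with name: {}.'.format(role_name))
    try:
        new_role_arn = iam_client.get_role(RoleName=role_name).get('Role').get('Arn')
        # Existing role is reused without inspecting its attached policies (see docstring).
        logger.info('The role called {} already exists.'.format(role_name))
    except iam_client.exceptions.NoSuchEntityException:
        logger.info('The role called {} does not exist. Creating it now.'.format(role_name))
        role = iam_client.create_role(RoleName=role_name, AssumeRolePolicyDocument=ASSUME_ROLE_POLICY)
        new_role_arn = role.get('Role').get('Arn')

        # Statements are spliced into the JSON template as text; the inputs were validated above.
        role_policy_statement = EXPORT_ROLE_S3_STATEMENT_TEMPLATE.replace('{bucket_name}', s3_bucket)
        if key_arn is not None:
            role_policy_statement = "{}, {}".format(role_policy_statement,
                                                    EXPORT_ROLE_KMS_STATEMENT_TEMPLATE.replace('{kms_arn}', key_arn))
        role_policy = POLICY_TEMPLATE.replace('{statements}', role_policy_statement)

        create_policy_result = iam_client.create_policy(PolicyName=role_policy_name, PolicyDocument=role_policy)
        iam_client.attach_role_policy(RoleName=role_name, PolicyArn=create_policy_result.get('Policy').get('Arn'))
        logger.info('Role {} created with ARN: {} and policy: {}.'.format(role_name, new_role_arn, role_policy))
    return new_role_arn


def _check_policy_value(name, value):
    """
    Reject a value that is unsafe to substitute into a JSON policy template.

    Bucket names and ARNs never contain double quotes, backslashes or whitespace; any of those could
    close the JSON string in the template and change the structure of the resulting policy.

    :type name: str
    :param name: Parameter name, used only in the error message.
    :type value: str
    :param value: The value about to be substituted into the template.
    :raises ValueError: If ``value`` is not a non-empty string or contains an unsafe character.
    """
    if not isinstance(value, str) or not value:
        raise ValueError('{} must be a non-empty string.'.format(name))
    if any(ch in value for ch in '"\\') or any(ch.isspace() for ch in value):
        raise ValueError('{} contains characters that are not allowed in a policy document: {!r}'.format(name, value))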