in createBrokerEndpointsDDBReadOnyRole.py [0:0]
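def create_read_only_policy(resource_arn):
    """Create (or look up) the read-only IAM policy for the broker-endpoints table.

    The policy grants read-only DynamoDB actions on ``resource_arn`` plus the two
    ``ec2:Describe*`` calls the broker-endpoint lookup needs. The EC2 statement is
    on ``"*"`` because EC2 Describe* actions do not support resource-level
    permissions, so that is the narrowest scope IAM allows for them.

    Args:
        resource_arn: ARN (or list of ARNs) of the DynamoDB table the policy
            should cover; passed through unchanged as the statement's Resource.

    Returns:
        The policy ARN: from the ``create_policy`` response on first creation, or
        reconstructed from the caller's partition/account when a policy with this
        name already exists.

    Raises:
        ClientError: any IAM error other than ``EntityAlreadyExists``.
    """
    policy_document = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BrokerEndpointsDynamodb",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:BatchGetItem",
                    "dynamodb:Describe*",
                    "dynamodb:GetItem",
                    "dynamodb:List*",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                ],
                "Resource": resource_arn,
            },
            {
                "Sid": "VPCEndpointServices",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeVpcEndpointServices",
                ],
                "Resource": "*",
            },
        ],
    }
    policy_name = "MSKBrokerEndpointsDDBReadOnlyPolicy"
    try:
        response = iam.create_policy(
            PolicyName=policy_name,
            PolicyDocument=json.dumps(policy_document),
        )
        return response['Policy']['Arn']
    except ClientError as err:
        if err.response['Error']['Code'] != 'EntityAlreadyExists':
            # Bare `raise` keeps the original traceback intact.
            raise
        print('Policy already exists... Retrieving policy arn')
        # NOTE(review): an existing policy with this name is reused as-is; its
        # document may differ from the one built above (it could grant more than
        # read-only). Compare its default version (iam.get_policy_version) with
        # policy_document before trusting it, or fail closed on a mismatch.
        identity = session.client('sts').get_caller_identity()
        # Take the partition from the caller's own ARN instead of hard-coding
        # "aws", so the reconstructed ARN is also correct in aws-us-gov / aws-cn.
        partition = identity['Arn'].split(':')[1]
        return 'arn:{}:iam::{}:policy/{}'.format(
            partition, identity['Account'], policy_name
        )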