in infrastructure-provisioning/src/general/lib/aws/actions_lib.py [0:0]
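def _trust_policy_document(service, region):
    """Return the compact JSON trust policy letting ``service`` assume the role.

    The service principal uses the ``.amazonaws.com.cn`` suffix in the
    ``cn-north-1`` partition and ``.amazonaws.com`` everywhere else.
    Built with ``json.dumps`` so ``service`` is always emitted as a valid
    JSON string rather than spliced into a hand-written literal.
    """
    import json

    principal_suffix = '.amazonaws.com.cn' if region == 'cn-north-1' else '.amazonaws.com'
    document = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": [service + principal_suffix]},
            "Action": ["sts:AssumeRole"],
        }],
    }
    # Compact separators keep the wire format identical to the previous string literal.
    return json.dumps(document, separators=(',', ':'))


def _role_tags(role_name, tag, user_tag):
    """Return the tags to apply to the role, in the order they are applied.

    Order: caller ``tag``, the mandatory ``Name`` tag, caller ``user_tag``,
    then the optional billing / project / endpoint tags sourced from the
    environment (``conf_billing_tag_key``/``conf_billing_tag_value``,
    ``project_name``, ``endpoint_name``).
    """
    tags = []
    if tag:
        tags.append(tag)
    tags.append({"Key": "Name", "Value": role_name})
    if user_tag:
        tags.append(user_tag)
    if 'conf_billing_tag_key' in os.environ and 'conf_billing_tag_value' in os.environ:
        tags.append({'Key': os.environ['conf_billing_tag_key'],
                     'Value': os.environ['conf_billing_tag_value']})
    if 'project_name' in os.environ:
        tags.append({'Key': "project_tag", 'Value': os.environ['project_name']})
    if 'endpoint_name' in os.environ:
        tags.append({'Key': "endpoint_tag", 'Value': os.environ['endpoint_name']})
    return tags


def _report_iam_failure(error_text, err):
    """Log an IAM ``ClientError``, record it via ``append_result`` and print the traceback.

    Uses ``traceback.format_exc()`` for the message text: ``print_exc`` returns
    ``None``, so concatenating it (as the previous code did) raised a
    ``TypeError`` inside the handler and masked the real error.
    """
    message = str(err.response['Error']['Message'])
    tb = traceback.format_exc()
    logging.info(error_text + ": " + message + "\n Traceback: " + tb)
    append_result(str({"error": error_text,
                       "error_message": message + "\n Traceback: " + tb}))
    traceback.print_exc(file=sys.stdout)


def create_iam_role(role_name, role_profile, region, permissions_boundary='', service='ec2', tag=None, user_tag=None):
    """Create an IAM role and, when ``service`` is ``ec2``, an instance profile bound to it.

    Creation is idempotent: an ``EntityAlreadyExists`` error from IAM is
    treated as "reuse the existing object" and processing continues.

    Args:
        role_name: Name of the IAM role to create.
        role_profile: Name of the instance profile to create (EC2 only).
        region: AWS region name; only used to pick the service-principal
            DNS suffix for ``cn-north-1``.
        permissions_boundary: Optional managed-policy ARN set as the role's
            permissions boundary. NOTE(review): as in the original code it
            is not applied in ``cn-north-1`` — confirm that is intended,
            since the boundary is silently dropped there.
        service: AWS service principal allowed to assume the role.
        tag: Optional ``{"Key": ..., "Value": ...}`` dict tagged onto the role.
        user_tag: Optional second tag dict tagged onto the role.

    Returns:
        None. Any failure other than "already exists" is logged, recorded via
        ``append_result`` and stops the remaining steps.
    """
    conn = boto3.client('iam')
    try:
        create_kwargs = {
            'RoleName': role_name,
            'AssumeRolePolicyDocument': _trust_policy_document(service, region),
        }
        # Boundary is only honoured outside cn-north-1 (preserved from the original logic).
        if region != 'cn-north-1' and permissions_boundary != '':
            create_kwargs['PermissionsBoundary'] = permissions_boundary
        conn.create_role(**create_kwargs)
        # One tag_role call per tag, as before: a later tag with a duplicate key
        # overwrites an earlier one instead of failing the whole call.
        for role_tag in _role_tags(role_name, tag, user_tag):
            conn.tag_role(RoleName=role_name, Tags=[role_tag])
    except botocore.exceptions.ClientError as e_role:
        if e_role.response['Error']['Code'] == 'EntityAlreadyExists':
            print("IAM role already exists. Reusing...")
        else:
            _report_iam_failure("Unable to create IAM role", e_role)
            return
    if service != 'ec2':
        return
    try:
        conn.create_instance_profile(InstanceProfileName=role_profile)
        waiter = conn.get_waiter('instance_profile_exists')
        waiter.wait(InstanceProfileName=role_profile)
    except botocore.exceptions.ClientError as e_profile:
        if e_profile.response['Error']['Code'] == 'EntityAlreadyExists':
            print("Instance profile already exists. Reusing...")
        else:
            _report_iam_failure("Unable to create Instance Profile", e_profile)
            return
    try:
        conn.add_role_to_instance_profile(InstanceProfileName=role_profile, RoleName=role_name)
        # Fixed delay retained from the original; presumably gives the
        # role/profile association time to propagate before it is used.
        time.sleep(30)
    except botocore.exceptions.ClientError as err:
        _report_iam_failure("Unable to add IAM role to instance profile", err)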