in awscli/customizations/emrcontainers/update_role_trust_policy.py [0:0]
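def _update_role_trust_policy(self, parsed_globals):
    """Add the EMR on EKS trust statement to the job-execution role.

    Builds the trust statement for ``self._role_name`` from the EKS
    cluster's account id and OIDC issuer id plus the Kubernetes namespace,
    then compares it against the role's current assume-role policy. If an
    equivalent statement is already present nothing is changed; otherwise
    the statement is appended. With ``self._dry_run`` set, the would-be
    policy document is returned as JSON instead of being written to IAM.

    :param parsed_globals: parsed global CLI options; only ``verify_ssl``
        is read, and it is passed to the EKS and IAM clients.
    :return: the dry-run policy document (a JSON string), or the
        success / already-exists message for the role.
    :raises ValueError: if ``self._namespace`` is not a valid Kubernetes
        namespace name. The namespace is substituted as plain text into a
        JSON template, so anything outside that character set would
        either corrupt the document (``json.loads`` would fail with a
        ``JSONDecodeError``, itself a ``ValueError``) or, for IAM
        wildcard characters such as ``*`` / ``?``, widen whatever match
        condition the template places it in.
    """
    namespace = self._namespace
    # Kubernetes namespace names are RFC 1123 DNS labels: 1-63 chars of
    # [a-z0-9-], not starting or ending with '-'. Rejecting anything else
    # up front (before any network call) keeps JSON-significant characters
    # ('"', '\\') and IAM pattern wildcards ('*', '?') out of the generated
    # trust statement.
    label_chars = set('abcdefghijklmnopqrstuvwxyz0123456789-')
    if (not namespace
            or len(namespace) > 63
            or namespace[0] == '-' or namespace[-1] == '-'
            or not set(namespace) <= label_chars):
        raise ValueError(
            'Invalid Kubernetes namespace %r: must be 1-63 lowercase '
            'alphanumeric characters or "-", and must start and end with '
            'an alphanumeric character' % (namespace,))

    base36 = Base36()
    eks_client = EKS(self._session.create_client(
        'eks',
        region_name=self._region,
        verify=parsed_globals.verify_ssl
    ))
    account_id = eks_client.get_account_id(self._cluster_name)
    oidc_provider = eks_client.get_oidc_issuer_id(self._cluster_name)
    # The role name is base36-encoded before substitution (encoder defined
    # elsewhere; assumed to emit only the [0-9a-z] base-36 alphabet).
    base36_encoded_role_name = base36.encode(self._role_name)
    LOG.debug('Base36 encoded role name: %s', base36_encoded_role_name)
    # NOTE: plain text substitution into a JSON template, then parse. The
    # namespace check above and the base36 encoding are what keep the
    # substituted values from altering the document's structure.
    trust_policy_statement = json.loads(TRUST_POLICY_STATEMENT_FORMAT % {
        "AWS_ACCOUNT_ID": account_id,
        "OIDC_PROVIDER": oidc_provider,
        "NAMESPACE": namespace,
        "BASE36_ENCODED_ROLE_NAME": base36_encoded_role_name,
        "AWS_PARTITION": get_policy_arn_suffix(self._region)
    })
    LOG.debug('Computed Trust Policy Statement:\n%s', json.dumps(
        trust_policy_statement, indent=2))

    iam_client = IAM(self._session.create_client(
        'iam',
        region_name=self._region,
        endpoint_url=self._endpoint_url,
        verify=parsed_globals.verify_ssl
    ))
    assume_role_document = iam_client.get_assume_role_policy(
        self._role_name)
    # check_if_statement_exists (defined elsewhere) decides whether an
    # equivalent statement is already present; nothing is written then.
    if check_if_statement_exists(trust_policy_statement,
                                 assume_role_document):
        return TRUST_POLICY_STATEMENT_ALREADY_EXISTS % self._role_name

    LOG.debug('Role %s does not have the required trust policy ',
              self._role_name)
    statements = assume_role_document.get("Statement")
    if statements is None:
        statements = []
    elif isinstance(statements, dict):
        # IAM accepts a lone statement object in place of a list; normalise
        # so the append below does not fail with AttributeError and the
        # existing statement is preserved.
        statements = [statements]
    statements.append(trust_policy_statement)
    assume_role_document["Statement"] = statements

    if self._dry_run:
        # Dry run: show the resulting document, do not touch IAM.
        return json.dumps(assume_role_document, indent=2)
    LOG.debug('Updating trust policy of role %s', self._role_name)
    iam_client.update_assume_role_policy(self._role_name,
                                         assume_role_document)
    return TRUST_POLICY_UPDATE_SUCCESSFUL % self._role_name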