Manage IAM objects
This module uses boto, which can be installed via a system package or pip.

This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from the AWS API and no further configuration is necessary. More information available here.

It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config:
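The following is an added illustration of how the profile forms described above resolve to connection settings; it is not Salt's own implementation. The function name resolve_connection, the sample_lookup helper and the SAMPLE_CONFIG data are constructed for this example, and the rule that values inside the profile take precedence over the loose region/key/keyid arguments is an assumption. A profile that carries only a region leaves key and keyid unset, which is the instance-profile case the module text describes.

```python
from typing import Callable, Dict, Optional

# Constructed stand-in for what a minion config or pillar might hold.
# Key material below is a placeholder, not a real AWS credential.
SAMPLE_CONFIG = {
    "myprofile": {
        "region": "eu-west-1",
        "keyid": "AKIAEXAMPLEPLACEHOLDER",
        "key": "EXAMPLE-SECRET-KEY-PLACEHOLDER",
    },
    # No static credentials: the caller relies on the instance profile.
    "instance-role": {"region": "eu-west-1"},
}


def sample_lookup(name: str) -> Optional[dict]:
    """Hypothetical pillar/minion-config lookup (stands in for config.option)."""
    return SAMPLE_CONFIG.get(name)


def resolve_connection(profile=None, region=None, key=None, keyid=None,
                       lookup: Callable[[str], Optional[dict]] = sample_lookup
                       ) -> Dict[str, Optional[str]]:
    """Resolve region/key/keyid for a boto connection.

    `profile` is either a dict with region, key and keyid, or a string naming
    a pillar/minion-config key that contains such a dict. Profile values win
    over the loose arguments (assumption made for this example).
    """
    if isinstance(profile, str):
        source = lookup(profile)
        if not isinstance(source, dict):
            raise ValueError(f"profile {profile!r} not found in pillar or minion config")
    elif isinstance(profile, dict):
        source = profile
    elif profile is None:
        source = {}
    else:
        raise TypeError("profile must be a dict or a string")

    resolved: Dict[str, Optional[str]] = {
        "region": source.get("region", region),
        "key": source.get("key", key),
        "keyid": source.get("keyid", keyid),
    }
    if not resolved["region"]:
        raise ValueError("no region given via profile or region argument")
    # Half a credential pair is a misconfiguration, not a fallback: refuse it
    # rather than letting boto quietly pick up whatever credentials it finds.
    if bool(resolved["key"]) != bool(resolved["keyid"]):
        raise ValueError("key and keyid must be given together")
    resolved["credentials"] = "explicit" if resolved["key"] else "instance-profile"
    return resolved
```

Passing a profile string that does not exist fails immediately instead of silently connecting with ambient credentials, which is the behaviour you want when a state file references the wrong pillar key.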
    delete-user:
      boto_iam.user_absent:
        - name: myuser
        - delete_keys: true

    delete-keys:
      boto_iam.keys_absent:
        - access_keys:
          - 'AKIAJHTMIQ2ASDFLASDF'
          - 'PQIAJHTMIQ2ASRTLASFR'
        - user_name: myuser

    create-user:
      boto_iam.user_present:
        - name: myuser
        - policies:
            mypolicy: |
              {
                "Version": "2012-10-17",
                "Statement": [{
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"}]
              }
        - password: NewPassword$$1
        - region: eu-west-1
        - keyid: 'AKIAJHTMIQ2ASDFLASDF'
        - key: 'fdkjsafkljsASSADFalkfjasdf'

    create-group:
      boto_iam.group_present:
        - name: mygroup
        - users:
          - myuser
          - myuser1
        - policies:
            mypolicy: |
              {
                "Version": "2012-10-17",
                "Statement": [{
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"}]
              }
        - region: eu-west-1
        - keyid: 'AKIAJHTMIQ2ASDFLASDF'
        - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'

    change-policy:
      boto_iam.account_policy:
        - change_password: True
        - region: eu-west-1
        - keyid: 'AKIAJHTMIQ2ASDFLASDF'
        - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'

    create server certificate:
      boto_iam.server_cert_present:
        - name: mycert
        - public_key: salt://base/mycert.crt
        - private_key: salt://base/mycert.key
        - cert_chain: salt://base/mycert_chain.crt
        - region: eu-west-1
        - keyid: 'AKIAJHTMIQ2ASDFLASDF'
        - key: 'fdkjsafkljsASSADFalkfjasdf'

    delete server certificate:
      boto_iam.server_cert_absent:
        - name: mycert

    create keys for user:
      boto_iam.keys_present:
        - name: myusername
        - number: 2
        - save_dir: /root
        - region: eu-west-1
        - keyid: 'AKIAJHTMIQ2ASDFLASDF'
        - key: 'fdkjsafkljsASSADFalkfjasdf'
salt.states.boto_iam.account_policy(allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, region=None, key=None, keyid=None, profile=None)

Change account policy.

- allow_users_to_change_password (bool): Allows all IAM users in your account to use the AWS Management Console to change their own passwords.
- hard_expiry (bool): Prevents IAM users from setting a new password after their password has expired.
- max_password_age (int): The number of days that an IAM user password is valid.
- minimum_password_length (int): The minimum number of characters allowed in an IAM user password.
- password_reuse_prevention (int): Specifies the number of previous passwords that IAM users are prevented from reusing.
- require_lowercase_characters (bool): Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
- require_numbers (bool): Specifies whether IAM user passwords must contain at least one numeric character (0 to 9).
- require_symbols (bool): Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
- require_uppercase_characters (bool): Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
- region (string): Region to connect to.
- key (string): Secret key to be used.
- keyid (string): Access key to be used.
- profile (dict): A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
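An added example, not part of the Salt module, that turns the account_policy parameters above into a local check: user_present documents that a password "must comply with account policy", so rejecting a non-compliant password before the state runs saves a failed AWS call. The function names password_violations and password_expired, the helper days_ago, and the SAMPLE_POLICY and EXAMPLE_NOW values are constructed; the symbol set is exactly the one listed for require_symbols.

```python
import string
from datetime import datetime, timedelta, timezone

# Exactly the non-alphanumeric characters the require_symbols parameter documents.
IAM_SYMBOLS = frozenset("!@#$%^&*()_+-=[]{}|'")

# Constructed sample policy using the account_policy parameter names.
SAMPLE_POLICY = {
    "minimum_password_length": 14,
    "require_lowercase_characters": True,
    "require_uppercase_characters": True,
    "require_numbers": True,
    "require_symbols": True,
    "max_password_age": 90,
}

# Fixed "now" so the age check is deterministic (constructed value).
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def password_violations(password: str, policy: dict) -> list:
    """Return the policy parameters `password` violates ([] means compliant)."""
    violations = []
    min_len = policy.get("minimum_password_length")
    if min_len and len(password) < min_len:
        violations.append("minimum_password_length")
    character_classes = (
        ("require_lowercase_characters", frozenset(string.ascii_lowercase)),
        ("require_uppercase_characters", frozenset(string.ascii_uppercase)),
        ("require_numbers", frozenset(string.digits)),
        ("require_symbols", IAM_SYMBOLS),
    )
    for name, allowed in character_classes:
        # Only enforce a class when the policy switches it on.
        if policy.get(name) and not any(ch in allowed for ch in password):
            violations.append(name)
    return violations


def password_expired(changed_at: datetime, policy: dict, now: datetime) -> bool:
    """max_password_age: True once the password is older than the allowed days."""
    max_age = policy.get("max_password_age")
    if not max_age:
        return False  # no age limit configured
    return now - changed_at > timedelta(days=max_age)


def days_ago(days: int, now: datetime = EXAMPLE_NOW) -> datetime:
    """Convenience for building a last-changed timestamp relative to `now`."""
    return now - timedelta(days=days)
```

Running password_violations on the NewPassword$$1 value from the state examples against SAMPLE_POLICY returns an empty list; a short all-lowercase password returns every unmet parameter, which makes the result usable as a test-mode message.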
salt.states.boto_iam.group_present(name, policies=None, policies_from_pillars=None, users=None, region=None, key=None, keyid=None, profile=None, path='/')

Ensure the IAM group is present.

- name (string): The name of the new group.
- path (string): The path for the group, defaults to '/'.
- policies (dict): A dict of IAM group policy documents.
- policies_from_pillars (list): A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
- users (list): A list of users to be added to the group.
- region (string): Region to connect to.
- key (string): Secret key to be used.
- keyid (string): Access key to be used.
- profile (dict): A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.keys_absent(access_keys, user_name, region=None, key=None, keyid=None, profile=None)

Ensure the given IAM user access keys are absent.

- access_keys (list): A list of access key ids.
- user_name (string): The username of the user.
- region (string): Region to connect to.
- key (string): Secret key to be used.
- keyid (string): Access key to be used.
- profile (dict): A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.keys_present(name, number, save_dir, region=None, key=None, keyid=None, profile=None)

Ensure the IAM access keys are present.

- name (string): The name of the new user.
- number (int): Number of keys that user should have.
- save_dir (string): The directory that the key/keys will be saved to. Keys are saved to a file named according to the username provided.
- region (string): Region to connect to.
- key (string): Secret key to be used.
- keyid (string): Access key to be used.
- profile (dict): A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.server_cert_absent(name, region=None, key=None, keyid=None, profile=None)

Deletes a server certificate.

- name (string): The name for the server certificate. Do not include the path in this value.
- region (string): The name of the region to connect to.
- key (string): The key to be used in order to connect.
- keyid (string): The keyid to be used in order to connect.
- profile (string): The profile that contains a dict of region, key, keyid.
salt.states.boto_iam.server_cert_present(name, public_key, private_key, cert_chain=None, path=None, region=None, key=None, keyid=None, profile=None)

Create server certificate.

- name (string): The name for the server certificate. Do not include the path in this value.
- public_key (string): The contents of the public key certificate in PEM-encoded format.
- private_key (string): The contents of the private key in PEM-encoded format.
- cert_chain (string): The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.
- path (string): The path for the server certificate.
- region (string): The name of the region to connect to.
- key (string): The key to be used in order to connect.
- keyid (string): The keyid to be used in order to connect.
- profile (string): The profile that contains a dict of region, key, keyid.
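As an added example (not Salt code), the check below inspects the PEM contents that server_cert_present expects in public_key, private_key and cert_chain: exactly one CERTIFICATE block, exactly one private key block, and a chain made only of CERTIFICATE blocks. It catches the common mistakes of passing the wrong file or concatenating the private key into the chain. The function check_server_cert_inputs, the pem_block_types helper and the placeholder PEM blocks are constructed; the bodies are not real certificate or key material. It assumes the check runs on the fetched contents of the salt:// sources the state examples reference.

```python
import re

# One PEM block; the END label must repeat the BEGIN label (e.g. "RSA PRIVATE KEY").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)


def _fake_pem(label: str, tag: str) -> str:
    """Constructed placeholder block; the body is not real key or cert material."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQt{tag}\n-----END {label}-----\n"


LEAF_CERT = _fake_pem("CERTIFICATE", "LEAF")
INTERMEDIATE_CERT = _fake_pem("CERTIFICATE", "INTERMEDIATE")
ROOT_CERT = _fake_pem("CERTIFICATE", "ROOT")
PRIVATE_KEY = _fake_pem("RSA PRIVATE KEY", "KEY")
CHAIN = INTERMEDIATE_CERT + ROOT_CERT  # the usual cert_chain shape: intermediates then root


def pem_block_types(text: str) -> list:
    """Return the BEGIN labels of every well-formed PEM block in `text`, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_server_cert_inputs(public_key: str, private_key: str, cert_chain=None) -> list:
    """Return a list of problems with the three inputs; [] means they look sane."""
    problems = []
    if pem_block_types(public_key) != ["CERTIFICATE"]:
        problems.append("public_key must contain exactly one CERTIFICATE block")
    key_types = pem_block_types(private_key)
    if len(key_types) != 1 or not key_types[0].endswith("PRIVATE KEY"):
        problems.append("private_key must contain exactly one PRIVATE KEY block")
    if cert_chain is not None:
        chain_types = pem_block_types(cert_chain)
        if not chain_types:
            problems.append("cert_chain contains no PEM certificate blocks")
        elif any(t != "CERTIFICATE" for t in chain_types):
            # A private key (or anything else) in the chain field is always a mistake.
            problems.append("cert_chain must contain only CERTIFICATE blocks")
    return problems
```

This is a structural check only; it does not parse the certificates or verify that the private key matches the leaf certificate, which needs an X.509 library.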
salt.states.boto_iam.user_absent(name, delete_keys=None, region=None, key=None, keyid=None, profile=None)

Ensure the IAM user is absent. User cannot be deleted if it has keys.

- name (string): The name of the new user.
- delete_keys (bool): Delete all keys from user.
- region (string): Region to connect to.
- key (string): Secret key to be used.
- keyid (string): Access key to be used.
- profile (dict): A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.user_present(name, policies=None, policies_from_pillars=None, password=None, path=None, region=None, key=None, keyid=None, profile=None)

Ensure the IAM user is present.

- name (string): The name of the new user.
- policies (dict): A dict of IAM user policy documents.
- policies_from_pillars (list): A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
- password (string): The password for the new user. Must comply with account policy.
- path (string): The path of the user. Default is '/'.
- region (string): Region to connect to.
- key (string): Secret key to be used.
- keyid (string): Access key to be used.
- profile (dict): A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
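The merge order that both group_present and user_present document for policies_from_pillars and policies, written out as an added example (not Salt's implementation): pillars are applied in list order with later keys overriding earlier ones, and the explicit policies argument overrides anything from the pillars. The function names merge_policies, as_document and wildcard_allows, the pillar_get helper and the SAMPLE_PILLAR data are constructed for this example. Policy documents are accepted either as dicts or as JSON strings, which is the form the `|` block in the state examples above produces, and wildcard_allows is a small lint that flags the Allow-everything document those examples use so it does not reach an account unnoticed.

```python
import json

# Constructed pillar data standing in for what __pillar__ would contain.
SAMPLE_PILLAR = {
    "iam_base_policies": {
        "s3-read": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"}]},
        "deny-iam": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
    },
    "iam_team_policies": {
        # Same key as in iam_base_policies: listed later in the list, so it wins.
        "s3-read": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": "arn:aws:s3:::example-bucket/*"}]},
    },
}

# The policy from the state examples, in the JSON-string form a `|` block yields.
WILDCARD_POLICY_JSON = (
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Action": "*", "Resource": "*"}]}'
)


def pillar_get(key: str, pillar: dict = SAMPLE_PILLAR) -> dict:
    """Hypothetical stand-in for a pillar.get(key, {}) call."""
    return pillar.get(key, {})


def as_document(doc) -> dict:
    """Accept a policy as a dict or as a JSON string; reject anything else."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    if not isinstance(doc, dict) or "Statement" not in doc:
        raise ValueError("policy document must be a dict with a Statement key")
    return doc


def merge_policies(policies=None, policies_from_pillars=None, lookup=pillar_get) -> dict:
    """Merge pillar policies in list order, then let the explicit argument override."""
    merged = {}
    for pillar_key in policies_from_pillars or []:
        for name, doc in lookup(pillar_key).items():
            merged[name] = as_document(doc)   # later pillars override earlier ones
    for name, doc in (policies or {}).items():
        merged[name] = as_document(doc)       # the policies argument wins on conflict
    return merged


def wildcard_allows(policies: dict) -> list:
    """Names of policies containing an Allow on Action "*" and Resource "*"."""
    flagged = []
    for name, doc in policies.items():
        statements = doc["Statement"]
        if isinstance(statements, dict):      # a single statement may be a bare object
            statements = [statements]
        for statement in statements:
            actions = statement.get("Action", [])
            resources = statement.get("Resource", [])
            actions = [actions] if isinstance(actions, str) else actions
            resources = [resources] if isinstance(resources, str) else resources
            if statement.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                flagged.append(name)
                break
    return flagged
```

Because the merge is keyed on policy name, a pillar listed later silently replaces an earlier one with the same name; running wildcard_allows on the merged result before the state applies it is one cheap way to notice when that replacement widened access.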