class Awscli::Iam::User


# Wrap an IAM API connection; every method below issues its calls through it.
#
# @param connection [Object] the client object used for all IAM calls —
#   presumably a Fog::AWS::IAM connection, judging by the rescued error
#   classes, but that is not verified in this file
def initialize(connection)
  @conn = connection
end


# Add an IAM user to a group and report the result on stdout.
#
# Note the underlying call takes (group, user) — the reverse of this
# method's own parameter order.
#
# @param username [String] IAM user name
# @param groupname [String] IAM group name
# @return [nil]
def add_user_to_group(username, groupname)
  @conn.add_user_to_group(groupname, username)
  puts "Added user: #{username}, to group: #{groupname}"
rescue Fog::AWS::IAM::NotFound => e
  # Either the user or the group does not exist; report and carry on.
  puts "[Error]: #{e}"
end
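# Attach a console login profile (password) to an existing IAM user.
#
# The password is supplied by the caller, so it is deliberately not echoed
# back: stdout routinely ends up in shell history, terminal scrollback and
# CI logs, and repeating a credential there widens its exposure for no
# benefit (the previous message printed it verbatim).
#
# @param username [String] IAM user name
# @param password [String] initial console password
# @return [nil]
def assign_password(username, password)
  @conn.create_login_profile(username, password)
  puts "Assigned password for user #{username}"
rescue Fog::AWS::IAM::NotFound, Fog::AWS::IAM::ValidationError => e
  puts "[Error]: #{e}"
rescue Fog::AWS::IAM::Error => e
  puts "[Error]: #{e}"
  # fog gives no access to the account password policy from here, so the
  # only hint we can offer is that the policy rejected this password.
  if e.to_s =~ /PasswordPolicyViolation/
    #TODO: show password policy, this is not available in fog
    puts 'Password policy is violated, please revisit your password policies'
  end
end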
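# Create an IAM user and, depending on +options+, provision a console
# password, a group membership, an access key and an inline policy.
#
# The caller's +options+ hash is left untouched (previously +:path+ was
# defaulted in place with +||=+). Both the generated password and the
# access-key secret are printed exactly once by the helpers that create them.
#
# @param options [Hash] keys read: :user_name, :path (defaults to '/'),
#   :password, :group, :access_key, :policy, :policy_doc
# @return [nil]
def create(options)
  username = options[:user_name]
  @conn.create_user(username, options[:path] || '/')
  puts "Created User: #{username}"
  generate_password username if options[:password]
  add_user_to_group username, options[:group] if options[:group]
  create_user_access_key username if options[:access_key]
  if options[:policy]
    put_custom_user_policy username, options[:policy_doc]
  else
    put_default_user_policy username
  end
rescue Fog::AWS::IAM::ValidationError
  puts "ValidationError: #{$!}"
rescue Fog::AWS::IAM::EntityAlreadyExists
  puts "[Error] User Exists: #{$!}"
rescue Fog::AWS::IAM::NotFound, Fog::AWS::IAM::Error
  puts "[Error]: #{$!}"
end

# Read a caller-supplied JSON policy document and attach it as the user's
# inline policy. Aborts the CLI (as before) when the path is not a regular
# file or the document does not parse; the document is parsed only once.
#
# @param username [String] IAM user name
# @param document [String] path to a JSON policy document
# @return [nil]
def put_custom_user_policy(username, document)
  policy_name = "User-#{username}-Custom"
  doc_path = File.expand_path(document.to_s)
  abort "Invalid file path: #{document}" unless File.file?(doc_path)
  json_string = File.read(doc_path)
  policy = begin
    JSON.parse(json_string)
  rescue JSON::ParserError
    abort "Invalid JSON format found in the document: #{document}"
  end
  @conn.put_user_policy(username, policy_name, policy)
  puts "Added policy: #{policy_name} to user: #{username}"
  puts "Added Policy #{policy_name} from #{document}"
end

# Attach the default inline policy: the user may manage their own access
# keys, plus read-only EC2/S3 visibility. The second statement is scoped to
# Resource '*', i.e. it grants Describe on all EC2 resources and Get/List on
# every bucket in the account, not just resources owned by this user.
#
# @param username [String] IAM user name
# @return [nil]
def put_default_user_policy(username)
  user_arn = @conn.users.get(username).arn
  policy = {
    'Statement' => [
      {
        'Effect' => 'Allow',
        'Action' => 'iam:*AccessKey*',
        'Resource' => user_arn
      },
      {
        'Effect' => 'Allow',
        'Action' => ['ec2:Describe*', 's3:Get*', 's3:List*'],
        'Resource' => '*'
      }
    ]
  }
  @conn.put_user_policy(username, "User#{username}Policy", policy)
  puts 'User policy for accessing/managing keys of their own and read-access is in place'
end
private :put_custom_user_policy, :put_default_user_policy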
# Create an access key pair for +username+ and print both halves.
#
# The SecretAccessKey is only ever returned by this one API response, which
# is why it is printed here rather than withheld. Anything that captures
# this output (shell history, CI logs, screen recordings) holds a usable
# long-lived credential, so treat the output as sensitive.
#
# @param username [String] IAM user name
# @return [nil]
def create_user_access_key(username)
  response = @conn.create_access_key('UserName' => username)
  key = response.body['AccessKey']
  puts 'Store the following access id and secret key:'
  puts "AccessKey: #{key['AccessKeyId']}"
  puts "SecretAccessKey: #{key['SecretAccessKey']}"
rescue Fog::AWS::IAM::NotFound => e
  puts "[Error]: #{e}"
end
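# Delete an IAM user.
#
# Without +:force+ a bare DeleteUser is issued; AWS refuses it (reported via
# the rescue) while the user still owns a login profile, access keys, group
# memberships or inline policies. With +:force+ the operator is asked to
# confirm and those dependents are removed first. Declining the confirmation
# now aborts the whole operation — previously DeleteUser was still issued
# after a "no", so a user with no dependents was deleted anyway.
#
# NOTE(review): MFA devices, signing certificates and SSH public keys are not
# detached here; if the user owns any, the final DeleteUser is expected to
# fail. Whether the connection exposes calls for them is not visible in this
# file.
#
# @param options [Hash] keys read: :user_name, :force
# @return [nil]
def delete(options)
  username = options[:user_name]
  user = @conn.users.get(username)
  abort "No such user: #{username}" unless user
  if options[:force]
    unless agree('Are you sure you want to delete user and users associated login_profile, access_keys, policies ? ')
      puts "Skipped deleting user: #{username}"
      return
    end
    remove_user_dependents username, user
  end
  @conn.delete_user(username)
  puts "Deleted User: #{username}"
rescue Fog::AWS::IAM::NotFound, Fog::AWS::IAM::Error
  puts "[Error]: #{$!}"
end

# Remove everything that blocks DeleteUser: login profile, access keys,
# group memberships and inline policies, in that order.
#
# @param username [String] IAM user name
# @param user [Object] the user model returned by @conn.users.get
# @return [nil]
def remove_user_dependents(username, user)
  remove_password username if login_profile?(username)
  user.access_keys.map(&:id).each do |access_key_id|
    delete_user_access_key username, access_key_id
  end
  group_entries = @conn.list_groups_for_user(username).body['GroupsForUser']
  group_entries.map { |entry| entry['GroupName'] }.each do |group|
    remove_user_from_group username, group
  end
  user.policies.map(&:id).each do |policy|
    @conn.delete_user_policy username, policy
  end
  nil
end

# There is no "has login profile" query; a GetLoginProfile that raises
# NotFound is the only signal that the user has no console password.
#
# @param username [String] IAM user name
# @return [Boolean]
def login_profile?(username)
  @conn.get_login_profile(username)
  true
rescue Fog::AWS::IAM::NotFound
  false
end
private :remove_user_dependents, :login_profile?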
# Delete one access key belonging to +username+.
#
# @param username [String] IAM user name owning the key
# @param access_key_id [String] the AccessKeyId to revoke
# @return [nil]
def delete_user_access_key(username, access_key_id)
  owner = { 'UserName' => username }
  @conn.delete_access_key(access_key_id, owner)
  puts "Deleted AccessKey for user: #{username}"
rescue Fog::AWS::IAM::NotFound => e
  puts "[Error]: #{e}"
end
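# Create a console login profile with a freshly generated 15-character
# password drawn from printable ASCII (33..126) and print it once.
#
# Characters are chosen with SecureRandom rather than Array#shuffle: shuffle
# uses the process-wide Kernel#rand generator, which is seedable and not
# designed for secrets, and shuffling then slicing also never repeats a
# character, which shrinks the search space.
#
# On a PasswordPolicyViolation the attempt is retried up to 3 times with a
# new password, since a random draw may miss a required character class.
#
# @param username [String] IAM user name
# @return [nil]
def generate_password(username)
  require 'securerandom' # stdlib; loaded locally because the file's require block is not visible here
  tries ||= 3
  alphabet = (33..126).map(&:chr)
  password = Array.new(15) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
  @conn.create_login_profile(username, password)
rescue Fog::AWS::IAM::NotFound, Fog::AWS::IAM::ValidationError => e
  puts "[Error]: #{e}"
rescue Fog::AWS::IAM::Error => e
  puts "[Error]: #{e}"
  if e.to_s =~ /PasswordPolicyViolation/
    #TODO: show password policy, this is not available in fog
    # The generated password may not satisfy the account policy; retry with a new draw, bounded by +tries+.
    retry if (tries -= 1) > 0
  end
else
  puts "Assigned password: '#{password}' for user #{username}"
  puts 'Store this password, this cannot be retrieved again'
end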
# Print a table of the IAM users whose path starts with +path+.
#
# @param path [String] IAM path prefix, e.g. '/'
# @return [void] whatever Formatador.display_table returns
def list(path)
  listing = @conn.list_users('PathPrefix' => path).body
  Formatador.display_table(listing['Users'])
rescue Fog::AWS::IAM::ValidationError => e
  puts "ValidationError: #{e}"
end
# Print a table of the groups +username+ belongs to.
#
# @param username [String] IAM user name
# @return [void] whatever Formatador.display_table returns
def list_groups_for_user(username)
  body = @conn.list_groups_for_user(username).body
  Formatador.display_table(body['GroupsForUser'])
rescue Fog::AWS::IAM::NotFound => e
  puts "[Error]: #{e}"
end
# Print the access keys of +username+ as a table (key ids and status only;
# secrets are never returned by the list call).
#
# @param username [String] IAM user name
# @return [void] whatever the collection's #table returns
def list_user_access_keys(username)
  keys = @conn.access_keys(:username => username)
  keys.table
rescue Fog::AWS::IAM::NotFound => e
  puts "[Error]: #{e}"
end
# Remove the console login profile (password) of +username+.
#
# @param username [String] IAM user name
# @return [nil]
def remove_password(username)
  @conn.delete_login_profile(username)
  message = "Deleted login profile for user: #{username}"
  puts message
rescue Fog::AWS::IAM::Error, Fog::AWS::IAM::NotFound => e
  puts "[Error]: #{e}"
end
# Remove an IAM user from a group and report the result on stdout.
#
# As with add_user_to_group, the underlying call takes (group, user).
#
# @param username [String] IAM user name
# @param groupname [String] IAM group name
# @return [nil]
def remove_user_from_group(username, groupname)
  @conn.remove_user_from_group(groupname, username)
  puts "Removed user: #{username}, from group: #{groupname}"
rescue Fog::AWS::IAM::NotFound => e
  puts "[Error]: #{e}"
end
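# Rename an IAM user and/or move it to a new path.
#
# Works on a fresh, string-keyed copy of +options+ so the caller's hash is
# never touched. Keys are compared by their string form: the previous
# version dropped 'user_name' as a string but looked up :new_user_name as a
# symbol, which only lines up when the hash treats the two interchangeably.
# The Marshal round-trip is gone as well — only top-level keys are edited,
# so a deep copy bought nothing.
#
# @param options [Hash] keys read: :user_name, :new_user_name, :new_path;
#   any other keys are forwarded to the update call unchanged
# @return [nil]
def update_user(options)
  opts = options.each_with_object({}) { |(key, value), acc| acc[key.to_s] = value }
  opts.delete('user_name')
  if (new_user_name = opts.delete('new_user_name'))
    opts['NewUserName'] = new_user_name
  end
  if (new_path = opts.delete('new_path'))
    opts['NewPath'] = new_path
  end
  @conn.update_user(options[:user_name], opts)
  puts 'Updated user details'
rescue Fog::AWS::IAM::EntityAlreadyExists
  puts '[Error] User already exists, pass in a different username'
rescue Fog::AWS::IAM::ValidationError
  puts "ValidationError: #{$!}"
end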