Created
April 26, 2016 21:25
-
-
Save coingraham/3e49c102c6cbadd05a2df40b3836ba76 to your computer and use it in GitHub Desktop.
Python Script to Create User and companion S3 Bucket
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import datetime | |
import random | |
import string | |
import time | |
import argparse | |
import json | |
try: | |
import unicodecsv as csv | |
except ImportError: | |
import csv | |
import boto3 | |
import botocore | |
""" | |
User info from file: | |
alias | |
aws-account | |
username | |
generate-keys | |
generate-login | |
groups | |
bucket | |
""" | |
output_order = [ | |
'login-url', | |
'username', | |
'password', | |
'bucket', | |
'access_key_id', | |
'secret_access_key', | |
] | |
login_template = "https://%s.signin.aws.amazon.com/console" | |
pw_chars = string.ascii_letters + string.digits + string.punctuation | |
parser = argparse.ArgumentParser(description='This is a user add script.') | |
parser.add_argument('-a', '--accountid', help='Account ID', required=True) | |
parser.add_argument('-u', '--username', help='Username', required=True) | |
parser.add_argument('-p', '--prefix', help='Prefix', required=True) | |
parser.add_argument('-A', '--accesskey', help='Account Access Key', required=False) | |
parser.add_argument('-S', '--secretkey', help='Account Secret Key', required=False) | |
args = parser.parse_args() | |
def get_pw(length=12): | |
return ''.join(random.choice(pw_chars) for x in range(length)) | |
def ask_user_info(): | |
user_info = {'path': "/", 'username': args.username} | |
# print "\n\nUser Information:\n" | |
# user_info['generate-keys'] = raw_input("Create access keys? [Y/n]") or "y" | |
# user_info['generate-login'] = raw_input("Create login name and password? [Y/n]") or "y" | |
# user_info['path'] = raw_input("Path for user? [default: /]") or "/" | |
return user_info | |
def create_user(username, accountid, prefix): | |
user_info = {'path': "/"} | |
user_info["username"] = username | |
user_info["aws-account"] = accountid | |
iam_client = boto3.client("iam") | |
if not user_info['path']: | |
user_info['path'] = '/' | |
try: | |
user = iam_client.get_user(UserName=user_info['username']) | |
except botocore.exceptions.ClientError as e: | |
user = None | |
if e.response['Error']['Code'] != "NoSuchEntity": | |
raise | |
if user: | |
print('Username %s already exists' % user_info['username']) | |
user_created = False | |
else: | |
user = iam_client.create_user(UserName=user_info['username'], Path=user_info['path']) | |
user_created = True | |
user_info['arn'] = user['User']['Arn'] | |
# generate login | |
pw = get_pw() | |
try: | |
iam_client.create_login_profile(UserName=user_info['username'], Password=pw) | |
user_info['password'] = pw | |
user_info['login-url'] = login_template % user_info['aws-account'] | |
except botocore.exceptions.ClientError: | |
raise | |
# generate an access key and add the policy | |
if user_created: | |
# TODO future improvement, check for keys, and create for existing | |
# user if not previously created | |
key = iam_client.create_access_key(UserName=user_info['username'])[u'AccessKey'] | |
user_info['access_key_id'] = key[u'AccessKeyId'] | |
user_info['secret_access_key'] = key[u'SecretAccessKey'] | |
policydocument = json.dumps( | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:GetBucketLocation", | |
"s3:ListAllMyBuckets" | |
], | |
"Resource": "arn:aws:s3:::*" | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": ["s3:ListBucket"], | |
"Resource": ["arn:aws:s3:::{}.{}".format(prefix, user_info['username'])] | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:PutObject", | |
"s3:GetObject", | |
"s3:DeleteObject" | |
], | |
"Resource": ["arn:aws:s3:::{}.{}/*".format(prefix, user_info['username'])] | |
} | |
] | |
} | |
) | |
policyname = "{}.{}.access".format(prefix, user_info["username"]) | |
policydescription = "{}.{} bucket access policy".format(prefix, user_info["username"]) | |
try: | |
policy = iam_client.create_policy( | |
PolicyName=policyname, | |
Path=user_info["path"], | |
PolicyDocument=policydocument, | |
Description=policydescription | |
)[u'Policy'] | |
except botocore.exceptions.ClientError: | |
raise | |
try: | |
iam_client.attach_user_policy( | |
UserName=user_info["username"], | |
PolicyArn=policy[u'Arn'] | |
) | |
except botocore.exceptions.ClientError: | |
raise | |
try: | |
s3_client = boto3.client("s3") | |
user_info["bucket"] = "{}.{}".format(prefix, user_info["username"]) | |
s3_client.create_bucket(Bucket=user_info["bucket"]) | |
except botocore.exceptions.ClientError: | |
raise | |
# TODO only generate report if user created, not if updated | |
ts = time.time() | |
timestamp = datetime.datetime.fromtimestamp(ts).strftime( | |
'%Y-%m-%d-%H-%M-%S') | |
credfile = '%s-%s.csv' % (user_info['username'], timestamp) | |
with open(credfile, 'wb') as f: | |
writer = csv.DictWriter(f, | |
fieldnames=output_order, | |
restval='N/A', | |
extrasaction='ignore', | |
) | |
writer.writerow(dict([(k, k) for k in output_order])) | |
writer.writerow(user_info) | |
user_info['credfile'] = credfile | |
return user_info | |
if __name__ == '__main__': | |
created_user = create_user(args.username, args.accountid, args.prefix) | |
print(created_user) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment