Created
September 11, 2023 22:36
-
-
Save nogara/3bff21fe54a5f106c665780a7401a47d to your computer and use it in GitHub Desktop.
Script to remove roles that were created by other scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import boto3 | |
| import json | |
| from concurrent.futures import ThreadPoolExecutor | |
| # Initialize a session using Amazon IAM | |
| client = boto3.client('iam') | |
| # The trusted entity policy string | |
| trusted_entity_policy = '''{ | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": [ | |
| "lambda.amazonaws.com", | |
| "edgelambda.amazonaws.com" | |
| ] | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| }''' | |
| # The trusted entity policy string | |
| trusted_entity_policy_alternative = '''{ | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": [ | |
| "edgelambda.amazonaws.com", | |
| "lambda.amazonaws.com" | |
| ] | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| }''' | |
| def delete_role_policies(role_name): | |
| try: | |
| # Get the associated policies and detach them before deleting the role | |
| for attached_policy in client.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']: | |
| client.detach_role_policy( | |
| RoleName=role_name, | |
| PolicyArn=attached_policy['PolicyArn'] | |
| ) | |
| # Get the inline policies and delete them before deleting the role | |
| for inline_policy in client.list_role_policies(RoleName=role_name)['PolicyNames']: | |
| client.delete_role_policy( | |
| RoleName=role_name, | |
| PolicyName=inline_policy | |
| ) | |
| # Delete the role | |
| client.delete_role(RoleName=role_name) | |
| print(f"Deleted role: {role_name}") | |
| except Exception as e: | |
| print(f"Failed to delete role: {role_name}. Error: {e}") | |
| # Create a paginator to paginate through the roles | |
| paginator = client.get_paginator('list_roles') | |
| page_iterator = paginator.paginate() | |
| with ThreadPoolExecutor(max_workers=5) as executor: | |
| for page in page_iterator: | |
| for role in page['Roles']: | |
| role_name = role['RoleName'] | |
| assume_role_policy_document = role['AssumeRolePolicyDocument'] | |
| print(json.dumps(assume_role_policy_document, sort_keys=True)) | |
| print(json.dumps(json.loads(trusted_entity_policy), sort_keys=True)) | |
| print("-------") | |
| # Check if the role has the specific Trusted Entity | |
| if (json.dumps(assume_role_policy_document, sort_keys=True) == json.dumps(json.loads(trusted_entity_policy), sort_keys=True)) or (json.dumps(assume_role_policy_document, sort_keys=True) == json.dumps(json.loads(trusted_entity_policy_alternative), sort_keys=True)): | |
| # Check if the role has empty "Last activity" | |
| if 'RoleLastUsed' not in role or not role['RoleLastUsed'].get('LastUsedDate'): | |
| executor.submit(delete_role_policies, role_name) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment