How to use the repokid.utils.roledata._get_repoed_policy function in repokid
To help you get started, we’ve selected a few repokid examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
Netflix / repokid / repokid / cli / repokid_cli.py View on Github 
hooks,
)
print("Repoable services and permissions")
headers = ["Service", "Action", "Repoable"]
rows = []
for permission in permissions:
service = permission.split(":")[0]
action = permission.split(":")[1]
repoable = permission in repoable_permissions
rows.append([service, action, repoable])
rows = sorted(rows, key=lambda x: (x[2], x[0], x[1]))
print(tabulate(rows, headers=headers) + "\n\n")
repoed_policies, _ = roledata._get_repoed_policy(
role.policies[-1]["Policy"], repoable_permissions
)
if repoed_policies:
print(
"Repo'd Policies: \n{}".format(
json.dumps(repoed_policies, indent=2, sort_keys=True)
)
)
else:
print("All Policies Removed")
# need to check if all policies would be too large
if _inline_policies_size_exceeds_maximum(repoed_policies):
LOGGER.warning(
"Policies would exceed the AWS size limit after repo for role: {}. "config['filter_config']['AgeFilter']['minimum_age'],
hooks)
print "Repoable services:"
headers = ['Service', 'Action', 'Repoable']
rows = []
for permission in permissions:
service = permission.split(':')[0]
action = permission.split(':')[1]
repoable = permission in repoable_permissions
rows.append([service, action, repoable])
rows = sorted(rows, key=lambda x: (x[2], x[0], x[1]))
print tabulate(rows, headers=headers) + '\n\n'
repoed_policies, _ = roledata._get_repoed_policy(role.policies[-1]['Policy'], repoable_permissions)
if repoed_policies:
print('Repo\'d Policies: \n{}'.format(json.dumps(repoed_policies, indent=2, sort_keys=True)))
else:
print('All Policies Removed')
# need to check if all policies would be too large
if len(json.dumps(repoed_policies)) > MAX_AWS_POLICY_SIZE:
LOGGER.warning("Policies would exceed the AWS size limit after repo for role: {}. "
"Please manually minify.".format(role_name))hooks,
commit=False,
):
"""Remove the list of permissions from the provided role.
Args:
account_number (string)
permissions (list)
role (Role object)
role_id (string)
commit (bool)
Returns:
None
"""
repoed_policies, deleted_policy_names = roledata._get_repoed_policy(
role.policies[-1]["Policy"], permissions
)
if _inline_policies_size_exceeds_maximum(repoed_policies):
LOGGER.error(
"Policies would exceed the AWS size limit after repo for role: {} in account {}. "
"Please manually minify.".format(role.role_name, account_number)
)
return
if not commit:
_logprint_deleted_and_repoed_policies(
deleted_policy_names, repoed_policies, role.role_name, account_number
)
returnaccount_number,
role.role_name,
eligible_permissions,
role.aa_data,
role.no_repo_permissions,
config["filter_config"]["AgeFilter"]["minimum_age"],
hooks,
)
# if this is a scheduled repo we need to filter out permissions that weren't previously scheduled
if scheduled:
repoable_permissions = roledata._filter_scheduled_repoable_perms(
repoable_permissions, role.scheduled_perms
)
repoed_policies, deleted_policy_names = roledata._get_repoed_policy(
role.policies[-1]["Policy"], repoable_permissions
)
if _inline_policies_size_exceeds_maximum(repoed_policies):
error = (
"Policies would exceed the AWS size limit after repo for role: {} in account {}. "
"Please manually minify.".format(role_name, account_number)
)
LOGGER.error(error)
errors.append(error)
continuing = False
# if we aren't repoing for some reason, unschedule the role
if not continuing:
set_role_data(
dynamo_table, role.role_id, {"RepoScheduled": 0, "ScheduledPerms": []}for aa_service in role.aa_data:
if(datetime.datetime.strptime(aa_service['lastUpdated'], '%a, %d %b %Y %H:%M:%S %Z') <
datetime.datetime.now() - datetime.timedelta(days=config['repo_requirements']['oldest_aa_data_days'])):
old_aa_data_services.append(aa_service['serviceName'])
if old_aa_data_services:
LOGGER.error('AAData older than threshold for these services: {}'.format(old_aa_data_services))
return
permissions = roledata._get_role_permissions(role)
repoable_permissions = roledata._get_repoable_permissions(role.role_name, permissions, role.aa_data,
role.no_repo_permissions,
config['filter_config']['AgeFilter']['minimum_age'],
hooks)
repoed_policies, deleted_policy_names = roledata._get_repoed_policy(role.policies[-1]['Policy'],
repoable_permissions)
policies_length = len(json.dumps(repoed_policies))
if not commit:
for name in deleted_policy_names:
LOGGER.info('Would delete policy from {} with name {}'.format(role_name, name))
if repoed_policies:
LOGGER.info('Would replace policies for role {} with: \n{}'.format(role_name, json.dumps(repoed_policies,
indent=2, sort_keys=True)))
if policies_length > MAX_AWS_POLICY_SIZE:
LOGGER.error("Policies would exceed the AWS size limit after repo for role: {}. "
"Please manually minify.".format(role_name))
return
from cloudaux import CloudAux
conn = config['connection_iam']repokid
AWS Least Privilege for Distributed, High-Velocity Deployment
Package Health Score
51 / 100Popular repokid functions
- repokid.hooks
- repokid.hooks.call_hooks
- repokid.LOGGER
- repokid.LOGGER.debug
- repokid.LOGGER.error
- repokid.LOGGER.info
- repokid.LOGGER.warn
- repokid.LOGGER.warning
- repokid.role.Role
- repokid.role.Roles
- repokid.utils.dynamo.find_role_in_cache
- repokid.utils.dynamo.get_role_data
- repokid.utils.dynamo.role_ids_for_account
- repokid.utils.dynamo.set_role_data
- repokid.utils.roledata
- repokid.utils.roledata._calculate_repo_scores
- repokid.utils.roledata._get_repoed_policy
- repokid.utils.roledata._get_role_permissions
- repokid.utils.roledata.update_role_data
- repokid.utils.roledata.update_stats