boto3_iam
Manage IAM objects using boto3.
Renamed from boto_iam to boto3_iam and updated to call the refactored boto3_iam execution module.
- depends:
boto3 >= 1.28.0
botocore >= 1.31.0
Create and destroy IAM objects. Be aware that this interacts with Amazon's services, and so may incur charges.
This module uses boto3, which can be installed via package, or pip.
This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
If IAM roles are not used, you need to specify credentials either in the minion's config file or as a profile. Keys placed in the minion config are long-lived static credentials, so prefer an instance profile where one is available. For example, to specify them in the minion's config file:
iam.keyid: GKTADJGHEIQSXMKKRBJ08H
iam.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
It’s also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config:
myprofile:
keyid: GKTADJGHEIQSXMKKRBJ08H
key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
region: us-east-1
delete-user:
  boto3_iam.user_absent:
    - name: myuser
    - delete_keys: true

delete-keys:
  boto3_iam.keys_absent:
    - access_keys:
      - 'AKIAJHTMIQ2ASDFLASDF'
      - 'PQIAJHTMIQ2ASRTLASFR'
    - user_name: myuser

create-user:
  boto3_iam.user_present:
    - name: myuser
    - policies:
        mypolicy: |
          {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"}]
          }
    - password: NewPassword$$1
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'

create-group:
  boto3_iam.group_present:
    - name: mygroup
    - users:
      - myuser
      - myuser1
    - policies:
        mypolicy: |
          {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"}]
          }
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'

change-policy:
  boto3_iam.account_policy:
    - allow_users_to_change_password: True
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'

create server certificate:
  boto3_iam.server_cert_present:
    - name: mycert
    - public_key: salt://base/mycert.crt
    - private_key: salt://base/mycert.key
    - cert_chain: salt://base/mycert_chain.crt
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'

delete server certificate:
  boto3_iam.server_cert_absent:
    - name: mycert

create keys for user:
  boto3_iam.keys_present:
    - name: myusername
    - number: 2
    - save_dir: /root
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'

create policy:
  boto3_iam.policy_present:
    - name: myname
    - policy_document: '{"Version": "2012-10-17", "Statement": [{"Sid": "MyPolicySqs1", "Effect": "Allow", "Action": ["sqs:*"], "Resource": ["arn:aws:sqs:*:*:*"]}]}'
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'

add-saml-provider:
  boto3_iam.saml_provider_present:
    - name: my_saml_provider
    - saml_metadata_document: salt://base/files/provider.xml
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'
Added in version 1.0.0.
- saltext.boto3.states.boto3_iam.__virtual__()
Only load if the ElementTree XML library and boto3 are available.
- saltext.boto3.states.boto3_iam.user_absent(name, delete_keys=True, delete_mfa_devices=True, delete_profile=True, region=None, key=None, keyid=None, profile=None)
Ensure the IAM user is absent. AWS refuses to delete a user that still has access keys, MFA devices or a login profile attached, which is why the three delete_* options default to True.
- name (string)
The name of the user to remove.
- delete_keys (bool)
Delete all keys from user.
- delete_mfa_devices (bool)
Delete all mfa devices from user.
- delete_profile (bool)
Delete profile from user.
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-user-absent:
  boto3_iam.user_absent:
    - name: example
- saltext.boto3.states.boto3_iam.keys_present(name, number, save_dir, region=None, key=None, keyid=None, profile=None, save_format='{2}\n{0}\n{3}\n{1}\n')
Ensure the IAM access keys are present.
- name (string)
The name of the user the keys belong to.
- number (int)
Number of keys that the user should have.
- save_dir (string)
The directory the key/keys will be saved to. Keys are saved to a file named after the username provided. That file holds the secret access key in plain text, so save_dir should be readable only by the user running the minion.
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
- save_format (string)
The format is repeated for each key. The default is "{2}\n{0}\n{3}\n{1}\n", where {0} and {1} are placeholders for the new key_id and key respectively, whereas {2} and {3} are the "key_id-{number}" and "key-{number}" labels kept for compatibility.
Example:
ensure-keys-present:
  boto3_iam.keys_present:
    - name: example
    - number: 1
    - save_dir: /root
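The placeholder description above is easier to follow when the expansion is written out. The following is an added example, not code from saltext.boto3: it renders the text that the default save_format produces for two constructed (fake) key pairs, parses that text back into a mapping, and writes the file with mode 0600 because it contains the secret access key. The key numbering starting at 1 is an assumption of this example; the page does not show the state's own counter.

```python
import os
import stat
import tempfile

# Added example, not part of saltext.boto3. Reproduces what the save_format
# placeholders expand to, reads the result back, and writes the file with a
# restrictive mode. Numbering from 1 is an assumption of this example.

DEFAULT_SAVE_FORMAT = "{2}\n{0}\n{3}\n{1}\n"  # default from the state signature


def render_key_file(keys, save_format=DEFAULT_SAVE_FORMAT):
    """Expand save_format once per (access_key_id, secret_access_key) pair.

    {0} -> access key id, {1} -> secret key, {2} -> "key_id-N", {3} -> "key-N".
    """
    chunks = []
    for number, (key_id, secret) in enumerate(keys, start=1):
        chunks.append(
            save_format.format(key_id, secret, f"key_id-{number}", f"key-{number}")
        )
    return "".join(chunks)


def parse_key_file(text):
    """Reverse the default format: each label line is followed by its value line."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines; file is not in the default save_format")
    return {lines[i]: lines[i + 1] for i in range(0, len(lines), 2)}


def write_key_file(save_dir, user_name, text):
    """Write <save_dir>/<user_name> readable only by its owner; return the mode."""
    path = os.path.join(save_dir, user_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, 0o600)  # the O_CREAT mode is subject to umask; enforce it
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(save_dir=None):
    """Round-trip two constructed (fake) key pairs through a temporary directory."""
    save_dir = save_dir or tempfile.mkdtemp()
    sample = [("AKIAEXAMPLE00000001", "secret-one"), ("AKIAEXAMPLE00000002", "secret-two")]
    text = render_key_file(sample)
    mode = write_key_file(save_dir, "myusername", text)
    with open(os.path.join(save_dir, "myusername")) as handle:
        parsed = parse_key_file(handle.read())
    return mode, parsed
```

render_key_file also accepts a custom save_format, so the same round trip can be used to check a non-default format before it is put into a state.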
- saltext.boto3.states.boto3_iam.keys_absent(access_keys, user_name, region=None, key=None, keyid=None, profile=None)
Ensure the listed IAM access keys are absent from the user.
- access_keys (list)
A list of access key IDs to delete.
- user_name (string)
The username of the user
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-keys-absent:
  boto3_iam.keys_absent:
    - access_keys:
      - 'AKIAJHTMIQ2ASDFLASDF'
    - user_name: example
- saltext.boto3.states.boto3_iam.user_present(name, policies=None, policies_from_pillars=None, managed_policies=None, password=None, path=None, region=None, key=None, keyid=None, profile=None)
Ensure the IAM user is present.
- name (string)
The name of the new user.
- policies (dict)
A dict of inline IAM policy documents to attach to the user, keyed by policy name.
- policies_from_pillars (list)
A list of pillar keys that contain policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
- managed_policies (list)
A list of managed policy names or ARNs that should be attached to this user.
- password (string)
The console password for the new user. Must comply with the account password policy (see account_policy).
- path (string)
The path of the user. Default is ‘/’.
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-user-present:
  boto3_iam.user_present:
    - name: example
- saltext.boto3.states.boto3_iam.group_absent(name, region=None, key=None, keyid=None, profile=None)
Ensure the IAM group is absent.
- name (string)
The name of the group.
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-group-absent:
  boto3_iam.group_absent:
    - name: example
- saltext.boto3.states.boto3_iam.group_present(name, policies=None, policies_from_pillars=None, managed_policies=None, users=None, path='/', region=None, key=None, keyid=None, profile=None, delete_policies=True)
Ensure the IAM group is present
- name (string)
The name of the new group.
- path (string)
The path for the group, defaults to ‘/’
- policies (dict)
A dict of IAM group policy documents.
- policies_from_pillars (list)
A list of pillar keys that contain policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
- managed_policies (list)
A list of policy names or ARNs that should be attached to this group.
- users (list)
A list of users to be added to the group.
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
- delete_policies (boolean)
Delete or detach existing policies that are not in the given list of policies. Default value is True. If False is specified, existing policies will not be deleted or detached, allowing manual modifications to the IAM group to persist.
Example:
ensure-group-present:
  boto3_iam.group_present:
    - name: example
- saltext.boto3.states.boto3_iam.account_policy(name=None, allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, region=None, key=None, keyid=None, profile=None)
Change the account password policy. An AWS account has a single password policy, so every setting here applies account-wide.
- name (string)
The name used to identify the state; since the account has only one password policy, it is a label rather than the name of an AWS object.
- allow_users_to_change_password (bool)
Allows all IAM users in your account to use the AWS Management Console to change their own passwords.
- hard_expiry (bool)
Prevents IAM users from setting a new password after their password has expired.
- max_password_age (int)
The number of days that an IAM user password is valid.
- minimum_password_length (int)
The minimum number of characters allowed in an IAM user password.
- password_reuse_prevention (int)
Specifies the number of previous passwords that IAM users are prevented from reusing.
- require_lowercase_characters (bool)
Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
- require_numbers (bool)
Specifies whether IAM user passwords must contain at least one numeric character (0 to 9).
- require_symbols (bool)
Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
- require_uppercase_characters (bool)
Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-account-policy:
  boto3_iam.account_policy:
    - name: example
    - allow_users_to_change_password: True
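The settings above only describe what AWS will enforce; a user_present state with a password that does not meet them fails at apply time. The following is an added example, not code from saltext.boto3, that checks a candidate console password against the account_policy settings, using the same argument names as the state. Only the settings that can be evaluated from the password itself are covered (max_password_age, hard_expiry and password_reuse_prevention need account history); the symbol set is the one listed for require_symbols, and the 128-character ceiling is the IAM limit for login-profile passwords.

```python
import string

# Added example, not part of saltext.boto3. Pre-flight check of a console
# password against the account_policy settings, keyed like the state arguments.

AWS_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")  # the require_symbols list above
MAX_CONSOLE_PASSWORD_LENGTH = 128          # IAM limit for login-profile passwords


def password_violations(password, policy):
    """Return the names of the policy settings that `password` violates.

    `policy` is a dict keyed like the account_policy arguments; a missing or
    None key means that requirement is not enforced. Only ISO basic Latin
    letters count for the case checks, as in the setting descriptions.
    """
    violations = []
    minimum = policy.get("minimum_password_length") or 0
    if len(password) < minimum:
        violations.append("minimum_password_length")
    if len(password) > MAX_CONSOLE_PASSWORD_LENGTH:
        violations.append("max_length_128")
    checks = {
        "require_lowercase_characters": set(string.ascii_lowercase),
        "require_uppercase_characters": set(string.ascii_uppercase),
        "require_numbers": set(string.digits),
        "require_symbols": AWS_SYMBOLS,
    }
    for setting, character_class in checks.items():
        if policy.get(setting) and not (set(password) & character_class):
            violations.append(setting)
    return violations


# A strict policy in the shape the account_policy state accepts (constructed).
STRICT_POLICY = {
    "minimum_password_length": 14,
    "require_lowercase_characters": True,
    "require_uppercase_characters": True,
    "require_numbers": True,
    "require_symbols": True,
}
```

Run the check against the same dict you pass to account_policy so the SLS and the pre-flight stay in sync; the page's example password NewPassword$$1 satisfies STRICT_POLICY, while a password whose only uppercase letters are outside ASCII (for example umlauts) fails require_uppercase_characters.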
- saltext.boto3.states.boto3_iam.server_cert_absent(name, region=None, key=None, keyid=None, profile=None)
Ensure the server certificate is absent.
- name (string)
The name of the server certificate. Do not include the path in this value.
- region (string)
The name of the region to connect to.
- key (string)
The key to be used in order to connect
- keyid (string)
The keyid to be used in order to connect
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-server-cert-absent:
  boto3_iam.server_cert_absent:
    - name: example
- saltext.boto3.states.boto3_iam.server_cert_present(name, public_key, private_key, cert_chain=None, path=None, region=None, key=None, keyid=None, profile=None)
Ensure the server certificate is present.
- name (string)
The name for the server certificate. Do not include the path in this value.
- public_key (string)
The contents of the public key certificate in PEM-encoded format.
- private_key (string)
The contents of the private key in PEM-encoded format, or a salt:// path to it as in the example above. Every minion that can reach the master's fileserver can fetch files under salt://, so do not place the key in a file_roots environment shared with minions that should not have it.
- cert_chain (string)
The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.
- path (string)
The path for the server certificate.
- region (string)
The name of the region to connect to.
- key (string)
The key to be used in order to connect
- keyid (string)
The keyid to be used in order to connect
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-server-cert-present:
  boto3_iam.server_cert_present:
    - name: example
    - public_key: salt://base/example.crt
    - private_key: salt://base/example.key
- saltext.boto3.states.boto3_iam.policy_present(name, policy_document, path=None, description=None, region=None, key=None, keyid=None, profile=None)
Ensure the IAM managed policy is present.
- name (string)
The name of the new policy.
- policy_document (dict or string)
The policy document, either as a dict or as a JSON string (as in the example above).
- path (string)
The path in which the policy will be created. Default is ‘/’.
- description (string)
Description
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-policy-present:
  boto3_iam.policy_present:
    - name: example
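The inline policies in the user_present and group_present examples earlier on this page grant "Action": "*" on "Resource": "*", which is full administrative access, and the policy_present example grants every SQS action on every queue. The following is an added example, not code from saltext.boto3, that lints a policy document before it reaches those states: it accepts the dict or JSON-string form the states take, rejects malformed JSON, and flags Allow statements that are broader than they look (wildcard actions on wildcard resources, service-wide wildcards without a Condition, and NotAction/NotResource grants). The scoped SQS policy and the account ID in it are constructed for the example.

```python
import json

# Added example, not part of saltext.boto3. Pre-flight linter for the policy
# documents passed to user_present/group_present (`policies`) and
# policy_present (`policy_document`).

POLICY_VERSION = "2012-10-17"


def _as_list(value):
    """Action, NotAction, Resource and NotResource may be a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_broad_resource(resource):
    """True for "*" or an ARN whose resource field is "*" (e.g. arn:aws:sqs:*:*:*)."""
    if resource == "*":
        return True
    if resource.startswith("arn:"):
        return resource.split(":", 5)[-1] == "*"
    return False


def lint_policy(policy_document):
    """Return a list of findings for one IAM policy; an empty list means nothing flagged."""
    if isinstance(policy_document, str):
        try:
            doc = json.loads(policy_document)
        except json.JSONDecodeError as exc:
            return [f"policy_document is not valid JSON: {exc.msg} at position {exc.pos}"]
    else:
        doc = policy_document
    if not isinstance(doc, dict):
        return ["policy_document must be a JSON object"]

    findings = []
    if doc.get("Version") != POLICY_VERSION:
        findings.append(f'Version should be "{POLICY_VERSION}"')

    statements = doc.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        findings.append("Statement must be a non-empty list")
        return findings

    for index, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"statement {index}: not an object")
            continue
        sid = stmt.get("Sid", f"statement {index}")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        if "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotResource applies to every resource not listed")
        actions = _as_list(stmt.get("Action"))
        broad = any(_is_broad_resource(r) for r in _as_list(stmt.get("Resource")))
        if "*" in actions and broad:
            findings.append(f"{sid}: Allow * on * is full administrative access")
            continue
        for action in actions:
            if action.endswith(":*") and broad and "Condition" not in stmt:
                findings.append(f"{sid}: {action} on every resource without a Condition")
    return findings


def lint_policies(policies):
    """Lint the `policies` mapping of user_present/group_present: {name: findings}."""
    return {name: lint_policy(doc) for name, doc in policies.items()}


# Constructed inputs: the page's admin policy, its SQS policy, and a scoped alternative.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SQS_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Sid": "MyPolicySqs1", '
              '"Effect": "Allow", "Action": ["sqs:*"], "Resource": ["arn:aws:sqs:*:*:*"]}]}')
SCOPED_SQS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadOrdersQueue", "Effect": "Allow",
    "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
    "Resource": "arn:aws:sqs:eu-west-1:123456789012:orders"}]}
```

Run lint_policies over the same mapping you hand to the `policies` argument (and lint_policy over `policy_document`) in a test before the highstate, and treat a non-empty result for anything other than a deliberately privileged role as a failure.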
- saltext.boto3.states.boto3_iam.policy_absent(name, region=None, key=None, keyid=None, profile=None)
Ensure the IAM managed policy with the specified name is absent.
- name (string)
The name of the policy to remove.
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-policy-absent:
  boto3_iam.policy_absent:
    - name: example
- saltext.boto3.states.boto3_iam.saml_provider_present(name, saml_metadata_document, region=None, key=None, keyid=None, profile=None)
Ensure the SAML provider with the specified name is present.
- name (string)
The name of the SAML provider.
- saml_metadata_document (string)
The SAML metadata XML document issued by the identity provider, given inline or as a salt:// path (as in the example above).
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-saml-provider-present:
  boto3_iam.saml_provider_present:
    - name: example
    - saml_metadata_document: salt://base/files/provider.xml
- saltext.boto3.states.boto3_iam.saml_provider_absent(name, region=None, key=None, keyid=None, profile=None)
Ensure the SAML provider with the specified name is absent.
- name (string)
The name of the SAML provider.
- region (string)
Region to connect to.
- key (string)
Secret key to be used.
- keyid (string)
Access key to be used.
- profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Example:
ensure-saml-provider-absent:
  boto3_iam.saml_provider_absent:
    - name: example