How to use the awacs.aws.Policy function in awacs

To help you get started, we’ve selected a few awacs examples, based on popular ways it is used in public projects. These snippets are copied verbatim from third-party repositories and are not vetted policies: several grant `Resource=["*"]` or pair a wildcard `Principal('*')` with a condition, and the service trust policies below carry no `aws:SourceArn`/`aws:SourceAccount` condition. Review each statement for least privilege before reusing it in your own templates.


github remind101 / stacker_blueprints / stacker_blueprints / elasticsearch.py View on Github external
def create_roles_policy(self):
        """Attach an inline IAM policy for the Elasticsearch domain to the blueprint's roles.

        The single Allow statement uses the action list from
        ``get_allowed_actions`` and is scoped to ``<DomainArn>/*``, i.e. the
        resources under the domain ARN rather than an account-wide wildcard.
        The ``Roles`` variable names the IAM roles the policy is attached to.
        """
        template = self.template
        roles = self.get_variables()["Roles"]
        # Domain ARN joined with "*" so the grant covers paths under the domain.
        domain_scope = Join("/", [GetAtt(ES_DOMAIN, "DomainArn"), "*"])
        allow_es = Statement(
            Effect=Allow,
            Action=self.get_allowed_actions(),
            Resource=[domain_scope],
        )
        policy = iam.PolicyType(
            POLICY_NAME,
            PolicyName=POLICY_NAME,
            PolicyDocument=Policy(Statement=[allow_es]),
            Roles=roles,
        )
        template.add_resource(policy)
github cloudtools / stacker / stacker / blueprints / empire / policies.py View on Github external
def ecs_agent_policy():
    """Return the IAM policy document used by the ECS container agent.

    Grants only the cluster registration, polling, submit and telemetry actions
    listed below. ``Resource`` is ``"*"`` — presumably because these agent-level
    ECS actions are not restricted to a cluster ARN here; confirm against the
    ECS action reference before tightening or reusing this statement.
    """
    agent_actions = [
        ecs.CreateCluster,
        ecs.RegisterContainerInstance,
        ecs.DeregisterContainerInstance,
        ecs.DiscoverPollEndpoint,
        ecs.ECSAction("Submit*"),
        ecs.Poll,
        ecs.ECSAction("StartTelemetrySession"),
    ]
    allow_agent = Statement(
        Effect=Allow,
        Resource=["*"],
        Action=agent_actions,
    )
    return Policy(Statement=[allow_agent])
github MysteriousCode / cloudformation-examples / src / apigateway_with_lambda.py View on Github external
"LambaRole",
    AssumeRolePolicyDocument=aws.Policy(
        Statement=[
            aws.Statement(
                Effect=aws.Allow,
                Action=[sts.AssumeRole],
                Principal=aws.Principal(
                    "Service", ["lambda.amazonaws.com"]
                )
            )
        ]
    ),
    Policies=[
        iam.Policy(
            PolicyName="LambdaPolicy",
            PolicyDocument=aws.Policy(
                Statement=[
                    aws.Statement(
                        Effect=aws.Allow,
                        Action=[
                            aws.Action("logs", "CreateLogGroup"),
                            aws.Action("logs", "CreateLogStream"),
                            aws.Action("logs", "PutLogEvents"),
                        ],
                        Resource=["arn:aws:logs:*:*:*"]
                    )
                ]
            )
        )
    ]
))
github remind101 / stacker_blueprints / stacker_blueprints / empire / policies.py View on Github external
def sns_to_sqs_policy(topic):
    """Build an SQS queue policy that lets one SNS topic send to the queue.

    ``Principal('*')`` is deliberately paired with an ``ArnEquals`` condition on
    the ``SourceArn`` key: only requests whose source ARN equals ``topic`` match,
    so the wildcard principal does not by itself open the queue to arbitrary
    callers. ``Resource`` is ``"*"`` and is not narrowed to a specific queue ARN.
    """
    only_from_topic = Condition(ArnEquals(SourceArn, topic))
    allow_send = Statement(
        Effect=Allow,
        Principal=Principal('*'),
        Action=[sqs.SendMessage],
        Resource=["*"],
        Condition=only_from_topic,
    )
    return Policy(Statement=[allow_send])
github remind101 / stacker_blueprints / stacker_blueprints / firehose.py View on Github external
Effect=Allow,
            Action=[
                awacs.s3.AbortMultipartUpload,
                awacs.s3.GetBucketLocation,
                awacs.s3.GetObject,
                awacs.s3.ListBucket,
                awacs.s3.ListBucketMultipartUploads,
                awacs.s3.PutObject,
            ],
            Resource=[
                s3_arn(bucket),
                s3_arn(Join("/", [bucket, "*"]))
            ],
        ),
    ]
    return Policy(Statement=statements)
github waterbear-cloud / paco / src / paco / cftemplates / apigateway.py View on Github external
for resource in self.apigatewayrestapi.resources.values():
                if resource.name == method.resource_id:
                    cfn_export_dict["ResourceId"] = troposphere.Ref(resource.resource)
            if 'ResourceId' not in cfn_export_dict:
                cfn_export_dict["ResourceId"] = troposphere.GetAtt(restapi_resource, 'RootResourceId')
            cfn_export_dict["RestApiId"] = troposphere.Ref(restapi_resource)
            uri = troposphere.Join('', ["arn:aws:apigateway:", method.region_name, ":lambda:path/2015-03-31/functions/", method.parameter_arn_ref, "/invocations"])
            cfn_export_dict["Integration"]["Uri"] = uri

            if method.integration.integration_type == 'AWS_PROXY':
                # IAM Role - allows API Gateway to invoke Lambda
                # ToDo: enable Api Gateway to invoke things other than Lambda ...
                iam_role_resource = troposphere.iam.Role(
                    self.create_cfn_logical_id('ApiGatewayIamRole' + self.apigatewayrestapi.name + method.name),
                    Path='/',
                    AssumeRolePolicyDocument=Policy(
                        Version='2012-10-17',
                        Statement=[
                            Statement(
                                Effect=Allow,
                                Action=[awacs.sts.AssumeRole],
                                Principal=Principal('Service',['apigateway.amazonaws.com'])
                            )
                        ],
                    ),
                    Policies=[
                        troposphere.iam.Policy(
                            PolicyName=self.create_cfn_logical_id('LambdaAccessApiGateway' + self.apigatewayrestapi.name + method.name),
                            PolicyDocument=Policy(
                                Version='2012-10-17',
                                Statement=[
                                    Statement(
github waterbear-cloud / paco / src / paco / cftemplates / eventsrule.py View on Github external
target_invocation_role_resource = troposphere.iam.Role(
                'TargetInvocationRole',
                AssumeRolePolicyDocument=Policy(
                    Version='2012-10-17',
                    Statement=[
                        Statement(
                            Effect=Allow,
                            Action=[awacs.sts.AssumeRole],
                            Principal=Principal('Service',['events.amazonaws.com'])
                        )
                    ],
                ),
                Policies=[
                    troposphere.iam.Policy(
                        PolicyName="TargetInvocation",
                        PolicyDocument=Policy(
                            Version='2012-10-17',
                            Statement=[
                                Statement(
                                    Effect=Allow,
                                    Action=[awacs.awslambda.InvokeFunction],
                                    Resource=[troposphere.Ref(self.target_params[target_name + 'Arn'])],
                                )
                            ]
                        )
                    )
                ],
            )
            self.template.add_resource(target_invocation_role_resource)

        # Events Rule Resource
        # The Name is needed so that a Lambda can be created and it's Lambda ARN output
github remind101 / stacker_blueprints / stacker_blueprints / firehose.py View on Github external
Action("kms", "Enable*"),
                    Action("kms", "List*"),
                    Action("kms", "Put*"),
                    Action("kms", "Update*"),
                    Action("kms", "Revoke*"),
                    Action("kms", "Disable*"),
                    Action("kms", "Get*"),
                    Action("kms", "Delete*"),
                    Action("kms", "ScheduleKeyDeletion"),
                    Action("kms", "CancelKeyDeletion"),
                ],
                Resource=["*"],
            )
        )

    return Policy(Version="2012-10-17", Id="key-default-1",
                  Statement=statements)
github cloudtools / awacs / examples / sqs.py View on Github external
from awacs.aws import Allow, AWSPrincipal, Condition
from awacs.aws import Policy, Statement
from awacs.aws import DateGreaterThan, DateLessThan, IpAddress
import awacs.sqs as sqs


region = 'us-east-1'
account = '444455556666'

# Restrictions on the grant: a fixed time window plus two source address
# ranges. Conditions in one block are evaluated together, so all must match.
send_window = [
    DateGreaterThan("aws:CurrentTime", "2010-08-16T12:00:00Z"),
    DateLessThan("aws:CurrentTime", "2010-08-16T15:00:00Z"),
    IpAddress("aws:SourceIp", ["192.0.2.0/24", "203.0.113.0/24"]),
]

# A single foreign account may SendMessage to exactly one queue ARN.
send_statement = Statement(
    Sid="Queue1_SendMessage",
    Effect=Allow,
    Principal=AWSPrincipal("111122223333"),
    Action=[sqs.SendMessage],
    Resource=[sqs.SQS_ARN(region, account, "queue1")],
    Condition=Condition(send_window),
)

pd = Policy(
    Id="Queue1_Policy_UUID",
    Statement=[send_statement],
)