How to use the awacs.aws.Statement function in awacs



github remind101 / stacker_blueprints / stacker_blueprints / aws_lambda.py View on Github external
Arg:
        stream_arn (str): A kinesis or dynamodb stream arn.

    Returns:
        list: A list of statements.
    """
    action_type = get_stream_action_type(stream_arn)
    arn_parts = stream_arn.split("/")
    # Cut off the last bit and replace it with a wildcard
    wildcard_arn_parts = arn_parts[:-1]
    wildcard_arn_parts.append("*")
    wildcard_arn = "/".join(wildcard_arn_parts)

    return [
        Statement(
            Effect=Allow,
            Resource=[stream_arn],
            Action=[
                action_type("DescribeStream"),
                action_type("GetRecords"),
                action_type("GetShardIterator"),
            ]
        ),
        Statement(
            Effect=Allow,
            Resource=[wildcard_arn],
            Action=[action_type("ListStreams")]
        )
github waterbear-cloud / paco / src / paco / cftemplates / codepipeline.py View on Github external
ActionTypeId = troposphere.codepipeline.ActionTypeId(
                        Category = 'Deploy',
                        Owner = 'AWS',
                        Version = '1',
                        Provider = 'ECS'
                    ),
                    Configuration = {
                        'ClusterName': troposphere.Ref(ecs_cluster_name_param),
                        'ServiceName': troposphere.Ref(ecs_service_name_param)
                    },
                    InputArtifacts=input_artifact_name,
                    RoleArn = troposphere.Ref(ecs_tools_delegate_role_arn_param),
                    Region = deploy_region,
                    RunOrder = troposphere.If('ManualApprovalIsEnabled', 2, 1)
                )
                ecs_deploy_assume_role_statement = Statement(
                    Sid='ECSAssumeRole',
                    Effect=Allow,
                    Action=[
                        Action('sts', 'AssumeRole'),
                    ],
                    Resource=[ troposphere.Ref(ecs_tools_delegate_role_arn_param) ]
                )
                deploy_stage_actions.append(ecs_deploy_action)
        deploy_stage = troposphere.codepipeline.Stages(
            Name="Deploy",
            Actions = deploy_stage_actions
        )
        return [deploy_stage, s3_deploy_assume_role_statement, codedeploy_deploy_assume_role_statement, ecs_deploy_assume_role_statement]
github waterbear-cloud / paco / src / paco / cftemplates / codepipeline.py View on Github external
)
            )
        if self.codecommit_source_enabled:
            # Add Statements to allow CodeCommit if a CodeCommit.Source is enabled
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='CodeCommitAssumeRole',
                    Effect=Allow,
                    Action=[
                        Action('sts', 'AssumeRole'),
                    ],
                    Resource=[ troposphere.Ref(self.codecommit_role_arn_param) ]
                )
            )
            pipeline_policy_statement_list.append(
                Statement(
                    Sid='CodeCommitAccess',
                    Effect=Allow,
                    Action=[
                        Action('codecommit', 'List*'),
                        Action('codecommit', 'Get*'),
                        Action('codecommit', 'GitPull'),
                        Action('codecommit', 'UploadArchive'),
                        Action('codecommit', 'CancelUploadArchive'),
                    ],
                    Resource=[
                        troposphere.Ref(self.codecommit_repo_arn_param),
                    ]
                )
            )
        if self.github_source_enabled:
            # Add Statement to allow GitHub if a GitHub.Source is enabled
github remind101 / stacker_blueprints / stacker_blueprints / firehose / base.py View on Github external
def kms_key_statements(key_arn, bucket_arn, bucket_prefix):
    s3_endpoint = Join(
        '',
        [
            "s3.", REGION, "amazonaws.com"
        ]
    )
    return [
        Statement(
            Effect=Allow,
            Action=[
                awacs.kms.Decrypt,
                awacs.kms.GenerateDataKey,
            ],
            Resource=[key_arn],
            Condition=Condition(
                [
                    StringEquals(
                        "kms:ViaService", s3_endpoint
                    ),
                    StringLike(
                        "kms:EncryptionContext:aws:s3:arn",
                        Join('', [bucket_arn, bucket_prefix, "*"])
                    )
github cloudtools / awacs / awacs / helpers / trust.py View on Github external
def make_simple_assume_statement(*principals):
    """Build an ``Allow sts:AssumeRole`` trust statement for service principals.

    Args:
        *principals: One or more AWS service principal identifiers; they are
            passed through unchanged as the value of ``Principal("Service", ...)``.

    Returns:
        Statement: An ``Allow`` statement whose only action is
        ``sts.AssumeRole`` and whose principal is the given service list.
        No ``Condition`` is attached, so callers that need to narrow who may
        assume the role (for example by source account or source ARN) must
        add that condition themselves.
    """
    # Only the assume-role action is granted; the trust is otherwise unrestricted.
    assume_role_actions = [sts.AssumeRole]
    service_principal = Principal('Service', principals)
    return Statement(
        Effect=Allow,
        Action=assume_role_actions,
        Principal=service_principal,
    )
github waterbear-cloud / paco / src / paco / cftemplates / codepipeline.py View on Github external
def add_pipeline_service_role(self):
        "Create a CodePipeline Service Role resource and add it to the template"
        self.pipeline_service_role_name = self.create_iam_resource_name(
            name_list=[self.res_name_prefix, 'CodePipeline-Service'],
            filter_id='IAM.Role.RoleName'
        )
        pipeline_service_role_res = troposphere.iam.Role(
            title='CodePipelineServiceRole',
            template = self.template,
            RoleName=self.pipeline_service_role_name,
            AssumeRolePolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Statement=[
                    Statement(
                        Effect=Allow,
                        Action=[ AssumeRole ],
                        Principal=Principal("Service", ['codepipeline.amazonaws.com']),
                    )
                ]
            )
        )
        pipeline_policy_statement_list = [
            Statement(
                Sid='CodePipelineAccess',
                Effect=Allow,
                Action=[
                    Action('codepipeline', '*'),
                    Action('sns', 'Publish'),
                    Action('s3', 'ListAllMyBuckets'),
                    Action('s3', 'GetBucketLocation'),
github onicagroup / runway / runway / blueprints / staticsite / cleanup.py View on Github external
AccountId,
                                            ':log-group:/aws/lambda/',
                                            StackName,
                                            '-ReplicatedLambdaRemover-*'
                                        ])
                                    ]
                                )
                            ]
                        )
                    ),
                    iam.Policy(
                        PolicyName="DeleteLambda",
                        PolicyDocument=PolicyDocument(
                            Version="2012-10-17",
                            Statement=[
                                Statement(
                                    Action=[awacs.awslambda.DeleteFunction],
                                    Effect=Allow,
                                    Resource=self.get_variables()['function_arns']
                                )
                            ]
                        )
                    )
                ],
            )
        )

        self.template.add_output(Output(
            'ReplicatedLambdaRemoverRole',
            Description='The name of the Replicated Lambda Remover Role',
            Value=res['role'].ref()
        ))
github cloudtools / troposphere / examples / IAM_Roles_and_InstanceProfiles.py View on Github external
from troposphere.iam import Role, InstanceProfile

from awacs.aws import Allow, Statement, Principal, PolicyDocument
from awacs.sts import AssumeRole

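t = Template()

t.set_description("AWS CloudFormation Sample Template: This template "
                  "demonstrates the creation of IAM Roles and "
                  "InstanceProfiles.")

# Role whose trust policy lets only the EC2 service assume it. The policy
# Version is given explicitly: a PolicyDocument without one falls back to the
# older 2008-10-17 policy language, and "2012-10-17" is the version used by the
# other IAM policy documents in this corpus. The role carries no permission
# policies here, so an instance using it gets only what is granted elsewhere.
cfnrole = t.add_resource(Role(
    "CFNRole",
    AssumeRolePolicyDocument=PolicyDocument(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Action=[AssumeRole],
                Principal=Principal("Service", ["ec2.amazonaws.com"]),
            )
        ],
    ),
))

# The instance profile is what is attached to an EC2 instance; it wraps the
# role so the instance can obtain temporary credentials for it.
cfninstanceprofile = t.add_resource(InstanceProfile(
    "CFNInstanceProfile",
    Roles=[Ref(cfnrole)],
))

print(t.to_json())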
github waterbear-cloud / paco / src / paco / cftemplates / iam_users.py View on Github external
account_id = self.paco_ctx.get_ref(account_ref+'.id')
            delegate_role_arn = "arn:aws:iam::{}:role/IAM-User-Account-Delegate-Role-{}".format(
                account_id,
                self.create_resource_name(iam_user.name, filter_id='IAM.Role.RoleName')
            )
            assume_role_arn_list.append(delegate_role_arn)

        if len(assume_role_arn_list) > 0:
            user_policy_dict = {
                'ManagedPolicyName': 'IAM-User-AssumeRole-Policy-{}'.format(
                    self.create_resource_name(iam_user.name, '-').capitalize()
                ),
                'PolicyDocument': PolicyDocument(
                        Version="2012-10-17",
                        Statement=[
                            Statement(
                                Effect=Allow,
                                Action=[AssumeRole],
                                Resource=assume_role_arn_list
                            ),
                            Statement(
                                Sid='AllowViewAccountInfo',
                                Effect=Allow,
                                Action=[
                                    Action('iam', 'GetAccountPasswordPolicy'),
                                    Action('iam', 'GetAccountSummary'),
                                    Action('iam', 'ListVirtualMFADevices'),
                                    Action('iam', 'ListUsers'),
                                ],
                                Resource=['*']
                            ),
                            Statement(
github onicagroup / runway / runway / blueprints / staticsite / cleanup.py View on Github external
AccountId,
                                            ':log-group:/aws/lambda/',
                                            StackName,
                                            '-SelfDestruct-*'
                                        ])
                                    ]
                                )
                            ]
                        )
                    ),
                    iam.Policy(
                        PolicyName="DeleteStateMachine",
                        PolicyDocument=PolicyDocument(
                            Version="2012-10-17",
                            Statement=[
                                Statement(
                                    Action=[awacs.states.DeleteStateMachine],
                                    Effect=Allow,
                                    Resource=[
                                        # StateMachine
                                        Join('', [
                                            'arn:',
                                            Partition,
                                            ':states:',
                                            Region,
                                            ':',
                                            AccountId,
                                            ':stateMachine:StaticSiteCleanup-',
                                            variables['stack_name']
                                        ])
                                    ]
                                )