New in version 2014.7.0.
This module uses boto
, which can be installed via package, or pip.
This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here.
If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file:
iam.keyid: GKTADJGHEIQSXMKKRBJ08H
iam.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
It's also possible to specify key
, keyid
and region
via a profile, either
passed in as a dict, or as a string to pull from pillars or minion config:
myprofile:
keyid: GKTADJGHEIQSXMKKRBJ08H
key: askjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
region: us-east-1
Creating a role will automatically create an instance profile and associate it with the role. This is the default behavior of the AWS console.
myrole:
boto_iam_role.present:
- region: us-east-1
- key: GKTADJGHEIQSXMKKRBJ08H
- keyid: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
- policies_from_pillars:
- shared_iam_bootstrap_policy
- policies:
MySQSPolicy:
Statement:
- Action:
- sqs:*
Effect: Allow
Resource:
- arn:aws:sqs:*:*:*
Sid: MyPolicySQS1
MyS3Policy:
Statement:
- Action:
- s3:GetObject
Effect: Allow
Resource:
- arn:aws:s3:*:*:mybucket/*
# Using a credentials profile from pillars
myrole:
boto_iam_role.present:
- profile: myiamprofile
# Passing in a credentials profile
myrole:
boto_iam_role.present:
- profile:
key: GKTADJGHEIQSXMKKRBJ08H
keyid: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
region: us-east-1
If delete_policies: False
is specified, existing policies that are not in
the given list of policies will not be deleted. This allows manual modifications
on the IAM role to be persistent. This functionality was added in 2015.8.0.
Note
When using the profile
parameter and region
is set outside of
the profile group, region is ignored and a default region will be used.
If region
is missing from the profile
data set, us-east-1
will be used as the default region.
salt.states.boto_iam_role.
absent
(name, region=None, key=None, keyid=None, profile=None)¶Ensure the IAM role is deleted.
Name of the IAM role.
Region to connect to.
Secret key to be used.
Access key to be used.
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam_role.
present
(name, policy_document=None, policy_document_from_pillars=None, path=None, policies=None, policies_from_pillars=None, managed_policies=None, create_instance_profile=True, region=None, key=None, keyid=None, profile=None, delete_policies=True)¶Ensure the IAM role exists.
Name of the IAM role.
The policy that grants an entity permission to assume the role. (See https://boto.readthedocs.io/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role)
A pillar key that contains a role policy document. The statements defined here will be appended with the policy document statements defined in the policy_document argument.
New in version 2017.7.0.
The path to the role/instance profile. (See https://boto.readthedocs.io/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role)
A dict of IAM role policies.
A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
A list of (AWS or Customer) managed policies to be attached to the role.
A boolean of whether or not to create an instance profile and associate it with this role.
Region to connect to.
Secret key to be used.
Access key to be used.
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
Deletes existing policies that are not in the given list of policies. Default
value is True
. If False
is specified, existing policies will not be deleted
allowing manual modifications on the IAM role to be persistent.
New in version 2015.8.0.