1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
|
# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
require 'aws/core'
require 'aws/iam/config'
module AWS
# This class is the starting point for working with
# AWS Identity and Access Management (IAM).
#
# For more information about IAM:
#
# * [AWS Identity and Access Management](http://aws.amazon.com/iam/)
# * [AWS Identity and Access Management Documentation](http://aws.amazon.com/documentation/iam/)
#
# # Credentials
#
# You can setup default credentials for all AWS services via
# AWS.config:
#
# AWS.config(
# :access_key_id => 'YOUR_ACCESS_KEY_ID',
# :secret_access_key => 'YOUR_SECRET_ACCESS_KEY')
#
# Or you can set them directly on the IAM interface:
#
# iam = AWS::IAM.new(
# :access_key_id => 'YOUR_ACCESS_KEY_ID',
# :secret_access_key => 'YOUR_SECRET_ACCESS_KEY')
#
# # Account Summary
#
# You can get account level information about entity usage and IAM quotas
# directly from an IAM interface object.
#
# summary = iam.account_summary
#
# puts "Num users: #{summary[:users]}"
# puts "Num user quota: #{summary[:users_quota]}"
#
# For a complete list of summary attributes see the {#account_summary} method.
#
# # Account Aliases
#
# Currently IAM only supports a single account alias for each AWS account.
# You can set the account alias on the IAM interface.
#
# iam.account_alias = 'myaccountalias'
# iam.account_alias
# #=> 'myaccountalias'
#
# You can also remove your account alias:
#
# iam.remove_account_alias
# iam.account_alias
# #=> nil
#
# # Access Keys
#
# You can create up to 2 access for your account and 2 for each user.
# This makes it easy to rotate keys if you need to. You can also
# deactivate/activate access keys.
#
# # get your current access key
# old_access_key = iam.access_keys.first
#
# # create a new access key
# new_access_key = iam.access_keys.create
# new_access_key.credentials
# #=> { :access_key_id => 'ID', :secret_access_key => 'SECRET' }
#
# # go rotate your keys/credentials ...
#
# # now disable the old access key
# old_access_key.deactivate!
#
# # go make sure everything still works ...
#
# # all done, lets clean up
# old_access_key.delete
#
# Users can also have access keys:
#
# u = iam.users['someuser']
# access_key = u.access_keys.create
# access_key.credentials
# #=> { :access_key_id => 'ID', :secret_access_key => 'SECRET' }
#
# See {AccessKeyCollection} and {AccessKey} for more information about
# working with access keys.
#
# # Users & Groups
#
# Each AWS account can have multiple users. Users can be used to easily
# manage permissions. Users can also be organized into groups.
#
# user = iam.users.create('JohnDoe')
# group = iam.groups.create('Developers')
#
# # add a user to a group
# user.groups.add(group)
#
# # remove a user from a group
# user.groups.remove(group)
#
# # add a user to a group
# group.users.add(user)
#
# # remove a user from a group
# group.users.remove(user)
#
# See {User}, {UserCollection}, {Group} and {GroupCollection} for more
# information on how to work with users and groups.
#
# # Other Interfaces
#
# Other useful IAM interfaces:
# * User Login Profiles ({LoginProfile})
# * Policies ({Policy})
# * Server Certificates ({ServerCertificateCollection}, {ServerCertificate})
# * Signing Certificates ({SigningCertificateCollection}, {SigningCertificate})
# * Multifactor Authentication Devices ({MFADeviceCollection}, {MFADevice})
#
# @!attribute [r] client
# @return [Client] the low-level IAM client object
class IAM
autoload :AccessKey, 'aws/iam/access_key'
autoload :AccessKeyCollection, 'aws/iam/access_key_collection'
autoload :AccountAliasCollection, 'aws/iam/account_alias_collection'
autoload :Client, 'aws/iam/client'
autoload :Collection, 'aws/iam/collection'
autoload :Errors, 'aws/iam/errors'
autoload :Group, 'aws/iam/group'
autoload :GroupCollection, 'aws/iam/group_collection'
autoload :GroupPolicyCollection, 'aws/iam/group_policy_collection'
autoload :GroupUserCollection, 'aws/iam/group_user_collection'
autoload :LoginProfile, 'aws/iam/login_profile'
autoload :MFADevice, 'aws/iam/mfa_device'
autoload :MFADeviceCollection, 'aws/iam/mfa_device_collection'
autoload :Policy, 'aws/iam/policy'
autoload :PolicyCollection, 'aws/iam/policy_collection'
autoload :Resource, 'aws/iam/resource'
autoload :ServerCertificate, 'aws/iam/server_certificate'
autoload :ServerCertificateCollection, 'aws/iam/server_certificate_collection'
autoload :SigningCertificate, 'aws/iam/signing_certificate'
autoload :SigningCertificateCollection, 'aws/iam/signing_certificate_collection'
autoload :User, 'aws/iam/user'
autoload :UserCollection, 'aws/iam/user_collection'
autoload :UserGroupCollection, 'aws/iam/user_group_collection'
autoload :UserPolicy, 'aws/iam/user_policy'
autoload :UserPolicyCollection, 'aws/iam/user_policy_collection'
autoload :VirtualMfaDeviceCollection, 'aws/iam/virtual_mfa_device_collection'
autoload :VirtualMfaDevice, 'aws/iam/virtual_mfa_device'
include Core::ServiceInterface
endpoint_prefix 'iam', :global => true
# Returns a collection that represents all AWS users for this account:
#
# @example Getting a user by name
#
# user = iam.users['username']
#
# @example Enumerating users
#
# iam.users.each do |user|
# puts user.name
# end
#
# @return [UserCollection] Returns a collection that represents all of
# the IAM users for this AWS account.
def users
UserCollection.new(:config => config)
end
# Returns a collection that represents all AWS groups for this account:
#
# @example Getting a group by name
#
# group = iam.groups['groupname']
#
# @example Enumerating groups
#
# iam.groups.each do |group|
# puts group.name
# end
#
# @return [GroupCollection] Returns a collection that represents all of
# the IAM groups for this AWS account.
def groups
GroupCollection.new(:config => config)
end
# Returns a collection that represents the access keys for this
# AWS account.
#
# iam = AWS::IAM.new
# iam.access_keys.each do |access_key|
# puts access_key.id
# end
#
# @return [AccessKeyCollection] Returns a collection that represents all
# access keys for this AWS account.
def access_keys
AccessKeyCollection.new(:config => config)
end
# Returns a collection that represents the signing certificates
# for this AWS account.
#
# iam = AWS::IAM.new
# iam.signing_certificates.each do |cert|
# # ...
# end
#
# If you need to access the signing certificates of a specific user,
# see {User#signing_certificates}.
#
# @return [SigningCertificateCollection] Returns a collection that
# represents signing certificates for this AWS account.
def signing_certificates
SigningCertificateCollection.new(:config => config)
end
# @note Currently, Amazon Elastic Load Balancing is the only
# service to support the use of server certificates with
# IAM. Using server certificates with Amazon Elastic Load
# Balancing is described in the
# {http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_SettingUpLoadBalancerHTTPSIntegrated.html
# Amazon Elastic Load Balancing} Developer Guide.
#
# Returns a collection that represents the server certificates
# for this AWS account.
#
# iam = AWS::IAM.new
# iam.server_certificates.each do |cert|
# # ...
# end
#
# @return [ServerCertificateCollection] Returns a collection that
# represents server certificates for this AWS account.
def server_certificates
ServerCertificateCollection.new(:config => config)
end
# Returns a collection that represents the virtual MFA devices
# that are not assigned to an IAM user.
#
# iam = AWS::IAM.new
# iam.virtual_mfa_devices.each do |cert|
# # ...
# end
#
# @return [VirtualMfaDeviceCollection] Returns a collection that
# represents the virtual MFA devices that are not assigned to an
# IAM user.
def virtual_mfa_devices
VirtualMfaDeviceCollection.new(:config => config)
end
# Sets the account alias for this AWS account.
# @param [String] account_alias
# @return [String] Returns the account alias passed.
def account_alias= account_alias
account_alias.nil? ?
remove_account_alias :
account_aliases.create(account_alias)
end
# @return [String,nil] Returns the account alias. If this account has
# no alias, then `nil` is returned.
def account_alias
account_aliases.first
end
# Deletes the account alias (if one exists).
# @return [nil]
def remove_account_alias
account_aliases.each do |account_alias|
account_aliases.delete(account_alias)
end
nil
end
# @api private
def account_aliases
AccountAliasCollection.new(:config => config)
end
# Retrieves account level information about account entity usage
# and IAM quotas. The returned hash contains the following keys:
#
# * `:users` - Number of users for the AWS account
# * `:users_quota` - Maximum users allowed for the AWS account
# * `:groups` - Number of Groups for the AWS account
# * `:groups_quota` - Maximum Groups allowed for the AWS account
# * `:server_certificates` - Number of Server Certificates for the
# AWS account
# * `:server_certificates_quota` - Maximum Server Certificates
# allowed for the AWS account
# * `:user_policy_size_quota` - Maximum allowed size for user policy
# documents (in kilobytes)
# * `:group_policy_size_quota` - Maximum allowed size for Group
# policy documents (in kilobyes)
# * `:groups_per_user_quota` - Maximum number of groups a user can
# belong to
# * `:signing_certificates_per_user_quota` - Maximum number of X509
# certificates allowed
# for a user
# * `:access_keys_per_user_quota` - Maximum number of access keys
# that can be created per user
# @return [Hash]
def account_summary
client.get_account_summary.data[:summary_map].inject({}) do |h,(k,v)|
h.merge(Core::Inflection.ruby_name(k).to_sym => v)
end
end
# Changes the web password associated with the current IAM user.
# In order to change your password you must configure the sdk
# to use your IAM user credentials.
#
#
# To change a user password, you must be using credentials from the
# user you want to change:
#
# # pass in a key pair generated for the user you want to change
# # the password for
# iam = AWS::IAM.new(:access_key_id => '...', :secret_access_key => '...)
# iam.change_password('old-password', 'new-password')
#
# @param [String] old_password
#
# @param [String] new_password
#
# @return [nil]
#
def change_password old_password, new_password
client_opts = {}
client_opts[:old_password] = old_password
client_opts[:new_password] = new_password
client.change_password(client_opts)
nil
end
# Updates the account password policy for all IAM accounts.
# @param [Hash] options
# @option options [Integer] :minimum_password_length
# @option options [Boolean] :require_symbols
# @option options [Boolean] :require_numbers
# @option options [Boolean] :require_uppercase_characters
# @option options [Boolean] :require_lowercase_characters
# @return [nil]
def update_account_password_policy options = {}
client.update_account_password_policy(options)
nil
end
# Removes the account password policy.
# @return [nil]
def delete_account_password_policy
client.delete_account_password_policy
nil
end
# Returns the account password policy details as a hash. This method
# returns nil if no password policy has been set for this account.
#
# # set the policy
# iam.update_account_password_policy :minimum_password_length => 8
#
# iam.account_password_policy
# #=> {:require_symbols=>false, :require_numbers=>false, :require_uppercase_characters=>false, :require_lowercase_characters=>false, :minimum_password_length=>8}
#
# @return [Hash,nil]
def account_password_policy
begin
policy = client.get_account_password_policy.password_policy
[
:minimum_password_length,
:require_symbols?,
:require_numbers?,
:require_uppercase_characters?,
:require_lowercase_characters?,
].inject({}) do |hash,method|
key = method.to_s.sub(/\?/, '').to_sym
hash.merge(key => policy.send(method))
end
rescue Errors::NoSuchEntity
nil
end
end
end
end
|
