account_wrapper.py - AWS Code Sample

account_wrapper.py

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """ Purpose Shows how to use AWS Identity and Access Management (IAM) accounts. """ import logging import pprint import sys import time import boto3 from botocore.exceptions import ClientError logger = logging.getLogger(__name__) iam = boto3.resource('iam') def create_alias(alias): """ Creates an alias for the current account. The alias can be used in place of the account ID in the sign-in URL. An account can have only one alias. When a new alias is created, it replaces any existing alias. :param alias: The alias to assign to the account. """ try: iam.create_account_alias(AccountAlias=alias) logger.info("Created an alias '%s' for your account.", alias) except ClientError: logger.exception("Couldn't create alias '%s' for your account.", alias) raise def delete_alias(alias): """ Removes the alias from the current account. :param alias: The alias to remove. """ try: iam.meta.client.delete_account_alias(AccountAlias=alias) logger.info("Removed alias '%s' from your account.", alias) except ClientError: logger.exception("Couldn't remove alias '%s' from your account.", alias) raise def list_aliases(): """ Gets the list aliases for the current account. An account has at most one alias. :return: The list of aliases for the account. """ try: response = iam.meta.client.list_account_aliases() aliases = response['AccountAliases'] if len(aliases) > 0: logger.info("Got aliases for your account: %s.", ','.join(aliases)) else: logger.info("Got no aliases for your account.") except ClientError: logger.exception("Coudn't list aliases for your account.") raise else: return response['AccountAliases'] def get_authorization_details(response_filter): """ Gets an authorization detail report for the current account. :param response_filter: A list of resource types to include in the report, such as users or roles. When not specified, all resources are included. :return: The authorization detail report. """ try: account_details = iam.meta.client.get_account_authorization_details( Filter=response_filter ) logger.debug(account_details) except ClientError: logger.exception("Couldn't get details for your account.") raise else: return account_details def get_summary(): """ Gets a summary of account usage. :return: The summary of account usage. """ try: summary = iam.AccountSummary() logger.debug(summary.summary_map) except ClientError: logger.exception("Couldn't get a summary for your account.") raise else: return summary.summary_map def generate_credential_report(): """ Starts generation of a credentials report about the current account. After calling this function to generate the report, call get_credential_report to get the latest report. A new report can be generated a minimum of four hours after the last one was generated. """ try: response = iam.meta.client.generate_credential_report() logger.info("Generating credentials report for your account. " "Current state is %s.", response['State']) except ClientError: logger.exception("Couldn't generate a credentials report for your account.") raise else: return response def get_credential_report(): """ Gets the most recently generated credentials report about the current account. :return: The credentials report. """ try: response = iam.meta.client.get_credential_report() logger.debug(response['Content']) except ClientError: logger.exception("Couldn't get credentials report.") raise else: return response['Content'] def usage_demo(): """Shows how to use the account functions.""" logging.basicConfig(level=logging.INFO, format='%(levelname)s: %(message)s') print('-'*88) print("Welcome to the AWS Identity and Account Management account demo.") print('-'*88) print("Setting an account alias lets you use the alias in your sign-in URL " "instead of your account number.") old_aliases = list_aliases() if len(old_aliases) > 0: print(f"Your account currently uses '{old_aliases[0]}' as its alias.") else: print("Your account currently has no alias.") for index in range(1, 3): new_alias = f'alias-{index}-{time.time_ns()}' print(f"Setting your account alias to {new_alias}") create_alias(new_alias) current_aliases = list_aliases() print(f"Your account alias is now {current_aliases}.") delete_alias(current_aliases[0]) print(f"Your account now has no alias.") if len(old_aliases) > 0: print(f"Restoring your original alias back to {old_aliases[0]}...") create_alias(old_aliases[0]) print('-'*88) print("You can get various reports about your account.") print("Let's generate a credentials report...") report_state = None while report_state != 'COMPLETE': cred_report_response = generate_credential_report() old_report_state = report_state report_state = cred_report_response['State'] if report_state != old_report_state: print(report_state, sep='') else: print('.', sep='') sys.stdout.flush() time.sleep(1) print() cred_report = get_credential_report() col_count = 3 print(f"Got credentials report. Showing only the first {col_count} columns.") cred_lines = [line.split(',')[:col_count] for line in cred_report.decode('utf-8').split('\n')] col_width = max([len(item) for line in cred_lines for item in line]) + 2 for line in cred_report.decode('utf-8').split('\n'): print(''.join(element.ljust(col_width) for element in line.split(',')[:col_count])) print('-'*88) print("Let's get an account summary.") summary = get_summary() print("Here's your summary:") pprint.pprint(summary) print('-'*88) print("Let's get authorization details!") details = get_authorization_details([]) see_details = input("These are pretty long, do you want to see them (y/n)? ") if see_details.lower() == 'y': pprint.pprint(details) print('-'*88) print("Thanks for watching.") if __name__ == '__main__': usage_demo()