salt.states.boto_iam

Manage IAM objects

New in version 2015.8.0.

This module uses boto, which can be installed via package, or pip.

This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here.

It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config:

delete-user:
  boto_iam.user_absent:
    - name: myuser
    - delete_keys: true
delete-keys:
  boto_iam.keys_absent:
    - access_keys:
      - 'AKIAJHTMIQ2ASDFLASDF'
      - 'PQIAJHTMIQ2ASRTLASFR'
    - user_name: myuser
create-user:
  boto_iam.user_present:
    - name: myuser
    - policies:
        mypolicy: |
            {
                "Version": "2012-10-17",
                "Statement": [{
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"}]
            }
    - password: NewPassword$$1
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'
create-group:
  boto_iam.group_present:
    - name: mygroup
    - users:
      - myuser
      - myuser1
    - policies:
        mypolicy: |
            {
                "Version": "2012-10-17",
                "Statement": [{
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"}]
            }
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'
change-policy:
  boto_iam.account_policy:
    - change_password: True
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'
create server certificate:
  boto_iam.server_cert_present:
    - name: mycert
    - public_key: salt://base/mycert.crt
    - private_key: salt://base/mycert.key
    - cert_chain: salt://base/mycert_chain.crt
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'
delete server certificate:
  boto_iam.server_cert_absent:
    - name: mycert
create keys for user:
  boto_iam.keys_present:
    - name: myusername
    - number: 2
    - save_dir: /root
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'
create policy:
  boto_iam.policy_present:
    - name: myname
    - policy_document: '{"MyPolicy": "Statement": [{"Action": ["sqs:*"], "Effect": "Allow", "Resource": ["arn:aws:sqs:*:*:*"], "Sid": "MyPolicySqs1"}]}'
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'
add-saml-provider:
  boto_iam.saml_provider_present:
    - name: my_saml_provider
    - saml_metadata_document: salt://base/files/provider.xml
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'
salt.states.boto_iam.account_policy(name=None, allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, region=None, key=None, keyid=None, profile=None)

Change account policy.

New in version 2015.8.0.

name (string)
The name of the account policy
allow_users_to_change_password (bool)
Allows all IAM users in your account to use the AWS Management Console to change their own passwords.
hard_expiry (bool)
Prevents IAM users from setting a new password after their password has expired.
max_password_age (int)
The number of days that an IAM user password is valid.
minimum_password_length (int)
The minimum number of characters allowed in an IAM user password.
password_reuse_prevention (int)
Specifies the number of previous passwords that IAM users are prevented from reusing.
require_lowercase_characters (bool)
Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
require_numbers (bool)
Specifies whether IAM user passwords must contain at least one numeric character (0 to 9).
require_symbols (bool)
Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
require_uppercase_characters (bool)
Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string)
salt.states.boto_iam.group_absent(name, region=None, key=None, keyid=None, profile=None)

New in version 2015.8.0.

Ensure the IAM group is absent.

name (string)
The name of the group.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.group_present(name, policies=None, policies_from_pillars=None, managed_policies=None, users=None, path='/', region=None, key=None, keyid=None, profile=None, delete_policies=True)

New in version 2015.8.0.

Ensure the IAM group is present

name (string)
The name of the new group.
path (string)
The path for the group, defaults to '/'
policies (dict)
A dict of IAM group policy documents.
policies_from_pillars (list)
A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
managed_policies (list)
A list of policy names or ARNs that should be attached to this group.
users (list)
A list of users to be added to the group.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
delete_policies (boolean)
Delete or detach existing policies that are not in the given list of policies. Default value is True. If False is specified, existing policies will not be deleted or detached allowing manual modifications on the IAM group to be persistent.
salt.states.boto_iam.keys_absent(access_keys, user_name, region=None, key=None, keyid=None, profile=None)

New in version 2015.8.0.

Ensure the IAM user access_key_id is absent.

access_key_id (list)
A list of access key ids
user_name (string)
The username of the user
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.keys_present(name, number, save_dir, region=None, key=None, keyid=None, profile=None, save_format='{2}\n{0}\n{3}\n{1}\n')

New in version 2015.8.0.

Ensure the IAM access keys are present.

name (string)
The name of the new user.
number (int)
Number of keys that user should have.
save_dir (string)
The directory that the key/keys will be saved. Keys are saved to a file named according to the username privided.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
save_format (dict)
Save format is repeated for each key. Default format is "{2}

{0} {3} {1} ",

where {0} and {1} are placeholders for new key_id and key respectively, whereas {2} and {3} are "key_id-{number}" and 'key-{number}' strings kept for compatibility.
salt.states.boto_iam.policy_absent(name, region=None, key=None, keyid=None, profile=None)

New in version 2015.8.0.

Ensure the IAM managed policy with the specified name is absent

name (string)
The name of the new policy.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.policy_present(name, policy_document, path=None, description=None, region=None, key=None, keyid=None, profile=None)

New in version 2015.8.0.

Ensure the IAM managed policy is present

name (string)
The name of the new policy.
policy_document (dict)
The document of the new policy
path (string)
The path in which the policy will be created. Default is '/'.
description (string)
Description
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.saml_provider_absent(name, region=None, key=None, keyid=None, profile=None)

New in version 2016.11.0.

Ensure the SAML provider with the specified name is absent.

name (string)
The name of the SAML provider.
saml_metadata_document (string)
The xml document of the SAML provider.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.saml_provider_present(name, saml_metadata_document, region=None, key=None, keyid=None, profile=None)

New in version 2016.11.0.

Ensure the SAML provider with the specified name is present.

name (string)
The name of the SAML provider.
saml_metadata_document (string)
The xml document of the SAML provider.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.server_cert_absent(name, region=None, key=None, keyid=None, profile=None)

Deletes a server certificate.

New in version 2015.8.0.

name (string)
The name for the server certificate. Do not include the path in this value.
region (string)
The name of the region to connect to.
key (string)
The key to be used in order to connect
keyid (string)
The keyid to be used in order to connect
profile (string)
The profile that contains a dict of region, key, keyid
salt.states.boto_iam.server_cert_present(name, public_key, private_key, cert_chain=None, path=None, region=None, key=None, keyid=None, profile=None)

Crete server certificate.

New in version 2015.8.0.

name (string)
The name for the server certificate. Do not include the path in this value.
public_key (string)
The contents of the public key certificate in PEM-encoded format.
private_key (string)
The contents of the private key in PEM-encoded format.
cert_chain (string)
The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.
path (string)
The path for the server certificate.
region (string)
The name of the region to connect to.
key (string)
The key to be used in order to connect
keyid (string)
The keyid to be used in order to connect
profile (string)
The profile that contains a dict of region, key, keyid
salt.states.boto_iam.user_absent(name, delete_keys=True, delete_mfa_devices=True, delete_profile=True, region=None, key=None, keyid=None, profile=None)

New in version 2015.8.0.

Ensure the IAM user is absent. User cannot be deleted if it has keys.

name (string)
The name of the new user.
delete_keys (bool)
Delete all keys from user.
delete_mfa_devices (bool)

Delete all mfa devices from user.

New in version 2016.3.0.

delete_profile (bool)

Delete profile from user.

New in version 2016.3.0.

region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.user_present(name, policies=None, policies_from_pillars=None, managed_policies=None, password=None, path=None, region=None, key=None, keyid=None, profile=None)

New in version 2015.8.0.

Ensure the IAM user is present

name (string)
The name of the new user.
policies (dict)
A dict of IAM group policy documents.
policies_from_pillars (list)
A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
managed_policies (list)
A list of managed policy names or ARNs that should be attached to this user.
password (string)
The password for the new user. Must comply with account policy.
path (string)

The path of the user. Default is '/'.

New in version 2015.8.2.

region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.