value=user_ref + '.policy.arn',
)
managed_policy_arns.append(troposphere.Ref(codecommit_user_policy_param))
# Trust policy for the project role: only the CodeBuild service principal may
# call sts:AssumeRole on it.
# NOTE(review): the trust statement carries no Condition on aws:SourceAccount /
# aws:SourceArn, so it trusts the CodeBuild service globally rather than only
# this account's projects. AWS documents that condition as the cross-service
# confused-deputy guard for service-role trust policies — confirm whether it is
# wanted here; Condition/StringEquals are not in scope in this snippet so it is
# left as a note.
codebuild_trust_policy = PolicyDocument(
    Version="2012-10-17",
    Statement=[
        Statement(
            Effect=Allow,
            Action=[AssumeRole],
            Principal=Principal("Service", ['codebuild.amazonaws.com']),
        ),
    ],
)

# NOTE(review): RoleName is fixed rather than CloudFormation-generated; that
# presumably means the stack needs CAPABILITY_NAMED_IAM and the role cannot be
# replaced in place on a rename — confirm the deploy tooling expects that.
project_role_res = troposphere.iam.Role(
    title='CodeBuildProjectRole',
    template=template,
    RoleName=self.project_role_name,
    ManagedPolicyArns=managed_policy_arns,
    AssumeRolePolicyDocument=codebuild_trust_policy,
)

# Name for the project's inline policy; filter_id suggests the helper
# normalises it to the IAM PolicyName constraints — verify against the helper.
project_policy_name = self.create_iam_resource_name(
    name_list=[self.res_name_prefix, 'CodeBuild-Project'],
    filter_id='IAM.Policy.PolicyName',
)
# Project Policy
policy_statements = [
Statement(
Sid='S3Access',
Effect=Allow,
Action=[
# NOTE: By default CodeBuild manages the policies for this role. If you delete a CFN stack and try to recreate the project
# or make changes to it when the Codebuild managed Policy still exists, you'll see an error in the UI:
# `The policy is attached to 0 entities but it must be attached to a single role`. (CloudFormation reports the stack update itself as failed)
# Orphaned policies created by CodeBuild will have CodeBuildBasePolicy prepended to them; search for policies with this
# name and no role and delete to clear the error.
# TODO: Get a CloudFormation feature request to turn this off for project creation- let CFN manage the policy.
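# Execution role for the CodeBuild project. Only the CodeBuild service
# principal may assume it; the permissions it carries are attached elsewhere
# (CodeBuild manages its own base policy, see the note above).
# Version is stated explicitly: an IAM policy document without a Version
# element is evaluated with 2008-10-17 semantics (no policy variables, older
# condition behaviour). The other policy documents on this page pin
# 2012-10-17, so this one is brought in line with them.
# NOTE(review): the trust statement has no aws:SourceAccount / aws:SourceArn
# Condition, so it trusts CodeBuild as a service globally rather than only this
# account's projects — consider adding one (confused-deputy hardening).
role_id = template.add_resource(
    Role(
        project_name,
        Path='/',
        AssumeRolePolicyDocument=PolicyDocument(
            Version='2012-10-17',
            Statement=[
                Statement(
                    Effect=Allow,
                    Action=[AssumeRole],
                    Principal=Principal("Service", ["codebuild.amazonaws.com"]),
                )
            ]
        )
    )
)
# Publish the role reference as a stack output under the project's name.
template.add_output([Output(project_name, Value=Ref(role_id))])
return Ref(role_id)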
Action="lambda:InvokeFunction",
FunctionName=Ref(function),
Principal="sns.amazonaws.com",
SourceAccount=Ref("AWS::AccountId"),
SourceArn=Ref(cloudtrail_topic)
))
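# Resource policy on the CloudTrail notification topic: only the CloudTrail
# service principal may publish, and only to this one topic (Resource is the
# topic itself, not "*").
# Version is pinned explicitly — an omitted Version is evaluated with
# 2008-10-17 semantics — matching the other policy documents on this page.
# NOTE(review): AWS's reference topic policy for CloudTrail additionally scopes
# the statement with a Condition on aws:SourceArn (the trail's ARN) and/or
# aws:SourceAccount, so that a trail in another account cannot publish here.
# Condition/StringEquals are not in scope in this snippet, so it is flagged
# rather than added — confirm and add.
# Action names are matched case-insensitively by IAM, so "publish" is fine.
t.add_resource(TopicPolicy(
    "CloudtrailTopicPolicy",
    Topics=[Ref(cloudtrail_topic)],
    PolicyDocument=Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Sid="AWSCloudTrailSNSPolicy",
                Effect=Allow,
                Principal=Principal(
                    "Service", ["cloudtrail.amazonaws.com"]
                ),
                Action=[Action("sns", "publish")],
                Resource=[Ref(cloudtrail_topic)],
            )
        ]
    )
))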
cloudtrail = t.add_resource(Trail(
"CloudTrail",
IncludeGlobalServiceEvents=True,
IsLogging=True,
IsMultiRegionTrail=True,
S3BucketName=Ref(bucket),
SnsTopicName=Ref(cloudtrail_topic),
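def make_simple_assume_statement(*principals):
    """Build an ``sts:AssumeRole`` trust statement for AWS service principals.

    Args:
        *principals: one or more service principal identifiers, e.g.
            ``'lambda.amazonaws.com'``.

    Returns:
        An awacs ``Statement`` allowing ``sts:AssumeRole`` for the listed
        services. It carries no ``Condition``; callers that need to pin the
        trust to a specific account or resource (``aws:SourceAccount`` /
        ``aws:SourceArn``, the confused-deputy guard) must add one themselves.

    Raises:
        ValueError: if no principal is supplied. The original silently produced
            a statement with an empty ``Service`` list — a trust statement with
            nobody to trust — which would only surface at deploy time.
    """
    if not principals:
        raise ValueError("at least one service principal is required")
    return Statement(
        Principal=Principal('Service', list(principals)),
        Effect=Allow,
        Action=[sts.AssumeRole],
    )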
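# Expose the chat topic ARN as a stack output so the website config can read it.
t.add_output(Output(
    "WebsiteSnsTopic",
    Description="sns_topic_arn",
    Value=Ref(website_sns_topic),
))

# The IAM Role the website assumes, via Google sign-in, to publish to SNS.
# Trust policy: federated Google identities may call
# sts:AssumeRoleWithWebIdentity only when the token's audience
# (accounts.google.com:aud) equals this application's OAuth client ID, so a
# Google token minted for a different app is refused.
# NOTE(review): there is no condition on accounts.google.com:sub, so any Google
# account that signs in to this client can assume the role (presumably by
# design for a public site). The inline WebsitePolicy that follows should
# therefore grant only what the site needs — confirm its statements.
# Version is pinned explicitly, matching the WebsitePolicy document below;
# an omitted Version is evaluated with 2008-10-17 semantics.
website_role = t.add_resource(iam.Role(
    "WebsiteRole",
    Path="/",
    AssumeRolePolicyDocument=Policy(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Action=[Action("sts", "AssumeRoleWithWebIdentity")],
                Principal=Principal("Federated", "accounts.google.com"),
                Condition=Condition(
                    StringEquals(
                        "accounts.google.com:aud",
                        Ref(google_oauth_client_id)
                    )
                ),
            ),
        ],
    ),
))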
t.add_resource(iam.PolicyType(
"WebsitePolicy",
PolicyName="lambda-chat-website-policy",
Roles=[Ref(website_role)],
PolicyDocument=Policy(
Version="2012-10-17",
This only needs to be called manually if for some reason the monkey patching doesn't work.
"""
if LAMBDA_ROLE not in template.resources:
template.add_resource(
iam.Role(
LAMBDA_ROLE,
AssumeRolePolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[Action('sts', 'AssumeRole')],
Principal=Principal('Service', 'lambda.amazonaws.com'),
)
],
),
ManagedPolicyArns=[
'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
'arn:aws:iam::aws:policy/service-role/AWSLambdaRole',
],
Policies=[
iam.Policy(
PolicyName=Sub('${AWS::StackName}CustomAcmCertificateLambdaExecutionPolicy'),
PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[
bucket (dict): The bucket resource to place the policy
Returns:
dict: The Bucket Policy Resource
"""
return self.template.add_resource(
s3.BucketPolicy(
'BucketPolicy',
Bucket=bucket.ref(),
PolicyDocument=Policy(
Version="2012-10-17",
Statement=[
Statement(
Effect=Allow,
Principal=Principal('*'),
Action=[Action('s3', 'getObject')],
Resource=[
Join('', [bucket.get_att('Arn'), '/*'])
],
target_name,
Arn=troposphere.Ref(self.target_params[target_name + 'Arn']),
Id=troposphere.Ref(self.target_params[target_name]),
)
)
# IAM Role Resources to allow Event to invoke Target
target_invocation_role_resource = troposphere.iam.Role(
'TargetInvocationRole',
AssumeRolePolicyDocument=Policy(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[awacs.sts.AssumeRole],
Principal=Principal('Service',['events.amazonaws.com'])
)
],
),
Policies=[
troposphere.iam.Policy(
PolicyName="TargetInvocation",
PolicyDocument=Policy(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[awacs.awslambda.InvokeFunction],
Resource=[troposphere.Ref(self.target_params[target_name + 'Arn'])],
)
]
)
'EC2Principal': 'ec2.amazonaws.com',
'OpsWorksPrincipal': 'opsworks.amazonaws.com'},
'us-west-2': {
'EC2Principal': 'ec2.amazonaws.com',
'OpsWorksPrincipal': 'opsworks.amazonaws.com'}
}
)
web_server_role = Role(
"WebServerRole",
template=template,
AssumeRolePolicyDocument=Policy(
Statement=[
Statement(
Effect=Allow, Action=[AssumeRole],
Principal=Principal(
"Service", [
FindInMap(
"Region2Principal",
Ref("AWS::Region"), "EC2Principal")
]
)
)
]
),
Path="/",
Policies=[
assets_management_policy,
logging_policy,
iam.Policy(
PolicyName="EBBucketAccess",
PolicyDocument=dict(