salt.states.boto_iam

Manage IAM roles.

New in version Beryllium.

This module uses boto, which can be installed via package, or pip.

This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here.

It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config:

delete-user:
  boto_iam.user_absent:
    - name: myuser
    - delete_keys: true
delete-keys:
  boto_iam.keys_absent:
    - access_keys:
      - 'AKIAJHTMIQ2ASDFLASDF'
      - 'PQIAJHTMIQ2ASRTLASFR'
    - user_name: myuser
create-user:
  boto_iam.user_present:
    - name: myuser
    - policies:
        mypolicy: |
            {
                "Version": "2012-10-17",
                "Statement": [{
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"}]
            }
    - password: NewPassword$$1
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'
create-group:
  boto_iam.group_present:
    - name: mygroup
    - users:
      - myuser
      - myuser1
    - policies:
        mypolicy: |
            {
                "Version": "2012-10-17",
                "Statement": [{
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"}]
            }
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'
change-policy:
  boto_iam.account_policy:
    - change_password: True
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'safsdfsal;fdkjsafkljsASSADFalkfj'
create server certificate:
  boto_iam.server_cert_present:
    - name: mycert
    - public_key: salt://base/mycert.crt
    - private_key: salt://base/mycert.key
    - cert_chain: salt://base/mycert_chain.crt
    - region: eu-west-1
    - keyid: 'AKIAJHTMIQ2ASDFLASDF'
    - key: 'fdkjsafkljsASSADFalkfjasdf'
delete server certificate:
  boto_iam.server_cert_absent:
    - name: mycert
. code-block:: yaml
create keys for user:
boto_iam.keys_present:
  • name: myusername
  • number: 2
  • save_dir: /root
  • region: eu-west-1
  • keyid: 'AKIAJHTMIQ2ASDFLASDF'
  • key: 'fdkjsafkljsASSADFalkfjasdf'
salt.states.boto_iam.account_policy(allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, region=None, key=None, keyid=None, profile=None)

Change account policy

New in version Beryllium.

allow_users_to_change_password (bool)
Allows all IAM users in your account to use the AWS Management Console to change their own passwords.
hard_expiry (bool)
Prevents IAM users from setting a new password after their password has expired.
max_password_age (int)
The number of days that an IAM user password is valid.
minimum_password_length (int)
The minimum number of characters allowed in an IAM user password.
password_reuse_prevention (int)
Specifies the number of previous passwords that IAM users are prevented from reusing.
require_lowercase_characters (bool)
Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
require_numbers (bool)
Specifies whether IAM user passwords must contain at least one numeric character (0 to 9).
require_symbols (bool)
Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
require_uppercase_characters (bool)
Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string)
salt.states.boto_iam.group_present(name, policies=None, policies_from_pillars=None, users=None, region=None, key=None, keyid=None, profile=None)

New in version Beryllium.

Ensure the IAM group is present

name (string)
The name of the new group.
policies (dict)
A dict of IAM group policy documents.
policies_from_pillars (list)
A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
users (list)
A list of users to be added to the group.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.keys_absent(access_keys, user_name, region=None, key=None, keyid=None, profile=None)

New in version Beryllium.

Ensure the IAM user access_key_id is absent.

access_key_id (list)
A list of access key ids
user_name (string)
The username of the user
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.keys_present(name, number, save_dir, region=None, key=None, keyid=None, profile=None)

New in version Beryllium.

Ensure the IAM access keys are present.

name (string)
The name of the new user.
number (int)
Number of keys that user should have.
save_dir (string)
The directory that the key/keys will be saved. Keys are saved to a file named according to the username privided.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.server_cert_absent(name, region=None, key=None, keyid=None, profile=None)

Deletes a server certificate

New in version Beryllium.

name (string)
The name for the server certificate. Do not include the path in this value.
region (string)
The name of the region to connect to.
key (string)
The key to be used in order to connect
keyid (string)
The keyid to be used in order to connect
profile (string)
The profile that contains a dict of region, key, keyid
salt.states.boto_iam.server_cert_present(name, public_key, private_key, cert_chain=None, path=None, region=None, key=None, keyid=None, profile=None)

Crete server certificate.

New in version Beryllium.

name (string)
The name for the server certificate. Do not include the path in this value.
public_key (string)
The contents of the public key certificate in PEM-encoded format.
private_key (string)
The contents of the private key in PEM-encoded format.
cert_chain (string)
The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.
path (string)
The path for the server certificate.
region (string)
The name of the region to connect to.
key (string)
The key to be used in order to connect
keyid (string)
The keyid to be used in order to connect
profile (string)
The profile that contains a dict of region, key, keyid
salt.states.boto_iam.user_absent(name, delete_keys=None, region=None, key=None, keyid=None, profile=None)

New in version Beryllium.

Ensure the IAM user is absent. User cannot be deleted if it has keys.

name (string)
The name of the new user.
delete_keys (bool)
Delete all keys from user.
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.
salt.states.boto_iam.user_present(name, policies=None, policies_from_pillars=None, password=None, path=None, region=None, key=None, keyid=None, profile=None)

New in version Beryllium.

Ensure the IAM user is present

name (string)
The name of the new user.
policies (dict)
A dict of IAM group policy documents.
policies_from_pillars (list)
A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars.
password (string)
The password for the new user. Must comply with account policy.
path (string)
The path of the user. Default is '/'
region (string)
Region to connect to.
key (string)
Secret key to be used.
keyid (string)
Access key to be used.
profile (dict)
A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.