Manage IAM roles
New in version 2014.7.0.
This module uses boto, which can be installed via package, or pip.
This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from the AWS API and no further configuration is necessary. More information is available in the AWS documentation on IAM roles for Amazon EC2.
If IAM roles are not used, you need to specify the credentials either in a pillar file or in the minion's config file (keyid is the AWS access key ID, key is the secret access key):

    iam.keyid: GKTADJGHEIQSXMKKRBJ08H
    iam.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config:

    myprofile:
      keyid: GKTADJGHEIQSXMKKRBJ08H
      key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
      region: us-east-1
Creating a role will automatically create an instance profile and associate it with the role. This is the default behavior of the AWS console; pass create_instance_profile: False if the role is not meant to be attached to EC2 instances.
    myrole:
      boto_iam_role.present:
        - region: us-east-1
        - keyid: GKTADJGHEIQSXMKKRBJ08H
        - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
        - policies_from_pillars:
          - shared_iam_bootstrap_policy
        - policies:
            MySQSPolicy:
              Statement:
                - Action:
                    - sqs:*
                  Effect: Allow
                  Resource:
                    - arn:aws:sqs:*:*:*
                  Sid: MyPolicySQS1
            MyS3Policy:
              Statement:
                - Action:
                    - s3:GetObject
                  Effect: Allow
                  Resource:
                    - arn:aws:s3:::mybucket/*

Note that the SQS statement above allows every SQS action on every queue in every account; scope Action and Resource down before using such a policy on a production role. S3 ARNs have no region or account component, hence arn:aws:s3:::mybucket/*.
    # Using a credentials profile from pillars
    myrole:
      boto_iam_role.present:
        - region: us-east-1
        - profile: myiamprofile

    # Passing in a credentials profile
    myrole:
      boto_iam_role.present:
        - region: us-east-1
        - profile:
            keyid: GKTADJGHEIQSXMKKRBJ08H
            key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
If delete_policies: False is specified, existing policies that are not in the given list of policies will not be deleted. This allows manual modifications on the IAM role to be persistent. With the default (True) the state is authoritative: any inline policy attached outside Salt is removed on the next run, which is usually what you want for a role whose permissions are meant to be reviewed in source control. This functionality was added in Beryllium (2015.8.0).
salt.states.boto_iam_role.absent(name, region=None, key=None, keyid=None, profile=None)
    Ensure the IAM role is deleted.
salt.states.boto_iam_role.present(name, policy_document=None, path=None, policies=None, policies_from_pillars=None, create_instance_profile=True, region=None, key=None, keyid=None, profile=None, delete_policies=True)
    Ensure the IAM role exists.

    policy_document is the trust (assume-role) policy that grants an entity permission to assume the role; policies and policies_from_pillars supply the inline permission policies attached to the role.

    delete_policies
        Deletes existing policies that are not in the given list of policies. Default value is True. If False is specified, existing policies will not be deleted, allowing manual modifications on the IAM role to be persistent.

        New in version Beryllium (2015.8.0).
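The following is an added example, not code from the Salt project, that models in Python the reconciliation described in the two delete_policies passages above: it merges pillar-sourced and inline policies into the desired set (inline wins on a name clash, which is an assumption of this example rather than a guarantee of the state module), compares each against what is attached to the role using a key-order-insensitive serialisation so that reordered YAML keys do not trigger spurious updates, and shows how the flag decides whether unmanaged policies are deleted. The pillar data, the existing-policy snapshot and all function names are constructed for illustration.

```python
import json
from typing import Any, Dict, List

# Constructed sample pillar, standing in for what pillar.get() would return
# for each name listed under policies_from_pillars (hypothetical data).
SAMPLE_PILLAR: Dict[str, Dict[str, Any]] = {
    "shared_iam_bootstrap_policy": {
        "BootstrapPolicy": {
            "Statement": [
                {"Action": ["ec2:DescribeInstances"], "Effect": "Allow", "Resource": ["*"]}
            ]
        }
    }
}

# Inline policies as they would appear under `policies:` in the state.
INLINE_POLICIES: Dict[str, Any] = {
    "MySQSPolicy": {
        "Statement": [
            {"Sid": "MyPolicySQS1", "Effect": "Allow",
             "Action": ["sqs:*"], "Resource": ["arn:aws:sqs:*:*:*"]}
        ]
    },
    "MyS3Policy": {
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": ["arn:aws:s3:::mybucket/*"]}
        ]
    },
}

# Constructed snapshot of the inline policies currently attached to the role.
# MySQSPolicy matches the desired one apart from dict key order; MyS3Policy was
# widened by hand to allow writes; ManualHotfixPolicy is not managed by the
# state at all.
EXISTING_POLICIES: Dict[str, Any] = {
    "MySQSPolicy": {
        "Statement": [
            {"Action": ["sqs:*"], "Effect": "Allow",
             "Resource": ["arn:aws:sqs:*:*:*"], "Sid": "MyPolicySQS1"}
        ]
    },
    "MyS3Policy": {
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": ["arn:aws:s3:::mybucket/*"]}
        ]
    },
    "ManualHotfixPolicy": {
        "Statement": [
            {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ["*"]}
        ]
    },
}


def canonical(doc: Dict[str, Any]) -> str:
    """Serialise a policy document so that dict key order cannot cause a
    spurious update. List order (e.g. the order of Statements) is still
    significant, which is the conservative choice."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def merge_policies(policies_from_pillars: List[str],
                   policies: Dict[str, Any],
                   pillar: Dict[str, Any]) -> Dict[str, Any]:
    """Build the desired policy set: pillar-sourced policies first, then the
    inline ones, so an inline policy overrides a pillar policy of the same
    name (assumption of this example)."""
    desired: Dict[str, Any] = {}
    for name in policies_from_pillars:
        desired.update(pillar.get(name, {}))
    desired.update(policies or {})
    return desired


def plan_policy_changes(existing: Dict[str, Any],
                        desired: Dict[str, Any],
                        delete_policies: bool = True) -> Dict[str, List[str]]:
    """Classify each desired policy as create/update/unchanged and, only when
    delete_policies is True, mark policies not in the desired set for deletion."""
    plan: Dict[str, List[str]] = {"create": [], "update": [], "unchanged": [], "delete": []}
    for name in sorted(desired):
        if name not in existing:
            plan["create"].append(name)
        elif canonical(existing[name]) != canonical(desired[name]):
            plan["update"].append(name)
        else:
            plan["unchanged"].append(name)
    if delete_policies:
        plan["delete"] = sorted(name for name in existing if name not in desired)
    return plan


def demo(delete_policies: bool = True) -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed data with the given flag."""
    desired = merge_policies(["shared_iam_bootstrap_policy"], INLINE_POLICIES, SAMPLE_PILLAR)
    return plan_policy_changes(EXISTING_POLICIES, desired, delete_policies)


if __name__ == "__main__":
    print(json.dumps(demo(True), indent=2))
    print(json.dumps(demo(False), indent=2))
```

With the default flag the hand-added ManualHotfixPolicy is scheduled for deletion and the widened MyS3Policy is reverted to the managed version; with delete_policies False the hotfix policy survives but the managed policies are still brought back in line.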