public static async Task <(DeleteRoleResponse role, DetachRolePolicyResponse[] policies)> DeleteRoleAsync(
this IAMHelper iam, string roleName, bool detachPolicies,
bool deleteInstanceProfiles = false,
StringComparison stringComparison = StringComparison.InvariantCultureIgnoreCase, CancellationToken cancellationToken = default(CancellationToken))
{
if (roleName.IsNullOrEmpty())
{
throw new ArgumentException($"{nameof(roleName)} is null or empty");
}
DetachRolePolicyResponse[] detachRolePolicyResponses = null;
if (detachPolicies)
{
var targets = await iam.ListAttachedRolePoliciesAsync(roleName, cancellationToken : cancellationToken);
detachRolePolicyResponses = await targets.ForEachAsync(policy => iam.DetachRolePolicyAsync(roleName, policy.PolicyArn, cancellationToken)
, maxDegreeOfParallelism : iam._maxDegreeOfParalelism);
}
if (deleteInstanceProfiles)
{
await iam.DeleteRoleInstanceProfiles(roleName : roleName, cancellationToken : cancellationToken);
}
return(await iam.DeleteRoleAsync(roleName, cancellationToken), detachRolePolicyResponses);
}
/*public static async Task<ManagedPolicy> CreatePolicyS3Async(this IAMHelper iam, IEnumerable<string> paths, string name, IEnumerable<S3Helper.Permissions> permissions, string description = null, CancellationToken cancellationToken = default(CancellationToken))
* {
* if (permissions == null)
* throw new ArgumentNullException($"{nameof(permissions)} can't be null");
*
* var actions = permissions.Any(p => p == S3Helper.Permissions.All) ?
* "\"s3:*\"" : permissions.SelectMany(
* p => p.ToStringFlagArray().Select(s => $"s3:{s}"))
* .Distinct().JsonSerialize();
*
* var sub_policies = "";
*
* paths.ForEach((path, i) => {
* sub_policies +=
* $@"
* {{
* ""Sid"": ""AWSHelper{i}"",
* ""Effect"": ""Allow"",
* ""Action"": {(actions.IsNullOrEmpty() ? "[ ]" : actions)},
* ""Resource"": ""arn:aws:s3:::{path}""
* }},";
* });
*
* //this must be present otherwise its not possible to delete objects from the buckt due to some AWS bug
* sub_policies += $"{{ \"Sid\": \"AWSHelper{paths.Count()}\", \"Effect\": \"Allow\", \"Action\": [ \"s3:List*\" ], \"Resource\": \"arn:aws:s3:::*\" }}";
* //sub_policies = sub_policies.TrimEnd(',');
*
* string json =
* $@"{{
* ""Version"": ""2012-10-17"",
* ""Statement"": [{sub_policies}
* ]
* }}";
* return (await iam.CreatePolicyAsync(name: name, description: description, json: json, cancellationToken: cancellationToken)).Policy;
* }*/
public static async Task <ManagedPolicy> CreatePolicyS3Async(this IAMHelper iam, IEnumerable <string> paths, string name, IEnumerable <S3Helper.Permissions> permissions, string description = null, CancellationToken cancellationToken = default(CancellationToken))
{
if (permissions == null)
{
throw new ArgumentNullException($"{nameof(permissions)} can't be null");
}
var actions = permissions.Any(p => p == S3Helper.Permissions.All) ?
"\"s3:*\"" : permissions.SelectMany(
p => p.ToStringFlagArray().Select(s => $"s3:{s}"))
.Distinct().JsonSerialize();
var sidCntr = 0;
var buckets = paths.Select(path => path.SplitByFirst('/').First()).Distinct();
var sub_policies = $"{{\"Sid\": \"AWSHelper{++sidCntr}\", \"Effect\": \"Allow\", \"Action\": [ \"s3:ListAllMyBuckets\", \"s3:GetBucketLocation\" ],\"Resource\": \"arn:aws:s3:::*\"}},";
foreach (var bucket in buckets)
{
var resourcePathPrefixArray = paths.IsNullOrEmpty() ? "[ ]" : paths
.Where(path => path.StartsWith(bucket))
.Select(path => path.TrimStartSingle(bucket).TrimStart("/"))
.Distinct().ToArray().JsonSerialize(Newtonsoft.Json.Formatting.None);
sub_policies +=
$@"
{{
""Sid"": ""AWSHelper{++sidCntr}"",
""Effect"": ""Allow"",
""Action"": [ ""s3:List*"" ],
""Resource"": ""arn:aws:s3:::{bucket}"",
""Condition"": {{ ""StringLike"": {{ ""s3:prefix"": {resourcePathPrefixArray} }} }}
}},";
}
foreach (var path in paths)
{
sub_policies +=
$@"
{{
""Sid"": ""AWSHelper{++sidCntr}"",
""Effect"": ""Allow"",
""Action"": {(actions.IsNullOrEmpty() ? "[ ]" : actions)},
""Resource"": ""arn:aws:s3:::{path}""
}},";
}
;
sub_policies = sub_policies.TrimEnd(",");
string json =
$@"{{
""Version"": ""2012-10-17"",
""Statement"": [{sub_policies}
]
}}";
return((await iam.CreatePolicyAsync(name: name, description: description, json: json, cancellationToken: cancellationToken)).Policy);
}
public static async Task <ManagedPolicy[]> GetPoliciesByNamesAsync(this IAMHelper iam, IEnumerable <string> names, bool onlyAttached = false, StringComparison stringComparison = StringComparison.InvariantCultureIgnoreCase, CancellationToken cancellationToken = default(CancellationToken))
{
var list = await iam.ListPoliciesAsync(onlyAttached : onlyAttached, cancellationToken : cancellationToken);
var results = new List <ManagedPolicy>();
foreach (var name in names)
{
results.Add(list.Single(x => x.Arn.Equals(name, stringComparison) || x.PolicyName.Equals(name, stringComparison)));
}
return(results.ToArray());
}
public static async Task <ManagedPolicy> GetPolicyByNameAsync(this IAMHelper iam, string name, StringComparison stringComparison = StringComparison.InvariantCultureIgnoreCase, bool throwIfNotFound = true, CancellationToken cancellationToken = default(CancellationToken))
{
var list = await iam.ListPoliciesAsync(cancellationToken : cancellationToken);
var policy = list.SingleOrDefault(x => x.Arn.Equals(name, stringComparison) || x.PolicyName.Equals(name, stringComparison));
if (policy == null && throwIfNotFound)
{
throw new Exception($"Policy with name '{name}' was not found.");
}
return(policy);
}
public static async Task <DeleteInstanceProfileResponse[]> DeleteRoleInstanceProfiles(
this IAMHelper iam, string roleName, CancellationToken cancellationToken = default(CancellationToken))
{
var profiles = await iam.ListInstanceProfilesForRoleAsync(roleName : roleName, cancellationToken : cancellationToken);
var responses = await profiles?.ForEachAsync(async profile =>
{
await iam.RemoveRoleFromInstanceProfileAsync(
profileName: profile.InstanceProfileName,
roleName: roleName,
cancellationToken: cancellationToken);
return(await iam.DeleteInstanceProfileAsync(profile.InstanceProfileName, cancellationToken: cancellationToken));
},
maxDegreeOfParallelism : iam._maxDegreeOfParalelism,
cancellationToken : cancellationToken);
return(responses);
}
public static async Task <DeletePolicyResponse> DeletePolicyByNameAsync(this IAMHelper iam, string name, StringComparison stringComparison = StringComparison.InvariantCultureIgnoreCase, bool throwIfNotFound = true, CancellationToken cancellationToken = default(CancellationToken))
{
if (name.IsNullOrEmpty())
{
throw new ArgumentException($"{nameof(name)} is null or empty");
}
var policy = await iam.GetPolicyByNameAsync(name : name, stringComparison : stringComparison, throwIfNotFound : throwIfNotFound, cancellationToken : cancellationToken);
if (policy == null && !throwIfNotFound)
{
return(null);
}
var versions = (await iam.ListPolicyVersionsAsync(policy.Arn, cancellationToken)).Where(v => !v.IsDefaultVersion);
await versions.ForEachAsync(
v => iam.DeletePolicyVersionAsync(arn: policy.Arn, versionId: v.VersionId, cancellationToken: cancellationToken),
maxDegreeOfParallelism : iam._maxDegreeOfParalelism);
return(await iam.DeletePolicyAsync(policy.Arn, cancellationToken));
}
public static async Task <Role> CreateRoleWithPoliciesAsync(
this IAMHelper iam, string roleName,
string[] policies,
string roleDescription = null,
bool createInstanceProfile = false,
StringComparison stringComparison = StringComparison.InvariantCultureIgnoreCase,
CancellationToken cancellationToken = default(CancellationToken))
{
var policyDoc = $@"{{""Version"":""2012-10-17"",""Statement"":[{{""Effect"":""Allow"",""Principal"":{{""Service"":[""ec2.amazonaws.com"",""ecs-tasks.amazonaws.com""]}},""Action"":[""sts:AssumeRole""]}}]}}";
var tR = iam.CreateRoleAsync(roleName: roleName, description: roleDescription, path: null, maxSessionDuration: 12 * 3600, assumeRolePolicyDocument: policyDoc, cancellationToken: cancellationToken);
var list = await iam.ListPoliciesAsync(cancellationToken : cancellationToken);
var mp = new ManagedPolicy[policies.Length];
for (int i = 0; i < policies.Length; i++)
{
var policy = policies[i];
mp[i] = list.Single(x => x.PolicyName.Equals(policy, stringComparison) || x.PolicyName.Equals(policy, stringComparison));
}
var roleResponse = await tR;
await mp.ForEachAsync(p => iam.AttachRolePolicyAsync(roleResponse.Role.RoleName, p.Arn, cancellationToken),
iam._maxDegreeOfParalelism, cancellationToken : cancellationToken);
//https://aws.amazon.com/premiumsupport/knowledge-center/iam-role-not-in-list/
if (createInstanceProfile)
{
await iam.DeleteRoleInstanceProfiles(roleName : roleName, cancellationToken : cancellationToken);
await iam.CreateInstanceProfileAsync(name : roleName, cancellationToken : cancellationToken);
await iam.AddRoleToInstanceProfileAsync(profileName : roleName, roleName : roleName, cancellationToken : cancellationToken);
}
return(roleResponse.Role);
}
public static async Task <AccessKeyMetadata> GetAccessKeyByIdAsync(this IAMHelper iam, string name, StringComparison stringComparison = StringComparison.InvariantCultureIgnoreCase, CancellationToken cancellationToken = default(CancellationToken))
{
var list = await iam.ListAccessKeysAsync(cancellationToken : cancellationToken);
return(list.Single(x => x.AccessKeyId.Equals(name, stringComparison)));
}
public static async Task <Role> GetRoleByNameAsync(this IAMHelper iam, string name, StringComparison stringComparison = StringComparison.InvariantCultureIgnoreCase, CancellationToken cancellationToken = default(CancellationToken))
{
var list = await iam.ListRolesAsync(cancellationToken : cancellationToken);
return(list.Single(x => x.RoleName.Equals(name, stringComparison)));
}
