;; Copyright (c) Cognitect, Inc.
;; All rights reserved.
(ns assume-role-example
(:require [clojure.data.json :as json]
[cognitect.aws.client.api :as aws]
[cognitect.aws.credentials :as credentials]))
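(defn assumed-role-credentials-provider
  "Make a credentials provider that obtains temporary credentials by calling
  sts:AssumeRole on `role-arn`; the result is cached and refreshed before the
  credentials expire (cognitect.aws.credentials/cached-credentials-with-auto-refresh).

  Optional `opts` map (all keys may be omitted):
    :session-name      RoleSessionName sent to STS. It is recorded in CloudTrail
                       for every request made with the assumed credentials, so in
                       real use pass something that identifies the caller. Defaults
                       to a fresh generated \"example-session-N\" name per refresh,
                       as in the original example.
    :external-id       ExternalId to send when the role's trust policy demands one
                       (typically cross-account / third-party roles).
    :duration-seconds  Requested credential lifetime; not sent when nil.

  aws-api reports failures as an anomaly map instead of throwing; a denied or
  failed AssumeRole now raises ex-info carrying the anomaly, so the real cause
  shows up instead of the provider silently yielding no credentials."
  ([role-arn]
   (assumed-role-credentials-provider role-arn {}))
  ([role-arn {:keys [session-name external-id duration-seconds]}]
   (let [sts (aws/client {:api :sts})]
     (credentials/cached-credentials-with-auto-refresh
      (reify credentials/CredentialsProvider
        (fetch [_]
          (let [request  (cond-> {:RoleArn         role-arn
                                  ;; generated per fetch when no name is given, so each
                                  ;; refresh gets its own session name like the original
                                  :RoleSessionName (or session-name
                                                       (str (gensym "example-session-")))}
                           external-id      (assoc :ExternalId external-id)
                           duration-seconds (assoc :DurationSeconds duration-seconds))
                response (aws/invoke sts {:op :AssumeRole :request request})]
            ;; aws-api never throws on an API error; it returns an anomaly map.
            (when (:cognitect.anomalies/category response)
              (throw (ex-info "sts:AssumeRole failed"
                              {:role-arn role-arn :response response})))
            (when-let [creds (:Credentials response)]
              {:aws/access-key-id     (:AccessKeyId creds)
               :aws/secret-access-key (:SecretAccessKey creds)
               :aws/session-token     (:SessionToken creds)
               ;; ttl derived from the :Expiration STS returned, drives auto-refresh
               ::credentials/ttl      (credentials/calculate-ttl creds)}))))))))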
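(comment
  ;; REPL walkthrough: create a role only the current user may assume, give it a
  ;; single least-privilege permission, assume it, use it, then tear it all down.
  (def iam (aws/client {:api :iam}))
  (->> (aws/invoke iam {:op :ListRoles}) :Roles (map :RoleName))

  ;; who am I? Bind the response directly instead of through *1, which silently
  ;; refers to whatever was evaluated last in the REPL.
  (def me (:User (aws/invoke iam {:op :GetUser})))

  ;; make a role to use for this example. The trust policy names only this
  ;; user's ARN as principal, so nobody else can assume the role. CreateRole
  ;; already returns the Role, so there is no need for a separate GetRole.
  (def new-role
    (:Role (aws/invoke iam {:op :CreateRole
                            :request {:RoleName "aws-api-example-role"
                                      :AssumeRolePolicyDocument
                                      (json/json-str
                                       {"Version" "2012-10-17",
                                        "Statement" [{"Effect" "Allow"
                                                      "Principal" {"AWS" [(:Arn me)]}
                                                      "Action" ["sts:AssumeRole"]}]})}})))

  ;; make a policy to use for this example: iam:GetUser on this user only.
  ;; Take the policy from the CreatePolicy response rather than regex-searching
  ;; ListPolicies, which is paginated and would also match an unrelated policy
  ;; whose ARN merely contains "IAMGetMe" (e.g. "IAMGetMe2").
  (def policy
    (:Policy (aws/invoke iam {:op :CreatePolicy
                              :request {:PolicyName "IAMGetMe"
                                        :PolicyDocument
                                        (json/json-str
                                         {"Version" "2012-10-17",
                                          "Statement" [{"Effect" "Allow"
                                                        "Action" ["iam:GetUser"]
                                                        "Resource" [(:Arn me)]}]})}})))

  ;; attach the new policy to the new role
  (aws/invoke iam {:op :AttachRolePolicy :request {:RoleName (:RoleName new-role)
                                                   :PolicyArn (:Arn policy)}})

  (def provider (assumed-role-credentials-provider (:Arn new-role)))
  ;; make a client using the assumed role credentials provider
  (def iam-with-assumed-role (aws/client {:api :iam :credentials-provider provider}))

  ;; use it! NOTE(review): IAM changes propagate eventually; if this call is denied
  ;; immediately after CreateRole/AttachRolePolicy, wait a few seconds and retry.
  (aws/invoke iam-with-assumed-role {:op :GetUser :request {:UserName (:UserName me)}})

  ;; clean up: detach first, delete the policy, delete the role last
  (aws/invoke iam {:op :DetachRolePolicy :request {:RoleName (:RoleName new-role) :PolicyArn (:Arn policy)}})
  (aws/invoke iam {:op :DeletePolicy :request {:PolicyArn (:Arn policy)}})
  (aws/invoke iam {:op :DeleteRole :request {:RoleName "aws-api-example-role"}})
  )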