From 455c82675bdaa9457afca47bc78580950d127891 Mon Sep 17 00:00:00 2001 From: lalithanagarur Date: Thu, 18 Apr 2024 12:21:24 +0100 Subject: [PATCH 1/4] added kms functionality --- CHANGELOG.md | 4 ++++ README.md | 10 +++++++++- examples/iam_config.json | 6 +++++- examples/iam_config.yaml | 4 ++++ examples/iam_policy.json | 15 +++++++++++++++ iam_builder/iam_builder.py | 6 ++++++ iam_builder/schemas/iam_schema.json | 7 +++++++ iam_builder/templates.py | 15 +++++++++++++++ pyproject.toml | 2 +- tests/expected_policy/all_config.json | 15 +++++++++++++++ tests/test_config/all_config.yaml | 4 ++++ 11 files changed, 85 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad33e77..67a39b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## v4.2.3 + +- added kms permissions + ## v4.2.2 - updated pypi action for trusted publisher diff --git a/README.md b/README.md index 15c9a25..b7d982b 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,9 @@ s3: deny: - test_bucket_read_write/sensitive_table/* + +kms: + - test_kms_key_arn ``` Whilst the example json (`iam_config.json`) looks like this: @@ -93,7 +96,8 @@ Whilst the example json (`iam_config.json`) looks like this: "test_bucket_read_write/*", "test_bucket_read_only/write_folder/*" ] - } + }, + "kms": ["test_kms_key_arn"] } ``` - **iam_role_name:** The role name of your airflow job; required if you want to run glue jobs or access secrets. 
@@ -115,6 +119,10 @@ Whilst the example json (`iam_config.json`) looks like this: - **read_write:** A list of s3 paths that the iam_role should be able to access (read and write). Each item in the list should either be a path to a object or finish with `/*` to denote that it can access everything within that directory. _Note the S3 paths don't start with `s3://` in the config._ - **deny:** A list of s3 paths that the iam_role should _not_ be able to access. This should be used to add exceptions to wildcarded access to folders, for example excluding sensitive tables in order to provide basic access to a database. Each item in the list should either be a path to a object or finish with `/*` to denote that it can access everything within that directory. _Note the S3 paths don't start with `s3://` in the config._ + +- **kms:**: A list of kms arns that the iam_role should be able to access. Can call the DescribeKey, GenerateDataKey, Decrypt, Encrypt and ReEncrypt + operations. + ## How to update When updating IAM builder, make sure to change the version number in `pyproject.toml` and describe the change in `CHANGELOG.md`. diff --git a/examples/iam_config.json b/examples/iam_config.json index cde8640..626557c 100644 --- a/examples/iam_config.json +++ b/examples/iam_config.json @@ -21,5 +21,9 @@ "deny": [ "test_bucket_read_write/sensitive_table/*" ] - } + }, + "kms": [ + "arn:aws:kms:test_region:test_account:key/test_key", + "arn:aws:kms:test_region_2:test_account:key/test_key_2" + ] } diff --git a/examples/iam_config.yaml b/examples/iam_config.yaml index fa9d56b..5b48ba9 100644 --- a/examples/iam_config.yaml +++ b/examples/iam_config.yaml @@ -23,3 +23,7 @@ s3: deny: - test_bucket_read_write/sensitive_table/* + +kms: + - arn:aws:kms:test_region:test_account:key/test_key + - arn:aws:kms:test_region_2:test_account:key/test_key_2 \ No newline at end of file diff --git a/examples/iam_policy.json b/examples/iam_policy.json index 366870b..b85da93 100644 
--- a/examples/iam_policy.json +++ b/examples/iam_policy.json @@ -271,6 +271,21 @@ "Resource": [ "arn:aws:kms:::key/*" ] + }, + { + "Sid": "kmsPermissions", + "Action": [ + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Encrypt", + "kms:DescribeKey", + "kms:Decrypt" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:kms:test_region:test_account:key/test_key", + "arn:aws:kms:test_region_2:test_account:key/test_key_2" + ] } ] } \ No newline at end of file diff --git a/iam_builder/iam_builder.py b/iam_builder/iam_builder.py index b05748c..2d7e497 100644 --- a/iam_builder/iam_builder.py +++ b/iam_builder/iam_builder.py @@ -11,6 +11,7 @@ get_deny_policy, get_s3_list_bucket_policy, get_secrets, + get_kms_permissions ) from iam_builder.iam_schema import validate_iam @@ -90,4 +91,9 @@ def build_iam_policy(config: dict) -> dict: # noqa: C901 iam["Statement"].append(secrets_statement) iam["Statement"].extend(iam_lookup["decrypt_statement"]) + if "kms" in config: + kms_arns = config["kms"] + kms_permissions = get_kms_permissions(kms_arns) + iam["Statement"].append(kms_permissions) + return iam diff --git a/iam_builder/schemas/iam_schema.json b/iam_builder/schemas/iam_schema.json index f87a261..c6662a3 100644 --- a/iam_builder/schemas/iam_schema.json +++ b/iam_builder/schemas/iam_schema.json @@ -74,6 +74,13 @@ } } }, + "kms": { + "description": "A list of kms key arns that the iam_role should be able to acces.", + "type": "array", + "items": { + "type": "string" + } + }, "role_duration_seconds":{ "description": "Max duration role can be assumed for in seconds", "type": "integer" diff --git a/iam_builder/templates.py b/iam_builder/templates.py index f8c32f3..f57cacd 100755 --- a/iam_builder/templates.py +++ b/iam_builder/templates.py 
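Review bot: The new `if "kms" in config:` block in build_iam_policy appends a statement whenever the key is present, so a config with `kms: []` (which the schema entry added on this same line accepts, since it sets no `minItems`) yields a statement whose `Resource` is an empty array — at best a dead statement, and likely rejected by IAM policy validation. Use `if config.get("kms"):` so an empty list is skipped, and pair it with `"minItems": 1` on the schema entry so the mistake is reported by validate_iam instead of surfacing as a broken policy. build_iam_policy begins outside the hunk, so I cannot see whether the earlier sections make the same presence-versus-emptiness distinction.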
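Review bot: The new `kms` schema entry constrains each item only to `"type": "string"`, so `"*"` or an ARN with a wildcard region and account passes validation and is then written unchanged into an Allow statement by the templates change. A `pattern` anchored on the ARN prefix, e.g. `"pattern": "^arn:aws[a-zA-Z-]*:kms:"`, would reject a bare `*` while still accepting the fixture ARNs used in the examples and tests. The description also has a typo: `acces` → `access`.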
@@ -372,3 +372,18 @@ def get_secrets(iam_role: str, write=False) -> dict:
 ]
 }
 return statement
+
+def get_kms_permissions(kms_arns: list) -> dict:
+ policy = {
+ "Sid": "kmsPermissions",
+ "Action": [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt"
+ ],
+ "Effect": "Allow",
+ "Resource": kms_arns,
+ }
+ return policy
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index ab3d1b3..7bd4e71 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.2.2"
+version = "4.2.3"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei "]
 license = "MIT"
diff --git a/tests/expected_policy/all_config.json b/tests/expected_policy/all_config.json
index dc0a398..80b4407 100644
--- a/tests/expected_policy/all_config.json
+++ b/tests/expected_policy/all_config.json
@@ -255,6 +255,21 @@
 "arn:aws:s3:::test_bucket_read_write",
 "arn:aws:s3:::test_bucket_write_only"
 ]
+ },
+ {
+ "Sid": "kmsPermissions",
+ "Action": [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:kms:test_region:test_account:key/test_key",
+ "arn:aws:kms:test_region_2:test_account:key/test_key_2"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/tests/test_config/all_config.yaml b/tests/test_config/all_config.yaml
index 9d76bab..4d2474b 100644
--- a/tests/test_config/all_config.yaml
+++ b/tests/test_config/all_config.yaml
@@ -16,3 +16,7 @@ s3:
 read_write:
 - test_bucket_read_write/*
 - test_bucket_read_only/write_folder/*
+
+kms:
+ - arn:aws:kms:test_region:test_account:key/test_key
+ - arn:aws:kms:test_region_2:test_account:key/test_key_2
From 2b4d724f074510772c2c77487fefc89c9527f3a4 Mon Sep 17 00:00:00 2001
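Review bot: get_kms_permissions places `kms_arns` into `Resource` unchecked, so the scope of this Allow on Decrypt, Encrypt and GenerateDataKey* is whatever string reaches it from the config; an entry of `*` (or an ARN with wildcard region and account) turns it into a grant on every key the role can reach, and nothing in the function guards against that. Since the tool exists to emit scoped role policies, I would reject entries that do not look like a KMS ARN before building the statement, and give the function a docstring stating that contract. Note also that `kms:ReEncrypt*` and `kms:GenerateDataKey*` cover ReEncryptFrom/ReEncryptTo and the GenerateDataKeyPair* variants, which is broader than the README wording on an earlier line; either is fine, but the documentation should say which. The file also loses its trailing newline here.
```python
def get_kms_permissions(kms_arns: list) -> dict:
    """Return an Allow statement for encrypt/decrypt use of the given KMS key ARNs.

    Raises ValueError if an entry does not look like a KMS ARN, so a stray
    "*" in the config cannot widen the grant to every key.
    """
    for arn in kms_arns:
        if not isinstance(arn, str) or not arn.startswith("arn:") or ":kms:" not in arn:
            raise ValueError(f"kms entry is not a KMS key ARN: {arn!r}")
    # … unchanged: policy dict with Sid, Action, Effect and Resource …
    return policy
```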
From: lalithanagarur Date: Thu, 18 Apr 2024 12:24:37 +0100 Subject: [PATCH 2/4] yamllint update --- .gitignore | 1 + examples/iam_config.yaml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index f0dbb41..e5e0808 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ dist __pycache__/ +venv diff --git a/examples/iam_config.yaml b/examples/iam_config.yaml index 5b48ba9..3183fc3 100644 --- a/examples/iam_config.yaml +++ b/examples/iam_config.yaml @@ -26,4 +26,4 @@ s3: kms: - arn:aws:kms:test_region:test_account:key/test_key - - arn:aws:kms:test_region_2:test_account:key/test_key_2 \ No newline at end of file + - arn:aws:kms:test_region_2:test_account:key/test_key_2 From 473d65525d3b33c3bc7e1b28d7a0db1ac981c812 Mon Sep 17 00:00:00 2001 From: lalithanagarur <123457715+lalithanagarur@users.noreply.github.com> Date: Thu, 18 Apr 2024 12:37:11 +0100 Subject: [PATCH 3/4] Update CHANGELOG.md Co-authored-by: Matthew Price --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67a39b6..2955d07 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## v4.2.3 +## v4.3.0 - added kms permissions From fca82ae9e3d46c1891396f3213b77a2d48fb24f1 Mon Sep 17 00:00:00 2001 From: lalithanagarur Date: Thu, 18 Apr 2024 12:38:07 +0100 Subject: [PATCH 4/4] updated version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 7bd4e71..13ffd36 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "iam_builder" -version = "4.2.3" +version = "4.3.0" description = "A lil python package to generate iam policies" authors = ["Karik Isichei "] license = "MIT"