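# Creates an IAM SAML identity provider through a Lambda-backed custom resource.
# The provider's ARN is used as the custom resource's PhysicalResourceId.
AWSTemplateFormatVersion: "2010-09-09"
Description: Create a SAML identity provider in IAM via a Lambda-backed custom resource
Parameters:
  MetadataDocument:
    Type: String
    Description: The XML metadata document to use when trusting the Identity Provider
    MinLength: 1
  SamlProviderName:
    Type: String
    Description: The name for your SAML provider in IAM
    Default: MyProvider
    # IAM SAML provider names are 1-128 characters from the set [A-Za-z0-9._-];
    # rejecting other values here gives a clear error before the handler runs.
    MinLength: 1
    MaxLength: 128
    AllowedPattern: '[\w._-]+'
Resources:
  # Custom resource whose Create/Update/Delete lifecycle is implemented by ProviderCreator.
  IdentityProvider:
    Type: Custom::IdentityProvider
    Properties:
      ServiceToken: !GetAtt ProviderCreator.Arn
      Region: !Ref "AWS::Region"
      Metadata: !Ref MetadataDocument
      Name: !Ref SamlProviderName
  ProviderCreator:
    Type: AWS::Lambda::Function
    Properties:
      # python2.7 is end-of-life and can no longer be used for new functions;
      # the handler below runs on a current Python 3 runtime.
      Runtime: python3.12
      Handler: index.lambda_handler
      MemorySize: 128
      Role: !GetAtt LambdaExecutionRole.Arn
      Timeout: 30
      Code:
        # !Sub expands the ${AWS::...} pseudo parameters inside the source, so no
        # other "${" may appear in the code.
        ZipFile: !Sub |
          import boto3
          from botocore.exceptions import ClientError
          import cfnresponse

          iam = boto3.client("iam")
          # Substituted by !Sub. Kept as strings: an account ID may start with 0,
          # which is a syntax error as a bare Python number literal.
          ACCOUNT_ID = "${AWS::AccountId}"
          PARTITION = "${AWS::Partition}"

          def provider_arn_for(name):
              # IAM ARNs carry no region
              return "arn:" + PARTITION + ":iam::" + ACCOUNT_ID + ":saml-provider/" + name

          def create_provider(name, doc):
              # returns (True, arn) or (False, reason)
              try:
                  resp = iam.create_saml_provider(SAMLMetadataDocument=doc, Name=name)
                  return (True, resp['SAMLProviderArn'])
              except Exception as e:
                  return (False, "Cannot create SAML provider: " + str(e))

          def delete_provider(arn):
              # returns (ok, reason); a provider that no longer exists counts as deleted
              try:
                  iam.delete_saml_provider(SAMLProviderArn=arn)
                  return (True, "SAML provider with ARN " + arn + " deleted")
              except ClientError as e:
                  if e.response['Error']['Code'] == "NoSuchEntity":
                      # no need to delete a thing that doesn't exist
                      return (True, "SAML provider with ARN " + arn + " does not exist, deletion succeeded")
                  return (False, "Cannot delete SAML provider with ARN " + arn + ": " + str(e))
              except Exception as e:
                  return (False, "Cannot delete SAML provider with ARN " + arn + ": " + str(e))

          def update_provider(arn, doc):
              # returns (ok, reason); replaces the metadata of the existing provider `arn`
              try:
                  iam.update_saml_provider(SAMLMetadataDocument=doc, SAMLProviderArn=arn)
                  return (True, "SAML provider " + arn + " updated")
              except Exception as e:
                  return (False, "Cannot update SAML provider " + arn + ": " + str(e))

          def lambda_handler(event, context):
              # Custom resource entry point; the provider ARN is the PhysicalResourceId.
              # Update only refreshes the metadata of the provider with the current Name
              # (a changed Name is not handled as a rename).
              request_type = event['RequestType']
              provider_xml = event['ResourceProperties']['Metadata']
              provider_name = event['ResourceProperties']['Name']
              # ARN derived from the name; a successful Create replaces it with the ARN IAM returns
              provider_arn = provider_arn_for(provider_name)
              if request_type == 'Create':
                  res, detail = create_provider(provider_name, provider_xml)
                  # on failure, detail is the error message, not an ARN
                  reason = "Creation succeeded" if res else detail
                  if res:
                      provider_arn = detail
              elif request_type == 'Update':
                  res, reason = update_provider(provider_arn, provider_xml)
              elif request_type == 'Delete':
                  res, reason = delete_provider(provider_arn)
              else:
                  res = False
                  reason = "Unknown operation: " + str(request_type)
              status = cfnresponse.SUCCESS if res else cfnresponse.FAILED
              cfnresponse.send(event, context, status, {'Reason': reason}, provider_arn)
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Only the three lifecycle calls the handler makes, and only on the
              # provider this stack manages rather than every SAML provider in the account.
              - Effect: Allow
                Action:
                  - iam:CreateSAMLProvider
                  - iam:UpdateSAMLProvider
                  - iam:DeleteSAMLProvider
                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:saml-provider/${SamlProviderName}
              # CloudWatch Logs for the function, limited to this account and region
              # (the log group name follows the generated function name, so it cannot
              # be referenced here without a circular dependency).
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*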