Permalink
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
aws-automated-saml-provider/lambda_handler.py
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
119 lines (107 sloc)
4.65 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import boto3 | |
| from botocore.exceptions import ClientError | |
| from botocore.vendored import requests | |
| sts = boto3.client("sts") | |
| s3 = boto3.resource("s3") | |
| SUCCESS = "SUCCESS" | |
| FAILED = "FAILED" | |
| def create_provider(name, doc, LambdaRole): | |
| assumedRoleObject = sts.assume_role(RoleArn=LambdaRole,RoleSessionName="AssumeRoleSession1") | |
| credentials = assumedRoleObject['Credentials'] | |
| session = boto3.Session( | |
| aws_access_key_id = credentials['AccessKeyId'], | |
| aws_secret_access_key = credentials['SecretAccessKey'], | |
| aws_session_token = credentials['SessionToken'], | |
| ) | |
| iam = session.client("iam") | |
| try: | |
| resp = iam.create_saml_provider(SAMLMetadataDocument=doc,Name=name) | |
| return("SUCCESS", "SAML provider with ARN " + resp['SAMLProviderArn'] + " created") | |
| except Exception as e: | |
| return ("FAILED", "Cannot create SAML provider: " + str(e)) | |
| def delete_provider(arn, LambdaRole): | |
| assumedRoleObject = sts.assume_role(RoleArn=LambdaRole,RoleSessionName="AssumeRoleSession1") | |
| credentials = assumedRoleObject['Credentials'] | |
| session = boto3.Session( | |
| aws_access_key_id = credentials['AccessKeyId'], | |
| aws_secret_access_key = credentials['SecretAccessKey'], | |
| aws_session_token = credentials['SessionToken'], | |
| ) | |
| iam = session.client("iam") | |
| try: | |
| resp = iam.delete_saml_provider(SAMLProviderArn=arn) | |
| return ("SUCCESS", "SAML provider with ARN " + arn + " deleted") | |
| except ClientError as e: | |
| if e.response['Error']['Code'] == "NoSuchEntity": | |
| # no need to delete a thing that doesn't exist | |
| return ("SUCCESS", "SAML provider with ARN " + arn + " does not exist, deletion succeeded") | |
| else: | |
| return ("FAILED", "Cannot delete SAML provider with ARN " + arn + ": " + str(e)) | |
| except Exception as e: | |
| return ("FAILED", "Cannot delete SAML provider with ARN " + arn + ": " + str(e)) | |
| def update_provider(arn, doc, LambdaRole): | |
| assumedRoleObject = sts.assume_role(RoleArn=LambdaRole,RoleSessionName="AssumeRoleSession1") | |
| credentials = assumedRoleObject['Credentials'] | |
| session = boto3.Session( | |
| aws_access_key_id = credentials['AccessKeyId'], | |
| aws_secret_access_key = credentials['SecretAccessKey'], | |
| aws_session_token = credentials['SessionToken'], | |
| ) | |
| iam = session.client("iam") | |
| try: | |
| resp = iam.update_saml_provider(SAMLMetadataDocument=doc, SAMLProviderArn=arn) | |
| return ("SUCCESS", "SAML provider " + arn + " updated") | |
| except Exception as e: | |
| return ("FAILED", "Cannot update SAML provider " + arn + ": " + str(e)) | |
| def send(responseUrl, responseBody): | |
| json_responseBody = json.dumps(responseBody) | |
| headers = { | |
| 'content-type' : '', | |
| 'content-length' : str(len(json_responseBody)) | |
| } | |
| try: | |
| response = requests.put(responseUrl, | |
| data=json_responseBody, | |
| headers=headers) | |
| print "Status code: " + response.reason | |
| except Exception as e: | |
| print "send(..) failed executing requests.put(..): " + str(e) | |
| def lambda_handler(event, context): | |
| messageString = event['Records'][0]['Sns']['Message'] | |
| messageObject = json.loads(messageString) | |
| RequestType = messageObject['RequestType'] | |
| responseUrl = messageObject['ResponseURL'] | |
| StackId = messageObject['StackId'] | |
| RequestId = messageObject['RequestId'] | |
| LogicalResourceId = messageObject['LogicalResourceId'] | |
| ResourceType = messageObject['ResourceType'] | |
| ServiceToken = messageObject['ResourceProperties']['ServiceToken'] | |
| AWSAccount = messageObject['ResourceProperties']['AWSAccount'] | |
| LambdaRole = messageObject['ResourceProperties']['LambdaRole'] | |
| bucketName = "<Cental Account S3 Bucket>" | |
| objectKey = "metadata/metadata.xml" <---This Can be Changed to fit your needs! | |
| samlName = "<SAML Provider Name>" | |
| fileObject = s3.Object(bucketName,objectKey) | |
| fileContents = fileObject.get()['Body'].read().decode('utf-8') | |
| provider_arn = "arn:aws:iam::" + str(AWSAccount) + ":saml-provider/" + samlName | |
| if RequestType == 'Create': | |
| res, provider_arn = create_provider(samlName, fileContents, LambdaRole) | |
| reason = "Creation succeeded" | |
| elif RequestType == 'Update': | |
| res, reason = update_provider(provider_arn, fileContents, LambdaRole) | |
| elif RequestType == 'Delete': | |
| res, reason = delete_provider(provider_arn, LambdaRole) | |
| else: | |
| res = "FAILED" | |
| reason = "Unknown operation: " + str(RequestType) | |
| responseBody = {} | |
| responseBody['Status'] = res | |
| responseBody['Reason'] = reason | |
| responseBody['PhysicalResourceId'] = "None" | |
| responseBody['StackId'] = StackId | |
| responseBody['RequestId'] = RequestId | |
| responseBody['LogicalResourceId'] = LogicalResourceId | |
| responseBody['NoEcho'] = "False" | |
| responseBody['Data'] = {} | |
| send(responseUrl, responseBody) |