Zuzur’s wobleg

technology, Internet, and a bit of this and that (with some dyslexia inside)

Some Fun With Groovy and AWS Identity and Access Management

I’m currently playing with the all-new AWS Identity and Access Management, and wanted to share some Groovy magic to play with users and groups …

    @Grapes([
      @Grab(group='com.amazonaws', module='aws-java-sdk', version='1.0.11')
    ])

    import com.amazonaws.auth.BasicAWSCredentials
    import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient
    import com.amazonaws.services.identitymanagement.model.*

    // Placeholders: supply the real key pair from outside the script
    AWS_ACCESS_KEY = 'MY AWESOME KEY'
    AWS_SECRET_KEY = 'MY EVEN MORE AWESOME KEY'

    def cred = new BasicAWSCredentials(AWS_ACCESS_KEY, AWS_SECRET_KEY)

    // IAM client; every call below is signed with the credentials above
    def ami = new AmazonIdentityManagementClient(cred)

    println "Group 'Administrators' ?"

    // Look the group up, and create it if IAM reports that it does not exist
    def admins = null
    try {
      admins = ami.getGroup(new GetGroupRequest().withGroupName('Administrators'))?.group
    } catch (NoSuchEntityException e) {
      println "Didn't find group 'Administrators' : creating it ..."
      admins = ami.createGroup(new CreateGroupRequest().withGroupName('Administrators')).group
    }
    println admins

    println "User 'erwan' ?"

    // Same get-or-create pattern for the user
    def erwan = null
    try {
      erwan = ami.getUser(new GetUserRequest().withUserName('erwan'))?.user
    } catch (NoSuchEntityException e) {
      println "Didn't find user 'erwan' : creating it ..."
      erwan = ami.createUser(new CreateUserRequest().withUserName('erwan')).user
    }

    println erwan

    if (erwan) {
      println "Listing erwan's groups ..."
      // Collect the names of the groups the user already belongs to
      def groups = ami.listGroupsForUser(new ListGroupsForUserRequest().withUserName(erwan.userName)).groups.collect {
        it.groupName
      }
      println groups

      // Only add the membership when it is missing, so the script can be re-run
      if (!groups.contains('Administrators')) {
        println "Adding user 'erwan' to 'Administrators'"
        ami.addUserToGroup(new AddUserToGroupRequest().withUserName(erwan.userName).withGroupName(admins.groupName))
      }
      println "done !"
    }

Even with some groove in it, Java is still way too verbose for my taste, but I guess I’ll have to live with it … And this is the output of the awesome script:

    Group 'Administrators' ?
    4 oct. 2010 19:05:50 com.amazonaws.http.HttpClient execute
    INFO: Sending Request: POST https://iam.amazonaws.com / Parameters: (Action: GetGroup, GroupName: Administrators, SignatureMethod: HmacSHA256, AWSAccessKeyId: MY AWESOME KEY, Version: 2010-05-08, SignatureVersion: 2, Timestamp: 2010-10-04T17:05:50.839Z, Signature: 3V3lEJzcqXXXXXXXXXXXXBeyMx9DzwFXA=, )
    4 oct. 2010 19:05:51 com.amazonaws.http.HttpClient handleResponse
    INFO: Received successful response: 200, AWS Request ID: a40b6fd5-cfd9-11df-8b03-8bc9f2ff0492
    {Path: /, GroupName: Administrators, GroupId: AGPAJZSRVEMSLHZEOKMI6, Arn: arn:aws:iam::XXXXXXXXXXXXX:group/Administrators, }
    User 'erwan' ?
    4 oct. 2010 19:05:51 com.amazonaws.http.HttpClient execute
    INFO: Sending Request: POST https://iam.amazonaws.com / Parameters: (Action: GetUser, SignatureMethod: HmacSHA256, UserName: erwan, AWSAccessKeyId: MY AWESOME KEY, Version: 2010-05-08, SignatureVersion: 2, Timestamp: 2010-10-04T17:05:51.222Z, Signature: XXXXXXXXXXXXXXXXXXXXXXXXXXXX, )
    4 oct. 2010 19:05:51 com.amazonaws.http.HttpClient handleResponse
    INFO: Received successful response: 200, AWS Request ID: a422f04a-cfd9-11df-b738-6709d34e9585
    {Path: /, UserName: erwan, UserId: XXXXXXXXXXXXXXXXXXXXXXX, Arn: arn:aws:iam::XXXXXXXXXXXXXX:user/erwan, }
    Listing erwan's groups ...
    4 oct. 2010 19:05:51 com.amazonaws.http.HttpClient execute
    INFO: Sending Request: POST https://iam.amazonaws.com / Parameters: (Action: ListGroupsForUser, SignatureMethod: HmacSHA256, UserName: erwan, AWSAccessKeyId: MY AWESOME KEY, Version: 2010-05-08, SignatureVersion: 2, Timestamp: 2010-10-04T17:05:51.388Z, Signature: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX, )
    4 oct. 2010 19:05:51 com.amazonaws.http.HttpClient handleResponse
    INFO: Received successful response: 200, AWS Request ID: a43bf67d-cfd9-11df-a1ef-f7061c8dca90
    []
    Adding user 'erwan' to 'Administrators'
    4 oct. 2010 19:05:51 com.amazonaws.http.HttpClient execute
    INFO: Sending Request: POST https://iam.amazonaws.com / Parameters: (Action: AddUserToGroup, GroupName: Administrators, SignatureMethod: HmacSHA256, UserName: erwan, AWSAccessKeyId: MY AWESOME KEY, Version: 2010-05-08, SignatureVersion: 2, Timestamp: 2010-10-04T17:05:51.569Z, Signature: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX )
    4 oct. 2010 19:05:51 com.amazonaws.http.HttpClient handleResponse
    INFO: Received successful response: 200, AWS Request ID: a457e216-cfd9-11df-a356-3d1e141e353d
    done !

AWESOME !! \o/
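The request lines in the output above carry the access key id, the request signature and the account id. As an added example (not part of the original post), this Groovy snippet installs a `java.util.logging` filter that masks those values before they are written. It assumes the SDK's messages reach `java.util.logging`, as the layout of the output suggests; the sample records and the `[REDACTED]` / `[ACCOUNT]` markers are constructed for the example.

```groovy
import java.util.logging.Filter
import java.util.logging.Level
import java.util.logging.LogRecord
import java.util.logging.Logger

// Mask the signing parameters printed in the "Sending Request" line,
// and the account id embedded in IAM ARNs.
def redact = { String msg ->
    def out = msg.replaceAll(/\b(AWSAccessKeyId|Signature): [^,)]*/) { all, name ->
        "${name}: [REDACTED]"
    }
    out.replaceAll(/(arn:aws:iam::)[^:]*:/) { all, prefix -> "${prefix}[ACCOUNT]:" }
}

// java.util.logging filter: rewrite the record in place, then let it through.
def scrubber = { LogRecord r ->
    if (r.message) r.message = redact(r.message)
    true
} as Filter

// Logger filters are not inherited by child loggers, so hook the handlers
// that actually write the output (the root console handler by default).
Logger.getLogger('').handlers.each { it.filter = scrubber }

// Constructed sample records shaped like the output above (values are made up).
def samples = [
    'Sending Request: POST https://iam.amazonaws.com / Parameters: (Action: GetUser, ' +
    'UserName: erwan, AWSAccessKeyId: EXAMPLEKEYID, SignatureVersion: 2, ' +
    'Signature: c2FtcGxlLXNpZ25hdHVyZQ==, )',
    '{Path: /, GroupName: Administrators, Arn: arn:aws:iam::000000000000:group/Administrators, }'
]

samples.each { text ->
    def record = new LogRecord(Level.INFO, text)
    assert scrubber.isLoggable(record)          // the record is kept, only rewritten
    println record.message
    assert !record.message.contains('EXAMPLEKEYID')
    assert !record.message.contains('c2FtcGxl')
    assert !record.message.contains('000000000000')
}
```

The filter only covers what goes through the logging handlers; the group and user objects that the script prints with `println` would still need `redact` applied by hand.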

Next, I’ll make something useful out of it, like Unix’s adduser/addgroup scripts that will create individual developers’ and admins’ access keys, play with policies in order to restrict usage based on group membership, try to reduce Groovy’s startup time by preloading the interpreter, etc …