This repository has been archived by the owner on Sep 18, 2023. It is now read-only.

Extend the group role map builder account alias function to accommodate other data producers #251

Open
gene1wood opened this issue Sep 2, 2022 · 0 comments

@gene1wood
Contributor

Extend the group role map builder account alias function to accommodate other data producers by only updating records in the alias map instead of overwriting the map.

This will allow another tool that connects to AWS Organizations to fetch account ID and alias information to also run to get a more comprehensive alias map (including AWS Accounts that aren't using mozilla-aws-cli).

Modify this section

    alias_map = {}
    for assumed_role_arn in assumed_role_arns:
        aws_account_id = assumed_role_arn.split(':')[4]
        logger.debug('Fetching policies from {}'.format(aws_account_id))
        client_sts = boto3.client('sts')
        limiting_policy = {
            'Version': '2012-10-17',
            'Statement': [
                {'Effect': 'Allow',
                 'Action': ['iam:ListRoles', 'iam:ListAccountAliases'],
                 'Resource': '*'}
            ],
        }

so that it starts by fetching the existing map file and then updating it.

@gene1wood gene1wood added Type: enhancement New feature or request Priority: low labels Sep 2, 2022
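
One way the read-then-update behaviour requested in this issue could look, as an added sketch that is not code from this repository. It assumes the alias map is a JSON file mapping a 12-digit account ID to a list of aliases; the function names, the local file path and the rule that an empty alias list never replaces an existing record are choices of this example.

```python
import json
import os
import re
import tempfile

ACCOUNT_ID_RE = re.compile(r'[0-9]{12}')  # AWS account IDs are 12 digits


def merge_alias_map(existing, fetched):
    """Return a copy of existing with only the fetched records updated."""
    merged = dict(existing)
    for account_id, aliases in fetched.items():
        if not ACCOUNT_ID_RE.fullmatch(account_id):
            raise ValueError('Invalid AWS account ID: {!r}'.format(account_id))
        if not aliases:
            # Example's choice: an empty result from one producer must not
            # erase an alias that another producer already recorded.
            continue
        merged[account_id] = sorted(set(aliases))
    return merged


def update_alias_map_file(path, fetched):
    """Read the existing map file, merge fetched into it, write it back."""
    try:
        with open(path) as f:
            existing = json.load(f)
    except FileNotFoundError:
        existing = {}  # first run: no map has been published yet
    merged = merge_alias_map(existing, fetched)
    # Write to a temp file in the same directory, then rename over the
    # target, so a reader never sees a partially written map.
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, 'w') as f:
            json.dump(merged, f, indent=2, sort_keys=True)
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return merged


if __name__ == '__main__':
    # Constructed sample data: one record from another producer, one new.
    demo_path = os.path.join(tempfile.mkdtemp(), 'alias_map.json')
    with open(demo_path, 'w') as f:
        json.dump({'111111111111': ['from-organizations']}, f)
    print(update_alias_map_file(demo_path, {'222222222222': ['from-builder']}))
```

Because records are only added or updated, an entry for an account that has since been closed stays in the map until something removes it explicitly. The atomic rename protects readers from partial files, but two producers running at the same moment can still overwrite each other's update unless their runs are serialized.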