#!/usr/bin/env python # -*- coding: utf-8 -*- """ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: MIT-0 * * Permission is hereby granted, free of charge, to any person obtaining a copy of this * software and associated documentation files (the "Software"), to deal in the Software * without restriction, including without limitation the rights to use, copy, modify, * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. """ from functools import lru_cache from typing import Optional, Dict, TYPE_CHECKING import boto3 if TYPE_CHECKING: from mypy_boto3_iam import IAMClient __all__ = ["IAM"] AWS_SSO_ROLE_PREFIX = "AWSReservedSSO_" class IAM: def __init__(self, session: Optional[boto3.Session] = None) -> None: if not session: session = boto3._get_default_session() self.client: IAMClient = session.client("iam") self._roles: Dict[str, str] = {} def get_sso_roles(self) -> Dict[str, str]: """ Get the list of AWS SSO permission set role ARNs organized by the permission set name """ if self._roles: return self._roles roles = {} paginator = self.client.get_paginator("list_roles") page_iterator = paginator.paginate(PaginationConfig={"PageSize": 1000}) for page in page_iterator: for role in page.get("Roles", []): if role["RoleName"].startswith(AWS_SSO_ROLE_PREFIX): # AWSReservedSSO_AWSAdministratorAccess_a1ff75f56dfb0e2f -> AWSAdministratorAccess permission_set_name = role["RoleName"].rsplit("_", 1)[0].replace(AWS_SSO_ROLE_PREFIX, "") roles[permission_set_name] = role["Arn"] self._roles = roles return roles @lru_cache def get_role_arn(self, permission_set_name: str) -> Optional[str]: roles = self.get_sso_roles() return roles.get(permission_set_name)