return {

"Version": "2008-10-17",

"Statement": [

{

"Sid": "",

"Effect": "Allow",

"Principal": {"Service": serviceprincipal},

"Action": "sts:AssumeRole"

}

]

region_suffix = get_policy_arn_suffix(region)

role_arn = ROLE_ARN_PATTERN.replace("{{region_suffix}}", region_suffix)

role_arn = role_arn.replace("{{policy_name}}", policy_name)

if service == EC2:

return EC2_SERVICE_PRINCIPAL

suffix, region = _get_suffix_and_region_from_endpoint_host(endpoint_host)

if session is None:

session = botocore.session.Session()

if service == EMR_AUTOSCALING_SERVICE_NAME:

if region not in session.get_available_regions('emr', 'aws-cn'):

return EMR_AUTOSCALING_SERVICE_PRINCIPAL

suffix_match = _get_regex_match_from_endpoint_host(endpoint_host)

if suffix_match is not None and suffix_match.lastindex >= 3:

suffix = suffix_match.group(3)

region = suffix_match.group(2)

else:

raise ResolveServicePrincipalError

if endpoint_host is None:

return None

regex_match = re.match("(https?://)([^.]+).elasticmapreduce.([^/]*)",

endpoint_host)

# Supports 'elasticmapreduce.{region}.' and '{region}.elasticmapreduce.'

if regex_match is None:

regex_match = re.match("(https?://elasticmapreduce).([^.]+).([^/]*)",

endpoint_host)

NAME = "create-default-roles"

DESCRIPTION = ('Creates the default IAM role ' +

EC2_ROLE_NAME + ' and ' +

EMR_ROLE_NAME + ' which can be used when creating the'

' cluster using the create-cluster command. The default'

' roles for EMR use managed policies, which are updated'

' automatically to support future EMR functionality.\n'

'\nIf you do not have a Service Role and Instance Profile '

'variable set for your create-cluster command in the AWS '

'CLI config file, create-default-roles will automatically '

'set the values for these variables with these default '

'roles. If you have already set a value for Service Role '

'or Instance Profile, create-default-roles will not '

'automatically set the defaults for these variables in the '

'AWS CLI config file. You can view settings for variables '

'in the config file using the "aws configure get" command.'

'\n')

ARG_TABLE = [

{'name': 'iam-endpoint',

'no_paramfile': True,

'help_text': '<p>The IAM endpoint to call for creating the roles.'

' This is optional and should only be specified when a'

' custom endpoint should be called for IAM operations'

'.</p>'}

]

def _run_main_command(self, parsed_args, parsed_globals):

self.iam_endpoint_url = parsed_args.iam_endpoint

self._check_for_iam_endpoint(self.region, self.iam_endpoint_url)

self.emr_endpoint_url = \

self._session.create_client(

'emr',

region_name=self.region,

endpoint_url=parsed_globals.endpoint_url,

verify=parsed_globals.verify_ssl).meta.endpoint_url

LOG.debug('elasticmapreduce endpoint used for resolving'

' service principal: ' + self.emr_endpoint_url)

# Create default EC2 Role for EMR if it does not exist.

ec2_result, ec2_policy = self._create_role_if_not_exists(parsed_globals, EC2_ROLE_NAME,

EC2_ROLE_POLICY_NAME, [EC2])

# Create default EC2 Instance Profile for EMR if it does not exist.

instance_profile_name = EC2_ROLE_NAME

if self.check_if_instance_profile_exists(instance_profile_name,

parsed_globals):

LOG.debug('Instance Profile ' + instance_profile_name + ' exists.')

else:

LOG.debug('Instance Profile ' + instance_profile_name +

'does not exist. Creating default Instance Profile ' +

instance_profile_name)

self._create_instance_profile_with_role(instance_profile_name,

instance_profile_name,

parsed_globals)

# Create default EMR Role if it does not exist.

emr_result, emr_policy = self._create_role_if_not_exists(parsed_globals, EMR_ROLE_NAME,

EMR_ROLE_POLICY_NAME, [EMR])

# Create default EMR AutoScaling Role if it does not exist.

emr_autoscaling_result, emr_autoscaling_policy = \

self._create_role_if_not_exists(parsed_globals, EMR_AUTOSCALING_ROLE_NAME,

EMR_AUTOSCALING_ROLE_POLICY_NAME, [EMR, APPLICATION_AUTOSCALING])

configutils.update_roles(self._session)

emrutils.display_response(

self._session,

'create_role',

self._construct_result(ec2_result, ec2_policy,

emr_result, emr_policy,

emr_autoscaling_result, emr_autoscaling_policy),

parsed_globals)

return 0

def _create_role_if_not_exists(self, parsed_globals, role_name, policy_name, service_names):

result = None

policy = None

if self.check_if_role_exists(role_name, parsed_globals):

LOG.debug('Role ' + role_name + ' exists.')

else:

LOG.debug('Role ' + role_name + ' does not exist.'

' Creating default role: ' + role_name)

role_arn = get_role_policy_arn(self.region, policy_name)

result = self._create_role_with_role_policy(

role_name, service_names, role_arn, parsed_globals)

policy = self._get_role_policy(role_arn, parsed_globals)

return result, policy

def _check_for_iam_endpoint(self, region, iam_endpoint):

try:

self._session.create_client('emr', region)

except botocore.exceptions.UnknownEndpointError:

if iam_endpoint is None:

raise exceptions.UnknownIamEndpointError(region=region)

def _construct_result(self, ec2_response, ec2_policy,

emr_response, emr_policy,

emr_autoscaling_response, emr_autoscaling_policy):

result = []

self._construct_role_and_role_policy_structure(

result, ec2_response, ec2_policy)

self._construct_role_and_role_policy_structure(

result, emr_response, emr_policy)

self._construct_role_and_role_policy_structure(

result, emr_autoscaling_response, emr_autoscaling_policy)

return result

def _construct_role_and_role_policy_structure(

self, list, response, policy):

if response is not None and response['Role'] is not None:

list.append({'Role': response['Role'], 'RolePolicy': policy})

return list

def check_if_role_exists(self, role_name, parsed_globals):

parameters = {'RoleName': role_name}

try:

self._call_iam_operation('GetRole', parameters, parsed_globals)

except botocore.exceptions.ClientError as e:

role_not_found_code = "NoSuchEntity"

error_code = e.response.get('Error', {}).get('Code', '')

if role_not_found_code == error_code:

# No role error.

return False

else:

# Some other error. raise.

raise e

return True

def check_if_instance_profile_exists(self, instance_profile_name,

parsed_globals):

parameters = {'InstanceProfileName': instance_profile_name}

try:

self._call_iam_operation('GetInstanceProfile', parameters,

parsed_globals)

except botocore.exceptions.ClientError as e:

profile_not_found_code = 'NoSuchEntity'

error_code = e.response.get('Error', {}).get('Code')

if profile_not_found_code == error_code:

# No instance profile error.

return False

else:

# Some other error. raise.

raise e

return True

def _get_role_policy(self, arn, parsed_globals):

parameters = {}

parameters['PolicyArn'] = arn

policy_details = self._call_iam_operation('GetPolicy', parameters,

parsed_globals)

parameters["VersionId"] = policy_details["Policy"]["DefaultVersionId"]

policy_version_details = self._call_iam_operation('GetPolicyVersion',

parameters,

parsed_globals)

return policy_version_details["PolicyVersion"]["Document"]

def _create_role_with_role_policy(

self, role_name, service_names, role_arn, parsed_globals):

if len(service_names) == 1:

service_principal = get_service_principal(

service_names[0], self.emr_endpoint_url, self._session)

else:

service_principal = []

for service in service_names:

service_principal.append(get_service_principal(

service, self.emr_endpoint_url, self._session))

LOG.debug(f'Adding service principal(s) to trust policy: {service_principal}')

parameters = {'RoleName': role_name}

_assume_role_policy = \

emrutils.dict_to_string(assume_role_policy(service_principal))

parameters['AssumeRolePolicyDocument'] = _assume_role_policy

create_role_response = self._call_iam_operation('CreateRole',

parameters,

parsed_globals)

parameters = {}

parameters['PolicyArn'] = role_arn

parameters['RoleName'] = role_name

self._call_iam_operation('AttachRolePolicy',

parameters, parsed_globals)

return create_role_response

def _create_instance_profile_with_role(self, instance_profile_name,

role_name, parsed_globals):

# Creating an Instance Profile

parameters = {'InstanceProfileName': instance_profile_name}

self._call_iam_operation('CreateInstanceProfile', parameters,

parsed_globals)

# Adding the role to the Instance Profile

parameters = {}

parameters['InstanceProfileName'] = instance_profile_name

parameters['RoleName'] = role_name

self._call_iam_operation('AddRoleToInstanceProfile', parameters,

parsed_globals)

def _call_iam_operation(self, operation_name, parameters, parsed_globals):

client = self._session.create_client(

'iam', region_name=self.region, endpoint_url=self.iam_endpoint_url,

verify=parsed_globals.verify_ssl)