Note: this is an enhancement request, the code itself has no bug but is very
hard to use for end users.
What steps will reproduce the problem?
1. Create/get an EC2 Instance object that has an IAM role set (and so a
non-None instance_profile)
2. Read the object.instance_profile dictionary. It would look like: dict{u'id':
u'AIPA126679EF3454', u'arn':
u'arn:aws:iam::567994624645:instance-profile/YOUR_IAM_ROLE'}
3. Try to use this dictionary to do any operation on the profile/IAM role.
Realize no method uses the profile "id" and that the "name" needs to be
extracted from the complex "arn" string.
What is the expected output? What do you see instead?
Since all IAM methods (from boto/iam/connection.py) access the profiles by
their names, it would be expected to have an easy way to extract the profile
name from an instance_profile. It is, however, a very complex operation (see
code example below).
What version of the product are you using? On what operating system?
boto 2.31.1 on Linux CentOS 6 (python 2.6.6)
Please provide any additional information below.
The instance_profile field of an ec2.Instance object contains a dictionary like
the following:
dict{u'id': u'AIPA126679EF3454', u'arn':
u'arn:aws:iam::567994624645:instance-profile/YOUR_IAM_ROLE'}
So this dictionary gives us easy access to the profile "id".
However, while looking at "boto/iam/connection.py", we can see that most (all?)
profile methods use "name", not "id".
To (safely, without unsafe string matching or regexp) extract the actual name
from the "arn" string above, users need to do complex operations like the
following:

    from boto.iam.connection import IAMConnection

    # Assuming instanceObj is a valid ec2.Instance object
    myProfile = instanceObj.instance_profile
    myArn = myProfile.get(u'arn')
    profileName = None
    # list_instance_profiles() returns one nested response dictionary,
    # so it is indexed directly rather than iterated.
    profileResponse = IAMConnection().list_instance_profiles()
    actualContentForInstanceProfiles = profileResponse['list_instance_profiles_response']['list_instance_profiles_result']['instance_profiles']
    # Compare each listed profile's ARN with the one attached to the instance
    for instanceProfile in actualContentForInstanceProfiles:
        if instanceProfile[u'arn'] == myArn:
            profileName = instanceProfile['instance_profile_name']
            break

In consequence, linking "instance_profile" to what an ec2.Instance
actually uses is very hard for the user.
It could be enhanced by having a utility method like
"get_instance_profile_name_from_id()" or by having the methods using "name" in
"boto/iam/connection.py" also accept an "id" (and then perform the actual
conversion internally).
Original issue reported on code.google.com by wbour...@secureops.com on 16 Jul 2014 at 4:48
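
An offline alternative to the API lookup in the report, as an added example that is not part of the original issue or of boto: the ARN is split into its six fields and each one is checked before the name is taken from the resource part. The function name is hypothetical, and the accepted partitions and the name character set are assumptions based on the documented IAM ARN format.

```python
import re

# Assumptions: known AWS partitions and the IAM character set for profile names.
_PARTITIONS = ('aws', 'aws-cn', 'aws-us-gov')
_ACCOUNT_RE = re.compile(r'\A[0-9]{12}\Z')
_NAME_RE = re.compile(r'\A[A-Za-z0-9_+=,.@-]{1,128}\Z')


def instance_profile_name_from_arn(arn):
    """Return the instance profile name from its ARN, or raise ValueError.

    Hypothetical helper, not part of boto. The result is the profile name;
    the role attached to the profile can have a different name.
    """
    fields = arn.split(':')
    # An IAM ARN has exactly six colon-separated fields; the region is empty.
    if len(fields) != 6:
        raise ValueError('not a six-field ARN: %r' % (arn,))
    prefix, partition, service, region, account, resource = fields
    if prefix != 'arn' or partition not in _PARTITIONS:
        raise ValueError('unexpected prefix or partition: %r' % (arn,))
    if service != 'iam' or region != '':
        raise ValueError('not an IAM ARN: %r' % (arn,))
    if not _ACCOUNT_RE.match(account):
        raise ValueError('account id is not 12 digits: %r' % (arn,))
    # Reject other IAM resource types (role/, user/, ...) instead of guessing.
    resource_type, sep, path_and_name = resource.partition('/')
    if resource_type != 'instance-profile' or not sep:
        raise ValueError('not an instance-profile ARN: %r' % (arn,))
    # A profile created with a path appears as instance-profile/a/b/NAME,
    # so the name is always the last segment.
    name = path_and_name.rsplit('/', 1)[-1]
    if not _NAME_RE.match(name):
        raise ValueError('invalid instance profile name: %r' % (arn,))
    return name


if __name__ == '__main__':
    # First ARN is the one shown in the report; the others are constructed.
    for sample in (
        'arn:aws:iam::567994624645:instance-profile/YOUR_IAM_ROLE',
        'arn:aws:iam::567994624645:instance-profile/app/prod/web',
        'arn:aws:iam::567994624645:role/YOUR_IAM_ROLE',
    ):
        try:
            print(instance_profile_name_from_arn(sample))
        except ValueError as exc:
            print('rejected: %s' % exc)
```

The returned name can be passed to the name-based methods in boto/iam/connection.py, such as get_instance_profile().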