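/// <summary>
/// Creates an IAM role named <c>configurationProvider.ShortApplicationName</c> that the EC2 service
/// may assume, creates an instance profile of the same name and adds the role to it. When
/// <paramref name="excuteApiUriForPolicy"/> is non-blank, a customer-managed policy granting
/// <c>execute-api:Invoke</c> on that API Gateway resource is also created and attached to the role.
/// Returns without any IAM call when <see cref="RoleAlreadyExistsAsync"/> reports the role exists.
/// </summary>
/// <param name="excuteApiUriForPolicy">
/// Resource suffix appended to <c>arn:aws:execute-api:*:*:</c> in the policy's <c>Resource</c> field.
/// Optional; an empty or whitespace value skips policy creation entirely.
/// </param>
/// <exception cref="System.ArgumentException">
/// Thrown when <paramref name="excuteApiUriForPolicy"/> contains a double quote, a backslash or a
/// control character, since the value is spliced verbatim into a JSON string literal and such
/// characters could break out of it or alter the resulting policy.
/// </exception>
public async Task EnsureEc2ServiceRoleExistsAsync(string excuteApiUriForPolicy = "")
{
    if (await RoleAlreadyExistsAsync())
    {
        loggerProvider.GetLogger()
            .Debug("Role with roleName {roleName} already exists", configurationProvider.ShortApplicationName);
        return;
    }

    // Validate before any IAM call so a rejected argument leaves no half-created role behind.
    var hasPolicy = !string.IsNullOrWhiteSpace(excuteApiUriForPolicy);
    if (hasPolicy && ContainsJsonLiteralBreakingChars(excuteApiUriForPolicy))
    {
        throw new System.ArgumentException(
            "The execute-api resource must not contain quotes, backslashes or control characters.",
            nameof(excuteApiUriForPolicy));
    }

    using (var iamClient = new AmazonIdentityManagementServiceClient(credentials,
        configurationProvider.RegionEndpoint))
    {
        // Trust policy: only the EC2 service principal may call sts:AssumeRole on this role.
        var createRoleResponse = await iamClient.CreateRoleAsync(new CreateRoleRequest
        {
            RoleName = configurationProvider.ShortApplicationName,
            AssumeRolePolicyDocument =
                "{\"Version\": \"2012-10-17\", \"Statement\": {\"Effect\": \"Allow\", \"Principal\": { \"Service\": \"ec2.amazonaws.com\"}, \"Action\": \"sts:AssumeRole\"}}"
        });
        loggerProvider.GetLogger().Debug("The IAM Uri is " + excuteApiUriForPolicy);

        if (hasPolicy)
        {
            // Region and account are wildcards in the ARN, so the grant is scoped only by the
            // caller-supplied resource suffix.
            var policyDocument =
                "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\",\"Action\": [\"execute-api:Invoke\"],\"Resource\": \"arn:aws:execute-api:*:*:" +
                excuteApiUriForPolicy + "\"}]}";
            loggerProvider.GetLogger().Debug("The new Policy Reads : " + policyDocument);

            // NOTE(review): the policy name is fixed, so a second call with a policy in the same
            // account would fail at CreatePolicy with an already-exists error — confirm this is intended.
            var newPolicy = await iamClient.CreatePolicyAsync(new CreatePolicyRequest
            {
                Description =
                    "Policy to demonstrate that I have permission that is limited to a specific resource in ApiGateway ",
                PolicyDocument = policyDocument,
                PolicyName = "ResourceInvocation"
            });
            loggerProvider.GetLogger().Debug("Policy Created: " + newPolicy.Policy.Arn);

            await iamClient.AttachRolePolicyAsync(new AttachRolePolicyRequest
            {
                RoleName = configurationProvider.ShortApplicationName,
                PolicyArn = newPolicy.Policy.Arn
            });
            loggerProvider.GetLogger().Debug("Policy Attach to Role: " + newPolicy.Policy.Arn);
        }

        loggerProvider.GetLogger().Debug("Created role: {@createRoleResponse}", createRoleResponse);

        // Use the async SDK calls throughout: the original blocked the thread on the synchronous
        // overloads from inside an async method.
        var createInstanceProfileResponse = await iamClient.CreateInstanceProfileAsync(
            new CreateInstanceProfileRequest
            {
                InstanceProfileName = configurationProvider.ShortApplicationName
            });
        loggerProvider.GetLogger()
            .Debug("Created instance profile: {@createInstanceProfileResponse}", createInstanceProfileResponse);

        var addRoleToInstanceProfileResponse = await iamClient.AddRoleToInstanceProfileAsync(
            new AddRoleToInstanceProfileRequest
            {
                InstanceProfileName = configurationProvider.ShortApplicationName,
                RoleName = configurationProvider.ShortApplicationName
            });
        loggerProvider.GetLogger()
            .Debug("Added role to instance profile: {@addRoleToInstanceProfileResponse}",
                addRoleToInstanceProfileResponse);
    }

    // True when the value could escape or corrupt the JSON string literal it is concatenated into.
    static bool ContainsJsonLiteralBreakingChars(string value)
    {
        foreach (var c in value)
        {
            if (c == '"' || c == '\\' || char.IsControl(c))
            {
                return true;
            }
        }

        return false;
    }
}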