Hugging Face's logo

Spaces:
Jing997
/
Chaptive
Sleeping

App Files Community
Chaptive / scripts /create_iam_role.py
Jing997's picture
Jing997
change app name
497bf08
raw
history blame contribute delete
4.59 kB
"""Utility script to provision S3 read-only credentials for the Streamlit app.
This helper creates (or reuses) an IAM user and optional role that have
`s3:ListBucket` / `s3:GetObject` access to the `chaptive-rag` bucket. It then
prints the access key and secret so they can be set as environment variables for the Streamlit app.
Usage:
```bash
python streamlit/scripts/create_iam_role.py \
 --entity-name streamlit-cache-reader \
 --bucket chaptive-rag
```
The AWS account credentials used to run this script must already have IAM
permissions to create users/roles, attach policies, and create access keys.
"""
from __future__ import annotations
import argparse
import json
import sys
from typing import Any, Dict, Optional
import boto3
from botocore.exceptions import ClientError
S3_POLICY_NAME = "StreamlitS3ReadOnly"
DEFAULT_ENTITY_NAME = "streamlit-cache-reader"
DEFAULT_BUCKET = "chaptly-rag"
def _build_policy(bucket: str) -> Dict[str, Any]:
 resource_arn = f"arn:aws:s3:::{bucket}"
 object_arn = f"{resource_arn}/*"
 return {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": ["s3:ListBucket"],
 "Resource": resource_arn,
 },
 {
 "Effect": "Allow",
 "Action": ["s3:GetObject"],
 "Resource": object_arn,
 },
 ],
 }
def ensure_user(iam, user_name: str) -> None:
 try:
 iam.get_user(UserName=user_name)
 print(f"Reusing IAM user '{user_name}'.")
 except ClientError as exc:
 if exc.response["Error"]["Code"] == "NoSuchEntity":
 iam.create_user(UserName=user_name)
 print(f"Created IAM user '{user_name}'.")
 else:
 raise
def attach_inline_policy(iam, user_name: str, bucket: str) -> None:
 policy_doc = json.dumps(_build_policy(bucket))
 iam.put_user_policy(UserName=user_name, PolicyName=S3_POLICY_NAME, PolicyDocument=policy_doc)
 print(f"Attached inline S3 read policy '{S3_POLICY_NAME}' to user '{user_name}'.")
def create_access_key(iam, user_name: str) -> Dict[str, str]:
 response = iam.create_access_key(UserName=user_name)
 access_key = response["AccessKey"]
 return {
 "AWS_ACCESS_KEY_ID": access_key["AccessKeyId"],
 "AWS_SECRET_ACCESS_KEY": access_key["SecretAccessKey"],
 }
def ensure_role(iam, role_name: str, bucket: str, assume_policy: Dict[str, Any]) -> None:
 try:
 iam.get_role(RoleName=role_name)
 print(f"Reusing IAM role '{role_name}'.")
 except ClientError as exc:
 if exc.response["Error"]["Code"] == "NoSuchEntity":
 iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(assume_policy))
 print(f"Created IAM role '{role_name}'.")
 else:
 raise
 policy_doc = json.dumps(_build_policy(bucket))
 iam.put_role_policy(RoleName=role_name, PolicyName=S3_POLICY_NAME, PolicyDocument=policy_doc)
 print(f"Attached inline S3 read policy '{S3_POLICY_NAME}' to role '{role_name}'.")
def parse_args() -> argparse.Namespace:
 parser = argparse.ArgumentParser(description="Provision S3 read-only IAM credentials for Streamlit.")
 parser.add_argument("--entity-name", default=DEFAULT_ENTITY_NAME, help="IAM user/role name to create or reuse.")
 parser.add_argument("--bucket", default=DEFAULT_BUCKET, help="S3 bucket name (default: chaptive-rag).")
 parser.add_argument(
 "--create-role",
 action="store_true",
 help="Also create an IAM role with the same name and inline policy (optional).",
 )
 parser.add_argument(
 "--role-trust",
 default=None,
 help="Path to a JSON file describing the assume-role trust policy (required if --create-role).",
 )
 return parser.parse_args()
def main() -> None:
 args = parse_args()
 iam = boto3.client("iam")
 ensure_user(iam, args.entity_name)
 attach_inline_policy(iam, args.entity_name, args.bucket)
 credentials = create_access_key(iam, args.entity_name)
 print("\nAdd the following values to your Streamlit secrets:")
 for key, value in credentials.items():
 print(f"{key} = {value}")
 print("AWS_REGION = ap-southeast-1")
 print(f"CHAPTIVE_S3_BUCKET = {args.bucket}")
if args.create_role:
 if not args.role_trust:
 raise SystemExit("--role-trust JSON file is required when --create-role is set.")
 with open(args.role_trust, "r", encoding="utf-8") as handle:
 assume_policy = json.load(handle)
 ensure_role(iam, args.entity_name, args.bucket, assume_policy)
 print(
 "\nIAM role created. Attach this role to an EC2/Lambda/Streamlit Cloud runner and expose temporary credentials via environment variables."
 )
if __name__ == "__main__":
 try:
 main()
 except ClientError as exc:
 print(f"AWS error: {exc}")
 sys.exit(1)
 except KeyboardInterrupt:
 print("Aborted by user.")
 sys.exit(130)