A Rust crate for dealing with AWS IAM Policy resources.

For the most part, importing `aws_iam::model` provides the core types necessary to programmatically create Policy documents. You can also import `aws_iam::model::builder` to use a more fluent interface to construct Policies. The `aws_iam::io` module provides simple read and write functions, the write functions producing pretty-printed JSON output. The `aws_iam::report` module provides a set of traits that allow for visiting a Policy model, and implementations of these that write formatted versions of a Policy as documentation.
```rust
use aws_iam::model::*;
use aws_iam::io::write_to_writer;
use std::io::stdout;

// Build a policy with a single Allow statement: read-only S3 access to the
// bucket, granted only when the caller authenticated with MFA.
let policy: Policy = PolicyBuilder::new()
    .named("confidential-data-access")
    .evaluate_statement(
        StatementBuilder::new()
            .auto_named()
            .allows()
            .unspecified_principals()
            .may_perform_actions(vec!["s3:List*", "s3:Get*"])
            .on_resources(vec![
                "arn:aws:s3:::confidential-data",
                "arn:aws:s3:::confidential-data/*",
            ])
            .if_condition(
                // BoolIfExists: a request with no MFA key in its context
                // still satisfies the condition.
                ConditionBuilder::new_bool()
                    .right_hand_bool("aws:MultiFactorAuthPresent", true)
                    .if_exists(),
            ),
    )
    .into();
write_to_writer(stdout(), &policy);
```
Results in the following JSON.
```json
{
  "Id": "confidential-data-access",
  "Statement": {
    "Sid": "sid_e4d7f2d3-cfed-4346-9c5e-a8e9e38ef44f",
    "Effect": "Allow",
    "Action": [
      "s3:List*",
      "s3:Get*"
    ],
    "Resource": [
      "arn:aws:s3:::confidential-data",
      "arn:aws:s3:::confidential-data/*"
    ],
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "true"
      }
    }
  }
}
```
The `policy` tool provides some very basic policy resource operations. The most valuable of these is `verify`, which will read a file, parse it and produce a formatted output. This output can be a documentation form which is useful for describing common policies.
```shell
$ policy -h
policy 0.2.0

USAGE:
    policy [FLAGS] <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information
    -v, --verbose    The level of logging to perform, from off to trace

SUBCOMMANDS:
    help      Prints this message or the help of the given subcommand(s)
    new       Create a new default policy document
    verify    Verify an existing policy document
```
For example, given the following JSON policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllUsersNotUsingMFA",
    "Effect": "Deny",
    "NotAction": "iam:*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}
```
the command `policy verify -f markdown` will produce the output between the following lines.
```
IAM Policy Version: 2012-10-17

Statement ID: DenyAllUsersNotUsingMFA

DENY IF
  Action     NOT = "iam:*"
  Resource       = "*"
  Condition  IF EXISTS aws:MultiFactorAuthPresent
             THEN aws:MultiFactorAuthPresent Bool "false"
```
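Both policies on this page rely on the `BoolIfExists` operator, and the Deny statement above only works as intended because of it. The following is an added example, not code from the aws_iam crate; it is a std-only evaluator (all names hypothetical) for the `Bool` and `BoolIfExists` operators, implementing the AWS rule that with `...IfExists` a key absent from the request context makes the condition evaluate to true.

```rust
use std::collections::HashMap;

/// The two condition operators used by the policies on this page.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ConditionOp {
    Bool,
    BoolIfExists,
}

/// Evaluate one `Bool`/`BoolIfExists` condition on `key` against the request
/// context. If the key is present, compare its value (AWS treats the value
/// case-insensitively); if it is absent, only `BoolIfExists` matches.
pub fn condition_matches(
    op: ConditionOp,
    key: &str,
    expected: bool,
    context: &HashMap<String, String>,
) -> bool {
    let want = if expected { "true" } else { "false" };
    match context.get(key) {
        Some(value) => value.eq_ignore_ascii_case(want),
        None => op == ConditionOp::BoolIfExists,
    }
}

/// The "DenyAllUsersNotUsingMFA" condition from the README, parameterised by
/// operator. Returns true when the Deny statement applies to the request.
pub fn mfa_deny_applies(op: ConditionOp, context: &HashMap<String, String>) -> bool {
    condition_matches(op, "aws:MultiFactorAuthPresent", false, context)
}

/// Build a constructed request context from key/value pairs.
fn ctx(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    // Constructed contexts: MFA used, MFA not used, and key entirely absent.
    let cases = [
        ("mfa", ctx(&[("aws:MultiFactorAuthPresent", "true")])),
        ("no mfa", ctx(&[("aws:MultiFactorAuthPresent", "false")])),
        ("key absent", ctx(&[])),
    ];
    for (name, c) in cases.iter() {
        println!(
            "{:>11}: Bool denies={} BoolIfExists denies={}",
            name,
            mfa_deny_applies(ConditionOp::Bool, c),
            mfa_deny_applies(ConditionOp::BoolIfExists, c)
        );
    }
}
```

With plain `Bool` a request whose context carries no `aws:MultiFactorAuthPresent` key is never denied, which is the gap the `BoolIfExists` form of the statement closes.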
Version 0.3.0

- Update model API:
  - ...

Version 0.2.2

- Added implementations of common equality, ordering, and hashing traits (See Issue #19).

Version 0.2.1

- Fixing `missing_docs` warnings.
- Removed `any_of()`, `condition_one()`, and `one()` from builder, replaced with functions on Action, Principal, and Resource.

Version 0.2.0

- First commit to Crates.io.
- Completed markdown support for `policy` tool verification.
- Completed changes to the model to support `NotAction`, `NotPrincipal`, and `NotResource`.
- Filled obvious gaps in documentation.

Version 0.1.0

- Initial commit stream to GitHub from private project.
- Goal was to complete the existing model, documentation and add the `policy` tool.
- Add LaTeX output to `policy`.