AWS IAM Policy generator
aws-policy-generator
aws-policy-generator is a utility that allows for simple generation of IAM policies.
Features
aws-policy-generator allows you to generate list-only, read-only, read-write or full-access policies for any AWS service via the command-line or a YAML config file.
I wrote it for those instances where you want a simple, non-repetitive way of granting broad-brush permissions to IAM roles. Generally, this tool works best for granting access to roles used by human users, particularly in dev environments, and not application roles. For applications you should write specific least-privilege policies to ensure any compromise of the application does not threaten other AWS resources.
aws-policy-generator is powered by my aws-iam-utils library, which is a Swiss-army knife for IAM policy generation, analysis and manipulation. If you need a programmatic way of working with policies, I recommend you use the library directly.
Installation
As easy as:
pip install aws-policy-generator
Usage
There are two ways to use this tool: directly via CLI, or via a YAML file. You can freely combine both approaches but when starting out I recommend choosing one or the other.
CLI usage
You can get full help by running aws-policy-generator --help. Here are some examples to get you started. All of the command-line flags below can be combined or repeated to get the results you need.
To generate a policy granting full access to some services, for example IAM and S3:
# you can use -a instead of --full-access
>>> aws-policy-generator --full-access iam --full-access s3
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"iam:*",
"s3:*"
]
}
]
}
To grant read-only access use --read (-r), for list-only access use --list (-l), and for write access use --write (-w). Granting write also grants read and list, and granting read also grants list.
When using --list, --read or --write you can scope the permissions granted to specific types of resources (ARN types). For example, to grant someone access to manipulate IAM instance profiles only, you would do:
# you can use -a instead of --full-access
>>> aws-policy-generator --full-access iam:instance-profile
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"iam:addroletoinstanceprofile",
"iam:createinstanceprofile",
"iam:deleteinstanceprofile",
"iam:getinstanceprofile",
"iam:listinstanceprofiletags",
"iam:listinstanceprofiles",
"iam:removerolefrominstanceprofile",
"iam:taginstanceprofile",
"iam:untaginstanceprofile"
]
}
]
}
You can also add specific actions to a policy:
# you can use -A instead of --action
>>> aws-policy-generator --action s3:ListMyBuckets
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"s3:listmybuckets"
]
}
]
}
Sometimes the generated policies will be quite long. Depending on the type of policy you're trying to create, you may hit the AWS policy length limits. To help mitigate this, aws-policy-generator supports shortening policies with --auto-shorten:
>>> aws-policy-generator -w iam -r s3 -w ec2 -w lambda --auto-shorten
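The following is an added example written for this page, not code from aws-policy-generator or aws-iam-utils. It reproduces, in plain Python, the three behaviours the sections above describe: the access-level hierarchy (write includes read, read includes list), the managed-policy size limit that long generated policies can run into, and one way to shorten a policy by collapsing actions into prefix wildcards while checking that no other known action is granted. ACTION_TABLE is a small constructed subset of real AWS actions; the tool's own action data and its --auto-shorten algorithm are not described on the page, so shorten_actions() is an illustration of the idea, not the tool's implementation.

```python
"""Added example, not code from aws-policy-generator or aws-iam-utils.
Reproduces in plain Python: the README's access-level hierarchy (write includes
read, read includes list), the managed-policy size limit long policies can hit,
and one way to shorten a policy with prefix wildcards while checking that no
other known action is granted.  ACTION_TABLE is a small constructed subset of
real AWS actions; the tool's own data and shortening algorithm are not on the page."""
import fnmatch
import json
import re

LEVELS = ("list", "read", "write")  # ordered: each level includes the ones before it

# Constructed subset of real AWS actions, grouped by access level.
ACTION_TABLE = {
    "s3": {
        "list": ["s3:ListAllMyBuckets", "s3:ListBucket"],
        "read": ["s3:GetObject", "s3:GetBucketPolicy"],
        "write": ["s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy"],
    },
    "iam": {
        "list": ["iam:ListRoles", "iam:ListInstanceProfiles"],
        "read": ["iam:GetRole", "iam:GetInstanceProfile"],
        "write": ["iam:CreateRole", "iam:DeleteRole", "iam:CreateInstanceProfile"],
    },
}

# Customer managed policies are limited to 6,144 characters, whitespace excluded.
MANAGED_POLICY_LIMIT = 6144


def actions_for(service, level):
    """Actions granted to `service` at `level`, including every lower level."""
    if level == "full":
        return [f"{service}:*"]
    if level not in LEVELS:
        raise ValueError(f"unknown access level {level!r}")
    granted = []
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        granted.extend(ACTION_TABLE[service][lvl])
    return granted


def all_known_actions(service):
    """Every action in the table for `service`: the 'universe' used when shortening."""
    return [a for lvl in LEVELS for a in ACTION_TABLE[service][lvl]]


def shorten_actions(granted, universe):
    """Collapse `granted` into the shortest prefix wildcards that match no action in
    `universe` outside `granted`.  Caveat: a wildcard also matches actions AWS adds
    later, which an explicit list never does; `universe` is only what we know today."""
    granted, universe = set(granted), set(universe) | set(granted)
    remaining, patterns = set(granted), []
    for action in sorted(granted):
        if action not in remaining:
            continue  # already covered by an earlier wildcard
        service, _, name = action.partition(":")
        best = action
        for cut in range(len(name) - 1, -1, -1):  # progressively shorter prefixes
            pattern = f"{service}:{name[:cut]}*"
            matched = {a for a in universe if fnmatch.fnmatchcase(a, pattern)}
            if not matched <= granted:
                break  # any shorter prefix would match even more
            best = pattern
        patterns.append(best)
        remaining -= {a for a in granted if fnmatch.fnmatchcase(a, best)}
    return sorted(patterns)


def build_policy(requests, shorten=False):
    """requests: iterable of (service, level).  Returns an IAM policy document."""
    actions = []
    for service, level in requests:
        granted = actions_for(service, level)
        if shorten and level != "full":
            granted = shorten_actions(granted, all_known_actions(service))
        actions.extend(granted)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Resource": "*", "Action": sorted(set(actions))}],
    }


def policy_size(policy):
    """Characters counted against the IAM limit: the JSON with whitespace removed."""
    return len(re.sub(r"\s", "", json.dumps(policy)))


def check_policy(policy):
    """Findings a reviewer wants before attaching the policy: over the size limit,
    or wildcard actions combined with Resource "*"."""
    findings = []
    size = policy_size(policy)
    if size > MANAGED_POLICY_LIMIT:
        findings.append(f"{size} characters exceeds the {MANAGED_POLICY_LIMIT} limit")
    for stmt in policy["Statement"]:
        wild = [a for a in stmt["Action"] if a.endswith("*")]
        if wild and stmt["Resource"] == "*":
            findings.append("wildcard actions on all resources: " + ", ".join(wild))
    return findings
```

Running `build_policy([("s3", "read"), ("iam", "full")], shorten=True)` yields a document in the same shape as the tool's output above, and `check_policy()` on it reports the iam:* wildcard on all resources, which is exactly the kind of grant the Features section advises keeping to human dev roles rather than application roles. The shortening step deliberately checks each candidate wildcard against every known action of the service before accepting it; without that check a prefix such as s3:Get* could silently widen a read-only grant.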
YAML usage
Check out the example YAML file.
Licence
MIT
Hashes for aws-policy-generator-1.1.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | fb8f8943e540b3507e0c42a78adefd88ebe2daa4401e9cac648e7639022e1f00
MD5 | d7e85548944e9bcb43dca6fa8f78daad
BLAKE2b-256 | 21c05294e857a2e1be6a7d2228e6a2327caa0c91934bb03511d144d1eb31bd06
Hashes for aws_policy_generator-1.1.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | f18580193ae560970975b021946db48447bc856c83ccacd62a5cc2caae6f2fac
MD5 | 4533aee80cbfcf37f4423400aa58146e
BLAKE2b-256 | 49e221627d3d39ef0533c67fc3aa3706d63171d63809c58e2654158eb0c9554d