
Project description

CloudFormation to IAM (cfn2iam)

A tool to automatically generate minimal IAM policy to deploy a CloudFormation stack from its template.

Live tool here - https://mrlikl.github.io/cfn2iam/

PyPI - https://pypi.org/project/cfn2iam/

Overview

This tool analyzes a CloudFormation template to identify every resource type it declares, then looks up each type's resource-provider schema from the CloudFormation registry, served as a static GitHub Pages site (https://mrlikl.github.io/cfn2iam/backend/schemas/), to determine the IAM permissions that resource type requires. From that it can generate an IAM policy document or create an IAM role carrying those permissions.

Features

  • (NEW) Support for SAM (AWS Serverless Application Model) templates
  • Parse CloudFormation templates in JSON or YAML format
  • Extract resource types and determine required permissions
  • Generate IAM policy documents with appropriate permissions
  • Create IAM roles with the generated permissions
  • Option to allow or deny delete permissions
  • Support for permissions boundaries

Installation

pip install cfn2iam

For IAM role creation functionality:

pip install cfn2iam[iam]

Usage

cfn2iam <template_path> [options]

Options

  • -d, --allow-delete: Allow delete permissions instead of denying them (default: False)
  • -c, --create-role: Create an IAM role with the generated permissions (default: False)
  • -r, --role-name: Name for the IAM role (if not specified, uses 'cfn2iam-<random_hash>')
  • -p, --permissions-boundary: ARN of the permissions boundary to attach to the role

Examples

Generate a policy document from a template:

cfn2iam path/to/template.yaml

Create an IAM role with delete permissions allowed:

cfn2iam path/to/template.yaml -d

Create an IAM role with a custom name:

cfn2iam path/to/template.yaml -r MyCustomRole

Create an IAM role with a permissions boundary:

cfn2iam path/to/template.yaml -p arn:aws:iam::123456789012:policy/boundary

How It Works

  1. The tool parses the CloudFormation template to extract all resource types
  2. For each resource type, it fetches the schema from pre-hosted GitHub schemas (https://mrlikl.github.io/cfn2iam/backend/schemas/)
  3. It categorizes permissions into "update" (create/update/read) and "delete-specific" permissions
  4. It generates a policy document with appropriate Allow and Deny statements
  5. It saves the policy document to a file with a unique name
  6. If requested (default), it creates an IAM role with the generated policy
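The pipeline above (parse template, look up each type's schema, split permissions into update and delete-specific sets, emit Allow/Deny statements, derive a file name) as an added illustration; this is not cfn2iam's own code. It assumes the hosted schemas follow the CloudFormation registry resource-provider schema layout, where a "handlers" object lists the "permissions" each of the create/read/update/delete/list handlers needs; the template and schemas below are constructed samples embedded so the script runs offline, and a permission that the delete handler shares with another handler is kept in the update set so a Deny on it cannot break create or update.

```python
"""Illustrative re-implementation of the cfn2iam workflow (not the project's code)."""
import hashlib
import json

# Constructed sample template (JSON form of a CloudFormation template).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "Table": {"Type": "AWS::DynamoDB::Table", "Properties": {}},
        "LogBucket": {"Type": "AWS::S3::Bucket"},
    }
})

# Constructed stand-in for the hosted registry schemas (real ones are far larger).
SAMPLE_SCHEMAS = {
    "AWS::S3::Bucket": {"handlers": {
        "create": {"permissions": ["s3:CreateBucket", "s3:PutBucketTagging"]},
        "read": {"permissions": ["s3:GetBucketTagging"]},
        "update": {"permissions": ["s3:PutBucketTagging"]},
        "delete": {"permissions": ["s3:DeleteBucket"]},
        "list": {"permissions": ["s3:ListAllMyBuckets"]},
    }},
    "AWS::DynamoDB::Table": {"handlers": {
        "create": {"permissions": ["dynamodb:CreateTable", "dynamodb:DescribeTable"]},
        "read": {"permissions": ["dynamodb:DescribeTable"]},
        "update": {"permissions": ["dynamodb:UpdateTable", "dynamodb:DescribeTable"]},
        "delete": {"permissions": ["dynamodb:DeleteTable", "dynamodb:DescribeTable"]},
    }},
}

UPDATE_HANDLERS = ("create", "read", "update", "list")


def extract_resource_types(template_text):
    """Step 1: the distinct resource types declared under Resources."""
    template = json.loads(template_text)
    resources = template.get("Resources", {}).values()
    return sorted({r["Type"] for r in resources if "Type" in r})


def categorize_permissions(resource_types, schemas):
    """Steps 2-3: read each type's schema and split permissions into an
    'update' set (create/read/update/list) and a delete-specific set.
    Anything the delete handler shares with another handler stays in 'update'."""
    update_perms, delete_perms = set(), set()
    for rtype in resource_types:
        if rtype not in schemas:
            raise KeyError(f"no schema available for resource type {rtype}")
        handlers = schemas[rtype].get("handlers", {})
        for name in UPDATE_HANDLERS:
            update_perms.update(handlers.get(name, {}).get("permissions", []))
        delete_perms.update(handlers.get("delete", {}).get("permissions", []))
    return update_perms, delete_perms - update_perms


def build_policy(update_perms, delete_perms, allow_delete=False):
    """Step 4: Allow the update set; Deny the delete set unless explicitly allowed."""
    statements = [{"Sid": "CfnDeploy", "Effect": "Allow",
                   "Action": sorted(update_perms), "Resource": "*"}]
    if delete_perms:
        statements.append({"Sid": "CfnDelete",
                           "Effect": "Allow" if allow_delete else "Deny",
                           "Action": sorted(delete_perms), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_filename(policy):
    """Step 5: a content-derived unique file name (our naming scheme, an assumption)."""
    canonical = json.dumps(policy, sort_keys=True).encode()
    return f"cfn2iam-policy-{hashlib.sha256(canonical).hexdigest()[:12]}.json"


def generate(template_text, schemas, allow_delete=False):
    """Run steps 1-4 end to end and return the policy document."""
    types = extract_resource_types(template_text)
    update_perms, delete_perms = categorize_permissions(types, schemas)
    return build_policy(update_perms, delete_perms, allow_delete)


if __name__ == "__main__":
    doc = generate(SAMPLE_TEMPLATE, SAMPLE_SCHEMAS)
    print(policy_filename(doc))
    print(json.dumps(doc, indent=2))
```

Running it prints a policy with one Allow statement covering the seven create/read/update/list permissions and one Deny statement for dynamodb:DeleteTable and s3:DeleteBucket only; dynamodb:DescribeTable, which the delete handler also lists, stays allowed because create and update need it too. The explicit Deny is the defensive default: a role built this way can roll a stack out and update it, but cannot tear its resources down until the policy is regenerated with deletes allowed.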

License

This project is licensed under the MIT License - see the LICENSE file for details.


Download files


Source Distribution

cfn2iam-0.1.5.tar.gz (22.9 kB)

Uploaded Source

Built Distribution


cfn2iam-0.1.5-py3-none-any.whl (11.7 kB)

Uploaded Python 3

File details

Details for the file cfn2iam-0.1.5.tar.gz.

File metadata

  • Download URL: cfn2iam-0.1.5.tar.gz
  • Upload date:
  • Size: 22.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: uv/0.9.26 {"installer":{"name":"uv","version":"0.9.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for cfn2iam-0.1.5.tar.gz

  • SHA256: d196bc358f31802b6b7d0af879b2bd96830c25a8e7d2842b70b3cdd325484f02
  • MD5: ee678e57ad2c040e4ca88d4a12b15c83
  • BLAKE2b-256: 3a26ba2990f785eb26083cdd8c20137da88946c24b61b108a44373febad0c25b


File details

Details for the file cfn2iam-0.1.5-py3-none-any.whl.

File metadata

  • Download URL: cfn2iam-0.1.5-py3-none-any.whl
  • Upload date:
  • Size: 11.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: uv/0.9.26 {"installer":{"name":"uv","version":"0.9.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for cfn2iam-0.1.5-py3-none-any.whl

  • SHA256: 38b4905dc65ca01b5e5d49f2a0bc48df0791e85b18670d38772fe0d51c5a5ddf
  • MD5: 6762d95381996d0e46e6d29f6b98da9b
  • BLAKE2b-256: 8e0d1e5d13079a9cbf81994946faefa8211f6449a0fd84a6eb08292cf9531cc1
