Generates an IAM policy for the CloudFormation base describe-type's schema
Project description
cfn-giam
Automatically generate the required IAM policies from your Cloudformation file
Manual procedure
- Open AWS Cloudshell or any terminal configured with aws cli.
- Install cfn-giam
pip3 install cfngiam
- Check the IAM Policy required to execute the cloudformation file or folder
cfn-giam -i $yourcfn -o $exportfolder
cli options
| CLI option | Description | Require |
|---|---|---|
| -i, --input-path | Cloudformation file, folder or url path having Cloudformation files. Supported yaml and json. If this path is a folder, it will be detected recursively. | yes or -l |
| -l, --input-resouce-type-list | AWS Resouce type name list of comma-separated strings. e.g. "AWS::IAM::Role,AWS::VPC::EC2" | yes or -i |
| -o, --output-folderpath | Output IAM policy files root folder.If not specified, it matches the input-path. Moreover, if input-path is not specified, it will be output to the current directory. | no |
| -p, --policy | Set the name of the IAM Policy to be created on AWS. | no |
| -r, --role | Set the name of the IAM Role to be created on AWS. | no |
| -v, --version | Show version information and quit. | no |
| -V, --verbose | give more detailed output | no |
| --help | Show a help synopsis and quit. | no |
cli examples
Cloudformation file
cfn-giam -i ./CFn/example.yml
cfn-giam generates to "./CFn/example.json"
Cloudformation folder
cfn-giam -i ./CFn -o ./dist
cfn-giam generates to "./dist/CFn/example.json" cfn-giam generates to "./dist/MasterPolicy.json"
Cloudformation url file
cfn-giam -i https://s3.ap-northeast-1.amazonaws.com/cloudformation-templates-ap-northeast-1/Windows_Single_Server_SharePoint_Foundation.template
cfn-giam generates to "./Windows_Single_Server_SharePoint_Foundation.json"
Cloudformation resouce type list
cfn-giam -l AWS::EC2::Instance,AWS::EC2::SecurityGroup,AWS::EC2::Instance
cfn-giam generates to "./Windows_Single_Server_SharePoint_Foundation.json"
Automatical procedure
1. Fork to your Github account from this repository
2. Create IAM Role and IAM ID Provider for Github Actions
- Open Cloudformation on your AWS Account.
- Create stack from GithubOIDCRole-ReadOnly.yml.
- Make a note the Roke-Arn created from stack and region's name having stack.
3. Register Role-Arn and region name to Github sercrets
- View Github Actions page on your repository.
- Register following list to Github secrets.
- NAME: AWS_REGION, VALUE: your region's name having stack
- NAME: ROLE_ARN, VALUE: your Roke-Arn created from stack
4. Commit and Push your Cloudformation file
- Add your Cloudformation file in CFn folder.
- Commit and Push your repository.
5. Check artifacts on Github Actions
- View Github Actions page on your repository.
- Make sure the latest "Check the IAM Policy workflow" is successful.
- Open the latest workflow.
- Download artifact on the latest workflow.
Others
Github Actions thumbprint
Github Actions thumbprint changes from time to time.
e.g. Changelog
In that case, Update to GithubOIDCRole-ReadOnly.yml after get new thumbprint with GetGithubOIDCThumbprint.sh.
sh GetGithubOIDCThumbprint.sh
Not support Resouce types
| Not support Resource types |
|---|
| AWS::AmazonMQ::Broker |
| AWS::AmazonMQ::Configuration |
| AWS::AmazonMQ::ConfigurationAssociation |
| AWS::ApiGateway::DocumentationPart |
| AWS::ApiGateway::RestApi |
| AWS::ApiGateway::VpcLink |
| AWS::ApiGatewayV2::Api |
| AWS::ApiGatewayV2::ApiGatewayManagedOverrides |
| AWS::ApiGatewayV2::ApiMapping |
| AWS::ApiGatewayV2::Authorizer |
| AWS::ApiGatewayV2::Deployment |
| AWS::ApiGatewayV2::DomainName |
| AWS::ApiGatewayV2::Integration |
| AWS::ApiGatewayV2::IntegrationResponse |
| AWS::ApiGatewayV2::Model |
| AWS::ApiGatewayV2::Route |
| AWS::ApiGatewayV2::RouteResponse |
| AWS::ApiGatewayV2::Stage |
| AWS::ApiGatewayV2::VpcLink |
| AWS::AppConfig::Application |
| AWS::AppConfig::ConfigurationProfile |
| AWS::AppConfig::Deployment |
| AWS::AppConfig::DeploymentStrategy |
| AWS::AppConfig::Environment |
| AWS::AppConfig::HostedConfigurationVersion |
| AWS::AppMesh::GatewayRoute |
| AWS::AppMesh::Mesh |
| AWS::AppMesh::Route |
| AWS::AppMesh::VirtualGateway |
| AWS::AppMesh::VirtualNode |
| AWS::AppMesh::VirtualRouter |
| AWS::AppMesh::VirtualService |
| AWS::AppStream::DirectoryConfig |
| AWS::AppStream::Fleet |
| AWS::AppStream::ImageBuilder |
| AWS::AppStream::Stack |
| AWS::AppStream::StackFleetAssociation |
| AWS::AppStream::StackUserAssociation |
| AWS::AppStream::User |
| AWS::AppSync::ApiCache |
| AWS::AppSync::ApiKey |
| AWS::AppSync::DataSource |
| AWS::AppSync::FunctionConfiguration |
| AWS::AppSync::GraphQLApi |
| AWS::AppSync::GraphQLSchema |
| AWS::AppSync::Resolver |
| AWS::ApplicationAutoScaling::ScalableTarget |
| AWS::ApplicationAutoScaling::ScalingPolicy |
| AWS::AutoScaling::AutoScalingGroup |
| AWS::AutoScaling::ScalingPolicy |
| AWS::AutoScaling::ScheduledAction |
| AWS::AutoScalingPlans::ScalingPlan |
| AWS::Batch::JobDefinition |
| AWS::Budgets::Budget |
| AWS::CertificateManager::Certificate |
| AWS::Cloud9::EnvironmentEC2 |
| AWS::CloudFormation::CustomResource |
| AWS::CloudFormation::Macro |
| AWS::CloudFormation::Stack |
| AWS::CloudFormation::WaitCondition |
| AWS::CloudFormation::WaitConditionHandle |
| AWS::CloudFront::StreamingDistribution |
| AWS::CloudWatch::Alarm |
| AWS::CloudWatch::AnomalyDetector |
| AWS::CloudWatch::Dashboard |
| AWS::CloudWatch::InsightRule |
| AWS::CodeStar::GitHubRepository |
| AWS::Cognito::IdentityPool |
| AWS::Cognito::IdentityPoolRoleAttachment |
| AWS::Cognito::UserPool |
| AWS::Cognito::UserPoolClient |
| AWS::Cognito::UserPoolDomain |
| AWS::Cognito::UserPoolGroup |
| AWS::Cognito::UserPoolIdentityProvider |
| AWS::Cognito::UserPoolResourceServer |
| AWS::Cognito::UserPoolRiskConfigurationAttachment |
| AWS::Cognito::UserPoolUICustomizationAttachment |
| AWS::Cognito::UserPoolUser |
| AWS::Cognito::UserPoolUserToGroupAttachment |
| AWS::Config::ConfigRule |
| AWS::Config::ConfigurationRecorder |
| AWS::Config::DeliveryChannel |
| AWS::Config::OrganizationConfigRule |
| AWS::Config::RemediationConfiguration |
| AWS::DAX::Cluster |
| AWS::DAX::ParameterGroup |
| AWS::DAX::SubnetGroup |
| AWS::DLM::LifecyclePolicy |
| AWS::DMS::Certificate |
| AWS::DMS::Endpoint |
| AWS::DMS::EventSubscription |
| AWS::DMS::ReplicationInstance |
| AWS::DMS::ReplicationSubnetGroup |
| AWS::DMS::ReplicationTask |
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
cfngiam-0.4.5.tar.gz
(11.9 kB
view details)
Built Distribution
cfngiam-0.4.5-py3-none-any.whl
(11.9 kB
view details)
File details
Details for the file cfngiam-0.4.5.tar.gz.
File metadata
- Download URL: cfngiam-0.4.5.tar.gz
- Upload date:
- Size: 11.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.8.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ac4afca4ce29c2fcaaeb6c049a8f55ea10afe6514cad9c808191deb3af5394c6 |
|
| MD5 | f265b1737046c4ac30e8ba96ddb8f40f |
|
| BLAKE2b-256 | 2d0ef4a654d9b5772db977882b4a02cda0db01ce534626738ca863b4a3f59da0 |
File details
Details for the file cfngiam-0.4.5-py3-none-any.whl.
File metadata
- Download URL: cfngiam-0.4.5-py3-none-any.whl
- Upload date:
- Size: 11.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.8.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ce78728424850a3332e6f27d9d8fcb0c60d52c9f7a14bd805169406fbc2b8026 |
|
| MD5 | fe04085831d7be0a6c067688b50577fc |
|
| BLAKE2b-256 | f7eec40de726078822ac68c5dff80e3be9d7f8826be19ad4c781fdfb23180997 |
