Skip to main content

A lil python package to generate iam policies

Project description

IAM Builder

Actions Status

A python script to generate an IAM policy based on an yaml or json configuration.

To install:

# Most stable
pip install iam-builder

# OR directly from github
pip install git+git://github.com/moj-analytical-services/iam_builder.git#egg=iam_builder

To use the command line interface:

iam_builder -c examples/iam_config.yaml -o examples/iam_policy.json
  • -c is the path to your iam configuration (either a yaml or json file).
  • -o is the path to your output iam policy (needs to be a json file).

Or to do the same thing in python:

import yaml
import json
from iam_builder.iam_builder import build_iam_policy

with open('examples/iam_config.yaml') as f:
  config = yaml.load(f, Loader=yaml.FullLoader)

iam_policy = build_iam_policy(config)

with open('examples/iam_policy.json', "w+") as f:
  json.dump(iam_policy, f, indent=4, separators=(',', ': '))

Both scripts will create the output iam_policy seen in the examples folder. You can also see more example configs by looking in the unit tests.

Your config file can be either a yaml or json file.

The example yaml (iam_config.yaml) looks this:

iam_role_name: iam_role_name

athena:
  write: false

glue_job: true

secrets: true

s3: 
  read_only:
    - test_bucket_read_only/*

  write_only:
    - test_bucket_write_only/*
    - test_bucket_read_only/write_only_folder/*

  read_write:
    - test_bucket_read_write/*
    - test_bucket_read_only/write_folder/*

Whilst the example json (iam_config.json) looks like this:

{
  "iam_role_name": "iam_role_name",
  "athena": {
    "write": false
  },
  "glue_job": true,
  "secrets": true,
  "s3": {
    "read_only": [
      "test_bucket_read_only/*"
    ],
    "write_only": [
      "test_bucket_write_only/*",
      "test_bucket_read_only/write_only_folder/*"
    ],
    "read_write": [
      "test_bucket_read_write/*",
      "test_bucket_read_only/write_folder/*"
    ]
  }
}
  • iam_role_name: The role name of your airflow job; required if you want to run glue jobs or access secrets.

  • athena: Only has one key value pair. write which is either true or false. If false then only read access to Athena (cannot create, delete or alter tables, databases and partitions). If true then the role will also have the ability to do stuff like CTAS queries, DROP TABLE, CREATE DATABASE, etc.

  • glue_job: Boolean; must be set to true to allow role to run glue jobs. If false or absent role will not be able to run glue jobs.

  • secrets: Boolean; must be set to true to allow role to access secrets from AWS Parameter Store. If false or absent role will not be able to access secrets.

  • s3: Can have up to 3 keys: read_only, write_only and read_write. Each key describes the level of access you want your iam policy to have with each s3 path. More details below:

    • read_only: A list of s3 paths that the iam_role should be able to access (read only). Each item in the list should either be a path to a object or finish with /* to denote that it can access everything within that directory. Note the S3 paths don't start with s3:// in the config.

    • write_only: A list of s3 paths that the iam_role should be able to access (write only). Each item in the list should either be a path to a object or finish with /* to denote that it can access everything within that directory. Note the S3 paths don't start with s3:// in the config.

    • read_write_s3_access: A list of s3 paths that the iam_role should be able to access (read and write). Each item in the list should either be a path to a object or finish with /* to denote that it can access everything within that directory. Note the S3 paths don't start with s3:// in the config.

How to update

When updating IAM builder, make sure to change the version number in pyproject.yaml and describe the change in CHANGELOG.md.

If you have changed any dependencies in pyproject.yaml, run poetry update to update poetry.lock.

Once you have created a release in GitHub, to publish the latest version to PyPI, run:

poetry build
poetry publish -u <username>

Here, you should substitute <username> for your PyPI username. In order to publish to PyPI, you must be an owner of the project.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

iam_builder-3.7.0.tar.gz (5.9 kB view details)

Uploaded Source

Built Distribution

iam_builder-3.7.0-py3-none-any.whl (6.1 kB view details)

Uploaded Python 3

File details

Details for the file iam_builder-3.7.0.tar.gz.

File metadata

  • Download URL: iam_builder-3.7.0.tar.gz
  • Upload date:
  • Size: 5.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.5 CPython/3.8.2 Darwin/19.3.0

File hashes

Hashes for iam_builder-3.7.0.tar.gz
Algorithm Hash digest
SHA256 afb0eea3da2ab45a0d0c2ee07d8b2dbd40c37a98baaf93519fe760089af46f6a
MD5 ca31fd1150dee4595cb568ae0bc2792f
BLAKE2b-256 36160121756f303470c592973337894682216bf169cae20743c151ae91c2a5b4

See more details on using hashes here.

File details

Details for the file iam_builder-3.7.0-py3-none-any.whl.

File metadata

  • Download URL: iam_builder-3.7.0-py3-none-any.whl
  • Upload date:
  • Size: 6.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.5 CPython/3.8.2 Darwin/19.3.0

File hashes

Hashes for iam_builder-3.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b4ff9a51afe14fac770859b9b078c03420c0e691af8d6d84c4588b112c047376
MD5 1bc2f25971cd21b9d1e935a6794a0461
BLAKE2b-256 dde8eb059e08d79b5453ed82ef2ac0a0ac6d66dd2948bbd567ff917ae9a555b9

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page