
Understand the effective permissions of your policies

Project description


PolicyGlass allows you to combine multiple AWS IAM policies/statements into their ‘effective permissions’, deduplicating permissions, and eliminating denied permissions along the way.

No matter how complex the input, PolicyGlass always reduces it to Allow-only PolicyShard objects, which makes the effect of your policies straightforward to reason about programmatically.

Installation

pip install policyglass

Usage

Let’s take two policies, a and b, and pit them against each other.

>>> from policyglass import Policy, policy_shards_effect
>>> policy_a = Policy(**{
...     "Version": "2012-10-17",
...     "Statement": [
...         {
...             "Effect": "Allow",
...             "Action": [
...                 "s3:*"
...             ],
...             "Resource": "*"
...         }
...     ]
... })
>>> policy_b = Policy(**{
...     "Version": "2012-10-17",
...     "Statement": [
...         {
...             "Effect": "Deny",
...             "Action": [
...                 "s3:*"
...             ],
...             "Resource": "arn:aws:s3:::examplebucket/*"
...         }
...     ]
... })
>>> policy_shards = [*policy_a.policy_shards, *policy_b.policy_shards]
>>> effect = policy_shards_effect(policy_shards)
>>> effect
[PolicyShard(effect='Allow',
   effective_action=EffectiveAction(inclusion=Action('s3:*'),
      exclusions=frozenset()),
   effective_resource=EffectiveResource(inclusion=Resource('*'),
      exclusions=frozenset({Resource('arn:aws:s3:::examplebucket/*')})),
   effective_principal=EffectivePrincipal(inclusion=Principal(type='AWS', value='*'),
      exclusions=frozenset()),
   conditions=frozenset(),
   not_conditions=frozenset())]

Two policies, two statements, resulting in a single allow PolicyShard. More complex policies will result in multiple shards, but they will always be allows, no matter how complex the policy.

You can also make them human readable!

>>> from policyglass import explain_policy_shards
>>> explain_policy_shards(effect)
['Allow action s3:* on resource * (except for arn:aws:s3:::examplebucket/*) with principal AWS *.']
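To show what "reducing to allow-only shards" actually involves, here is an added, library-free toy implementation of the same idea. It is not PolicyGlass's code and simplifies heavily: only Action and Resource are modelled (no Principal, Condition, NotAction or NotResource), only the `*` wildcard is supported, and a Deny pattern must be either nested inside or disjoint from the pattern it meets (anything else raises). POLICY_A and POLICY_B are the README's two policies; POLICY_C is a constructed third Deny that overlaps the remaining shard only partially in both dimensions, which is the case that forces one shard to split into two.

```python
import re
from dataclasses import dataclass, replace
from functools import lru_cache

def covers(pattern: str, other: str) -> bool:
    """True if every string matched by `other` also matches `pattern` ('*' only).
    Matching the literal text of `other` against `pattern` suffices: a '*' in
    `other` can only be absorbed by a '*' in `pattern`. Case-insensitive, like IAM actions."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, other, re.IGNORECASE) is not None

def intersects(p: str, q: str) -> bool:  # does some concrete string match both '*'-patterns?
    p, q = p.lower(), q.lower()

    @lru_cache(maxsize=None)
    def go(i: int, j: int) -> bool:
        if i == len(p) and j == len(q):
            return True
        if i == len(p):                      # p exhausted: q may only have '*' left
            return set(q[j:]) <= {"*"}
        if j == len(q):
            return set(p[i:]) <= {"*"}
        if p[i] == "*":                      # p's star matches nothing, or eats one char of q
            return go(i + 1, j) or go(i, j + 1)
        if q[j] == "*":
            return go(i, j + 1) or go(i + 1, j)
        return p[i] == q[j] and go(i + 1, j + 1)

    return go(0, 0)

@dataclass(frozen=True)
class Shard:
    """An Allow over (action minus action_excl) x (resource minus resource_excl)."""
    action: str
    resource: str
    action_excl: frozenset = frozenset()
    resource_excl: frozenset = frozenset()

def _add_exclusion(excl: frozenset, new: str) -> frozenset:
    if any(covers(e, new) for e in excl):          # already excluded, nothing to do
        return excl
    return frozenset(e for e in excl if not covers(new, e)) | {new}

def _relation(incl: str, excl: frozenset, deny: str) -> str:
    # "none": the Deny cannot touch this dimension; "all": it covers everything that is
    # left; "part": it sits strictly inside the inclusion. Straddling patterns are refused.
    if not intersects(incl, deny) or any(covers(e, deny) for e in excl):
        return "none"
    if covers(deny, incl):
        return "all"
    if covers(incl, deny):
        return "part"
    raise ValueError(f"{deny!r} straddles {incl!r}; the toy model only splits nested patterns")

def subtract(shard: Shard, deny_action: str, deny_resource: str) -> list:
    ra = _relation(shard.action, shard.action_excl, deny_action)
    rr = _relation(shard.resource, shard.resource_excl, deny_resource)
    if ra == "none" or rr == "none":
        return [shard]
    if ra == "all" and rr == "all":
        return []                                   # the Deny swallows the whole shard
    if ra == "all":                                 # every action on some resources: carve resources out
        return [replace(shard, resource_excl=_add_exclusion(shard.resource_excl, deny_resource))]
    if rr == "all":                                 # some actions on every resource: carve actions out
        return [replace(shard, action_excl=_add_exclusion(shard.action_excl, deny_action))]
    # Both partial: A x R minus a x r == (A\a) x R  union  a x (R\r), two disjoint shards.
    return [
        replace(shard, action_excl=_add_exclusion(shard.action_excl, deny_action)),
        Shard(deny_action, shard.resource,
              frozenset(e for e in shard.action_excl if intersects(e, deny_action)),
              _add_exclusion(shard.resource_excl, deny_resource)),
    ]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def effective_shards(statements: list) -> list:
    # Expand every Allow into shards first, then subtract every Deny from every shard.
    shards = [Shard(a, r) for st in statements if st["Effect"] == "Allow"
              for a in _as_list(st["Action"]) for r in _as_list(st["Resource"])]
    for st in statements:
        if st["Effect"] == "Deny":
            for a in _as_list(st["Action"]):
                for r in _as_list(st["Resource"]):
                    shards = [out for s in shards for out in subtract(s, a, r)]
    return shards

def explain(shard: Shard) -> str:
    fmt = lambda incl, excl: incl + (f" (except for {', '.join(sorted(excl))})" if excl else "")
    return f"Allow action {fmt(shard.action, shard.action_excl)} on resource {fmt(shard.resource, shard.resource_excl)}."

# The README's two policies, plus a constructed third Deny (POLICY_C) that overlaps the
# surviving shard only partially on both the action and the resource axis.
POLICY_A = [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]
POLICY_B = [{"Effect": "Deny", "Action": ["s3:*"], "Resource": "arn:aws:s3:::examplebucket/*"}]
POLICY_C = [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::logs-bucket/*"}]

if __name__ == "__main__":
    for shard in effective_shards(POLICY_A + POLICY_B + POLICY_C):
        print(explain(shard))
```

Running it with POLICY_A and POLICY_B alone reproduces the README's single shard ("Allow action s3:* on resource * (except for arn:aws:s3:::examplebucket/*)", minus the principal this toy does not model). Adding POLICY_C is what makes the shard count grow: a Deny that is narrower than the Allow on both axes cannot be expressed as a single exclusion, so the Allow is split into "all actions except s3:DeleteObject, on everything except examplebucket" and "s3:DeleteObject on everything except examplebucket and logs-bucket". That split is why real policies end up as several shards that are nonetheless all Allows.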

Download files


Source Distribution

policyglass-0.6.0.tar.gz (16.5 kB)

Built Distribution

policyglass-0.6.0-py3-none-any.whl (21.4 kB)
