dataday / aws-utilities-sdk

A small set of scripts backed by the AWS SDK

Amazon Web Services (AWS) Utilities SDK

AWS Identity and Access Management (IAM)

The scripts contained in this project are work in progress.

Introduction

The identity script adds roles, groups and their associated access policies. It uses the AWS SDK to create the relationship between a named group and/or role and either its stated policy file or a pre-existing policy ARN.

Each policy file associated with a role or group requires a valid AWS account ID so that the identities can be created against that account. The AWS account ID must be added directly to the policy file before the script is run.

For context, a group can consist of a collection of users and can be used to cascade the relevant access policies to those users. Users can also assume a role, which temporarily changes their access policies, either to include access to new services or to restrict their access. AWS services, e.g., EC2 or Lambda, can also assume roles to perform specific actions stated in role-specific access policies, e.g., a Lambda function that is allowed to read data from DynamoDB.

Key

Key to the terms used in the scripts.

  • policy_name - the policy name associated to the statically derived policy file, e.g., RolesPolicyAdmin.
  • policy_path - the policy file path, e.g., /path/to/data/files/groups/policy-admin.json.
  • policy_arn - the pre-existing policy ARN, e.g., arn:aws:iam::aws:policy/AdministratorAccess.
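The following is an added example of the flow the introduction describes, written here for illustration and not taken from the project's generate_identities.py. It checks that a policy file carries the expected account ID (catching a file where the ID was never filled in, or one copied from another account), then creates a group or role through the boto3 IAM client and attaches either a new customer-managed policy built from the file or a pre-existing policy_arn. The sample policy, the placeholder account ID 123456789012, the name OrdersReader and the RecordingIamClient dry-run stand-in are all assumptions; with real credentials you would pass boto3.client("iam") instead.

```python
"""Added example (not the project's code): create an IAM group or role and
attach a policy, with an account-ID check on the policy document first."""
import json
import re

try:
    import boto3  # only needed for a live run against AWS
except ImportError:  # the dry run below works without boto3 installed
    boto3 = None

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# arn:partition:service:region:account:resource -- capture the account field
ARN_ACCOUNT_RE = re.compile(r"arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:([^:\"]*):")


def check_policy_document(policy_text, account_id):
    """Parse a policy file and confirm every account-scoped ARN in it belongs
    to account_id. A leftover placeholder or a foreign account ID is rejected."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account ID must be 12 digits, got %r" % account_id)
    document = json.loads(policy_text)
    if document.get("Version") != "2012-10-17" or not isinstance(document.get("Statement"), list):
        raise ValueError("not a valid IAM policy document")
    for field in ARN_ACCOUNT_RE.findall(policy_text):
        if field in ("", "aws"):  # S3 ARNs have no account; managed policies use 'aws'
            continue
        if field != account_id:
            raise ValueError("ARN account %r does not match expected account %s" % (field, account_id))
    return document


def attach_identity_policy(iam, kind, name, policy_name=None, policy_document=None,
                           policy_arn=None, trust_document=None):
    """Create a group or role, then attach either a new customer-managed policy
    built from policy_document or the pre-existing policy_arn. Returns the ARN."""
    if kind == "group":
        iam.create_group(GroupName=name)
    elif kind == "role":
        # The trust document states who may call sts:AssumeRole on this role
        iam.create_role(RoleName=name, AssumeRolePolicyDocument=json.dumps(trust_document))
    else:
        raise ValueError("kind must be 'group' or 'role'")
    if policy_arn is None:
        created = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))
        policy_arn = created["Policy"]["Arn"]
    if kind == "group":
        iam.attach_group_policy(GroupName=name, PolicyArn=policy_arn)
    else:
        iam.attach_role_policy(RoleName=name, PolicyArn=policy_arn)
    return policy_arn


class RecordingIamClient(object):
    """Assumed dry-run stand-in for boto3.client('iam'): records the calls it
    receives instead of making them, so the flow can be checked offline."""

    def __init__(self, account_id):
        self.account_id = account_id
        self.calls = []

    def __getattr__(self, method):
        def record(**kwargs):
            self.calls.append((method, kwargs))
            if method == "create_policy":
                return {"Policy": {"Arn": "arn:aws:iam::%s:policy/%s" % (self.account_id, kwargs["PolicyName"])}}
            return {}
        return record


# Constructed sample policy file: read-only access to one DynamoDB table
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
    }],
})

# Constructed trust policy letting Lambda assume the role
LAMBDA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def dry_run(account_id="123456789012"):
    """Run the whole flow against the recording client; returns (arn, call names)."""
    iam = RecordingIamClient(account_id)
    document = check_policy_document(SAMPLE_POLICY, account_id)
    arn = attach_identity_policy(iam, "role", "OrdersReader", policy_name="OrdersReadOnly",
                                 policy_document=document, trust_document=LAMBDA_TRUST)
    return arn, [method for method, _ in iam.calls]


if __name__ == "__main__":
    print(dry_run())
```

Note that create_group, create_role and create_policy raise EntityAlreadyExistsException on a second run, so a script that is re-run against the same account needs to look the entity up first rather than create it blindly.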

Configuration

Project specific group and role identities can be extended to include more roles, groups and policies.

Scripts

Tested with Python 2.7.14.

Generate IAM identities.

Creates role or group policies using the Python AWS SDK (boto3).

$ pip install boto3 argparse inflect # install required support modules
$ chmod +x ./iam/generate_identities.py
$ python ./iam/generate_identities.py --group --role

Generate IAM policy JSON.

Creates some very basic JSON to base role or group policies on.

$ pip install awacs argparse namedtupled # install required support modules
$ chmod +x ./iam/generate_policy.py
$ python ./iam/generate_policy.py --policy [assumed-role, default-role, default-group] # select one option
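As an added illustration of the three policy kinds the script offers (assumed-role, default-role, default-group), the block below builds each one with the standard library only and runs a small least-privilege lint over the result. It is not the project's generate_policy.py and does not use awacs; the services, actions, resources and account ID it fills in are constructed samples, and lint_policy is an assumed helper rather than anything the project ships.

```python
"""Added example (not the project's code): build the three starter IAM policy
documents and lint them for admin-equivalent or wide-open statements."""
import json

POLICY_VERSION = "2012-10-17"


def assumed_role_policy(services):
    """Trust policy: which AWS services may call sts:AssumeRole on the role."""
    return {"Version": POLICY_VERSION,
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": list(services)},
                           "Action": "sts:AssumeRole"}]}


def permissions_policy(actions, resources):
    """Permissions policy shared by the default-role and default-group kinds:
    an explicit action list scoped to explicit resources, never '*'."""
    return {"Version": POLICY_VERSION,
            "Statement": [{"Effect": "Allow",
                           "Action": list(actions),
                           "Resource": list(resources)}]}


def generate_policy(kind, account_id="123456789012"):
    """Dispatch on the same option names the script takes. All values are
    constructed samples; the account ID is an assumed placeholder."""
    if kind == "assumed-role":
        return assumed_role_policy(["lambda.amazonaws.com"])
    if kind == "default-role":
        return permissions_policy(["dynamodb:GetItem", "dynamodb:Query"],
                                  ["arn:aws:dynamodb:us-east-1:%s:table/orders" % account_id])
    if kind == "default-group":
        return permissions_policy(["s3:ListBucket", "s3:GetObject"],
                                  ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"])
    raise ValueError("kind must be one of assumed-role, default-role, default-group")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return least-privilege findings as strings; an empty list means nothing
    was flagged. Only Allow statements widen access, so Deny ones are skipped."""
    findings = []
    for index, stmt in enumerate(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        where = "Statement[%d]" % index
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(where + ": wildcard Action with Resource '*' is admin-equivalent")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(where + ": NotAction/NotResource in an Allow grants everything not listed")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(where + ": Principal '*' lets any AWS account assume this role")
    return findings


def render(document):
    """Stable JSON text suitable for writing to a policy file."""
    return json.dumps(document, indent=2, sort_keys=True)


if __name__ == "__main__":
    for kind in ("assumed-role", "default-role", "default-group"):
        doc = generate_policy(kind)
        print("# %s (findings: %s)" % (kind, lint_policy(doc) or "none"))
        print(render(doc))
```

Running the lint on a generated file before it is fed to the identity script is a cheap way to catch a template that was widened to `"Action": "*"` during editing.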

Documentation

You can generate documentation for the modules included in this project using the following commands.

$ pip install sphinx # install required support modules
$ cd ./docs
$ # sphinx-apidoc -f -o source/ ../iam # used to create associated *.rst files, already done :)
$ make clean && make html # make module documentation
$ open build/html/index.html # MacOS X

Versioning

This project uses Semantic Versioning.

License

This project is licensed under the MIT LICENSE.

Author

Author: dataday
