This utility helps manage AWS IAM Roles and their associated Policies via a simple model.
This utility is distributed as a python module, ready to be installed with pip. This app requires python 3.
To install into a virtual environment and muck about with the code, cd to the top folder and run:
> pip install --editable .
This will install the app, called manage, and its dependencies.
If you pull this from the git repo, you will have two folders in the top level folder that contain the actual model and its templates:
- json: This folder contains the primary model file, model.json, as well as the properties.json file, used for processing the model. More on this later.
- policy_templates: This folder contains the current set of policy templates. The templates use jinja2, and get passed the region, env, role, and service variables from the model.
Thus, we have roles named things like:
- us-west-2-prod-api_nginx
- us-west-2-corp-kibana
- us-west-2-infra-jenkins
You get the idea.
Policies follow a similar naming pattern, with a slight twist. Policy names follow the pattern <region>-<env>-<service>, due to the fact that a single role may have multiple services, and require multiple policies.
[
  {
    "<region>": {
      "<env>": {
        "<role>": {
          "<service>": ["<template>"]
        }
      }
    }
  }
]
Along with the data in the properties.json file, the instantiated CSMContext object is also available in the ctx attribute. So, for instance, the orgId attribute in the runtime CSMContext is available to jinja as ctx.orgId.
Each service listing in the model contains a set of 1 or more templates. These identify the template files in the policy_templates folder (and are named the same, but without the .template extension).
Each template file is processed by jinja2. Along with the standard properties and CSMContext, the values of the relevant region, env, and service are made available to jinja2.
The processed output becomes the policy document that is given to AWS IAM. Because this model makes policies easy to specify, you can have very fine-grained policies rather than monolithic policies per role.
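The following is an added example, not code from this project, that walks a model in the nested shape described above and expands it into role names (<region>-<env>-<role>), policy names (<region>-<env>-<service>) and rendered policy documents. The model, the two template strings and the ctx object with an orgId attribute are all constructed stand-ins for model.json, the policy_templates files and the runtime CSMContext. It renders with jinja2 when that package is importable and otherwise falls back to a minimal `{{ name }}` / `{{ obj.attr }}` substitution; in both cases an undefined variable is an error rather than an empty string, so a typo in a template cannot silently render a broken ARN into an IAM policy. Each rendered document is also parsed as JSON before it is accepted.

```python
import json
import re
from types import SimpleNamespace
from typing import Any, Dict, List, Tuple

# Constructed sample model in the documented shape
# (region -> env -> role -> service -> [template names]); not the project's model.json.
MODEL = [
    {
        "us-west-2": {
            "prod": {
                "api_nginx": {
                    "assets": ["s3_read"],
                    "logs": ["cloudwatch_logs"],
                }
            },
            "infra": {
                "jenkins": {
                    "assets": ["s3_read"],
                }
            },
        }
    }
]

# Constructed stand-ins for policy_templates/<name>.template.
TEMPLATES = {
    "s3_read": (
        '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
        '"Action": ["s3:GetObject"], '
        '"Resource": "arn:aws:s3:::{{ ctx.orgId }}-{{ env }}-{{ service }}-{{ region }}/*"}]}'
    ),
    "cloudwatch_logs": (
        '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
        '"Action": ["logs:CreateLogStream", "logs:PutLogEvents"], '
        '"Resource": "arn:aws:logs:{{ region }}:*:log-group:/{{ env }}/{{ role }}/*"}]}'
    ),
}

# Hypothetical stand-in for the runtime CSMContext object that templates see as ctx.
CTX = SimpleNamespace(orgId="acme")


def render(template: str, variables: Dict[str, Any]) -> str:
    """Render a template; undefined names raise instead of rendering as empty text."""
    try:
        import jinja2
    except ImportError:
        jinja2 = None
    if jinja2 is not None:
        env = jinja2.Environment(undefined=jinja2.StrictUndefined)
        return env.from_string(template).render(**variables)

    # Fallback used only when jinja2 is absent: supports {{ name }} and {{ obj.attr }}.
    def lookup(match: "re.Match[str]") -> str:
        head, *attrs = match.group(1).split(".")
        if head not in variables:
            raise KeyError(f"undefined template variable: {match.group(1)}")
        value = variables[head]
        for attr in attrs:
            value = getattr(value, attr)
        return str(value)

    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lookup, template)


def process_model(model, templates, ctx) -> Dict[str, List[Tuple[str, str, dict]]]:
    """Expand the model into {role_name: [(policy_name, template_name, document), ...]}."""
    roles: Dict[str, List[Tuple[str, str, dict]]] = {}
    for entry in model:
        for region, envs in entry.items():
            for env, role_map in envs.items():
                for role, services in role_map.items():
                    role_name = f"{region}-{env}-{role}"
                    for service, template_names in services.items():
                        policy_name = f"{region}-{env}-{service}"
                        variables = {"region": region, "env": env, "role": role,
                                     "service": service, "ctx": ctx}
                        for name in template_names:
                            # A policy document must be valid JSON, so parse it here
                            # rather than discovering the problem when IAM rejects it.
                            doc = json.loads(render(templates[name], variables))
                            roles.setdefault(role_name, []).append((policy_name, name, doc))
    return roles


def render_fails_on_undefined() -> bool:
    """True if a template referencing an unknown variable is rejected."""
    try:
        render('{"Resource": "arn:aws:s3:::{{ bucket }}/*"}', {"region": "us-west-2"})
    except Exception:
        return True
    return False


if __name__ == "__main__":
    # Roughly what a "show the processed model" command would print.
    for role_name, policies in process_model(MODEL, TEMPLATES, CTX).items():
        print(role_name)
        for policy_name, template_name, doc in policies:
            print(f"  {policy_name} ({template_name}): {json.dumps(doc)}")
```

Note that because policy names carry only region, env and service, two roles in the same region and env that share a service name will map to the same policy name; if their templates reference the role (as the constructed cloudwatch_logs one does), the rendered documents differ while the name does not, which is worth checking for before anything is pushed to IAM.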
The manage app has three primary commands:
- policies: Creates, compares, and updates policies based on the model.
- roles: Creates, compares, and updates AWS roles based on the model, including attaching policies.
- model: Show the processed model. This will show you exactly what the final policies look like once processed. If you want to see the raw json model (after processing) use the model json command.