thinkinglabs / aws-iam-policy Goto Github PK

For example, AmazonS3FullAccess has this document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*", "s3-object-lambda:*"],
      "Resource": "*"
    }
  ]
}

Trying to parse that document with this library throws:

error: Uncaught (in promise) Error: Unsupported type: expecting an array
      throw new Error('Unsupported type: expecting an array');
            ^
    at parseArray (aws-iam-policy/src/statement/deserialiser.ts:26:13)
    at Function.fromJSON (aws-iam-policy/src/statement/deserialiser.ts:12:18)
    at Function.fromJSON (aws-iam-policy/src/statement/statement.ts:49:38)
    at aws-iam-policy/src/policy/policy.ts:44:74
    at Array.map (<anonymous>)
    at Function.fromJson (aws-iam-policy/src/policy/policy.ts:44:40)

It seems is not possible to parse a valid Resource Policy on a S3 bucket, such as

{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFront",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/some-cloud-front-user"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

using PolicyDocument.fromJson, because an 'Unsupported AWS principal value "arn:aws:iam::cloudfront:user/some-cloud-front-user"' Error is thrown

At the moment, the Condition element accepts any JSON object, valid or not.

The StatementArgs should be extended as follows:

interface StatementArgs {
  readonly sid?: string;
  readonly effect?: Effect;
  readonly principals?: Principal[];
  readonly actions?: string[];
  readonly resources?: string[];
  readonly conditions?: Condition[];
}

interface Condition {
  readonly operator: string;
  readonly key: string;
  readonly values: string[];
}

This is a breaking compatibility change => results in v2.0.

According to the AWS IAM documentation, a Sid only accepts alphanumerical characters [a-zA-Z0-9].

But I see that resource-based Policies for some services accept spaces for Sids. AWS does not document this. Although the documentation for S3 Bucket Policies and KMS Key Policies clearly show examples with spaces for Sids.

An IAM Policy statement with the following principal:

{
   "Principal": {
      "AWS": [
          "arn:aws:iam::123456789012:root"
      ]
   }
}

returns an ArnPrincipal object instead of a RootAccountPrincipal although the tests/principals/deserialiser.spec.ts tests all pass. This is because the deep.equal only checks on properties but not on type names.

At the moment, the library only supports single element arrays for single-valued principals.

"Principal": { 
  "AWS": [
    "arn:aws:iam::123456789012:root",
  ],
}

The grammar however also supports a string for a single-valued principal.

"Principal": { "AWS": "arn:aws:iam::123456789012:root" }

See: AWS JSON policy elements: Principal

Possibility to create an AWS type principal using new RolePrincipal(accountId, roleName) that inherits from ArnPrincipal.
This adds syntactic sugar on top of the ArnPrincipal to easily build an IAM Role ARN based on an accountId and roleName.

• add path

• add validation

  • validate roleName: accepted characters, max length, ...
  • validate path: accepted characters, max length, paths need to start and end with a slash (/), ...
  • validate accountId

  following the quotas defined for IAM

I don't think there's currently a way to specify Principal: * (please correct me if that's incorrect).

The existing AnonymousUserPrincipal renders to "Principal": {"AWS": ["*"]}, which is not exactly the same as Principal: *.

See Amazon S3 > Security > IAM > Bucket policies and user policies > Policies and permissions > Principals > Grant anonymous permissions
See IAM > Reference > Policy Reference > JSON element reference > Principal > All principals

At this moment, the library only supports Condition key values to be an array of strings. But the grammar also allows single-valued Condition key as a string.

"Condition" :  {
      "DateGreaterThan" : {
         "aws:CurrentTime" : "2019-07-16T12:00:00Z"
       },
      "DateLessThan": {
         "aws:CurrentTime" : "2019-07-16T15:00:00Z"
       },
       "IpAddress" : {
          "aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]
      }
}

See IAM JSON policy elements: Condition.

Possibility to create an AWS type principal using new UserPrincipal(accountId, userName) that inherits from ArnPrincipal.
This adds syntactic sugar on top of the ArnPrincipal to easily build an IAM User ARN based on an accountId and userName.

• add path

• add validation:

  • validate userName: accepted characters, max length, ...
  • validate path: accepted characters, max length, paths need to start and end with a slash (/), ...
  • validate accountId

  following the quotas defined for IAM

IAM Policy documents:

The size of each managed policy cannot exceed 6,144 characters.
From the IAM and AWS STS quotas > IAM and STS character limits

KMS key policy:

The key policy size limit is 32 kilobytes (32768 bytes).
From KMS - Boto3 docs > create_key

S3 bucket policy:

Bucket policies are limited to 20 KB in size.
From Adding a bucket policy by using the Amazon S3 console

Secrets Manager secret policy:

20,480
From AWS Secrets Manager quotas

Add a GitHub action that publishes the NPM package when a new tag is created.