thinkinglabs / aws-iam-policy

A TypeScript Node.js module to manipulate AWS IAM Policy documents

License: MIT License
For example, AmazonS3FullAccess has this document:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*", "s3-object-lambda:*"],
      "Resource": "*"
    }
  ]
}
```

Trying to parse that document with this library throws:

```
error: Uncaught (in promise) Error: Unsupported type: expecting an array
    throw new Error('Unsupported type: expecting an array');
    ^
    at parseArray (aws-iam-policy/src/statement/deserialiser.ts:26:13)
    at Function.fromJSON (aws-iam-policy/src/statement/deserialiser.ts:12:18)
    at Function.fromJSON (aws-iam-policy/src/statement/statement.ts:49:38)
    at aws-iam-policy/src/policy/policy.ts:44:74
    at Array.map (<anonymous>)
    at Function.fromJson (aws-iam-policy/src/policy/policy.ts:44:40)
```
It seems it is not possible to parse a valid Resource Policy on an S3 bucket, such as

```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFront",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/some-cloud-front-user"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
```

using `PolicyDocument.fromJson`, because an `Unsupported AWS principal value "arn:aws:iam::cloudfront:user/some-cloud-front-user"` Error is thrown.
At the moment, the `Condition` element accepts any JSON object, valid or not.

The `StatementArgs` should be extended as follows:

```typescript
interface StatementArgs {
  readonly sid?: string;
  readonly effect?: Effect;
  readonly principals?: Principal[];
  readonly actions?: string[];
  readonly resources?: string[];
  readonly conditions?: Condition[];
}

interface Condition {
  readonly operator: string;
  readonly key: string;
  readonly values: string[];
}
```

This is a breaking compatibility change => results in v2.0.
According to the AWS IAM documentation, a `Sid` only accepts alphanumerical characters `[a-zA-Z0-9]`.

But I see that resource-based Policies for some services accept spaces in `Sid`s. AWS does not document this, although the documentation for S3 Bucket Policies and KMS Key Policies clearly shows examples with spaces in Sids.
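The two issues above (typed `Condition`s and `Sid` validation) share one natural home: construction and serialisation of a statement. The following is an added example written for this page, not the library's own implementation, of a `Statement` built from the proposed `StatementArgs`/`Condition` shape. Conditions are validated and merged back into the IAM JSON form `{ operator: { key: value | [values] } }`, and the `Sid` check is strict (`[a-zA-Z0-9]`) for identity-based policies while admitting spaces for resource-based ones. The resource-policy rule is the undocumented behaviour reported in the Sid issue and is an assumption here; `Principal` is simplified to a type-to-identifiers map, and an explicit `effect` is required rather than defaulted.

```typescript
// Added example, not the aws-iam-policy implementation. Assumptions: spaces are
// tolerated in resource-policy Sids (undocumented, per the issue above) and
// Principal is simplified to a map of principal type to identifiers.

export type Effect = 'Allow' | 'Deny';
export type PolicyKind = 'identity' | 'resource';

export interface Condition {
  readonly operator: string; // e.g. "StringEquals"
  readonly key: string;      // e.g. "aws:PrincipalOrgID"
  readonly values: string[];
}

export interface StatementArgs {
  readonly sid?: string;
  readonly effect?: Effect;
  readonly principals?: Record<string, string[]>;
  readonly actions?: string[];
  readonly resources?: string[];
  readonly conditions?: Condition[];
}

const IDENTITY_SID = /^[A-Za-z0-9]+$/;
const RESOURCE_SID = /^[A-Za-z0-9 ]+$/; // assumption: S3/KMS examples show spaces

export function validateSid(sid: string, kind: PolicyKind): void {
  const re = kind === 'identity' ? IDENTITY_SID : RESOURCE_SID;
  if (!re.test(sid)) {
    throw new Error(`invalid Sid ${JSON.stringify(sid)} for ${kind}-based policy`);
  }
}

export function validateCondition(c: Condition): void {
  if (c.operator.length === 0 || c.key.length === 0) {
    throw new Error('Condition needs a non-empty operator and key');
  }
  if (c.values.length === 0) {
    throw new Error(`Condition ${c.operator}/${c.key} needs at least one value`);
  }
}

export type ConditionJSON = Record<string, Record<string, string | string[]>>;

// Serialise to { operator: { key: value | [values] } }. Entries sharing an
// operator and key are merged; a single value is emitted as a bare string,
// which the IAM grammar permits.
export function conditionsToJSON(conditions: Condition[]): ConditionJSON {
  const merged: Record<string, Record<string, string[]>> = {};
  for (const c of conditions) {
    validateCondition(c);
    const byKey = merged[c.operator] ?? (merged[c.operator] = {});
    byKey[c.key] = (byKey[c.key] ?? []).concat(c.values);
  }
  const out: ConditionJSON = {};
  for (const [op, keys] of Object.entries(merged)) {
    out[op] = {};
    for (const [k, vs] of Object.entries(keys)) {
      out[op][k] = vs.length === 1 ? vs[0] : vs;
    }
  }
  return out;
}

export class Statement {
  // Validation happens at construction so an invalid statement never exists.
  constructor(private readonly args: StatementArgs, kind: PolicyKind = 'identity') {
    if (args.effect === undefined) throw new Error('Effect is required');
    if (args.sid !== undefined) validateSid(args.sid, kind);
    (args.conditions ?? []).forEach(validateCondition);
  }

  toJSON(): Record<string, unknown> {
    const a = this.args;
    const json: Record<string, unknown> = {};
    if (a.sid !== undefined) json.Sid = a.sid;
    json.Effect = a.effect;
    if (a.principals !== undefined) json.Principal = a.principals;
    if (a.actions !== undefined) json.Action = a.actions;
    if (a.resources !== undefined) json.Resource = a.resources;
    if (a.conditions !== undefined && a.conditions.length > 0) {
      json.Condition = conditionsToJSON(a.conditions);
    }
    return json;
  }
}
```

`JSON.stringify(new Statement({...}, 'resource'))` yields the statement element ready to drop into a policy document; passing `'identity'` (the default) rejects a Sid such as `"Allow Read"` that a bucket policy would accept.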
An IAM Policy statement with the following principal:

```json
{
  "Principal": {
    "AWS": [
      "arn:aws:iam::123456789012:root"
    ]
  }
}
```

returns an `ArnPrincipal` object instead of a `RootAccountPrincipal`, although the `tests/principals/deserialiser.spec.ts` tests all pass. This is because `deep.equal` only checks properties but not type names.
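The mechanism behind that false pass is easy to reproduce. The block below is an added example written for this page (not the library's deserialiser or its spec): a buggy factory that always returns the base class, a fixed one that dispatches on the ARN shape, and a property-only comparison in the style of `deep.equal` next to a prototype check that would have caught the regression. The class shapes are assumed, with `RootAccountPrincipal` carrying no extra fields beyond `arn`, which is exactly what makes a field-only comparison blind.

```typescript
// Added example; not aws-iam-policy's code. Class shapes are assumed.

export class ArnPrincipal {
  constructor(readonly arn: string) {}
  toJSON(): { AWS: string[] } {
    return { AWS: [this.arn] };
  }
}

// Same fields as the base class, only the type differs.
export class RootAccountPrincipal extends ArnPrincipal {
  constructor(accountId: string) {
    super(`arn:aws:iam::${accountId}:root`);
  }
}

const ROOT_ARN = /^arn:aws:iam::(\d{12}):root$/;

// Buggy: every AWS principal comes back as the base class.
export function fromArnNaive(arn: string): ArnPrincipal {
  return new ArnPrincipal(arn);
}

// Fixed: recognise the account-root ARN before falling back to ArnPrincipal.
export function fromArn(arn: string): ArnPrincipal {
  const m = ROOT_ARN.exec(arn);
  return m ? new RootAccountPrincipal(m[1]) : new ArnPrincipal(arn);
}

// Property-only comparison in the style of deep.equal: own enumerable keys
// and values only, prototypes ignored. This is why the spec passes.
export function sameProps(a: object, b: object): boolean {
  const ka = Object.keys(a).sort();
  const kb = Object.keys(b).sort();
  const ra = a as Record<string, unknown>;
  const rb = b as Record<string, unknown>;
  return ka.length === kb.length && ka.every((k, i) => k === kb[i] && ra[k] === rb[k]);
}

// What the spec should assert in addition to the fields: same class.
export function sameClass(a: object, b: object): boolean {
  return Object.getPrototypeOf(a) === Object.getPrototypeOf(b);
}
```

In a chai spec the equivalent of `sameClass` is `expect(actual).to.be.instanceOf(RootAccountPrincipal)` alongside the existing `deep.equal`; the type assertion is the one that fails on the buggy factory.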
At the moment, the library only supports single-element arrays for single-valued principals.

```json
"Principal": {
  "AWS": [
    "arn:aws:iam::123456789012:root"
  ]
}
```

The grammar however also supports a string for a single-valued principal.

```json
"Principal": { "AWS": "arn:aws:iam::123456789012:root" }
```
Possibility to create an `AWS` type principal using `new RolePrincipal(accountId, roleName)` that inherits from `ArnPrincipal`.

This adds syntactic sugar on top of the `ArnPrincipal` to easily build an IAM Role ARN based on an `accountId` and `roleName`.

- add path
- add validation
  - `roleName`: accepted characters, max length, ...
  - `path`: accepted characters, max length, paths need to start and end with a slash (`/`), ...
  - `accountId`: following the quotas defined for IAM
I don't think there's currently a way to specify `Principal: *` (please correct me if that's incorrect).

The existing `AnonymousUserPrincipal` renders to `"Principal": {"AWS": ["*"]}`, which is not exactly the same as `Principal: *`.

See Amazon S3 > Security > IAM > Bucket policies and user policies > Policies and permissions > Principals > Grant anonymous permissions

See IAM > Reference > Policy Reference > JSON element reference > Principal > All principals
At this moment, the library only supports `Condition` key values to be an array of strings. But the grammar also allows a single-valued `Condition` key as a string.

```json
"Condition": {
  "DateGreaterThan": {
    "aws:CurrentTime": "2019-07-16T12:00:00Z"
  },
  "DateLessThan": {
    "aws:CurrentTime": "2019-07-16T15:00:00Z"
  },
  "IpAddress": {
    "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
  }
}
```
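Several of the issues on this page are the same grammar rule seen from different elements: the IAM JSON grammar lets any single-valued element be written as a bare string instead of a one-element array. That is why `AmazonS3FullAccess` (`"Resource": "*"`) and the CloudFront bucket policy (`"Principal": {"AWS": "..."}` and `"Action": "s3:GetObject"`) fail to parse, why single-valued principals and Condition keys are rejected, and it is also where the bare `"Principal": "*"` form has to be handled. The block below is an added example written for this page, not the library's deserialiser: a normalising parser that accepts both spellings for Action, Resource, Principal and Condition values, treats a lone `"*"` principal as "all principals", and also accepts a single statement object where the grammar allows it. The sample documents are constructed for the example (the first two reproduce the documents quoted in the issues above); `Not*` elements are deliberately rejected rather than silently mis-read.

```typescript
// Added example; not aws-iam-policy's code. Sample documents are constructed.

export type Effect = 'Allow' | 'Deny';

export interface ConditionEntry {
  readonly operator: string; // e.g. "IpAddress"
  readonly key: string;      // e.g. "aws:SourceIp"
  readonly values: string[];
}

// "*" is the all-principals (incl. anonymous) form; otherwise a map from
// principal type ("AWS", "Service", "Federated", ...) to identifiers.
export type Principals = '*' | Record<string, string[]>;

export interface NormalisedStatement {
  readonly sid?: string;
  readonly effect: Effect;
  readonly principals?: Principals;
  readonly actions: string[];
  readonly resources: string[];
  readonly conditions: ConditionEntry[];
}

// The grammar allows a bare string wherever a one-element array is meant.
export function asArray(value: unknown, where: string): string[] {
  if (typeof value === 'string') return [value];
  if (Array.isArray(value) && value.every((v) => typeof v === 'string')) return value as string[];
  throw new Error(`${where}: expected a string or an array of strings`);
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

function isEffect(v: unknown): v is Effect {
  return v === 'Allow' || v === 'Deny';
}

function parsePrincipal(raw: unknown): Principals {
  if (raw === '*') return '*';
  if (!isRecord(raw)) throw new Error('Principal: expected "*" or an object');
  const out: Record<string, string[]> = {};
  for (const [type, ids] of Object.entries(raw)) out[type] = asArray(ids, `Principal.${type}`);
  return out;
}

function parseConditions(raw: unknown): ConditionEntry[] {
  if (raw === undefined) return [];
  if (!isRecord(raw)) throw new Error('Condition: expected an object');
  const out: ConditionEntry[] = [];
  for (const [operator, keys] of Object.entries(raw)) {
    if (!isRecord(keys)) throw new Error(`Condition.${operator}: expected an object`);
    for (const [key, values] of Object.entries(keys)) {
      out.push({ operator, key, values: asArray(values, `Condition.${operator}.${key}`) });
    }
  }
  return out;
}

export function parseStatement(raw: unknown): NormalisedStatement {
  if (!isRecord(raw)) throw new Error('Statement: expected an object');
  const effect = raw.Effect;
  if (!isEffect(effect)) throw new Error('Effect must be "Allow" or "Deny"');
  // Negated elements invert the meaning; refuse them rather than mis-read them.
  for (const k of ['NotAction', 'NotResource', 'NotPrincipal']) {
    if (k in raw) throw new Error(`${k} is not handled by this example`);
  }
  const sid = raw.Sid;
  return {
    sid: typeof sid === 'string' ? sid : undefined,
    effect,
    principals: raw.Principal === undefined ? undefined : parsePrincipal(raw.Principal),
    actions: asArray(raw.Action, 'Action'),
    resources: asArray(raw.Resource, 'Resource'),
    conditions: parseConditions(raw.Condition),
  };
}

export function parsePolicyDocument(json: string): NormalisedStatement[] {
  const doc: unknown = JSON.parse(json);
  if (!isRecord(doc)) throw new Error('policy document must be a JSON object');
  const st = doc.Statement;
  // Statement may be one statement object or an array of them.
  const statements: unknown[] = Array.isArray(st) ? st : [st];
  return statements.map(parseStatement);
}

// Constructed sample: AmazonS3FullAccess, whose Resource is a bare string.
export const amazonS3FullAccess = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['s3:*', 's3-object-lambda:*'], Resource: '*' }],
});

// Constructed sample: the CloudFront bucket policy with bare-string Principal.AWS and Action.
export const cloudFrontBucketPolicy = JSON.stringify({
  Version: '2012-10-17',
  Id: 'PolicyForCloudFront',
  Statement: [{
    Sid: '1', Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::cloudfront:user/some-cloud-front-user' },
    Action: 's3:GetObject', Resource: 'arn:aws:s3:::bucket/*',
  }],
});

// Constructed sample: bare "*" principal, single statement object, mixed Condition values.
export const anonymousReadPolicy = JSON.stringify({
  Version: '2012-10-17',
  Statement: {
    Effect: 'Allow', Principal: '*', Action: 's3:GetObject', Resource: 'arn:aws:s3:::bucket/*',
    Condition: {
      DateLessThan: { 'aws:CurrentTime': '2019-07-16T15:00:00Z' },
      IpAddress: { 'aws:SourceIp': ['192.0.2.0/24', '203.0.113.0/24'] },
    },
  },
});
```

Normalising on input is what lets the rest of a policy library keep one internal shape (`string[]` everywhere, `'*'` as an explicit marker) while still round-tripping every document AWS itself emits.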
Possibility to create an `AWS` type principal using `new UserPrincipal(accountId, userName)` that inherits from `ArnPrincipal`.

This adds syntactic sugar on top of the `ArnPrincipal` to easily build an IAM User ARN based on an `accountId` and `userName`.

- add path
- add validation:
  - `userName`: accepted characters, max length, ...
  - `path`: accepted characters, max length, paths need to start and end with a slash (`/`), ...
  - `accountId`: following the quotas defined for IAM
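The `RolePrincipal` and `UserPrincipal` proposals above differ only in the resource type in the ARN, so one validated ARN builder serves both. The block below is an added example written for this page, not the library's code: the two classes as sugar over `ArnPrincipal`, with input checks against the IAM quotas (names of 1 to 64 characters from `[\w+=,.@-]`; a path that is `/` or begins and ends with `/` and is at most 512 characters; a 12-digit account id). The `aws` partition is fixed here as a simplification, and the `ArnPrincipal` shape is assumed.

```typescript
// Added example, not part of aws-iam-policy. Partition fixed to "aws" (assumption).

export class ArnPrincipal {
  constructor(readonly arn: string) {}
  toJSON(): { AWS: string[] } {
    return { AWS: [this.arn] };
  }
}

export type IamResourceType = 'role' | 'user';

// IAM quotas: names 1..64 chars from [\w+=,.@-]; path "/" or "/.../" up to 512
// chars (the inner part may contain any ASCII 0x21..0x7F, so nested paths work).
const NAME_RE = /^[\w+=,.@-]{1,64}$/;
const PATH_RE = /^(\/|\/[\u0021-\u007F]{1,510}\/)$/;
const ACCOUNT_RE = /^\d{12}$/;

export function validateAccountId(accountId: string): void {
  if (!ACCOUNT_RE.test(accountId)) {
    throw new Error(`accountId must be 12 digits, got ${JSON.stringify(accountId)}`);
  }
}

export function validateName(type: IamResourceType, name: string): void {
  if (!NAME_RE.test(name)) {
    throw new Error(`${type} name must match [\\w+=,.@-]{1,64}, got ${JSON.stringify(name)}`);
  }
}

export function validatePath(path: string): void {
  if (!PATH_RE.test(path)) {
    throw new Error(`path must be "/" or start and end with "/" (max 512 chars), got ${JSON.stringify(path)}`);
  }
}

// Validate every component before concatenating; an invalid ARN never exists.
export function iamArn(accountId: string, type: IamResourceType, path: string, name: string): string {
  validateAccountId(accountId);
  validatePath(path);
  validateName(type, name);
  return `arn:aws:iam::${accountId}:${type}${path}${name}`;
}

export class RolePrincipal extends ArnPrincipal {
  constructor(accountId: string, roleName: string, path = '/') {
    super(iamArn(accountId, 'role', path, roleName));
  }
}

export class UserPrincipal extends ArnPrincipal {
  constructor(accountId: string, userName: string, path = '/') {
    super(iamArn(accountId, 'user', path, userName));
  }
}
```

Because validation runs in the constructor, a typo such as a truncated account id fails at build time rather than surfacing later as a policy that grants access to the wrong (or no) principal.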
- IAM Policy documents: The size of each managed policy cannot exceed 6,144 characters. (From IAM and AWS STS quotas > IAM and STS character limits)
- KMS key policy: The key policy size limit is 32 kilobytes (32768 bytes). (From KMS - Boto3 docs > create_key)
- S3 bucket policy: Bucket policies are limited to 20 KB in size. (From Adding a bucket policy by using the Amazon S3 console)
- Secrets Manager secret policy: 20,480 (From AWS Secrets Manager quotas)
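A pre-flight size check against those quotas is a small but real guard: a document that passes local tests and then fails at `PutKeyPolicy` or `CreatePolicy` is a deployment-time surprise. The block below is an added example written for this page, not the library's code. It minifies the document first because IAM states that it does not count whitespace towards its character limit (`JSON.stringify` drops whitespace outside string values, which is the same thing for practical purposes). Measuring the KMS and S3 limits as UTF-8 bytes of the minified text and Secrets Manager's 20,480 as characters is an assumption made here; the quota values themselves are the ones quoted above.

```typescript
// Added example, not aws-iam-policy's code. Units per target are an assumption
// (IAM: characters without whitespace; KMS/S3: bytes; Secrets Manager: characters).

export type PolicyTarget = 'iam-managed' | 'kms-key' | 's3-bucket' | 'secretsmanager';
export type SizeUnit = 'chars' | 'bytes';

interface Quota {
  readonly max: number;
  readonly unit: SizeUnit;
}

const QUOTAS: Record<PolicyTarget, Quota> = {
  'iam-managed': { max: 6144, unit: 'chars' },
  'kms-key': { max: 32768, unit: 'bytes' },
  's3-bucket': { max: 20 * 1024, unit: 'bytes' },
  'secretsmanager': { max: 20480, unit: 'chars' },
};

// UTF-8 byte length without Node's Buffer, so the check also runs in a browser
// build; a surrogate pair encodes to 4 bytes and is consumed as one unit.
export function utf8Length(s: string): number {
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) n += 1;
    else if (c < 0x800) n += 2;
    else if (c >= 0xd800 && c <= 0xdbff) { n += 4; i++; }
    else n += 3;
  }
  return n;
}

export interface SizeReport {
  readonly size: number;
  readonly max: number;
  readonly unit: SizeUnit;
  readonly ok: boolean;
}

export function checkPolicySize(doc: unknown, target: PolicyTarget): SizeReport {
  // Minified form: whitespace outside string values is not part of the policy.
  const minified = JSON.stringify(doc);
  const { max, unit } = QUOTAS[target];
  const size = unit === 'bytes' ? utf8Length(minified) : minified.length;
  return { size, max, unit, ok: size <= max };
}
```

Run it as the last step of a policy builder's `toJSON()` path, or as a unit test over every policy a repository generates, so that the limit is hit in CI rather than in the deploy pipeline.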
Add a GitHub action that publishes the NPM package when a new tag is created.