Miam
Miam is a tool to manage AWS IAM.
It describes the desired state of IAM in a Ruby DSL (an `IAMfile`) and updates IAM to match that definition.
Notice
>= 0.2.0
>= 0.2.1
- Support Managed Policy attach/detach
- Support JSON format
>= 0.2.2
- Improve update (show diff)
- Support Template
- Add `--ignore-login-profile` option
- Sort policy array
>= 0.2.3
- Support Custom Managed Policy
>= 0.2.4
Installation
Add this line to your application's Gemfile:
ruby
gem 'miam'
And then execute:
$ bundle
Or install it yourself as:
$ gem install miam
Usage
sh
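# Credentials are taken from the environment here. Prefer a named profile
# (-p/--profile) or short-lived credentials over long-lived access keys, and
# avoid the -k/--access-key and -s/--secret-key options: a secret passed on
# the command line ends up in shell history and process listings.
export AWS_ACCESS_KEY_ID='...'
export AWS_SECRET_ACCESS_KEY='...'
export AWS_REGION='us-east-1'

miam -e -o IAMfile   # export the account's current IAM state to IAMfile
vi IAMfile           # edit the desired state
miam -a --dry-run    # show the diff that would be applied, without touching IAM
miam -a              # apply `IAMfile` — review the dry-run diff first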
Help
Usage: miam [options]
-p, --profile PROFILE_NAME
--credentials-path PATH
-k, --access-key ACCESS_KEY
-s, --secret-key SECRET_KEY
-r, --region REGION
-a, --apply
-f, --file FILE
--dry-run
--account-output FILE
-e, --export
-o, --output FILE
--split
--split-more
--format=FORMAT
--export-concurrency N
--target REGEXP
--exclude REGEXP
--ignore-login-profile
--no-color
--no-progress
--debug
IAMfile example
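# An IAMfile can load shared definitions from other files.
require 'other/iamfile'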
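# IAM user "bob" under the /developer/ path.
user "bob", :path => "/developer/" do
  # Console password, with a forced change at first sign-in.
  login_profile :password_reset_required => true

  groups(
    "Admin"
  )

  # Inline policy. "s3:Get*"/"s3:List*" are action wildcards and
  # "Resource"=>"*" applies them to every bucket in the account — narrow
  # the resource ARNs where the use case allows.
  policy "bob-policy" do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Action" => ["s3:Get*", "s3:List*"],
        "Effect" => "Allow",
        "Resource" => "*"}]}
  end

  attached_managed_policies(
    # attached_managed_policy
  )
end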
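# IAM user "mary" under the /staff/ path.
user "mary", :path => "/staff/" do
  # login_profile is commented out, so no console password is declared.
  # login_profile :password_reset_required => true

  groups(
    # no group
  )

  policy "s3-readonly" do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Action" => ["s3:Get*", "s3:List*"],
        "Effect" => "Allow",
        "Resource" => "*"}]}
  end

  policy "route53-readonly" do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Action" => ["route53:Get*", "route53:List*"],
        "Effect" => "Allow",
        "Resource" => "*"}]}
  end

  # NOTE(review): the AWS-managed AdministratorAccess policy grants full
  # access, which makes the two read-only inline policies above moot. Keep
  # this as a syntax example only; in a real IAMfile attach the narrowest
  # managed policy that covers the user's job.
  attached_managed_policies(
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::123456789012:policy/my_policy"
  )
end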
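# Group "Admin" with a full-access inline policy.
group "Admin", :path => "/admin/" do
  # "Action"=>"*" on "Resource"=>"*" is unrestricted access, equivalent to
  # the AWS-managed AdministratorAccess policy: every member of this group
  # can do anything in the account, including changing IAM itself.
  policy "Admin" do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Effect" => "Allow",
        "Action" => "*",
        "Resource" => "*"}]}
  end
end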
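# Role "S3", delivered to EC2 instances through the "S3" instance profile.
role "S3", :path => "/" do
  instance_profiles(
    "S3"
  )

  # Trust policy: only the EC2 service principal may assume this role.
  # "Action" is a key of the statement, not of the "Principal" object.
  assume_role_policy_document do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Sid" => "",
        "Effect" => "Allow",
        "Principal" => {"Service" => "ec2.amazonaws.com"},
        "Action" => "sts:AssumeRole"}]}
  end

  # Permissions policy. "*"/"*" gives any instance carrying this profile
  # full access to the account, not just to S3 as the role name suggests;
  # scope it to the S3 actions and buckets the instances actually need.
  policy "S3-role-policy" do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Effect" => "Allow",
        "Action" => "*",
        "Resource" => "*"}]}
  end
end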
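# Instance profile referenced by the "S3" role's instance_profiles above.
instance_profile "S3", :path => "/"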
Rename
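require 'other/iamfile'

# :renamed_from names the existing entity this definition replaces, so miam
# renames it instead of treating "bob2" as a new user.
# NOTE(review): without :renamed_from a renamed user presumably becomes a
# delete-and-create, which would drop its access keys — confirm before
# renaming users that have keys in use.
user "bob2", :path => "/developer/", :renamed_from => "bob" do
  # ...
end

# Same for groups (note the comma after the path, not a period).
group "Admin2", :path => "/admin/", :renamed_from => "Admin" do
  # ...
end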
Managed Policy attach/detach
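user "bob", :path => "/developer/" do
  login_profile :password_reset_required => true

  groups(
    "Admin"
  )

  policy "bob-policy" do
    # ...
  end

  # Managed policies are attached by ARN. Listing an ARN attaches it;
  # removing it from this list detaches it on the next apply.
  attached_managed_policies(
    "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
  )
end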
Custom Managed Policy
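# Customer-managed policy created in this account. Attach it to users,
# groups or roles by ARN (see the user below).
managed_policy "my-policy", :path => "/" do
  {"Version" => "2012-10-17",
   "Statement" =>
    [{"Effect" => "Allow",
      "Action" => "directconnect:Describe*",
      "Resource" => "*"}]}
end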
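user "bob", :path => "/developer/" do
  login_profile :password_reset_required => true

  groups(
    "Admin"
  )

  policy "bob-policy" do
    # ...
  end

  # ARN of the customer-managed policy defined above; 123456789012 is a
  # placeholder for the account ID the policy lives in.
  attached_managed_policies(
    "arn:aws:iam::123456789012:policy/my-policy"
  )
end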
Use JSON
```sh
$ miam -e -o iam.json
ᗧ 100%
Export IAM to iam.json
$ cat iam.json
{
  "users": {
    "bob": {
      "path": "/",
      "groups": [
        "Admin"
      ],
      "policies": {
        ...
$ miam -a -f iam.json --dry-run
Apply iam.json to IAM (dry-run)
ᗧ 100%
No change
```
Use Template
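# Reusable fragment expanded wherever include_template "common-policy" is
# called. context.version is whatever the includer supplied, either as a
# keyword to include_template or by assigning context.version.
template "common-policy" do
  policy "my-policy" do
    {"Version" => context.version,
     "Statement" =>
      [{"Action" => ["s3:Get*", "s3:List*"],
        "Effect" => "Allow",
        "Resource" => "*"}]}
  end
end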
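# Shared trust policy for roles assumed by EC2 instances.
# "Action" is a key of the statement, not of the "Principal" object.
template "common-role-attrs" do
  assume_role_policy_document do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Sid" => "",
        "Effect" => "Allow",
        "Principal" => {"Service" => "ec2.amazonaws.com"},
        "Action" => "sts:AssumeRole"}]}
  end
end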
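user "bob", :path => "/developer/" do
  login_profile :password_reset_required => true

  groups(
    "Admin"
  )

  # Keyword arguments become context values inside the template
  # (here context.version).
  include_template "common-policy", version: "2012-10-17"
end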
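user "mary", :path => "/staff/" do
  # login_profile :password_reset_required => true

  groups(
    # no group
  )

  # Setting context.version directly is the alternative to passing
  # version: as a keyword to include_template.
  context.version = "2012-10-17"
  include_template "common-policy"

  # NOTE(review): AdministratorAccess grants full access and makes the
  # templated read-only policy moot; attach the narrowest managed policy
  # that covers the user's job in a real IAMfile.
  attached_managed_policies(
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::123456789012:policy/my_policy"
  )
end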
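role "S3", :path => "/" do
  instance_profiles(
    "S3"
  )

  # Pulls in the shared EC2 trust policy.
  include_template "common-role-attrs"

  # "*"/"*" gives any instance with this profile full access to the
  # account; scope it to the S3 actions and buckets the instances need.
  policy "S3-role-policy" do
    {"Version" => "2012-10-17",
     "Statement" =>
      [{"Effect" => "Allow",
        "Action" => "*",
        "Resource" => "*"}]}
  end
end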