subiam 1.2.1 → 1.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +87 -87
- data/bin/subiam +26 -21
- data/lib/subiam/client.rb +1 -1
- data/lib/subiam/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9e9c53dfa71f2d449b85caa531f6d97915c6413b
|
|
4
|
+
data.tar.gz: c73ef382a5339c7d728ebf2c28a4cfdfe96ef4da
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2e9b69459246c5e88d7980df906f8424069eb6cc40481115d88585e5d771ed988bca742722721c1b6c1caeb0e7708e605788ec469e1407f379ad34fc3f4d2373
|
|
7
|
+
data.tar.gz: bbfcdf2e17ca809dcb682e24074c152c1dc1d9a0d1885ba3cce57f89c3784fe42f80b3acfddf0230b71de2c288e95b5846185625b8764189606f4f39f569e655
|
data/README.md
CHANGED
|
@@ -7,6 +7,9 @@ It defines the state of IAM using DSL, and updates IAM according to DSL.
|
|
|
7
7
|
It's forked from Miam. Miam is designed to manage all IAM entities in the AWS account. Subiam is not so. Subiam is designed to manage sub part of IAM entities in the AWS account. For example around MySQL instances / around web servers / around lambda functions / around monitoring systems.
|
|
8
8
|
|
|
9
9
|
**Notice**
|
|
10
|
+
* `>= 1.3.0`
|
|
11
|
+
* Specify default region: `ap-northeast-1`. User does't have to specify region unless using isolated AWS region like GovCloud.
|
|
12
|
+
|
|
10
13
|
* `>= 1.2.0`
|
|
11
14
|
* Add helper methods: `arn_policy_by_aws`, `arn_policy_by_current_account`
|
|
12
15
|
|
|
@@ -41,7 +44,6 @@ Or install it yourself as:
|
|
|
41
44
|
```sh
|
|
42
45
|
export AWS_ACCESS_KEY_ID='...'
|
|
43
46
|
export AWS_SECRET_ACCESS_KEY='...'
|
|
44
|
-
export AWS_REGION='us-east-1'
|
|
45
47
|
vi subiam-xxx.rb
|
|
46
48
|
subiam -a --dry-run subiam-xxx.rb
|
|
47
49
|
subiam -a subiam-xxx.rb
|
|
@@ -55,22 +57,24 @@ Usage: subiam [options]
|
|
|
55
57
|
--credentials-path PATH
|
|
56
58
|
-k, --access-key ACCESS_KEY
|
|
57
59
|
-s, --secret-key SECRET_KEY
|
|
58
|
-
-r, --region REGION
|
|
60
|
+
-r, --region REGION default: ap-northeast-1
|
|
59
61
|
-a, --apply
|
|
60
|
-
-f, --file FILE
|
|
62
|
+
-f, --file FILE Specify the file path to apply.
|
|
61
63
|
--dry-run
|
|
62
64
|
--account-output FILE
|
|
63
65
|
-e, --export
|
|
64
|
-
-o, --output FILE
|
|
66
|
+
-o, --output FILE Specify the file path to export current IAM settings.
|
|
65
67
|
--split
|
|
66
68
|
--split-more
|
|
67
|
-
--format
|
|
69
|
+
--format FORMAT
|
|
70
|
+
ruby or json. (default: ruby)
|
|
68
71
|
--export-concurrency N
|
|
69
72
|
--ignore-login-profile
|
|
70
73
|
--no-color
|
|
71
74
|
--no-progress
|
|
72
75
|
--debug
|
|
73
76
|
--enable-delete
|
|
77
|
+
Enable to delete top level elements. (default: false)
|
|
74
78
|
```
|
|
75
79
|
|
|
76
80
|
## IAM definition files example
|
|
@@ -144,47 +148,28 @@ template "ec2-assume-role-attrs" do
|
|
|
144
148
|
end
|
|
145
149
|
```
|
|
146
150
|
|
|
147
|
-
|
|
148
|
-
## Use management policy
|
|
149
|
-
|
|
150
|
-
```ruby
|
|
151
|
-
user "foo", path: '/' do
|
|
152
|
-
attached_managed_policies(
|
|
153
|
-
'arn:aws:iam::0123456789:policy/MyPolicy',
|
|
154
|
-
|
|
155
|
-
arn_policy_by_current_account("MyPolicy2"),
|
|
156
|
-
# == "arn:aws:iam::0123456789:policy/MyPolicy2'
|
|
157
|
-
|
|
158
|
-
arn_policy_by_aws("AdministratorAccess")
|
|
159
|
-
# == 'arn:aws:iam::aws:policy/AdministratorAccess'
|
|
160
|
-
)
|
|
161
|
-
end
|
|
162
|
-
```
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
---
|
|
166
|
-
old examples (but works if add `target`)
|
|
151
|
+
## General example (User / Group / Role)
|
|
167
152
|
|
|
168
153
|
```ruby
|
|
169
154
|
import 'other/iamfile'
|
|
170
155
|
|
|
171
|
-
target
|
|
156
|
+
target /.*/ # managing IAMs whole account
|
|
172
157
|
|
|
173
|
-
user "monitoring-bob", :
|
|
174
|
-
login_profile :
|
|
158
|
+
user "monitoring-bob", path: "/monitoring-user/" do
|
|
159
|
+
login_profile password_reset_required: true
|
|
175
160
|
|
|
176
161
|
groups(
|
|
177
162
|
"Admin"
|
|
178
163
|
)
|
|
179
164
|
|
|
180
165
|
policy "bob-policy" do
|
|
181
|
-
{
|
|
182
|
-
|
|
183
|
-
[{
|
|
166
|
+
{Version: "2012-10-17",
|
|
167
|
+
Statement:
|
|
168
|
+
[{Action:
|
|
184
169
|
["s3:Get*",
|
|
185
170
|
"s3:List*"],
|
|
186
|
-
|
|
187
|
-
|
|
171
|
+
Effect: "Allow",
|
|
172
|
+
Resource: "*"}]}
|
|
188
173
|
end
|
|
189
174
|
|
|
190
175
|
attached_managed_policies(
|
|
@@ -192,31 +177,31 @@ user "monitoring-bob", :path => "/monitoring-user/" do
|
|
|
192
177
|
)
|
|
193
178
|
end
|
|
194
179
|
|
|
195
|
-
user "mary", :
|
|
196
|
-
# login_profile :
|
|
180
|
+
user "mary", path: "/staff/" do
|
|
181
|
+
# login_profile password_reset_required: true
|
|
197
182
|
|
|
198
183
|
groups(
|
|
199
184
|
# no group
|
|
200
185
|
)
|
|
201
186
|
|
|
202
187
|
policy "s3-readonly" do
|
|
203
|
-
{
|
|
204
|
-
|
|
205
|
-
[{
|
|
188
|
+
{Version: "2012-10-17",
|
|
189
|
+
Statement:
|
|
190
|
+
[{Action:
|
|
206
191
|
["s3:Get*",
|
|
207
192
|
"s3:List*"],
|
|
208
|
-
|
|
209
|
-
|
|
193
|
+
Effect: "Allow",
|
|
194
|
+
Resource: "*"}]}
|
|
210
195
|
end
|
|
211
196
|
|
|
212
197
|
policy "route53-readonly" do
|
|
213
|
-
{
|
|
214
|
-
|
|
215
|
-
[{
|
|
198
|
+
{Version: "2012-10-17",
|
|
199
|
+
Statement:
|
|
200
|
+
[{Action:
|
|
216
201
|
["route53:Get*",
|
|
217
202
|
"route53:List*"],
|
|
218
|
-
|
|
219
|
-
|
|
203
|
+
Effect: "Allow",
|
|
204
|
+
Resource: "*"}]}
|
|
220
205
|
end
|
|
221
206
|
|
|
222
207
|
attached_managed_policies(
|
|
@@ -225,45 +210,43 @@ user "mary", :path => "/staff/" do
|
|
|
225
210
|
)
|
|
226
211
|
end
|
|
227
212
|
|
|
228
|
-
group "Admin", :
|
|
213
|
+
group "Admin", path: "/admin/" do
|
|
229
214
|
policy "Admin" do
|
|
230
|
-
{
|
|
215
|
+
{Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
|
|
231
216
|
end
|
|
232
217
|
end
|
|
233
218
|
|
|
234
|
-
role "S3", :
|
|
219
|
+
role "S3", path: "/" do
|
|
235
220
|
instance_profiles(
|
|
236
221
|
"S3"
|
|
237
222
|
)
|
|
238
223
|
|
|
239
224
|
assume_role_policy_document do
|
|
240
|
-
{
|
|
241
|
-
|
|
242
|
-
[{
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
225
|
+
{Version: "2012-10-17",
|
|
226
|
+
Statement:
|
|
227
|
+
[{Sid: "",
|
|
228
|
+
Effect: "Allow",
|
|
229
|
+
Principal: {Service: "ec2.amazonaws.com"},
|
|
230
|
+
Action: "sts:AssumeRole"}]}
|
|
246
231
|
end
|
|
247
232
|
|
|
248
233
|
policy "S3-role-policy" do
|
|
249
|
-
{
|
|
250
|
-
|
|
234
|
+
{Version: "2012-10-17",
|
|
235
|
+
Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
|
|
251
236
|
end
|
|
252
237
|
end
|
|
253
238
|
|
|
254
|
-
instance_profile "S3", :
|
|
239
|
+
instance_profile "S3", path: "/"
|
|
255
240
|
```
|
|
256
241
|
|
|
257
242
|
## Rename
|
|
258
243
|
|
|
259
244
|
```ruby
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
user "bob2", :path => "/developer/", :renamed_from => "bob" do
|
|
245
|
+
user "bob2", path: "/developer/", renamed_from: "bob" do
|
|
263
246
|
# ...
|
|
264
247
|
end
|
|
265
248
|
|
|
266
|
-
group "Admin2", :
|
|
249
|
+
group "Admin2", path: "/admin/", renamed_from: "Admin" do
|
|
267
250
|
# ...
|
|
268
251
|
end
|
|
269
252
|
```
|
|
@@ -271,8 +254,8 @@ end
|
|
|
271
254
|
## Managed Policy attach/detach
|
|
272
255
|
|
|
273
256
|
```ruby
|
|
274
|
-
user "bob", :
|
|
275
|
-
login_profile :
|
|
257
|
+
user "bob", path: "/developer/" do
|
|
258
|
+
login_profile password_reset_required: true
|
|
276
259
|
|
|
277
260
|
groups(
|
|
278
261
|
"Admin"
|
|
@@ -291,14 +274,14 @@ end
|
|
|
291
274
|
## Custom Managed Policy
|
|
292
275
|
|
|
293
276
|
```ruby
|
|
294
|
-
managed_policy "my-policy", :
|
|
295
|
-
{
|
|
296
|
-
|
|
297
|
-
[{
|
|
277
|
+
managed_policy "my-policy", path: "/" do
|
|
278
|
+
{Version: "2012-10-17",
|
|
279
|
+
Statement:
|
|
280
|
+
[{Effect: "Allow", Action: "directconnect:Describe*", Resource: "*"}]}
|
|
298
281
|
end
|
|
299
282
|
|
|
300
|
-
user "bob", :
|
|
301
|
-
login_profile :
|
|
283
|
+
user "bob", path: "/developer/" do
|
|
284
|
+
login_profile password_reset_required: true
|
|
302
285
|
|
|
303
286
|
groups(
|
|
304
287
|
"Admin"
|
|
@@ -332,6 +315,7 @@ $ cat iam.json
|
|
|
332
315
|
"policies": {
|
|
333
316
|
...
|
|
334
317
|
|
|
318
|
+
$ vi iam.json # add target
|
|
335
319
|
$ subiam -a -f iam.json --dry-run
|
|
336
320
|
Apply `iam.json` to IAM (dry-run)
|
|
337
321
|
ᗧ 100%
|
|
@@ -343,29 +327,29 @@ No change
|
|
|
343
327
|
```ruby
|
|
344
328
|
template "common-policy" do
|
|
345
329
|
policy "my-policy" do
|
|
346
|
-
{
|
|
347
|
-
|
|
348
|
-
[{
|
|
330
|
+
{Version: context.version,
|
|
331
|
+
Statement:
|
|
332
|
+
[{Action:
|
|
349
333
|
["s3:Get*",
|
|
350
334
|
"s3:List*"],
|
|
351
|
-
|
|
352
|
-
|
|
335
|
+
Effect: "Allow",
|
|
336
|
+
Resource: "*"}]}
|
|
353
337
|
end
|
|
354
338
|
end
|
|
355
339
|
|
|
356
340
|
template "common-role-attrs" do
|
|
357
341
|
assume_role_policy_document do
|
|
358
|
-
{
|
|
359
|
-
|
|
360
|
-
[{
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
|
|
342
|
+
{Version: context.version,
|
|
343
|
+
Statement:
|
|
344
|
+
[{Sid: "",
|
|
345
|
+
Effect: "Allow",
|
|
346
|
+
Principal: {Service: "ec2.amazonaws.com"},
|
|
347
|
+
Action: "sts:AssumeRole"}]}
|
|
364
348
|
end
|
|
365
349
|
end
|
|
366
350
|
|
|
367
|
-
user "bob", :
|
|
368
|
-
login_profile :
|
|
351
|
+
user "bob", path: "/developer/" do
|
|
352
|
+
login_profile password_reset_required: true
|
|
369
353
|
|
|
370
354
|
groups(
|
|
371
355
|
"Admin"
|
|
@@ -374,8 +358,8 @@ user "bob", :path => "/developer/" do
|
|
|
374
358
|
include_template "common-policy", version: "2012-10-17"
|
|
375
359
|
end
|
|
376
360
|
|
|
377
|
-
user "mary", :
|
|
378
|
-
# login_profile :
|
|
361
|
+
user "mary", path: "/staff/" do
|
|
362
|
+
# login_profile password_reset_required: true
|
|
379
363
|
|
|
380
364
|
groups(
|
|
381
365
|
# no group
|
|
@@ -390,7 +374,7 @@ user "mary", :path => "/staff/" do
|
|
|
390
374
|
)
|
|
391
375
|
end
|
|
392
376
|
|
|
393
|
-
role "S3", :
|
|
377
|
+
role "S3", path: "/" do
|
|
394
378
|
instance_profiles(
|
|
395
379
|
"S3"
|
|
396
380
|
)
|
|
@@ -398,11 +382,27 @@ role "S3", :path => "/" do
|
|
|
398
382
|
include_template "common-role-attrs"
|
|
399
383
|
|
|
400
384
|
policy "S3-role-policy" do
|
|
401
|
-
{
|
|
402
|
-
|
|
385
|
+
{Version: "2012-10-17",
|
|
386
|
+
Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
|
|
403
387
|
end
|
|
404
388
|
end
|
|
405
389
|
```
|
|
406
390
|
|
|
391
|
+
## Use management policy
|
|
392
|
+
|
|
393
|
+
```ruby
|
|
394
|
+
user "foo", path: '/' do
|
|
395
|
+
attached_managed_policies(
|
|
396
|
+
'arn:aws:iam::0123456789:policy/MyPolicy',
|
|
397
|
+
|
|
398
|
+
arn_policy_by_current_account("MyPolicy2"),
|
|
399
|
+
# == "arn:aws:iam::0123456789:policy/MyPolicy2'
|
|
400
|
+
|
|
401
|
+
arn_policy_by_aws("AdministratorAccess")
|
|
402
|
+
# == 'arn:aws:iam::aws:policy/AdministratorAccess'
|
|
403
|
+
)
|
|
404
|
+
end
|
|
405
|
+
```
|
|
406
|
+
|
|
407
407
|
## Similar tools
|
|
408
408
|
* [Codenize.tools](http://codenize.tools/)
|
data/bin/subiam
CHANGED
|
@@ -36,26 +36,26 @@ ARGV.options do |opt|
|
|
|
36
36
|
credentials_path = nil
|
|
37
37
|
format_passed = false
|
|
38
38
|
|
|
39
|
-
opt.on('-p', '--profile PROFILE_NAME')
|
|
40
|
-
opt.on(''
|
|
41
|
-
opt.on('-k', '--access-key ACCESS_KEY')
|
|
42
|
-
opt.on('-s', '--secret-key SECRET_KEY')
|
|
43
|
-
opt.on('-r', '--region REGION')
|
|
44
|
-
opt.on('-a', '--apply')
|
|
45
|
-
opt.on('-f', '--file FILE')
|
|
46
|
-
opt.on(''
|
|
47
|
-
opt.on(''
|
|
48
|
-
opt.on('-e', '--export')
|
|
49
|
-
opt.on('-o', '--output FILE')
|
|
50
|
-
opt.on(''
|
|
51
|
-
opt.on(''
|
|
52
|
-
opt.on('',
|
|
53
|
-
opt.on(''
|
|
54
|
-
opt.on(''
|
|
55
|
-
opt.on(''
|
|
56
|
-
opt.on(''
|
|
57
|
-
opt.on(''
|
|
58
|
-
opt.on(''
|
|
39
|
+
opt.on('-p', '--profile PROFILE_NAME') { |v| profile_name = v }
|
|
40
|
+
opt.on('', '--credentials-path PATH') { |v| credentials_path = v }
|
|
41
|
+
opt.on('-k', '--access-key ACCESS_KEY') { |v| access_key = v }
|
|
42
|
+
opt.on('-s', '--secret-key SECRET_KEY') { |v| secret_key = v }
|
|
43
|
+
opt.on('-r', '--region REGION', 'default: ap-northeast-1') { |v| region = v }
|
|
44
|
+
opt.on('-a', '--apply') { mode = :apply }
|
|
45
|
+
opt.on('-f', '--file FILE', 'Specify the file path to apply.') { |v| file = v }
|
|
46
|
+
opt.on('', '--dry-run') { options[:dry_run] = true }
|
|
47
|
+
opt.on('', '--account-output FILE') { |v| options[:password_manager] = Subiam::PasswordManager.new(v, options) }
|
|
48
|
+
opt.on('-e', '--export') { mode = :export }
|
|
49
|
+
opt.on('-o', '--output FILE', 'Specify the file path to export current IAM settings.') { |v| output_file = v }
|
|
50
|
+
opt.on('', '--split') { split = true }
|
|
51
|
+
opt.on('', '--split-more') { split = :more }
|
|
52
|
+
opt.on('', '--format FORMAT', [:ruby, :json], 'ruby or json. (default: ruby)') { |v| format_passed = true; options[:format] = v }
|
|
53
|
+
opt.on('', '--export-concurrency N', Integer) { |v| options[:export_concurrency] = v }
|
|
54
|
+
opt.on('', '--ignore-login-profile') { options[:ignore_login_profile] = true }
|
|
55
|
+
opt.on('', '--no-color') { options[:color] = false }
|
|
56
|
+
opt.on('', '--no-progress') { options[:no_progress] = true }
|
|
57
|
+
opt.on('', '--debug') { options[:debug] = true }
|
|
58
|
+
opt.on('', '--enable-delete', 'Enable to delete top level elements. (default: false)') { options[:enable_delete] = true }
|
|
59
59
|
opt.parse!
|
|
60
60
|
|
|
61
61
|
aws_opts = {}
|
|
@@ -76,7 +76,12 @@ ARGV.options do |opt|
|
|
|
76
76
|
exit 1
|
|
77
77
|
end
|
|
78
78
|
|
|
79
|
-
|
|
79
|
+
if region
|
|
80
|
+
aws_opts[:region] = region
|
|
81
|
+
elsif !ENV['AWS_REGION']
|
|
82
|
+
aws_opts[:region] = 'ap-northeast-1' # default region
|
|
83
|
+
end
|
|
84
|
+
|
|
80
85
|
Aws.config.update(aws_opts)
|
|
81
86
|
|
|
82
87
|
if not format_passed and [file, output_file].any? {|i| i =~ /\.json\z/ }
|
data/lib/subiam/client.rb
CHANGED
data/lib/subiam/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: subiam
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Genki Sugawara
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2016-05-
|
|
12
|
+
date: 2016-05-27 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk-core
|