@cloud-copilot/iam-lens 0.1.8 → 0.1.9

package/README.md

@@ -4,7 +4,7 @@
 
 ## iam-lens
 
-Get visibility into the actual IAM policies that apply in your AWS organizations and accounts. This will use your existing AWS IAM policies (downloaded via [iam-collect](https://github.com/cloud-copilot/iam-collect)) and evaluate the effective permissions.
+Get visibility into the actual IAM permissions in your AWS organizations and accounts. Use your actual AWS IAM policies (downloaded via [iam-collect](https://github.com/cloud-copilot/iam-collect)) and evaluate the effective permissions.
 
 ## Quick Start
 
@@ -12,7 +12,7 @@ Get visibility into the actual IAM policies that apply in your AWS organizations
 # Install
 npm install -g @cloud-copilot/iam-collect @cloud-copilot/iam-lens
 
-# Download all IAM policies in your accounts
+# Download all IAM policies in your account using default credentials, run download once per account
 iam-collect init
 iam-collect download
 
@@ -20,27 +20,27 @@ iam-collect download
 iam-lens simulate --principal arn:aws:iam::123456789012:role/ExampleRole --resource arn:aws:s3:::example-bucket/secret-file.txt --action s3:GetObject
 
 # Find out who can do something
-iam-lens who-can --resource arn:aws:s3:::example-bucket --actions s3:GetObject
+iam-lens who-can --resource arn:aws:s3:::example-bucket --actions s3:ListBucket
 
 # Find out who can do all actions on a resource
-iam-lens who-can --resource arn:aws:iam::123456789012:role/ExampleRole
+iam-lens who-can --resource arn:aws:s3:::example-bucket
 ```
 
 ## What is iam-lens?
 
-iam-lens uses real IAM data from your AWS accounts (collected via [iam-collect](https://github.com/cloud-copilot/iam-collect)) and allows you to quickly simulate requests and discover the actual effective permissions that apply to a principal or resource.
+iam-lens uses real IAM data from your AWS accounts (collected via [iam-collect](https://github.com/cloud-copilot/iam-collect)) to quickly simulate requests and discover the real effective permissions that apply to a principal or resource.
 
 ## Why use it?
 
-1. **Understand** what permissions are actually in place and why. See the policies that determine the outcome of a given request.
-2. **Verify** specific actions are allowed or not allowed for a principal or resource.
+1. **Understand** what permissions are actually in place and why. See the policies that determine the outcome of a request.
+2. **Verify** what's allowed or not after everything is deployed.
 3. **Discover** who can take action on a sensitive resource with a single command.
 4. **Audit** your IAM policies and ensure they are configured correctly.
 5. **Debug** permissions by simulating requests locally and iterate quickly without needing to deploy changes to your AWS environment.
 
 ## Getting Started
 
-1. **Download Your Policies** Use [iam-collect](https://github.com/cloud-copilot/iam-collect) to download all your policies from all your AWS accounts. iam-collect is highly configurable and can be customized to collect the policies you need. It only downloads information to your file system or an S3 bucket, so you're in full control of your data.
+1. **Download Your Policies** with [iam-collect](https://github.com/cloud-copilot/iam-collect) to get all your policies from all your AWS accounts. iam-collect is highly configurable and can be customized to collect the policies you need. It only downloads information to your file system or an S3 bucket, so you're in full control of your data.
 
 ```bash
 npm install -g @cloud-copilot/iam-collect
@@ -48,7 +48,9 @@ iam-collect init
 iam-collect download
 ```
 
-To see the effect of SCPs and RCPs, you should download data from your management account; or an account with permissions do download organization information. Download data for member accounts you want to analyze. `iam-lens` will analyze cross-account and cross-organization requests if you have the data available.
+To see the effect of SCPs and RCPs, you should download data from your management account; or an account with permissions to download organization information. Download data for member accounts you want to analyze. `iam-lens` will analyze cross-account and cross-organization requests if you have the data available.
+
+You can download information for as many accounts, organizations, and regions as you like. The more data you have, the more accurate your simulations will be.
 
 2. **Install iam-lens**
 
@@ -80,19 +82,19 @@ iam-lens who-can --resource arn:aws:iam::111111111111:role/ImportantRole --actio
 iam-lens simulate [options]
 ```
 
-Evaluates whether a given principal can perform a specified action on a resource (or wildcard). Returns a decision (Allowed/ImplicitlyDenied/ExplicitlyDenied), and exits nonzero if you provided an `--expect` that doesn’t match the result.
+Evaluates whether a principal can perform a specified action on a resource (or wildcard). Returns a decision (Allowed/ImplicitlyDenied/ExplicitlyDenied), and exits nonzero if you provided an `--expect` that doesn’t match the result.
 
 **Options:**
 
-| Flag                        | Description                                                                                                                                                                                         |
-| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `--principal <arn>`         | The principal the request is from. Can be a user, role, session, or AWS service.                                                                                                                    |
-| `--resource <arn>`          | The ARN of the resource to simulate access to. Ignore for wildcard-only actions (e.g. `s3:ListAllMyBuckets`).                                                                                       |
-| `--resourceAccountId <id>`  | The account ID of the resource, only required if it cannot be determined from the resource ARN.                                                                                                     |
-| `--action <service:action>` | The action to simulate; must be a valid IAM service and action such as `s3:ListBucket`.                                                                                                             |
-| `--context <key=value>`     | One or more context keys to use for the simulation. Keys are formatted as `key=value1,value2`. Multiple values can be separated by commas.                                                          |
-| `-v, --verbose`             | Enable verbose output for the simulation (prints evaluation steps and policy checks).                                                                                                               |
-| `--expect <result>`         | The expected outcome of the simulation. Valid values: `Allowed`, `ImplicitlyDenied`, `ExplicitlyDenied`, `AnyDeny`. If the result does not match the expect value, a non-zero exit code is returned |
+| Flag                        | Description                                                                                                                                                                                                                                                          |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--principal <arn>`         | The principal the request is from. Can be a user, role, session, or AWS service.                                                                                                                                                                                     |
+| `--resource <arn>`          | The ARN of the resource to simulate access to. Ignore for wildcard-only actions such as `s3:ListAllMyBuckets`.                                                                                                                                                       |
+| `--resource-account <id>`   | The account ID of the resource, only required if it cannot be determined from the resource ARN.                                                                                                                                                                      |
+| `--action <service:action>` | The action to simulate; must be a valid IAM service and action such as `s3:ListBucket`.                                                                                                                                                                              |
+| `--context <key=value>`     | One or more context keys to use for the simulation. Keys are formatted as `keyA=value1,value2 keyB=value1,value2`. Multiple keys are separated by spaces. Multiple values separated by commas. See [Context Keys](#context-keys) for what keys are set automatically |
+| `-v, --verbose`             | Enable verbose output for the simulation (exactly what statements applied or not and why).                                                                                                                                                                           |
+| `--expect <result>`         | Optional expected outcome of the simulation. Valid values are `Allowed`, `ImplicitlyDenied`, `ExplicitlyDenied`, `AnyDeny`. If the result does not match the expected value, a non-zero exit code is returned                                                        |
 
 **Examples:**
 
@@ -103,19 +105,17 @@ iam-lens simulate \
   --resource arn:aws:s3:::my-bucket \
   --action s3:ListBucket
 
-# Simulate a wildcard action (ListAllMyBuckets) – must supply resourceAccountId
+# Simulate a wildcard action (ListAllMyBuckets) – this will assume the principals account
 iam-lens simulate \
   --principal arn:aws:iam::222222222222:user/Alice \
   --action s3:ListAllMyBuckets \
-  --resourceAccountId 222222222222
 
-# Include context keys (e.g. resource tags or org IDs)
+# Include custom context keys
 iam-lens simulate \
   --principal arn:aws:iam::333333333333:role/DevRole \
   --resource arn:aws:sqs:us-east-1:333333333333:my-queue \
   --action sqs:SendMessage \
-  --context aws:PrincipalOrgID=o-aaaaaaaaaa \
-  --context aws:ResourceTag/Env=prod,staging \
+  --context aws:SourceVpc=vpc-1234567890abcdef0 \
   --verbose
 
 # Assert the result must be “Allowed”; exit code will be nonzero if not
@@ -136,31 +136,34 @@ Lists all principals in your IAM data who are allowed to perform one or more spe
 
 **Options:**
 
-| Flag                         | Description                                                                                                                                                                                                          |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `--resource <arn>`           | The ARN of the resource to check permissions for. Ignore for wildcard-only actions (`iam:ListRoles`, etc.).                                                                                                          |
-| `--resourceAccount <id>`     | The account ID of the resource, only required if it cannot be determined from the resource ARN. Required for wildcard actions such as `s3:ListAllMyBuckets`                                                          |
-| `--actions <service:action>` | One or more actions to check, e.g. `s3:GetObject`. Specify as many actions as you want. If omitted it will analyze all valid actions for the resource. If no `--resource` is specified then actions must be entered. |
+| Flag                         | Description                                                                                                                                                                                                            |
+| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--resource <arn>`           | The ARN of the resource to check permissions for. Ignore for wildcard-only actions such as `iam:ListRoles`                                                                                                             |
+| `--resource-account <id>`    | The account ID of the resource, only required if it cannot be determined from the resource ARN. Required for wildcard actions such as `ec2:DescribeInstances`                                                          |
+| `--actions <service:action>` | One or more actions to check such as `s3:GetObject`. Specify as many actions as you want. If omitted it will analyze all valid actions for the resource. If no `--resource` is specified then actions must be entered. |
 
 **Examples:**
 
 ```bash
-# Who can get objects from this bucket?
+# Who can get this object?
 iam-lens who-can \
-  --resource arn:aws:s3:::my-bucket \
+  --resource arn:aws:s3:::my-bucket/secret-file.txt \
   --actions s3:GetObject
 
 # Who can list all IAM roles in any account? (wildcard action – no resource)
 iam-lens who-can \
+  --resource-account 555555555555 \
   --actions iam:ListRoles
 
 # Check multiple actions at once
 iam-lens who-can \
   --resource arn:aws:dynamodb:us-east-1:555555555555:table/Books \
-  --actions dynamodb:Query,dynamodb:UpdateItem
+  --actions dynamodb:Query dynamodb:UpdateItem
 ```
 
-**Global Options:**
+### Global Options:
+
+These options are available for all commands:
 
 | Flag                       | Description                                                           | Default             |
 | -------------------------- | --------------------------------------------------------------------- | ------------------- |
@@ -182,10 +185,10 @@ Below are the context keys that iam-lens populates by default during simulation.
 - **`aws:EpochTime`**
   Unix epoch time in seconds (e.g., `1717290896`).
 
-#### Principal Context (if principal is an ARN)
+#### IAM Principal Context
 
 - **`aws:PrincipalArn`**
-  The full ARN of the principal (user, role, federated user, or service) being simulated.
+  The full ARN of the principal (user, role, role session, or federated user) being simulated.
 
 - **`aws:PrincipalAccount`**
   The AWS account ID extracted from the principal ARN.
@@ -200,7 +203,7 @@ Below are the context keys that iam-lens populates by default during simulation.
   For each tag on the IAM principal, a context key of the form `aws:PrincipalTag/<TagKey>` with its tag value.
 
 - **`aws:PrincipalIsAWSService`**
-  Set to `true` if the principal is an AWS service principal (e.g. `lambda.amazonaws.com`), otherwise `false`.
+  Set to `false` for all IAM principals (users, roles, federated users).
 
 - **`aws:PrincipalType`**
   One of: `Account`, `User`, `FederatedUser`, `AssumedRole`, indicating the type of principal.
@@ -213,34 +216,43 @@ Below are the context keys that iam-lens populates by default during simulation.
   - For a federated user: `<AccountId>:<FederatedName>`
   - For an assumed role: `<RoleUniqueId>:<SessionName>`
 
+  Setting `role-id:ec2-instance-id` for EC2 instances is not supported at this time.
+
 - **`aws:username`** _(only for IAM users)_
   The IAM username portion of the principal ARN (e.g. `Alice`).
 
-- **`aws:PrincipalServiceName`** _(only for AWS service principals)_
+#### Service Principal Context
+
+The following context keys are set when the principal is an AWS service (e.g., `lambda.amazonaws.com`, `ec2.amazonaws.com`):
+
+- **`aws:PrincipalServiceName`**
   The service principal string (e.g. `lambda.amazonaws.com`).
 
-- **`aws:SourceAccount`** _(only for AWS service principals)_
-  The account ID of the simulated resource, used when interpreting a service principal’s context.
+- **`aws:SourceAccount`**
+  The account ID of the resource.
 
-- **`aws:SourceOrgID`** _(only for AWS service principals)_
-  The organization ID of the simulated resource’s account (if any).
+- **`aws:SourceOrgID`**
+  The organization ID of the resource’s account (if part of an organization).
 
-- **`aws:SourceOrgPaths`** _(only for AWS service principals)_
-  The OU hierarchy path for the simulated resource’s account (if any).
+- **`aws:SourceOrgPaths`**
+  The OU hierarchy path for the resource’s account (if part of an organization).
+
+- **`aws:PrincipalIsAWSService`**
+  Set to `true` for all service principals. Set to `false` for all IAM principals (users, roles, federated users).
 
-#### Resource Context (unless action is excluded)
+#### Resource Context ([unless action is excluded](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount))
 
 - **`aws:ResourceAccount`**
-  The AWS account ID of the simulated resource.
+  The AWS account ID of the resource.
 
-- **`aws:ResourceOrgID`** _(if the resource account is in an organization)_
-  The Organization ID for the resource’s account.
+- **`aws:ResourceOrgID`**
+  The Organization ID for the resource’s account (if part of an organization).
 
 - **`aws:ResourceOrgPaths`** _(if the resource account is in an organization)_
-  A list containing a single string of the form `<OrgId>/<OU1>/<OU2>/…/` for the resource’s account.
+  A list containing a single string of the form `<OrgId>/<OU1>/<OU2>/…/` for the resource’s account (if part of an organization).
 
 - **`aws:ResourceTag/<TagKey>`**
-  For each tag on the resource ARN, a context key `aws:ResourceTag/TagKey` with its tag value. **This is only for resources that are stored in your `iam-collect` data**, such as Roles, S3 Buckets, DynamoDB Tables, etc. For resources not stored in `iam-collect`, this key will not be set.
+  For each tag on the resource ARN, a context key `aws:ResourceTag/TagKey` with its tag value. **This is only for resources that are stored in your `iam-collect` data**, such as Roles, S3 Buckets, DynamoDB Tables, etc. For resources not stored in `iam-collect`, this key should be set manually.
 
 ### Overriding Default Context Keys
 

package/dist/cjs/cli.js

@@ -22,7 +22,7 @@ const main = async () => {
                     values: 'single',
                     description: 'The ARN of the resource to simulate access to. Ignore for wildcard actions'
                 },
-                resourceAccountId: {
+                resourceAccount: {
                     type: 'string',
                     values: 'single',
                     description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN.'
@@ -94,12 +94,12 @@ const main = async () => {
     const collectConfigs = await (0, collect_js_1.loadCollectConfigs)(cli.args.collectConfigs);
     const collectClient = (0, collect_js_1.getCollectClient)(collectConfigs, thePartition);
     if (cli.subcommand === 'simulate') {
-        const { principal, resource, resourceAccountId, action, context } = cli.args;
+        const { principal, resource, resourceAccount, action, context } = cli.args;
         const contextKeys = convertContextKeysToMap(context);
         const result = await (0, simulate_js_1.simulateRequest)({
             principal: principal,
             resourceArn: resource,
-            resourceAccount: resourceAccountId,
+            resourceAccount: resourceAccount,
             action: action,
             customContextKeys: contextKeys
         }, collectClient);

package/dist/cjs/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAAsD;AACtD,qDAA2E;AAE3E,wDAAkF;AAClF,iEAA0D;AAC1D,kDAA2C;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAc,GAAE,CAAA;IACtC,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,iBAAiB,EAAE;oBACjB,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,iGAAiG;iBACpG;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,wFAAwF;iBAC3F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;oBAC3E,WAAW,EACT,iIAAiI;iBACpI;aACF;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,OAAO,EAAE;gBACP,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+EAA+E;iBAClF;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+HAA+H;iBAClI;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oGAAoG;iBACvG;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAChD,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,YAAY,CAAC,CAAA;IAEpE,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC5E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,iBAAiB;YAClC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC,IAAA,sCAAwB,EAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAO,CAAC,EAAE,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACvD,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,KAAK,CACX,qGAAqG,CACtG,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,kBAAM,EAAC,aAAa,EAAE;YAC1C,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAS;YAC5B,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAQ;YAC1B,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,eAAe;SAC1C,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAAsD;AACtD,qDAA2E;AAE3E,wDAAkF;AAClF,iEAA0D;AAC1D,kDAA2C;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAc,GAAE,CAAA;IACtC,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,iGAAiG;iBACpG;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,wFAAwF;iBAC3F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;oBAC3E,WAAW,EACT,iIAAiI;iBACpI;aACF;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,OAAO,EAAE;gBACP,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+EAA+E;iBAClF;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+HAA+H;iBAClI;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oGAAoG;iBACvG;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAChD,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,YAAY,CAAC,CAAA;IAEpE,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC1E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,eAAe;YAChC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC,IAAA,sCAAwB,EAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAO,CAAC,EAAE,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACvD,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,KAAK,CACX,qGAAqG,CACtG,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,kBAAM,EAAC,aAAa,EAAE;YAC1C,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAS;YAC5B,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAQ;YAC1B,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,eAAe;SAC1C,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}

package/dist/esm/cli.js

@@ -20,7 +20,7 @@ const main = async () => {
                     values: 'single',
                     description: 'The ARN of the resource to simulate access to. Ignore for wildcard actions'
                 },
-                resourceAccountId: {
+                resourceAccount: {
                     type: 'string',
                     values: 'single',
                     description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN.'
@@ -92,12 +92,12 @@ const main = async () => {
     const collectConfigs = await loadCollectConfigs(cli.args.collectConfigs);
     const collectClient = getCollectClient(collectConfigs, thePartition);
     if (cli.subcommand === 'simulate') {
-        const { principal, resource, resourceAccountId, action, context } = cli.args;
+        const { principal, resource, resourceAccount, action, context } = cli.args;
         const contextKeys = convertContextKeysToMap(context);
         const result = await simulateRequest({
             principal: principal,
             resourceArn: resource,
-            resourceAccount: resourceAccountId,
+            resourceAccount: resourceAccount,
             action: action,
             customContextKeys: contextKeys
         }, collectClient);

package/dist/esm/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AACtD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAE3E,OAAO,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAClF,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAA;IACtC,MAAM,GAAG,GAAG,iBAAiB,CAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,iBAAiB,EAAE;oBACjB,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,iGAAiG;iBACpG;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,wFAAwF;iBAC3F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;oBAC3E,WAAW,EACT,iIAAiI;iBACpI;aACF;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,OAAO,EAAE;gBACP,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+EAA+E;iBAClF;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+HAA+H;iBAClI;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oGAAoG;iBACvG;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAChD,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,gBAAgB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAA;IAEpE,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC5E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,iBAAiB;YAClC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAO,CAAC,EAAE,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACvD,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,KAAK,CACX,qGAAqG,CACtG,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,aAAa,EAAE;YAC1C,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAS;YAC5B,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAQ;YAC1B,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,eAAe;SAC1C,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AACtD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAE3E,OAAO,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAClF,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAA;IACtC,MAAM,GAAG,GAAG,iBAAiB,CAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,iGAAiG;iBACpG;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,wFAAwF;iBAC3F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;oBAC3E,WAAW,EACT,iIAAiI;iBACpI;aACF;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,OAAO,EAAE;gBACP,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+EAA+E;iBAClF;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+HAA+H;iBAClI;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oGAAoG;iBACvG;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAChD,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,gBAAgB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAA;IAEpE,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC1E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,eAAe;YAChC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAO,CAAC,EAAE,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACvD,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,KAAK,CACX,qGAAqG,CACtG,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,aAAa,EAAE;YAC1C,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAS;YAC5B,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAQ;YAC1B,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,eAAe;SAC1C,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloud-copilot/iam-lens",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Visibility in IAM in and across AWS accounts",
   "keywords": [
     "aws",