awslabs.iam-mcp-server 1.0.1__tar.gz → 1.0.2__tar.gz

{awslabs_iam_mcp_server-1.0.1 → awslabs_iam_mcp_server-1.0.2}/CHANGELOG.md

@@ -5,6 +5,32 @@ All notable changes to the AWS IAM MCP Server will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2025-06-23
+
+### Added
+- **Inline Policy Management**: Full CRUD operations for user and role inline policies
+  - `put_user_policy` - Create or update inline policies for IAM users
+  - `get_user_policy` - Retrieve inline policy documents for users
+  - `delete_user_policy` - Delete inline policies from users
+  - `list_user_policies` - List all inline policies for a user
+  - `put_role_policy` - Create or update inline policies for IAM roles
+  - `get_role_policy` - Retrieve inline policy documents for roles
+  - `delete_role_policy` - Delete inline policies from roles
+  - `list_role_policies` - List all inline policies for a role
+- New data models for inline policy operations:
+  - `InlinePolicy` - Model for inline policy data
+  - `InlinePolicyResponse` - Response model for inline policy operations
+  - `InlinePolicyListResponse` - Response model for listing inline policies
+- Comprehensive test coverage for all inline policy operations
+- Enhanced documentation with usage examples and best practices
+- Demo script showing inline policy management capabilities
+
+### Enhanced
+- Updated server instructions to include inline policy management guidance
+- Added security best practices for inline policy usage
+- Enhanced error handling and validation for policy documents
+- Updated required IAM permissions documentation
+
 ## [1.0.0] - 2025-06-18
 
 ### Added

{awslabs_iam_mcp_server-1.0.1 → awslabs_iam_mcp_server-1.0.2}/Dockerfile

@@ -35,7 +35,7 @@ COPY . /app
 
 # Install uv and sync dependencies
 RUN --mount=type=cache,target=/root/.cache/uv \
-    pip install uv==0.7.11 && \
+    pip install --require-hashes --requirement uv-requirements.txt && \
     uv sync --frozen --no-dev --no-editable
 
 # Make the directory just in case it doesn't exist

{awslabs_iam_mcp_server-1.0.1 → awslabs_iam_mcp_server-1.0.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: awslabs.iam-mcp-server
-Version: 1.0.1
+Version: 1.0.2
 Summary: An AWS Labs Model Context Protocol (MCP) server for managing AWS IAM resources including users, roles, policies, and permissions
 Project-URL: homepage, https://awslabs.github.io/mcp/
 Project-URL: docs, https://awslabs.github.io/mcp/servers/iam-mcp-server/
@@ -37,7 +37,9 @@ A Model Context Protocol (MCP) server for comprehensive AWS Identity and Access
 ### Core IAM Management
 - **User Management**: Create, list, retrieve, and delete IAM users
 - **Role Management**: Create, list, and manage IAM roles with trust policies
+- **Group Management**: Create, list, retrieve, and delete IAM groups with member management
 - **Policy Management**: List and manage IAM policies (managed and inline)
+- **Inline Policy Management**: Full CRUD operations for user and role inline policies
 - **Permission Management**: Attach/detach policies to users and roles
 - **Access Key Management**: Create and delete access keys for users
 - **Security Simulation**: Test policy permissions before applying them
@@ -104,6 +106,16 @@ The AWS credentials used by this server need the following IAM permissions:
                 "iam:GetRole",
                 "iam:CreateRole",
                 "iam:DeleteRole",
+                "iam:ListGroups",
+                "iam:GetGroup",
+                "iam:CreateGroup",
+                "iam:DeleteGroup",
+                "iam:AddUserToGroup",
+                "iam:RemoveUserFromGroup",
+                "iam:AttachGroupPolicy",
+                "iam:DetachGroupPolicy",
+                "iam:ListAttachedGroupPolicies",
+                "iam:ListGroupPolicies",
                 "iam:ListPolicies",
                 "iam:GetPolicy",
                 "iam:CreatePolicy",
@@ -116,13 +128,18 @@ The AWS credentials used by this server need the following IAM permissions:
                 "iam:ListAttachedRolePolicies",
                 "iam:ListUserPolicies",
                 "iam:ListRolePolicies",
+                "iam:GetUserPolicy",
+                "iam:GetRolePolicy",
+                "iam:PutUserPolicy",
+                "iam:PutRolePolicy",
                 "iam:GetGroupsForUser",
                 "iam:ListAccessKeys",
                 "iam:CreateAccessKey",
                 "iam:DeleteAccessKey",
                 "iam:SimulatePrincipalPolicy",
                 "iam:RemoveUserFromGroup",
-                "iam:DeleteUserPolicy"
+                "iam:DeleteUserPolicy",
+                "iam:DeleteRolePolicy"
             ],
             "Resource": "*"
         }
@@ -304,6 +321,63 @@ Create a new IAM role with a trust policy.
 - `max_session_duration` (optional): Maximum session duration in seconds (default: 3600)
 - `permissions_boundary` (optional): ARN of the permissions boundary policy
 
+### Group Management
+
+#### `list_groups`
+List IAM groups in the account with optional filtering.
+
+**Parameters:**
+- `path_prefix` (optional): Path prefix to filter groups (e.g., "/division_abc/")
+- `max_items` (optional): Maximum number of groups to return (default: 100)
+
+#### `get_group`
+Get detailed information about a specific IAM group including members, attached policies, and inline policies.
+
+**Parameters:**
+- `group_name`: The name of the IAM group to retrieve
+
+#### `create_group`
+Create a new IAM group.
+
+**Parameters:**
+- `group_name`: The name of the new IAM group
+- `path` (optional): The path for the group (default: "/")
+
+#### `delete_group`
+Delete an IAM group with optional force cleanup.
+
+**Parameters:**
+- `group_name`: The name of the IAM group to delete
+- `force` (optional): Force delete by removing all members and policies first (default: false)
+
+#### `add_user_to_group`
+Add a user to an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `user_name`: The name of the IAM user
+
+#### `remove_user_from_group`
+Remove a user from an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `user_name`: The name of the IAM user
+
+#### `attach_group_policy`
+Attach a managed policy to an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `policy_arn`: The ARN of the policy to attach
+
+#### `detach_group_policy`
+Detach a managed policy from an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `policy_arn`: The ARN of the policy to detach
+
 ### Policy Management
 
 #### `list_policies`
@@ -357,6 +431,64 @@ Simulate IAM policy evaluation for a principal to test permissions.
 - `resource_arns` (optional): List of resource ARNs to test against
 - `context_entries` (optional): Context entries for the simulation
 
+### Inline Policy Management
+
+#### `put_user_policy`
+Create or update an inline policy for an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+- `policy_name`: The name of the inline policy
+- `policy_document`: The policy document in JSON format (string or dict)
+
+#### `get_user_policy`
+Retrieve an inline policy for an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+- `policy_name`: The name of the inline policy
+
+#### `delete_user_policy`
+Delete an inline policy from an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+- `policy_name`: The name of the inline policy to delete
+
+#### `list_user_policies`
+List all inline policies for an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+
+#### `put_role_policy`
+Create or update an inline policy for an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+- `policy_name`: The name of the inline policy
+- `policy_document`: The policy document in JSON format (string or dict)
+
+#### `get_role_policy`
+Retrieve an inline policy for an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+- `policy_name`: The name of the inline policy
+
+#### `delete_role_policy`
+Delete an inline policy from an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+- `policy_name`: The name of the inline policy to delete
+
+#### `list_role_policies`
+List all inline policies for an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+
 ## Usage Examples
 
 ### Basic User Management
@@ -398,6 +530,30 @@ role = await create_role(
 )
 ```
 
+### Group Management
+```python
+# Create a new group
+group = await create_group(
+    group_name="Developers",
+    path="/teams/"
+)
+
+# Add users to the group
+await add_user_to_group(
+    group_name="Developers",
+    user_name="john.doe"
+)
+
+# Attach a policy to the group
+await attach_group_policy(
+    group_name="Developers",
+    policy_arn="arn:aws:iam::123456789012:policy/DeveloperPolicy"
+)
+
+# Get group details including members
+group_details = await get_group(group_name="Developers")
+```
+
 ### Policy Management
 ```python
 # List customer managed policies
@@ -420,6 +576,58 @@ simulation = await simulate_principal_policy(
 )
 ```
 
+### Inline Policy Management
+```python
+# Create an inline policy for a user
+policy_document = {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": ["s3:GetObject", "s3:PutObject"],
+            "Resource": "arn:aws:s3:::my-bucket/*"
+        }
+    ]
+}
+
+await put_user_policy(
+    user_name="developer",
+    policy_name="S3AccessPolicy",
+    policy_document=policy_document
+)
+
+# Retrieve an inline policy
+policy = await get_user_policy(
+    user_name="developer",
+    policy_name="S3AccessPolicy"
+)
+
+# List all inline policies for a user
+policies = await list_user_policies(user_name="developer")
+
+# Create an inline policy for a role
+await put_role_policy(
+    role_name="EC2-S3-Access-Role",
+    policy_name="S3ReadOnlyPolicy",
+    policy_document={
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": "s3:GetObject",
+                "Resource": "*"
+            }
+        ]
+    }
+)
+
+# Delete an inline policy
+await delete_user_policy(
+    user_name="developer",
+    policy_name="S3AccessPolicy"
+)
+```
+
 ## Security Best Practices
 
 1. **Principle of Least Privilege**: Always grant the minimum permissions necessary
@@ -429,6 +637,8 @@ simulation = await simulate_principal_policy(
 5. **Enable MFA**: Use multi-factor authentication where possible
 6. **Permissions Boundaries**: Use permissions boundaries to set maximum permissions
 7. **Policy Simulation**: Test policies before applying them to production
+8. **Prefer Managed Policies**: Use managed policies over inline policies for reusable permissions
+9. **Inline Policy Guidelines**: Use inline policies only for permissions unique to a single identity
 
 ## Error Handling
 

{awslabs_iam_mcp_server-1.0.1 → awslabs_iam_mcp_server-1.0.2}/README.md

@@ -7,7 +7,9 @@ A Model Context Protocol (MCP) server for comprehensive AWS Identity and Access
 ### Core IAM Management
 - **User Management**: Create, list, retrieve, and delete IAM users
 - **Role Management**: Create, list, and manage IAM roles with trust policies
+- **Group Management**: Create, list, retrieve, and delete IAM groups with member management
 - **Policy Management**: List and manage IAM policies (managed and inline)
+- **Inline Policy Management**: Full CRUD operations for user and role inline policies
 - **Permission Management**: Attach/detach policies to users and roles
 - **Access Key Management**: Create and delete access keys for users
 - **Security Simulation**: Test policy permissions before applying them
@@ -74,6 +76,16 @@ The AWS credentials used by this server need the following IAM permissions:
                 "iam:GetRole",
                 "iam:CreateRole",
                 "iam:DeleteRole",
+                "iam:ListGroups",
+                "iam:GetGroup",
+                "iam:CreateGroup",
+                "iam:DeleteGroup",
+                "iam:AddUserToGroup",
+                "iam:RemoveUserFromGroup",
+                "iam:AttachGroupPolicy",
+                "iam:DetachGroupPolicy",
+                "iam:ListAttachedGroupPolicies",
+                "iam:ListGroupPolicies",
                 "iam:ListPolicies",
                 "iam:GetPolicy",
                 "iam:CreatePolicy",
@@ -86,13 +98,18 @@ The AWS credentials used by this server need the following IAM permissions:
                 "iam:ListAttachedRolePolicies",
                 "iam:ListUserPolicies",
                 "iam:ListRolePolicies",
+                "iam:GetUserPolicy",
+                "iam:GetRolePolicy",
+                "iam:PutUserPolicy",
+                "iam:PutRolePolicy",
                 "iam:GetGroupsForUser",
                 "iam:ListAccessKeys",
                 "iam:CreateAccessKey",
                 "iam:DeleteAccessKey",
                 "iam:SimulatePrincipalPolicy",
                 "iam:RemoveUserFromGroup",
-                "iam:DeleteUserPolicy"
+                "iam:DeleteUserPolicy",
+                "iam:DeleteRolePolicy"
             ],
             "Resource": "*"
         }
@@ -274,6 +291,63 @@ Create a new IAM role with a trust policy.
 - `max_session_duration` (optional): Maximum session duration in seconds (default: 3600)
 - `permissions_boundary` (optional): ARN of the permissions boundary policy
 
+### Group Management
+
+#### `list_groups`
+List IAM groups in the account with optional filtering.
+
+**Parameters:**
+- `path_prefix` (optional): Path prefix to filter groups (e.g., "/division_abc/")
+- `max_items` (optional): Maximum number of groups to return (default: 100)
+
+#### `get_group`
+Get detailed information about a specific IAM group including members, attached policies, and inline policies.
+
+**Parameters:**
+- `group_name`: The name of the IAM group to retrieve
+
+#### `create_group`
+Create a new IAM group.
+
+**Parameters:**
+- `group_name`: The name of the new IAM group
+- `path` (optional): The path for the group (default: "/")
+
+#### `delete_group`
+Delete an IAM group with optional force cleanup.
+
+**Parameters:**
+- `group_name`: The name of the IAM group to delete
+- `force` (optional): Force delete by removing all members and policies first (default: false)
+
+#### `add_user_to_group`
+Add a user to an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `user_name`: The name of the IAM user
+
+#### `remove_user_from_group`
+Remove a user from an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `user_name`: The name of the IAM user
+
+#### `attach_group_policy`
+Attach a managed policy to an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `policy_arn`: The ARN of the policy to attach
+
+#### `detach_group_policy`
+Detach a managed policy from an IAM group.
+
+**Parameters:**
+- `group_name`: The name of the IAM group
+- `policy_arn`: The ARN of the policy to detach
+
 ### Policy Management
 
 #### `list_policies`
@@ -327,6 +401,64 @@ Simulate IAM policy evaluation for a principal to test permissions.
 - `resource_arns` (optional): List of resource ARNs to test against
 - `context_entries` (optional): Context entries for the simulation
 
+### Inline Policy Management
+
+#### `put_user_policy`
+Create or update an inline policy for an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+- `policy_name`: The name of the inline policy
+- `policy_document`: The policy document in JSON format (string or dict)
+
+#### `get_user_policy`
+Retrieve an inline policy for an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+- `policy_name`: The name of the inline policy
+
+#### `delete_user_policy`
+Delete an inline policy from an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+- `policy_name`: The name of the inline policy to delete
+
+#### `list_user_policies`
+List all inline policies for an IAM user.
+
+**Parameters:**
+- `user_name`: The name of the IAM user
+
+#### `put_role_policy`
+Create or update an inline policy for an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+- `policy_name`: The name of the inline policy
+- `policy_document`: The policy document in JSON format (string or dict)
+
+#### `get_role_policy`
+Retrieve an inline policy for an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+- `policy_name`: The name of the inline policy
+
+#### `delete_role_policy`
+Delete an inline policy from an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+- `policy_name`: The name of the inline policy to delete
+
+#### `list_role_policies`
+List all inline policies for an IAM role.
+
+**Parameters:**
+- `role_name`: The name of the IAM role
+
 ## Usage Examples
 
 ### Basic User Management
@@ -368,6 +500,30 @@ role = await create_role(
 )
 ```
 
+### Group Management
+```python
+# Create a new group
+group = await create_group(
+    group_name="Developers",
+    path="/teams/"
+)
+
+# Add users to the group
+await add_user_to_group(
+    group_name="Developers",
+    user_name="john.doe"
+)
+
+# Attach a policy to the group
+await attach_group_policy(
+    group_name="Developers",
+    policy_arn="arn:aws:iam::123456789012:policy/DeveloperPolicy"
+)
+
+# Get group details including members
+group_details = await get_group(group_name="Developers")
+```
+
 ### Policy Management
 ```python
 # List customer managed policies
@@ -390,6 +546,58 @@ simulation = await simulate_principal_policy(
 )
 ```
 
+### Inline Policy Management
+```python
+# Create an inline policy for a user
+policy_document = {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": ["s3:GetObject", "s3:PutObject"],
+            "Resource": "arn:aws:s3:::my-bucket/*"
+        }
+    ]
+}
+
+await put_user_policy(
+    user_name="developer",
+    policy_name="S3AccessPolicy",
+    policy_document=policy_document
+)
+
+# Retrieve an inline policy
+policy = await get_user_policy(
+    user_name="developer",
+    policy_name="S3AccessPolicy"
+)
+
+# List all inline policies for a user
+policies = await list_user_policies(user_name="developer")
+
+# Create an inline policy for a role
+await put_role_policy(
+    role_name="EC2-S3-Access-Role",
+    policy_name="S3ReadOnlyPolicy",
+    policy_document={
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": "s3:GetObject",
+                "Resource": "*"
+            }
+        ]
+    }
+)
+
+# Delete an inline policy
+await delete_user_policy(
+    user_name="developer",
+    policy_name="S3AccessPolicy"
+)
+```
+
 ## Security Best Practices
 
 1. **Principle of Least Privilege**: Always grant the minimum permissions necessary
@@ -399,6 +607,8 @@ simulation = await simulate_principal_policy(
 5. **Enable MFA**: Use multi-factor authentication where possible
 6. **Permissions Boundaries**: Use permissions boundaries to set maximum permissions
 7. **Policy Simulation**: Test policies before applying them to production
+8. **Prefer Managed Policies**: Use managed policies over inline policies for reusable permissions
+9. **Inline Policy Guidelines**: Use inline policies only for permissions unique to a single identity
 
 ## Error Handling
 

{awslabs_iam_mcp_server-1.0.1 → awslabs_iam_mcp_server-1.0.2}/awslabs/iam_mcp_server/__init__.py

@@ -12,6 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""AWS IAM MCP Server."""
+"""AWS IAM MCP Server package."""
 
 __version__ = '1.0.0'

{awslabs_iam_mcp_server-1.0.1 → awslabs_iam_mcp_server-1.0.2}/awslabs/iam_mcp_server/context.py

@@ -48,3 +48,8 @@ class Context:
     def set_region(cls, region: str):
         """Set the AWS region."""
         cls._region = region
+
+    @classmethod
+    def set_readonly(cls, readonly: bool):
+        """Set the read-only mode."""
+        cls._readonly = readonly