Security News
The Unpaid Backbone of Open Source: Solo Maintainers Face Increasing Security Demands
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
A python script to generate an IAM policy based on a yaml or json configuration.
To install:
# Most stable
pip install iam-builder
# OR directly from github
pip install git+git://github.com/moj-analytical-services/iam_builder.git#egg=iam_builder
To use the command line interface:
iam_builder -c examples/iam_config.yaml -o examples/iam_policy.json
-c
is the path to your iam configuration (either a yaml or json file).-o
is the path to your output iam policy (needs to be a json file).Or to do the same thing in python:
import yaml
import json
from iam_builder.iam_builder import build_iam_policy
with open('examples/iam_config.yaml') as f:
config = yaml.load(f, Loader=yaml.FullLoader)
iam_policy = build_iam_policy(config)
with open('examples/iam_policy.json', "w+") as f:
json.dump(iam_policy, f, indent=4, separators=(',', ': '))
Both scripts will create the output iam_policy seen in the examples folder. You can also see more example configs by looking in the unit tests.
Your config file can be either a yaml or json file.
The example yaml (iam_config.yaml
) looks this:
iam_role_name: iam_role_name
athena:
write: false
glue_job: true
secrets: true
s3:
read_only:
- test_bucket_read_only/*
write_only:
- test_bucket_write_only/*
- test_bucket_read_only/write_only_folder/*
read_write:
- test_bucket_read_write/*
- test_bucket_read_only/write_folder/*
deny:
- test_bucket_read_write/sensitive_table/*
kms:
- test_kms_key_arn
bedrock: true
Whilst the example json (iam_config.json
) looks like this:
{
"iam_role_name": "iam_role_name",
"athena": {
"write": false
},
"glue_job": true,
"secrets": true,
"s3": {
"read_only": [
"test_bucket_read_only/*"
],
"write_only": [
"test_bucket_write_only/*",
"test_bucket_read_only/write_only_folder/*"
],
"read_write": [
"test_bucket_read_write/*",
"test_bucket_read_only/write_folder/*"
]
},
"kms": ["test_kms_key_arn"],
"bedrock": true
}
iam_role_name: The role name of your airflow job; required if you want to run glue jobs or access secrets.
athena: Can have two keys.
true
or false
. If false
then only read access to Athena (cannot create, delete or alter tables, databases and partitions). If true
then the role will also have the ability to do stuff like CTAS queries, DROP TABLE
, CREATE DATABASE
, etc.mojap-athena-query-dump
and should not normally need changing.glue_job: Boolean; must be set to true
to allow role to run glue jobs. If false
or absent role will not be able to run glue jobs.
secrets: Boolean or string; must be set to true
or "read"
to allow role to access secrets from AWS Parameter Store, and readwrite
to provide read/write access. If false
or absent role will not be able to access secrets.
s3: Can have up to 4 keys: read_only
, write_only
, read_write
, and deny
. Each key describes the level of access you want your iam policy to have with each s3 path. More details below:
read_only: A list of s3 paths that the iam_role should be able to access (read only). Each item in the list should either be a path to a object or finish with /*
to denote that it can access everything within that directory. Note the S3 paths don't start with s3://
in the config.
write_only: A list of s3 paths that the iam_role should be able to access (write only). Each item in the list should either be a path to a object or finish with /*
to denote that it can access everything within that directory. Note the S3 paths don't start with s3://
in the config.
read_write: A list of s3 paths that the iam_role should be able to access (read and write). Each item in the list should either be a path to a object or finish with /*
to denote that it can access everything within that directory. Note the S3 paths don't start with s3://
in the config.
deny: A list of s3 paths that the iam_role should not be able to access. This should be used to add exceptions to wildcarded access to folders, for example excluding sensitive tables in order to provide basic access to a database. Each item in the list should either be a path to a object or finish with /*
to denote that it can access everything within that directory. Note the S3 paths don't start with s3://
in the config.
kms: A list of kms arns that the iam_role should be able to access. Can call the DescribeKey, GenerateDataKey, Decrypt, Encrypt and ReEncrypt operations.
bedrock: Boolean; must be set to true
to allow role to interact with Amazon Bedrock. If false
or absent role will not be able to interact with Amazon Bedrock.
When updating IAM builder, make sure to change the version number in pyproject.toml
and describe the change in CHANGELOG.md
.
If you have changed any dependencies in pyproject.yaml
, run poetry update
to update poetry.lock
.
Once you have created a release in GitHub, a Github Action will run to publish the release on PyPI automatically.
FAQs
A lil python package to generate iam policies
We found that iam-builder demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
Security News
License exceptions modify the terms of open source licenses, impacting how software can be used, modified, and distributed. Developers should be aware of the legal implications of these exceptions.
Security News
A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.