Security News
Maven Central Adds Sigstore Signature Validation
Maven Central now validates Sigstore signatures, making it easier for developers to verify the provenance of Java packages.
By Sarah Gooding - Feb 06, 2025
New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
subiam
- 1.3.2
- Rubygems
Subiam
Subiam is a tool to manage IAM.
It defines the state of IAM using DSL, and updates IAM according to DSL.
It's forked from Miam. Miam is designed to manage all IAM entities in the AWS account. Subiam is not so. Subiam is designed to manage sub part of IAM entities in the AWS account. For example around MySQL instances / around web servers / around lambda functions / around monitoring systems.
Notice
-
>= 1.3.0- Specify default region:
ap-northeast-1. User does't have to specify region unless using isolated AWS region like GovCloud.
- Specify default region:
-
>= 1.2.0- Add helper methods:
arn_policy_by_aws,arn_policy_by_current_account
- Add helper methods:
-
>= 1.1.0- Rename
requireDSL command toimportto avoid override Kernel#require - Allow Symbols alternative to Strings at Hash keys. It's a bit easy to write!
- Rename
-
>= 1.0.0- Forked from miam
- Required to specify
targetin DSL or json instance_profilealso follow target (bug fix)- don't delete top level entity (user, group, role, instance_profile) by default. Use the
--enable-deleteoption.
Installation
Add this line to your application's Gemfile:
gem 'subiam'
And then execute:
$ bundle
Or install it yourself as:
$ gem install subiam
Usage
export AWS_ACCESS_KEY_ID='...'
export AWS_SECRET_ACCESS_KEY='...'
vi subiam-xxx.rb
subiam -a --dry-run -f subiam-xxx.rb
subiam -a -f subiam-xxx.rb
Help
Usage: subiam [options]
-p, --profile PROFILE_NAME
--credentials-path PATH
-k, --access-key ACCESS_KEY
-s, --secret-key SECRET_KEY
-r, --region REGION default: ap-northeast-1
-a, --apply
-f, --file FILE Specify the file path to apply.
--dry-run
--account-output FILE
-e, --export
-o, --output FILE Specify the file path to export current IAM settings.
--split
--split-more
--format FORMAT
ruby or json. (default: ruby)
--export-concurrency N
--ignore-login-profile
--no-color
--no-progress
--debug
--enable-delete
Enable to delete top level elements. (default: false)
IAM definition files example
subiam_mytool.rb
import 'subiam_ec2_assume_role_attrs.rb'
target /^mytool/ # required!!!
role 'mytool', path: '/' do
context.version = '2012-10-17'
include_template 'ec2-assume-role-attrs'
instance_profiles(
'mytool'
)
policy 'mytool-role-policy' do
{
Version: context.version,
Statement: [
{
Effect: "Allow",
Action: [
"ec2:DescribeInstances",
"ec2:DescribeVpcs"
],
Resource: [
"*"
]
},
{
Effect: "Allow",
Action: [
"route53:Get*",
"route53:List*",
"route53:ChangeResourceRecordSets*"
],
Resource: [
"*"
]
},
],
}
end
end
instance_profile 'mytool', path: '/'
subiam_ec2_assume_role_attrs.rb
template "ec2-assume-role-attrs" do
assume_role_policy_document do
{
Version: context.version,
Statement: [
{
Sid: "",
Effect: "Allow",
Principal: {Service: "ec2.amazonaws.com"},
Action: "sts:AssumeRole",
},
],
}
end
end
General example (User / Group / Role)
import 'other/iamfile'
target /.*/ # managing IAMs whole account
user "monitoring-bob", path: "/monitoring-user/" do
login_profile password_reset_required: true
groups(
"Admin"
)
policy "bob-policy" do
{Version: "2012-10-17",
Statement:
[{Action:
["s3:Get*",
"s3:List*"],
Effect: "Allow",
Resource: "*"}]}
end
attached_managed_policies(
# attached_managed_policy
)
end
user "mary", path: "/staff/" do
# login_profile password_reset_required: true
groups(
# no group
)
policy "s3-readonly" do
{Version: "2012-10-17",
Statement:
[{Action:
["s3:Get*",
"s3:List*"],
Effect: "Allow",
Resource: "*"}]}
end
policy "route53-readonly" do
{Version: "2012-10-17",
Statement:
[{Action:
["route53:Get*",
"route53:List*"],
Effect: "Allow",
Resource: "*"}]}
end
attached_managed_policies(
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::123456789012:policy/my_policy"
)
end
group "Admin", path: "/admin/" do
policy "Admin" do
{Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
end
end
role "S3", path: "/" do
instance_profiles(
"S3"
)
assume_role_policy_document do
{Version: "2012-10-17",
Statement:
[{Sid: "",
Effect: "Allow",
Principal: {Service: "ec2.amazonaws.com"},
Action: "sts:AssumeRole"}]}
end
policy "S3-role-policy" do
{Version: "2012-10-17",
Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
end
end
instance_profile "S3", path: "/"
Rename
user "bob2", path: "/developer/", renamed_from: "bob" do
# ...
end
group "Admin2", path: "/admin/", renamed_from: "Admin" do
# ...
end
Managed Policy attach/detach
user "bob", path: "/developer/" do
login_profile password_reset_required: true
groups(
"Admin"
)
policy "bob-policy" do
# ...
end
attached_managed_policies(
"arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
)
end
Custom Managed Policy
managed_policy "my-policy", path: "/" do
{Version: "2012-10-17",
Statement:
[{Effect: "Allow", Action: "directconnect:Describe*", Resource: "*"}]}
end
user "bob", path: "/developer/" do
login_profile password_reset_required: true
groups(
"Admin"
)
policy "bob-policy" do
# ...
end
attached_managed_policies(
"arn:aws:iam::123456789012:policy/my-policy"
)
end
Use JSON
$ subiam -e -o iam.json
ᗧ 100%
Export IAM to `iam.json`
$ cat iam.json
{
"users": {
"bob": {
"path": "/",
"groups": [
"Admin"
],
"policies": {
...
$ vi iam.json # add target
$ subiam -a -f iam.json --dry-run
Apply `iam.json` to IAM (dry-run)
ᗧ 100%
No change
Use Template
template "common-policy" do
policy "my-policy" do
{Version: context.version,
Statement:
[{Action:
["s3:Get*",
"s3:List*"],
Effect: "Allow",
Resource: "*"}]}
end
end
template "common-role-attrs" do
assume_role_policy_document do
{Version: context.version,
Statement:
[{Sid: "",
Effect: "Allow",
Principal: {Service: "ec2.amazonaws.com"},
Action: "sts:AssumeRole"}]}
end
end
user "bob", path: "/developer/" do
login_profile password_reset_required: true
groups(
"Admin"
)
include_template "common-policy", version: "2012-10-17"
end
user "mary", path: "/staff/" do
# login_profile password_reset_required: true
groups(
# no group
)
context.version = "2012-10-17"
include_template "common-policy"
attached_managed_policies(
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::123456789012:policy/my_policy"
)
end
role "S3", path: "/" do
instance_profiles(
"S3"
)
include_template "common-role-attrs"
policy "S3-role-policy" do
{Version: "2012-10-17",
Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
end
end
Use management policy
user "foo", path: '/' do
attached_managed_policies(
'arn:aws:iam::0123456789:policy/MyPolicy',
arn_policy_by_current_account("MyPolicy2"),
# == "arn:aws:iam::0123456789:policy/MyPolicy2'
arn_policy_by_aws("AdministratorAccess")
# == 'arn:aws:iam::aws:policy/AdministratorAccess'
)
end
Similar tools
FAQs
Unknown package
We found that subiam demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 30 Aug 2016
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
38% of CISOs Fear They’re Not Moving Fast Enough on AI
CISOs are racing to adopt AI for cybersecurity, but hurdles in budgets and governance may leave some falling behind in the fight against cyber threats.
By Sarah Gooding - Feb 04, 2025
Research
Security News
Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
Socket researchers uncovered a backdoored typosquat of BoltDB in the Go ecosystem, exploiting Go Module Proxy caching to persist undetected for years.
By Kirill Boychenko - Feb 04, 2025