Awesome Open Source
Awesome Open Source

IAMy

IAMy is a tool for dumping and loading your AWS IAM configuration into YAML files.

This allows you to use an Infrastructure as Code model to manage your IAM configuration. For example, you might use a github repo with a pull request model for changes to IAM config.

How it works

IAMy has two subcommands.

pull will sync IAM users, groups and policies from AWS to YAML files

push will sync IAM users, groups and policies from YAML files to AWS

For the push command, IAMy will output an execution plan as a series of aws cli commands which can be optionally executed. This turns out to be a very direct and understandable way to display the changes to be made, and means you can pick and choose exactly what commands get actioned.

Getting started

You can install IAMy on macOS with brew install iamy, or with the go toolchain go get -u github.com/99designs/iamy.

Because IAMy uses the aws cli tool, you'll want to install it first.

For configuration, IAMy uses the same AWS environment variables as the aws cli. You might find aws-vault an excellent complementary tool for managing AWS credentials.

Example Usage

$ iamy pull

$ find .
./myaccount-123456789/iam/user/joe.yml

$ mkdir -p myaccount-123456789/iam/user/foo

$ touch myaccount-123456789/iam/user/foo/bar.baz

$ cat << EOD > myaccount-123456789/iam/user/billy.blogs
Policies:
- arn:aws:iam::aws:policy/ReadOnly
EOD

$ iamy push
Commands to push changes to AWS:
        aws iam create-user --path /foo --user-name bar.baz
        aws iam create-user --user-name billy.blogs
        aws iam attach-user-policy --user-name billy.blogs --policy-arn arn:aws:iam::aws:policy/ReadOnly

Exec all aws commands? (y/N) y

> aws iam create-user --path /foo --user-name bar.baz
> aws iam create-user --user-name billy.blogs
> aws iam attach-user-policy --user-name billy.blogs --policy-arn arn:aws:iam::aws:policy/ReadOnly

Accurate cloudformation matching

By default, iamy will use a simple heuristic (does it end with an ID, eg -ABCDEF1234) to determine if a given resource is managed by cloudformation.

This behaviour is good enough for some cases, but if you want slower but more accurate matching pass --accurate-cfn to enumerate all cloudformation stacks and resources to determine exactly which resources are managed.

Inspiration and similar tools


Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
go (15,379
cli (1,842
aws (1,131
devops (594
yaml (230
iam (48
aws-cli (34