IAMy is a tool for dumping and loading your AWS IAM configuration into YAML files.
This allows you to use an Infrastructure as Code model to manage your IAM configuration. For example, you might use a github repo with a pull request model for changes to IAM config.
IAMy has two subcommands:

- `pull` will sync IAM users, groups and policies from AWS to YAML files
- `push` will sync IAM users, groups and policies from YAML files to AWS

For the `push` command, IAMy will output an execution plan as a series of aws cli commands which can be optionally executed. This turns out to be a very direct and understandable way to display the changes to be made, and means you can pick and choose exactly which commands get actioned.
You can install IAMy on macOS with `brew install iamy`, or with the go toolchain using `go get -u github.com/99designs/iamy`.

Because IAMy uses the aws cli tool, you'll want to install it first.
```shell
$ iamy pull
$ find .
./myaccount-123456789/iam/user/joe.yml

$ mkdir -p myaccount-123456789/iam/user/foo
$ touch myaccount-123456789/iam/user/foo/bar.baz
$ cat << EOD > myaccount-123456789/iam/user/billy.blogs
Policies:
- arn:aws:iam::aws:policy/ReadOnly
EOD

$ iamy push
Commands to push changes to AWS:
      aws iam create-user --path /foo --user-name bar.baz
      aws iam create-user --user-name billy.blogs
      aws iam attach-user-policy --user-name billy.blogs --policy-arn arn:aws:iam::aws:policy/ReadOnly

Exec all aws commands? (y/N) y
> aws iam create-user --path /foo --user-name bar.baz
> aws iam create-user --user-name billy.blogs
> aws iam attach-user-policy --user-name billy.blogs --policy-arn arn:aws:iam::aws:policy/ReadOnly
```
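To make the walkthrough concrete, here is an added example (not IAMy's own code) that re-implements the planning step behind `push` for the user/`Policies:` subset shown above: it derives `--path` and `--user-name` from where a file sits under `iam/user/`, reads the managed-policy ARNs, and emits the same aws cli commands the README prints. The sample tree and the set of existing users are constructed for the example, and the YAML parser only handles the two-line `Policies:` form used here.

```python
import re

def parse_user_file(relpath: str, text: str) -> dict:
    """Derive the user name and IAM path from the file's location under
    iam/user/ (subdirectories become the IAM --path) and collect the
    managed-policy ARNs listed under `Policies:`."""
    parts = relpath.split("/")          # <account>/iam/user/[<path>/]<name>[.yml]
    idx = parts.index("user")
    name = re.sub(r"\.ya?ml$", "", parts[-1])
    subdirs = parts[idx + 1:-1]
    iam_path = "/" + "/".join(subdirs) if subdirs else ""
    policies, in_list = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Policies:":
            in_list = True
        elif in_list and stripped.startswith("- "):
            policies.append(stripped[2:].strip())
        elif stripped:
            in_list = False
    return {"name": name, "path": iam_path, "policies": policies}

def plan(desired_files: dict, existing_users: set) -> list:
    """Return the aws cli commands needed to create users that exist in the
    YAML tree but not in AWS, and attach their policies.  Updates and deletes,
    which the real `iamy push` also plans, are out of scope for this example."""
    cmds = []
    for relpath, text in desired_files.items():
        u = parse_user_file(relpath, text)
        if u["name"] in existing_users:
            continue
        path_opt = f" --path {u['path']}" if u["path"] else ""
        cmds.append(f"aws iam create-user{path_opt} --user-name {u['name']}")
        for arn in u["policies"]:
            cmds.append(f"aws iam attach-user-policy --user-name {u['name']} --policy-arn {arn}")
    return cmds

# Constructed sample tree mirroring the README walkthrough: joe was pulled
# from AWS already, the other two files were added locally.
SAMPLE_FILES = {
    "myaccount-123456789/iam/user/joe.yml": "",
    "myaccount-123456789/iam/user/foo/bar.baz": "",
    "myaccount-123456789/iam/user/billy.blogs": "Policies:\n- arn:aws:iam::aws:policy/ReadOnly\n",
}
EXISTING_USERS = {"joe"}  # constructed: users already present in the account

if __name__ == "__main__":
    print("\n".join(plan(SAMPLE_FILES, EXISTING_USERS)))
```

Because the plan is just a list of commands, it can be reviewed line by line in a pull request before anything is executed against the account.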
By default, iamy will use a simple heuristic (does the name end with an ID, e.g. `-ABCDEF1234`) to determine if a given resource is managed by CloudFormation.

This behaviour is good enough for some cases, but if you want slower but more accurate matching, pass to enumerate all CloudFormation stacks and resources to determine exactly which resources are managed.