IAMer
IAMer dump and load your AWS IAM configuration into text files.
Once dumped, you can version the resulting json
and ini
files to keep track
of changes, and even ask your team mates to do Pull Requests
when they want access to something.
IAMer is idempotent. You can run it as many times as you want, the resulting files will always be the same. This is useful to make sure your files are up to date with what you have in IAM.
To Be Implemented
Once the text files have been modified, you can load the changes into IAM with one command.
Quick Start
# Dump your current IAM database
$ iamer dump
Dumping users...
Dumping groups...
Dumping policies...
# Save it
$ git commit
$ git push
Install
pip install iamer
Configuration
IAMer uses boto so you will need the following to run:
export AWS_ACCESS_KEY_ID="1234567890"
export AWS_SECRET_ACCESS_KEY="bb7075bc63f93d21fb9b8f45c3fa5ad0"
See the boto documention for other ways to configure it.
Usage
There are 2 modes of operation, dump
and load
.
Dump your IAM configuration locally
$ iamer dump
Dumping users...
Dumping groups...
Dumping policies...
You will get 3 things:
users.ini
groups.ini
policies/*.json
users.ini
1. A users.ini
file with the list of users defined in IAM, and the groups and
policies attached to each.
# This user has no group or policy
[bob]
# joe is part of the useless-group group
[joe]
groups = useless-group
# superadmin has multiple groups and policies attached to him
[superadmin]
groups = ec2-rw,
ec2-r53-r
policies = dynamodb-dev-201301121713,
dynamodb-live-201301121713
groups.ini
2. A groups.ini
file with the list of groups defined in IAM, and the policies
attached to each.
# A group with no policy
[useless-group]
# The ec2-rw group has the ec2-read-write policy attached to it
[ec2-rw]
policies = ec2-read-write
# This group has 2 policies attached
[ec2-r53-r]
policies = ec2-read-only,
r53-read-only
policies/*.json
3. And in the policies/
folder, you will find all the policies referenced in the
users.ini
and groups.ini
files as json
files.
For example, the policies/ec2-read-write.json
will contain:
{
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
}
]
}
Update your IAM config based on your local files
TO BE IMPLEMENTED
See Also
ec2-security-groups-dumper to dump your EC2 Security Groups as CSV and JSON text files.