{"id":13562183,"url":"https://github.com/iann0036/iamlive","last_synced_at":"2025-05-13T15:10:04.814Z","repository":{"id":40615178,"uuid":"335925753","full_name":"iann0036/iamlive","owner":"iann0036","description":"Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy","archived":false,"fork":false,"pushed_at":"2025-03-24T11:25:57.000Z","size":21523,"stargazers_count":3233,"open_issues_count":41,"forks_count":111,"subscribers_count":22,"default_branch":"main","last_synced_at":"2025-04-23T18:55:53.804Z","etag":null,"topics":["aws","aws-iam","aws-iam-policies","azure","azure-rbac","gcp","gcp-iam","iam","least-privilege"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iann0036.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"iann0036"}},"created_at":"2021-02-04T10:57:02.000Z","updated_at":"2025-04-21T19:27:46.000Z","dependencies_parsed_at":"2023-02-18T02:30:53.538Z","dependency_job_id":"92ce78cb-1d9f-435c-975e-1ddb953d0667","html_url":"https://github.com/iann0036/iamlive","commit_stats":{"total_commits":161,"total_committers":11,"mean_commits":"14.636363636363637","dds":"0.36024844720496896","last_synced_commit":"e95134c66c6544db6b972f4aa4bc08717ff71bd6"},"previous_names":[],"tags_count":82,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iann0036%2Fiamlive","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/iann0036%2Fiamlive/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iann0036%2Fiamlive/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iann0036%2Fiamlive/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iann0036","download_url":"https://codeload.github.com/iann0036/iamlive/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253969243,"owners_count":21992262,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-iam","aws-iam-policies","azure","azure-rbac","gcp","gcp-iam","iam","least-privilege"],"created_at":"2024-08-01T13:01:05.515Z","updated_at":"2025-05-13T15:09:59.801Z","avatar_url":"https://github.com/iann0036.png","language":"Go","funding_links":["https://github.com/sponsors/iann0036"],"categories":["Go","Identity and access management","Other Awesome Lists","azure","AWS Security","Tools"],"sub_categories":["Hook management tools","Least privilege","IAM"],"readme":"# iamlive\n\n\u003e Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy\n\n![](https://raw.githubusercontent.com/iann0036/iamlive/assets/iamlive.gif)\n\n\u003e [!IMPORTANT]  \n\u003e The Azure and Google Cloud providers are in preview and may produce incorrect outputs at this time\n\n## Installation\n\n### Pre-built binaries\n\nPre-built binaries for Windows, macOS and Linux are available for download in the project 
[releases](https://github.com/iann0036/iamlive/releases).\n\nOnce downloaded, place the extracted binary in your $PATH (or execute in-place). For macOS users, you may need to allow the application to run via System Preferences.\n\n### Build with Go\n\nTo build and install this application, clone this repository and execute the following from its base:\n\n```\ngo install\n```\n\nYou must have Go 1.16 or later installed for the build to work.\n\n### Homebrew\n\nYou may also install this application using a Homebrew tap with the following command:\n\n```\nbrew install iann0036/iamlive/iamlive\n```\n\n### Other Methods\n\n* [Lambda Extension](https://github.com/iann0036/iamlive-lambda-extension) _(AWS only)_\n* [Docker](https://meirg.co.il/2021/04/23/determining-aws-iam-policies-according-to-terraform-and-aws-cli/)\n* [GitHub Action (with Terraform)](https://github.com/scott-doyland-burrows/gha-composite-terraform-iamlive)\n* [LocalStack](https://github.com/rulio/iamlive-localstack/)\n\n## Usage\n\nTo start the listener, simply run `iamlive` in a separate window from your CLI / SDK application. 
You can use Ctrl+C to exit when you are done.\n\n### CLI Arguments\n\nYou can optionally also include the following arguments to the `iamlive` command:\n\n**--provider:** the cloud service provider to intercept calls for (`aws`,`azure`,`gcp`) (_default: aws_)\n\n**--set-ini:** when set, the `.aws/config` file will be updated to enable CSM monitoring or the CA bundle, and the change is removed when exiting (_default: false_) (_AWS only_)\n\n**--profile:** use the specified profile when combined with `--set-ini` (_default: default_) (_AWS only_)\n\n**--fails-only:** when set, only failed AWS calls will be added to the policy, csm mode only (_default: false_) (_AWS only_)\n\n**--output-file:** specify a file that will be written to on SIGHUP or exit (_default: unset_)\n\n**--refresh-rate:** instead of flushing to the console on every API call, flush once every this many seconds (_default: 0_)\n\n**--sort-alphabetical:** sort actions alphabetically (_default: false for AWS, otherwise true_)\n\n**--host:** host to listen on for CSM (_default: 127.0.0.1_)\n\n**--background:** when set, the process will return the current PID and run in the background without output (_default: false_)\n\n**--force-wildcard-resource:** when set, the Resource will always be a wildcard (_default: false_) (_AWS only_)\n\n**--mode:** the listening mode (`csm`,`proxy`) (_default: csm for aws, otherwise proxy_)\n\n**--bind-addr:** the bind address for proxy mode (_default: 127.0.0.1:10080_)\n\n**--ca-bundle:** the CA certificate bundle (PEM) to use for proxy mode (_default: ~/.iamlive/ca.pem_)\n\n**--ca-key:** the CA certificate key to use for proxy mode (_default: ~/.iamlive/ca.key_)\n\n**--account-id:** the AWS account ID to use in policy outputs within proxy mode (_default: 123456789012 unless detected_) (_AWS only_)\n\n**--override-aws-map:** overrides the embedded AWS mapping JSON file with the filepath provided (_AWS only_)\n\n**--debug:** dumps associated HTTP requests when set in proxy mode (_default: 
false_)\n\n_Basic Example (CSM Mode)_\n\n```\niamlive --set-ini\n```\n\n_Basic Example (Proxy Mode)_\n\n```\niamlive --set-ini --mode proxy\n```\n\n_Basic Example (Azure)_\n\n```\niamlive --provider azure\n```\n\n_Basic Example (Google Cloud)_\n\n```\niamlive --provider gcp\n```\n\n_Comprehensive Example (CSM Mode)_\n\n```\niamlive --set-ini --profile myprofile --fails-only --output-file policy.json --refresh-rate 1 --sort-alphabetical --host 127.0.0.1 --background\n```\n\n_Comprehensive Example (Proxy Mode)_\n\n```\niamlive --set-ini --mode proxy --profile myprofile --output-file policy.json --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --account-id 123456789012 --background --force-wildcard-resource\n```\n\nThe arguments may also be specified in an INI file located at `~/.iamlive/config`.\n\n### CSM Mode\n\nClient-side monitoring mode is the default behaviour for AWS and will use [metrics](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/metrics.html) delivered locally via UDP to capture policy statements with the `Action` key only (`Resource` is only available in proxy mode).\n\nCSM mode is only available for the AWS provider.\n\n#### CLI\n\nTo enable CSM in the AWS CLI, you should either use the `--set-ini` option or add the following to the relevant profile in `.aws/config`:\n\n```\ncsm_enabled = true\n```\n\nAlternatively, you can run the following in the window executing your CLI commands:\n\n```\nexport AWS_CSM_ENABLED=true\n```\n\n#### SDKs\n\nTo enable CSM in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:\n\n```\nexport AWS_CSM_ENABLED=true\nexport AWS_CSM_PORT=31000\nexport AWS_CSM_HOST=127.0.0.1\n```\n\n### Proxy Mode\n\nProxy mode will serve a local HTTP(S) server (by default at `http://127.0.0.1:10080`) that will inspect requests sent to the AWS endpoints before forwarding on to generate IAM 
policy statements. The CA key/certificate pair will be automatically generated and stored within `~/.iamlive/` by default.\n\n#### AWS CLI\n\nTo set the appropriate CA bundle in the AWS CLI, you should either use the `--set-ini` option or add the following to the relevant profile in `.aws/config`:\n\n```\nca_bundle = ~/.iamlive/ca.pem\n```\n\nAlternatively, you can run the following in the window executing your CLI commands:\n\n```\nexport AWS_CA_BUNDLE=~/.iamlive/ca.pem\n```\n\nYou must also set the proxy settings for your session by running the following in the window executing your CLI commands:\n\n```\nexport HTTP_PROXY=http://127.0.0.1:10080\nexport HTTPS_PROXY=http://127.0.0.1:10080\n```\n\n#### AWS SDKs\n\nTo enable proxy mode in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:\n\nFor AWS SDKs:\n\n```\nexport HTTP_PROXY=http://127.0.0.1:10080\nexport HTTPS_PROXY=http://127.0.0.1:10080\nexport AWS_CA_BUNDLE=~/.iamlive/ca.pem\n```\n\nCheck the [official docs](https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-ca_bundle.html) for further details on setting the CA bundle.\n\n#### Azure CLI and SDKs\n\nTo enable proxy mode in the Azure CLI or SDK, you can run the following in the window executing your application prior to it starting:\n\n```\nexport HTTP_PROXY=http://127.0.0.1:10080\nexport HTTPS_PROXY=http://127.0.0.1:10080\nexport REQUESTS_CA_BUNDLE=~/.iamlive/ca.pem\n```\n\n#### Google Cloud CLI and SDKs\n\nTo enable proxy mode in the Google Cloud CLI or SDKs, you can run the following in the window executing your application prior to it starting:\n\n```\ngcloud config set proxy/type http\ngcloud config set proxy/address 127.0.0.1\ngcloud config set proxy/port 10080\ngcloud config set core/custom_ca_certs_file ~/.iamlive/ca.pem\n```\n\n## FAQs\n\n_I get a message \"package embed is not in GOROOT\" when attempting to build myself_\n\nThis project requires Go 1.16 or above to be built 
correctly (due to the embedding feature).\n\n## Acknowledgements\n\nThis project makes use of [Parliament](https://github.com/duo-labs/parliament) and was assisted by Scott Piper's [CSM explainer](https://summitroute.com/blog/2020/05/25/client_side_monitoring/). Thanks also to Noam Dahan's [research](https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/) into missing `iam:PassRole` dependent actions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiann0036%2Fiamlive","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiann0036%2Fiamlive","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiann0036%2Fiamlive/lists"}