{"id":17798948,"url":"https://github.com/icy/s3zip","last_synced_at":"2026-01-21T14:09:25.823Z","repository":{"id":139397816,"uuid":"144829727","full_name":"icy/s3zip","owner":"icy","description":"Compress AWS S3 policies and make them maintainable for human being. Compress 1200 lines of Json files into 120 lines of configuration.","archived":false,"fork":false,"pushed_at":"2018-10-17T01:17:53.000Z","size":33,"stargazers_count":4,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-07T13:47:46.309Z","etag":null,"topics":["aws","json","s3","yaml"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/icy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-15T08:54:25.000Z","updated_at":"2019-01-09T01:32:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"768cdb05-b3b0-49cc-a11c-825206ccb8c9","html_url":"https://github.com/icy/s3zip","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/icy/s3zip","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icy%2Fs3zip","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icy%2Fs3zip/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icy%2Fs3zip/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icy%2Fs3zip/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/icy","download_url":"https:/
/codeload.github.com/icy/s3zip/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icy%2Fs3zip/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28634791,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T04:47:28.174Z","status":"ssl_error","status_checked_at":"2026-01-21T04:47:22.943Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","json","s3","yaml"],"created_at":"2024-10-27T12:03:40.346Z","updated_at":"2026-01-21T14:09:25.807Z","avatar_url":"https://github.com/icy.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/icy/s3zip.svg?branch=master)](https://travis-ci.org/icy/s3zip)\n\n## TOC\n\n* [Description](#description)\n* [Examples](#examples)\n* [Installation](#installation)\n* [Syntax](#syntax)\n* [Why-s3zip](#why-s3zip)\n* [Specification](#specification)\n\n## Description\n\nCompress AWS S3 policies and make them maintainable for human beings.\n\nCompress 1200 lines of JSON files into 120 lines of configuration.\n\nOutput in JSON and/or Terraform.\nSee input examples in `input/` and the output in `output/`.\n\nPlease don't use this tool if you are not a human.\n\n## Examples\n\nSee more in the [Examples](examples/) directory.\n\nInput 
policy:\n\n```\n- user: \"arn:aws:iam::${var.example_production_account_id}:root\"\n  env: [dev]\n  do:\n  - perm: ALL\n    bucket: [\"${aws_s3_bucket.some_bucket_for_production.id}\"]\n```\n\nOutput `Terraform` files:\n\n```\n# ENVS: AUTO_GENERATED/{dev}\n# FILE: dev___aws_s3_bucket_some_bucket_for_production_id__override.tf\n# WARNING: Don't change this file manually\nresource \"aws_s3_bucket_policy\" \"s3_bucket_policy_dev___aws_s3_bucket_some_bucket_for_production_id_\" {\n  bucket = \"${aws_s3_bucket.some_bucket_for_production.id}\"\n  policy = \u003c\u003cAUTO_GENERATED\n{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"sid_333688ecda60fc955939b673acb26913\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::${var.example_production_account_id}:root\"\n        ]\n      },\n      \"Resource\": [\n        \"arn:aws:s3:::${aws_s3_bucket.some_bucket_for_production.id}\"\n      ],\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:GetBucketLocation\"\n      ]\n    },\n    {\n      \"Sid\": \"sid_2bc1a7835a0e262abb3009a8d3e5518c\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::${var.example_production_account_id}:root\"\n        ]\n      },\n      \"Resource\": [\n        \"arn:aws:s3:::${aws_s3_bucket.some_bucket_for_production.id}/*\"\n      ],\n      \"Action\": [\n        \"s3:*\"\n      ]\n    }\n  ]\n}\nAUTO_GENERATED\n}\n\n```\n\n## Installation\n\nA standard `Ruby` installation is required.\n\nMake the script `s3zip` executable and put it in your search path.\nWe may have `gem` support in the future.\n\n## Syntax\n\nWrite Terraform files:\n\n```\n$ cat input/*.tf.in \\\n  | D_OUTPUT=\"./output/\" ruby s3zip.rb --tf\n```\n\nor simply the JSON files:\n\n```\n$ cat input/*.tf.in \\\n  | D_OUTPUT=\"./output/\" ruby s3zip.rb\n```\n\n## Why s3zip\n\nIt's because the number of users of your `s3` bucket(s) is\noften higher than 
the number of buckets.\nThis is clear: every bucket needs at least one user.\n\nLet's say you have two buckets `s31` and `s32`, and you have several users:\n\n* Two developers in your company (`u1`, `u2`)\n* Two applications that need to write to those buckets (`a1`, `a2`)\n* A backup application that reads from those buckets (`b1`)\n\nTo prepare `s3` policies for this setup, you often do the following:\n\n* Prepare configuration for `s31` bucket: You need `IAM` information of\n  5 users (`u1`, `u2`, `a1`, `a2`, `b1`) and write policies for them.\n  In the policy you have to provide `IAM` information for each action\n  that would happen on the bucket. There is a lot of code duplication.\n* Prepare configuration for `s32` bucket. You almost repeat what you\n  have done for `s31` with a few updates.\n\nOne day your audit guy comes and asks you for a list of buckets that\nthe developer `u1` may have access to. The only option you can think of\nis to rescan all your policies. That's a nightmare.\n\n`S3zip` helps you from the point of view of an audit guy. Instead of\nwriting policies for each bucket, we will write policies for each user.\nFor each `IAM` user on your system (maybe that's a human, or an application)\nyou describe some basic rules for them.\n\nTake a look at the `input/` directory for some examples.\n\nProblem solved. Code duplication is reduced quickly, policies are very\nclean and your audit guy will be happy.\n\n## Specification\n\nThe specification is found [here](./SPECIFICATION.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficy%2Fs3zip","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ficy%2Fs3zip","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficy%2Fs3zip/lists"}