{"id":42588104,"url":"https://github.com/keikoproj/iam-manager","last_synced_at":"2026-01-28T23:07:13.372Z","repository":{"id":40373137,"uuid":"228707094","full_name":"keikoproj/iam-manager","owner":"keikoproj","description":"AWS IAM role management for K8s cluster using kube builder \"Operator\" framework","archived":false,"fork":false,"pushed_at":"2026-01-13T00:02:06.000Z","size":988,"stargazers_count":46,"open_issues_count":31,"forks_count":23,"subscribers_count":13,"default_branch":"master","last_synced_at":"2026-01-13T03:15:22.625Z","etag":null,"topics":["aws","crd-controller","iam","iam-manager","iam-roles","irsa","kubebuilder","kubernetes","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/keikoproj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-12-17T21:45:48.000Z","updated_at":"2026-01-02T13:17:15.000Z","dependencies_parsed_at":"2023-02-17T13:15:36.891Z","dependency_job_id":"ffabfd55-aab2-4638-ad9d-f7ca182cb456","html_url":"https://github.com/keikoproj/iam-manager","commit_stats":null,"previous_names":[],"tags_count":21,"template":false,"template_full_name":null,"purl":"pkg:github/keikoproj/iam-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fiam-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fiam-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fiam-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fiam-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/keikoproj","download_url":"https://codeload.github.com/keikoproj/iam-manager/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fiam-manager/sbom","scorecard":{"id":553877,"data":{"date":"2025-08-11","repo":{"name":"github.com/keikoproj/iam-manager","commit":"bb28308fdb875506e77d11ca30a74fbe443db493"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.3,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":3,"reason":"Found 3/8 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/Release.yaml:1","Warn: no topLevel permission defined: .github/workflows/unit_test.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/Release.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/Release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/Release.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/Release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/Release.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/Release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/Release.yaml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/Release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/Release.yaml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/Release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/Release.yaml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/Release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_test.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/unit_test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_test.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/unit_test.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit_test.yaml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/unit_test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_test.yaml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/unit_test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_test.yaml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/unit_test.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit_test.yaml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/iam-manager/unit_test.yaml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:2","Warn: containerImage not pinned by hash: Dockerfile:22: pin your Docker image by updating gcr.io/distroless/static:nonroot to gcr.io/distroless/static:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/Release.yaml:10"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-20T11:46:59.041Z","repository_id":40373137,"created_at":"2025-08-20T11:46:59.042Z","updated_at":"2025-08-20T11:46:59.042Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28854538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-28T22:56:21.783Z","status":"ssl_error","status_checked_at":"2026-01-28T22:56:00.861Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","crd-controller","iam","iam-manager","iam-roles","irsa","kubebuilder","kubernetes","security"],"created_at":"2026-01-28T23:07:12.592Z","updated_at":"2026-01-28T23:07:13.364Z","avatar_url":"https://github.com/keikoproj.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# iam-manager\n\n[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)][GithubMaintainedUrl]\n[![PR](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)][GithubPrsUrl]\n[![slack](https://img.shields.io/badge/slack-join%20the%20conversation-ff69b4.svg)][SlackUrl]\n\n[![Release][ReleaseImg]][ReleaseUrl]\n[![Build Status][BuildStatusImg]][BuildMasterUrl]\n[![codecov][CodecovImg]][CodecovUrl]\n[![Go Report Card][GoReportImg]][GoReportUrl]\n\nA Kubernetes operator that manages AWS IAM roles for namespaces and service accounts using custom resources.\n\n## Table of Contents\n- [Overview](#overview)\n- [Requirements](#requirements)\n- [Features](#features)\n- [Architecture](#architecture)\n- [Quick Start](#quick-start)\n- [Usage](#usage)\n- [Documentation](#documentation)\n- [Version Compatibility](#version-compatibility)\n- [Contributing](#contributing)\n\n## Overview\n\niam-manager simplifies AWS IAM role management within Kubernetes clusters by providing a declarative approach through custom resources. It enables namespace-scoped IAM role creation, enforces security best practices, and integrates with AWS IAM Role for Service Accounts (IRSA).\n\nOriginally developed at Intuit to manage IAM roles across 200+ clusters and 8000+ namespaces, iam-manager allows application teams to create and update IAM roles as part of their GitOps deployment pipelines, eliminating manual IAM policy management. This enables a \"single manifest\" approach where teams can manage both Kubernetes resources and IAM permissions together. For more details on the design principles and origin story, see the [Managing IAM Roles as K8s Resources](https://medium.com/keikoproj/managing-iam-roles-as-k8s-resources-aa00c5c4447f) article.\n\n## Requirements\n\n- Kubernetes cluster 1.16+\n- AWS IAM permissions to create/update/delete roles\n- AWS account with permission boundary policy configured\n- Cert-manager (for webhook validation, optional)\n\n## Features\n\niam-manager provides a comprehensive set of features for IAM role management:\n\n- [IAM Roles Management](docs/features.md#iam-roles-management) - Create, update, and delete IAM roles through Kubernetes resources\n- [IAM Role for Service Accounts (IRSA)](docs/features.md#iam-role-for-service-accounts-irsa) - Integration with AWS IAM Roles for Service Accounts\n- [AWS Service-Linked Roles](docs/features.md#aws-service-linked-roles) - Support for service-linked roles\n- [Default Trust Policy for All Roles](docs/features.md#default-trust-policy-for-all-roles) - Enforce consistent trust policies\n- [Maximum Number of Roles per Namespace](docs/features.md#maximum-number-of-roles-per-namespace) - Governance controls\n- [Attaching Managed IAM Policies for All Roles](docs/features.md#attaching-managed-iam-policies-for-all-roles) - Simplified policy management\n- [Multiple Trust policies](docs/features.md#multiple-trust-policies) - Flexible trust relationship configuration\n\n## Architecture\n\niam-manager follows a Kubernetes operator pattern that watches for Iamrole custom resources and manages the corresponding IAM roles in AWS.\n\n![IAM Manager Architecture](docs/images/iam-manager-architecture.png)\n\nThe controller reconciles Kubernetes resources with AWS IAM roles, ensuring that:\n- Each valid Iamrole CR has a corresponding IAM role in AWS\n- Changes to Iamrole CRs are reflected in the AWS IAM roles\n- Deleted Iamrole CRs result in cleanup of the corresponding AWS resources\n\nFor a more detailed view of the architecture including component interactions and workflows, see the [Architecture Documentation](docs/architecture.md).\n\n## Quick Start\n\nThe fastest way to install iam-manager is to use the provided installation script:\n\n```bash\ngit clone https://github.com/keikoproj/iam-manager.git\ncd iam-manager\n./hack/install.sh [cluster_name] [aws_region] [aws_profile]\n```\n\nFor detailed installation instructions, configuration options, and prerequisites, see the [Installation Guide](docs/install.md).\n\n## Usage\n\nHere's a minimal example of an IAM role for accessing S3:\n\n```yaml\napiVersion: iammanager.keikoproj.io/v1alpha1\nkind: Iamrole\nmetadata:\n  name: s3-reader-role\n  namespace: default\nspec:\n  PolicyDocument:\n    Statement:\n      - Effect: \"Allow\"\n        Action:\n          - \"s3:GetObject\"\n          - \"s3:ListBucket\"\n        Resource:\n          - \"arn:aws:s3:::your-bucket-name/*\"\n          - \"arn:aws:s3:::your-bucket-name\"\n        Sid: \"AllowS3Access\"\n```\n\nFor IRSA (IAM Roles for Service Accounts) integration:\n\n```yaml\napiVersion: iammanager.keikoproj.io/v1alpha1\nkind: Iamrole\nmetadata:\n  name: app-role\n  namespace: default\n  annotations:\n    iam.amazonaws.com/irsa-service-account: app-service-account\nspec:\n  PolicyDocument:\n    Statement:\n      - Effect: \"Allow\"\n        Action: [\"s3:GetObject\"]\n        Resource: [\"arn:aws:s3:::your-bucket-name/*\"]\n```\n\nFor detailed examples and usage patterns, see the [examples directory](examples/) and the [CRD Reference](docs/crd-reference.md).\n\n## Documentation\n\nComprehensive documentation is available:\n\n- [Architecture Documentation](docs/architecture.md)\n- [Quick Start Guide](docs/quickstart.md)\n- [Design Documentation](docs/design.md)\n- [Configuration Options](docs/configmap-properties.md)\n- [Developer Guide](docs/developer-guide.md)\n- [AWS Integration](docs/aws-integration.md)\n- [AWS Security](docs/aws-security.md)\n- [Features](docs/features.md)\n- [Installation Guide](docs/install.md)\n- [CRD Reference](docs/crd-reference.md)\n- [Troubleshooting Guide](docs/troubleshooting.md)\n\n## Version Compatibility\n\n| iam-manager Version | Kubernetes Version | Go Version | Key Features |\n|---------------------|-------------------|------------|--------------|\n| current | 1.16 - 1.27 | 1.24+ | Upgrade to Go 1.24 |\n| v0.22.0 | 1.16 - 1.25 | 1.19+ | IRSA regional endpoint configuration |\n| v0.21.0 | 1.16 - 1.24 | 1.18+ | Enhanced security features |\n| v0.20.0 | 1.16 - 1.23 | 1.17+ | Improved reconciliation controller |\n| v0.19.0 | 1.16 - 1.22 | 1.16+ | IRSA support improvements |\n| v0.18.0 | 1.16 - 1.21 | 1.15+ | Custom role naming |\n\nFor detailed information about each release, see the [GitHub Releases page](https://github.com/keikoproj/iam-manager/releases).\n\n## Contributing\n\nPlease check [CONTRIBUTING.md](CONTRIBUTING.md) before contributing.\n\n\u003c!-- Markdown link --\u003e\n[GithubMaintainedUrl]: https://github.com/keikoproj/iam-manager/graphs/commit-activity\n[GithubPrsUrl]: https://github.com/keikoproj/iam-manager/pulls\n[SlackUrl]: https://keikoproj.slack.com/app_redirect?channel=iam-manager\n\n[ReleaseImg]: https://img.shields.io/github/release/keikoproj/iam-manager.svg\n[ReleaseUrl]: https://github.com/keikoproj/iam-manager/releases\n\n[BuildStatusImg]: https://github.com/keikoproj/iam-manager/actions/workflows/unit_test.yaml/badge.svg\n[BuildMasterUrl]: https://github.com/keikoproj/iam-manager/actions/workflows/unit_test.yaml\n\n[CodecovImg]: https://codecov.io/gh/keikoproj/iam-manager/branch/master/graph/badge.svg\n[CodecovUrl]: https://codecov.io/gh/keikoproj/iam-manager\n\n[GoReportImg]: https://goreportcard.com/badge/github.com/keikoproj/iam-manager\n[GoReportUrl]: https://goreportcard.com/report/github.com/keikoproj/iam-manager","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeikoproj%2Fiam-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeikoproj%2Fiam-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeikoproj%2Fiam-manager/lists"}