{"id":23092294,"url":"https://github.com/sourcefrog/iamthat","last_synced_at":"2025-04-03T18:27:47.120Z","repository":{"id":142466024,"uuid":"595923359","full_name":"sourcefrog/iamthat","owner":"sourcefrog","description":null,"archived":false,"fork":false,"pushed_at":"2023-10-24T16:44:48.000Z","size":185,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-09T06:43:37.671Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sourcefrog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-01T04:41:09.000Z","updated_at":"2023-06-13T16:56:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"5944f82d-b1e3-4582-ab9d-3373eb1843ea","html_url":"https://github.com/sourcefrog/iamthat","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcefrog%2Fiamthat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcefrog%2Fiamthat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcefrog%2Fiamthat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcefrog%2Fiamthat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sourcefrog","download_url":"https://codeload.github.com/sourcefrog/iamthat/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247055118,"owners_count":20876136,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-16T21:32:03.897Z","updated_at":"2025-04-03T18:27:47.103Z","avatar_url":"https://github.com/sourcefrog.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# iamthat - a partial reimplementation of AWS IAM policy evaluation\n\nThe goal of this crate is to reimplement AWS IAM policy evaluation logic in a\nself-contained Rust crate that can run offline without talking to AWS. On that\ncore, we can build tools that, for example, run unit tests for IAM policies,\nasserting that some actions are allowed and others are denied.\n\nThis crate builds both a Rust library and a command-line tool.\n\n## Command-line usage\n\nCheck one request against some resource policies:\n\n    iamthat eval --request-file \u003crequest.json\u003e --resource-policy-file \u003cpolicy.json\u003e\n\n## Features\n\nPolicy types:\n\n- [x] Parse AWS IAM policy JSON.\n- [x] Resource policies.\n- [ ] Attach policies to resources.\n- [ ] Inline role policies.\n- [ ] Attached role policies.\n- [ ] Service control policies.\n- [ ] Session policies.\n- [x] JSON scenario files to the tree containing all the policies and resources\n  relevant to a test.\n\nTesting of iamthat:\n\n- [x] Test a request against a scenario and assert that it is allowed or denied.\n- [ ] Automatically test against access analyzer, for cases that are supported\n  by both.\n\nPolicy evaluation:\n\n- [x] Check a single action name, with no parameters, against a policy.\n- [ ] Attachment of policies to resources: find the policies for the resource\n      affected by the request.\n- [ ] Check resource name.\n- [ ] Check condition keys.\n- [ ] NotAction, NotResource, etc.\n- [ ] Lint a policy for common errors.\n- [ ] If the action is denied, say which policy and statement caused the\n  denial.\n\nAWS API integration:\n\n- [ ] Download relevant policies from AWS?\n\nQuality of life:\n\n- [ ] Switch to using [json5] for policy files, to allow comments and trailing\n  commas?\n- [x] JSON schemas.\n\n[json5]: https://json5.org/\n\n## IAM Policy Simulator\n\nThe function and purpose of this crate significantly overlaps with\n[AWS IAM Policy Simulator][policy_sim]. The main differences are:\n\nPolicy Simulator is much more complete and backed by AWS. It requires online\naccess to AWS, and has some limitations on which policies it can evaluate.\n\nThis crate is open source and can be run offline, but is currently extremely\nincomplete.\n\n[policy_sim]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html\n\n## Status\n\nThis crate is very incomplete and experimental. It is not ready for use.\n\nThe AWS IAM policy evaluation logic is very complicated and not perfectly clearly\ndocumented. Even for features that are marked as implemented there is a\nsignificant likelihood that some evaluations will be inconsistent with AWS's\nbehavior.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsourcefrog%2Fiamthat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsourcefrog%2Fiamthat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsourcefrog%2Fiamthat/lists"}