# aws-iam-policy [![Build Status](https://travis-ci.org/thinkinglabs/aws-iam-policy.svg?branch=main)](https://travis-ci.org/thinkinglabs/aws-iam-policy)

Repository: https://github.com/thinkinglabs/aws-iam-policy (TypeScript, MIT licence; topics: aws, iam-policy, javascript, nodejs, typescript)

A Node.js package for working with AWS IAM Policy documents.

The primary reasons for creating the library were:

- to simplify declaring IAM identity policies and resource policies (S3 bucket
  policies, KMS key policies, Secrets Manager secret policies) in code, for
  resources provisioned with [Pulumi](https://www.pulumi.com/).
- to simplify unit testing of those policies, and in particular testing of
  single policy statements.

## Requirements

Node.js lts/gallium (16.x)

## Features

- Reading/writing AWS IAM Policy JSON documents.
- An object model for building an IAM Policy document.
- Validating an IAM Policy document as an identity-based or a resource-based
  policy.
- Validating that a `Sid` is unique within an IAM Policy document when adding
  Statements.
- Retrieval of Policy Statements by `Sid`.

## Documentation

Install the package.

```bash
npm install --save-dev @thinkinglabs/aws-iam-policy
```

Create a policy document. The example builds a KMS key policy and returns its
JSON, which is the form a provisioning tool such as Pulumi expects.

```typescript
import * as iam from '@thinkinglabs/aws-iam-policy';

function kmsKeyPolicy(accountId: string, keyAdminArns: string[], keyUserArns: string[]) {
  return new iam.PolicyDocument([
    // Standard KMS delegation: granting kms:* to the account root lets IAM
    // policies in the account control the key. Without this statement the
    // key can only be managed through the key policy itself.
    new iam.Statement({
      sid: 'Enable IAM User Permissions',
      effect: 'Allow',
      principals: [new iam.RootAccountPrincipal(accountId)],
      actions: ['kms:*'],
      resources: ['*'],
    }),
    new iam.Statement({
      sid: 'Allow access for Key Administrators',
      effect: 'Allow',
      principals: keyAdminArns.map((arn) => new iam.ArnPrincipal(arn)),
      actions: ['kms:*'],
      resources: ['*'],
    }),
    // Key users get the cryptographic actions only, not kms:*.
    new iam.Statement({
      sid: 'Allow use of the key',
      effect: 'Allow',
      principals: keyUserArns.map((arn) => new iam.ArnPrincipal(arn)),
      actions: [
        'kms:Encrypt',
        'kms:Decrypt',
        'kms:ReEncrypt*',
        'kms:GenerateDataKey*',
        'kms:DescribeKey',
      ],
      resources: ['*'],
    }),
  ]).json;
}
```

Add a `Statement` to an existing policy document. The `Sid` must be unique
within the document; the library checks this when statements are added.

```typescript
const policy = new iam.PolicyDocument();
policy.addStatements(new iam.Statement({
  sid: 'Enable IAM User Permissions',
  effect: 'Allow',
  principals: [new iam.RootAccountPrincipal(accountId)],
  actions: ['kms:*'],
  resources: ['*'],
}));
```

Unit testing a statement from a policy document. You can retrieve a single
statement using the `Sid` of that statement. Because `kmsKeyPolicy()` above
returns JSON, the test parses it back into a `PolicyDocument` first.

```typescript
import {expect} from 'chai';
import * as iam from '@thinkinglabs/aws-iam-policy';
// The module under test: wherever kmsKeyPolicy() from the example above lives.
import * as sut from './kms-key-policy';

describe('kms key policy', function() {
  const accountId = '123456789012';
  const keyAdminArns = [
    `arn:aws:iam::${accountId}:role/admin1`,
    `arn:aws:iam::${accountId}:role/admin2`,
  ];
  const keyUserArns = [
    `arn:aws:iam::${accountId}:role/user1`,
  ];
  const policy = iam.PolicyDocument.fromJson(
      sut.kmsKeyPolicy(accountId, keyAdminArns, keyUserArns));

  it('should enable IAM User permissions', function() {
    const statement = policy.getStatement('Enable IAM User Permissions');

    expect(statement).to.deep.equal(new iam.Statement({
      actions: ['kms:*'],
      effect: 'Allow',
      principals: [new iam.RootAccountPrincipal('123456789012')],
      resources: ['*'],
      sid: 'Enable IAM User Permissions',
    }));
  });
});
```

Serialising to and from JSON.

```typescript
const policy = new iam.PolicyDocument();
const json = policy.json;
const newPolicy = iam.PolicyDocument.fromJson(json);
```

Supports different principals.

```typescript
// "Principal": {"Service": ["ec2.amazonaws.com"]}
const servicePrincipal = new iam.ServicePrincipal('ec2.amazonaws.com');

// "Principal": {"AWS": ["arn:aws:iam::123456789012:user/a/path/user-name"]}
const userPrincipal = new iam.UserPrincipal('123456789012', 'user-name', '/a/path/');

// "Principal": {"AWS": ["arn:aws:iam::123456789012:role/a/path/role-name"]}
const rolePrincipal = new iam.RolePrincipal('123456789012', 'role-name', '/a/path/');

// "Principal": {"AWS": ["arn:aws:iam::123456789012:role/role-name"]}
const arnPrincipal = new iam.ArnPrincipal('arn:aws:iam::123456789012:role/role-name');

// "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]}
const rootAccountPrincipal = new iam.RootAccountPrincipal('123456789012');

// "Principal": {"AWS": ["123456789012"]}
const accountPrincipal = new iam.AccountPrincipal('123456789012');

// "Principal": {"AWS": ["*"]}
const anonymousUserPrincipal = new iam.AnonymousUserPrincipal();

// "Principal": "*"
const wildcardPrincipal = new iam.WildcardPrincipal();
```

`AnonymousUserPrincipal` and `WildcardPrincipal` both match every caller,
including unauthenticated ones. A resource policy that allows either makes the
resource public unless the statement is narrowed with a `Condition`.

Validate a policy document. `validate()` returns an empty list when the
document is valid and a list of errors otherwise. An empty array is truthy in
JavaScript, so test its length rather than the array itself.

```typescript
import {PolicyType} from '@thinkinglabs/aws-iam-policy';

function assertValid(errors: unknown[]) {
  if (errors.length > 0) {
    throw new Error(`invalid policy: ${errors.join('; ')}`);
  }
}

// validate any policy
assertValid(policy.validate());

// validate an IAM (identity-based) policy document
assertValid(policy.validate(PolicyType.IAM));

// validate a KMS key policy document
assertValid(policy.validate(PolicyType.KMS));

// validate an S3 bucket policy document
assertValid(policy.validate(PolicyType.S3));

// validate a Secrets Manager secret policy document
assertValid(policy.validate(PolicyType.SecretsManager));
```
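Retrieving a statement by `Sid` and comparing it to an expected value is the unit test the README shows; in practice a reviewer also wants assertions over the whole generated document. The following is an added example and not part of the aws-iam-policy project: a dependency-free linter over the JSON that a policy document serialises to (it follows the IAM JSON grammar, not the library's object model, so it runs with nothing installed). It looks statements up by `Sid`, reports duplicate `Sid`s, flags `Allow` statements to a public principal that carry no `Condition`, and calls out service-wide wildcard actions such as `kms:*` granted to anything other than the account root. The two policies at the bottom are constructed sample input: the KMS key policy from the README with made-up role ARNs, and a bucket policy whose bucket name and organisation ID are likewise made up.

```typescript
// Added example, not part of the aws-iam-policy project: a dependency-free
// linter over an IAM policy JSON document. The types follow the IAM JSON
// grammar, not the library's object model, so this runs with nothing installed.

type StringOrList = string | string[];

interface Principal { AWS?: StringOrList; Service?: StringOrList; }

interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal?: Principal | '*';
  Action?: StringOrList;
  Resource?: StringOrList;
  Condition?: Record<string, Record<string, StringOrList>>;
}

interface PolicyDocument { Version: string; Statement: Statement[]; }

interface Finding { sid: string; rule: 'public-principal' | 'wildcard-action' | 'duplicate-sid'; }

// IAM accepts a bare string or a list in most positions; normalise to a list.
function asList(value: StringOrList | undefined): string[] {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Retrieve one statement by Sid, the way the library's getStatement() does.
function getStatement(doc: PolicyDocument, sid: string): Statement | undefined {
  return doc.Statement.filter((s) => s.Sid === sid)[0];
}

// Sids that occur more than once; IAM requires them to be unique per document.
function duplicateSids(doc: PolicyDocument): string[] {
  const counts: {[sid: string]: number} = {};
  for (const s of doc.Statement) {
    if (s.Sid !== undefined) counts[s.Sid] = (counts[s.Sid] || 0) + 1;
  }
  return Object.keys(counts).filter((sid) => counts[sid] > 1);
}

// "Principal": "*" and "Principal": {"AWS": "*"} both match every caller,
// including unauthenticated requests.
function isPublicPrincipal(p: Principal | '*' | undefined): boolean {
  if (p === '*') return true;
  if (p === undefined) return false;
  return asList(p.AWS).indexOf('*') !== -1;
}

// The account root in any partition, e.g. arn:aws:iam::123456789012:root,
// and a wildcard action: "*" or "<service>:*".
const ROOT_ARN = /^arn:aws(-[a-z]+)?:iam::\d{12}:root$/;
const WILDCARD_ACTION = /(^|:)\*$/;

function lintPolicy(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== 'Allow') continue; // Deny statements only narrow access
    const sid = s.Sid !== undefined ? s.Sid : '<no sid>';
    // Rule 1: a public principal with no Condition at all makes the resource public.
    if (isPublicPrincipal(s.Principal) && s.Condition === undefined) {
      findings.push({sid, rule: 'public-principal'});
    }
    // Rule 2: a service-wide wildcard granted to anything but the account root.
    // The root grant is the normal "Enable IAM User Permissions" delegation in a
    // KMS key policy; the same grant to a role or user is an admin grant that a
    // reviewer should see called out.
    if (asList(s.Action).some((a) => WILDCARD_ACTION.test(a))) {
      const awsPrincipals = s.Principal === '*' || s.Principal === undefined ? [] : asList(s.Principal.AWS);
      const nonRoot = awsPrincipals.filter((arn) => !ROOT_ARN.test(arn));
      if (s.Principal === '*' || nonRoot.length > 0) findings.push({sid, rule: 'wildcard-action'});
    }
  }
  for (const sid of duplicateSids(doc)) findings.push({sid, rule: 'duplicate-sid'});
  return findings;
}

// Constructed sample input: the README's KMS key policy with made-up role ARNs.
const kmsKeyPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {Sid: 'Enable IAM User Permissions', Effect: 'Allow',
      Principal: {AWS: ['arn:aws:iam::123456789012:root']}, Action: ['kms:*'], Resource: ['*']},
    {Sid: 'Allow access for Key Administrators', Effect: 'Allow',
      Principal: {AWS: ['arn:aws:iam::123456789012:role/admin1', 'arn:aws:iam::123456789012:role/admin2']},
      Action: ['kms:*'], Resource: ['*']},
    {Sid: 'Allow use of the key', Effect: 'Allow', Principal: {AWS: ['arn:aws:iam::123456789012:role/user1']},
      Action: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
      Resource: ['*']},
  ],
};

// Constructed sample input (bucket name and org ID are made up): one genuinely
// public statement, one "*" principal narrowed to an organisation by a Condition,
// and a Deny that uses "*" legitimately to enforce TLS.
const bucketPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {Sid: 'PublicRead', Effect: 'Allow', Principal: '*',
      Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*'},
    {Sid: 'OrgRead', Effect: 'Allow', Principal: {AWS: '*'},
      Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*',
      Condition: {StringEquals: {'aws:PrincipalOrgID': 'o-exampleorgid'}}},
    {Sid: 'DenyInsecureTransport', Effect: 'Deny', Principal: '*', Action: 's3:*',
      Resource: ['arn:aws:s3:::example-bucket', 'arn:aws:s3:::example-bucket/*'],
      Condition: {Bool: {'aws:SecureTransport': 'false'}}},
  ],
};
```

Run against the KMS sample, `lintPolicy()` reports only the `kms:*` grant to the key-administrator roles (the root grant is deliberately exempt), and against the bucket sample only the `PublicRead` statement: the organisation-scoped statement has a `Condition` and the TLS-enforcing statement is a `Deny`. The rules are a review signal, not a verdict; a key-administrator grant is usually intended, but it should be the kind of thing a test makes you confirm explicitly.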