Simple script to lookup IAM resource conditions

iamlookup

#!/bin/bash

set -e
REPO_DIR=~/.iam_lookup/complete-aws-iam-reference
REPO_URL=https://github.com/widdix/complete-aws-iam-reference

if [[ $1 == "update" ]];then
  if [[ -e $REPO_DIR ]];then
    (cd "$REPO_DIR" && git pull)
  else
    git clone "$REPO_URL" "$REPO_DIR"
  fi
  exit
fi

service=$(cut -d ':' -f1 <<<"$1")
action=$(cut -d ':' -f2 <<<"$1")
resource_filter=$2

jq_filter=".[] | select(.service == \"$service\") | select(.action == \"$action\")"
[[ $resource_filter ]] && jq_filter="[$jq_filter | select(.resources[] | contains(\"$resource_filter\"))] | unique"
pushd "$REPO_DIR/tools" > /dev/null
  node ./md2json.js | jq --color-output "$jq_filter" | less
popd > /dev/null

iamlookup

Simple script that uses complete-aws-iam-reference repo to lookup iam resources on the command line.

Basically, it's a CLI version of https://iam.cloudonaut.io/

Requirements

• nodejs
• jq
• git

To download/update the reference use

iamlookup update

To lookup a action:

iamlookup ec2:CreateTags

To lookup an action filtering by resource:

iamlookup ec2:CreateTags :instance/

Example output:

{
  "service": "ec2",
  "action": "CreateTags",
  "doc": "http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html",
  "description": "Adds or overwrites one or more tags for the specified Amazon EC2 resource or resources.",
  "resources": [
    "arn:aws:ec2:$region:$account:instance/*",
    "arn:aws:ec2:$region:$account:instance/$instance-id"
  ],
  "conditions": [
    "ec2:AvailabilityZone",
    "ec2:CreateAction",
    "ec2:EbsOptimized",
    "ec2:InstanceProfile",
    "ec2:InstanceType",
    "ec2:PlacementGroup",
    "ec2:Region",
    "ec2:ResourceTag/$tag-key",
    "ec2:RootDeviceType",
    "ec2:Tenancy",
    "aws:RequestTag/$tag-key",
    "aws:TagKeys"
  ]
}