IAM role perms ip
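/**
 * Builds the DynamoDB resource ARNs a role needs for each named table:
 * the table itself, its streams and its secondary indexes.
 *
 * Names are interpolated into the ARN pattern exactly as given, so a
 * name carrying IAM wildcard characters (`*`, `?`) would widen the grant
 * beyond one table; callers should pass concrete table names only
 * (a valid DynamoDB table name cannot contain those characters anyway).
 *
 * @param {string[]} tableNames - DynamoDB table names.
 * @param {string} accountNumber - AWS account id placed in every ARN.
 * @returns {string[]} Three ARNs per table, in input order; `[]` for no tables.
 */
function getTableResources (tableNames, accountNumber) {
  const tableResources = []
  for (const name of tableNames) {
    // Table, its stream(s), its index(es). Pushing in place instead of
    // re-concatenating avoids copying the whole array on every iteration.
    tableResources.push(
      `arn:aws:dynamodb:*:${accountNumber}:table/${name}`,
      `arn:aws:dynamodb:*:${accountNumber}:table/${name}/stream/*`,
      `arn:aws:dynamodb:*:${accountNumber}:table/${name}/index/*`
    )
  }
  return tableResources
}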
/**
 * Maps each Lambda function name to the ARN of its CloudWatch Logs
 * log group (`/aws/lambda/<name>`), suffixed with `:*` so the log
 * streams under that group are covered as well.
 *
 * @param {string[]} fnNames - Lambda function names.
 * @param {string} accountNumber - AWS account id placed in every ARN.
 * @returns {string[]} One log-group ARN per function, in input order.
 */
function getLogResources (fnNames, accountNumber) {
  return fnNames.map(
    fnName => `arn:aws:logs:*:${accountNumber}:log-group:/aws/lambda/${fnName}:*`
  )
}
/**
 * Maps each SQS queue name to its queue ARN in the given account.
 *
 * @param {string[]} qNames - SQS queue names.
 * @param {string} accountNumber - AWS account id placed in every ARN.
 * @returns {string[]} One queue ARN per name, in input order.
 */
function getQResources (qNames, accountNumber) {
  return qNames.map(queueName => `arn:aws:sqs:*:${accountNumber}:${queueName}`)
}
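/**
 * Assembles the IAM policy statements for a worker role.
 *
 * Three statements are produced:
 *  - `coreActions`: logs/SQS/Lambda/DynamoDB actions scoped to the table,
 *    log-group and queue ARNs derived from the inputs;
 *  - `putLogs`: `logs:PutLogEvents` on the functions' log groups only;
 *  - `globals`: list/describe-style actions plus STS calls on `*`.
 *
 * Scope notes for reviewers (behaviour is unchanged by this rewrite):
 *  - `globals` grants `sqs:DeleteMessage` and `sqs:ReceiveMessage` on `*`,
 *    which subsumes the queue-scoped grant of the same two actions in
 *    `coreActions`; the queue list only limits `sqs:GetQueueAttributes`.
 *  - `sts:AssumeRole` on `*` lets this role assume any role whose trust
 *    policy admits it; pinning it to explicit role ARNs is the usual
 *    least-privilege fix.
 *  - `coreActions` lists `lambda:InvokeAsync`/`lambda:InvokeFunction` but
 *    no `arn:aws:lambda:` ARN is present in its Resource list, so those
 *    actions look ineffective as written — confirm whether function ARNs
 *    were meant to be added.
 *
 * @param {object} params
 * @param {string} params.accountNumber - AWS account id used in all ARNs.
 * @param {string[]} params.fnNames - Lambda function names.
 * @param {string[]} params.qNames - SQS queue names.
 * @param {string[]} params.tableNames - DynamoDB table names.
 * @returns {object[]} IAM statement objects, in the order listed above.
 */
function getStatements ({ accountNumber, fnNames, qNames, tableNames }) {
  // Built once; both coreActions and putLogs need the same log-group ARNs.
  const logResources = getLogResources(fnNames, accountNumber)
  return [
    {
      Sid: 'coreActions',
      Effect: 'Allow',
      Action: [
        // logs
        'logs:CreateLogStream',
        // sqs
        'sqs:DeleteMessage',
        'sqs:ReceiveMessage',
        'sqs:GetQueueAttributes',
        // lambda
        'lambda:InvokeAsync',
        'lambda:InvokeFunction',
        // dynamo
        'dynamodb:UpdateGlobalTable',
        'dynamodb:DeleteItem',
        'dynamodb:DescribeTable',
        'dynamodb:GetItem',
        'dynamodb:CreateGlobalTable',
        'dynamodb:BatchGetItem',
        'dynamodb:BatchWriteItem',
        'dynamodb:UpdateTimeToLive',
        'dynamodb:PutItem',
        'dynamodb:Scan',
        'dynamodb:Query',
        'dynamodb:DescribeStream',
        'dynamodb:UpdateItem',
        'dynamodb:CreateTable',
        'dynamodb:UpdateTable',
        'dynamodb:GetRecords'
      ],
      Resource: [
        ...getTableResources(tableNames, accountNumber),
        ...logResources,
        ...getQResources(qNames, accountNumber)
      ]
    },
    {
      Sid: 'putLogs',
      Effect: 'Allow',
      Action: 'logs:PutLogEvents',
      Resource: logResources
    },
    {
      Sid: 'globals',
      Effect: 'Allow',
      Action: [
        // STS
        'sts:GetFederationToken',
        'sts:GetCallerIdentity',
        'sts:AssumeRole',
        // SQS
        'sqs:SendMessageBatch',
        'sqs:DeleteMessage',
        'sqs:ReceiveMessage',
        'sqs:SendMessage',
        // Dynamo
        'dynamodb:ListTables',
        'dynamodb:ListTagsOfResource',
        'dynamodb:DescribeTimeToLive',
        'dynamodb:ListStreams',
        'dynamodb:ListGlobalTables',
        'dynamodb:DescribeLimits'
      ],
      // Wildcard resource: these actions apply account-wide.
      Resource: '*'
    }
  ]
}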
/**
 * Renders a complete IAM policy document (version 2012-10-17) as a JSON
 * string for the given account, functions, queues and tables.
 *
 * @param {object} params - Same fields as getStatements.
 * @returns {string} The policy document, JSON-encoded.
 */
module.exports = (params) => {
  const { accountNumber, fnNames, qNames, tableNames } = params
  const policy = {
    Version: '2012-10-17',
    Statement: getStatements({ accountNumber, fnNames, qNames, tableNames })
  }
  return JSON.stringify(policy)
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"dynamodb:DeleteItem",
"sqs:ReceiveMessage",
"dynamodb:UpdateGlobalTable",
"lambda:InvokeAsync",
"logs:CreateLogStream",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:CreateGlobalTable",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:UpdateTimeToLive",
"dynamodb:PutItem",
"lambda:InvokeFunction",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:DescribeStream",
"dynamodb:UpdateItem",
"sqs:GetQueueAttributes",
"dynamodb:CreateTable",
"dynamodb:UpdateGlobalTableSettings",
"dynamodb:DescribeGlobalTableSettings",
"dynamodb:GetShardIterator",
"dynamodb:DescribeGlobalTable",
"dynamodb:UpdateTable",
"dynamodb:GetRecords"
],
"Resource": [
"arn:aws:dynamodb:*:*:table/*/index/*",
"arn:aws:dynamodb:*:*:table/*/stream/*",
"arn:aws:dynamodb:*:416614707792:table/sources",
"arn:aws:dynamodb:*:416614707792:table/credentials",
"arn:aws:dynamodb:*:416614707792:table/repos",
"arn:aws:dynamodb:*:416614707792:table/baselines",
"arn:aws:dynamodb::*:global-table/*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-postConfirmation:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-import_status:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-verify_id:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-tagger:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-copy:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-copy_status:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-attrs:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-delete:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-import:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-source:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-sources:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-buckets:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-objects:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-region:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-regions:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_set:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_list:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_delete:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_verify:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-launch:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-launch-complete:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-bake:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-check-bake-status:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-get-user-repo:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-init-repo-worker:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-upload-user-repo:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-set-repo-status:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-get-repo-status:*",
"arn:aws:logs:*:*:log-group:*",
"arn:aws:lambda:us-east-1:416614707792:function:aws-dev-check-bake-status",
"arn:aws:lambda:us-east-1:416614707792:function:aws-dev-import",
"arn:aws:sqs:us-east-1:416614707792:CheckImportStatus"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:*",
"arn:aws:sqs:us-east-1:416614707792:Bake"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:*:*:*",
"arn:aws:sqs:us-east-1:416614707792:CheckBakeStatus"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "logs:PutLogEvents",
"Resource": [
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-postConfirmation:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-import_status:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-verify_id:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-tagger:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-copy:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-copy_status:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-attrs:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-delete:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-import:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-source:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-sources:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-buckets:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-objects:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-region:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-regions:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_set:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_list:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_delete:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-credentials_verify:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-launch:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-launch-complete:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-bake:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-check-bake-status:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-get-user-repo:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-init-repo-worker:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-upload-user-repo:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-set-repo-status:*:*",
"arn:aws:logs:us-east-1:416614707792:log-group:/aws/lambda/aws-dev-get-repo-status:*:*"
]
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sts:GetFederationToken",
"dynamodb:ListTables",
"sqs:SendMessageBatch",
"sqs:ReceiveMessage",
"dynamodb:PurchaseReservedCapacityOfferings",
"sqs:SendMessage",
"dynamodb:ListTagsOfResource",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListStreams",
"sts:AssumeRole",
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:ListGlobalTables",
"sqs:DeleteMessageBatch",
"dynamodb:DescribeReservedCapacity",
"sts:GetCallerIdentity",
"dynamodb:DescribeLimits"
],
"Resource": "*"
}
]
}