UNPKG

@cloud-copilot/iam-lens

Version:

Visibility in IAM in and across AWS accounts

github.com/cloud-copilot/iam-lens

cloud-copilot/iam-lens

131 lines 5.58 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.getAllPoliciesForUser = getAllPoliciesForUser; exports.getAllPoliciesForRole = getAllPoliciesForRole; exports.getAllPoliciesForPrincipal = getAllPoliciesForPrincipal; exports.isArnPrincipal = isArnPrincipal; exports.isServicePrincipal = isServicePrincipal; exports.isServiceLinkedRole = isServiceLinkedRole; exports.isOidcPrincipal = isOidcPrincipal; exports.isSamlPrincipal = isSamlPrincipal; exports.principalExists = principalExists; const iam_utils_1 = require("@cloud-copilot/iam-utils"); /** * Get all the IAM policies for a user, including managed and inline policies, permission boundaries, and group policies. * * @param collectClient the IAM collect client to use for retrieving policies * @param principalArn the ARN of the user to get policies for * @returns an object containing the managed policies, inline policies, permission boundary, and group policies */ async function getAllPoliciesForUser(collectClient, principalArn) { const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId; const managedPolicies = await collectClient.getManagedPoliciesForUser(principalArn); const inlinePolicies = await collectClient.getInlinePoliciesForUser(principalArn); const permissionBoundary = await collectClient.getPermissionsBoundaryForUser(principalArn); const groups = await collectClient.getGroupsForUser(principalArn); const scps = await collectClient.getScpHierarchyForAccount(accountId); const rcps = await collectClient.getRcpHierarchyForAccount(accountId); const groupPolicies = []; for (const group of groups) { const groupManagedPolicies = await collectClient.getManagedPoliciesForGroup(group); const groupInlinePolicies = await collectClient.getInlinePoliciesForGroup(group); groupPolicies.push({ group, managedPolicies: groupManagedPolicies, inlinePolicies: groupInlinePolicies }); } return { scps, rcps, managedPolicies, inlinePolicies, permissionBoundary, groupPolicies }; } /** * Get all the IAM policies for a role, including managed and inline policies and permission boundaries. * * @param collectClient the IAM collect client to use for retrieving policies * @param principalArn the ARN of the role to get policies for * @returns an object containing the managed policies, inline policies, and permission boundary */ async function getAllPoliciesForRole(collectClient, principalArn) { const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId; const managedPolicies = await collectClient.getManagedPoliciesForRole(principalArn); const inlinePolicies = await collectClient.getInlinePoliciesForRole(principalArn); const permissionBoundary = await collectClient.getPermissionsBoundaryForRole(principalArn); const scps = await collectClient.getScpHierarchyForAccount(accountId); const rcps = await collectClient.getRcpHierarchyForAccount(accountId); return { scps, rcps, managedPolicies, inlinePolicies, permissionBoundary }; } async function getAllPoliciesForPrincipal(collectClient, principalArn) { if (isServicePrincipal(principalArn) || isSamlPrincipal(principalArn) || isOidcPrincipal(principalArn)) { return { scps: [], rcps: [], managedPolicies: [], inlinePolicies: [], permissionBoundary: undefined, groupPolicies: [] }; } if ((0, iam_utils_1.isIamUserArn)(principalArn)) { return getAllPoliciesForUser(collectClient, principalArn); } else if ((0, iam_utils_1.isIamRoleArn)(principalArn)) { return getAllPoliciesForRole(collectClient, principalArn); } else if ((0, iam_utils_1.isAssumedRoleArn)(principalArn)) { const roleArn = (0, iam_utils_1.convertAssumedRoleArnToRoleArn)(principalArn); return getAllPoliciesForRole(collectClient, roleArn); } throw new Error(`Unsupported principal type: ${principalArn}`); } function isArnPrincipal(principal) { return principal.startsWith('arn:'); } function isServicePrincipal(principal) { return !isArnPrincipal(principal) && principal.endsWith('amazonaws.com'); } function isServiceLinkedRole(principal) { const arnParts = (0, iam_utils_1.splitArnParts)(principal); return isArnPrincipal(principal) && !!arnParts.resourcePath?.startsWith('aws-service-role/'); } function isOidcPrincipal(principal) { if (!isArnPrincipal(principal)) { return false; } const parts = (0, iam_utils_1.splitArnParts)(principal); return parts.service === 'iam' && parts.resourceType === 'oidc-provider'; } function isSamlPrincipal(principal) { if (!isArnPrincipal(principal)) { return false; } const parts = (0, iam_utils_1.splitArnParts)(principal); return parts.service === 'iam' && parts.resourceType === 'saml-provider'; } /** * Check to see if a principal exists or is an AWS service principal. * * @param principal the principal to check * @param collectClient the IAM collect client to use for checking existence * @returns true if the principal exists or is a service principal, false otherwise */ async function principalExists(principal, collectClient) { if (isServicePrincipal(principal)) { return true; } return collectClient.principalExists(principal); } //# sourceMappingURL=principals.js.map