
@cloud-copilot/iam-lens


Visibility in IAM in and across AWS accounts

"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.actionsThatDoNotAutomaticallyTrustTheCurrentAccount = actionsThatDoNotAutomaticallyTrustTheCurrentAccount; const iam_data_1 = require("@cloud-copilot/iam-data"); const kms = 'kms'; const kmsKey = 'key'; const stsAssumeRole = 'sts:AssumeRole'; let cachedActions = undefined; /** * Get a set of actions that do not automatically trust the current account, in all lower case. * * @returns the set of actions that do not automatically trust the current account in all lower case */ async function actionsThatDoNotAutomaticallyTrustTheCurrentAccount() { if (cachedActions) { return cachedActions; } const kmsActions = await (0, iam_data_1.iamActionsForService)(kms); const allActions = new Set([stsAssumeRole.toLowerCase()]); for (const action of kmsActions) { const details = await (0, iam_data_1.iamActionDetails)(kms, action); if (details.resourceTypes.length === 1 && details.resourceTypes.some((rt) => rt.name === kmsKey)) { allActions.add(`${kms}:${action.toLowerCase()}`); } } cachedActions = allActions; return allActions; } //# sourceMappingURL=untrustingActions.js.map