UNPKG

@cloud-copilot/iam-lens

Version:

Visibility in IAM in and across AWS accounts

github.com/cloud-copilot/iam-lens

cloud-copilot/iam-lens

121 lines 5.1 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
import { convertAssumedRoleArnToRoleArn, isAssumedRoleArn, isIamRoleArn, isIamUserArn, splitArnParts } from '@cloud-copilot/iam-utils'; import { IamCollectClient } from './collect/client.js'; /** * Get all the IAM policies for a user, including managed and inline policies, permission boundaries, and group policies. * * @param collectClient the IAM collect client to use for retrieving policies * @param principalArn the ARN of the user to get policies for * @returns an object containing the managed policies, inline policies, permission boundary, and group policies */ export async function getAllPoliciesForUser(collectClient, principalArn) { const accountId = splitArnParts(principalArn).accountId; const managedPolicies = await collectClient.getManagedPoliciesForUser(principalArn); const inlinePolicies = await collectClient.getInlinePoliciesForUser(principalArn); const permissionBoundary = await collectClient.getPermissionsBoundaryForUser(principalArn); const groups = await collectClient.getGroupsForUser(principalArn); const scps = await collectClient.getScpHierarchyForAccount(accountId); const rcps = await collectClient.getRcpHierarchyForAccount(accountId); const groupPolicies = []; for (const group of groups) { const groupManagedPolicies = await collectClient.getManagedPoliciesForGroup(group); const groupInlinePolicies = await collectClient.getInlinePoliciesForGroup(group); groupPolicies.push({ group, managedPolicies: groupManagedPolicies, inlinePolicies: groupInlinePolicies }); } return { scps, rcps, managedPolicies, inlinePolicies, permissionBoundary, groupPolicies }; } /** * Get all the IAM policies for a role, including managed and inline policies and permission boundaries. * * @param collectClient the IAM collect client to use for retrieving policies * @param principalArn the ARN of the role to get policies for * @returns an object containing the managed policies, inline policies, and permission boundary */ export async function getAllPoliciesForRole(collectClient, principalArn) { const accountId = splitArnParts(principalArn).accountId; const managedPolicies = await collectClient.getManagedPoliciesForRole(principalArn); const inlinePolicies = await collectClient.getInlinePoliciesForRole(principalArn); const permissionBoundary = await collectClient.getPermissionsBoundaryForRole(principalArn); const scps = await collectClient.getScpHierarchyForAccount(accountId); const rcps = await collectClient.getRcpHierarchyForAccount(accountId); return { scps, rcps, managedPolicies, inlinePolicies, permissionBoundary }; } export async function getAllPoliciesForPrincipal(collectClient, principalArn) { if (isServicePrincipal(principalArn) || isSamlPrincipal(principalArn) || isOidcPrincipal(principalArn)) { return { scps: [], rcps: [], managedPolicies: [], inlinePolicies: [], permissionBoundary: undefined, groupPolicies: [] }; } if (isIamUserArn(principalArn)) { return getAllPoliciesForUser(collectClient, principalArn); } else if (isIamRoleArn(principalArn)) { return getAllPoliciesForRole(collectClient, principalArn); } else if (isAssumedRoleArn(principalArn)) { const roleArn = convertAssumedRoleArnToRoleArn(principalArn); return getAllPoliciesForRole(collectClient, roleArn); } throw new Error(`Unsupported principal type: ${principalArn}`); } export function isArnPrincipal(principal) { return principal.startsWith('arn:'); } export function isServicePrincipal(principal) { return !isArnPrincipal(principal) && principal.endsWith('amazonaws.com'); } export function isServiceLinkedRole(principal) { const arnParts = splitArnParts(principal); return isArnPrincipal(principal) && !!arnParts.resourcePath?.startsWith('aws-service-role/'); } export function isOidcPrincipal(principal) { if (!isArnPrincipal(principal)) { return false; } const parts = splitArnParts(principal); return parts.service === 'iam' && parts.resourceType === 'oidc-provider'; } export function isSamlPrincipal(principal) { if (!isArnPrincipal(principal)) { return false; } const parts = splitArnParts(principal); return parts.service === 'iam' && parts.resourceType === 'saml-provider'; } /** * Check to see if a principal exists or is an AWS service principal. * * @param principal the principal to check * @param collectClient the IAM collect client to use for checking existence * @returns true if the principal exists or is a service principal, false otherwise */ export async function principalExists(principal, collectClient) { if (isServicePrincipal(principal)) { return true; } return collectClient.principalExists(principal); } //# sourceMappingURL=principals.js.map