// NOTE(review): this bare ';' looks like what is left of a `"use strict";`
// directive after the page rendering dropped the string — confirm against the
// actual compiled output before relying on strict-mode semantics here.
;
// CommonJS interop marker; together with the `(0, mod.fn)(...)` call pattern
// below this reads like TypeScript-compiled CommonJS (principals.js.map is
// referenced at the bottom of the file).
Object.defineProperty(exports, "__esModule", { value: true });
// Public API of this module. The `function` declarations further down are
// hoisted, so assigning them to `exports` before their definitions is valid.
exports.getAllPoliciesForUser = getAllPoliciesForUser;
exports.getAllPoliciesForRole = getAllPoliciesForRole;
exports.getAllPoliciesForPrincipal = getAllPoliciesForPrincipal;
exports.isArnPrincipal = isArnPrincipal;
exports.isServicePrincipal = isServicePrincipal;
exports.isServiceLinkedRole = isServiceLinkedRole;
const iam_utils_1 = require("@cloud-copilot/iam-utils");
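/**
 * Get all the IAM policies that apply to an IAM user: the user's own managed and
 * inline policies, its permissions boundary, the managed and inline policies of
 * every group the user belongs to, and the SCP and RCP hierarchies of the
 * account the user lives in.
 *
 * The account id is taken from the ARN. If it cannot be parsed the call fails
 * loudly rather than looking up SCPs/RCPs for an undefined account: organization
 * policies that silently go missing would make the user look *more* permissive
 * than it really is, which is the wrong failure mode for a visibility tool.
 *
 * Independent lookups are issued concurrently; the result is the same as
 * awaiting them one by one.
 *
 * @param collectClient the IAM collect client to use for retrieving policies
 * @param principalArn the ARN of the user to get policies for
 * @returns an object containing the SCPs, RCPs, managed policies, inline policies,
 *          permission boundary, and group policies (one entry per group, in the
 *          order the collect client returned the groups)
 * @throws Error if no account id can be read from the ARN
 */
async function getAllPoliciesForUser(collectClient, principalArn) {
    const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
    if (!accountId) {
        throw new Error(`Cannot determine the account id from user ARN: ${principalArn}`);
    }
    // None of these depend on each other, so fetch them together.
    const [managedPolicies, inlinePolicies, permissionBoundary, groups, scps, rcps] = await Promise.all([
        collectClient.getManagedPoliciesForUser(principalArn),
        collectClient.getInlinePoliciesForUser(principalArn),
        collectClient.getPermissionsBoundaryForUser(principalArn),
        collectClient.getGroupsForUser(principalArn),
        collectClient.getScpHierarchyForAccount(accountId),
        collectClient.getRcpHierarchyForAccount(accountId)
    ]);
    // Group policies are resolved per group; map() preserves the group order.
    const groupPolicies = await Promise.all(groups.map(async (group) => {
        const [groupManagedPolicies, groupInlinePolicies] = await Promise.all([
            collectClient.getManagedPoliciesForGroup(group),
            collectClient.getInlinePoliciesForGroup(group)
        ]);
        return {
            group,
            managedPolicies: groupManagedPolicies,
            inlinePolicies: groupInlinePolicies
        };
    }));
    return {
        scps,
        rcps,
        managedPolicies,
        inlinePolicies,
        permissionBoundary,
        groupPolicies
    };
}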
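/**
 * Get all the IAM policies that apply to an IAM role: its managed and inline
 * policies, its permissions boundary, and the SCP and RCP hierarchies of the
 * account the role lives in.
 *
 * Note that the role's trust (assume-role) policy is not part of this set; only
 * the identity-side policies and the account's organization policies are
 * collected here.
 *
 * The account id is taken from the ARN. If it cannot be parsed the call fails
 * loudly rather than looking up SCPs/RCPs for an undefined account, since
 * silently missing organization policies would over-state the role's
 * effective permissions.
 *
 * Independent lookups are issued concurrently; the result is the same as
 * awaiting them one by one.
 *
 * @param collectClient the IAM collect client to use for retrieving policies
 * @param principalArn the ARN of the role to get policies for
 * @returns an object containing the SCPs, RCPs, managed policies, inline policies,
 *          and permission boundary
 * @throws Error if no account id can be read from the ARN
 */
async function getAllPoliciesForRole(collectClient, principalArn) {
    const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
    if (!accountId) {
        throw new Error(`Cannot determine the account id from role ARN: ${principalArn}`);
    }
    // None of these depend on each other, so fetch them together.
    const [managedPolicies, inlinePolicies, permissionBoundary, scps, rcps] = await Promise.all([
        collectClient.getManagedPoliciesForRole(principalArn),
        collectClient.getInlinePoliciesForRole(principalArn),
        collectClient.getPermissionsBoundaryForRole(principalArn),
        collectClient.getScpHierarchyForAccount(accountId),
        collectClient.getRcpHierarchyForAccount(accountId)
    ]);
    return {
        scps,
        rcps,
        managedPolicies,
        inlinePolicies,
        permissionBoundary
    };
}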
/**
 * Resolve the full policy set for an arbitrary principal string.
 *
 * - Service principals (e.g. "ec2.amazonaws.com") are returned as an all-empty
 *   set: no identity-side policies, SCPs or RCPs are looked up for them.
 *   Callers should treat this as "nothing modelled", not as "unrestricted".
 * - IAM user ARNs are resolved with getAllPoliciesForUser.
 * - IAM role ARNs are resolved with getAllPoliciesForRole; assumed-role session
 *   ARNs are first mapped back to the underlying role ARN.
 *
 * @param collectClient the IAM collect client to use for retrieving policies
 * @param principalArn the principal to resolve: a service principal, a user ARN,
 *        a role ARN, or an assumed-role ARN
 * @returns the policy set produced by getAllPoliciesForUser or
 *          getAllPoliciesForRole, or an all-empty set for service principals
 * @throws Error when the principal matches none of the forms above
 */
async function getAllPoliciesForPrincipal(collectClient, principalArn) {
    if (isServicePrincipal(principalArn)) {
        const emptyPolicySet = {
            scps: [],
            rcps: [],
            managedPolicies: [],
            inlinePolicies: [],
            permissionBoundary: undefined,
            groupPolicies: []
        };
        return emptyPolicySet;
    }
    if ((0, iam_utils_1.isIamUserArn)(principalArn)) {
        return getAllPoliciesForUser(collectClient, principalArn);
    }
    if ((0, iam_utils_1.isIamRoleArn)(principalArn)) {
        return getAllPoliciesForRole(collectClient, principalArn);
    }
    if ((0, iam_utils_1.isAssumedRoleArn)(principalArn)) {
        // A session ARN carries no policies of its own; use the role it was assumed from.
        const underlyingRoleArn = (0, iam_utils_1.convertAssumedRoleArnToRoleArn)(principalArn);
        return getAllPoliciesForRole(collectClient, underlyingRoleArn);
    }
    throw new Error(`Unsupported principal type: ${principalArn}`);
}
/**
 * Whether a principal string is an ARN (as opposed to, e.g., a service
 * principal such as "ec2.amazonaws.com").
 *
 * @param principal the principal string to classify
 * @returns true when the string begins with "arn:"
 */
function isArnPrincipal(principal) {
    const ARN_PREFIX = 'arn:';
    return principal.slice(0, ARN_PREFIX.length) === ARN_PREFIX;
}
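/**
 * Whether a principal string is an AWS service principal such as
 * "ec2.amazonaws.com" or "states.us-east-1.amazonaws.com".
 *
 * The check requires a dot before "amazonaws.com" so that strings like
 * "notamazonaws.com" or a bare "amazonaws.com" are not classified as services.
 * This matters because getAllPoliciesForPrincipal short-circuits to an empty
 * policy set for anything this function accepts.
 *
 * @param principal the principal string to classify
 * @returns true for a non-ARN string ending in ".amazonaws.com"
 */
function isServicePrincipal(principal) {
    return !isArnPrincipal(principal) && principal.endsWith('.amazonaws.com');
}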
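/**
 * Whether a principal ARN refers to a service-linked role, i.e. one whose
 * resource path starts with "aws-service-role/".
 *
 * Non-ARN strings (service principals) are rejected before any parsing, so the
 * ARN splitter is only ever handed something that at least looks like an ARN.
 *
 * NOTE(review): only the resource path is inspected; the ARN is not also
 * checked to be a role ARN. If splitArnParts yields a resourcePath for user
 * ARNs as well, a non-role ARN under an "aws-service-role/" path would be
 * misclassified — confirm against splitArnParts before relying on this for
 * trust decisions.
 *
 * @param principal the principal string to classify
 * @returns true when the string is an ARN whose resource path begins with
 *          "aws-service-role/"
 */
function isServiceLinkedRole(principal) {
    if (!isArnPrincipal(principal)) {
        return false;
    }
    const arnParts = (0, iam_utils_1.splitArnParts)(principal);
    return !!arnParts.resourcePath?.startsWith('aws-service-role/');
}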
//# sourceMappingURL=principals.js.map