I wrote a small tool called Pike. It looks at your TF code and determines and creates the IAM policy/TF resource required to build it, to help you stick to least privilege in your build process. It currently supports a small but growing subset of AWS resources; it will support other providers. Use it or ?, but would welcome feedback https://github.com/JamesWoolfenden/pike . It's open source and always will be.
Thanks! Permissions are determined per resource or data source. There's no easy way that I had found, especially if you want this done statically; https://github.com/iann0036/iamlive does it by inspecting your API calls, but there's always a lookup somewhere. Hopefully I'll manage to get a few community contributions and get the ball rolling; I've made it as easy as I could to add support for other resources without you even really having to know Golang.
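The two posts above describe the static approach: walk the Terraform code, note each resource and data source type, and look each one up in a table of the IAM actions the deployer needs. The Go program below is an added illustration of that idea and is not Pike's code. Everything in it is an assumption for the example: the permission table is a hypothetical, hand-written mapping (the action names are real IAM actions, but the per-type lists are illustrative and not Pike's), the block-header regex stands in for a real HCL parser, and SampleHCL is constructed input. The one design point worth taking from it is that types the table does not know are reported as unsupported rather than silently dropped, so nobody mistakes a partial policy for a complete one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// permissionsByResource is a hypothetical lookup table from a Terraform
// resource type (data sources keyed "data.<type>") to the IAM actions a
// deployer needs to create, read, update and destroy it. Illustrative only,
// not Pike's mapping; a real table must be verified per type against the
// provider's API calls.
var permissionsByResource = map[string][]string{
	"aws_s3_bucket": {
		"s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketLocation",
		"s3:ListBucket", "s3:GetBucketTagging", "s3:PutBucketTagging",
	},
	"aws_iam_role": {
		"iam:CreateRole", "iam:DeleteRole", "iam:GetRole",
		"iam:UpdateAssumeRolePolicy", "iam:ListRolePolicies",
		"iam:ListAttachedRolePolicies", "iam:TagRole",
	},
	"data.aws_caller_identity": {"sts:GetCallerIdentity"},
}

// blockRe matches a top-level resource or data block header. A regex is a
// deliberate simplification to avoid an HCL parser dependency here.
var blockRe = regexp.MustCompile(`(?m)^\s*(resource|data)\s+"([A-Za-z0-9_]+)"\s+"[^"]+"\s*\{`)

// FindResourceTypes returns the distinct resource/data-source types in the
// HCL text, in order of first appearance.
func FindResourceTypes(hcl string) []string {
	seen := map[string]bool{}
	var types []string
	for _, m := range blockRe.FindAllStringSubmatch(hcl, -1) {
		key := m[2]
		if m[1] == "data" {
			key = "data." + key
		}
		if !seen[key] {
			seen[key] = true
			types = append(types, key)
		}
	}
	return types
}

// Statement and Policy model the subset of the IAM policy grammar emitted.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// BuildPolicy emits one Allow statement per supported type and returns the
// types it has no mapping for. Unsupported types are surfaced, not dropped:
// a policy missing their actions fails at apply time, and the operator must
// not treat the output as complete.
func BuildPolicy(types []string) (Policy, []string) {
	pol := Policy{Version: "2012-10-17"}
	var unsupported []string
	for _, t := range types {
		actions, ok := permissionsByResource[t]
		if !ok {
			unsupported = append(unsupported, t)
			continue
		}
		acts := append([]string(nil), actions...)
		sort.Strings(acts) // deterministic output keeps policy diffs reviewable
		pol.Statement = append(pol.Statement, Statement{
			Effect: "Allow",
			Action: acts,
			// "*" keeps the example short; scope to ARNs where names are predictable.
			Resource: "*",
		})
	}
	return pol, unsupported
}

// SampleHCL is constructed input for this example, not a real project.
const SampleHCL = `
resource "aws_s3_bucket" "logs" { bucket = "example-logs" }
resource "aws_iam_role" "deploy" { assume_role_policy = "{}" }
data "aws_caller_identity" "current" {}
resource "aws_s3_bucket" "artifacts" { bucket = "example-artifacts" }
resource "aws_lambda_function" "handler" { function_name = "handler" }
`

func main() {
	types := FindResourceTypes(SampleHCL)
	pol, unsupported := BuildPolicy(types)
	out, _ := json.MarshalIndent(pol, "", "  ")
	fmt.Println(string(out))
	if len(unsupported) > 0 {
		fmt.Println("UNSUPPORTED (policy is incomplete):", unsupported)
	}
}
```

Run with `go run .`: the two `aws_s3_bucket` blocks collapse into one statement, the data source gets its own `sts:GetCallerIdentity` statement, and `aws_lambda_function` is listed as unsupported because the toy table has no entry for it. That last line is the check to keep in a CI pipeline: fail the build if the unsupported list is non-empty, otherwise the generated policy quietly under-grants and the first `terraform apply` with it errors out.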
Related posts
- Show HN: Slauth.io (YC S22) – IAM Policy Auto-Generation
- Can I generate permissions needed to run a TF script on AWS, GCP or Azure?
- Can I auto-generate AWS IAM policy document based on directory of existing Terraform code so that CI has limited access to what it can deploy?
- Open Source Terraform projects - azure focused (open to other providers as well)
- A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons