serkanh/iamlive-demo
iamlive Docker Compose Demo

This repository demonstrates how to use iamlive in Docker to capture AWS IAM policies from SDK and CLI calls. It provides a ready-to-use docker-compose.yml setup with two containers:

  • iamlive: Runs in proxy mode to intercept and log AWS API calls, generating a least-privilege IAM policy.
  • aws-sdk-test: A test container with AWS CLI and boto3 installed, configured to route all AWS calls through the iamlive proxy.

Features

  • Proxy Mode: Captures all AWS API calls via HTTP/HTTPS proxy.
  • Automatic Certificate Sharing: Uses a shared Docker volume so both containers trust the iamlive proxy's CA certificate.
  • Interactive Testing: Easily run AWS CLI or Python SDK commands interactively.

Getting Started

Prerequisites

Build and Start the Containers

docker-compose up --build

This will build and start both containers. The iamlive container will generate a CA certificate and start the proxy on port 10080. The aws-sdk-test container will run in an infinite loop, ready for you to exec into it.

Using the AWS SDK Test Container

Open an interactive shell in the test container:

docker-compose exec aws-sdk-test bash

Example: Using AWS CLI

# List S3 buckets (this will be captured by iamlive)
aws s3 ls

# Get caller identity
aws sts get-caller-identity

You should see the following output in the iamlive container's logs:

iamlive-1       | {
iamlive-1       |     "Version": "2012-10-17",
iamlive-1       |     "Statement": [
iamlive-1       |         {
iamlive-1       |             "Effect": "Allow",
iamlive-1       |             "Action": [
iamlive-1       |                 "sts:GetCallerIdentity"
iamlive-1       |             ],
iamlive-1       |             "Resource": "*"
iamlive-1       |         }
iamlive-1       |     ]
iamlive-1       | }

Example: Using Python SDK (boto3)

python
>>> import boto3
>>> s3 = boto3.client('s3')
>>> s3.list_buckets()

Viewing the Generated Policy

The generated policy is written to /tmp/policy.json inside the iamlive container. To view it:

docker-compose exec iamlive cat /tmp/policy.json | less
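Because iamlive emits a plain IAM policy document, it can be reviewed programmatically before anyone attaches it to a role. The script below is an added example, not part of this repository or of iamlive: it embeds a constructed sample in the shape shown above (pass a path such as a copy of /tmp/policy.json to review a real capture), groups the captured actions by service, and lists the actions still granted on Resource "*" so they can be scoped to ARNs; it also handles the string-or-list forms IAM permits for Action and Resource, which the sample output above does not show.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape iamlive writes to /tmp/policy.json;
# pass a file path on the command line to review a real capture instead.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:GetCallerIdentity"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def actions_by_service(policy):
    """Group allowed actions by service prefix, e.g. {'s3': ['ListBucket']}."""
    grouped = defaultdict(set)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            grouped[service].add(name)
    return {svc: sorted(names) for svc, names in sorted(grouped.items())}

def wildcard_resource_actions(policy):
    """Allowed actions granted on Resource '*', i.e. candidates for scoping to ARNs.
    Some actions (sts:GetCallerIdentity, s3:ListAllMyBuckets) only accept '*',
    so each hit is a review item, not an automatic failure."""
    flagged = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
            flagged.update(_as_list(stmt.get("Action")))
    return sorted(flagged)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    policy = json.loads(text)
    for service, names in actions_by_service(policy).items():
        print(f"{service}: {', '.join(names)}")
    for action in wildcard_resource_actions(policy):
        print(f"review: {action} is granted on Resource '*'")
```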

How It Works

  • All AWS CLI/SDK calls from the test container are routed through the iamlive proxy.
  • iamlive intercepts these calls and updates the policy file in real time.
  • The CA certificate is shared between containers through the Docker volume, so TLS certificate validation of the proxied connections works out of the box.

Switching Modes

  • Proxy Mode (default in this setup): Captures all HTTP(S) AWS calls. No CSM-specific SDK environment variables are needed, but the proxy and CA bundle must be configured in the client container.
  • CSM Mode: To use CSM mode, update the docker-compose.yml to set --mode csm and the appropriate environment variables.

Cleaning Up

To stop and remove the containers and shared volume:

docker-compose down -v

Troubleshooting

  • If you see SSL errors, ensure the CA certificate is present in /root/.iamlive/ca.pem in both containers.
  • Wait a few seconds after starting iamlive before making AWS calls, to allow certificate generation.

Credits


Feel free to modify the test container or add your own scripts to experiment with different AWS calls!
