package iam
import (
	"encoding/json"
	"errors"
	"fmt"

	"github.com/YaleSpinup/s3-api/common"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/aws/aws-sdk-go/service/iam/iamiface"
	log "github.com/sirupsen/logrus"
)
// PolicyStatement is an individual IAM Policy statement.
//
// The struct carries no json name tags, so encoding/json emits the Go field
// names verbatim (Effect, Principal, Action, Resource), which is the casing
// an IAM policy document expects. Principal is dropped when empty; Action and
// Resource are always emitted, and a nil slice serializes as JSON null.
type PolicyStatement struct {
	// Effect is the statement effect; this file only ever sets "Allow".
	Effect string
	// Principal is only set for resource policies (the website policy uses "*",
	// i.e. anonymous access); it is left out of the document otherwise.
	Principal string `json:",omitempty"`
	// Action is the list of IAM action names (e.g. "s3:GetObject").
	Action []string
	// Resource is the list of ARNs the statement applies to.
	Resource []string
}
// PolicyDoc collects the policy statements into a complete IAM policy document.
// It marshals to {"Version": ..., "Statement": [...]}; the generators in this
// file always set Version to "2012-10-17".
type PolicyDoc struct {
	// Version is the IAM policy language version string.
	Version string
	// Statement holds the individual statements in document order.
	Statement []PolicyStatement
}
// IAM is a wrapper around the aws IAM service with some default config info.
// It is built by NewSession from a common.Account; the default action lists are
// copied straight from the account and used verbatim by DefaultBucketAdminPolicy.
type IAM struct {
	// Service is the IAM client; an interface so tests can substitute a fake.
	Service iamiface.IAMAPI
	// DefaultS3BucketActions are the actions granted on the bucket ARN itself
	// (arn:aws:s3:::bucket) by the default bucket admin policy.
	DefaultS3BucketActions []string
	// DefaultS3ObjectActions are the actions granted on the objects
	// (arn:aws:s3:::bucket/*) by the default bucket admin policy.
	DefaultS3ObjectActions []string
}
// NewSession creates a new IAM session from the account's static credentials
// and region, and returns an IAM wrapper that also carries the account's
// default S3 bucket and object action lists.
//
// Only the access key id and region are logged; the secret never is.
// session.Must panics if the AWS session cannot be constructed.
func NewSession(account common.Account) IAM {
	log.Infof("creating new aws session for IAM with key id %s in region %s", account.Akid, account.Region)

	cfg := &aws.Config{
		Credentials: credentials.NewStaticCredentials(account.Akid, account.Secret, ""),
		Region:      aws.String(account.Region),
	}
	sess := session.Must(session.NewSession(cfg))

	return IAM{
		Service:                iam.New(sess),
		DefaultS3BucketActions: account.DefaultS3BucketActions,
		DefaultS3ObjectActions: account.DefaultS3ObjectActions,
	}
}
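// DefaultBucketAdminPolicy generates the default admin policy document for an
// S3 bucket: one Allow statement granting DefaultS3BucketActions on the bucket
// ARN (arn:aws:s3:::bucket) and one granting DefaultS3ObjectActions on every
// object under it (arn:aws:s3:::bucket/*).
//
// It returns the JSON-encoded policy document. An error is returned when the
// bucket name is nil or empty, when either default action list is empty, or
// when marshalling fails; the byte slice is nil in every error case.
func (i *IAM) DefaultBucketAdminPolicy(bucket *string) ([]byte, error) {
	b := aws.StringValue(bucket)
	log.Debugf("generating default bucket admin policy for %s", b)

	// An empty name would yield the malformed resources "arn:aws:s3:::" and
	// "arn:aws:s3:::/*"; fail here instead of emitting a document that is
	// only rejected (or, worse, misread) later.
	if b == "" {
		return nil, errors.New("bucket name is required to generate a bucket admin policy")
	}

	// A nil or empty Action list marshals as null / [] — a statement that grants
	// nothing and is not a usable admin policy — so treat missing configuration
	// as an error rather than silently producing it.
	if len(i.DefaultS3BucketActions) == 0 || len(i.DefaultS3ObjectActions) == 0 {
		return nil, fmt.Errorf("default s3 bucket and object actions must be configured to generate a bucket admin policy for %s", b)
	}

	policyDoc, err := json.Marshal(PolicyDoc{
		Version: "2012-10-17",
		Statement: []PolicyStatement{
			{
				Effect:   "Allow",
				Action:   i.DefaultS3BucketActions,
				Resource: []string{"arn:aws:s3:::" + b},
			},
			{
				Effect:   "Allow",
				Action:   i.DefaultS3ObjectActions,
				Resource: []string{"arn:aws:s3:::" + b + "/*"},
			},
		},
	})
	if err != nil {
		log.Errorf("failed to generate default bucket admin policy for %s: %s", b, err)
		return nil, err
	}

	log.Debugf("creating policy with document %s", string(policyDoc))
	return policyDoc, nil
}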
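// DefaultWebsiteAccessPolicy generates the default website access policy
// document for an S3 static website bucket. The resulting document is:
//
//	{
//	  "Version":"2012-10-17",
//	  "Statement":[{
//	    "Effect":"Allow",
//	    "Principal":"*",
//	    "Action":["s3:GetObject"],
//	    "Resource":["arn:aws:s3:::example-bucket/*"]
//	  }]
//	}
//
// No Sid is set. Because Principal is "*", the policy makes every object in
// the bucket readable anonymously, so it should only be applied to buckets
// that are meant to serve public website content.
//
// It returns the JSON-encoded document, or an error (with a nil slice) when
// the bucket name is nil or empty or when marshalling fails.
func (i *IAM) DefaultWebsiteAccessPolicy(bucket *string) ([]byte, error) {
	b := aws.StringValue(bucket)
	log.Debugf("generating default bucket website policy for %s", b)

	// An empty name would produce the malformed resource "arn:aws:s3:::/*";
	// refuse it up front rather than hand IAM a broken public-read policy.
	if b == "" {
		return nil, errors.New("bucket name is required to generate a bucket website policy")
	}

	policyDoc, err := json.Marshal(PolicyDoc{
		Version: "2012-10-17",
		Statement: []PolicyStatement{
			{
				Effect:    "Allow",
				Principal: "*",
				Action:    []string{"s3:GetObject"},
				Resource:  []string{"arn:aws:s3:::" + b + "/*"},
			},
		},
	})
	if err != nil {
		log.Errorf("failed to generate default bucket website policy for %s: %s", b, err)
		return nil, err
	}

	log.Debugf("creating policy with document %s", string(policyDoc))
	return policyDoc, nil
}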