
Explain the IAM policy magic #13

Open
garnaat opened this issue Jun 27, 2016 · 2 comments

Comments

@garnaat
Collaborator

garnaat commented Jun 27, 2016

There is some pretty cool stuff going on with IAM policies but it's not explained anywhere. It's kind of cool that it just happens automatically but you definitely need a section on how it works.

Also, for the S3 example I noticed the policy just wildcards the resource. Is there any way to figure out the actual bucket name being used and restrict the policy to just that resource?

Also, what are the limitations? What things aren't really detectable using this approach? For example, if my Lambda function has an SNS event source, I think it would be very difficult if not impossible to figure that out from the code.

@lstroud

lstroud commented Jul 12, 2017

I agree. It would be nice if the policy generator could read a list of policy arns from the config file and append those to what it generates. That would enable incremental improvement in the generator while allowing folks to fulfill their needs until it's ready.

@dg-nvm

dg-nvm commented May 31, 2019

Resources are just always wildcarded, so this feature is not usable in that state. Could ask the developer about this; getting parameters for function calls is not impossible.

```python
# Probably impossible, but it would be nice
# to even keep track of what resources are used
# so we can create ARNs and further restrict the policies.
'Resource': ['*'],
```
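The two questions raised in this thread (can the generator recover the real bucket name, and what can it not detect) can be illustrated with a small static scanner. The following is an added example, not the generator's own code: it walks the AST of a Lambda handler, maps a few boto3 S3 method names to IAM actions, emits bucket-scoped ARNs wherever `Bucket=` is a string literal, and falls back to `'*'` (and reports it) wherever the bucket name is only known at runtime, which is exactly the case a source-only approach cannot resolve. The handler source, the action table and the function names are constructed for this example.

```python
"""Added example (not the project's code): derive S3 resource ARNs from
literal bucket names in handler source instead of emitting 'Resource': ['*'].
"""
import ast
import json

# Subset of boto3 S3 client methods mapped to IAM actions (constructed table).
S3_ACTIONS = {
    "get_object": "s3:GetObject",
    "put_object": "s3:PutObject",
    "delete_object": "s3:DeleteObject",
    "list_objects_v2": "s3:ListBucket",
}
# Actions that are granted on the bucket ARN itself, not on objects in it.
BUCKET_LEVEL = {"s3:ListBucket"}

# Constructed handler source: two calls with literal bucket names, one whose
# bucket comes from the environment and therefore cannot be seen statically.
SAMPLE_HANDLER = '''
import os
import boto3
s3 = boto3.client("s3")

def handler(event, context):
    s3.put_object(Bucket="reports-bucket", Key="out.json", Body=b"{}")
    s3.list_objects_v2(Bucket="reports-bucket")
    s3.get_object(Bucket=os.environ["INPUT_BUCKET"], Key=event["key"])
'''


def scan_s3_calls(source):
    """Return (iam_action, bucket) pairs for each recognised S3 call.

    bucket is the literal string passed as Bucket=..., or None when the
    argument is not a string literal (variable, env lookup, f-string).
    """
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        action = S3_ACTIONS.get(node.func.attr)
        if action is None:
            continue
        bucket = None
        for kw in node.keywords:
            if (kw.arg == "Bucket" and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, str)):
                bucket = kw.value.value
        found.append((action, bucket))
    return found


def build_policy(source):
    """Build a policy document from the scan.

    Returns (policy_dict, undetermined_actions). Actions whose bucket could
    not be recovered statically keep the wildcard resource and are listed
    separately so a reviewer knows where the generator gave up.
    """
    by_resource = {}
    undetermined = []
    for action, bucket in scan_s3_calls(source):
        if bucket is None:
            undetermined.append(action)
            resources = ("*",)
        elif action in BUCKET_LEVEL:
            resources = (f"arn:aws:s3:::{bucket}",)
        else:
            resources = (f"arn:aws:s3:::{bucket}/*",)
        by_resource.setdefault(resources, set()).add(action)

    # Sort for deterministic output, independent of ast.walk order.
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": list(res)}
        for res, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}, undetermined


if __name__ == "__main__":
    policy, unresolved = build_policy(SAMPLE_HANDLER)
    print(json.dumps(policy, indent=2))
    if unresolved:
        print("left as '*' (bucket not a literal):", ", ".join(unresolved))
```

Two of the three calls end up scoped to `arn:aws:s3:::reports-bucket` (bucket-level `ListBucket`) and `arn:aws:s3:::reports-bucket/*` (object-level `PutObject`); the `get_object` call whose bucket is read from `os.environ` stays at `'*'` and is reported. The same blind spot applies to anything configured outside the code, such as the SNS event source mentioned above: nothing in the handler's call graph reveals it, so a generator of this kind should let the operator append hand-written statements or policy ARNs rather than pretend the scan is complete.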
