iamomerm/python-iam-policy-builder

IAM Policy Builder

Build valid IAM policies for Google Cloud (GCP) and Amazon Web Services (AWS)

Features

Fluent chaining for clean code
Output standard JSON-compatible dictionaries
Avoid error-prone string manipulation

Installation

You can install this package via pip: pip install python-iam-policy-builder

Usage

GCP

from iam_policy.gcp.gcp_iam_policy_builder import GCPIAMPolicyBuilder, Condition

iam_policy = GCPIAMPolicyBuilder(version=3)

iam_policy.add_binding(
    role='roles/viewer',
    members=[
        'user:alice@example.com',
        'serviceAccount:compute@example.com'
    ],
    condition=Condition(
        title='TimeBoundAccess',
        expression='request.time < timestamp("2024-12-31T23:59:59Z")',
        description='Temporary access until end of year'
    )._asdict()
)

print(iam_policy.build())

# [Output]
# {
#     "bindings": [
#         {
#             "role": "roles/viewer",
#             "members": [
#                 "user:alice@example.com",
#                 "serviceAccount:compute@example.com"
#             ],
#             "condition": {
#                 "title": "TimeBoundAccess",
#                 "expression": "request.time < timestamp(\"2024-12-31T23:59:59Z\")",
#                 "description": "Temporary access until end of year"
#             }
#         }
#     ],
#     "version": 3
# }
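The Notes section below points out that role names, member identifiers and condition expressions are not validated, so the dictionary that build() returns is only as correct as the arguments passed in. The checker below is an added example and not part of this package or its API: it runs over a policy dictionary of the shape shown above (a constructed copy is embedded so the script runs without the package installed, with a second, deliberately risky binding added) and reports members without a type prefix, public principals (allUsers, allAuthenticatedUsers), broad basic roles, and conditional bindings on a policy version other than 3. The prefix list and role regex are assumptions based on the documented GCP member and role formats, not something the package provides.

```python
import re
from typing import Any

# Constructed sample, not output captured from the package: it mirrors the dictionary
# shape the README shows for GCPIAMPolicyBuilder.build(), plus a second, deliberately
# risky binding so the checker has something to report.
SAMPLE_GCP_POLICY: dict[str, Any] = {
    "version": 3,
    "bindings": [
        {
            "role": "roles/viewer",
            "members": ["user:alice@example.com", "serviceAccount:compute@example.com"],
            "condition": {
                "title": "TimeBoundAccess",
                "expression": 'request.time < timestamp("2024-12-31T23:59:59Z")',
                "description": "Temporary access until end of year",
            },
        },
        {"role": "roles/editor", "members": ["allUsers", "Alice@example.com"]},
    ],
}

# Member types GCP accepts in a binding (assumed list, based on the documented member
# formats); anything else is a typo that the API rejects at setIamPolicy time.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:",
                   "principal:", "principalSet:", "deleted:")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BROAD_BASIC_ROLES = {"roles/owner", "roles/editor"}
# Predefined roles (roles/x) or custom roles (projects/p/roles/x, organizations/o/roles/x).
ROLE_RE = re.compile(
    r"^(roles/[A-Za-z0-9._]+|(projects|organizations)/[^/]+/roles/[A-Za-z0-9_.]+)$"
)


def lint_gcp_policy(policy: dict[str, Any]) -> list[str]:
    """Return human-readable findings for a GCP IAM policy dict; an empty list means clean."""
    findings: list[str] = []
    version = policy.get("version")
    bindings = policy.get("bindings") or []
    if not bindings:
        findings.append("policy has no bindings")
    for i, binding in enumerate(bindings):
        role = binding.get("role", "")
        where = f"bindings[{i}] ({role or 'no role'})"
        if not ROLE_RE.match(role):
            findings.append(f"{where}: role is not a predefined or custom role id")
        if role in BROAD_BASIC_ROLES:
            findings.append(f"{where}: broad basic role; prefer a predefined or custom role")
        members = binding.get("members") or []
        if not members:
            findings.append(f"{where}: binding has no members")
        seen: set[str] = set()
        for member in members:
            if member in seen:
                findings.append(f"{where}: duplicate member {member}")
            seen.add(member)
            if member in PUBLIC_MEMBERS:
                findings.append(f"{where}: grants {role} to {member} (public access)")
            elif not member.startswith(MEMBER_PREFIXES):
                findings.append(f"{where}: member {member!r} lacks a type prefix such as user:")
        condition = binding.get("condition")
        if condition is not None:
            # Conditions are ignored (or rejected) unless the policy is version 3.
            if version != 3:
                findings.append(f"{where}: conditional binding requires policy version 3, got {version!r}")
            for key in ("title", "expression"):
                if not condition.get(key):
                    findings.append(f"{where}: condition is missing {key!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_gcp_policy(SAMPLE_GCP_POLICY):
        print(finding)
```

Run against the sample, the first binding (the README's own) passes and the second produces three findings: the basic role, the public member and the member missing its type prefix. Feeding the dictionary from iam_policy.build() into lint_gcp_policy before calling setIamPolicy catches these mistakes before they reach the project.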

AWS

from iam_policy.aws.aws_iam_policy_builder import AWSIAMPolicyBuilder, Statement, Effect

iam_policy = AWSIAMPolicyBuilder(version='2012-10-17')

iam_policy.add_statement(
    Statement(
        Effect=Effect.Allow.value,
        Action=['iam:ListUsers'],
        Resource=['arn:aws:s3:::my-bucket/*'],
        Sid='AllowListUsers',
        Condition={
            'StringEquals': {
                'aws:username': 'alice'
            }
        },
        Principal={'AWS': 'arn:aws:iam::123456789012:user/alice'},
    )._asdict()
)

print(iam_policy.build())

# [Output]
# {
#     "Version": "2012-10-17",
#     "Statement": [
#         {
#             "Effect": "Allow",
#             "Action": [
#                 "iam:ListUsers"
#             ],
#             "Resource": [
#                 "arn:aws:s3:::my-bucket/*"
#             ],
#             "Condition": {
#                 "StringEquals": {
#                     "aws:username": "alice"
#                 }
#             },
#             "Sid": "AllowListUsers",
#             "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"}
#         }
#     ]
# }

Notes

GCP

  • Multiple conditions per binding are not supported, as GCP IAM currently allows only one condition per binding (as of May 2025)
  • auditConfigs (used for configuring audit logging) are not supported
  • Role names, member identifiers, and condition expressions are not validated

AWS

  • No validation is performed on ARNs, actions, or conditions
