feat: add IAM service with all 60 operations #14
Merged
Add AWS IAM (Identity and Access Management) support to RustStack with ~60 operations across 4 phases covering users, roles, groups, policies, instance profiles, access keys, tagging, and service-linked roles.

Phase 0 - Core CRUD (~25 operations):
- User/Role/Policy CRUD (Create/Get/Delete/List/Update)
- Policy attachment (Attach/Detach/ListAttached for users and roles)
- Access key management (Create/Delete/List/Update/GetLastUsed)

Phase 1 - Groups + Instance Profiles (~17 operations):
- Group CRUD and membership (AddUserToGroup, RemoveUserFromGroup)
- Group policy attachment
- Instance profile CRUD (Create/Get/Delete/List)
- Role-to-instance-profile management

Phase 2 - Policy Versions + Inline Policies (~17 operations):
- Managed policy versioning (Create/Get/Delete/List/SetDefault)
- Inline policies for users, roles, and groups (Put/Get/Delete/List)

Phase 3 - Advanced (~12 operations):
- Tag management for users and roles
- Service-linked roles (Create/Delete/GetDeletionStatus)
- UpdateAssumeRolePolicy
- SimulatePrincipalPolicy/SimulateCustomPolicy (stubs)
- ListEntitiesForPolicy, GetAccountAuthorizationDetails

Architecture:
- Uses Smithy codegen for model types (ruststack-iam-model)
- awsQuery protocol (same as SNS) with XML responses
- Gateway routing via SigV4 credential scope (service=iam)
- In-memory storage with DashMap (6 entity stores)
- IAM is a global service (no region in ARNs)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix critical and high-severity issues found during code review:
- Use DashMap::entry() API for atomic check-and-insert in all create operations (create_user, create_role, create_policy, etc.) to prevent TOCTOU race conditions
- Fix potential deadlocks in attach/detach operations by dropping entity guards before acquiring policy locks
- Clone data out of DashMap guards before querying other maps in list_attached_*_policies, get_group, and list_groups_for_user
- Fix nested lock patterns in get_account_authorization_details by pre-fetching all needed data before XML generation
- Fix delete_user/delete_role to drop guards before checking other maps
- Fix tag_user/tag_role to validate tag limits BEFORE applying mutations
- Add pagination support to list_entities_for_policy
- Change write_instance_profile_xml to accept pre-fetched role data instead of acquiring nested DashMap locks
- Replace expect() with unwrap_or_else() in response builders

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
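The two concurrency defects named in the commit above (a check-then-insert race in the create operations, and nested guards across two entity maps in attach/detach) are easy to reproduce in miniature. The following is an added example, not RustStack's own code: it stands in for the per-entity DashMaps with `std::sync::Mutex<HashMap>` (an assumption made so it runs with the standard library only), uses hypothetical `Store`, `User` and `Policy` types, and a constructed account id in the policy ARN. `create_user_racy` shows the pattern the fix removes; `create_user` does the check and insert under a single guard via `entry()`; `attach_user_policy` never holds the users guard while taking the policies guard, and rolls back if the user disappears between the two.

```rust
use std::collections::hash_map::Entry;
use std::collections::{HashMap, HashSet};
use std::sync::{Arc, Mutex};
use std::thread;

#[derive(Clone, Debug, Default)]
pub struct User {
    pub attached_policies: HashSet<String>,
}

#[derive(Clone, Debug, Default)]
pub struct Policy {
    pub attachment_count: u32,
}

#[derive(Debug, PartialEq)]
pub enum IamError {
    EntityAlreadyExists,
    NoSuchEntity,
}

/// Two independent entity stores, standing in for the per-entity DashMaps (assumption).
#[derive(Default)]
pub struct Store {
    users: Mutex<HashMap<String, User>>,
    policies: Mutex<HashMap<String, Policy>>,
}

impl Store {
    /// Racy create: the existence check and the insert take the lock separately,
    /// so two callers can both pass the check and both report success.
    pub fn create_user_racy(&self, name: &str) -> Result<(), IamError> {
        if self.users.lock().unwrap().contains_key(name) {
            return Err(IamError::EntityAlreadyExists);
        }
        // TOCTOU window: another thread can insert `name` right here.
        self.users.lock().unwrap().insert(name.to_string(), User::default());
        Ok(())
    }

    /// Fixed create: entry() performs the check and the insert under one guard.
    pub fn create_user(&self, name: &str) -> Result<(), IamError> {
        match self.users.lock().unwrap().entry(name.to_string()) {
            Entry::Occupied(_) => Err(IamError::EntityAlreadyExists),
            Entry::Vacant(slot) => {
                slot.insert(User::default());
                Ok(())
            }
        }
    }

    pub fn create_policy(&self, arn: &str) -> Result<(), IamError> {
        match self.policies.lock().unwrap().entry(arn.to_string()) {
            Entry::Occupied(_) => Err(IamError::EntityAlreadyExists),
            Entry::Vacant(slot) => {
                slot.insert(Policy::default());
                Ok(())
            }
        }
    }

    /// Attach a managed policy to a user without ever holding both guards at once.
    pub fn attach_user_policy(&self, user: &str, arn: &str) -> Result<(), IamError> {
        // 1. Validate the user exists; the temporary guard is released after the check.
        if !self.users.lock().unwrap().contains_key(user) {
            return Err(IamError::NoSuchEntity);
        }
        // 2. Update the policy under the policies guard only.
        {
            let mut policies = self.policies.lock().unwrap();
            let policy = policies.get_mut(arn).ok_or(IamError::NoSuchEntity)?;
            policy.attachment_count += 1;
        }
        // 3. Re-acquire users. The user may have been deleted in between, so
        //    roll the count back rather than leave a dangling attachment.
        let mut users = self.users.lock().unwrap();
        if let Some(u) = users.get_mut(user) {
            u.attached_policies.insert(arn.to_string());
            return Ok(());
        }
        drop(users);
        if let Some(p) = self.policies.lock().unwrap().get_mut(arn) {
            p.attachment_count -= 1;
        }
        Err(IamError::NoSuchEntity)
    }

    pub fn attachment_count(&self, arn: &str) -> Option<u32> {
        self.policies.lock().unwrap().get(arn).map(|p| p.attachment_count)
    }

    pub fn user_count(&self) -> usize {
        self.users.lock().unwrap().len()
    }
}

/// Spawn `n` threads that all try to create the same user with the atomic
/// version; returns how many were told they succeeded (must be exactly 1).
pub fn concurrent_creates(n: usize, name: &str) -> usize {
    let store = Arc::new(Store::default());
    let handles: Vec<_> = (0..n)
        .map(|_| {
            let store = Arc::clone(&store);
            let name = name.to_string();
            thread::spawn(move || store.create_user(&name).is_ok())
        })
        .collect();
    handles.into_iter().map(|h| h.join().unwrap()).filter(|ok| *ok).count()
}

fn main() {
    println!("successful creates: {}", concurrent_creates(8, "alice"));
}
```

The same shape applies to the `delete_*` and `list_attached_*` fixes in the commit: copy out what you need from one map, drop its guard, and only then touch the next map; where the second step can observe a state change, undo the first step instead of trusting the earlier check.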
Add comprehensive CI workflow testing all 4 IAM phases with AWS CLI:
- Phase 0: User/Role/Policy CRUD, access keys, delete conflicts
- Phase 1: Groups, membership, instance profiles
- Phase 2: Inline policies, policy versions
- Phase 3: Tags, service-linked roles, UpdateAssumeRolePolicy
- Rust integration tests (aws-sdk-iam)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- Phase 0 - Core CRUD (~25 operations)
- Phase 1 - Groups + Instance Profiles (~17 operations)
- Phase 2 - Policy Versions + Inline Policies (~17 operations)
- Phase 3 - Advanced (~12 operations)

Architecture

- ruststack-iam-model (codegen), ruststack-iam-http (protocol), ruststack-iam-core (business logic)

Test plan

- cargo build succeeds
- cargo test -p ruststack-iam-model -p ruststack-iam-core -p ruststack-iam-http (56 tests pass)
- cargo clippy --all-targets --all-features -- -D warnings (clean)
- cargo +nightly fmt (clean)
- iam-test.yml runs all 4 phases with AWS CLI

🤖 Generated with Claude Code