[−][src]Module aws_iam::model
Provides a Serde-enabled model for AWS Identity and Access Management (IAM) policies.
This implementation only provides a convenient API to construct and consume IAM policy resources using Serde to serialize and deserialize into the AWS-defined JSON representation.
Policy Grammar
The following is taken from the latest AWS IAM User Guide. Note that this is a logical grammar, the serialization in JSON has some specifics documented in the notes below.
policy = {
<version_block?>
<id_block?>
<statement_block>
}
<version_block> = "Version" : ("2008-10-17" | "2012-10-17")
<id_block> = "Id" : <policy_id_string>
<statement_block> = "Statement" : [ <statement>, <statement>, ... ]
<statement> = {
<sid_block?>,
<principal_block?>,
<effect_block>,
<action_block>,
<resource_block>,
<condition_block?>
}
<sid_block> = "Sid" : <sid_string>
<effect_block> = "Effect" : ("Allow" | "Deny")
<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)
<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :
[<principal_id_string>, <principal_id_string>, ...]
<action_block> = ("Action" | "NotAction") :
("*" | [<action_string>, <action_string>, ...])
<resource_block> = ("Resource" | "NotResource") :
("*" | [<resource_string>, <resource_string>, ...])
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
<condition_type_string> : { <condition_key_string> : <condition_value_list> },
<condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
Grammar Notes
- For those blocks that appear to take a list of strings, i.e.
principal_map_entry
contains a list ofprincipal_id_string
,action_block
,resource_block
, andcondition_value_list
these may be serialized as a JSON array of values, or as simply a single string if there is only one value. This is implemented by using enums that construct aOne
variant orAll
/AnyOf
variant. - For thse blocks which accept a wild card,
principal_block
,action_block
, andresource_block
theQualified
enum has anAny
variant. - The grammar for
condition_map
appears to suggest that there is only one value forcondition_key_string
, this is not the case, the right-hand side of thecondition_map
is itself a map. - The constraint that _The
id_block
is allowed in resource-based policies, but not in identity-based policies.` is ignored in this implementation. - The constraint that For IAM policies, basic alphanumeric characters (A-Z,a-z,0-9)
are the only allowed characters in the
Sid
value. Other AWS services that support resource policies may have other requirements for theSid
value. is ignored in this implementation. - The value of
principal_id_string
must be an Amazon Resource Name (ARN), and the value ofresource_string
is most likely an ARN. This is not validated in this implementation. - While most values for
condition_type_string
defined in IAM JSON Policy Elements: Condition Operators are provided, the prefixesForAllValues
andForAnyValue
are not supported. - The value of
condition_key_string
is in effect an open-set enumeration, and while some values are described within AWS Global Condition Context Keys these are not validated in this implementation.
Example
The example below implements a simple policy described in the IAM User Guide Access Policies section.
use aws_iam::model::*; use aws_iam::model::builder::*; let policy = Policy { version: Some(Version::V2012), id: Some("test_simple_access_policy".to_string()), statement: OneOrAll::One(Statement { sid: None, principal: None, effect: Effect::Allow, action: Action::Action(OneOrAny::One("s3:ListBucket".parse().unwrap())), resource: Resource::this("arn:aws:s3:::example_bucket".to_string()), condition: None, }), }; let json = serde_json::to_string(&policy); assert!(json.is_ok()); println!("JSON: {:#?}", json);
Re-exports
pub use containers::OneOrAll; |
pub use containers::OneOrAny; |
pub use impls::*; |
pub use qstring::QString; |
pub use types::*; |
Modules
arn | Provides bare bones support for ARN values. |
builder | Provides a convenient and fluent builder interface for constructing policies. |
containers | Provides some basic container enums that are used by the Policy model. |
impls | Provides implementations for the types in |
qstring | Provides a namespace-qualified string. |
types | Provides the structures and enumerations that define the IAM Rust model. |