Module model

aws_iam

Module model 

Source
Expand description

Provides a Serde-enabled model for AWS Identity and Access Management (IAM) policies.

This implementation only provides a convenient API to construct and consume IAM policy resources using Serde to serialize and deserialize into the AWS-defined JSON representation.

§Policy Grammar

The following is taken from the latest AWS IAM User Guide. Note that this is a logical grammar, the serialization in JSON has some specifics documented in the notes below.

policy  = {
     <version_block?>
     <id_block?>
     <statement_block>
}

<version_block> = "Version" : ("2008-10-17" | "2012-10-17")

<id_block> = "Id" : <policy_id_string>

<statement_block> = "Statement" : [ <statement>, <statement>, ... ]

<statement> = {
    <sid_block?>,
    <principal_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}

<sid_block> = "Sid" : <sid_string>

<effect_block> = "Effect" : ("Allow" | "Deny")

<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)

<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :
    [<principal_id_string>, <principal_id_string>, ...]

<action_block> = ("Action" | "NotAction") :
    ("*" | [<action_string>, <action_string>, ...])

<resource_block> = ("Resource" | "NotResource") :
    ("*" | [<resource_string>, <resource_string>, ...])

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")

§Grammar Notes

  1. For those blocks that appear to take a list of strings, i.e. principal_map_entry contains a list of principal_id_string, action_block, resource_block, and condition_value_list these may be serialized as a JSON array of values, or as simply a single string if there is only one value. This is implemented by using enums that construct a One variant or All/AnyOf variant.
  2. For thse blocks which accept a wild card, principal_block, action_block, and resource_block the Qualified enum has an Any variant.
  3. The grammar for condition_map appears to suggest that there is only one value for condition_key_string, this is not the case, the right-hand side of the condition_map is itself a map.
  4. The constraint that _The id_block is allowed in resource-based policies, but not in identity-based policies.` is ignored in this implementation.
  5. The constraint that For IAM policies, basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed characters in the Sid value. Other AWS services that support resource policies may have other requirements for the Sid value. is ignored in this implementation.
  6. The value of principal_id_string must be an Amazon Resource Name (ARN), and the value of resource_string is most likely an ARN. This is not validated in this implementation.
  7. While most values for condition_type_string defined in IAM JSON Policy Elements: Condition Operators are provided, the prefixes ForAllValues and ForAnyValue are not supported.
  8. The value of condition_key_string is in effect an open-set enumeration, and while some values are described within AWS Global Condition Context Keys these are not validated in this implementation.

§Example

The example below implements a simple policy described in the IAM User Guide Access Policies section.

use aws_iam::model::*;

let policy = Policy {
    version: Some(Version::V2012),
    id: Some("test_simple_access_policy".to_string()),
    statement: OneOrAll::One(Statement {
        sid: None,
        principal: None,
        effect: Effect::Allow,
        action: Action::Action(OneOrAny::One("s3:ListBucket".parse().unwrap())),
        resource: Resource::this("arn:aws:s3:::example_bucket".to_string()),
        condition: None,
    }),
};
let json = serde_json::to_string(&policy);
assert!(json.is_ok());
println!("JSON: {:#?}", json);

Alternatively using the builder module we can accomplish the same result with the following.

use aws_iam::model::*;
use aws_iam::model::builder::*;

let policy: Policy = PolicyBuilder::new()
    .named("test_simple_access_policy")
    .evaluate_statement(
        StatementBuilder::new()
            .allows()
            .may_perform_action("s3:ListBucket")
            .on_resource("arn:aws:s3:::example_bucket")
    )
    .into();
let json = serde_json::to_string(&policy);
assert!(json.is_ok());
println!("JSON: {:#?}", json);

Re-exports§

pub use containers::OneOrAll;
pub use containers::OneOrAny;
pub use qstring::QString;
pub use impls::*;
pub use types::*;

Modules§

builder
Provides a convenient and fluent builder interface for constructing policies.
containers
Provides some basic container enums that are used by the Policy model.
impls
Provides implementations for the types in crate::model::types.
qstring
Provides a namespace-qualified string.
types
Provides the structures and enumerations that define the IAM Rust model.