Expand description
Provides a Serde-enabled model for AWS Identity and Access Management (IAM) policies.
This implementation only provides a convenient API to construct and consume IAM policy resources using Serde to serialize and deserialize into the AWS-defined JSON representation.
Policy Grammar
The following is taken from the latest AWS IAM User Guide. Note that this is a logical grammar, the serialization in JSON has some specifics documented in the notes below.
policy = {
<version_block?>
<id_block?>
<statement_block>
}
<version_block> = "Version" : ("2008-10-17" | "2012-10-17")
<id_block> = "Id" : <policy_id_string>
<statement_block> = "Statement" : [ <statement>, <statement>, ... ]
<statement> = {
<sid_block?>,
<principal_block?>,
<effect_block>,
<action_block>,
<resource_block>,
<condition_block?>
}
<sid_block> = "Sid" : <sid_string>
<effect_block> = "Effect" : ("Allow" | "Deny")
<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)
<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :
[<principal_id_string>, <principal_id_string>, ...]
<action_block> = ("Action" | "NotAction") :
("*" | [<action_string>, <action_string>, ...])
<resource_block> = ("Resource" | "NotResource") :
("*" | [<resource_string>, <resource_string>, ...])
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
<condition_type_string> : { <condition_key_string> : <condition_value_list> },
<condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
Grammar Notes
- For those blocks that appear to take a list of strings, i.e.
principal_map_entry
contains a list ofprincipal_id_string
,action_block
,resource_block
, andcondition_value_list
these may be serialized as a JSON array of values, or as simply a single string if there is only one value. This is implemented by using enums that construct aOne
variant orAll
/AnyOf
variant. - For thse blocks which accept a wild card,
principal_block
,action_block
, andresource_block
theQualified
enum has anAny
variant. - The grammar for
condition_map
appears to suggest that there is only one value forcondition_key_string
, this is not the case, the right-hand side of thecondition_map
is itself a map. - The constraint that _The
id_block
is allowed in resource-based policies, but not in identity-based policies.` is ignored in this implementation. - The constraint that For IAM policies, basic alphanumeric characters (A-Z,a-z,0-9)
are the only allowed characters in the
Sid
value. Other AWS services that support resource policies may have other requirements for theSid
value. is ignored in this implementation. - The value of
principal_id_string
must be an Amazon Resource Name (ARN), and the value ofresource_string
is most likely an ARN. This is not validated in this implementation. - While most values for
condition_type_string
defined in IAM JSON Policy Elements: Condition Operators are provided, the prefixesForAllValues
andForAnyValue
are not supported. - The value of
condition_key_string
is in effect an open-set enumeration, and while some values are described within AWS Global Condition Context Keys these are not validated in this implementation.
Example
The example below implements a simple policy described in the IAM User Guide Access Policies section.
use aws_iam::model::*;
let policy = Policy {
version: Some(Version::V2012),
id: Some("test_simple_access_policy".to_string()),
statement: OneOrAll::One(Statement {
sid: None,
principal: None,
effect: Effect::Allow,
action: Action::Action(OneOrAny::One("s3:ListBucket".parse().unwrap())),
resource: Resource::this("arn:aws:s3:::example_bucket".to_string()),
condition: None,
}),
};
let json = serde_json::to_string(&policy);
assert!(json.is_ok());
println!("JSON: {:#?}", json);
Alternatively using the builder
module we can accomplish the same result with the following.
use aws_iam::model::*;
use aws_iam::model::builder::*;
let policy: Policy = PolicyBuilder::new()
.named("test_simple_access_policy")
.evaluate_statement(
StatementBuilder::new()
.allows()
.may_perform_action("s3:ListBucket")
.on_resource("arn:aws:s3:::example_bucket")
)
.into();
let json = serde_json::to_string(&policy);
assert!(json.is_ok());
println!("JSON: {:#?}", json);
Re-exports
pub use containers::OneOrAll;
pub use containers::OneOrAny;
pub use impls::*;
pub use qstring::QString;
pub use types::*;
Modules
Provides a convenient and fluent builder interface for constructing policies.
Provides some basic container enums that are used by the Policy model.
Provides implementations for the types in crate::model::types
.
Provides a namespace-qualified string.
Provides the structures and enumerations that define the IAM Rust model.