1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

/*!
This crate provides a Rust typed model for creating and reading AWS IAM Policy documents.
Whreever possible this crate uses documentation directly from the AWS IAM User Guide.

From [AWS Identity and Access Management Documentation](https://docs.aws.amazon.com/iam/index.html):

> The access management portion of AWS Identity and Access Management (IAM) helps you define
> what a principal entity is allowed to do in an account. A principal entity is a person or
> application that is authenticated using an IAM entity (user or role). Access management is often
> referred to as authorization. You manage access in AWS by creating policies and attaching them
> to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in
> AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates
> these policies when a principal uses an IAM entity (user or role) to make a request. Permissions
> in the policies determine whether the request is allowed or denied. Most policies are stored in
> AWS as JSON documents.

# Overview

This crate provides a set of types that can be used to serialize and deserialize IAM Policy
documents. For a simpler experience creating documents a [`builder`](model/builder/index.html)
module provides a more _fluent_ method for construction. The [`io`](io/index.html) module
provides basic support for reading and writing JSON files.

# Usage

The example JSON below is taken from [Overview of JSON
Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/ *"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
```

This can be constructed with the following code.

```rust
use std::collections::HashMap;
use aws_iam::model::*;
use aws_iam::model::builder::*;
use std::str::FromStr;

let condition = ConditionBuilder::new(GlobalConditionOperator::Bool)
    .right_hand_str("aws:MultiFactorAuthPresent", "true")
    .build_as_condition();
let policy = Policy {
    version: Some(Version::V2012),
    id: Some("test_access_policy_with_condition".to_string()),
    statement: OneOrAll::All(vec![Statement {
        sid: Some("ThirdStatement".to_string()),
        principal: None,
        effect: Effect::Allow,
        action: Action::these(&mut vec![
            "s3:List*".parse().unwrap(),
            "s3:Get*".parse().unwrap(),
        ]),
        resource: Resource::these(&mut vec![
            "arn:aws:s3:::confidential-data".to_string(),
            "arn:aws:s3:::confidential-data/-*".to_string(),
        ]),
        condition: Some(condition),
    }]),
};
println!("{}", policy.to_string());
```

# Features

The following features are supported by this crate and can be included as needed. By default the
crate only provides an in-memory data model with Serde support for reading and writing to the
standard JSON representation.

* `command_line` - provides a command line tool, `policy` that can verify and evaluate existing
  policy documents and create new ones from a set of templates.
* `document` - produces formatted documentation for a policy. This can be in the form of Markdown
  or LaTeX and would usually be used to document a policy template for others to follow.
* `offline_eval` - provides a simple, by which we mean incomplete, evaluation of a policy  using
  a request object to match. This is useful but not sufficient for testing policies.
* `service_config` - adds to the verification of policies by storing service-specific configuration
  on actions, resource formats, and condition keys.

The `default` feature includes none of the above. This documentation was built with the following
features enabled.

*/
#![cfg_attr(feature = "default", doc = "* default")]
#![cfg_attr(feature = "command_line", doc = "* command line tool")]
#![cfg_attr(feature = "document", doc = "* documentation formatters")]
#![cfg_attr(feature = "offline_eval", doc = "* offline evaluation")]
#![cfg_attr(feature = "service_config", doc = "* service-specific configuration")]
// ------------------------------------------------------------------------------------------------
// Preamble
// ------------------------------------------------------------------------------------------------
#![warn(
    missing_debug_implementations,
    missing_docs,
    unused_extern_crates,
    rust_2018_idioms
)]

#[macro_use]
extern crate lazy_static;

// ------------------------------------------------------------------------------------------------
// Modules
// ------------------------------------------------------------------------------------------------

pub mod constants;

pub mod io;

pub mod model;

#[cfg(feature = "document")]
pub mod document;

#[cfg(feature = "offline_eval")]
pub mod offline;

#[cfg(feature = "service_config")]
pub mod service;