wami 0.10.0

Who Am I - Multicloud Identity, IAM, STS, and SSO operations library for Rust
Documentation

WAMI - Who Am I

Multi-cloud Identity and Access Management Library for Rust

GitHub last commit CI Codecov Docs Crates.io

Overview

WAMI (Who Am I) is a pure Rust library for Identity and Access Management (IAM), Security Token Service (STS), and Single Sign-On (SSO) operations across multiple cloud providers. Built with a domain-driven design, WAMI separates business logic from storage, making it flexible, testable, and cloud-agnostic.

Key Features:

  • 🌐 Multi-cloud Support - AWS, GCP, Azure, and custom identity providers
  • 🏗️ Pure Domain Logic - Business logic without storage dependencies
  • 💾 Pluggable Storage - In-memory, SQL, NoSQL, or custom backends
  • 🏢 Multi-tenant Architecture - Built-in hierarchical tenant isolation
  • 🔐 Complete IAM Suite - Users, groups, roles, policies, credentials
  • 🔑 Temporary Credentials - STS sessions and role assumption
  • 📊 SSO Administration - Permission sets, assignments, and federation
  • 🦀 100% Rust - Type-safe, async-first, zero-cost abstractions
  • Well-tested - 402 unit tests with high coverage (all passing)

📚 Documentation

Getting Started

Core Concepts

Feature Guides

Advanced Topics

Project Information

Quick Start

Installation

Add this to your Cargo.toml:

[dependencies]
wami = "0.8.0"
tokio = { version = "1.0", features = ["full"] }

Your First Example

use wami::wami::identity::user::builder;
use wami::store::memory::InMemoryWamiStore;
use wami::store::traits::UserStore;
use wami::provider::aws::AwsProvider;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize storage
    let mut store = InMemoryWamiStore::new();
    let provider = AwsProvider::new();
    
    // Build a user (pure function)
    let user = builder::build_user(
        "alice".to_string(),
        Some("/engineering/".to_string()),
        &provider,
        "123456789012"
    );
    
    // Store it
    let created = store.create_user(user).await?;
    println!("✅ Created user: {}", created.arn);
    
    // Retrieve it
    let retrieved = store.get_user("alice").await?;
    println!("✅ Retrieved: {:?}", retrieved.unwrap().user_name);
    
    Ok(())
}

Output:

✅ Created user: arn:aws:iam::123456789012:user/engineering/alice
✅ Retrieved: "alice"

See Getting Started Guide for more examples.

🎯 Example Programs

WAMI includes 23 runnable examples demonstrating all major features:

Category Examples Status
Getting Started 01-03: Hello World, CRUD, Service Layer ✅ All Working
Multi-Tenancy 04-08: Tenants, Hierarchy, Quotas, Cross-Tenant Access, Migration ✅ All Working
Multi-Cloud 09-13: User Sync, Provider Switching, Hybrid Cloud, DR ✅ All Working
Policies & RBAC 14-17, 23: Policy Basics, Evaluation, RBAC, ABAC, Boundaries ✅ All Working
STS & Federation 18-20: Session Tokens, Role Assumption, Federation ✅ All Working
SSO & Federation 21-22: SSO Setup, Identity Providers ✅ All Working

Run any example with:

cargo run --example 01_hello_wami

See examples/README.md for complete documentation.

Architecture Overview

WAMI follows a clean 3-layer architecture:

┌─────────────────────────────────────────────────┐
│         Application Layer (Your Code)           │
└────────────────────┬────────────────────────────┘
                     │
┌────────────────────┼────────────────────────────┐
│    Domain Layer    │  Pure Functions            │
│                    │  (wami::*)                 │
│  • Identity        │  No storage dependencies   │
│  • Credentials     │  Pure business logic       │
│  • Policies        │  Builders & validators     │
│  • STS Sessions    │                            │
│  • Tenants         │                            │
└────────────────────┬────────────────────────────┘
                     │
┌────────────────────┼────────────────────────────┐
│    Storage Layer   │  Traits & Implementations  │
│  WamiStore         │  In-memory, SQL, custom    │
│  StsStore          │  Pluggable backends        │
│  TenantStore       │                            │
└─────────────────────────────────────────────────┘

Key Benefits:

  • Separation of Concerns - Domain logic independent from storage
  • Testability - Pure functions are easy to test
  • Flexibility - Use any storage backend (memory, SQL, NoSQL)
  • Type Safety - Rust's type system prevents common errors

Read more in Architecture Guide.

Core Features

🔐 Identity Management

use wami::wami::identity::{user, group, role};

// Create user
let user = user::builder::build_user("alice".into(), None, &provider, account);
store.create_user(user).await?;

// Create group and add user
let group = group::builder::build_group("admins".into(), None, &provider, account);
store.create_group(group).await?;
store.add_user_to_group("admins", "alice").await?;

// Create role with trust policy
let role = role::builder::build_role(
    "AdminRole".into(),
    trust_policy,
    None, None, None,
    &provider, account
);
store.create_role(role).await?;

🔑 Credentials & STS

use wami::wami::credentials::access_key;
use wami::wami::sts::session;

// Create access keys
let key = access_key::builder::build_access_key("alice".into(), &provider, account);
store.create_access_key(key).await?;

// Create temporary session
let session = session::builder::build_session(
    "session-123".into(),
    "AKIA...".into(),
    "secret".into(),
    3600, // 1 hour
    Some(role_arn),
    &provider, account
);
store.create_session(session).await?;

🏢 Multi-tenant Support

use wami::wami::tenant::{Tenant, TenantId};

// Create parent tenant
let parent_id = TenantId::root("acme-corp");
let parent = Tenant { id: parent_id.clone(), /* ... */ };
store.create_tenant(parent).await?;

// Create child tenant
let child_id = parent_id.child("engineering");
let child = Tenant { id: child_id.clone(), parent_id: Some(parent_id), /* ... */ };
store.create_tenant(child).await?;

// Query hierarchy
let descendants = store.get_descendants(&parent_id).await?;

Project Structure

wami/
├── src/
│   ├── wami/              # Domain layer (pure functions)
│   │   ├── identity/      # Users, groups, roles
│   │   ├── credentials/   # Access keys, MFA, certificates
│   │   ├── policies/      # IAM policies
│   │   ├── sts/          # Sessions, temporary credentials
│   │   ├── sso_admin/    # SSO configuration
│   │   └── tenant/       # Multi-tenant models
│   │
│   ├── store/            # Storage layer
│   │   ├── traits/       # Storage trait definitions
│   │   └── memory/       # In-memory implementations
│   │
│   ├── provider/         # Cloud provider abstractions
│   │   ├── aws.rs
│   │   ├── gcp.rs
│   │   └── azure.rs
│   │
│   └── error.rs          # Error types
│
├── docs/                 # 📚 All documentation
├── examples/             # Working code examples
└── tests/                # Integration tests

Testing

Run the full test suite:

cargo test

WAMI has 376 tests (all passing ✅) covering:

  • ✅ Domain logic (pure functions)
  • ✅ Store implementations (CRUD, queries, concurrency)
  • ✅ Multi-tenant isolation
  • ✅ Resource enumeration and downcasting

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Add tests for your changes
  4. Ensure all tests pass (cargo test)
  5. Run cargo clippy and cargo fmt
  6. Submit a pull request

See Contributing Guide for more details.

Roadmap

In Planning

Future Enhancements

  • SQL store implementations (PostgreSQL, MySQL)
  • Advanced policy evaluation engine
  • Identity Provider Support - SAML and OIDC federation (✅ Completed in v0.8.0)
  • Audit logging and compliance
  • Service/orchestration layer

See Issues Tracker for details.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Security

Found a security issue? Please see Security Policy for reporting guidelines.

Links