16_role_based_access_control/
16_role_based_access_control.rs1use std::sync::{Arc, RwLock};
13use wami::provider::AwsProvider;
14use wami::service::{PolicyService, RoleService, UserService};
15use wami::store::memory::InMemoryWamiStore;
16use wami::wami::identity::role::requests::CreateRoleRequest;
17use wami::wami::identity::user::requests::CreateUserRequest;
18use wami::wami::policies::policy::requests::CreatePolicyRequest;
19
20#[tokio::main]
21async fn main() -> Result<(), Box<dyn std::error::Error>> {
22 println!("=== Role-Based Access Control (RBAC) ===\n");
23
24 let store = Arc::new(RwLock::new(InMemoryWamiStore::default()));
25 let _provider = Arc::new(AwsProvider::new());
26 let account_id = "123456789012";
27
28 let user_service = UserService::new(store.clone(), account_id.to_string());
29 let role_service = RoleService::new(store.clone(), account_id.to_string());
30 let policy_service = PolicyService::new(store.clone(), account_id.to_string());
31
32 println!("Step 1: Creating role policies...\n");
34
35 let _admin_policy = policy_service.create_policy(CreatePolicyRequest {
36 policy_name: "AdminPolicy".to_string(),
37 path: Some("/rbac/".to_string()),
38 policy_document: r#"{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}"#.to_string(),
39 description: Some("Full admin access".to_string()),
40 tags: None,
41 }).await?;
42 println!("✓ Created AdminPolicy");
43
44 let _dev_policy = policy_service.create_policy(CreatePolicyRequest {
45 policy_name: "DeveloperPolicy".to_string(),
46 path: Some("/rbac/".to_string()),
47 policy_document: r#"{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*","lambda:*"],"Resource":"*"}]}"#.to_string(),
48 description: Some("Developer access to S3 and Lambda".to_string()),
49 tags: None,
50 }).await?;
51 println!("✓ Created DeveloperPolicy");
52
53 let _viewer_policy = policy_service.create_policy(CreatePolicyRequest {
54 policy_name: "ViewerPolicy".to_string(),
55 path: Some("/rbac/".to_string()),
56 policy_document: r#"{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:Get*","s3:List*"],"Resource":"*"}]}"#.to_string(),
57 description: Some("Read-only access".to_string()),
58 tags: None,
59 }).await?;
60 println!("✓ Created ViewerPolicy");
61
62 println!("\n\nStep 2: Creating roles...\n");
64
65 let trust_policy = r#"{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"sts:AssumeRole"}]}"#;
66
67 let admin_role = role_service
68 .create_role(CreateRoleRequest {
69 role_name: "Admin".to_string(),
70 path: Some("/rbac/".to_string()),
71 assume_role_policy_document: trust_policy.to_string(),
72 description: Some("Administrator role".to_string()),
73 max_session_duration: Some(3600),
74 permissions_boundary: None,
75 tags: None,
76 })
77 .await?;
78 println!("✓ Created Admin role: {}", admin_role.arn);
79
80 let dev_role = role_service
81 .create_role(CreateRoleRequest {
82 role_name: "Developer".to_string(),
83 path: Some("/rbac/".to_string()),
84 assume_role_policy_document: trust_policy.to_string(),
85 description: Some("Developer role".to_string()),
86 max_session_duration: Some(7200),
87 permissions_boundary: None,
88 tags: None,
89 })
90 .await?;
91 println!("✓ Created Developer role: {}", dev_role.arn);
92
93 let viewer_role = role_service
94 .create_role(CreateRoleRequest {
95 role_name: "Viewer".to_string(),
96 path: Some("/rbac/".to_string()),
97 assume_role_policy_document: trust_policy.to_string(),
98 description: Some("Viewer role".to_string()),
99 max_session_duration: Some(3600),
100 permissions_boundary: None,
101 tags: None,
102 })
103 .await?;
104 println!("✓ Created Viewer role: {}", viewer_role.arn);
105
106 println!("\n\nStep 3: Creating users...\n");
108
109 user_service
110 .create_user(CreateUserRequest {
111 user_name: "alice".to_string(),
112 path: Some("/team/".to_string()),
113 permissions_boundary: None,
114 tags: Some(vec![wami::types::Tag {
115 key: "Role".to_string(),
116 value: "Admin".to_string(),
117 }]),
118 })
119 .await?;
120 println!("✓ Created alice (will be assigned Admin role)");
121
122 user_service
123 .create_user(CreateUserRequest {
124 user_name: "bob".to_string(),
125 path: Some("/team/".to_string()),
126 permissions_boundary: None,
127 tags: Some(vec![wami::types::Tag {
128 key: "Role".to_string(),
129 value: "Developer".to_string(),
130 }]),
131 })
132 .await?;
133 println!("✓ Created bob (will be assigned Developer role)");
134
135 user_service
136 .create_user(CreateUserRequest {
137 user_name: "charlie".to_string(),
138 path: Some("/team/".to_string()),
139 permissions_boundary: None,
140 tags: Some(vec![wami::types::Tag {
141 key: "Role".to_string(),
142 value: "Viewer".to_string(),
143 }]),
144 })
145 .await?;
146 println!("✓ Created charlie (will be assigned Viewer role)");
147
148 println!("\n\nStep 4: Understanding RBAC pattern...\n");
150
151 println!("RBAC structure created:");
152 println!();
153 println!("Roles → Policies:");
154 println!(" Admin → AdminPolicy (full access)");
155 println!(" Developer → DeveloperPolicy (S3 + Lambda)");
156 println!(" Viewer → ViewerPolicy (read-only)");
157 println!();
158 println!("Users → Roles (via AssumeRole):");
159 println!(" alice → Admin");
160 println!(" bob → Developer");
161 println!(" charlie → Viewer");
162 println!();
163 println!("Benefits of RBAC:");
164 println!("- Centralized permission management");
165 println!("- Easy to add/remove users from roles");
166 println!("- Consistent permissions across teams");
167 println!("- Simplified auditing");
168
169 println!("\n✅ Example completed successfully!");
170
171 Ok(())
172}