© 2024 – Pkg Stats / Ryan Hefner

@cloud-copilot/iam-shrink

v0.1.3

Shrink IAM Policies

Downloads

101

Shrink IAM Actions

Built in the Unix philosophy, this is a small tool with two goals:

  1. Shrink IAM actions lists by creating patterns that match only the actions specified and no others.
  2. Do #1 in a way that won't make your coworkers hate you.

Using Action wildcards is not recommended, but sometimes there are IAM limits you can't get around. This tool helps you stay within those limits.

Getting Small While Staying Sane

IAM Actions are camel cased into a number of words. For example:

  • s3:GetObject -> "Get" "Object"
  • s3:GetObjectTagging -> "Get" "Object" "Tagging"

IAM Shrink will only replace one word at a time and will never replace part of a word. So for instance s3:GetObject will never get shrunk to something like s3:*et*. This is to balance size reduction with readability.
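One way to check goal #1 on a shrunk list, as an added example that is not part of iam-shrink or its README: expand the original and the shrunk patterns against a list of known actions and report any difference. `KNOWN_ACTIONS` is a small constructed sample standing in for the full AWS action list, and the function names are hypothetical.

```typescript
// Added example, not iam-shrink code. KNOWN_ACTIONS is a constructed sample,
// not the full AWS action list; all function names here are hypothetical.
const KNOWN_ACTIONS: string[] = [
  "s3:GetBucketTagging",
  "s3:GetJobTagging",
  "s3:GetObjectTagging",
  "s3:GetObjectVersionTagging",
  "s3:GetStorageLensConfigurationTagging",
  "s3:GetObject",
  "s3:GetObjectAcl",
  "s3:PutObjectTagging",
];
// The five actions the policy is meant to grant (same list as the README uses).
const ORIGINAL: string[] = KNOWN_ACTIONS.slice(0, 5);

// IAM action patterns: "*" matches any run of characters, "?" matches exactly
// one character, and action names compare case-insensitively.
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$", "i");
}

// Every known action matched by at least one pattern in the list.
function expand(patterns: string[], universe: string[]): string[] {
  const regexes = patterns.map(patternToRegExp);
  return universe.filter((a) => regexes.some((r) => r.test(a)));
}

interface Drift {
  extra: string[]; // granted after shrinking but not before
  missing: string[]; // granted before shrinking but not after
}

function compareGrants(original: string[], shrunk: string[], universe: string[]): Drift {
  const before = expand(original, universe);
  const after = expand(shrunk, universe);
  return {
    extra: after.filter((a) => before.indexOf(a) === -1).sort(),
    missing: before.filter((a) => after.indexOf(a) === -1).sort(),
  };
}

// Word-level pattern from the README: same five actions, nothing else.
console.log(compareGrants(ORIGINAL, ["s3:Get*Tagging"], KNOWN_ACTIONS));
// A broader wildcard also picks up s3:GetObject and s3:GetObjectAcl.
console.log(compareGrants(ORIGINAL, ["s3:Get*"], KNOWN_ACTIONS));
```

AWS adds actions over time, so a wildcard that is exact today can match more later; rerun the comparison against a current action list.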

Use in Browser

https://iam.cloudcopilot.io/tools/iam-shrink

Use in CLI

Installation

You can install it globally. This also works in the default AWS CloudShell!

```bash
npm install -g @cloud-copilot/iam-shrink
```

Depending on your configuration sudo may be required to install globally.

Help

```bash
iam-shrink --help
```

Shrink IAM Actions

Pass in Argument

It's unlikely that you will pass a number of actions on the CLI after the command name, but you can. You'll need a large number of actions for it to be practical, so it's mostly for automation.

Usage:

```bash
iam-shrink s3:GetBucketTagging s3:GetJobTagging s3:GetObjectTagging s3:GetObjectVersionTagging s3:GetStorageLensConfigurationTagging
# Output
s3:Get*Tagging
```

Read from stdin

If no actions are passed as arguments, the CLI will read from stdin.

```bash
# echo writes the action list to stdin; cat would treat the string as a file name
echo "s3:GetBucketTagging s3:GetJobTagging s3:GetObjectTagging s3:GetObjectVersionTagging s3:GetStorageLensConfigurationTagging" | iam-shrink
# Output
s3:Get*Tagging
```

Shrink JSON input

If the input is a valid JSON document, the CLI will find every instance of `Action` and `NotAction` that is an array of strings and shrink them.

Given policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "groundstation:GetAgentConfiguration",
        "groundstation:GetConfig",
        "groundstation:GetDataflowEndpointGroup",
        "groundstation:GetMinuteUsage",
        "groundstation:GetMissionProfile",
        "groundstation:GetSatellite",
        "groundstation:ListConfigs",
        "groundstation:ListContacts",
        "groundstation:ListDataflowEndpointGroups",
        "groundstation:ListEphemerides",
        "groundstation:ListGroundStations",
        "groundstation:ListMissionProfiles",
        "groundstation:ListSatellites",
        "groundstation:ListTagsForResource",
        "s3:GetBucketTagging",
        "s3:GetJobTagging",
        "s3:GetObjectTagging",
        "s3:GetObjectVersionTagging",
        "s3:GetStorageLensConfigurationTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "organizations:DeleteOrganization",
        "organizations:DeleteOrganizationalUnit",
        "organizations:DeletePolicy",
        "organizations:DeleteResourcePolicy",
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```

```bash
cat policy.json | iam-shrink > smaller-policy.json
```

Gives this file in smaller-policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "groundstation:List*",
        "groundstation:Get*",
        "s3:Get*Tagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "organizations:Delete*",
        "organizations:Leave*"
      ],
      "Resource": "*"
    }
  ]
}
```

Configuring iterations

By default, the CLI will do two iterations of shrinking. This generally strikes a good balance between reducing size and maintaining readability. This can be adjusted with the `--iterations` flag.

Assuming the AWS Read Only policy is in readonly.json:

```bash
# Default two iterations
cat readonly.json | iam-shrink | wc -m
# 61305 characters

# Increasing iterations
cat readonly.json | iam-shrink --iterations=3 | wc -m
# 45983 characters
cat readonly.json | iam-shrink --iterations=4 | wc -m
# 43654 characters
cat readonly.json | iam-shrink --iterations=5 | wc -m
# 43336 characters

# Unlimited iterations until the policy cannot be further reduced
cat readonly.json | iam-shrink --iterations=0 | wc -m
# 43281 characters
```

If you want to shrink the policy as much as possible, you can use --iterations=0. This will keep shrinking the policy until it can't be reduced any further.

Use in TypeScript/Node

You can use the shrink function in your own code.

```typescript
import { shrink } from '@cloud-copilot/iam-shrink';

const actions = [
  "s3:GetBucketTagging",
  "s3:GetJobTagging",
  "s3:GetObjectTagging",
  "s3:GetObjectVersionTagging",
  "s3:GetStorageLensConfigurationTagging"
];

const shrunk = await shrink(actions);
console.log(shrunk);
// [ 's3:Get*Tagging' ]
```

You can specify the number of iterations as well.

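```typescript
import { shrink } from '@cloud-copilot/iam-shrink';

// getBigListOfActions() stands in for your own code that returns a string[] of actions
const bigListOfActions = getBigListOfActions();

const smallerList = await shrink(bigListOfActions, { iterations: 3 });
console.log(smallerList);
```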