Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
152978045c
constellation/hack/terraform/aws/iam
History
Fabian Kammel cf36b85ff9
extend permissions to allow logging (#461) 
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-04 14:56:13 +01:00
..
main.tf extend permissions to allow logging (#461) 2022-11-04 14:56:13 +01:00
output.tf AB#2436: Initial support for create/terminate AWS NitroTPM instances 2022-10-21 12:24:18 +02:00
README.md document usage of iamlive (#443) 2022-11-04 14:01:23 +01:00
variables.tf AB#2436: Initial support for create/terminate AWS NitroTPM instances 2022-10-21 12:24:18 +02:00

README.md

IAM

iamlive

iamlive dynamically determines the minimal permissions to call a set of AWS API calls.

It uses a local proxy to intercept API calls and incrementally generate the AWS policy.

In one session start iamlive:

iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json

In another session execute terraform:

PREFIX="record-iam"
terraform init
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX}
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX}

iamlive will present the generated policy, and after <CTRL-C> the iamlive process it will also write it to the specified file.