constellation/hack/terraform/aws/iam
Fabian Kammel 668b4d000b
document usage of iamlive (#443)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-04 14:01:23 +01:00
..
main.tf aws: add needed IAM permission for join service 2022-11-03 16:44:54 +01:00
output.tf AB#2436: Initial support for create/terminate AWS NitroTPM instances 2022-10-21 12:24:18 +02:00
README.md document usage of iamlive (#443) 2022-11-04 14:01:23 +01:00
variables.tf AB#2436: Initial support for create/terminate AWS NitroTPM instances 2022-10-21 12:24:18 +02:00

IAM

iamlive

iamlive dynamically determines the minimal permissions to call a set of AWS API calls.

It uses a local proxy to intercept API calls and incrementally generate the AWS policy.

In one session start iamlive:

iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json

In another session execute terraform:

PREFIX="record-iam"
terraform init
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX}
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX}

iamlive will present the generated policy, and after <CTRL-C> the iamlive process it will also write it to the specified file.