Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
668b4d000b
constellation/hack/terraform/aws/iam/README.md
Fabian Kammel 668b4d000b
document usage of iamlive (#443) 
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-11-04 14:01:23 +01:00

934 B
Raw Blame History

IAM

iamlive

iamlive dynamically determines the minimal permissions to call a set of AWS API calls.

It uses a local proxy to intercept API calls and incrementally generate the AWS policy.

In one session start iamlive:

iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json

In another session execute terraform:

PREFIX="record-iam"
terraform init
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX}
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX}

iamlive will present the generated policy, and after <CTRL-C> the iamlive process it will also write it to the specified file.