Skip to content

mrlikl/cfn2iam

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.github/workflows
.github/workflows
 
 
samples
samples
 
 
source
source
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
uv.lock
uv.lock
 
 

Repository files navigation

CloudFormation to IAM (cfn2iam)

A tool to automatically generate minimal IAM policy to deploy a CloudFormation stack from its template.

Live tool here - https://mrlikl.github.io/cfn2iam/

PyPI - https://pypi.org/project/cfn2iam/

Overview

This tool analyzes CloudFormation templates to identify all resource types used, then queries the CloudFormation registry GitHub static website ((https://mrlikl.github.io/cfn2iam/backend/schemas/)) to determine the required IAM permissions for each resource type. It can generate IAM policy documents or create IAM roles with the appropriate permissions.

Features

  • (NEW) Added support for SAM
  • Parse CloudFormation templates in JSON or YAML format
  • Extract resource types and determine required permissions
  • Generate IAM policy documents with appropriate permissions
  • Create IAM roles with the generated permissions
  • Option to allow or deny delete permissions
  • Support for permissions boundaries

Installation

pip install cfn2iam

For IAM role creation functionality:

pip install cfn2iam[iam]

Usage

cfn2iam <template_path> [options]

Options

  • -d, --allow-delete: Allow delete permissions instead of denying them (default: False)
  • -c, --create-role: Create an IAM role with the generated permissions (default: False)
  • -r, --role-name: Name for the IAM role (if not specified, uses 'cfn2iam-<random_hash>')
  • -p, --permissions-boundary: ARN of the permissions boundary to attach to the role

Examples

Generate a policy document from a template:

cfn2iam path/to/template.yaml

Create an IAM role with delete permissions allowed:

cfn2iam path/to/template.yaml -d

Create an IAM role with a custom name:

cfn2iam path/to/template.yaml -r MyCustomRole

Create an IAM role with a permissions boundary:

cfn2iam path/to/template.yaml -p arn:aws:iam::123456789012:policy/boundary

How It Works

  1. The tool parses the CloudFormation template to extract all resource types
  2. For each resource type, it fetches the schema from pre-hosted GitHub schemas (https://mrlikl.github.io/cfn2iam/backend/schemas/)
  3. It categorizes permissions into "update" (create/update/read) and "delete-specific" permissions
  4. It generates a policy document with appropriate Allow and Deny statements
  5. It saves the policy document to a file with a unique name
  6. If requested (default), it creates an IAM role with the generated policy

License

This project is licensed under the MIT License - see the LICENSE file for details.

About

A tool to automatically generate minimal IAM policy to deploy a CloudFormation stack from its template.

mrlikl.github.io/cfn2iam/

Topics

aws cloudformation iam least-permissive policy-generation

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

6 tags

Contributors

Languages