iam

package

v0.0.0-...-d2c4f05 Latest Latest Go to latest Published: Aug 29, 2018 License: MIT Imports: 2 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pat00x/rbac

Links

Open Source Insights

README ¶

IAM Example

This examples shows how to use rbac to implement a permissions model similar to AWS IAM policies. The permission model makes use of the following patterns:

Each action is a string with the following format: "action_type:object_type", e.g. "list:users" or "delete:comment".
Each target is a unique identifier for the specified object_type in the action string (where applicable). IAM uses their concept of ARNs, which works well in this model as ARNs typically contain metadata about the object they represent. A typical ARN has the following pattern:

arn:aws:<service_name>:<region>:<account_id>:<object_type>:<object_id>

Roles

This section contains some example rbac.Role objects that can be created by using these patterns.

Administrator

This rbac.Role can do any action on any target.

func NewAdminRole() rbac.Role {
        return rbac.Role{
                RoleID: "Admin",
                Permissions: []rbac.Permission{
                        rbac.NewGlobPermission("*", "*"),
                },
        }
}

ReadOnly

This rbac.Role can do any read action on any target.

func NewReadOnlyRole() rbac.Role {
        return rbac.Role{
                RoleID: "Admin",
                Permissions: []rbac.Permission{
                        rbac.NewGlobPermission("read:*", "*"),
                },
        }
}

EC2Admin

This rbac.Role can do any action as long as the target belongs to the ec2 service.

func NewEC2AdminRole() rbac.Role {
        return rbac.Role{
                RoleID: "EC2Admin",
                Permissions: []rbac.Permission{
                        rbac.NewGlobPermission("*", "arn:aws:ec2:*"),
                },
        }
}

S3BucketReadOnly

This rbac.Role can do any read action as long as the target belongs to the specified S3 bucket.

func NewS3BucketReadOnlyRole(bucket string) rbac.Role {
        return rbac.Role{
                RoleID: "S3BucketReadOnly",
                Permissions: []rbac.Permission{
                        rbac.NewGlobPermission("read:*", fmt.Sprintf("arn:aws:s3:::%s*", bucket)),
                },
        }
}

Documentation ¶

Index ¶

func NewAdminRole() rbac.Role
func NewEC2AdminRole() rbac.Role
func NewReadOnlyRole() rbac.Role
func NewS3BucketReadOnlyRole(bucket string) rbac.Role

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewAdminRole ¶

func NewAdminRole() rbac.Role

NewAdminRole returns a rbac.Role that can do any action on any target.

func NewEC2AdminRole ¶

func NewEC2AdminRole() rbac.Role

NewEC2AdminRole returns a rbac.Role that can do any action as long as the target belongs to the "ec2" service.

func NewReadOnlyRole ¶

func NewReadOnlyRole() rbac.Role

NewReadOnlyRole returns a rbac.Role that can do any "read" action on any target.

func NewS3BucketReadOnlyRole ¶

func NewS3BucketReadOnlyRole(bucket string) rbac.Role

NewS3BucketReadOnlyRole returns a rbac.Role that can do any "read" action as long as the target belongs to the specified S3 bucket.

Types ¶

This section is empty.

Source Files ¶

View all Source files

iam.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL