Linting IAM Policies Automatically in Your Pipeline
2024 February 16

When writing IAM policies there are a lot of concerns that must be taken into account. These JSON documents can be the cause of a lot of hurt when deploying them. People often mess up formating, write overly broad permissions, and just don’t get them perfect the first time. Sure you could use a dumb linter just for JSON, but that doesn’t cover all the potential screw ups. So I want to share a smarter linter I found and how we integrated into our deployment pipeline.

It’s called Parliament and was created by Duo Labs, and has been integrated into many other projects like CloudMapper, iamlive, and various other things. The repository does look a bit dead, but at this point it seems that the library has been feature complete so don’t worry about the lack of recent commits. That’s a bad way of judging product health, and shows fear over something being done.

So the main challenge is that not all of your IAM policies will be in JSON, some might be defined in cloudformation templates or yaml files or nested inside of other json objects. For that we have jq (previously showcased), which allows us to manipulate and extract JSON objects on the command line.

So the key parts are identifying where your IAM policies are and getting them into the json format. Fortunately bash provides that with here files and most cicd in this day and age is just a docker container returning pass or fail based on command return code.

So wrapping up our solution looks like this.

pip install parliament
parliament --file your_iam_policy.json

# Unless of course you need to manipulate them in some way
parliament --file <(jq .your_policy target_file.json)

Remember you can also subscribe using RSS at the top of the page!

Share this on → Mastodon Twitter LinkedIn Reddit

A selected list of related posts that you might enjoy:

Written by Henry J Schmale on 2024 February 16
Hit Counter