Explainable IAM
Introduction
Section titled “Introduction”The IAM Policy Engine logs output related to failed policy evaluation directly to the LocalStack logs. You can enable DEBUG=1 to gain visibility into these log messages, allowing you to identify the additional policies required for your request to succeed.
Getting started
Section titled “Getting started”This guide is designed for users new to Explainable IAM and assumes basic knowledge of the AWS CLI and our awslocal wrapper script.
Start your LocalStack container with the DEBUG=1 and ENFORCE_IAM=1 environment variables set:
In this guide, we will create a policy for creating Lambda functions by only allowing the lambda:CreateFunction permission. However we have not included the iam:PassRole permission, and we will use the Policy Engine’s log to point out adding the necessary permission.
Create a new user
Section titled “Create a new user”Create a policy document named policy_1.json and add the following content:
You can now create a new user named test-user, and put the policy in place by executing the following commands:
You can further create an access key for the user by executing the following command:
Export the access key and secret key as environment variables:
Attempt to create a Lambda function
Section titled “Attempt to create a Lambda function”You can now attempt to create a Lambda function using the newly created user’s credentials:
You can inspect the LocalStack logs, to observe the presence of five log entries directly related to the denied request:
Upon examination, it becomes apparent that the action iam:PassRole is not allowed; rather, it is implicitly denied for your user concerning the resource arn:aws:iam::000000000000:role/lambda-role. This implies that there is no explicit deny statement in the relevant policies, but there is also no allow statement, resulting in the implicit denial of the action. You can incorporate this action into the policy.
Incorporate the action into the policy
Section titled “Incorporate the action into the policy”For illustrative purposes, we will keep the example straightforward, using the same wildcard resource. Edit the policy_1.json file to include the iam:PassRole action:
Re-run the Lambda CreateFunction API. You will notice that the request is now successful, and the function is created.
Soft Mode
Section titled “Soft Mode”Enabling IAM_SOFT_MODE=1 allows you to review the logs and assess whether your requests would have been denied or granted while executing your entire stack without disruptions.
Using this, you can avoid the need for redeployment to address each missing permission individually, streamlining the debugging process and enhancing the efficiency of your IAM configurations.