"IAMbic: the Terraform of Cloud IAM"
Easily manage and streamline cloud Identity and Access Management (IAM) with IAMbic, a multi-cloud IAM control plane. Discover more at https://docs.iambic.org.
- Universal Cloud Identity: Unify cloud identity management for AWS, Okta, Azure Active Directory and Google Workspace, with more providers to come.
- Temporary Access: Declaratively define and automate expiration dates for resources, permissions, and access rules.
- Dynamic AWS Permissions: Simplify multi-account AWS management with flexible templates, allowing multi-account roles to have different permissions and access rules on different accounts.
- Drift Prevention: Protect the IAM resources you want to be exclusively managed via IAMbic. What is in Git becomes the absolute source of truth.
- GitOps-driven Cloud IAM (IAMOps): Leverage GitOps-driven Cloud IAM with human-readable formats and your favorite tools.
- Centralized Management: IAMbic keeps Git updated with the latest, complete state of your cloud environment, maintaining a single source of truth for auditing and compliance across multiple cloud providers in Git.
- Extendable: Integrate with various clouds and applications through a powerful plugin architecture.
- Auditable: Track changes to IAM policies, permissions, and rules with Git history. For AWS, IAMbic annotates out-of-band changes it imports with the matching CloudTrail details, so a permission that was granted in the console rather than through Git shows up as a commit with the actor and event attached.
Dive into IAMbic with our quick-start guide and explore powerful template examples for AWS Multi-Account Roles, Dynamic Permissions, Okta Applications and Group Assignments, Azure Active Directory Users and Groups, and Google Workspace Group Assignments. We are rapidly expanding support for existing resources and cloud providers, so check back often!
IAMbic is available on PyPI:
python -m pip install iambic-core
IAMbic officially supports Python 3.9+.
Here are some examples showcasing IAMbic's capabilities:
Create a CloudWatch role with static permissions across three accounts, deriving the role name from the account it is deployed to. This template results in three roles, "dev_cloudwatch", "staging_cloudwatch" and "prod_cloudwatch", on the respective AWS accounts. The inline policy grants read-only CloudWatch Logs actions; keep any attached managed policy scoped to the same purpose (the example attaches the AWS-managed CloudWatchReadOnlyAccess policy rather than a broad policy such as AdministratorAccess). See the Getting Started guide for AWS for more information.
```yaml
template_type: NOQ::AWS::IAM::Role
identifier: '{{var.account_name}}_cloudwatch'
included_accounts:
  - dev
  - staging
  - prod
properties:
  description:
    - description: CloudWatch role for {{var.account_name}}
  assume_role_policy_document:
    statement:
      - action:
          - sts:AssumeRole
          - sts:TagSession
        effect: Allow
        principal:
          aws: arn:aws:iam::123456789012:role/ExampleRole
    version: '2012-10-17'
  inline_policies:
    - policy_name: cloudwatch_logs
      statement:
        - effect: Allow
          action:
            - logs:DescribeLogGroups
            - logs:DescribeLogStreams
            - logs:GetLogEvents
            - logs:GetLogRecord
            - logs:GetQueryResults
            - logs:TestMetricFilter
            - logs:FilterLogEvents
            - logs:StartQuery
            - logs:StopQuery
          resource: "*"
  managed_policies:
    # Read-only managed policy that matches the role's purpose.
    - policy_arn: arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
  role_name: '{{var.account_name}}_cloudwatch'
  tags:
    - key: owner
      value: devops
```
Create a backend developer role whose permissions vary by AWS account. The template is deployed to every account except `compliance`; the read statement applies everywhere except `customer_data`, and the write statement applies only on `dev`, so on `customer_data` the role ends up with no S3 statements at all. Note that `s3:ListBucket` is the action that lists a bucket (there is no `s3:ListObject`), and use a condition key that S3 actually evaluates for the action: `s3:ExistingObjectTag/<key>` for reads of existing objects, `s3:RequestObjectTag/<key>` for writes. With `StringNotEquals`, a key that is absent from the request context evaluates to true, so a mistyped key silently allows access to everything. See the Getting Started guide for AWS for more information.
```yaml
template_type: NOQ::AWS::IAM::Role
identifier: '{{var.account_name}}_backend_developer'
included_accounts:
  - '*'
excluded_accounts:
  - compliance
properties:
  description:
    - description: Backend developer role for {{var.account_name}}
  assume_role_policy_document:
    statement:
      - action:
          - sts:AssumeRole
          - sts:TagSession
        effect: Allow
        principal:
          aws: arn:aws:iam::123456789012:role/ExampleRole
    version: '2012-10-17'
  inline_policies:
    - policy_name: s3_policy
      statement:
        # Read access on every account except `customer_data`; objects already
        # tagged sensitive=true are excluded by the condition.
        - excluded_accounts:
            - customer_data
          effect: Allow
          action:
            - s3:GetObject
            - s3:ListBucket
          resource:
            - "*"
          condition:
            StringNotEquals:
              s3:ExistingObjectTag/sensitive: 'true'
        # Write access on the dev account only; writes that would tag the new
        # object sensitive=true are excluded by the condition.
        - included_accounts:
            - dev
          effect: Allow
          action:
            - s3:PutObject
          resource:
            - "*"
          condition:
            StringNotEquals:
              s3:RequestObjectTag/sensitive: 'true'
  role_name: '{{var.account_name}}_backend_developer'
  tags:
    - key: owner
      value: devops
```
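The following added example (not IAMbic's own code) shows what the template above resolves to on each account. It mirrors the `included_accounts` / `excluded_accounts` semantics at template level and statement level with a simplified resolver: the organization's account list, the `*` glob matching, the "missing `included_accounts` means every account" default and the `{{var.account_name}}` substitution are assumptions made for illustration, and the template is embedded as a Python dict so the script runs without PyYAML.

```python
"""Resolve a multi-account IAMbic-style role template into the concrete role
each AWS account would receive. Added example; not IAMbic's resolver."""
import copy
import fnmatch
import re

# Constructed account names for a hypothetical AWS organization.
ACCOUNTS = ["dev", "staging", "prod", "customer_data", "compliance"]

# The README's backend-developer template as a dict (trust policy omitted;
# it is not affected by account scoping).
TEMPLATE = {
    "template_type": "NOQ::AWS::IAM::Role",
    "identifier": "{{var.account_name}}_backend_developer",
    "included_accounts": ["*"],
    "excluded_accounts": ["compliance"],
    "properties": {
        "role_name": "{{var.account_name}}_backend_developer",
        "inline_policies": [{
            "policy_name": "s3_policy",
            "statement": [
                {   # read everywhere except customer_data
                    "excluded_accounts": ["customer_data"],
                    "effect": "Allow",
                    "action": ["s3:GetObject", "s3:ListBucket"],
                    "resource": ["*"],
                    "condition": {"StringNotEquals": {"s3:ExistingObjectTag/sensitive": "true"}},
                },
                {   # write on dev only
                    "included_accounts": ["dev"],
                    "effect": "Allow",
                    "action": ["s3:PutObject"],
                    "resource": ["*"],
                    "condition": {"StringNotEquals": {"s3:RequestObjectTag/sensitive": "true"}},
                },
            ],
        }],
    },
}

VAR_RE = re.compile(r"\{\{\s*var\.account_name\s*\}\}")
SCOPE_KEYS = ("included_accounts", "excluded_accounts")


def applies_to(scope: dict, account: str) -> bool:
    """True if a template or statement is in scope for `account`.
    Assumptions: no included_accounts means every account, an exclusion
    always beats an inclusion, and entries are shell-style globs."""
    included = scope.get("included_accounts", ["*"])
    excluded = scope.get("excluded_accounts", [])
    if any(fnmatch.fnmatchcase(account, pat) for pat in excluded):
        return False
    return any(fnmatch.fnmatchcase(account, pat) for pat in included)


def render(value, account: str):
    """Substitute {{var.account_name}} in every nested string."""
    if isinstance(value, str):
        return VAR_RE.sub(account, value)
    if isinstance(value, list):
        return [render(v, account) for v in value]
    if isinstance(value, dict):
        return {k: render(v, account) for k, v in value.items()}
    return value


def resolve_role(template: dict, account: str):
    """Concrete role for one account, or None if the role is not deployed there.
    Scoping keys are stripped because they are IAMbic metadata, not IAM policy
    language; a policy left with no statements is dropped, since AWS rejects
    an empty Statement list."""
    if not applies_to(template, account):
        return None
    props = copy.deepcopy(template["properties"])
    policies = []
    for policy in props.get("inline_policies", []):
        statements = [
            {k: v for k, v in stmt.items() if k not in SCOPE_KEYS}
            for stmt in policy.get("statement", [])
            if applies_to(stmt, account)
        ]
        if statements:
            policies.append({"policy_name": policy["policy_name"], "statement": statements})
    props["inline_policies"] = policies
    return render(props, account)


def resolve_all(template: dict, accounts):
    """Map each in-scope account to its resolved role."""
    roles = {acct: resolve_role(template, acct) for acct in accounts}
    return {acct: role for acct, role in roles.items() if role is not None}


def actions_for(role: dict):
    """Flat list of actions granted by the role's inline policies."""
    return [a for p in role["inline_policies"] for s in p["statement"] for a in s["action"]]


if __name__ == "__main__":
    for acct, role in resolve_all(TEMPLATE, ACCOUNTS).items():
        print(f"{role['role_name']}: {actions_for(role) or 'no inline policy'}")
```

Running it shows `dev_backend_developer` with read and write actions, `staging`/`prod` with read only, `customer_data_backend_developer` with no inline policy, and no role at all on `compliance`; reviewing this resolved view per account, rather than the template alone, is the quickest way to catch a scoping mistake before it is applied.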
Manage Okta application assignments, including expiration dates for specific users. See the Getting Started guide for Okta for more information.
```yaml
template_type: NOQ::Okta::App
idp_name: development
properties:
  name: Salesforce.com
  assignments:
    - user: [email protected]
    - user: [email protected]
    - user: [email protected]
      expires_at: 2023-09-01T00:00 UTC
  status: ACTIVE
```
Easily manage Okta group assignments with expiration dates for members. See the Getting Started guide for Okta for more information.
```yaml
template_type: NOQ::Okta::Group
idp_name: main
properties:
  name: engineering_interns
  description: Engineering Interns
  members:
    - username: [email protected]
      expires_at: 2023-09-01  # Interns' last day
    - username: [email protected]
      expires_at: 2023-09-01
```
Manage Google Workspace group assignments, including temporary access for external users. See the Getting Started guide for Google Workspace for more information.
```yaml
template_type: NOQ::GoogleWorkspace::Group
properties:
  name: DockerHub
  description: Dockerhub Access
  domain: example.com
  email: [email protected]
  members:
    - email: [email protected]
      role: OWNER
    - email: [email protected]
    - email: [email protected]
      expires_at: 2023-03-05
```
Manage Azure Active Directory users and their attributes. Here the top-level expires_at applies to the template as a whole rather than to a single member. See the Getting Started guide for Azure AD for more information.
```yaml
expires_at: 2025-01-01
template_type: NOQ::AzureAD::User
idp_name: development
properties:
  display_name: Example User
  given_name: Example
  username: [email protected]
```
Manage Azure Active Directory groups and group assignments, including temporary access for external users. See the Getting Started guide for Azure AD for more information.
```yaml
template_type: NOQ::AzureAD::Group
idp_name: development
properties:
  name: iambic_test_group
  description: A test group to use with IAMbic
  members:
    - name: [email protected]
      data_type: user
      expires_at: tomorrow
```
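The Okta, Google Workspace and Azure AD templates above all rely on `expires_at` to make an assignment temporary. The added example below (not IAMbic's own code) evaluates such members at a given moment and splits them into active and expired, and lists the ones about to lapse. Its date parser is a simplified stand-in that accepts only the shapes seen in these templates (`2023-09-01`, `2023-09-01T00:00 UTC`, `tomorrow`) plus `in N days`; the member list is constructed for illustration.

```python
"""Evaluate expires_at on group/application members. Added example; the
parser is a simplified stand-in, not IAMbic's date handling."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

RELATIVE_DAYS = {"today": 0, "tomorrow": 1, "yesterday": -1}
IN_N_DAYS_RE = re.compile(r"^in (\d+) days?$")

# Constructed members in the shape of the README's Okta group example.
MEMBERS = [
    {"username": "lead@example.com"},                                   # permanent
    {"username": "intern1@example.com", "expires_at": "2023-09-01"},    # date only
    {"username": "intern2@example.com", "expires_at": "2023-09-01T00:00 UTC"},
    {"username": "contractor@example.com", "expires_at": "tomorrow"},   # relative
    {"username": "vendor@example.com", "expires_at": "in 30 days"},
]


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Aware UTC datetime; keeps comparisons unambiguous."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_expires_at(value, now: datetime) -> Optional[datetime]:
    """Parse an expires_at value into an aware UTC datetime, or None if unset.
    A date-only value expires at the start of that day (UTC), the earliest
    reading, so access is never kept longer than the author may have meant.
    Relative values are resolved against `now`."""
    if value is None:
        return None
    text = str(value).strip()
    lowered = text.lower()
    if lowered in RELATIVE_DAYS:
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        return midnight + timedelta(days=RELATIVE_DAYS[lowered])
    m = IN_N_DAYS_RE.match(lowered)
    if m:
        return now + timedelta(days=int(m.group(1)))
    text = re.sub(r"\s*UTC$", "", text, flags=re.IGNORECASE)
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def member_id(member: dict) -> str:
    """Okta uses username, Google Workspace email, Azure AD name."""
    return member.get("username") or member.get("email") or member["name"]


def partition_members(members, now: datetime):
    """Split members into (active, expired) at time `now`; an expiry equal to
    `now` counts as expired and a member without expires_at is permanent."""
    active, expired = [], []
    for member in members:
        expiry = parse_expires_at(member.get("expires_at"), now)
        (expired if expiry is not None and expiry <= now else active).append(member)
    return active, expired


def active_ids(members, now: datetime):
    return [member_id(m) for m in partition_members(members, now)[0]]


def expiring_within(members, now: datetime, days: int):
    """Ids of still-active members whose expiry falls within `days` of now;
    useful as a heads-up before a temporary grant silently disappears."""
    horizon = now + timedelta(days=days)
    out = []
    for member in partition_members(members, now)[0]:
        expiry = parse_expires_at(member.get("expires_at"), now)
        if expiry is not None and expiry <= horizon:
            out.append(member_id(member))
    return out


if __name__ == "__main__":
    now = utc(2023, 8, 31, 12)
    print("active:", active_ids(MEMBERS, now))
    print("expiring in 7 days:", expiring_within(MEMBERS, now, 7))
```

One caveat the parser makes visible: a relative value such as `tomorrow` is resolved against whenever the template is evaluated, so it only means what the author intended at the moment it was written; pin such values to an absolute timestamp before they are committed, otherwise every later run re-derives a new date.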
Preview a standalone IAMbic templates repository to see how IAMbic tracks multi-cloud IAM assets in GitHub. That repository is public so you can study it; your own templates repository does not need to be public.
IAMbic is currently in beta, and is not yet recommended for use in production environments. We are actively working to improve the stability and performance of the software, and welcome feedback from the community.
If you choose to use IAMbic in its current state, please be aware that you may encounter bugs, performance issues, or other unexpected behavior. We strongly recommend testing IAMbic thoroughly in a non-production environment before using it in production.
Please report any issues or feedback to our GitHub issue tracker. Thank you for your support and contributions to the project!
Contributions to IAMbic are welcome and encouraged! If you find a bug or want to suggest an enhancement, please open an issue. Pull requests are also welcome.
If you have any questions or feedback, please reach out to us on Slack. We'd love to hear from you!
IAMbic is licensed under the Apache-2.0 license. Commercial licenses and support are also available from Noq Software, Inc.
Provider plugins (such as the AWS, Okta, Azure Active Directory, and Google Workspace plugins) are licensed under Apache 2.0. You are free to write your own provider plugins for internal services without releasing their source code.
For more information, please visit https://docs.iambic.org/license.