cfn2iam


- Name: cfn2iam
- Version: 0.1.0
- home_page: None
- Summary: A tool to automatically generate minimal IAM policy to deploy a CloudFormation stack from its template.
- upload_time: 2025-08-13 08:48:58
- maintainer: None
- docs_url: None
- author: None
- requires_python: >=3.9
- license: None
- keywords: aws, cloudformation, iam, permissions
- requirements: No requirements were recorded.
- Travis-CI: No Travis.
- coveralls test coverage: No coveralls.

# CloudFormation to IAM (cfn2iam)

A tool that automatically generates a minimal IAM policy for deploying a CloudFormation stack from its template.

## Overview

This tool analyzes CloudFormation templates to identify all resource types used, then queries the CloudFormation registry to determine the required IAM permissions for each resource type. It can generate IAM policy documents or create IAM roles with the appropriate permissions.

## Features

- Parse CloudFormation templates in JSON or YAML format
- Extract resource types and determine required permissions
- Generate IAM policy documents with appropriate permissions
- Create IAM roles with the generated permissions
- Option to allow or deny delete permissions
- Support for permissions boundaries

## Prerequisites

- Python 3.9+
- AWS CLI configured with [CloudFormation DescribeType](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeType.html) permission
- [uv package manager](https://docs.astral.sh/uv/getting-started/installation/)

## Installation

```bash
git clone https://github.com/mrlikl/cfn2iam.git
cd cfn2iam
uv sync
```

## Usage

```bash
python source/app.py <template_file> [options]
# or using shorthand options
python source/app.py -t <template_file> [options]
```

### Arguments

- `template_file` or `-t, --template-file`: Path to the CloudFormation template file (JSON or YAML)

### Options

- `-d, --allow-delete`: Allow delete permissions instead of denying them
- `-c, --create-role`: Create an IAM role with the generated permissions (default: True)
- `-r, --role-name`: Name for the IAM role (if not specified, uses 'cfn2iam-<random_hash>')
- `-p, --permissions-boundary`: ARN of the permissions boundary to attach to the role

### Examples

Generate a policy document from a template (because `--create-role` defaults to True, this also creates the IAM role):
```bash
python source/app.py path/to/template.yaml
# or
python source/app.py -t path/to/template.yaml
```

Create an IAM role with delete permissions denied (default behavior):
```bash
python source/app.py path/to/template.yaml
```

Create an IAM role with delete permissions allowed:
```bash
python source/app.py path/to/template.yaml -d
```

Create an IAM role with a custom name:
```bash
python source/app.py path/to/template.yaml -r MyCustomRole
```

Create an IAM role with a permissions boundary:
```bash
python source/app.py path/to/template.yaml -p arn:aws:iam::123456789012:policy/boundary
```

## How It Works

1. The tool parses the CloudFormation template to extract all resource types
2. For each resource type, it queries the CloudFormation registry to get the required permissions
3. It categorizes permissions into "update" (create/update/read) and "delete-specific" permissions
4. It generates a policy document with appropriate Allow and Deny statements
5. It saves the policy document to a file with a unique name
6. If requested (default), it creates an IAM role with the generated policy
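
Steps 1 to 4 sketched as an added example (not code from the cfn2iam repository): it shows why an action shared by the delete handler and another handler must stay out of the Deny statement, since an explicit Deny overrides any Allow. The sample template, the abbreviated `handlers` excerpts, the function names and the `"Resource": "*"` scope are assumptions made for illustration.

```python
import json

# Constructed sample template in JSON form (not taken from the project).
TEMPLATE = ('{"Resources": {"Logs": {"Type": "AWS::S3::Bucket"}, '
            '"Assets": {"Type": "AWS::S3::Bucket"}, "Queue": {"Type": "AWS::SQS::Queue"}}}')

# Constructed excerpts shaped like the "handlers" section of a registry
# resource schema (the Schema string DescribeType returns). The action
# lists are abbreviated for illustration and are not the real schemas.
SCHEMAS = {
    "AWS::S3::Bucket": {"handlers": {
        "create": {"permissions": ["s3:CreateBucket", "s3:PutBucketTagging"]},
        "read": {"permissions": ["s3:GetBucketTagging", "s3:ListBucket"]},
        "delete": {"permissions": ["s3:DeleteBucket", "s3:ListBucket"]},
    }},
    "AWS::SQS::Queue": {"handlers": {
        "create": {"permissions": ["sqs:CreateQueue", "sqs:GetQueueAttributes"]},
        "update": {"permissions": ["sqs:SetQueueAttributes"]},
        "delete": {"permissions": ["sqs:DeleteQueue", "sqs:GetQueueAttributes"]},
    }},
}

def resource_types(template_text):
    """Step 1: unique resource types declared in the template."""
    resources = json.loads(template_text).get("Resources", {})
    return sorted({r["Type"] for r in resources.values()})

def split_permissions(types, schemas):
    """Steps 2-3: union handler permissions, isolating delete-only actions."""
    keep, delete = set(), set()
    for rtype in types:
        for handler, spec in schemas[rtype]["handlers"].items():
            target = delete if handler == "delete" else keep
            target.update(spec.get("permissions", []))
    # An action that a non-delete handler also needs must stay allowed.
    return sorted(keep), sorted(delete - keep)

def build_policy(template_text, schemas, allow_delete=False):
    """Step 4: Allow the working set; Deny (or Allow) the delete-only set."""
    keep, delete_only = split_permissions(resource_types(template_text), schemas)
    statements = [{"Effect": "Allow", "Action": keep, "Resource": "*"}]
    if delete_only:
        effect = "Allow" if allow_delete else "Deny"
        statements.append({"Effect": effect, "Action": delete_only, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(build_policy(TEMPLATE, SCHEMAS), indent=2))
```
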

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

            

Raw data

            {
    "_id": null,
    "home_page": null,
    "name": "cfn2iam",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.9",
    "maintainer_email": null,
    "keywords": "aws, cloudformation, iam, permissions",
    "author": null,
    "author_email": "S Murali Krishnan <mrlikrsh@gmail.com>",
    "download_url": "https://files.pythonhosted.org/packages/0b/50/7af370733f4b41df6ab11cda04099a18673d5a51f265301d403b9b1c46ea/cfn2iam-0.1.0.tar.gz",
    "platform": null,
    "bugtrack_url": null,
    "license": null,
    "summary": "A tool to automatically generate minimal IAM policy to deploy a CloudFormation stack from its template.",
    "version": "0.1.0",
    "project_urls": {
        "Homepage": "https://github.com/mrlikl/cfn2iam.git"
    },
    "split_keywords": [
        "aws",
        " cloudformation",
        " iam",
        " permissions"
    ],
    "urls": [
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "4406700d9c0092ff8ef986ec70edd4775f96aadbf9f73fd73db713bc1ae7ba47",
                "md5": "d42b0155bc42190977316a6b684be1f3",
                "sha256": "5c2a67711d800bae12f0fec7b9046cc166d47e4426a01eb168838f632a27b896"
            },
            "downloads": -1,
            "filename": "cfn2iam-0.1.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "d42b0155bc42190977316a6b684be1f3",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.9",
            "size": 5862,
            "upload_time": "2025-08-13T08:48:57",
            "upload_time_iso_8601": "2025-08-13T08:48:57.442776Z",
            "url": "https://files.pythonhosted.org/packages/44/06/700d9c0092ff8ef986ec70edd4775f96aadbf9f73fd73db713bc1ae7ba47/cfn2iam-0.1.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "0b507af370733f4b41df6ab11cda04099a18673d5a51f265301d403b9b1c46ea",
                "md5": "ad8edfc251d6950318c35511db486360",
                "sha256": "a05a9d03d1b18725d507d5e75f088e3e56ea0797d07a47dd7ff2d870011eb441"
            },
            "downloads": -1,
            "filename": "cfn2iam-0.1.0.tar.gz",
            "has_sig": false,
            "md5_digest": "ad8edfc251d6950318c35511db486360",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.9",
            "size": 16910,
            "upload_time": "2025-08-13T08:48:58",
            "upload_time_iso_8601": "2025-08-13T08:48:58.680968Z",
            "url": "https://files.pythonhosted.org/packages/0b/50/7af370733f4b41df6ab11cda04099a18673d5a51f265301d403b9b1c46ea/cfn2iam-0.1.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2025-08-13 08:48:58",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "mrlikl",
    "github_project": "cfn2iam",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "cfn2iam"
}
        