#amazon-iam #iam-policy #aws #statement #policies #resources #json

bin+lib aws-iam

A Rust crate for dealing with AWS IAM Policy resources

3 releases

0.2.2 Jun 15, 2022
0.2.1 Nov 6, 2019
0.2.0 Nov 6, 2019

#161 in Authentication


178 downloads per month

MIT license

3.5K SLoC

Crate aws-iam



Importing aws_iam::model provides the core types needed to build Policy documents programmatically. aws_iam::model::builder adds a fluent interface for constructing Policies. The aws_iam::io module provides simple read and write functions; the write functions produce pretty-printed JSON.

The aws_iam::report module provides a set of traits for visiting a Policy model, together with implementations of those traits that write formatted versions of a Policy as documentation.


use aws_iam::model::*;
use aws_iam::io::write_to_writer;
use std::io::stdout;

// Abbreviated builder chain; the statement and condition builders sit between
// these calls and are documented in the crate's model::builder module.
let policy: Policy = PolicyBuilder::new()
        .may_perform_actions(vec!["s3:List*", "s3:Get*"])
            .right_hand_bool("aws:MultiFactorAuthPresent", true)
write_to_writer(stdout(), &policy);

This results in the following JSON (the Resource entries are not shown on this page):

{
  "Id": "confidential-data-access",
  "Statement": {
    "Sid": "sid_e4d7f2d3-cfed-4346-9c5e-a8e9e38ef44f",
    "Effect": "Allow",
    "Action": [
      "s3:List*",
      "s3:Get*"
    ],
    "Resource": [
      ...
    ],
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "true"
      }
    }
  }
}

policy Command-Line Tool

The policy tool provides some very basic operations on policy resources. The most useful of these is verify, which reads a file, parses it and produces formatted output; the documentation form of that output is handy for describing common policies.

$ policy -h
policy 0.2.0

USAGE:
    policy [FLAGS] <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information
    -v, --verbose    The level of logging to perform, from off to trace

SUBCOMMANDS:
    help      Prints this message or the help of the given subcommand(s)
    new       Create a new default policy document
    verify    Verify an existing policy document

For example, given the following JSON policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllUsersNotUsingMFA",
    "Effect": "Deny",
    "NotAction": "iam:*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}

the command policy verify -f markdown produces the following output.

IAM Policy Version: 2012-10-17

Statement ID: DenyAllUsersNotUsingMFA

  • Action NOT = "iam:*"
  • Resource = "*"
  • Condition IF EXISTS aws:MultiFactorAuthPresent THEN
    • aws:MultiFactorAuthPresent Bool "false"

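As an added example (not code from the aws-iam crate or its author), the following self-contained Rust program sketches how the pieces described above fit together: a small policy model, a fluent statement builder, a JSON writer that follows IAM's one-value-or-list convention for Action/Resource and for the Statement element, and a renderer that produces the documentation form shown for policy verify -f markdown. Every type and method name here (Statement::named, all_actions_except, if_bool_exists, to_json, to_markdown and so on) is this example's own and assumed, not the crate's API; the sample policy is the MFA Deny policy from this page.

```rust
// Added example, not the aws-iam crate's code: a miniature IAM policy model with a
// fluent statement builder, a JSON writer and a documentation renderer in the
// style of `policy verify -f markdown`. All names are this example's own (assumed).
use std::fmt::Write;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Effect { Allow, Deny }

/// One condition block of the form {"<op>": {"<key>": "<value>"}}.
#[derive(Clone, Debug)]
pub struct Condition { pub op: String, pub key: String, pub value: String }

#[derive(Clone, Debug)]
pub struct Statement {
    pub sid: String,
    pub effect: Effect,
    pub actions: Vec<String>,
    pub negate_actions: bool, // true => written as "NotAction"
    pub resources: Vec<String>,
    pub condition: Option<Condition>,
}

#[derive(Clone, Debug)]
pub struct Policy { pub version: String, pub statements: Vec<Statement> }

fn strings(items: &[&str]) -> Vec<String> { items.iter().map(|s| s.to_string()).collect() }

impl Statement {
    /// Start a statement; a Deny with nothing else is the safest default.
    pub fn named(sid: &str) -> Self {
        Statement { sid: sid.to_string(), effect: Effect::Deny, actions: vec![],
                    negate_actions: false, resources: vec![], condition: None }
    }
    pub fn allows(mut self) -> Self { self.effect = Effect::Allow; self }
    pub fn denies(mut self) -> Self { self.effect = Effect::Deny; self }
    pub fn may_perform_actions(mut self, a: &[&str]) -> Self {
        self.actions = strings(a); self.negate_actions = false; self
    }
    /// Everything except the listed actions ("NotAction"), as in the MFA policy.
    pub fn all_actions_except(mut self, a: &[&str]) -> Self {
        self.actions = strings(a); self.negate_actions = true; self
    }
    pub fn on_resources(mut self, r: &[&str]) -> Self { self.resources = strings(r); self }
    /// BoolIfExists: the condition also holds when the key is absent from the request.
    pub fn if_bool_exists(mut self, key: &str, value: bool) -> Self {
        self.condition = Some(Condition { op: "BoolIfExists".into(), key: key.into(), value: value.to_string() });
        self
    }
}

impl Policy {
    pub fn new(version: &str) -> Self { Policy { version: version.into(), statements: vec![] } }
    pub fn with(mut self, s: Statement) -> Self { self.statements.push(s); self }
}

fn json_str(s: &str) -> String { format!("\"{}\"", s.replace('\\', "\\\\").replace('"', "\\\"")) }
fn quoted_list(v: &[String]) -> String { v.iter().map(|x| json_str(x)).collect::<Vec<_>>().join(", ") }

/// IAM accepts a bare string where a one-element list would do; mirror that form.
fn one_or_many(items: &[String]) -> String {
    match items { [only] => json_str(only), _ => format!("[{}]", quoted_list(items)) }
}

fn statement_json(s: &Statement) -> String {
    let action_key = if s.negate_actions { "NotAction" } else { "Action" };
    let mut out = format!("{{\"Sid\": {}, \"Effect\": {}, \"{}\": {}, \"Resource\": {}",
        json_str(&s.sid), json_str(&format!("{:?}", s.effect)), action_key,
        one_or_many(&s.actions), one_or_many(&s.resources));
    if let Some(c) = &s.condition {
        write!(out, ", \"Condition\": {{{}: {{{}: {}}}}}",
            json_str(&c.op), json_str(&c.key), json_str(&c.value)).unwrap();
    }
    out.push('}');
    out
}

/// Serialise the policy; one statement is written as an object, several as an array.
pub fn to_json(p: &Policy) -> String {
    let stmts: Vec<String> = p.statements.iter().map(statement_json).collect();
    let body = if stmts.len() == 1 { stmts[0].clone() } else { format!("[{}]", stmts.join(", ")) };
    format!("{{\"Version\": {}, \"Statement\": {}}}", json_str(&p.version), body)
}

/// Render the documentation form shown for `policy verify -f markdown`.
pub fn to_markdown(p: &Policy) -> String {
    let mut out = format!("IAM Policy Version: {}\n", p.version);
    for s in &p.statements {
        writeln!(out, "\nStatement ID: {}\n", s.sid).unwrap();
        writeln!(out, "  • Effect = {:?}", s.effect).unwrap();
        writeln!(out, "  • Action {}= {}", if s.negate_actions { "NOT " } else { "" }, quoted_list(&s.actions)).unwrap();
        writeln!(out, "  • Resource = {}", quoted_list(&s.resources)).unwrap();
        if let Some(c) = &s.condition {
            // "BoolIfExists" renders as "IF EXISTS ... THEN" with the base operator "Bool" below it.
            let op = c.op.strip_suffix("IfExists").unwrap_or(&c.op);
            let prefix = if op.len() < c.op.len() { "IF EXISTS " } else { "" };
            writeln!(out, "  • Condition {}{} THEN", prefix, c.key).unwrap();
            writeln!(out, "    • {} {} {}", c.key, op, json_str(&c.value)).unwrap();
        }
    }
    out
}

/// The "deny everything except iam:* unless MFA is present" policy from this page.
pub fn mfa_deny_policy() -> Policy {
    Policy::new("2012-10-17").with(
        Statement::named("DenyAllUsersNotUsingMFA")
            .denies()
            .all_actions_except(&["iam:*"])
            .on_resources(&["*"])
            .if_bool_exists("aws:MultiFactorAuthPresent", false),
    )
}

fn main() {
    let policy = mfa_deny_policy();
    println!("{}\n\n{}", to_json(&policy), to_markdown(&policy));
}
```

Running the program prints the single-statement JSON (object form, with NotAction as a bare string) followed by the rendered documentation; adding a second statement or a second action switches the writer to the array forms, which is the same flexibility the crate's model has to accept when reading real policies.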

Version 0.2.2

  • Added implementations of common equality, ordering, and hashing traits (See Issue #19).

Version 0.2.1

  • Fixing missing_docs warnings.
  • Removed any_of(), condition_one(), and one() from builder, replaced with functions on Action, Principal, and Resource.

Version 0.2.0

  • First commit to Crates.io.
  • Completed markdown support for policy tool verification.
  • Completed changes to the model to support NotAction, NotPrincipal, and NotResource.
  • Filled obvious gaps in documentation.

Version 0.1.0

  • Initial commit stream to GitHub from private project.
  • Goal was to complete the existing model, documentation and add the policy tool.


  1. Add LaTeX output to policy.

