CreatePolicy.go


// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0
package main

import (
    "encoding/json"
    "flag"
    "fmt"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/iam"
    "github.com/aws/aws-sdk-go/service/iam/iamiface"
)

// StatementEntry will dictate what this policy allows or doesn't allow.
type StatementEntry struct {
    Effect   string
    Action   []string
    Resource string
}

// PolicyDocument is our definition of our policies to be uploaded to IAM.
type PolicyDocument struct {
    Version   string
    Statement []StatementEntry
}

// MakePolicy creates an IAM policy
// Inputs:
//     svc is an IAM service client
// Output:
//     If success, nil
//     Otherwise, an error from the call to json.Marshall or CreatePolicy
func MakePolicy(svc iamiface.IAMAPI, policyName *string) error {
    // Builds our policy document for IAM.
    policy := PolicyDocument{
        Version: "2012-10-17",
        Statement: []StatementEntry{
            StatementEntry{
                Effect: "Allow",
                Action: []string{
                    "logs:CreateLogGroup", // Allow for creating log groups
                },
                Resource: "RESOURCE ARN FOR logs:*",
            },
            StatementEntry{
                Effect: "Allow",
                // Allows for DeleteItem, GetItem, PutItem, Scan, and UpdateItem
                Action: []string{
                    "dynamodb:DeleteItem",
                    "dynamodb:GetItem",
                    "dynamodb:PutItem",
                    "dynamodb:Scan",
                    "dynamodb:UpdateItem",
                },
                Resource: "RESOURCE ARN FOR dynamodb:*",
            },
        },
    }

    b, err := json.Marshal(&policy)
    if err != nil {
        return err
    }

    _, err = svc.CreatePolicy(&iam.CreatePolicyInput{
        PolicyDocument: aws.String(string(b)),
        PolicyName:     policyName,
    })
    return err
}

func main() {
    policyName := flag.String("n", "", "The name of the policy")
    flag.Parse()

    if *policyName == "" {
        fmt.Println("You must supply the name of the policy (-n POLICY)")
        return
    }

    sess := session.Must(session.NewSessionWithOptions(session.Options{
        SharedConfigState: session.SharedConfigEnable,
    }))

    svc := iam.New(sess)

    err := MakePolicy(svc, policyName)
    if err != nil {
        fmt.Println("Got an error creating the policy:")
        fmt.Println(err)
        return
    }

    fmt.Println("Created policy " + *policyName)
}
Warning Javascript is disabled or is unavailable in your browser.
To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.
Document Conventions
CreatePolicy
CreatePolicy_test.go