Groundwork for Azure and GCP

iann0036 · Sep 16, 2023 · 2744025 · 2744025
1 parent 012caab
commit 2744025
Show file tree

Hide file tree

Showing 549 changed files with 116,008 additions and 85 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,9 @@
 # iamlive
 
-> Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy
+> Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy
+
+> [!IMPORTANT]  
+> The Azure and Google Cloud providers are in preview and may produce incorrect outputs at this time
 
 ![](https://raw.githubusercontent.com/iann0036/iamlive/assets/iamlive.gif)
 
@@ -32,7 +35,7 @@ brew install iann0036/iamlive/iamlive
 
 ### Other Methods
 
-* [Lambda Extension](https://github.com/iann0036/iamlive-lambda-extension)
+* [Lambda Extension](https://github.com/iann0036/iamlive-lambda-extension) _(AWS only)_
 * [Docker](https://meirg.co.il/2021/04/23/determining-aws-iam-policies-according-to-terraform-and-aws-cli/)
 * [GitHub Action (with Terraform)](https://github.com/scott-doyland-burrows/gha-composite-terraform-iamlive)
 
@@ -44,33 +47,35 @@ To start the listener, simply run `iamlive` in a separate window to your CLI / S
 
 You can optionally also include the following arguments to the `iamlive` command:
 
-**--set-ini:** when set, the `.aws/config` file will be updated to use the CSM monitoring or CA bundle and removed when exiting (_default: false_)
+**--provider:** the cloud service provider to intercept calls for (`aws`,`azure`,`gcp`) (_default: aws_)
+
+**--set-ini:** when set, the `.aws/config` file will be updated to use the CSM monitoring or CA bundle and removed when exiting (_default: false_) (_AWS only_)
 
-**--profile:** use the specified profile when combined with `--set-ini` (_default: default_)
+**--profile:** use the specified profile when combined with `--set-ini` (_default: default_) (_AWS only_)
 
-**--fails-only:** when set, only failed AWS calls will be added to the policy, csm mode only (_default: false_)
+**--fails-only:** when set, only failed AWS calls will be added to the policy, csm mode only (_default: false_) (_AWS only_)
 
 **--output-file:** specify a file that will be written to on SIGHUP or exit (_default: unset_)
 
 **--refresh-rate:** instead of flushing to console every API call, do it this number of seconds (_default: 0_)
 
-**--sort-alphabetical:** sort actions alphabetically (_default: false_)
+**--sort-alphabetical:** sort actions alphabetically (_default: false for AWS, otherwise true_)
 
 **--host:** host to listen on for CSM (_default: 127.0.0.1_)
 
 **--background:** when set, the process will return the current PID and run in the background without output (_default: false_)
 
-**--force-wildcard-resource:** when set, the Resource will always be a wildcard (_default: false_)
+**--force-wildcard-resource:** when set, the Resource will always be a wildcard (_default: false_) (_AWS only_)
 
-**--mode:** the listening mode (`csm`,`proxy`) (_default: csm_)
+**--mode:** the listening mode (`csm`,`proxy`) (_default: csm for aws, otherwise proxy_)
 
 **--bind-addr:** the bind address for proxy mode (_default: 127.0.0.1:10080_)
 
 **--ca-bundle:** the CA certificate bundle (PEM) to use for proxy mode (_default: ~/.iamlive/ca.pem_)
 
 **--ca-key:** the CA certificate key to use for proxy mode (_default: ~/.iamlive/ca.key_)
 
-**--account-id:** the AWS account ID to use in policy outputs within proxy mode (_default: 123456789012 unless detected_)
+**--account-id:** the AWS account ID to use in policy outputs within proxy mode (_default: 123456789012 unless detected_) (_AWS only_)
 
 _Basic Example (CSM Mode)_
 
@@ -84,6 +89,18 @@ _Basic Example (Proxy Mode)_
 iamlive --set-ini --mode proxy
 ```
 
+_Basic Example (Azure)_
+
+```
+iamlive --provider azure
+```
+
+_Basic Example (Google Cloud)_
+
+```
+iamlive --provider gcp
+```
+
 _Comprehensive Example (CSM Mode)_
 
 ```
@@ -100,7 +117,9 @@ The arguments may also be specified in an INI file located at `~/.iamlive/config
 
 ### CSM Mode
 
-Client-side monitoring mode is the default behaviour and will use [metrics](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/metrics.html) delivered locally via UDP to capture policy statements with the `Action` key only (`Resource` is only available in proxy mode).
+Client-side monitoring mode is the default behaviour for AWS and will use [metrics](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/metrics.html) delivered locally via UDP to capture policy statements with the `Action` key only (`Resource` is only available in proxy mode).
+
+CSM mode is only available for the AWS provider.
 
 #### CLI
 
@@ -128,9 +147,9 @@ export AWS_CSM_HOST=127.0.0.1
 
 ### Proxy Mode
 
-Proxy mode will serve a local HTTP(S) server (by default at `http://127.0.0.1:10080`) that will inspect requests sent to the AWS endpoints before forwarding on to generate IAM policy statements with both `Action` and `Resource` keys. The CA key/certificate pair will be automatically generated and stored within `~/.iamlive/` by default.
+Proxy mode will serve a local HTTP(S) server (by default at `http://127.0.0.1:10080`) that will inspect requests sent to the AWS endpoints before forwarding on to generate IAM policy statements. The CA key/certificate pair will be automatically generated and stored within `~/.iamlive/` by default.
 
-#### CLI
+#### AWS CLI
 
 To set the appropriate CA bundle in the AWS CLI, you should either use the `--set-ini` option or add the following to the relevant profile in `.aws/config`:
 
@@ -151,9 +170,11 @@ export HTTP_PROXY=http://127.0.0.1:10080
 export HTTPS_PROXY=http://127.0.0.1:10080
 ```
 
-#### SDKs
+#### AWS SDKs
 
-To enable CSM in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:
+To enable proxy mode in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:
+
+For AWS SDKs:
 
 ```
 export HTTP_PROXY=http://127.0.0.1:10080
@@ -163,6 +184,27 @@ export AWS_CA_BUNDLE=~/.iamlive/ca.pem
 
 Check the [official docs](https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-ca_bundle.html) for further details on setting the CA bundle.
 
+#### Azure CLI and SDKs
+
+To enable proxy mode in the Azure CLI or SDK, you can run the following in the window executing your application prior to it starting:
+
+```
+export HTTP_PROXY=http://127.0.0.1:10080
+export HTTPS_PROXY=http://127.0.0.1:10080
+export REQUESTS_CA_BUNDLE=~/.iamlive/ca.pem
+```
+
+#### Google Cloud CLI and SDKs
+
+To enable proxy mode in the Google Cloud CLI or SDKs, you can run the following in the window executing your application prior to it starting:
+
+```
+gcloud config set proxy/type http
+gcloud config set proxy/address 127.0.0.1
+gcloud config set proxy/port 10080
+gcloud config set core/custom_ca_certs_file ~/.iamlive/ca.pem
+```
+
 ## FAQs
 
 _I get a message "package embed is not in GOROOT" when attempting to build myself_

diff --git a/go.mod b/go.mod
@@ -8,6 +8,10 @@ require (
 	github.com/iann0036/goproxy v0.0.0-20210510114007-b2700d29a571
 	github.com/kenshaw/baseconv v0.1.1
 	github.com/mitchellh/go-homedir v1.1.0
+	github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852 // indirect
 	github.com/smartystreets/goconvey v1.6.4 // indirect
+	github.com/tidwall/gjson v1.16.0 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb // indirect
 	gopkg.in/ini.v1 v1.62.0
 )
diff --git a/go.sum b/go.sum
@@ -12,9 +12,20 @@ github.com/kenshaw/baseconv v0.1.1 h1:oAu/C7ipUT2PqT9DT0mZDGDg4URIglizZMjPv9oCu0
 github.com/kenshaw/baseconv v0.1.1/go.mod h1:yy9zGmnnR6vgOxOQb702nVdAG30JhyYZpj/5/m0siRI=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852 h1:Yl0tPBa8QPjGmesFh1D0rDy+q1Twx6FyU7VWHi8wZbI=
+github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852/go.mod h1:eqOVx5Vwu4gd2mmMZvVZsgIqNSaW3xxRThUJ0k/TPk4=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/tidwall/gjson v1.16.0 h1:SyXa+dsSPpUlcwEDuKuEBJEz5vzTvOea+9rjyYodQFg=
+github.com/tidwall/gjson v1.16.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb h1:Ywfo8sUltxogBpFuMOFRrrSifO788kAFxmvVw31PtQQ=
+github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb/go.mod h1:ikPs9bRWicNw3S7XpJ8sK/smGwU9WcSVU3dy9qahYBM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=