
Type family to get IAM action name from a request type? #864

Open
endgame opened this issue Dec 16, 2022 · 6 comments

Comments

@endgame
Collaborator

endgame commented Dec 16, 2022

It could be neat to have a type family that maps things like Amazonka.DynamoDB.GetItem to "dynamodb:GetItem" :: Symbol. Might be a way to answer "which calls might this block of code make?" when combined with the right effect system library?

@endgame
Collaborator Author

endgame commented Jan 5, 2023

@arianvp
Contributor

arianvp commented Aug 3, 2023

Note that there are some more nuances to this. API calls usually have a one-to-many relationship with IAM permissions. And this information is hidden all over the place in documentation and is not available in a machine-consumable format.

For example autoscaling:CreateAutoScalingGroup requires:

  • autoscaling:CreateAutoScalingGroup
  • ec2:RunInstances to actually spawn instances
  • If you are using a Launch template:
    • if the launch template has tags: ec2:CreateTags
    • if the launch template has an instance profile: iam:PassRole

@endgame
Collaborator Author

endgame commented Aug 3, 2023

Yes, that's an excellent point. Trying to trace all of those implications won't be practical. Another wrinkle: I hope to extend Amazonka to make it reasonably ergonomic to call API Gateway APIs which need IAM authentication, and it would be silly to call all of those execute-api:Invoke.

I currently think the contract we want to offer is that the Symbol provided denotes the name of the API operation, and for AWS API calls that's ${abbrev}:${OperationName}, and see if anyone builds anything cool on top of it, but I'm open to other ideas.

@arianvp
Contributor

arianvp commented Aug 3, 2023

OTOH Haskell would be one of those languages that could excel at this. I can see the coolness potential here.

I'd imagine some kind of Free Arrow / Free Selective DSL for defining cloud resources, and then you can do a static analysis to get the greatest fixpoint of IAM policy (the most restrictive policy that allows all branches in the code).

@endgame
Collaborator Author

endgame commented Aug 8, 2023

I think that's the sort of thing which could be provided by some other layer, once we expose the base API names.

@endgame endgame added this to the 2.1 milestone Apr 17, 2024
@endgame
Collaborator Author

endgame commented Apr 24, 2024

Too complex for 2.1, unless we can find a good mapping between API name (e.g., ListBuckets) and IAM action name (s3:ListAllMyBuckets).
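The following is an added sketch, not code from Amazonka or from anyone in this thread, of what the type family proposed in the opening comment could look like, and of how the two nuances raised later (arianvp's one-to-many mapping for autoscaling:CreateAutoScalingGroup, and the ListBuckets / s3:ListAllMyBuckets naming mismatch) can be carried alongside it. The request types `GetItem`, `ListBuckets` and `CreateAutoScalingGroup` are stand-ins declared locally; the real ones live in the Amazonka service packages, and the families `IamAction` and `ImpliedActions` are hypothetical names, not part of the library.

```haskell
{-# LANGUAGE DataKinds, TypeFamilies, KindSignatures, TypeOperators #-}
{-# LANGUAGE ScopedTypeVariables, TypeApplications, AllowAmbiguousTypes #-}
{-# LANGUAGE FlexibleContexts, FlexibleInstances #-}
module IamActions where

import Data.Kind (Type)
import Data.Proxy (Proxy (..))
import GHC.TypeLits (KnownSymbol, Symbol, symbolVal)

-- Constructed stand-ins for Amazonka request types (the real ones are
-- Amazonka.DynamoDB.GetItem, Amazonka.S3.ListBuckets, ...).
data GetItem = GetItem
data ListBuckets = ListBuckets
data CreateAutoScalingGroup = CreateAutoScalingGroup

-- Hypothetical family: the IAM action the operation itself is authorised
-- against. ListBuckets shows that the API name and the IAM action name
-- are not always the same string.
type family IamAction (req :: Type) :: Symbol
type instance IamAction GetItem                = "dynamodb:GetItem"
type instance IamAction ListBuckets            = "s3:ListAllMyBuckets"
type instance IamAction CreateAutoScalingGroup = "autoscaling:CreateAutoScalingGroup"

-- Hypothetical family: further actions the call may need depending on its
-- arguments (launch template tags, instance profile, ...). Which of them a
-- given request actually exercises is a runtime property, so the type-level
-- list is the superset: a policy built from it allows every branch.
type family ImpliedActions (req :: Type) :: [Symbol]
type instance ImpliedActions GetItem     = '[]
type instance ImpliedActions ListBuckets = '[]
type instance ImpliedActions CreateAutoScalingGroup =
  '["ec2:RunInstances", "ec2:CreateTags", "iam:PassRole"]

-- Reflect a type-level list of Symbols to a runtime list of Strings.
class KnownSymbols (ss :: [Symbol]) where
  symbolVals :: [String]

instance KnownSymbols '[] where
  symbolVals = []

instance (KnownSymbol s, KnownSymbols ss) => KnownSymbols (s ': ss) where
  symbolVals = symbolVal (Proxy @s) : symbolVals @ss

-- Every action a call of request type `req` may require: the operation's
-- own action first, then the implied ones. Feeding these into an IAM
-- policy statement gives the least-privilege grant for that call site.
requiredActions
  :: forall req. (KnownSymbol (IamAction req), KnownSymbols (ImpliedActions req))
  => [String]
requiredActions =
  symbolVal (Proxy @(IamAction req)) : symbolVals @(ImpliedActions req)

main :: IO ()
main = do
  print (requiredActions @GetItem)
  print (requiredActions @ListBuckets)
  print (requiredActions @CreateAutoScalingGroup)
```

Because `IamAction` and `ImpliedActions` are open type families, instances can be supplied per service module and resolved entirely at compile time; `requiredActions` then needs no value of the request type, only its type, which is what a "which calls might this block of code make?" analysis would consume.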

@endgame endgame removed this from the 2.1 milestone Apr 24, 2024