IAM caching: better to query against actual state instead? about kappa HOT 6 OPEN

Yeah, that's actually a good idea. Could do the same for function configuration. Then, if we can eliminate the need for caching the zip file checksum locally we could eliminate the local cache completely which would be a very good thing.

from kappa.

So, maybe I'm missing it but is there an IAM API request that will return the policy document associated with a Managed Policy or a version of a Managed Policy?

from kappa.

It's GetPolicy, the arn is like "arn:aws:iam::aws:policy/AWSLambdaFullAccess"

from kappa.

It's actually GetPolicyVersion, I think. It doesn't preserve the original form so you have to do a more intelligent diff then just doing a string compare.

from kappa.

Ah I see, I didn't look hard enough (i.e. at all) at the output of aws-cli, just that it completed without errors.

from kappa.

The following is POC code to get the current policy document. You'll still need to compare each statement, but that should be relatively easy?

import boto3

client = boto3.client('iam')

policy_arn = 'arn:aws:iam::093535234988:policy/kappa/{0}_{1}'.format(app_name, app_env)
response = client.get_policy(
    PolicyArn=policy_arn
)
version_id = response.get('Policy', {}).get('DefaultVersionId', None)
if version_id is None:
    raise Exception('Failed to get policy')

response = client.get_policy_version(
    PolicyArn=policy_arn,
    VersionId=version_id
)
document = response.get('PolicyVersion', {}).get('Document', None)
if document is None:
    raise Exception('Failed to get current policy document')

# compare the version here

No idea what the policy is around error handling, so feel free to substitute that here.

from kappa.