| 1 | +# Detailed information about the map.json file |
| 2 | + |
| 3 | +The AWS map.json file is a JSON file that contains mappings of SDK calls to IAM actions. The file is structured in a way that allows for easy parsing and understanding of the relationships between SDK calls and IAM actions. Though there is a [custom mapping tool](https://iann0036.github.io/iam-dataset/util/index.html#) that can be used to assist in the update this file, it is not required to make changes to the file. |
| 4 | + |
| 5 | +## File Structure |
| 6 | + |
| 7 | +```jsonc |
| 8 | +{ |
| 9 | + "info": "string", // basic information about the origin of the file |
| 10 | + "sdk_permissionless_actions": [ // list of SDK calls that do not require permissions |
| 11 | + "DynamoDB.DescribeEndpoints", |
| 12 | + ... |
| 13 | + ], |
| 14 | + "sdk_method_iam_mappings": { // mapping of SDK calls to IAM actions, keyed by the SDK/API method name |
| 15 | + "Budgets.CreateBudget": [ // list of IAM permissions that are used to call the SDK method |
| 16 | + { // variant 1, used when the IAM permission has a resource type with variables associated with it |
| 17 | + "action": "budgets:CreateBudget", // the IAM action name |
| 18 | + "resource_mappings": { // mapping of the variables in the ARN templates for the resource types (as present in https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html) to the properties in the SDK call |
| 19 | + "BudgetName": { // the ARN variable name |
| 20 | + "template": "${Budget.BudgetName}" // the template to use to extract the value to be used in place of the ARN variable from the SDK call |
| 21 | + }, |
| 22 | + ... |
| 23 | + }, |
| 24 | + "undocumented": true, // (optional for all variants) if present and true, marks that the action is not documented within the AWS IAM documentation |
| 25 | + }, |
| 26 | + { // variant 2, used when the IAM permission has a resource type associated with it but the resource type has no variables |
| 27 | + "action": "sts:GetSessionToken", |
| 28 | + "resource_mappings": {} |
| 29 | + }, |
| 30 | + { // variant 3, used when the IAM ARN itself uses the specified template |
| 31 | + "action": "acm:UpdateCertificateOptions", |
| 32 | + "resource_mappings": {}, |
| 33 | + "resourcearn_mappings": { |
| 34 | + "certificate": "${CertificateArn}" // a mapping of the resource type to a template used to fulfil the entire ARN |
| 35 | + } |
| 36 | + }, |
| 37 | + { // variant 4, used to explicitely override the provided ARN template with the specified template |
| 38 | + "action": "iam:PassRole", |
| 39 | + "arn_override": { |
| 40 | + "template": "%%iftemplatematch%${IamRoleArn}%%" |
| 41 | + } |
| 42 | + }, |
| 43 | + { // additional note: the use of the "conditions" property may be present however is in draft and not yet fully supported - please do not use at this time |
| 44 | + "action": "dynamodb:PartiQLSelect", |
| 45 | + "resource_mappings": {}, |
| 46 | + "conditions": { |
| 47 | + "lhs": "Statements[].Statement", |
| 48 | + "op": "IContains", |
| 49 | + "rhs": "SELECT " |
| 50 | + } |
| 51 | + }, |
| 52 | + ... |
| 53 | + ], |
| 54 | + ... |
| 55 | + }, |
| 56 | + "sdk_service_mappings": { // mapping of friendly service names (as produced by CSM or the SDK) to IAM namespaces, IAM namespaces may appear more than once |
| 57 | + "ACM PCA": "acm-pca", |
| 58 | + ... |
| 59 | + }, |
| 60 | + "service_sdk_mappings": { // mapping of IAM namespaces to an array of possible friendly service names (as produced by CSM or the SDK) |
| 61 | + "a4b": [ |
| 62 | + "AlexaForBusiness" |
| 63 | + ], |
| 64 | + ... |
| 65 | + } |
| 66 | +} |
| 67 | +``` |
| 68 | + |
| 69 | +## Template Syntax |
| 70 | + |
| 71 | +The following syntax items may be used within the `template` and `arn_override` properties of the map.json file. Any other text will be treated as a literal string. |
| 72 | + |
| 73 | +`${PropertyName}` - Variable substitution for the `PropertyName` property |
| 74 | + |
| 75 | +`.` - A property within an object/map, used within variable substitution |
| 76 | + |
| 77 | +`[]` - For each value within the array, used within variable substitution |
| 78 | + |
| 79 | +`%%urlencode%${PropertyName}%%` - Performs a URL-encoding on the `PropertyName` property |
| 80 | + |
| 81 | +`%%many%${PropertyName}%${PropertyName2}%${PropertyName3}%%` - For each of the `PropertyName`, `PropertyName2` & `PropertyName3` properties (any length) |
| 82 | + |
| 83 | +`%%iftemplatematch%${ArnProperty}%%` - Only valid if the template matches the resource type's template |
| 84 | + |
| 85 | +`%%iftruthy%${PropertyName}%ValueIfTrue%ValueIfFalse%%` - Truthy test |
| 86 | + |
| 87 | +`%%regex%${PropertyName}%/(.+)/g%%` - Returns first capture group of Regex |