[PR #8] [MERGED] Support context in service reference AuthorizedActions #168

Closed
opened 2026-03-15 11:51:13 +03:00 by kerem · 0 comments
📋 Pull Request Information

Original PR: https://github.com/awslabs/iam-policy-autopilot/pull/8
Author: @mschlaipfer
Created: 11/20/2025
Status: Merged
Merged: 11/20/2025
Merged by: @mschlaipfer

Base: prerelease ← Head: support-service-reference-context


📝 Commits (1)

  • 6e726b7 Support context in service reference AuthorizedActions

📊 Changes

5 files changed (+377 additions, -34 deletions)

View changed files

📝 iam-policy-autopilot-policy-generation/src/enrichment/mod.rs (+6 -0)
📝 iam-policy-autopilot-policy-generation/src/enrichment/operation_fas_map.rs (+43 -16)
📝 iam-policy-autopilot-policy-generation/src/enrichment/resource_matcher.rs (+35 -11)
📝 iam-policy-autopilot-policy-generation/src/enrichment/service_reference.rs (+158 -7)
📝 iam-policy-autopilot-policy-generation/tests/public_api_integration_test.rs (+135 -0)

📄 Description

Issue #, if available:

Description of changes:

  • Now uses the context from AuthorizedActions, for instance to add the iam:PassedToService condition for iam:PassRole.
  • Allows both String and Array<String> in the FAS map context (to match the service reference type).

TODO: We currently silently continue when other types are in the FAS map. Instead, we should fail, but prevent runtime failures by parsing all configuration files (such as the FAS map) as part of our build, and fail the build if deserialization fails.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
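
An added example (not code from this pull request or the iam-policy-autopilot code base) of the behaviour the description outlines: a context value that may be a String or an Array<String> is normalised into an IAM `Condition` block, and any other type is rejected instead of skipped. The `Raw` enum, both function names, the `StringEquals` operator, the role ARN and the service principals are assumptions made for illustration.

```rust
use std::collections::BTreeMap;

// Hypothetical stand-in for a parsed configuration value; the project's own
// types are not shown on this page.
#[derive(Debug, Clone, PartialEq)]
enum Raw {
    Str(String),
    List(Vec<Raw>),
    Num(i64),
}

// Accept String or Array<String>; return an error for every other type
// rather than silently skipping it.
fn context_values(raw: &Raw) -> Result<Vec<String>, String> {
    match raw {
        Raw::Str(s) => Ok(vec![s.clone()]),
        Raw::List(items) => items
            .iter()
            .map(|item| match item {
                Raw::Str(s) => Ok(s.clone()),
                other => Err(format!("unsupported array element: {:?}", other)),
            })
            .collect(),
        other => Err(format!("unsupported context type: {:?}", other)),
    }
}

// Render one Allow statement as JSON; each context key becomes a condition key.
// StringEquals is an assumed operator; values are assumed to need no JSON escaping.
fn statement(action: &str, resource: &str, context: &BTreeMap<String, Raw>) -> Result<String, String> {
    let mut conds = Vec::new();
    for (key, raw) in context {
        let vals: Vec<String> = context_values(raw)?.iter().map(|v| format!("\"{}\"", v)).collect();
        conds.push(format!("\"{}\":[{}]", key, vals.join(",")));
    }
    let condition = if conds.is_empty() {
        String::new()
    } else {
        format!(",\"Condition\":{{\"StringEquals\":{{{}}}}}", conds.join(","))
    };
    Ok(format!("{{\"Effect\":\"Allow\",\"Action\":\"{}\",\"Resource\":\"{}\"{}}}", action, resource, condition))
}

fn main() {
    // Constructed sample input: placeholder account id and role name.
    let mut ctx = BTreeMap::new();
    ctx.insert("iam:PassedToService".to_string(), Raw::Str("lambda.amazonaws.com".to_string()));
    println!("{}", statement("iam:PassRole", "arn:aws:iam::111122223333:role/ExampleRole", &ctx).unwrap());
}
```

Without the condition, the same `iam:PassRole` statement would let the role be passed to any service; with it, the grant is limited to the listed service principals.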
