org-aws-iam-role.el is an Emacs package for inspecting and modifying AWS IAM roles and their policy documents. It renders all role data—including trust policies, permissions boundaries, and all associated policies (AWS managed, customer managed, and inline)—in an interactive Org-mode buffer. It also includes a powerful IAM policy simulator to test a role's permissions against specific actions and resources directly within Emacs.
This package uses Org Babel and the AWS CLI under the hood, allowing you to edit policies directly in the buffer and apply them to your AWS account. All initial policy data is fetched asynchronously and in parallel.
- Browse and Inspect IAM Roles via an interactive prompt.
- Modify IAM Policies: Edit policies directly in the Org buffer and apply changes by executing the source block (`C-c C-c`).
- Supports Trust Policies, Permissions Boundaries, Customer-Managed, AWS-Managed, and Inline policies.
- IAM Policy Simulator: Test the role's permissions against a list of actions and resources using `iam:SimulatePrincipalPolicy` (`C-c C-s`).
- View Combined Permissions: Generate a single, unified JSON policy from all permission policies (Customer-Managed, AWS-Managed, and Inline) for a holistic view (`C-c C-j`).
- Get Service Last Accessed Details: Fetches a report from AWS showing when services were last accessed by the role, using `iam:GenerateServiceLastAccessedDetails` (`C-c C-a`).
- Read-Only by Default: Buffers open in a safe, read-only mode to prevent accidental changes. Toggle editing with a keypress.
- Org Babel Integration using a custom `aws-iam` language for applying changes.
- Asynchronous Parallel Fetching for fast initial loading of all policies.
- Org-mode Rendering with foldable sections for easy navigation.
- Switch AWS CLI profiles interactively.
- Authenticates via CLI and alerts on credential issues before running commands.
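The combined-permissions view merges every permission policy attached to the role into one document. As an added example (not the package's own code), the Python below shows the normalization such a merge has to do: `Statement` may be a single object or a list, `Action`/`Resource` may be a string or a list, and the two policy documents are constructed sample data, not anything fetched from AWS. The merged document is a review artifact only; explicit Deny statements and Conditions still apply, and `iam:SimulatePrincipalPolicy` remains the authoritative check of effective access.

```python
import re

# Constructed sample policy documents (not fetched from AWS), standing in for a
# customer-managed policy and an inline policy attached to the same role.
MANAGED = ("CustomerManaged/S3Read", {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-bucket/*"},
})
INLINE = ("Inline/DenyDelete", {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowList", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _statements(doc):
    """'Statement' may be one object or a list of objects."""
    return _as_list(doc.get("Statement"))

def combine_policies(sources):
    """Merge (source name, policy document) pairs into one unified document.
    Sids are rebuilt from the source name so statements stay unique and traceable."""
    combined = []
    for name, doc in sources:
        for i, stmt in enumerate(_statements(doc)):
            merged = dict(stmt)
            merged["Sid"] = re.sub(r"[^A-Za-z0-9]", "", f"{name}{stmt.get('Sid', i)}")
            for key in ("Action", "NotAction", "Resource", "NotResource"):
                if key in merged:
                    merged[key] = _as_list(merged[key])
            combined.append(merged)
    return {"Version": "2012-10-17", "Statement": combined}

def actions_by_effect(doc):
    """Group the actions named in a document by Effect (an explicit Deny wins in IAM)."""
    out = {"Allow": set(), "Deny": set()}
    for stmt in _statements(doc):
        out[stmt["Effect"]].update(_as_list(stmt.get("Action")))
    return out
```

Calling `combine_policies([MANAGED, INLINE])` yields three statements with list-valued `Action` and `Resource` fields, and `actions_by_effect` on the result separates the allowed actions from the denied `s3:DeleteObject`.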
- GNU Emacs 29.1+
- AWS CLI installed and in your `PATH`
- Permissions for the following AWS IAM APIs:
  - `sts:GetCallerIdentity`
  - `iam:GetRole`
  - `iam:ListRoles`
  - `iam:ListAttachedRolePolicies`
  - `iam:ListRolePolicies`
  - `iam:GetPolicy`
  - `iam:GetPolicyVersion`
  - `iam:GetRolePolicy`
  - `iam:UpdateAssumeRolePolicy` (to modify trust policies)
  - `iam:PutRolePolicy` (to modify inline policies)
  - `iam:CreatePolicyVersion` (to modify managed policies)
  - `iam:SimulatePrincipalPolicy` (for the policy simulator)
  - `iam:GenerateServiceLastAccessedDetails` (for the last accessed report)
  - `iam:GetServiceLastAccessedDetails` (for the last accessed report)

Emacs libraries used: `cl-lib`, `json`, `url-util`, `async`, `promise`, `ob-shell`.
- Load the package (e.g. `(require 'org-aws-iam-role)`).
- Run `M-x org-aws-iam-role-view-details`.
- Select a role from the list.
- The buffer will open in read-only mode. To make changes:
  a. Press `C-c C-e` to toggle editable mode.
  b. Modify the JSON inside any policy's source block.
  c. Press `C-c C-c` inside the block to apply the changes to AWS.
  d. View the success or failure message in the `#+RESULTS:` block that appears.
- To test the role's effective permissions, press `C-c C-s` at any time to open the IAM policy simulator.
| Keybinding | Description |
|---|---|
| `C-c C-e` | Toggle read-only mode to allow/prevent edits. |
| `C-c C-s` | Simulate the role's policies against specific actions. |
| `C-c C-j` | View a combined JSON of all permission policies. |
| `C-c C-a` | Get service last accessed details for the role. |
| `C-c C-c` | Inside a source block, apply changes to AWS. |
| `C-c (` | Hide all property drawers. |
| `C-c )` | Reveal all property drawers. |
Optional variables for customizing behavior:

```elisp
(setq org-aws-iam-role-profile "my-profile")      ;; Use a specific AWS CLI profile
(setq org-aws-iam-role-read-only-by-default t)    ;; Open buffers in read-only mode
(setq org-aws-iam-role-show-folded-by-default t)  ;; Show Org buffer folded by default
(setq org-aws-iam-role-fullscreen nil)            ;; Prevent the buffer from taking the full frame
```

To change the profile at runtime, you can run:

`M-x org-aws-iam-role-set-profile`
