cloudemu

IAM

Identity, roles, and policy evaluation with wildcard matching

IAM

SDK-compat status: Live. Real aws-sdk-go-v2/service/iam, Azure Microsoft.Authorization (RBAC), and GCP IAM clients can point at the SDK-compat server. The full driver semantics (JSON policy evaluation, wildcards, explicit-deny override, instance profiles) are also available through the Portable Go API below.

Emulates identity and access management across all three providers.

Provider Mapping

ProviderServiceSDK-compatAccess
AWSIAM (users, groups, roles, policies, access keys, instance profiles)✓ Liveaws.IAM
AzureRBAC (Microsoft.Authorization role assignments + definitions)✓ Liveazure.IAM
GCPIAM (service accounts, roles, policy bindings)✓ Livegcp.IAM

Key Operations

Users and Roles

import iamdriver "github.com/stackshy/cloudemu/iam/driver"

// Create a user
aws.IAM.CreateUser(ctx, iamdriver.UserConfig{
    Name: "alice", Tags: map[string]string{"team": "backend"},
})

// Create a role
aws.IAM.CreateRole(ctx, iamdriver.RoleConfig{
    Name:             "s3-reader",
    AssumeRolePolicy: `{"Version":"2012-10-17","Statement":[...]}`,
})

Policies

// Attach a policy
aws.IAM.AttachPolicy(ctx, iamdriver.AttachPolicyInput{
    TargetType: "user",
    TargetName: "alice",
    PolicyDocument: `{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }]
    }`,
})

Permission Checking

allowed, _ := aws.IAM.CheckPermission(ctx, iamdriver.PermissionCheck{
    Principal: "alice",
    Action:    "s3:GetObject",
    Resource:  "arn:aws:s3:::my-bucket/file.txt",
})
// allowed == true

Policy Evaluation

cloudemu parses JSON policy documents with full support for:

  • Wildcard matching in actions and resources (s3:*, arn:aws:s3:::*)
  • Explicit Deny overrides Allow — matching real IAM behavior
  • Multiple statements with different effects

On this page