IAM
Identity, roles, and policy evaluation with wildcard matching
IAM
SDK-compat status: Live. Real
aws-sdk-go-v2/service/iam, AzureMicrosoft.Authorization(RBAC), and GCP IAM clients can point at the SDK-compat server. The full driver semantics (JSON policy evaluation, wildcards, explicit-deny override, instance profiles) are also available through the Portable Go API below.
Emulates identity and access management across all three providers.
Provider Mapping
| Provider | Service | SDK-compat | Access |
|---|---|---|---|
| AWS | IAM (users, groups, roles, policies, access keys, instance profiles) | ✓ Live | aws.IAM |
| Azure | RBAC (Microsoft.Authorization role assignments + definitions) | ✓ Live | azure.IAM |
| GCP | IAM (service accounts, roles, policy bindings) | ✓ Live | gcp.IAM |
Key Operations
Users and Roles
import iamdriver "github.com/stackshy/cloudemu/iam/driver"
// Create a user
aws.IAM.CreateUser(ctx, iamdriver.UserConfig{
Name: "alice", Tags: map[string]string{"team": "backend"},
})
// Create a role
aws.IAM.CreateRole(ctx, iamdriver.RoleConfig{
Name: "s3-reader",
AssumeRolePolicy: `{"Version":"2012-10-17","Statement":[...]}`,
})Policies
// Attach a policy
aws.IAM.AttachPolicy(ctx, iamdriver.AttachPolicyInput{
TargetType: "user",
TargetName: "alice",
PolicyDocument: `{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}]
}`,
})Permission Checking
allowed, _ := aws.IAM.CheckPermission(ctx, iamdriver.PermissionCheck{
Principal: "alice",
Action: "s3:GetObject",
Resource: "arn:aws:s3:::my-bucket/file.txt",
})
// allowed == truePolicy Evaluation
cloudemu parses JSON policy documents with full support for:
- Wildcard matching in actions and resources (
s3:*,arn:aws:s3:::*) - Explicit Deny overrides Allow — matching real IAM behavior
- Multiple statements with different effects