AWS IAM

AWS IAM — users, roles, groups, policies, access keys, and attachment/membership state. Four round-trippable state kinds (policies, role-policy-attachments, user-policy-attachments, group-memberships). Uses boto3 and the standard AWS credential chain.

Namespace: weave aws_iam · Env: AWS_ACCESS_KEY_ID · Commands: 15 · State kinds: 4 · Category: Identity & SSO · API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable                Description                                          Status
AWS_ACCESS_KEY_ID       Required for authentication.                         required
AWS_SECRET_ACCESS_KEY   Required for authentication.                         required
AWS_SESSION_TOKEN       Required for authentication.                         required
AWS_REGION              Required for authentication.                         required
AWS_PROFILE             Named profile when not using explicit access keys.   optional
AWS_DEFAULT_REGION      Synonym for AWS_REGION.                              optional

Sanity-check the wiring:

weave secrets check
weave aws_iam --help
weave doctor   # reports AWS_ACCESS_KEY_ID status

Capabilities

What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.

Entity                    find  list  show  do   snapshot  diff  apply
access-key                ·     ·     ·     ✓    ·         ·     ·
group                     ✓     ✓     ✓     ·    ·         ·     ·
group-members             ·     ·     ✓     ·    ·         ·     ·
group-memberships         ·     ·     ·     ·    ✓         ✓     ✓
group-policies            ·     ·     ✓     ·    ·         ·     ·
policies                  ·     ·     ·     ·    ✓         ✓     ✓
policy                    ✓     ✓     ·     ·    ·         ·     ·
role                      ✓     ✓     ✓     ·    ·         ·     ·
role-policies             ·     ·     ✓     ·    ·         ·     ·
role-policy-attachments   ·     ·     ·     ·    ✓         ✓     ✓
user                      ✓     ✓     ✓     ·    ·         ·     ·
user-policies             ·     ·     ✓     ·    ·         ·     ·
user-policy-attachments   ·     ·     ·     ·    ✓         ✓     ✓

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (4)

find group

read

Find an IAM group by name.

weave aws_iam find group <name>

find policy

read

Find a managed policy by ARN.

weave aws_iam find policy <arn>

find role

read

Find an IAM role by name.

weave aws_iam find role <name>

find user

read

Find an IAM user by name.

weave aws_iam find user <name>

list (4)

list groups

read

List IAM groups.

weave aws_iam list groups <arg>

list policies

read

List managed policies (Local = customer-managed).

weave aws_iam list policies <arg>

list roles

read

List IAM roles.

weave aws_iam list roles <arg>

list users

read

List IAM users.

weave aws_iam list users <arg>

show (5)

show group

read

Show one IAM group (metadata).

weave aws_iam show group <name>

show group-members

read

List IAM users in a group.

weave aws_iam show group-members <name>

show group-policies

read

Show managed policies attached to a group.

weave aws_iam show group-policies <name>

show role-policies

read

Show attached + inline policies for a role.

weave aws_iam show role-policies <name>

show user-policies

read

Show attached + inline policies for a user.

weave aws_iam show user-policies <name>

do (2)

do create-access-key

write

Create a new access key for a user.

weave aws_iam do create-access-key <user>

do delete-access-key

write

Delete an access key for a user.

weave aws_iam do delete-access-key <user> <key-id>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/aws_iam/.

policies

snapshot diff apply

All customer-managed IAM policies on the account (keyed by name).

Scope: account (all customer-managed policies; no scoping flag)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: aws_iam
kind: policies
items:
  - # <fields specific to this kind — see snapshot output>

role-policy-attachments

snapshot diff apply

Managed policies attached to one IAM role (scoped via --role).

Scope: role
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: aws_iam
kind: role-policy-attachments
role: <value>
items:
  - # <fields specific to this kind — see snapshot output>

user-policy-attachments

snapshot diff apply

Managed policies attached to one IAM user (scoped via --user).

Scope: user
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: aws_iam
kind: user-policy-attachments
user: <value>
items:
  - # <fields specific to this kind — see snapshot output>

group-memberships

snapshot diff apply

IAM users that belong to one group (scoped via --group).

Scope: group
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: aws_iam
kind: group-memberships
group: <value>
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Version-control policies attached to a role

weave aws_iam snapshot role-policy-attachments --role=MyAppRole
weave aws_iam diff role-policy-attachments --role=MyAppRole
weave aws_iam apply role-policy-attachments --role=MyAppRole --yes
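A runnable model of the round-trip described under State kinds and used in this workflow, added here as an illustration and not weave's own code: FakeIam stands in for the boto3 IAM client (real boto3 method names and keyword signatures), the sample state file and the drifted live role are constructed, and the policy_arn item field is an assumption about what weave's snapshot emits.

```python
# Added illustration (not weave's code) of the snapshot -> diff -> apply round-trip
# for role-policy-attachments; FakeIam stands in for a boto3 IAM client (same signatures).

class FakeIam:
    """In-memory IAM: {role_name: set(policy_arn)} plus a log of write calls."""
    def __init__(self, attached):
        self.attached = {r: set(a) for r, a in attached.items()}
        self.calls = []
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [
            {"PolicyName": arn.rsplit("/", 1)[1], "PolicyArn": arn}
            for arn in sorted(self.attached.get(RoleName, ()))]}
    def attach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("attach", RoleName, PolicyArn))
        self.attached.setdefault(RoleName, set()).add(PolicyArn)
    def detach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("detach", RoleName, PolicyArn))
        self.attached.get(RoleName, set()).discard(PolicyArn)

def snapshot(iam, role):
    """Live state in the state-file shape; the policy_arn field is an assumption."""
    page = iam.list_attached_role_policies(RoleName=role)
    return {"module": "aws_iam", "kind": "role-policy-attachments", "role": role,
            "items": [{"policy_arn": p["PolicyArn"]} for p in page["AttachedPolicies"]]}

def diff(iam, desired, role):
    """Re-snapshot first (as the driver does); refuse a file whose kind/role mismatch."""
    if desired.get("kind") != "role-policy-attachments" or desired.get("role") != role:
        raise ValueError("state file does not describe role-policy-attachments for " + role)
    live = {i["policy_arn"] for i in snapshot(iam, role)["items"]}
    want = {i["policy_arn"] for i in desired["items"]}
    return {"attach": sorted(want - live), "detach": sorted(live - want)}

def apply(iam, desired, role, dry_run=True):
    """Dry run returns the plan only; a real run detaches drift before attaching."""
    plan = diff(iam, desired, role)
    if not dry_run:
        for arn in plan["detach"]:
            iam.detach_role_policy(RoleName=role, PolicyArn=arn)
        for arn in plan["attach"]:
            iam.attach_role_policy(RoleName=role, PolicyArn=arn)
    return plan

# Constructed sample: an operator-reviewed state file vs. a drifted live role.
DESIRED = {"module": "aws_iam", "kind": "role-policy-attachments", "role": "MyAppRole",
           "items": [{"policy_arn": "arn:aws:iam::123456789012:policy/AppReadOnly"},
                     {"policy_arn": "arn:aws:iam::123456789012:policy/AppQueueConsumer"}]}
LIVE = FakeIam({"MyAppRole": ["arn:aws:iam::123456789012:policy/AppReadOnly",
                              "arn:aws:iam::aws:policy/AdministratorAccess"]})
```

The diff surfaces the out-of-band AdministratorAccess attachment as a detach, which is the drift a reviewed state file is meant to catch before apply.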

Version-control customer-managed IAM policies

Snapshot every local policy document, review diffs in PRs, apply intentionally.

weave aws_iam snapshot policies
$EDITOR .weave-state/aws_iam/policies.yaml
weave aws_iam diff policies
weave aws_iam apply policies --yes

Rotate access keys for a human IAM user

weave aws_iam find user <username>
weave aws_iam do create-access-key <username>
# distribute new key, then:
weave aws_iam do delete-access-key <username> <old-key-id> --yes

Audit roles before a deployment

weave aws_iam list roles
weave aws_iam find role <role-name>

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource               weave equivalent
aws_iam_policy                   weave aws_iam snapshot/diff/apply policies
aws_iam_user                     weave aws_iam find/list/show user + do create-access-key/delete-access-key
aws_iam_role                     weave aws_iam find/list/show role
aws_iam_group                    weave aws_iam list groups
aws_iam_role_policy_attachment   weave aws_iam snapshot/diff/apply role-policy-attachments
aws_iam_user_policy_attachment   weave aws_iam snapshot/diff/apply user-policy-attachments
aws_iam_group_membership         weave aws_iam snapshot/diff/apply group-memberships
aws_iam_user_group_membership    weave aws_iam show group-members + group-memberships state

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including AWS_ACCESS_KEY_ID) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave aws_iam diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.