AWACS (AWS Access Policy Language creation library)

2.5.0 · active · verified Sat Apr 11

AWACS is a Python library designed for creating AWS Access Policy Language (IAM policies) programmatically. It provides a structured way to define policies using Python objects, making them easier to manage, version, and integrate into infrastructure-as-code tools. The library regularly updates its definitions for AWS services and actions by scraping AWS documentation. It is actively maintained with frequent minor releases to incorporate new AWS actions and address scraper fixes, currently at version 2.5.0.

Warnings

breaking Version 2.0.0 of AWACS dropped support for Python 2.x. This was a major breaking change, requiring all users to migrate to Python 3.x.
Fix: Ensure your project runs on Python 3.x. The current stable version of AWACS requires Python >=3.9.
breaking The minimum required Python version has been progressively increased. As of version 2.5.0, AWACS officially requires Python >=3.9. Users on Python 3.6, 3.7, or 3.8 will encounter compatibility issues when upgrading to recent AWACS versions.
Fix: Upgrade your Python environment to 3.9 or newer before installing or upgrading to the latest AWACS versions.
gotcha AWACS dynamically generates AWS action definitions by scraping AWS documentation. If you're using an older version of the library, it might not contain the definitions for newly released AWS services or actions. This can lead to missing action errors or incomplete policies.
Fix: Regularly update `awacs` to the latest version (`pip install --upgrade awacs`) to ensure you have the most current AWS action definitions.
gotcha Version 2.4.0 included fixes for `mypy` which addressed implicit `Optional` types. Users relying on strict type checking with older `awacs` versions (prior to 2.4.0) might have encountered type-hinting related issues.
Fix: Upgrade to `awacs` version 2.4.0 or newer for improved type-checking compatibility and reliability, especially in projects using `mypy` or similar static analysis tools.

Install

pip install awacs Install stable version

Imports

Policy
```
from awacs.aws import Policy
```
Statement
```
from awacs.aws import Statement
```
Principal
```
from awacs.aws import Principal
```
Action
```
from awacs.aws import Action
```
Allow
```
from awacs.aws import Allow
```
ARN
```
from awacs.iam import ARN
```
AssumeRole
```
from awacs.sts import AssumeRole
```

get_service_principal

from awacs.helpers.trust import get_service_principal

Quickstart

This quickstart demonstrates how to create a simple AWS IAM AssumeRole policy and an S3 read-only policy using AWACS. It shows how to import core components like `Policy`, `Statement`, `Principal`, `Action`, `Effect`, and specific service actions (`AssumeRole`, `GetObject`, `ListBucket`) to build policies that can then be converted to a JSON string for use with AWS services.

from awacs.aws import Action, Allow, Policy, Principal, Statement
from awacs.iam import ARN
from awacs.sts import AssumeRole

# Create a basic AssumeRole policy
policy = Policy(
    Statement(
        Effect=Allow,
        Principal=Principal("AWS", ARN("arn:aws:iam::123456789012:root")),
        Action=[AssumeRole],
    )
)

# Convert the policy to JSON string
policy_json = policy.to_json()
print(policy_json)

# Example of an S3 read-only policy for a specific bucket
from awacs.s3 import GetObject, ListBucket

s3_read_policy = Policy(
    Statement(
        Effect=Allow,
        Action=[ListBucket],
        Resource=[ARN("arn:aws:s3:::my-example-bucket")]
    ),
    Statement(
        Effect=Allow,
        Action=[GetObject],
        Resource=[ARN("arn:aws:s3:::my-example-bucket/*")]
    )
)
print(s3_read_policy.to_json())

view raw JSON →