Miam

IAM

Manage AWS IAM users, groups, roles, and policies as code

Manages
AWS Identity and Access Management (IAM)
Language
Ruby
Package
miam
CLI
miam
Config file
IAMfile
Maintained by Cookpad after its transfer from codenize-tools, but releases are infrequent; pin your gem version and test aws-sdk upgrades before rolling them out.
IAMfile
user "bob", :path => "/developer/" do
  login_profile :password_reset_required=>true

  groups(
    "Admin"
  )

  policy "bob-policy" do
    {"Version"=>"2012-10-17",
     "Statement"=>
      [{"Action"=>["s3:Get*", "s3:List*"],
        "Effect"=>"Allow",
        "Resource"=>"*"}]}
  end
end
In short

Miam is a command-line tool that manages AWS IAM as code. You keep users, groups, roles, and policies in a Ruby file called an IAMfile, then apply it to update IAM. It exports current state, shows a dry-run diff, and applies changes idempotently.

What is Miam?

Miam manages AWS IAM as code. Users, groups, roles, and policies are all declared in a Ruby file called an IAMfile. The miam command diffs that file against live IAM and applies exactly the changes needed.

IAM is where drift hurts most. Permissions get granted for a one-off task and never revoked. Users who left the company keep access. Policies pile up that no one can explain. Miam keeps the whole picture in one reviewable file. Every permission change becomes a pull request with a diff. This is codenization applied to access control.

An IAMfile can hold:

  • Users, groups, and roles, with paths and login profiles
  • Inline policies written as plain policy-document hashes
  • Managed policy attachments and instance profiles

Miam began in the codenize-tools family and is now maintained by Cookpad. For database permissions, its cousins Gratan (MySQL grants) and Posgra (PostgreSQL grants) apply the same idea inside your database.

Key facts
  • Manages IAM users, groups, roles, and policies as code.
  • The whole permission model sits in one IAMfile in Git.
  • Handles inline policies, managed policy attachments, and instance profiles.
  • A first export doubles as a full IAM audit in plain text.
  • Dry-run reveals exactly which permissions would change before you apply.
  • Maintained by Cookpad, though releases are infrequent, so pin versions.
Illustration: AWS Identity and Access Management (IAM) managed as code with Miam
Getting started

Install and run Miam

1

Install

Install the miam gem (Ruby required).

$ gem install miam
2

Export current state

Pull the live IAM configuration into a IAMfile.

$ miam -e -o IAMfile
3

Dry-run, then apply

Preview the diff, then apply the change for real.

$ miam -a --dry-run

Miam is built for a simple export, review, apply loop. Capture the current state with miam -e. On large accounts, add --split for per-resource files and --export-concurrency to speed it up. Commit the result. That first export is an instant IAM audit: every user, group, role, and policy in plain text. It follows the classic export, review, apply workflow.

From then on, permission changes are edits to the IAMfile in a branch. Run miam -a --dry-run to see which users, memberships, and policies would change. Attach the output to the pull request, so reviewers approve the real effect, not just the intent. Merge, then run miam -a. Applies are idempotent, so re-running is safe. A scheduled dry-run catches permissions granted by hand in the console.

Pro tip

Run miam -e -o IAMfile the day you adopt it and read the output. It is often the first complete list a team has of who can do what across the account.

Capabilities

What Miam can do

Full IAM coverage

The DSL declares users, groups, roles, instance profiles, inline policies, and managed policy attachments. The whole permission model lives in one file.

Dry-run diffs

miam -a --dry-run prints every user, membership, and policy change before it lands. That matters when the resources being changed are permissions themselves.

Target and exclude filters

--target and --exclude take regular expressions to scope an apply or export. You can codenize IAM step by step, or manage only part of a shared account.

Templates with context

Reusable policy and user templates accept context variables. Per-team or per-environment patterns are defined once, not copy-pasted.

Split and JSON output

--split and --split-more break exports into per-resource files for cleaner diffs. --format switches between the Ruby DSL and JSON.

Fast, tunable exports

--export-concurrency parallelizes large exports. --ignore-login-profile skips console-password handling when you do not manage it.

In practice

When teams reach for Miam

Permission changes as pull requests

Instead of granting S3 access in the console, an engineer edits the IAMfile and opens a PR. Security reviews the exact policy JSON in the diff, and the dry-run shows what will attach before anyone approves.

Onboarding and offboarding

Creating a user with the right groups, path, and login profile is a small, reviewable diff. Offboarding is the reverse: delete the block, dry-run, apply. Git keeps a full history of who had access, and when.

Detecting IAM drift

Run miam -a --dry-run on a schedule in CI. Any output means someone changed IAM outside the file, such as an emergency grant. The team can then codify or revoke it while it is fresh.

Keeping multi-account IAM consistent

With templates and context variables, the same role and policy patterns apply across dev, staging, and production. --target filters let you roll changes out one account at a time.

FAQ

Miam questions, answered

How do I adopt Miam on an existing AWS account?
Run miam -e -o IAMfile to export all users, groups, roles, and policies without changing anything, then commit the file. Use --split on large accounts for one file per resource. After that, all changes flow through edits, dry-runs, and applies.
Will Miam delete users or policies that are not in my IAMfile?
Yes. The IAMfile is declarative, so managed resources missing from it are removed on apply. That is the point for offboarding, but it makes the dry-run essential. Use --target and --exclude to scope Miam to only the resources you intend to manage.
Does Miam support managed policies and roles?
Yes. The DSL attaches and detaches AWS managed and customer managed policies. It also handles inline policies as plain policy-document hashes, roles with assume-role documents, and instance profiles.
Is Miam still maintained, and should I use it over Terraform?
Miam is maintained by Cookpad, which took over after the original codenize-tools organization was archived, though releases are infrequent. Pin your gem version and test aws-sdk upgrades. Terraform also manages IAM well. Miam's edge is the one-command export of existing state and having no separate state file. See our codenize-tools vs Terraform guide.
Can I keep passwords and access keys out of Miam?
Yes. Miam manages login profiles, where the user must reset their console password, not secret values. --ignore-login-profile skips login-profile management entirely. Access keys are never stored in the IAMfile, so the file stays safe to commit.