Miam
IAMManage AWS IAM users, groups, roles, and policies as code
- Manages
- AWS Identity and Access Management (IAM)
- Language
- Ruby
- Package
- miam
- CLI
- miam
- Config file
- IAMfile
user "bob", :path => "/developer/" do
login_profile :password_reset_required=>true
groups(
"Admin"
)
policy "bob-policy" do
{"Version"=>"2012-10-17",
"Statement"=>
[{"Action"=>["s3:Get*", "s3:List*"],
"Effect"=>"Allow",
"Resource"=>"*"}]}
end
end
Miam is a command-line tool that manages AWS IAM as code. You keep users, groups, roles, and policies in a Ruby file called an IAMfile, then apply it to update IAM. It exports current state, shows a dry-run diff, and applies changes idempotently.
What is Miam?
Miam manages AWS IAM as code. Users, groups, roles, and policies are all declared in a Ruby file called an IAMfile. The miam command diffs that file against live IAM and applies exactly the changes needed.
IAM is where drift hurts most. Permissions get granted for a one-off task and never revoked. Users who left the company keep access. Policies pile up that no one can explain. Miam keeps the whole picture in one reviewable file. Every permission change becomes a pull request with a diff. This is codenization applied to access control.
An IAMfile can hold:
- Users, groups, and roles, with paths and login profiles
- Inline policies written as plain policy-document hashes
- Managed policy attachments and instance profiles
Miam began in the codenize-tools family and is now maintained by Cookpad. For database permissions, its cousins Gratan (MySQL grants) and Posgra (PostgreSQL grants) apply the same idea inside your database.
- Manages IAM users, groups, roles, and policies as code.
- The whole permission model sits in one IAMfile in Git.
- Handles inline policies, managed policy attachments, and instance profiles.
- A first export doubles as a full IAM audit in plain text.
- Dry-run reveals exactly which permissions would change before you apply.
- Maintained by Cookpad, though releases are infrequent, so pin versions.
Install and run Miam
Install
Install the miam gem (Ruby required).
$ gem install miamExport current state
Pull the live IAM configuration into a IAMfile.
$ miam -e -o IAMfileDry-run, then apply
Preview the diff, then apply the change for real.
$ miam -a --dry-runMiam is built for a simple export, review, apply loop. Capture the current state with miam -e. On large accounts, add --split for per-resource files and --export-concurrency to speed it up. Commit the result. That first export is an instant IAM audit: every user, group, role, and policy in plain text. It follows the classic export, review, apply workflow.
From then on, permission changes are edits to the IAMfile in a branch. Run miam -a --dry-run to see which users, memberships, and policies would change. Attach the output to the pull request, so reviewers approve the real effect, not just the intent. Merge, then run miam -a. Applies are idempotent, so re-running is safe. A scheduled dry-run catches permissions granted by hand in the console.
Run miam -e -o IAMfile the day you adopt it and read the output. It is often the first complete list a team has of who can do what across the account.
What Miam can do
Full IAM coverage
The DSL declares users, groups, roles, instance profiles, inline policies, and managed policy attachments. The whole permission model lives in one file.
Dry-run diffs
miam -a --dry-run prints every user, membership, and policy change before it lands. That matters when the resources being changed are permissions themselves.
Target and exclude filters
--target and --exclude take regular expressions to scope an apply or export. You can codenize IAM step by step, or manage only part of a shared account.
Templates with context
Reusable policy and user templates accept context variables. Per-team or per-environment patterns are defined once, not copy-pasted.
Split and JSON output
--split and --split-more break exports into per-resource files for cleaner diffs. --format switches between the Ruby DSL and JSON.
Fast, tunable exports
--export-concurrency parallelizes large exports. --ignore-login-profile skips console-password handling when you do not manage it.
When teams reach for Miam
Permission changes as pull requests
Instead of granting S3 access in the console, an engineer edits the IAMfile and opens a PR. Security reviews the exact policy JSON in the diff, and the dry-run shows what will attach before anyone approves.
Onboarding and offboarding
Creating a user with the right groups, path, and login profile is a small, reviewable diff. Offboarding is the reverse: delete the block, dry-run, apply. Git keeps a full history of who had access, and when.
Detecting IAM drift
Run miam -a --dry-run on a schedule in CI. Any output means someone changed IAM outside the file, such as an emergency grant. The team can then codify or revoke it while it is fresh.
Keeping multi-account IAM consistent
With templates and context variables, the same role and policy patterns apply across dev, staging, and production. --target filters let you roll changes out one account at a time.