Summary
Add a native IAM policy model type that allows users to express cloud IAM policies (AWS IAM, Azure RBAC, GCP IAM) directly in Casbin's model CONF — enabling cross-cloud authorization with a single enforcement engine.
Motivation
Casbin already supports ACL, RBAC, ABAC, RESTful, and other models. However, organizations adopting Casbin for cloud infrastructure authorization must manually translate AWS IAM policy documents or Azure role definitions into Casbin's PERM metamodel. This translation is error-prone and creates a gap between cloud-native policy tools and Casbin's unified enforcement layer.
There is existing discussion around IAM-like policy optimization (#1688). A native model type would eliminate the translation step entirely.
Proposed Design
New model keywords
Introduce a model type that accepts statements in a JSON structure familiar to cloud practitioners:
```json
{
  "version": "2012-10-17",
  "statement": [
    {
      "effect": "Allow",
      "action": ["s3:GetObject", "s3:ListBucket"],
      "resource": ["arn:aws:s3:::example-bucket/*"],
      "condition": {
        "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}
      }
    }
  ]
}
```
Under the hood, the model CONF would compile these into Casbin's existing PERM primitives:
```ini
[request_definition]
r = sub, action, resource, context

[policy_definition]
# the effect column must be named eft so that policy_effect can reference p.eft
p = eft, action_pattern, resource_pattern, conditions

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = keyMatch5(r.action, p.action_pattern) && keyMatch5(r.resource, p.resource_pattern) && eval(p.conditions)
```
Implementation approach
- A new parser that reads cloud IAM JSON and generates Casbin policy rows
- Built-in condition key evaluators (IpAddress, StringEquals, DateLessThan, etc.)
- A dedicated built-in function, or a similar helper, for ARN-style resource matching with wildcards and variables
- Optional: a CLI subcommand that reads a cloud policy JSON and outputs a Casbin model + policy file
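An added illustration of the three pieces this list describes (the JSON-to-policy-row parser, the ARN-style wildcard matcher and the condition key evaluators), written for this proposal and not taken from Casbin or any cloud SDK. It assumes the JSON shape shown above, substitutes a small standard-library wildcard matcher for keyMatch5, implements only the IpAddress and StringEquals operators, and applies the proposed deny-overrides policy effect; the names Statement, PolicyRow, CompilePolicy, MatchPattern, condHolds, EvalConditions, Enforce and SamplePolicy are assumptions, and SamplePolicy is a constructed document (the proposal's example plus one Deny statement).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Statement mirrors one entry of the proposal's "statement" array (Go names are assumptions).
type Statement struct {
	Effect    string                       `json:"effect"`
	Action    []string                     `json:"action"`
	Resource  []string                     `json:"resource"`
	Condition map[string]map[string]string `json:"condition"`
}

// PolicyRow is one compiled row: eft, action_pattern, resource_pattern, conditions.
type PolicyRow struct {
	Eft, ActionPattern, ResourcePattern string
	Conditions                          map[string]map[string]string
}

// CompilePolicy expands each (action, resource) pair of every statement into one policy
// row; a statement with an unknown effect is rejected rather than silently skipped.
func CompilePolicy(doc []byte) ([]PolicyRow, error) {
	var pd struct{ Statement []Statement `json:"statement"` } // "version" is accepted, not interpreted
	if err := json.Unmarshal(doc, &pd); err != nil {
		return nil, err
	}
	var rows []PolicyRow
	for _, st := range pd.Statement {
		eft := strings.ToLower(st.Effect) // "Allow" -> allow, "Deny" -> deny
		if eft != "allow" && eft != "deny" {
			return nil, fmt.Errorf("unknown effect %q", st.Effect)
		}
		for _, a := range st.Action {
			for _, r := range st.Resource {
				rows = append(rows, PolicyRow{eft, a, r, st.Condition})
			}
		}
	}
	return rows, nil
}

// MatchPattern stands in for the ARN-style matcher the proposal calls for: '*' matches any
// run of characters and '?' one character; policy variables are not expanded here.
func MatchPattern(pattern, value string) bool {
	re := strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(regexp.QuoteMeta(pattern))
	return regexp.MustCompile("^" + re + "$").MatchString(value)
}

// condHolds evaluates one condition operator; unsupported operators fail closed.
func condHolds(op, got, want string) bool {
	switch op {
	case "IpAddress":
		_, cidr, err := net.ParseCIDR(want)
		return err == nil && cidr.Contains(net.ParseIP(got)) // Contains(nil) is false
	case "StringEquals":
		return got == want
	}
	return false
}

// EvalConditions ANDs every operator/key pair; a missing request context key fails closed.
func EvalConditions(conds map[string]map[string]string, ctx map[string]string) bool {
	for op, kv := range conds {
		for key, want := range kv {
			if got, ok := ctx[key]; !ok || !condHolds(op, got, want) {
				return false
			}
		}
	}
	return true
}

// Enforce applies the proposed policy_effect, some(allow) && !some(deny), to a request of
// (action, resource, context); the proposed matcher does not consult sub, so nor does this.
func Enforce(rows []PolicyRow, action, resource string, ctx map[string]string) bool {
	matched := map[string]bool{}
	for _, p := range rows {
		if MatchPattern(p.ActionPattern, action) && MatchPattern(p.ResourcePattern, resource) &&
			EvalConditions(p.Conditions, ctx) {
			matched[p.Eft] = true
		}
	}
	return matched["allow"] && !matched["deny"]
}

// SamplePolicy is a constructed document: the proposal's Allow statement plus a Deny on a
// private prefix so that the deny-overrides effect is exercised.
const SamplePolicy = `{"version": "2012-10-17", "statement": [
  {"effect": "Allow", "action": ["s3:GetObject", "s3:ListBucket"],
   "resource": ["arn:aws:s3:::example-bucket/*"],
   "condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
  {"effect": "Deny", "action": ["s3:*"], "resource": ["arn:aws:s3:::example-bucket/private/*"]}]}`

func main() {
	rows, err := CompilePolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	ctx := map[string]string{"aws:SourceIp": "10.1.2.3"}
	fmt.Println(Enforce(rows, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", ctx)) // true
}
```

Running it prints `true`. Changing the source IP to an address outside 10.0.0.0/8, omitting the aws:SourceIp key, or requesting an object under private/ all evaluate to false, which is the fail-closed behaviour the condition evaluators and the deny-overrides effect need in order to be safe defaults.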
Trade-offs
- Cloud IAM policies can exceed Casbin's performance budget for very large statement sets; document scalability expectations
- Condition key semantics differ between AWS, Azure, and GCP — start with AWS as the first-class implementation, then add adapters
- Not all cloud IAM features map cleanly (e.g., AWS permission boundaries, service control policies) — these can be v2 additions