npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@cloud-copilot/iam-shrink

v0.1.54

Published

Shrink IAM Policies

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

davidjkerberdavidjkerber

Keywords

AWSIAMIAM Policy SizeIAM Policy Optimization

Readme

Shrink IAM Actions

NPM Version License: AGPL v3 GuardDog Known Vulnerabilities

Built in the Unix philosophy, this is a small tool with two goals:

  1. Shrink IAM actions lists by creating patterns that match only the actions specified and no others.
  2. Do #1 in a way that won't make your coworkers hate you.

Using Action Wildcards is not recommended, sometimes there are IAM Limits you can't get around. This tool helps you stay within those limits.

Getting Small While Staying Sane

IAM Actions are camel cased into a number of words. For example:

  • s3:GetObject -> "Get" "Object"
  • s3:GetObjectTagging -> "Get" "Object" "Tagging"

IAM Shrink will only replace one word at a time and will never replace part of a word. So for instance s3:GetObject will never get shrunk to something like s3:*et*. This is to balance size reduction with readability.

Existing Wildcards

If your input already contains wildcards, they will be preserved. For example:

cat "s3:Get*Tagging" | iam-shrink
# Output
s3:Get*Tagging

Existing wildcards will be removed under three conditions:

  1. If the wildcard does not match any actual actions and effectively does nothing. For instance if you input s3:Get*NonExistentAction, it will be removed.
  2. If the wildcard is redundant or can be replaced with a more general wildcard. For instance if you input s3:GetObject* and s3:Get*, only s3:Get* will be kept.
  3. If the shrink process finds a smaller wildcard that replaces the existing one. For instance if you input s3:GetObject*, but during the shrink process iam-shrink finds is valid s3:Get*, s3:GetObject* will be removed.

Removing Preexisting Wildcards

If you want to remove all existing wildcards from you policy you can use iam-expand before using iam-shrink.

curl "https://government-secrets.s3.amazonaws.com/secret-policy.json" | iam-expand | iam-shrink

Use in Browser

https://iam.cloudcopilot.io/tools/iam-shrink

Use in CLI

Installation

You can install it globally. This also works in the default AWS CloudShell!

npm install -g @cloud-copilot/iam-shrink

Depending on your configuration sudo may be required to install globally.

Help

iam-shrink --help

Shrink IAM Actions

Pass in Argument

It's unlikely that you will pass in on the CLI a number of actions after the command name, but you can. You'll need a large number of actions for it to be practical, so it's mostly for automation.

Usage: iam-shrink s3:GetBucketTagging s3:GetJobTagging s3:GetObjectTagging s3:GetObjectVersionTagging s3:GetStorageLensConfigurationTagging
# Output
s3:Get*Tagging

Read from stdin

If no actions are passed as arguments, the CLI will read from stdin.

cat "s3:GetBucketTagging s3:GetJobTagging s3:GetObjectTagging s3:GetObjectVersionTagging s3:GetStorageLensConfigurationTagging" | iam-shrink
# Output
s3:Get*Tagging

Shrink JSON input

If the input is a valid json document, the CLI will find every instance of Action and NotAction that is an array of strings and shrink them.

Given policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "groundstation:GetAgentConfiguration",
        "groundstation:GetConfig",
        "groundstation:GetDataflowEndpointGroup",
        "groundstation:GetMinuteUsage",
        "groundstation:GetMissionProfile",
        "groundstation:GetSatellite",
        "groundstation:ListConfigs",
        "groundstation:ListContacts",
        "groundstation:ListDataflowEndpointGroups",
        "groundstation:ListEphemerides",
        "groundstation:ListGroundStations",
        "groundstation:ListMissionProfiles",
        "groundstation:ListSatellites",
        "groundstation:ListTagsForResource",
        "s3:GetBucketTagging",
        "s3:GetJobTagging",
        "s3:GetObjectTagging",
        "s3:GetObjectVersionTagging",
        "s3:GetStorageLensConfigurationTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "organizations:DeleteOrganization",
        "organizations:DeleteOrganizationalUnit",
        "organizations:DeletePolicy",
        "organizations:DeleteResourcePolicy",
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}
cat policy.json | iam-shrink > smaller-policy.json

Gives this file in smaller-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["groundstation:List*", "groundstation:Get*", "s3:Get*Tagging"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": ["organizations:Delete*", "organizations:Leave*"],
      "Resource": "*"
    }
  ]
}

Configuring iterations

By default, the CLI will do two iterations of shrinking. This generally does a good balance between reducing size and maintaining readability. This can be adjusted with the --iterations flag.

Assuming the AWS Read Only policy is in readonly.json

You can change this with the `--iterations` flag.

```bash
# Default two iterations
cat readonly.json | iam-shrink | wc -m
# 61305 characters

# Increasing iterations
cat readonly.json | iam-shrink --iterations 3 | wc -m
# 45983 characters
cat readonly.json | iam-shrink --iterations 4 | wc -m
# 43654 characters
cat readonly.json | iam-shrink --iterations 5 | wc -m
# 43336 characters

# Unlimited iterations until the policy cannot be further reduced
cat readonly.json | iam-shrink --iterations 0 | wc -m
# 43281 characters

If you want to shrink the policy as much as possible, you can use --iterations 0. This will keep shrinking the policy until it can't be reduced any further.

Specify Access Levels

AWS has Access Levels that are assigned to all permissions in IAM. They are:

  • List
  • Read
  • Write
  • Tagging
  • Permissions management

By default iam-shrink will shrink all actions regardless of their access level. You can specify a list of access levels using the --levels argument to shrink only those actions.

# Shrink all actions
cat big-policy.json | iam-shrink

# Shrink only Read, List, and Tagging actions. Write, and Permissions management actions will be included without any wildcards
cat big-policy.json | iam-shrink --levels read list tagging

Other CLI Options

  • --remove-sids: Remove all Sid fields from the policy.
  • --remove-whitespace: Remove all whitespace from the output.

Use in TypeScript/Node

You can use the shrink function in your own code.

import { shrink } from '@cloud-copilot/iam-shrink'

const actions = [
  's3:GetBucketTagging',
  's3:GetJobTagging',
  's3:GetObjectTagging',
  's3:GetObjectVersionTagging',
  's3:GetStorageLensConfigurationTagging'
]

const shrunk = await shrink(actions)
console.log(shrunk)
// [ s3:Get*Tagging ]

You can specify the number of iterations as well.

import { shrink } from '@cloud-copilot/iam-shrink'

const bigListOfActions = getBigListOfActions()

const smallerList = await shrink(bigListOfActions, { iterations: 3 })
console.log(shrunk)