iam: implement substrate neutral policy document model

examples/pom.xml

@@ -81,6 +81,16 @@
             <artifactId>docstore-aws</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.salesforce.multicloudj</groupId>
+            <artifactId>iam-aws</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.salesforce.multicloudj</groupId>
+            <artifactId>iam-gcp</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>com.salesforce.multicloudj</groupId>
             <artifactId>dbbackuprestore-aws</artifactId>

examples/src/main/java/com/salesforce/multicloudj/iam/Main.java

@@ -4,10 +4,12 @@
 import com.salesforce.multicloudj.iam.client.IamClient;
 import com.salesforce.multicloudj.iam.model.AttachInlinePolicyRequest;
 import com.salesforce.multicloudj.iam.model.CreateOptions;
+import com.salesforce.multicloudj.iam.model.Effect;
 import com.salesforce.multicloudj.iam.model.GetAttachedPoliciesRequest;
 import com.salesforce.multicloudj.iam.model.GetInlinePolicyDetailsRequest;
 import com.salesforce.multicloudj.iam.model.PolicyDocument;
 import com.salesforce.multicloudj.iam.model.Statement;
+import com.salesforce.multicloudj.iam.model.StorageActions;
 import com.salesforce.multicloudj.iam.model.TrustConfiguration;
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -275,7 +277,7 @@ private void demonstratePolicyManagement() {
         "Press Enter to remove the storage policy (check cloud console before proceeding)...");
     showInfo("Removing storage policy...");
     try {
-      removePolicy("roles/storage.admin");
+      removePolicy("storage-policy");
       showSuccess("Successfully removed storage policy");
     } catch (Exception e) {
       showError("Failed to remove policy: " + e.getMessage());
@@ -374,20 +376,37 @@ private void deleteIdentity(String identityName) throws Exception {
   }
 
   /**
-   * Attach a storage policy using a single comprehensive GCP IAM role. Using roles/storage.admin
-   * which provides full storage permissions.
+   * Attach a storage policy using substrate-neutral actions. These actions will be translated to
+   * cloud-specific formats: - AWS: storage:GetObject → s3:GetObject, storage:* → s3:* - GCP:
+   * storage:GetObject → roles/storage.objectViewer, storage:* → roles/storage.admin
    */
   private void attachStoragePolicy() throws Exception {
     try (IamClient iamClient = initializeClient()) {
-      // Create a policy document using a single comprehensive GCP IAM role
+      // Create a comprehensive policy document using substrate-neutral actions
       PolicyDocument policyDocument =
           PolicyDocument.builder()
               .version("2024-01-01")
+              .statement(
+                  Statement.builder()
+                      .sid("StorageReadAccess")
+                      .effect(Effect.ALLOW)
+                      .action(StorageActions.GET_OBJECT)
+                      .action(StorageActions.LIST_BUCKET)
+                      .resource("storage://demo-bucket/*")
+                      .build())
+              .statement(
+                  Statement.builder()
+                      .sid("StorageWriteAccess")
+                      .effect(Effect.ALLOW)
+                      .action(StorageActions.PUT_OBJECT)
+                      .action(StorageActions.DELETE_OBJECT)
+                      .resource("storage://demo-bucket/*")
+                      .build())
               .statement(
                   Statement.builder()
                       .sid("StorageFullAccess")
-                      .effect("Allow")
-                      .action("roles/storage.admin")
+                      .effect(Effect.ALLOW)
+                      .action(StorageActions.ALL)
                       .resource("storage://demo-bucket/*")
                       .build())
               .build();

iam/iam-aws/src/main/java/com/salesforce/multicloudj/iam/aws/AwsIam.java

@@ -1,5 +1,7 @@
 package com.salesforce.multicloudj.iam.aws;
 
+import static com.salesforce.multicloudj.iam.aws.AwsIamPolicyTranslator.translateToAwsPolicy;
+
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -355,7 +357,7 @@ protected void doAttachInlinePolicy(AttachInlinePolicyRequest request) {
     }
 
     String roleName = request.getIdentityName();
-    String policyDocumentJson = buildInlinePolicyDocumentJson(request.getPolicyDocument());
+    String policyDocumentJson = translateToAwsPolicy(request.getPolicyDocument());
 
     PutRolePolicyRequest awsRequest =
         PutRolePolicyRequest.builder()
@@ -367,47 +369,6 @@ protected void doAttachInlinePolicy(AttachInlinePolicyRequest request) {
     this.iamClient.putRolePolicy(awsRequest);
   }
 
-  private static String buildInlinePolicyDocumentJson(PolicyDocument policyDocument) {
-    String version = policyDocument.getVersion();
-    if (StringUtils.isBlank(version)) {
-      version = POLICY_VERSION;
-    }
-    Map<String, Object> doc = new LinkedHashMap<>();
-    doc.put("Version", version);
-
-    List<Map<String, Object>> awsStatements = new ArrayList<>();
-    for (Statement stmt : policyDocument.getStatements()) {
-      Map<String, Object> awsStmt = new LinkedHashMap<>();
-      awsStmt.put("Effect", stmt.getEffect());
-
-      List<String> actions = stmt.getActions();
-      if (actions != null && !actions.isEmpty()) {
-        awsStmt.put("Action", actions);
-      }
-      if (StringUtils.isNotBlank(stmt.getSid())) {
-        awsStmt.put("Sid", stmt.getSid());
-      }
-      if (stmt.getResources() != null && !stmt.getResources().isEmpty()) {
-        awsStmt.put("Resource", stmt.getResources());
-      }
-      if (stmt.getConditions() != null && !stmt.getConditions().isEmpty()) {
-        awsStmt.put("Condition", stmt.getConditions());
-      }
-      if (stmt.getPrincipals() != null && !stmt.getPrincipals().isEmpty()) {
-        awsStmt.put("Principal", stmt.getPrincipals());
-      }
-
-      awsStatements.add(awsStmt);
-    }
-    doc.put("Statement", awsStatements);
-
-    try {
-      return OBJECT_MAPPER.writeValueAsString(doc);
-    } catch (JsonProcessingException e) {
-      throw new InvalidArgumentException("Failed to serialize inline policy document", e);
-    }
-  }
-
   /**
    * Get inline policy document attached to an IAM role.
    *