Amazon Web Services Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Which API should we use to get the assigned roles from AWS Access Key and AWS Secret Access Key?

I was given a pair of AWS Access Key and AWS Access Secret.
I would like to confirm that the AWS User associated with the key has proper permissions and doesn’t have other unexpected roles. But I couldn’t find good API to do it. Is there any good API to know roles which attached to the user itself?

Though I’ve read document and googled it, I could not find a good way. I know that it is possible to test by calling the API itself one by one. But I’d like to get a list of roles attached to the user exhaustively if possible.

Tags:

2

Answers


  1. 0

    IAM Roles are not ‘attached’ to users. Instead, users can request to AssumeRole(). If they have the required permissions, then they will be given temporary credentials to use the IAM Role.

    Therefore, to determine whether a particular IAM User can use a particular IAM Role, you would need to look at:

    • The policies attached to the IAM User
    • The ‘trust policy’ attached to the IAM Role

    However, if you were using the word ‘roles’ to mean permissions in general, then you would need to look at the policies attached to the IAM User to see what permissions they have been granted. You could use the AWS Command-Line Interface (CLI) with commands like:

    • get-user-policy: Retrieves the specified inline policy document that is embedded in the specified IAM user.
    • list-attached-user-policies: Lists all managed policies that are attached to the specified IAM user.
    • For each attached policy, you could then call get-policy: Retrieves information about the specified managed policy.

    Users can also inherit permissions from IAM Groups, so you should check if the user is in an IAM Group and what permissions are attached to that group.

    To view the above information, you would also need to have been assigned permission to make these API calls. It is possible that you do not have such permissions, so you wouldn’t be able to view the actual permissions that you have been granted.

    Login or Signup to reply.
  2. 0

    To list the IAM roles and policies attached to a specific AWS user, you can use the AWS CLI.

    lists the managed policies attached to the user.

    aws iam list-attached-user-policies --user-name <username>

    lists the inline policies embedded within the user.

    aws iam list-user-policies --user-name <username>

    If the user belongs to any groups, this command lists those groups.

    aws iam list-groups-for-user --user-name <username>

    Although IAM users cannot have roles directly attached to them, you need to inspect the policies if you want to check which roles the user can assume. Specifically, you would look for policies attached to the user or their groups, including sts:AssumeRole actions.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search