
The title says it all, really. Given an AWS access key and secret, is it possible to get a list of IAM groups to which the user belongs? Is any self-introspection possible with the AWS APIs?

Edit: The question is assuming that no other privileges are granted other than being part of a group itself. For example, this particular IAM user only has permissions to read from an ECR repo and does not have privileges to call list-groups-for-user.

2 Answers


  1. Yes, it’s possible.

    If specific permissions have been granted for the user to run the command.

    From the docs list-groups-for-user:

    Lists the IAM groups that the specified IAM user belongs to. list-groups-for-user is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results.

    You can do something like this:

    aws iam list-groups-for-user --user-name Bob
    

    Which should output something like this:

    {
        "Groups": [
            {
                "Path": "/",
                "CreateDate": "2013-05-06T01:18:08Z",
                "GroupId": "AKIAIOSFODNN7EXAMPLE",
                "Arn": "arn:aws:iam::123456789012:group/Admin",
                "GroupName": "Admin"
            },
            {
                "Path": "/",
                "CreateDate": "2013-05-06T01:37:28Z",
                "GroupId": "AKIAI44QH8DHBEXAMPLE",
                "Arn": "arn:aws:iam::123456789012:group/s3-Users",
                "GroupName": "s3-Users"
            }
        ]
    }
    

    Full documentation on list-groups-for-user is here.

  2. If you do not have permission to call iam:ListGroupsForUser, or iam:ListGroups + iam:GetGroup, then you’re out of luck*. The only API operation that an AWS principal can call without an explicit permission is sts:GetCallerIdentity, which returns the identity of the principal whose credentials were used to call it. There are no permissionless API actions to list the permissions of a principal, list its group memberships, or anything like that.

    *I’m not sure what errors iam:AddUserToGroup and iam:RemoveUserFromGroup return if the user already is or is not a member of the target group. It’s possible that they might reveal group membership — but if you don’t have permission for iam:ListGroupsForUser, you’re highly unlikely to have permissions for these.

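The two answers above describe one procedure between them: call sts:GetCallerIdentity (which needs no explicit permission) to learn which principal the key belongs to, then try iam:ListGroupsForUser, following the Marker/IsTruncated pagination the docs mention, and expect an AccessDenied error for a user like the asker's ECR-only one. The script below is an added example, not code from either answer. It keeps the AWS calls behind injected client objects so the same logic runs against real boto3 clients (`boto3.client("sts")`, `boto3.client("iam")`) or against the constructed fake clients at the bottom, which stand in for AWS responses and are not real API output. The user-ARN regex, the `FakeSTS`/`FakeIAM*` classes and the account number 123456789012 are assumptions made for the example.

```python
"""Added example (not from the original post): self-introspection with only an
access key pair. sts:GetCallerIdentity needs no permission; the user name is
taken from the returned ARN; iam:ListGroupsForUser is then attempted and an
AccessDenied error is reported rather than crashing the script."""
import re
from typing import Optional

# Assumed ARN shape: arn:aws:iam::123456789012:user/Bob, optionally with a
# path (.../user/dev/Bob). Assumed-role and root ARNs deliberately do not
# match, since group membership only exists for IAM users.
_USER_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::(\d{12}):user/(?:.+/)?([^/]+)$")


def user_name_from_arn(arn: str) -> Optional[str]:
    """Return the IAM user name embedded in a caller-identity ARN, else None."""
    m = _USER_ARN.match(arn)
    return m.group(2) if m else None


def _error_code(exc: Exception) -> Optional[str]:
    """botocore's ClientError carries the AWS error code at response.Error.Code."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def list_groups_for_user(iam, user_name: str) -> list:
    """All group names for user_name, following Marker/IsTruncated pagination."""
    names, kwargs = [], {"UserName": user_name}
    while True:
        resp = iam.list_groups_for_user(**kwargs)
        names.extend(g["GroupName"] for g in resp["Groups"])
        if not resp.get("IsTruncated"):
            return names
        kwargs["Marker"] = resp["Marker"]


def introspect(sts, iam) -> dict:
    """What the holder of a key can learn about itself, permissions permitting."""
    ident = sts.get_caller_identity()  # works for any principal, no IAM permission needed
    out = {"account": ident["Account"], "arn": ident["Arn"],
           "user": user_name_from_arn(ident["Arn"]), "groups": None, "error": None}
    if out["user"] is None:
        out["error"] = "caller is not an IAM user (role or root); no group membership applies"
        return out
    try:
        out["groups"] = list_groups_for_user(iam, out["user"])
    except Exception as exc:
        if _error_code(exc) != "AccessDenied":
            raise  # throttling, network errors etc. are not the case we handle here
        out["error"] = "AccessDenied: caller lacks iam:ListGroupsForUser"
    return out


# ---- constructed fakes: stand-ins for boto3 clients, not real AWS responses ----
class FakeSTS:
    def __init__(self, arn: str):
        self.arn = arn

    def get_caller_identity(self):
        return {"Account": "123456789012", "Arn": self.arn, "UserId": "AIDAEXAMPLE"}


class FakeAccessDenied(Exception):
    """Shaped like botocore.exceptions.ClientError for an AccessDenied response."""
    response = {"Error": {"Code": "AccessDenied", "Message": "not authorized"}}


class FakeIAMDenied:
    """Mimics the asker's ECR-only user: ListGroupsForUser is denied."""
    def list_groups_for_user(self, **kwargs):
        raise FakeAccessDenied()


class FakeIAMPaged:
    """Returns the two groups from the first answer, split across two pages."""
    def list_groups_for_user(self, UserName, Marker=None):
        if Marker is None:
            return {"Groups": [{"GroupName": "Admin"}], "IsTruncated": True, "Marker": "p2"}
        return {"Groups": [{"GroupName": "s3-Users"}], "IsTruncated": False}


if __name__ == "__main__":
    bob = "arn:aws:iam::123456789012:user/Bob"
    print(introspect(FakeSTS(bob), FakeIAMPaged()))   # groups listed
    print(introspect(FakeSTS(bob), FakeIAMDenied()))  # AccessDenied reported
    # With real credentials in the environment:
    #   import boto3; introspect(boto3.client("sts"), boto3.client("iam"))
```

Note that even in the denied case the first call still yields the account ID, the user name and the user ID, which is exactly the extent of permissionless introspection the second answer describes.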