I was given a pair of AWS Access Key and AWS Access Secret.
I would like to confirm that the AWS User associated with the key has proper permissions and doesn’t have other unexpected roles. But I couldn’t find a good API to do it. Is there any good API to know which roles are attached to the user itself?
Though I’ve read the documentation and googled it, I could not find a good way. I know that it is possible to test by calling the API itself one by one. But I’d like to get a list of roles attached to the user exhaustively if possible.
2 Answers
IAM Roles are not ‘attached’ to users. Instead, users can request to AssumeRole(). If they have the required permissions, then they will be given temporary credentials to use the IAM Role.
Therefore, to determine whether a particular IAM User can use a particular IAM Role, you would need to look at:
However, if you were using the word ‘roles’ to mean permissions in general, then you would need to look at the policies attached to the IAM User to see what permissions they have been granted. You could use the AWS Command-Line Interface (CLI) with commands like:
Users can also inherit permissions from IAM Groups, so you should check if the user is in an IAM Group and what permissions are attached to that group.
To view the above information, you would also need to have been assigned permission to make these API calls. It is possible that you do not have such permissions, so you wouldn’t be able to view the actual permissions that you have been granted.
To list the IAM roles and policies attached to a specific AWS user, you can use the AWS CLI.
lists the managed policies attached to the user.
aws iam list-attached-user-policies --user-name <username>
lists the inline policies embedded within the user.
aws iam list-user-policies --user-name <username>
If the user belongs to any groups, this command lists those groups.
aws iam list-groups-for-user --user-name <username>
Although IAM users cannot have roles directly attached to them, you need to inspect the policies if you want to check which roles the user can assume. Specifically, you would look for policies attached to the user or their groups, including sts:AssumeRole actions.
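Added example, not part of either answer: a Python sketch of the last step, scanning policy documents that have already been retrieved (for instance with `aws iam get-user-policy` or `aws iam get-policy-version`) for Allow statements that cover sts:AssumeRole. The function names, policy labels and sample documents are constructed for illustration.

```python
import re

def _matches(pattern, action):
    """IAM-style match: case-insensitive, '*' = any run, '?' = one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def _as_list(value):
    # Statement, Action and Resource may each be a single item or a list.
    return value if isinstance(value, list) else [value]

def assumable_roles(policies):
    """Return sorted (policy_label, resource) pairs for every Allow statement
    whose Action covers sts:AssumeRole. Deny statements, Condition blocks,
    NotAction and permission boundaries are not evaluated here, and the
    role's own trust policy must also allow the user."""
    found = set()
    for label, doc in policies.items():
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            if any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt["Action"])):
                for res in _as_list(stmt.get("Resource", [])):
                    found.add((label, res))
    return sorted(found)

# Constructed sample documents keyed by a hypothetical label
# (inline / managed / group origin); the account ID is a placeholder.
SAMPLE = {
    "inline:deploy": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/deploy"}},
    "managed:ReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "group:admins/wide": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "STS:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111122223333:role/audit"}]},
}

if __name__ == "__main__":
    for label, resource in assumable_roles(SAMPLE):
        print(f"{label}: may request AssumeRole on {resource}")
```

A wildcard grant such as `STS:*` on `*` is reported because it covers every role whose trust policy accepts the user, which is the unexpected access the question is trying to rule out.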