Find role being used on server from AWS CLI

There is a simpler and more elegant way to get the current role details.

$ curl http://169.254.169.254/latest/meta-data/iam/info

{
  "Code" : "Success",
  "LastUpdated" : "2019-05-08T13:15:52Z",
  "InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/rolename",
  "InstanceProfileId" : "AIPAIFNV5UU4JJLAXXXXX"
}

In InstanceProfileArn you can see your role name.


Use the AWS STS command get-caller-identity.

Returns details about the IAM identity whose credentials are used to call the API.

$ aws sts get-caller-identity
{
    "UserId": "AIDAxxx",
    "Account": "xxx",
    "Arn": "arn:aws:iam::xxx:user/Tyrone321"
}

You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam list-attached-role-policies for attached managed policies (thanks to @Dimitry K for the callout).

$ aws iam list-attached-role-policies --role-name Tyrone321
{
  "AttachedPolicies": [
  {
    "PolicyName": "SomePolicy",
    "PolicyArn": "arn:aws:iam::aws:policy/xxx"
  },
  {
    "PolicyName": "AnotherPolicy",
    "PolicyArn": "arn:aws:iam::aws:policy/xxx"
  } ]
}

To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements. If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy. See the AWS IAM CLI reference for more information.
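A script version of this procedure, added here as an example and not code from either answer: it takes the ARN from get-caller-identity, which on an EC2 instance running under an instance profile is an STS assumed-role ARN (arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName) rather than the iam::...:user ARN shown above, cuts out the role or user name, and walks the attached managed and inline policies. It assumes a configured AWS CLI; the function names and the AUDIT_RUN variable are my own.

```sh
# Added example, not from the original answers: resolve the calling principal
# to a role or user name and list its policies. Assumes a configured AWS CLI.

# Print "<kind> <name>" for an ARN (kind is role or user). On an EC2 instance
# get-caller-identity returns an STS ARN of the form
# arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName, so the role name
# has to be cut out before it can be passed to the iam subcommands.
principal_from_arn() {
  arn=$1
  case "$arn" in
    arn:*:sts::*:assumed-role/*)
      rest=${arn#*:assumed-role/}            # RoleName/SessionName
      printf 'role %s\n' "${rest%%/*}" ;;
    arn:*:iam::*:role/*)
      printf 'role %s\n' "${arn##*/}" ;;     # drops any path prefix
    arn:*:iam::*:user/*)
      printf 'user %s\n' "${arn##*/}" ;;
    *) return 1 ;;                           # root, federated, etc.
  esac
}

# Print the statements of a managed policy's default version.
show_managed_policy() {
  version=$(aws iam get-policy --policy-arn "$1" \
              --query Policy.DefaultVersionId --output text) || return 1
  aws iam get-policy-version --policy-arn "$1" --version-id "$version" \
      --query PolicyVersion.Document
}

# Enumerate attached (managed) and inline policies for the caller.
enumerate_caller_policies() {
  arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  principal=$(principal_from_arn "$arn") ||
    { echo "unsupported principal: $arn" >&2; return 1; }
  set -- $principal; kind=$1; name=$2
  echo "Principal: $kind $name"
  for policy_arn in $(aws iam "list-attached-${kind}-policies" \
        "--${kind}-name" "$name" --query 'AttachedPolicies[].PolicyArn' --output text); do
    echo "== managed: $policy_arn"; show_managed_policy "$policy_arn"
  done
  for policy_name in $(aws iam "list-${kind}-policies" "--${kind}-name" "$name" \
        --query PolicyNames --output text); do
    echo "== inline: $policy_name"
    aws iam "get-${kind}-policy" "--${kind}-name" "$name" \
        --policy-name "$policy_name" --query PolicyDocument
  done
}
# Run the enumeration only when explicitly requested: AUDIT_RUN=1 sh audit.sh
if [ "${AUDIT_RUN:-0}" = 1 ]; then enumerate_caller_policies; fi
```

The enumeration needs iam:GetPolicy, iam:GetPolicyVersion and the list/get calls for the principal's own policies, which a least-privilege instance role often does not grant; in that case the sts and IMDS calls above still tell you the role name and the review has to be done from an account with IAM read access.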