aws query to find the list of inactive keys - amazon-web-services

This query has an issue and returns an error:
aws iam list-access-keys --user-name "User1_aws" --query AccessKeyMetadata.Status[?Value == 'Inactive'] --output text
The query below gives me both inactive and active keys. I have 2 keys, one active and one inactive, but it returns both keys for the same user even though I put the filter for inactive keys only. Can anyone help me with this?
aws iam list-access-keys --user-name "user_aws" --query 'AccessKeyMetadata[].AccessKeyId' && AccessKeyMetadata.Status[?Value == 'Inactive'] --output text

This will help you.
aws iam list-access-keys --user-name "aws-user" --query 'AccessKeyMetadata[?Status == `Inactive`].AccessKeyId'

Related

aws cognito-idp list-users : filter by email domain?

I can filter on addresses that start with "john@"
aws cognito-idp list-users --user-pool-id my-pool --filter "email ^= \"john@\"" --limit 20
Is it possible to filter on ends with "@gmail.com"?
Not at the moment. You can follow this issue to see if in the future they add this feature: https://github.com/aws/aws-sdk-js/issues/3136
Yes it is possible.
If you use the --query instead of --filter you can query on anything in the resulting response by using JMESPath.
So to filter out @gmail.com you can do:
aws cognito-idp list-users --user-pool-id my-pool --query 'Users[?Attributes[?Name==`email` && contains(Value, `gmail.com`)]]'

bulk aws iam delete-login-profile

I have an account in AWS that I want to block access to the console from some users (more than 50 users).
It can be achieved using aws-cli by running aws iam delete-login-profile --user-name <name>, but I don't want to do it manually one by one. Is there a way to do it in bulk (using a CSV file, etc.)?
Thanks!
So I managed to do it that way:
Exporting all users to .csv:
if aws iam list-users --output text --query 'Users[*].[UserName]' > users.csv
then
echo "Users list exported successfully"
else
echo "Export failed"
fi
And then:
#!/bin/bash
# Read one user name per line from the exported file and remove each console login profile
while read -r n
do
echo "Deleting login profile for ${n}"
aws iam delete-login-profile --user-name "${n}"
done < users.csv
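The same bulk console-access removal in Python, added here as an example (not the poster's code), with the two things a practitioner usually wants on top of the loop above: a dry-run mode and a keep-list, plus handling of users who never had a login profile (the real API raises NoSuchEntityException for those). FakeIAM and NoSuchEntity are constructed stand-ins for boto3.client("iam") and botocore's exception so the script runs offline.

```python
"""Bulk revocation of IAM console access (delete-login-profile), offline demo."""


class NoSuchEntity(Exception):
    """Constructed stand-in for botocore's iam.exceptions.NoSuchEntityException."""


class FakeIAM:
    """Constructed stand-in for boto3.client("iam"): tracks who has a console profile."""

    def __init__(self, with_profile):
        self.profiles = set(with_profile)

    def delete_login_profile(self, UserName):
        if UserName not in self.profiles:
            raise NoSuchEntity(UserName)  # API-only user: nothing to delete
        self.profiles.remove(UserName)


def load_users(text):
    """Parse the users.csv produced by `--query 'Users[*].[UserName]' --output text` (one name per line)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def revoke_console_access(iam, users, keep=(), dry_run=True):
    """Return (done, skipped, missing). Names in `keep` (e.g. break-glass admins) are never touched;
    with dry_run=True nothing is deleted and `done` is the plan."""
    done, skipped, missing = [], [], []
    for name in users:
        if name in keep:
            skipped.append(name)
            continue
        if not dry_run:
            try:
                iam.delete_login_profile(UserName=name)
            except NoSuchEntity:
                missing.append(name)
                continue
        done.append(name)
    return done, skipped, missing


USERS_CSV = "alice\nbob\ncarol\nbreakglass-admin\n"  # constructed sample export

if __name__ == "__main__":
    iam = FakeIAM(["alice", "bob", "breakglass-admin"])
    plan, kept, _ = revoke_console_access(iam, load_users(USERS_CSV), keep={"breakglass-admin"})
    print("would delete:", plan, "kept:", kept)
```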

How do I list tags for all roles using AWS CLI

I would like to list tags for all of my roles within IAM.
aws iam list-role-tags --role-name role123 will only list tags for single role.
aws iam list-roles will list all the roles.
How do I concatenate these two cli commands to list all the tags in all roles?
You can do this with the following shell script:
# Get all role names as text
roles=$(aws iam list-roles \
--query 'Roles[*].RoleName' \
--output text)
# Loop through role names and get tags
for role in $roles
do
aws iam list-role-tags --role-name $role
done
If the respective role's tag lists were too long and got truncated you would have to do some extra work. But I think this is a good starting point.
Or if you just want to grab the tags with a single-line command, try this:
for rolename in $(aws iam list-roles --query 'Roles[*].RoleName' --output text);do aws iam list-role-tags --role-name $rolename --query "Tags";done
Output
[
{
"Key": "Name",
"Value": "test"
}
]

How to list users and its permissions with AWS CLI?

I run this command: aws iam list-users, and I get a list of users, but no permissions are listed (meaning whether someone is root, has s3fullaccess, and so forth).
I run this other command: aws iam list-user-policies --user-name xxxxx, and I get this empty result:
{
"PolicyNames": []
}
Which command, or what combination of commands, do I need to display all users plus their respective permissions? Thanks.
That command only lists the user's inline policies, you would also need to get the list of managed policies attached to the IAM user. Then you would also need to get the list of groups a user belongs to, and list the inline policies and managed policies attached to each of the groups.
So from the CLI you would need to do the following:
aws iam list-user-policies
aws iam list-attached-user-policies
aws iam list-groups-for-user
# For each group:
aws iam list-group-policies
aws iam list-attached-group-policies
I highly recommend doing something like this in Python and Boto3, instead of using the AWS CLI tool.
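The walk described above in Python, added here as an example (not the answerer's code): it collects inline and managed policies on the user and on each of the user's groups, which is exactly the set that aws iam list-user-policies alone misses. FakeIAM is a constructed stand-in for boto3.client("iam") with sample data so it runs offline; against the real client the same calls apply, but responses can be truncated, so use the client's get_paginator for each list call.

```python
"""Resolve every policy that can grant an IAM user permissions (offline demo)."""

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


class FakeIAM:
    """Constructed stand-in for boto3.client("iam"); responses mirror the real API shapes."""

    def __init__(self):
        self.user_inline = {"alice": ["s3-read"]}
        self.user_attached = {"alice": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}
        self.user_groups = {"alice": ["admins", "devs"]}
        self.group_inline = {"admins": [], "devs": ["deploy"]}
        self.group_attached = {"admins": [ADMIN_ARN], "devs": []}

    def list_user_policies(self, UserName):
        return {"PolicyNames": self.user_inline.get(UserName, [])}

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.user_attached.get(UserName, [])]}

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.user_groups.get(UserName, [])]}

    def list_group_policies(self, GroupName):
        return {"PolicyNames": self.group_inline.get(GroupName, [])}

    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.group_attached.get(GroupName, [])]}


def effective_policies(iam, user):
    """Return (source, kind, name) for every policy reaching `user`.
    source is 'user' or 'group:<name>'; kind is 'inline' or 'managed'.
    Note: real boto3 list_* calls paginate; wrap them with get_paginator in production."""
    found = []
    for n in iam.list_user_policies(UserName=user)["PolicyNames"]:
        found.append(("user", "inline", n))
    for p in iam.list_attached_user_policies(UserName=user)["AttachedPolicies"]:
        found.append(("user", "managed", p["PolicyArn"]))
    for g in iam.list_groups_for_user(UserName=user)["Groups"]:
        gname = g["GroupName"]
        for n in iam.list_group_policies(GroupName=gname)["PolicyNames"]:
            found.append((f"group:{gname}", "inline", n))
        for p in iam.list_attached_group_policies(GroupName=gname)["AttachedPolicies"]:
            found.append((f"group:{gname}", "managed", p["PolicyArn"]))
    return found


def admin_paths(iam, user):
    """Sources through which the user receives AdministratorAccess (quick privilege audit)."""
    return [src for src, _, name in effective_policies(iam, user) if name == ADMIN_ARN]
```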
Inspired by this post, I wrote this to capture a user's permissions, prior to purging them, in case they need to be restored later:
function _getUserIamPermissions() {
export AWS_PAGER="";
local _user="${1}";
local outputManagedPolicies="";
local outputUserPolicies="";
local outputManagedGroupPolicies="";
local outputGroupPolicies="";
# Managed Policies Attached to the IAM User
local _managedpolicies=$(aws iam list-attached-user-policies --user-name "${_user}" | jq -r '.AttachedPolicies[].PolicyArn';);
for policy in ${_managedpolicies}; do
local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
outputManagedPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}";);
printf "%s" "${outputManagedPolicies}";
done;
# Inline Policies on the IAM User
local _userpolicies=$(aws iam list-user-policies --user-name "${_user}" | jq -r '.PolicyNames[]';);
for policy in ${_userpolicies}; do
outputUserPolicies=$(aws iam get-user-policy --user-name "${_user}" --policy-name "${policy}";);
printf "%s" "${outputUserPolicies}";
done;
# Get all of the IAM User's assigned IAM Groups
local _groups=$(aws iam list-groups-for-user --user-name "${_user}" | jq -r '.Groups[].GroupName';);
for group in ${_groups}; do
# Managed Policies Attached to the IAM Group
local _managedgrouppolicies=$(aws iam list-attached-group-policies --group-name "${group}" | jq -r '.AttachedPolicies[].PolicyArn';);
for policy in ${_managedgrouppolicies}; do
local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
outputManagedGroupPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}" | jq --arg arn "${policy}" '{"PolicyArn": $arn, "Policy": .}';);
printf "%s" "${outputManagedGroupPolicies}";
done;
# Inline Policies on the IAM Group
local _grouppolicies=$(aws iam list-group-policies --group-name "${group}" | jq -r '.PolicyNames[]';);
for policy in ${_grouppolicies}; do
outputGroupPolicies=$(aws iam get-group-policy --group-name "${group}" --policy-name "${policy}";);
printf "%s" "${outputGroupPolicies}";
done;
done;
}
function getUserIamPermissions() {
local username="${1}";
_getUserIamPermissions "${username}" | jq -s;
}
Updated based on information found here: https://www.badllama.com/content/using-aws-cli-check-user-permissions
Usage:
The fastest way to use it and the way I used it, was through AWS CloudShell. I opened the CloudShell terminal, pasted that in and then I'd run:
getUserIamPermissions <username>
The output is a JSON array containing all of a user's:
Managed Policies attached to the IAM User
Inline Policies on the IAM User
Managed Policies attached to the user's IAM Groups
Inline Policies on the user's IAM Groups
First, you get the list of policies (as mentioned in the answer by @Mark-b).
Next you get versions of each policy:
aws iam list-policy-versions --policy-arn
For specific version, you query PolicyDocument
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --version-id vX
You will get a JSON-formatted PolicyDocument with the IAM policy statements.
You can use AWS API GetAccountAuthorizationDetails to get a snapshot of the configuration of IAM permissions
Kindly run the one-liner bash script below to list all users with their policies, groups, and attached policies.
aws iam list-users --query 'Users[*].[UserName]' --output text | while read -r user; do printf "\n\n--------------Getting information for user %s-----------\n\n" "$user"; aws iam list-user-policies --user-name "$user" --output yaml; aws iam list-groups-for-user --user-name "$user" --output yaml; aws iam list-attached-user-policies --user-name "$user" --output yaml; done; echo; echo

AWS-CLI: Ways to list down autoscalinggroups

Is there a way to list down the available AutoScalingGroups under an account and filter on top of it based on some tags?
I am looking for something like aws ecs list-clusters which gives list of ecs clusters.
Yes. You can use JMESPath syntax to filter the results of aws autoscaling describe-auto-scaling-groups command down to only those groups matching some tag's key/value pair. This uses the --query parameter, which is available for filtering on most AWS CLI commands.
Example to query by a single tag:
The example below filters results based on a tag where Key = 'Environment' and Value = 'Dev'.
aws autoscaling describe-auto-scaling-groups --query "AutoScalingGroups[? Tags[? (Key=='Environment') && Value=='Dev']]".AutoScalingGroupName
Example to query by multiple tags:
The example below filters results based on tags where Key = 'Environment' and Value = 'Dev', and Key = 'Name' and Value = 'MyValue'. This uses a pipe to query for the second tag on the resulting autoscaling groups of the query for the first tag.
aws autoscaling describe-auto-scaling-groups --query "AutoScalingGroups[? Tags[? (Key=='Environment') && Value=='Dev']] | [? Tags[? Key=='Name' && Value =='MyValue']]".AutoScalingGroupName
Further Reading
AWS Documentation - aws autoscaling describe-auto-scaling-groups
AWS Documentation - Controlling Command Output from the AWS Command Line Interface
The AWS CLI command below gives the Auto Scaling Groups with a tag having Key == Product and Value == test, for the profile account1:
aws --profile account1 autoscaling describe-auto-scaling-groups \
--query 'AutoScalingGroups[?contains(Tags[?Key==`Product`].Value, `test`)].[AutoScalingGroupName]' --region eu-west-1 --output table
aws autoscaling describe-auto-scaling-groups \
--query AutoScalingGroups[].AutoScalingGroupName \
--filters \
"Name=tag:MyTagKey1,Values=MyTagValue1" \
"Name=tag:MyTagKey2,Values=MyTagValue2"