We Keep Coding

AWS CLI not listing policies attached to role

I followed the instructions here to set up and remove a python lambda function (and associated AWS resources).
When I try to clean up the function, role-policy and role, the instructions failed because the CLI does not manage to find the attached role policies. In particular, if I run:
aws iam list-role-policies --role-name myrolename
... I get an output of:
{
"PolicyNames": []
}
But when I look up the same role in the AWS console, I can see the policy is there.
So what is going on here? Is this an AWS bug (CLI version aws-cli/2.1.33 Python/3.9.2 Darwin/20.4.0 source/x86_64), or am I muddled up here somehow?

As i can see from the image, its a managed policy and unfortunately list-role-policies only Lists the names of the inline policies that are embedded in the specified IAM role.
Doc says
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies
use this for example
aws iam list-attached-role-policies --role-name SecurityAuditRole

How to switch between roles from the ec2 cli?

I provision an ec2 instance with a specific role. I want to the change the assumed role later form the ec2 cli to gain crross-account access, do something, and then switch back to my original role. How can I achieve this?

I'd use the ~/.aws/config file with the additional profile added.
Assuming that RoleA is your Instance Profile Role,
RoleB is the RoleB is the role you want to assume
RoleA has sts:assumerole
Update your ~/.aws/config to look like the following
[profile roleb]
role_arn = arn:aws:iam::123412341234:role/RoleB
region=us-east-1
credential_source = Ec2InstanceMetadata
So when you want to run the role from the assumed role b you would
aws s3 --profile roleb ls
For more info
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

You would not switch to another role. Rather, you would request temporary credentials associated with another role, then use those new credentials to make API calls.
The steps would be:
Call aws sts assume-role --role-arn arn:aws:iam::nnn:role/your-role --role-session-name foo
Grab the temporary credentials that are returned. I would recommend storing them in the ~/.aws/credentials file by using aws configure --profile role2
Then make API call with that role, such as: aws s3 ls --profile role2
To use the original credentials, just leave off the --profile.

How do I delete an AWS resource by ARN?

I have a service-linked role in AWS that I need to delete. When I try to delete it in IAM it fails and has a popup with the ARNs of two resources that use this role. This brain-dead blog post shows me the steps to recreate the problem I'm having and tells me that I need to delete the resources that use the role I'm trying to delete. Duh.
I've tried searching the given ARNs in the IAM search window, but it doesn't find them.
Now that I have the ARNs, how can I delete them so I can delete this role?

There is no API that provide delete of any resource by any ARN. You need to use specific services for delete resources.
If you have ARNs - according to documentation - it will be 3rd part (by ":" character):
arn:partition:SERVICE:region:account-id... // SERVICE where your resource is present
For example - if you have that ARN:
arn:aws:ec2:us-east-1:1234567890:instance/i-12345678901234567
That indicates it's EC2 instance. You can delete it via AWS Console (UI) or by example using AWS CLI:
aws --region us-east-1 ec2 terminate-instances --instance-ids i-12345678901234567
EDIT
According to link you provided (brain-dead blog post) there are ARNs of Redshift clusters, so you can try delete them via AWS CLI using this command:
aws --region <REGION> redshift delete-cluster --cluster-identifier <CLUSTER ID>
Where REGION and CLUSTER ID you can obtain from ARNs.
If you want to delete them from UI (AWS Console) - don't forget change to proper region.

Find role being used on server from AWS CLI

I'm on an EC2 instance that has an IAM role attached to it, and would like to be able to verify that I am indeed using this role from the AWS CLI.
I'm imagining being able to call something like this (but can't find anything like it in the CLI docs):
$ aws get-current-role-details
Does this functionality exist?

Use the AWS STS command get-caller-identity.
Returns details about the IAM identity whose credentials are used to call the API.
$ aws sts get-caller-identity
{
"UserId": "AIDAxxx",
"Account": "xxx",
"Arn": "arn:aws:iam::xxx:user/Tyrone321"
}
You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam-list-attached-role-policies for attached managed policies (thanks to #Dimitry K for the callout).
$ aws iam list-attached-role-policies --role-name Tyrone321
{
"AttachedPolicies": [
{
"PolicyName": "SomePolicy",
"PolicyArn": "arn:aws:iam::aws:policy/xxx"
},
{
"PolicyName": "AnotherPolicy",
"PolicyArn": "arn:aws:iam::aws:policy/xxx"
} ]
}
To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements.
If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy.
See the AWS IAM CLI reference for more information.

There is a more simple and elegant way to get the current role details.
$ curl http://169.254.169.254/latest/meta-data/iam/info
{
"Code" : "Success",
"LastUpdated" : "2019-05-08T13:15:52Z",
"InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/rolename",
"InstanceProfileId" : "AIPAIFNV5UU4JJLAXXXXX"
}
In InstanceProfileArn you can see your role name

Unfortunately, there is not a simple way to get that information. You'll need to get there through the following path:
Step 1. Get the current EC2 instance ID from the instance metadata.
curl -s http://169.254.169.254/latest/meta-data/instance-id
You may need the current region as well.
curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/\(.*\)[a-z]/\1/'
Step 2. Get the ID of the IAM Instance Profile attached to your EC2 instance.
aws ec2 describe-instances \
--region us-east-1 \
--instance-id i-12345678 \
--query 'Reservations[0].Instances[0].IamInstanceProfile.Id'
Remember to substitute the EC2 instance ID and region as required.
Step 3. Get the IAM instance profile roles.
aws iam list-instance-profiles \
--query "InstanceProfiles[?InstanceProfileId=='ABCDEFG'].Roles"
Remember to substitute the IAM instance profile ID.
Notes:
An IAM instance profile may have more than one IAM role associated with it. Usually it will be only one, but it could have more.

Create S3 Bucket in another Account

I have an ec2 instance configured with an IAM Role to read S3 in its own account. I configured a cross account role in another AWS account that has rights to create S3 buckets. I then gave the role that the ec2 instance is assigned access to the use the cross account role.
When I try to create the s3 bucket, it tries to create it in it's own account. How do I tell the aws cli to create the bucket in the other account?

Refer cross account python script https://blogs.aws.amazon.com/security/post/Tx70F69I9G8TYG/How-to-enable-cross-account-access-to-the-AWS-Management-Console
When you run it you will automatically redirect to cross account AWS Console...and if you don't want to run python script..login through switch role option.
Through cli you must have to run sts command...for example aws sts assume-role --role-arn crossSccountRoleARN --role-session-name "DemoRoleSession" > /tmp/assume-role-output.txt