I'm on an EC2 instance that has an IAM role attached to it, and would like to be able to verify that I am indeed using this role from the AWS CLI.
I'm imagining being able to call something like this (but can't find anything like it in the CLI docs):
$ aws get-current-role-details
Does this functionality exist?
Use the AWS STS command get-caller-identity.
Returns details about the IAM identity whose credentials are used to call the API.
$ aws sts get-caller-identity
{
"UserId": "AIDAxxx",
"Account": "xxx",
"Arn": "arn:aws:iam::xxx:user/Tyrone321"
}
You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam list-attached-role-policies for attached managed policies (thanks to @Dimitry K for the callout).
$ aws iam list-attached-role-policies --role-name Tyrone321
{
"AttachedPolicies": [
{
"PolicyName": "SomePolicy",
"PolicyArn": "arn:aws:iam::aws:policy/xxx"
},
{
"PolicyName": "AnotherPolicy",
"PolicyArn": "arn:aws:iam::aws:policy/xxx"
} ]
}
To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements.
If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy.
See the AWS IAM CLI reference for more information.
There is a more simple and elegant way to get the current role details.
$ curl http://169.254.169.254/latest/meta-data/iam/info
{
"Code" : "Success",
"LastUpdated" : "2019-05-08T13:15:52Z",
"InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/rolename",
"InstanceProfileId" : "AIPAIFNV5UU4JJLAXXXXX"
}
In InstanceProfileArn you can see your role name.
Unfortunately, there is not a simple way to get that information. You'll need to get there through the following path:
Step 1. Get the current EC2 instance ID from the instance metadata.
curl -s http://169.254.169.254/latest/meta-data/instance-id
You may need the current region as well.
curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/\(.*\)[a-z]/\1/'
Step 2. Get the ID of the IAM Instance Profile attached to your EC2 instance.
aws ec2 describe-instances \
--region us-east-1 \
--instance-id i-12345678 \
--query 'Reservations[0].Instances[0].IamInstanceProfile.Id'
Remember to substitute the EC2 instance ID and region as required.
Step 3. Get the IAM instance profile roles.
aws iam list-instance-profiles \
--query "InstanceProfiles[?InstanceProfileId=='ABCDEFG'].Roles"
Remember to substitute the IAM instance profile ID.
Notes:
An IAM instance profile may have more than one IAM role associated with it. Usually it will be only one, but it could have more.
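The two metadata answers above use plain IMDSv1 GETs, which fail on instances that enforce IMDSv2 (HttpTokens=required). The script below is an added example, not code from any answer: it fetches metadata with an IMDSv2 session token and turns the two parsing steps (region from availability zone, role name from the iam/info document) into functions. The JSON sample embedded at the bottom is constructed for the offline test; the account ID and profile ID in it are placeholders.

```python
"""Added example (not from the thread): IMDSv2 metadata lookups plus the parsing
steps from the answers. SAMPLE_IAM_INFO is a constructed document."""
import json
import re
import urllib.request

IMDS = "http://169.254.169.254"


def imds_get(path, ttl_seconds=60):
    """GET a meta-data path using an IMDSv2 token. Required when the instance
    enforces IMDSv2; harmless on instances that still allow IMDSv1.
    Not called by the offline test (it needs a real instance)."""
    token_req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(token_req, timeout=2) as resp:
        token = resp.read().decode()
    data_req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/{path}",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(data_req, timeout=2) as resp:
        return resp.read().decode()


def region_from_az(az):
    """Same transform as the sed one-liner in Step 1: strip the trailing zone letter.
    Deriving the region this way is fragile for Local Zones; the meta-data path
    placement/region returns it directly and is the better source."""
    return re.sub(r"[a-z]$", "", az)


def role_name_from_iam_info(info_json):
    """Extract the last path element of InstanceProfileArn from /iam/info.
    Note this is the *instance profile* name, which usually but not always
    matches the role name; /iam/security-credentials/ lists the role name itself,
    and Step 3 above resolves the profile to its roles authoritatively."""
    arn = json.loads(info_json)["InstanceProfileArn"]
    return arn.split(":instance-profile/", 1)[1].rsplit("/", 1)[-1]


# Constructed sample of the /iam/info document (placeholder IDs).
SAMPLE_IAM_INFO = (
    '{"Code": "Success", "LastUpdated": "2019-05-08T13:15:52Z", '
    '"InstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/rolename", '
    '"InstanceProfileId": "AIPAEXAMPLEID"}'
)

if __name__ == "__main__":
    # On a real instance these calls print the region and the profile/role name.
    print(region_from_az(imds_get("placement/availability-zone")))
    print(role_name_from_iam_info(imds_get("iam/info")))
```

Run it on an instance to see the live values; off-instance, the two parsing functions can be exercised against `SAMPLE_IAM_INFO` and any zone string.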
I am copying the name of a policy I created (and attached to a role) and running the following command:
$ aws iam get-role-policy --role-name MyRole --policy-name MyPolicy
however I am getting:
An error occurred (NoSuchEntity) when calling the GetRolePolicy operation: The role policy with name MyPolicy cannot be found.
The policy is right there, I am copying the name from the AWS console.
What is the issue here?
I have also tried the following, that does list the policy
$ aws iam list-attached-role-policies --role-name MyRole
{
"AttachedPolicies": [
{
"PolicyName": "MyPolicy",
"PolicyArn": "arn:aws:iam::123456789:policy/MyPolicy"
}
]
}
list-attached-role-policies lists all managed policies attached to a role and get-role-policy retrieves an inline policy. In order to retrieve a managed policy you'll want to use get-policy, get the policy version from there and retrieve it using get-policy-version.
Inside an Amazon EC2 instance with an IAM role:
$ aws sts get-caller-identity
{
"Account": "999999999999",
"UserId": "AROA4AD2EEIE4XYIBOEYP:i-abcdefg12345678",
"Arn": "arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/i-abcdefg12345678"
}
The IAM role session name is the instance ID.
Is there a way to update this session name on the fly?
For example temporarily change the assumed role session name
arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/i-abcdefg12345678/specialSession
Or even
arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/specialSession
(no instance id)
For Amazon EC2 instance profiles, AWS sets the role session on your behalf and sets the role session name to the instance profile ID. If you want to change the role, you may consider assuming the role again and setting a new name for the role session:
$ aws sts assume-role --role-arn arn:aws:iam::999999999999:role/my-instance-iam-role --role-session-name newname
The command returns the required info for you to assume the role. Next, create three environment variables to assume the IAM role (please replace the values with the values from the previous command):
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
You could run get-caller-identity again:
$ aws sts get-caller-identity
{
"UserId": "AROARXXXXX:newname",
"Account": "999999999999",
"Arn": "arn:aws:sts::999999999999:assumed-role/my-instance-iam-role/newname"
}
I am using the aws ec2 describe-volumes with the out showing this:
{
"Volumes": [
Is there anyway to include the ownerarn in this?
The AWS CLI describe-volumes documentation shows the output that will be returned.
I'm not sure what you mean by ownerarn, but Amazon EBS volumes belong to an AWS Account that is identified by a 12-digit number. The Account ID is not returned as part of the describe-volumes call, but you can obtain it by calling aws iam get-user and extracting the Account ID from the returned Arn for the user.
Within AWS, resources are linked to AWS Accounts. They are not linked to IAM Users.
I am able to fetch one policy from all AWS accounts using below command.
aws --profile ${profile} iam list-policies --query 'Policies[?starts_with(PolicyName,`Policy-dynamo-db`)]'
Now I am trying to delete the policy using AWS-CLI from all my aws accounts using policy name. Is it possible to delete the policy using policy name? OR do I need to fetch the policy ARN for all the AWS accounts to delete. Any help with the command?
You can do it this way:
First detach the policy from the role.
aws iam delete-role-policy --role-name Test-Role --policy-name ExamplePolicy
And the only way to delete a policy is using the ARN:
aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy
Reference: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-role-policy.html
Note: if your AWS IAM user doesn't have access to the policy then you will not be able to list or delete those policies.
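Two of the answers above describe IAM call sequences without showing them end to end: reading a role's effective permissions (inline policies via list-role-policies/get-role-policy, managed policies via list-attached-role-policies, then get-policy and get-policy-version for the default version) and deleting a customer-managed policy when only its name is known. The script below is an added example, not code from any answer. `FakeIAM` is a constructed in-memory stand-in for `boto3.client("iam")` so the script runs offline; the two top-level functions are written against the real boto3 method names and can be handed a real client unchanged. Account IDs, role and policy names are placeholders.

```python
"""Added example (not from the thread). FakeIAM is a constructed stand-in for
boto3.client("iam"); role_policy_documents and delete_managed_policy_by_name use
the real boto3 call names and response shapes."""


def role_policy_documents(iam, role_name):
    """Return {policy_name: policy_document} for every policy applied to the role."""
    docs = {}
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        # Inline policies carry their document directly.
        docs[name] = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        # The attachment only names the managed policy; its statements live in the default version.
        arn = att["PolicyArn"]
        default = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        version = iam.get_policy_version(PolicyArn=arn, VersionId=default)
        docs[att["PolicyName"]] = version["PolicyVersion"]["Document"]
    return docs


def delete_managed_policy_by_name(iam, policy_name):
    """Resolve a customer-managed policy's ARN from its name, then delete it.
    DeletePolicy fails with DeleteConflict while the policy is attached anywhere
    or has more than one version, so both are cleared first."""
    local = iam.list_policies(Scope="Local")["Policies"]  # real code: use get_paginator("list_policies")
    matches = [p for p in local if p["PolicyName"] == policy_name]
    if len(matches) != 1:
        raise LookupError(f"expected one policy named {policy_name!r}, found {len(matches)}")
    arn = matches[0]["Arn"]
    entities = iam.list_entities_for_policy(PolicyArn=arn)
    for role in entities["PolicyRoles"]:
        iam.detach_role_policy(RoleName=role["RoleName"], PolicyArn=arn)
    for user in entities["PolicyUsers"]:
        iam.detach_user_policy(UserName=user["UserName"], PolicyArn=arn)
    for group in entities["PolicyGroups"]:
        iam.detach_group_policy(GroupName=group["GroupName"], PolicyArn=arn)
    for v in iam.list_policy_versions(PolicyArn=arn)["Versions"]:
        if not v["IsDefaultVersion"]:
            iam.delete_policy_version(PolicyArn=arn, VersionId=v["VersionId"])
    iam.delete_policy(PolicyArn=arn)
    return arn


class FakeIAM:
    """Constructed sample account: role MyRole with one inline policy and one attached
    managed policy (Policy-dynamo-db) that has two versions. Users/groups are empty."""

    def __init__(self):
        self.arn = "arn:aws:iam::123456789012:policy/Policy-dynamo-db"
        self.inline = {"MyRole": {"InlineS3": {"Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}}}
        self.attached = {"MyRole": [{"PolicyName": "Policy-dynamo-db", "PolicyArn": self.arn}]}
        self.versions = {
            "v1": {"Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]},
            "v2": {"Statement": [{"Effect": "Allow", "Action": "dynamodb:Query", "Resource": "*"}]},
        }
        self.default = "v2"
        self.deleted = []

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.inline[RoleName])}

    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": self.inline[RoleName][PolicyName]}

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": list(self.attached[RoleName])}

    def get_policy(self, PolicyArn):
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": self.default}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": self.versions[VersionId]}}

    def list_policies(self, Scope):
        return {"Policies": [{"PolicyName": "Policy-dynamo-db", "Arn": self.arn}]}

    def list_entities_for_policy(self, PolicyArn):
        roles = [{"RoleName": r} for r, ps in self.attached.items()
                 if any(p["PolicyArn"] == PolicyArn for p in ps)]
        return {"PolicyRoles": roles, "PolicyUsers": [], "PolicyGroups": []}

    def detach_role_policy(self, RoleName, PolicyArn):
        self.attached[RoleName] = [p for p in self.attached[RoleName] if p["PolicyArn"] != PolicyArn]

    def list_policy_versions(self, PolicyArn):
        return {"Versions": [{"VersionId": v, "IsDefaultVersion": v == self.default}
                             for v in self.versions]}

    def delete_policy_version(self, PolicyArn, VersionId):
        del self.versions[VersionId]

    def delete_policy(self, PolicyArn):
        # Mirrors the real API: refuse while still attached or multi-versioned.
        if self.list_entities_for_policy(PolicyArn)["PolicyRoles"] or len(self.versions) > 1:
            raise RuntimeError("DeleteConflict")
        self.deleted.append(PolicyArn)
```

For the cross-account case in the question, build one client per profile (`boto3.Session(profile_name=...).client("iam")`) and call `delete_managed_policy_by_name` with each; the name lookup is done per account, so no ARNs need to be collected up front. Real `list_policies` responses are paginated, so use the paginator there rather than a single call.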
I was wondering how to use simulate-principal-policy using the AWS CLI for an assumed role.
To provide some context, as part of my application's startup, I want to ensure that the application has the necessary permissions to access all the AWS resources it needs. I do this by getting the caller identity using aws sts get-caller-identity and use the returned caller identity as the policy source arn for the simulate-principal-policy request.
When our application runs on EC2, it uses an assumed role. so, get-caller-identity returns an assumed role arn.
If I try to execute simulate-principal-policy using my user arn as the policy source arn, the command works fine.
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:sts::123456789021:user/divesh"
However, trying to execute the command above by using an assumed role reports an error.
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:sts::123456789021:assumed-role/development/development-session"
An error occurred (InvalidInput) when calling the SimulatePrincipalPolicy operation: Invalid Entity Arn: arn:aws:sts::123456789021:assumed-role/development/development-session does not clearly define entity type and name.
Our application runs on a Kubernetes cluster and uses kiam to associate IAM roles to pods.
The problem with your request is that you are using the "Profile ARN" instead of the "Role ARN". To get the Role Arn, you can do the following:
Pull the Role Name from the Instance Profile Arn:
arn:aws:sts::123456789021:assumed-role/development/development-session becomes development/development-session
Get the instance profile based on that name:
aws iam get-instance-profile --instance-profile-name Instance Profile Arn
Find the Role Arn in the resulting document:
{
"InstanceProfile":{
"Roles":[
{
"Arn":"arn:aws:iam::992863558783:role/YourRole"
}
]
}
}
Use this ARN in simulate-principal-policy
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:iam::992863558783:role/YourRole"
In Python, the script would look like this:
import boto3

iam = boto3.client('iam')
# ARN reported by sts get-caller-identity for the assumed role
profileArn = 'arn:aws:sts::123456789021:assumed-role/development/development-session'
# Take the part after ':assumed-role/' as the instance profile name
iamProfileName = profileArn.split(':assumed-role/')[1]
profile = iam.get_instance_profile(InstanceProfileName=iamProfileName)
# Collect the ARN of every role in the instance profile
policySourceArns = []
for role in profile['InstanceProfile']['Roles']:
    policySourceArns.append(role['Arn'])
# Simulate the action against the first role's ARN
retval = iam.simulate_principal_policy(
    PolicySourceArn=policySourceArns[0],
    ActionNames=['sqs:Receivemessage']
)
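Both the first answer on this page (take the role name from get-caller-identity, then query IAM) and the answer just above need the same step: turning the STS ARN that `sts get-caller-identity` returns into an IAM entity ARN that list-attached-role-policies and simulate-principal-policy accept. The script below is an added example, not the answer's own code, and it takes a different route from the answer: an `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION` ARN already names the role, so the IAM role ARN is built directly rather than by looking up an instance profile. It also classifies user, root and federated-user ARNs. The ARNs in the test are the placeholder ones from this thread.

```python
"""Added example (not from the thread): classify a caller-identity ARN and derive
the IAM entity ARN to use with iam list-*-policies / simulate-principal-policy."""
import re
from dataclasses import dataclass
from typing import Optional

# Principal ARNs from IAM or STS: region is always empty, account is 12 digits.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>\d{12}):(?P<resource>.+)$")


@dataclass
class Principal:
    kind: str                   # "user", "role", "root" or "federated-user"
    partition: str
    account: str
    name: str
    session: Optional[str] = None

    @property
    def iam_arn(self) -> Optional[str]:
        """IAM entity ARN usable as --policy-source-arn, or None if there is no IAM entity."""
        if self.kind == "root":
            return f"arn:{self.partition}:iam::{self.account}:root"
        if self.kind == "user":
            return f"arn:{self.partition}:iam::{self.account}:user/{self.name}"
        if self.kind == "role":
            # Caveat: the STS assumed-role ARN omits the role's path. For a role created
            # with a path, use the exact Arn from `iam get-role` instead of this string.
            return f"arn:{self.partition}:iam::{self.account}:role/{self.name}"
        return None  # federated-user sessions have no IAM entity to simulate against


def parse_caller_arn(arn: str) -> Principal:
    """Classify a get-caller-identity ARN; raises ValueError for shapes it does not know."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn}")
    partition, account, resource = m["partition"], m["account"], m["resource"]
    if resource == "root":
        return Principal("root", partition, account, "root")
    kind, _, rest = resource.partition("/")
    if kind == "user":
        return Principal("user", partition, account, rest)        # rest keeps any path
    if kind == "assumed-role":
        role, _, session = rest.partition("/")                     # assumed-role/ROLE/SESSION
        return Principal("role", partition, account, role, session)
    if kind == "federated-user":
        return Principal("federated-user", partition, account, rest)
    raise ValueError(f"unsupported principal type {kind!r} in {arn}")


if __name__ == "__main__":
    import sys
    # Pipe in: aws sts get-caller-identity --query Arn --output text
    for line in sys.stdin:
        p = parse_caller_arn(line.strip())
        print(f"{p.kind}\t{p.name}\t{p.session}\t{p.iam_arn}")
```

With boto3 the input is `boto3.client("sts").get_caller_identity()["Arn"]`; the resulting `iam_arn` is what the first answer passes to `list-attached-role-policies --role-name` (use `.name`) and what the simulate-principal-policy call above expects as `PolicySourceArn`.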