New deal!

Join 90,000+ creators to write, schedule and publish on Twitter • Sign up for free → typefully.com

Contact us

Updated:

Check your credentials and its permissions using the AWS CLI

Danny Steenman

When you’re working with the AWS CLI, it’s crucial to understand what permissions your current IAM user or role has.

Not knowing what you’re authorized to do can lead to unexpected outcomes or wasted time trying to perform tasks you don’t have access to. That’s why it’s useful to be able to test your permissions via the AWS CLI.

In this post, I’ll walk you through how you can list the permissions attached to your active IAM user or role via the AWS CLI.

You’ll learn how to identify your current IAM user or role and then use that information to list all the permissions that have been granted. Let’s dive in!

Check the credentials and get its permissions for your current user with the AWS CLI

Before you can find out which permissions are attached to your current user credentials in the AWS CLI. You first need to log in to the specified AWS CLI profile.

Otherwise, you can’t run any AWS CLI commands on your AWS account.

1. Get the details about the IAM user or role that is currently active in the AWS CLI

To get the details of the IAM user or role that is currently active in your AWS CLI session, we’ll use the GetCallerIdentity API.

You don’t need any extra permissions to perform this call and it allows you to fetch your session data such as UserId, AccountId and STS Session Arn.

The command to fetch this session’s caller identity is:

➜ aws sts get-caller-identity
{
    "UserId": "AROAWNKD5CBCQIUX5M2TG:dannysteenman",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_956be961792eba06/dannysteenman"
}

But for this blog post we want to find out what the IAM role or user name is of the session that is currently activated on your AWS CLI so that we can find out its permissions in their policy.

To get that string, we’ll perform the following command:

aws sts get-caller-identity --query "Arn" --output text | cut -d'/' -f2

This will return the IAM Role name that you’ve assumed.

➜ aws sts get-caller-identity --query "Arn" --output text | cut -d'/' -f2

AWSReservedSSO_AdministratorAccess_956be961792eba06

2. List the permissions that are attached to your IAM user or role in the AWS CLI

Now we want to find out what permissions this IAM user or role has. In order to do that we GetAccountAuthorizationDetails API. This API retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.

In our case we want to find out what permissions and policies are attached to our active IAM role that’s currently active in the AWS CLI.

To do that, run the command aws iam get-account-authorization-details --filter Role --query 'RoleDetailList[?RoleName==`<insert_rour_role_name>`]'.

Note: Replace the RoleName with the one your fetched in the previous step.

This will return the following output:

➜ aws iam get-account-authorization-details --filter Role --query 'RoleDetailList[?RoleName==`AWSReservedSSO_AdministratorAccess_956be961792eba06`]'

[
    {
        "Path": "/aws-reserved/sso.amazonaws.com/eu-west-1/",
        "RoleName": "AWSReservedSSO_AdministratorAccess_956be961792eba06",
        "RoleId": "AROAWNKD5CBCQIUX5M2TG",
        "Arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AdministratorAccess_956be961792eba06",
        "CreateDate": "2023-03-16T15:28:17+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Federated": "arn:aws:iam::123456789012:saml-provider/AWSSSO_55dca73e624e5908_DO_NOT_DELETE"
                    },
                    "Action": [
                        "sts:AssumeRoleWithSAML",
                        "sts:TagSession"
                    ],
                    "Condition": {
                        "StringEquals": {
                            "SAML:aud": "https://signin.aws.amazon.com/saml"
                        }
                    }
                }
            ]
        },
        "InstanceProfileList": [],
        "RolePolicyList": [],
        "AttachedManagedPolicies": [
            {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
            }
        ],
        "Tags": [],
        "RoleLastUsed": {
            "LastUsedDate": "2023-08-01T09:17:54+00:00",
            "Region": "us-east-1"
        }
    }
]

Conclusion

Being able to check your AWS permissions via the CLI is a valuable skill. It can save you time and avoid potential complications when working with AWS resources.

Now that you understand how to find the permissions for your active IAM user or role, you have an extra tool in your belt for managing and understanding your AWS environment.

Remember that permissions in AWS are granted through policies, which can be attached directly to an IAM user or role, or to a group that the IAM user or role belongs to. These policies define what actions are allowed or denied on which AWS resources.

In this post, we have focused on the command-line interface, but it’s worth noting that you can also check your permissions through the AWS Management Console, under the IAM service.

, ,

Related posts

Danny Steenman

A Senior AWS Cloud Engineer with over 9 years of experience migrating workloads from on-premises to AWS Cloud.

I have helped companies of all sizes shape their cloud adoption strategies, optimizing operational efficiency, reducing costs, and improving organizational agility.

Connect with me today to discuss your cloud aspirations, and let’s work together to transform your business by leveraging the power of AWS Cloud.

I need help with..
stacked cubes
Improving or managing my CDK App.Maximize the potential of your AWS CDK app by leveraging the expertise of a seasoned CDK professional.
Reducing AWS Costs.We can start by doing a thorough assessment of your current AWS infrastructure, identifying areas with potential for cost reduction and efficiency improvement.
Verifying if my infrastructure is reliable and efficient.We’ve created a comprehensive AWS Operations Checklist that you can utilize to quickly verify if your AWS Resources are set up reliably and efficiently.