When you’re working with the AWS CLI, it’s crucial to understand what permissions your current IAM user or role has.
Not knowing what you’re authorized to do can lead to unexpected outcomes or wasted time trying to perform tasks you don’t have access to. That’s why it’s useful to be able to test your permissions via the AWS CLI.
In this post, I’ll walk you through how you can list the permissions attached to your active IAM user or role via the AWS CLI.
You’ll learn how to identify your current IAM user or role and then use that information to list all the permissions that have been granted. Let’s dive in!
Check the credentials and get its permissions for your current user with the AWS CLI
Before you can find out which permissions are attached to your current user credentials in the AWS CLI, you first need to log in to the AWS CLI profile you want to inspect.
Otherwise, you can’t run any AWS CLI commands against your AWS account.
1. Get the details about the IAM user or role that is currently active in the AWS CLI
To get the details of the IAM user or role that is currently active in your AWS CLI session, we’ll use the GetCallerIdentity API.
You don’t need any extra permissions to perform this call, and it returns your session data such as the UserId, the AccountId and the STS session Arn.
The command to fetch this session’s caller identity is:
➜ aws sts get-caller-identity
{
"UserId": "AROAWNKD5CBCQIUX5M2TG:dannysteenman",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_956be961792eba06/dannysteenman"
}
For this blog post, however, we want the name of the IAM role or user behind the session that is currently active in your AWS CLI, so that we can look up the permissions granted by its policies.
To extract that string, run the following command:
aws sts get-caller-identity --query "Arn" --output text | cut -d'/' -f2
This returns the name of the IAM role that you’ve assumed.
➜ aws sts get-caller-identity --query "Arn" --output text | cut -d'/' -f2
AWSReservedSSO_AdministratorAccess_956be961792eba06
2. List the permissions that are attached to your IAM user or role in the AWS CLI
Now we want to find out what permissions this IAM user or role has. To do that, we use the GetAccountAuthorizationDetails API. This API retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.
In our case we want to find out which permissions and policies are attached to the IAM role that is currently active in the AWS CLI.
To do that, run the command aws iam get-account-authorization-details --filter Role --query 'RoleDetailList[?RoleName==`<insert_your_role_name>`]'.
Note: Replace <insert_your_role_name> with the role name you fetched in the previous step.
This will return the following output:
➜ aws iam get-account-authorization-details --filter Role --query 'RoleDetailList[?RoleName==`AWSReservedSSO_AdministratorAccess_956be961792eba06`]'
[
{
"Path": "/aws-reserved/sso.amazonaws.com/eu-west-1/",
"RoleName": "AWSReservedSSO_AdministratorAccess_956be961792eba06",
"RoleId": "AROAWNKD5CBCQIUX5M2TG",
"Arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AdministratorAccess_956be961792eba06",
"CreateDate": "2023-03-16T15:28:17+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:saml-provider/AWSSSO_55dca73e624e5908_DO_NOT_DELETE"
},
"Action": [
"sts:AssumeRoleWithSAML",
"sts:TagSession"
],
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
}
}
]
},
"InstanceProfileList": [],
"RolePolicyList": [],
"AttachedManagedPolicies": [
{
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
}
],
"Tags": [],
"RoleLastUsed": {
"LastUsedDate": "2023-08-01T09:17:54+00:00",
"Region": "us-east-1"
}
}
]
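As an added example that is not part of the original post, the two steps above chained into one POSIX shell script. The aws commands are the ones used in the post; the helper function names (caller_principal, authorization_filter, authorization_query, list_my_permissions) are this example’s own, and it also handles an IAM user session, where the role query from step 2 would not apply.

```shell
# Added example, not from the original post: the two CLI steps chained into
# one POSIX shell script. The aws commands are the post's; helper names are mine.
set -eu

# caller_principal ARN -> prints "role NAME" or "user NAME". Handles both
# arn:aws:sts::ACCT:assumed-role/ROLE/SESSION and arn:aws:iam::ACCT:user/PATH/NAME;
# the post's `cut -d'/' -f2` only covers the first form.
caller_principal() {
  arn=$1
  resource=${arn#arn:*:*:*:*:}          # drop the five leading ARN fields
  case $resource in
    assumed-role/*)
      rest=${resource#assumed-role/}
      printf 'role %s\n' "${rest%%/*}" ;;  # strip the session name
    user/*)
      rest=${resource#user/}
      printf 'user %s\n' "${rest##*/}" ;;  # strip any path prefix
    *)
      echo "unsupported principal ARN: $arn" >&2
      return 1 ;;
  esac
}

# --filter value and JMESPath query for GetAccountAuthorizationDetails, so
# only our own role or user is selected from the account-wide result.
authorization_filter() {
  case $1 in role) echo Role ;; user) echo User ;; esac
}
authorization_query() {
  case $1 in
    role) printf 'RoleDetailList[?RoleName==`%s`]\n' "$2" ;;
    user) printf 'UserDetailList[?UserName==`%s`]\n' "$2" ;;
  esac
}

# Steps 1 and 2 chained. GetCallerIdentity needs no permission; the second
# call needs iam:GetAccountAuthorizationDetails. For a user, also check the
# GroupList in the output, since group policies grant permissions too.
list_my_permissions() {
  arn=$(aws sts get-caller-identity --query Arn --output text)
  set -- $(caller_principal "$arn")     # $1 = role|user, $2 = name
  aws iam get-account-authorization-details \
    --filter "$(authorization_filter "$1")" \
    --query "$(authorization_query "$1" "$2")"
}

# Only contact AWS when run as `sh script.sh --run`, so the helpers above can
# be sourced and exercised offline.
if [ "${1:-}" = "--run" ]; then list_my_permissions; fi
```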
Conclusion
Being able to check your AWS permissions via the CLI is a valuable skill. It can save you time and avoid potential complications when working with AWS resources.
Now that you understand how to find the permissions for your active IAM user or role, you have an extra tool in your belt for managing and understanding your AWS environment.
Remember that permissions in AWS are granted through policies, which can be attached directly to an IAM user or role, or to a group that the IAM user or role belongs to. These policies define what actions are allowed or denied on which AWS resources.
In this post, we have focused on the command-line interface, but it’s worth noting that you can also check your permissions through the AWS Management Console, under the IAM service.