Get a users roles having their aws access key (or can I use IAM roles in my business logic)

Question

On AWS, if you have an EC2 instances temporary credentials, like ACCESS_KEY (plus secret key and temporary token if needed), how can you get a list of roles they belong to?

EDIT: I am not looking for the users role, I am looking for the role of the EC2 instance they are running on.

Basically I want to know if you can use IAM roles in your own business logic, like can I have a "production webserver" that can call an internal API but nobody else can?

Answer 1

After editing your question I can provide you with the following solution. The IAM profile can be accessed by using the EC2 metadata service. You can access it directly using curl or using one of the AWS scripting libraries such as boto.

curl http://169.254.169.254/latest/meta-data/iam/info/
{
  "Code" : "Success",
  "LastUpdated" : "2014-05-16T15:37:50Z",
  "InstanceProfileArn" : "***************",
  "InstanceProfileId" : "*********************"
}

Answer 2

It may be a little confusing because of the term "Role" that amazon chooses to use but they don't actually work as you expect. IAM has users and roles (profiles) but they are not directly related or linked. You cannot use them to do what you're attempting to do.

http://aws.amazon.com/iam/faqs/

Q: What is the difference between an IAM role and an IAM user?

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be “assumed” by authorized entities, such as IAM users, applications, or an AWS service like EC2.