Istvan

Reputation: 8572

Is there a way to programmatically list all of the available actions for an AWS service?

I am looking for a way to list all of the actions that can be used in an AWS IAM policy.

This is an example policy that uses IAM actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1457442845000",
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:GetGroupPolicy",
                "iam:CreateGroup",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRolePolicy",
                "iam:ListAttachedGroupPolicies"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

I would like to search through actions from a file, and for that I would like to have all the available actions. I could not find a way yet to get that list. Any direction is appreciated.

Upvotes: 24

Views: 7603

Answers (9)

Mark B

Reputation: 200998

The available actions for each service are in the documentation for those services, for example the list of IAM actions is in the IAM documentation, and the list of EC2 actions is in the EC2 documentation.

This page has links to all the actions for each service.

Upvotes: 5

TryTryAgain

Reputation: 7830

Adding my comment as an answer as well. I currently maintain the project https://github.com/TryTryAgain/aws-iam-actions-list

It checks the policies.js file mentioned in other answers here but also "announces" New Services and things like that. Fun to peruse commits https://github.com/TryTryAgain/aws-iam-actions-list/commits/master during AWS re:Invent time or if you're waiting for a particular IAM action to be added/released :)

https://github.com/TryTryAgain/aws-iam-actions-list/blob/master/all-actions.txt contains a full list of all known IAM actions from that policies file listed in alphabetical order; from within the last 4 hours, based on that policies.js file. You can then use regex filters against that all-actions.txt file to quickly find particular things you may be interested in as well. Please feel free to open up any issues or comment back here with suggestions.

For example, to get all actions for the new "Q" service:

grep '^q:' all-actions.txt

or for getting back all EC2 actions that contain "Ingress" or "Egress":

grep -E '^ec2:.*(Ingress|Egress)' all-actions.txt

Upvotes: 0

Joel McCoy

Reputation: 21

I was pretty annoyed that there is no easy way to do this, so I built a Python utility tool that takes the data from https://awspolicygen.s3.amazonaws.com/js/policies.js and translates it into a Python dictionary. It also handles caching of the file locally so running the command doesn't take too long after running it once.

Easy way to get a list:

pip install pyiamvortex
pyiamvortex get-aws-actions

ref:

Upvotes: 2

Iain Samuel McLean Elder

Reputation: 20984

Fluggo's service authorization reference scraper is a machine readable version of the official Service Authorization Reference documentation.

The GitHub repo history shows an audit trail of policy changes.

Here's an example of how to use it.

Save the auth reference.

curl \
--silent \
--show-error \
--url 'https://raw.githubusercontent.com/fluggo/aws-service-auth-reference/master/service-auth.json' \
> /tmp/auth.json 

Search for IAM actions ending in "Role".

cat /tmp/auth.json \
| jq --raw-output '
  .[]
  | {service: .servicePrefix} + (.actions[] | {action: .name})
  | select(.service == "iam" and (.action | match("Role$")))
  | "\(.service):\(.action)"
'

Output:

iam:CreateRole
iam:CreateServiceLinkedRole
iam:DeleteRole
iam:DeleteServiceLinkedRole
iam:GetRole
iam:ListInstanceProfilesForRole
iam:PassRole
iam:TagRole
iam:UntagRole
iam:UpdateRole

I used this to discover that allowing iam:*Role isn't a good way to allow all lifecycle actions on a normal role because it allows things like CreateServiceLinkedRole and PassRole.

Upvotes: 1
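
The wildcard check described in the answer above, as an added example that is not part of the original post: it expands each `Action` pattern of a policy against an action catalogue and reports what is granted beyond an intended set. The catalogue is a constructed sample in the `servicePrefix` / `actions[].name` shape the jq filter reads; the function names and the `lifecycle` list are assumptions, and only `Allow` statements with `Action` are handled.

```python
import json
import re

# Constructed sample in the shape the jq filter above reads (servicePrefix,
# actions[].name); a real run would json.load() the saved /tmp/auth.json.
SAMPLE_AUTH = json.loads("""
[{"servicePrefix": "iam", "actions": [
    {"name": "CreateRole"}, {"name": "CreateServiceLinkedRole"},
    {"name": "DeleteRole"}, {"name": "GetPolicy"}, {"name": "GetRole"},
    {"name": "PassRole"}, {"name": "TagRole"}, {"name": "UpdateRole"}]},
 {"servicePrefix": "s3", "actions": [{"name": "GetObject"}]}]
""")

def catalogue(auth):
    """Flatten the reference into sorted 'prefix:Action' strings."""
    return sorted(f"{s['servicePrefix']}:{a['name']}" for s in auth for a in s["actions"])

def to_regex(pattern):
    """IAM Action wildcards: '*' is any run of characters, '?' exactly one; case-insensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body, re.IGNORECASE)

def as_list(value):
    """Policy elements may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def expand(policy, actions):
    """Map each Action pattern in Allow statements to the concrete actions it grants."""
    granted = {}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in as_list(stmt.get("Action", [])):
            rx = to_regex(pattern)
            granted[pattern] = [a for a in actions if rx.fullmatch(a)]
    return granted

def unintended(policy, actions, intended):
    """Concrete actions the policy grants beyond the set the author meant to allow."""
    granted = {a for matches in expand(policy, actions).values() for a in matches}
    return sorted(granted - set(intended))

if __name__ == "__main__":
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["iam:*Role"], "Resource": "*"}]}
    lifecycle = ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:UpdateRole"]
    print(unintended(policy, catalogue(SAMPLE_AUTH), lifecycle))
```

Running the same expansion over a real policy file before it is attached shows every concrete action a wildcard will grant as the catalogue stands today.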

Nicolas Dao

Reputation: 1107

If you have node installed on your machine, simply type npx get-aws-actions in your terminal. No need to install anything. This npx command fetches the actions from the AWS policy generator file https://awspolicygen.s3.amazonaws.com/js/policies.js and supports text search to pinpoint the actions for specific AWS services (e.g., search for s3: to list all the S3 actions).

Upvotes: 1

zellio

Reputation: 32524

Amazon provides a policy generator which itself knows all of the possible APIs and Actions at the current point in time.

One can generate a list of Actions from the AWS Policy Generator policies.js:

curl --header 'Connection: keep-alive' \
     --header 'Pragma: no-cache' \
     --header 'Cache-Control: no-cache' \
     --header 'Accept: */*' \
     --header 'Referer: https://awspolicygen.s3.amazonaws.com/policygen.html' \
     --header 'Accept-Language: en-US,en;q=0.9' \
     --silent \
     --compressed \
     'https://awspolicygen.s3.amazonaws.com/js/policies.js' |
    cut -d= -f2 |
    jq -r '.serviceMap[] | .StringPrefix as $prefix | .Actions[] | "\($prefix):\(.)"' |
    sort |
    uniq

Upvotes: 17

Adam

Reputation: 171

I liked Trentium's answer, but it will need maintenance.

I think I will use the AWS Policy Generator call for the policies.js file.

Upvotes: 11

Sandy Chapman

Reputation: 11341

Lists of all actions available for each service are available in the IAM Reference Documentation here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html

Actions, Resources and applicable Conditions are defined.

Upvotes: 1

Trentium

Reputation: 3719

Ran into the same issue, except was looking for Actions associated with more than just AWS Service IAM. Solved by:

  • Pulling the AWS SDK for JavaScript ( see https://sdk.amazonaws.com/builder/js/ ) for all services.
  • Loading the resulting minified JavaScript file ( aws-sdk-2.680.0.min.js ) as part of a small custom HTML document.
  • Writing a JavaScript function that takes the desired service, and loops through the object AWS.apiLoader.services[ 'iam' ][ Version ].operations, pulling the list of Actions. ( Note that 'Version' is in the format of yyyy-mm-dd and in the minified JavaScript file, there was only one entry for each AWS service. )
  • Exporting the results.

Hope someone finds this helpful, as this was the only way I was able to programmatically get a comprehensive list of the Actions associated with an AWS Service...

Upvotes: 2
