ryantuck

Reputation: 6674

Find role being used on server from AWS CLI

I'm on an EC2 instance that has an IAM role attached to it, and would like to be able to verify that I am indeed using this role from the AWS CLI.

I'm imagining being able to call something like this (but can't find anything like it in the CLI docs):

$ aws get-current-role-details

Does this functionality exist?

Upvotes: 52

Views: 71200

Answers (3)

Tyrone321

Reputation: 1922

Use the AWS STS command get-caller-identity.

Returns details about the IAM identity whose credentials are used to call the API.

$ aws sts get-caller-identity
{
    "UserId": "AIDAxxx",
    "Account": "xxx",
    "Arn": "arn:aws:iam::xxx:user/Tyrone321"
}

You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam list-attached-role-policies for attached managed policies (thanks to @Dimitry K for the callout).

$ aws iam list-attached-role-policies --role-name Tyrone321
{
    "AttachedPolicies": [
        {
            "PolicyName": "SomePolicy",
            "PolicyArn": "arn:aws:iam::aws:policy/xxx"
        },
        {
            "PolicyName": "AnotherPolicy",
            "PolicyArn": "arn:aws:iam::aws:policy/xxx"
        }
    ]
}

To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements. If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy. See the AWS IAM CLI reference for more information.

Upvotes: 93
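An added example, not part of the answer above, covering the case the question actually asks about. On an EC2 instance that gets its credentials from an instance profile, `aws sts get-caller-identity` does not return a `user/...` ARN like the one shown: the caller is an assumed role, and the ARN has the form `arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName` (the session name is the instance ID). The role name therefore has to be pulled out of the second path segment before it can be passed to the `iam` commands. `principal_from_arn` is pure shell and runs offline on constructed ARNs; `role_policies` and `whoami_aws` call the real AWS CLI and need IAM read permissions, whereas `get-caller-identity` itself needs none and cannot be denied by the role's own policy.

```sh
#!/bin/sh
# Added example, not from the answer above. Parses the Arn returned by
# `aws sts get-caller-identity` and extracts the role name.
#
# With instance-profile credentials the caller is an assumed role, so the
# Arn looks like this (constructed, not a real account):
#   arn:aws:sts::123456789012:assumed-role/MyInstanceRole/i-0123456789abcdef0
# The role name is the second path segment; the third is the session name,
# which for instance-profile credentials is the instance ID.
set -eu

# principal_from_arn ARN
# Prints "<type> <name>"; type is assumed-role, role, user or root.
# Returns 1 for anything else so an unexpected principal (a federated
# user, a service principal) is never silently treated as a role.
principal_from_arn() {
    arn="$1"
    # the resource part is everything after the fifth colon
    resource="${arn#*:*:*:*:*:}"
    case "$resource" in
        assumed-role/*)
            rest="${resource#assumed-role/}"
            printf 'assumed-role %s\n' "${rest%%/*}"   # drop /SessionName
            ;;
        role/*)
            rest="${resource#role/}"
            printf 'role %s\n' "${rest##*/}"           # drop any IAM path prefix
            ;;
        user/*)
            rest="${resource#user/}"
            printf 'user %s\n' "${rest##*/}"
            ;;
        root)
            printf 'root -\n'
            ;;
        *)
            printf 'unexpected principal: %s\n' "$arn" >&2
            return 1
            ;;
    esac
}

# role_policies ROLE_NAME
# Lists inline and attached managed policies for the role. Unlike
# get-caller-identity, these calls can be denied by the role's own
# policy, so a failure here does not mean the role is not attached.
role_policies() {
    echo "inline policies:"
    aws iam list-role-policies --role-name "$1" \
        --query 'PolicyNames' --output text
    echo "attached managed policies:"
    aws iam list-attached-role-policies --role-name "$1" \
        --query 'AttachedPolicies[].PolicyArn' --output text
}

# whoami_aws
# Ties it together: classify the caller, then dump the matching policies.
whoami_aws() {
    caller="$(aws sts get-caller-identity --query Arn --output text)"
    principal="$(principal_from_arn "$caller")"
    ptype="${principal%% *}"
    pname="${principal#* }"
    echo "caller: $caller ($ptype $pname)"
    case "$ptype" in
        assumed-role|role) role_policies "$pname" ;;
        user) aws iam list-attached-user-policies --user-name "$pname" \
                  --query 'AttachedPolicies[].PolicyArn' --output text ;;
    esac
}
```

Source the file and run `whoami_aws`. On an instance with a profile attached the first line should read `assumed-role <RoleName>`. If it reports a `user` instead, the CLI is not using the instance role at all: the credential provider chain checks environment variables and `~/.aws/credentials` before it falls back to the instance metadata service, so a stray access key on the box silently wins over the role.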

Aditya Jangid

Reputation: 407

There is a simpler and more elegant way to get the current role details.

$ curl http://169.254.169.254/latest/meta-data/iam/info

{
  "Code" : "Success",
  "LastUpdated" : "2019-05-08T13:15:52Z",
  "InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/rolename",
  "InstanceProfileId" : "AIPAIFNV5UU4JJLAXXXXX"
}

In InstanceProfileArn you can see your role name.

Upvotes: 29
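An added example, not part of the answer above, that reads the same information through IMDSv2. The bare `curl` GET shown only works while IMDSv1 is still allowed on the instance; with `HttpTokens=required` it returns 401, and unauthenticated GETs to 169.254.169.254 are exactly what SSRF bugs in applications on the instance get abused for, so hardened fleets disable them. The functions below fetch a session token with a PUT first and then attach it to the GET. They also read the role name from the `iam/security-credentials/` listing rather than from `iam/info`: the latter names the instance profile, which usually matches the role name because the console creates both together but is a separate object that hand-built or IaC-created profiles can name differently. `IMDS` is an assumption added so the functions can be pointed at a stub; the JSON and token in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the answer above. Reads the role name from the
# instance metadata service with IMDSv2 session tokens.
set -eu

# Metadata endpoint; overridable (assumption added for testing/stubbing).
IMDS="${IMDS:-http://169.254.169.254}"

# imds_token
# PUT for a short-lived session token. The PUT with a custom header is what
# a typical SSRF cannot reproduce; a bare GET without it fails once the
# instance is set to HttpTokens=required.
imds_token() {
    curl -sf -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# imds_get PATH
# GET a path under /latest/meta-data/ with the token attached.
imds_get() {
    tok="$(imds_token)" || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $tok" "$IMDS/latest/meta-data/$1"
}

# instance_role_name
# The directory listing under iam/security-credentials/ is the role name
# itself (the credentials live one level below it, at .../<role-name>).
instance_role_name() {
    imds_get iam/security-credentials/
}

# profile_name_from_info_json
# Reads an iam/info document on stdin and prints the instance-profile name
# from InstanceProfileArn, without depending on jq. Note this is the
# *profile* name, which need not equal the role name.
profile_name_from_info_json() {
    sed -n 's|.*"InstanceProfileArn" *: *"[^"]*instance-profile/\([^"]*\)".*|\1|p'
}

# instance_profile_name
# iam/info, as in the answer above, but fetched with a v2 token.
instance_profile_name() {
    imds_get iam/info | profile_name_from_info_json
}
```

Source the file and compare `instance_role_name` with `instance_profile_name`; a mismatch is normal for profiles not created by the console. To turn off the unauthenticated v1 path on an instance, use `aws ec2 modify-instance-metadata-options --instance-id "$instance_id" --http-tokens required`, after confirming that everything on the box that reads metadata already speaks v2.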

Matt Houser

Reputation: 36073

Unfortunately, there is not a simple way to get that information. You'll need to get there through the following path:

Step 1. Get the current EC2 instance ID from the instance metadata.

curl -s http://169.254.169.254/latest/meta-data/instance-id

You may need the current region as well.

curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/\(.*\)[a-z]/\1/'

Step 2. Get the ID of the IAM Instance Profile attached to your EC2 instance.

aws ec2 describe-instances \
    --region us-east-1 \
    --instance-id i-12345678 \
    --query 'Reservations[0].Instances[0].IamInstanceProfile.Id'

Remember to substitute the EC2 instance ID and region as required.

Step 3. Get the IAM instance profile roles.

aws iam list-instance-profiles \
    --query "InstanceProfiles[?InstanceProfileId=='ABCDEFG'].Roles"

Remember to substitute the IAM instance profile ID.

Notes:

  • An IAM instance profile may have more than one IAM role associated with it. Usually it will be only one, but it could have more.

Upvotes: 14
