Reputation: 396
Is there a way to get the trust relationship policy document using boto3? I am trying to audit the roles that allow third party access to my AWS environment.
I have been scouring the boto3 APIs to find an applicable function call, and have tried iam.client.get_role_policy as well as iam.client.get_account_authorization_details.
However, I can't quite determine what parameters to pass based on the policy information I need for a particular role, so I'm not sure those functions will return the information I'm seeking.
Essentially, for each IAM role in my account, I am trying to find the following information:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::{acctID}:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "{externalID}"
                    }
                }
            }
        ]
    }
I figure that if "sts:ExternalId": "{externalID}" is a part of the trust relationship, then the policy gives 3rd party access.
If there is a better way of doing this, I would love to know. I don't have much experience with IAM Roles/Policies.
Upvotes: 2
Views: 1140