Reputation: 7546
My application generates this error message:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
How can I see more information about which roles or permissions are attached to this assumed role?
I have tried querying for this with the AWS CLI using aws iam get-user / list-users / get-role / list-roles,
but neither exists. I looked at querying under STS but couldn't see an appropriate option.
I couldn't find this role in the AWS console.
Upvotes: 3
Views: 2653
Reputation: 1343
How can I see more information about which roles or permissions are attached to this assumed role?
You can access this information in a number of ways. If you know the name of the role you can use the IAM service; here is a boto3 example:
import boto3

iam = boto3.resource('iam')
# Look the role up by name (IAM addresses roles by name, not by ARN)
role = iam.Role('AWSServiceRoleForRDS')
# Iterate over the managed policies attached to the role
for pol in role.attached_policies.iterator():
    print(pol)
For me this gives:
iam.Policy(arn='arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy')
That is the sole policy I have attached to this role. Obviously, you'll need to substitute the role name you are interested in here in place of 'AWSServiceRoleForRDS'.
In general this will print out all the policies attached to the role (to stdout).
In order to make this query you need to be authenticated as a user or role that has permissions to access the IAM role (or user).
Update: How to find the name of the role from an ARN?
Following the AWS docs for IAM identifiers, you can identify the role name from the ARN; for STS assumed roles they follow this format:
arn:aws:sts::account:assumed-role/role-name/role-session-name
Based on what was posted:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
it looks like my-service-role is the name of the assumed role.
Upvotes: 1
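Putting the two halves of the answer together, as an added example that is not part of the original question or answer: recover the role name (and the denied action) from the error message, pull the role's trust policy, attached managed policies with their current documents, and inline policies, then do a first-pass scan of which statements mention the denied action. It assumes boto3 and credentials allowed to call iam:GetRole, iam:ListAttachedRolePolicies, iam:GetPolicy, iam:GetPolicyVersion, iam:ListRolePolicies and iam:GetRolePolicy; the sample error text is the one quoted in the question, and the function names are mine.

```python
"""Triage an STS "is not authorized" error end to end.

Added example, not code from the original question or answer. Assumes boto3
and credentials allowed to call iam:GetRole, iam:ListAttachedRolePolicies,
iam:GetPolicy, iam:GetPolicyVersion, iam:ListRolePolicies and
iam:GetRolePolicy. The parsing and policy-scanning helpers need neither.
"""
import fnmatch
import json
import re

# Constructed sample input: the message quoted in the question.
SAMPLE_ERROR = ("arn:aws:sts::123456789012:assumed-role/my-service-role/"
                "aws-sdk-1111111111111 is not authorized to perform: "
                "secretsmanager:GetSecretValue")

# arn:<partition>:sts::<account>:assumed-role/<role-name>/<role-session-name>
_ASSUMED_ROLE = re.compile(
    r"arn:(?P<partition>aws[a-z-]*):sts::(?P<account>\d{12}):"
    r"assumed-role/(?P<role_name>[^/\s]+)/(?P<session_name>[^/\s]+)")
_DENIED_ACTION = re.compile(r"is not authorized to perform: (?P<action>[\w*-]+:[\w*]+)")


def parse_access_denied(message):
    """Return partition, account, role_name, session_name and the denied action.

    The STS ARN carries the role *name* but not its IAM path, so the IAM role
    ARN derived here is path-less; get_role() looks roles up by name anyway and
    its response carries the authoritative ARN.
    """
    m = _ASSUMED_ROLE.search(message)
    if not m:
        raise ValueError("no assumed-role ARN in message")
    info = m.groupdict()
    info["role_arn"] = "arn:{partition}:iam::{account}:role/{role_name}".format(**info)
    a = _DENIED_ACTION.search(message)
    info["action"] = a.group("action") if a else None
    return info


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_decision(policy_docs, action):
    """First-pass scan: 'Deny', 'Allow' or 'ImplicitDeny' for `action`.

    Only Effect and Action/NotAction are evaluated; Resource and Condition are
    ignored, so 'Allow' means "read that statement", not "IAM would allow it".
    Action names match case-insensitively with IAM's * and ? wildcards.
    """
    action = action.lower()
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Action" in stmt:
                hit = any(fnmatch.fnmatchcase(action, a.lower()) for a in _as_list(stmt["Action"]))
            elif "NotAction" in stmt:
                hit = not any(fnmatch.fnmatchcase(action, a.lower()) for a in _as_list(stmt["NotAction"]))
            else:
                continue
            if hit and stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny anywhere wins
            if hit and stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def describe_role_policies(role_name, iam=None):
    """Fetch the trust policy, attached managed policies and inline policies."""
    import boto3  # imported here so the offline helpers above work without boto3
    iam = iam or boto3.client("iam")
    role = iam.get_role(RoleName=role_name)["Role"]
    out = {"arn": role["Arn"], "trust_policy": role["AssumeRolePolicyDocument"],
           "managed": {}, "inline": {}}
    # Managed policies: list_attached_role_policies gives only ARNs, so fetch
    # each policy's default version to see the actual statements.
    for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
        for att in page["AttachedPolicies"]:
            pol = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]
            ver = iam.get_policy_version(PolicyArn=att["PolicyArn"],
                                         VersionId=pol["DefaultVersionId"])
            out["managed"][att["PolicyArn"]] = ver["PolicyVersion"]["Document"]
    # Inline policies live on the role itself and are not in attached_policies.
    for page in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
        for name in page["PolicyNames"]:
            out["inline"][name] = iam.get_role_policy(
                RoleName=role_name, PolicyName=name)["PolicyDocument"]
    return out


if __name__ == "__main__":
    info = parse_access_denied(SAMPLE_ERROR)
    print("role:", info["role_name"], "session:", info["session_name"])
    details = describe_role_policies(info["role_name"])
    print(json.dumps(details, indent=2, default=str))
    docs = list(details["managed"].values()) + list(details["inline"].values())
    print(info["action"], "->", action_decision(docs, info["action"]))
```

The scan deliberately stops at Effect and Action: a real IAM decision also depends on Resource, Condition, permissions boundaries, SCPs and the secret's own resource policy, so treat "ImplicitDeny" as "no attached policy even names this action" and "Allow" as "here is the statement to read next", not as a verdict.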