Find role being used on server from AWS CLI

Question

I'm on an EC2 instance that has an IAM role attached to it, and would like to be able to verify that I am indeed using this role from the AWS CLI.

I'm imagining being able to call something like this (but can't find anything like it in the CLI docs):

$ aws get-current-role-details 

Does this functionality exist?

Answer 1

Use the AWS STS command get-caller-identity.

Returns details about the IAM identity whose credentials are used to call the API.

$ aws sts get-caller-identity {     "UserId": "AIDAxxx",     "Account": "xxx",     "Arn": "arn:aws:iam::xxx:user/Tyrone321" } 

You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam-list-attached-role-policies for attached managed policies (thanks to @Dimitry K for the callout).

$ aws iam list-attached-role-policies --role-name Tyrone321 {   "AttachedPolicies": [   {     "PolicyName": "SomePolicy",     "PolicyArn": "arn:aws:iam::aws:policy/xxx"   },   {     "PolicyName": "AnotherPolicy",     "PolicyArn": "arn:aws:iam::aws:policy/xxx"   } ] } 

To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements. If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy. See the AWS IAM CLI reference for more information.