Given an AWS Access / Secret Key Pair, how do I retrieve its IAM permissions?

Given the input of just an AWS Access Key and an AWS Secret Key, how can I use the AWS SDK to look up what permissions the account has?

I want to do XYZ for a customer, so the customer needs to give the access key and secret key to me to perform XYZ programmatically. However, before trying to do any of those actions, I'd like to verify that the credentials they gave me have access to certain privileges, such as being able to create S3 objects or being able to launch an EC2 instance.

That way, I can validate whether the access key and secret key have permission to do something before I do it on their behalf.

Big Data Brian Avatar asked Feb 22 '17 20:02



2 Answers

You can use the SimulatePrincipalPolicy API to simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.

The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to.

You'll need to provide the "SimulatePrincipalPolicy" API with that user's ARN as the PolicySourceArn input parameter (no need to use the optional CallerArn input parameter). If you have the access key ID and secret access key, you can retrieve the user's ARN by calling the GetUser API using that user's credentials, i.e., without specifying the UserName input parameter. If no user name is included, the GetUser API defaults to the user making the request.

Khalid T. Avatar answered Sep 30 '22 06:09


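The GetUser then SimulatePrincipalPolicy flow from this answer, written out in Python with boto3. This is an added example for the thread, not code posted by the answer author. It assumes boto3 is installed, that the customer's key pair is reachable through boto3's normal credential chain (environment variables or a profile), and that the action/resource pairs in CHECKS are placeholders for whatever XYZ needs. It also adds one thing the answer does not cover: GetUser without a UserName only works for IAM user keys, so the example falls back to STS GetCallerIdentity for role credentials and rewrites an assumed-role ARN into the role ARN the simulator expects.

```python
"""Find out what an AWS access key / secret key pair may do, following the
GetUser -> SimulatePrincipalPolicy approach from the answer above.

Added example for this thread, not code posted by the answer author.
Assumptions (not in the thread): boto3 is installed, the customer's key pair is
reachable through boto3's normal credential chain, and CHECKS holds placeholder
action/resource pairs standing in for whatever "XYZ" needs.
"""
import re

# Constructed placeholders: the two capabilities the question mentions.
CHECKS = [
    ("s3:PutObject", "arn:aws:s3:::customer-bucket/*"),   # assumed bucket name
    ("ec2:RunInstances", "*"),
]

_ASSUMED_ROLE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/.+$"
)


def principal_arn_for_simulation(caller_arn):
    """Map a caller ARN to the PolicySourceArn SimulatePrincipalPolicy expects.

    An IAM user ARN (what GetUser returns) is usable as-is. Temporary
    credentials from an assumed role identify themselves as
    arn:<partition>:sts::<account>:assumed-role/<Role>/<session>; the simulator
    needs the underlying IAM role ARN, so rewrite that form.
    """
    m = _ASSUMED_ROLE.match(caller_arn)
    if not m:
        return caller_arn
    return "arn:{partition}:iam::{account}:role/{role}".format(**m.groupdict())


def summarize(evaluation_results):
    """Reduce a SimulatePrincipalPolicy EvaluationResults list to
    {(action, resource): allowed?}.

    EvalDecision is 'allowed', 'explicitDeny' or 'implicitDeny'; anything other
    than 'allowed' is treated as denied.
    """
    return {
        (r["EvalActionName"], r.get("EvalResourceName", "*")): r["EvalDecision"] == "allowed"
        for r in evaluation_results
    }


def caller_arn(session):
    """ARN of the principal behind the session's credentials.

    The answer's trick (GetUser with no UserName) works for IAM user keys. For
    role credentials IAM rejects that call, so fall back to STS
    GetCallerIdentity, which needs no IAM permission (fallback added here).
    """
    from botocore.exceptions import ClientError

    try:
        return session.client("iam").get_user()["User"]["Arn"]
    except ClientError:
        return session.client("sts").get_caller_identity()["Arn"]


def check_permissions(session, checks=CHECKS):
    """Simulate each (action, resource) pair for the caller; returns summarize()'d results."""
    iam = session.client("iam")
    source_arn = principal_arn_for_simulation(caller_arn(session))
    paginator = iam.get_paginator("simulate_principal_policy")
    results = []
    for action, resource in checks:
        for page in paginator.paginate(PolicySourceArn=source_arn,
                                       ActionNames=[action],
                                       ResourceArns=[resource]):
            results.extend(page["EvaluationResults"])
    return summarize(results)


if __name__ == "__main__":
    import boto3

    for (action, resource), allowed in check_permissions(boto3.Session()).items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {action} on {resource}")
```

Two things to keep in mind when running it against a customer's key: the key itself needs iam:SimulatePrincipalPolicy (and iam:GetUser, unless the STS fallback kicks in), otherwise the probe fails with AccessDenied before it learns anything; and the simulation evaluates the identity-based policies the answer describes, so a bucket policy on the customer's bucket is not taken into account unless you pass it in through the ResourcePolicy parameter.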

I would suggest using the AWS CLI for the purpose and making use of the --dry-run flag for the CLI commands. I am unsure of how many AWS CLI operations support the --dry-run option, not to mention the tag-level / resource-level restrictions.

The --dry-run flag would try to check if you have permission to run the API or not without actually performing the request.


I also see the difficulty of testing (regression), as AWS has 60+ services and EC2 alone has 227 API commands [as of today]. Perhaps this might be the place where you would use your sed, awk and grep to build a shell script [and publish it on GitHub].

SDKs do support this as well - it might be easier than the CLI approach

Naveen Vijay Avatar answered Sep 30 '22 07:09

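The SDK form of the --dry-run probe this answer suggests, as an added example for the thread rather than code from the answer author. It assumes boto3 is installed and the customer's key pair is in boto3's credential chain; the AMI id in the demo call is a placeholder. The --dry-run flag on the CLI just sets the DryRun input parameter of the underlying API, and the useful part is interpreting the result: EC2 reports a dry run as an error in both outcomes, so the code distinguishes the "permitted" error from the "denied" one. It also answers the answer's open question of which operations support the flag by reading the service model that ships with botocore, without touching the network.

```python
"""Probe permissions with the DryRun parameter, the SDK form of the CLI
--dry-run flag suggested in the answer above.

Added example for this thread, not code from the answer author. Assumes boto3
is installed and the customer's key pair is in boto3's credential chain; the
AMI id in the demo call is a placeholder.
"""


def dry_run_allowed(operation, **params):
    """Call an EC2 client method with DryRun=True and say whether the real
    call would have been authorized.

    EC2 answers a dry run with an error either way: error code
    'DryRunOperation' means "permitted, nothing was done";
    'UnauthorizedOperation' means the caller lacks the permission. Any other
    error (bad parameters, throttling, wrong region) is re-raised because it
    says nothing about permissions. Only a botocore-style .response dict is
    inspected, so the function can be exercised with a stand-in exception.
    """
    try:
        operation(DryRun=True, **params)
    except Exception as exc:
        response = getattr(exc, "response", None)
        code = response.get("Error", {}).get("Code") if isinstance(response, dict) else None
        if code == "DryRunOperation":
            return True
        if code == "UnauthorizedOperation":
            return False
        raise
    # A dry run never returns normally; if it does, the call was evidently permitted.
    return True


def supports_dry_run(client, api_operation):
    """True if the API operation (PascalCase, e.g. 'RunInstances') takes a
    DryRun input, read from the service model botocore ships, so it works offline."""
    shape = client.meta.service_model.operation_model(api_operation).input_shape
    return shape is not None and "DryRun" in shape.members


def dry_run_operations(client):
    """All operations of a client's service that accept DryRun; for S3 or IAM
    this is empty, which is where the simulator from the other answer is needed."""
    return sorted(op for op in client.meta.service_model.operation_names
                  if supports_dry_run(client, op))


if __name__ == "__main__":
    import boto3

    ec2 = boto3.client("ec2")
    print(f"{len(dry_run_operations(ec2))} EC2 operations accept DryRun")
    allowed = dry_run_allowed(
        ec2.run_instances,
        ImageId="ami-00000000",  # placeholder; use a real AMI id for your region
        InstanceType="t3.micro", MinCount=1, MaxCount=1,
    )
    print("ec2:RunInstances:", "allowed" if allowed else "denied")
```

Because a dry run goes through the same authorization decision as the real call, it honours whatever resource- and tag-level conditions apply to that exact request, which is its advantage over the policy simulator. The trade-off is coverage: DryRun is an EC2-style input parameter, and services such as S3 and IAM do not offer it at all, so `dry_run_operations` on an S3 client comes back empty and those checks have to go through SimulatePrincipalPolicy. Dry runs are still API calls and count toward EC2 request limits.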