Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Given an AWS Access / Secret Key Pair, how do I retrieve its IAM permissions?

Tags:

amazon-web-services

amazon-iam

aws-sdk

Given the input of just an AWS Access Key and an AWS Secret Key, how can I use the AWS SDK to lookup what kind of permissions that the account can do?

I want do XYZ for a customer so the customer needs to give the access key and secret key to me to perform XYZ programmatically. However, before trying to do any of those actions, I'd like to verify that the credentials they gave me have access to certain privileges, such as being able to create S3 objects or being able to launch an EC2 instance.

That way, I can validate if the access key and secret key has permission to do something before I do it on their behalf.

like image 612
Big Data Brian Avatar asked Feb 22 '17 20:02

Big Data Brian

2 Answers

You can use the SimulatePrincipalPolicy API to simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.

The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to.

You'll need to provide the "SimulatePrincipalPolicy" API with that user's ARN as the PolicySourceArn input parameter (no need to use the optional CallerArn input parameter). If you have the access key ID and secret access key, you can retrieve the user's ARN by calling the GetUser API using that user credentials, i.e., without specifying the UserName input parameter. If no user name is included, the GetUser API defaults to the user making the request.

like image 80
Khalid T. Avatar answered Sep 30 '22 06:09

Khalid T.

I would suggest using the AWS CLI for the purpose and making use of the --dry-run flag for the CLI commands. I am unsure of how many AWS CLI operations support the --dry-run operation not to mention the Tag level / Resource level restrictions.

The --dry-run flag would try to check if you have permission to run the API or not without actually performing the request.

enter image description here

enter image description here

I also see the difficulty of testing (regression) as AWS has 60+ services and EC2 alone has 227 API commands [as of today]. Perhaps this might be the place where you would use your sed, awk, grep to build a shell script [and publish it in GITHUB]

SDKs do support this as well - it might be easier than the CLI approach

like image 43
Naveen Vijay Avatar answered Sep 30 '22 07:09

Naveen Vijay
Sign in to Comment

Related questions

Amazon EMR and Spark streaming
Updating aws lambda layer dependencies
API Gateway Lambda CORS handler. Getting Origin securely
Exposing a K8s TCP Service Endpoint to the Public Internet Without a Load Balancer
AWS Lambda using Winston logging loses Request ID
What should I use as Cognito's UserContextData => EncodedData?
How to deploy a static website to AWS S3 using nextjs
AWS SAM - Enforcing Request Validation in API Gateway Method by SAM Template
Authorize AWS API Gateway with either API Key or Authorizer
How do I update multiple EC2 instances that are load-balanced? [closed]
C# MailMessage to stream - encoding issue
Heroku-like deployment and environment configuration via EC2
AWS cloud formation delete failed
Conecting AWS Lambda to Redshift - Times out after 60 seconds
Amazon AWS Cognito and Python Boto3 to establish AWS connection and upload file to Bucket
Testing application locally that uses IAM Role
DynamoDB The security token included in the request is invalid UnrecognizedClientException
Amazon Cognito set identityId using developer authentication Obj C
Checking size of SQS message batches
Can/will AWS API Gateway -> Lambda performance be improved?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!