How to list users and its permissions with AWS CLI?

Question

I run this command: aws iam list-users, and I get a list of users but not permissions (meaning if someone is root, or s3fullaccess and so for) are listed.

I run this other command: aws iam list-user-policies --user-name xxxxx, and I get this result below empty:

{
    "PolicyNames": []
}

Which command or what combination of commands I need to display all users plus their respective permissions?, thanks.

Answer 1

That command only lists the user's inline policies, you would also need to get the list of managed policies attached to the IAM user. Then you would also need to get the list of groups a user belongs to, and list the inline policies and managed policies attached to each of the groups.

So from the CLI you would need to do the following:

aws iam list-user-policies
aws iam list-attached-user-policies
aws iam list-groups-for-user

# For each group:
aws iam list-group-policies
aws iam list-attached-group-policies

I highly recommend doing something like this in Python and Boto3, instead of using the AWS CLI tool.

Answer 2

Inspired by this post, I wrote this to capture a user's permissions, prior to purging them, in case they need to be restored later:

function _getUserIamPermissions() {
    export AWS_PAGER="";
    local _user="${1}";
    
    local outputManagedPolicies="";
    local outputUserPolicies="";
    local outputManagedGroupPolicies="";
    local outputGroupPolicies="";

    # Managed Policies Attached to the IAM User
    local _managedpolicies=$(aws iam list-attached-user-policies --user-name "${_user}" | jq -r '.AttachedPolicies[].PolicyArn';);
    for policy in ${_managedpolicies}; do
        local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
        outputManagedPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}";);
        printf "%s" "${outputManagedPolicies}";
    done;

    # Inline Policies on the IAM User
    local _userpolicies=$(aws iam list-user-policies --user-name "${_user}" | jq -r '.PolicyNames[]';);
    for policy in ${_userpolicies}; do
        outputUserPolicies=$(aws iam get-user-policy --user-name "${_user}" --policy-name "${policy}";);
        printf "%s" "${outputUserPolicies}";
    done;

    # Get all of the IAM User's assigned IAM Groups
    local _groups=$(aws iam list-groups-for-user --user-name "${_user}" | jq -r '.Groups[].GroupName';);
    for group in ${_groups}; do
        # Managed Policies Attached to the IAM Group
        local _managedgrouppolicies=$(aws iam list-attached-group-policies --group-name "${group}" | jq -r '.AttachedPolicies[].PolicyArn';);
        for policy in ${_managedgrouppolicies}; do
            local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
            outputManagedGroupPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}" | jq --arg arn "${policy}" '{"PolicyArn": $arn, "Policy": .}';);
            printf "%s" "${outputManagedGroupPolicies}";
        done;

        # Inline Policies on the IAM Group
        local _grouppolicies=$(aws iam list-group-policies --group-name "${group}" | jq -r '.PolicyNames[]';);
        for policy in ${_grouppolicies}; do
            outputGroupPolicies=$(aws iam get-group-policy --group-name "${group}" --policy-name "${policy}";);
            printf "%s" "${outputGroupPolicies}";
        done;
    done;
}

function getUserIamPermissions() {
    local username="${1}";
    _getUserIamPermissions "${username}" | jq -s;
}

Updated based on information found here: # https://www.badllama.com/content/using-aws-cli-check-user-permissions

Usage: The fastest way to use it and the way I used it, was through AWS CloudShell. I opened the CloudShell terminal, pasted that in and then I'd run:

getUserIamPermissions <username>

The output is a JSON array containing all of a user's:

1. Managed Policies attached to the IAM User
2. Inline Policies on the IAM User
3. Managed Policies attached to the user's IAM Groups
4. Inline Policies on the user's IAM Groups

Answer 3

First, you get list of Policies (as mentioned in anser by @Mark-b)
Next you get versions of each policy:

aws iam list-policy-versions --policy-arn

For specific version, you query PolicyDocument

aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --version-id vX

You will get JSON formated PolicyDocument with IAM policy statements