How to list users and its permissions with AWS CLI?

I run this command: aws iam list-users, and I get a list of users, but their permissions (meaning whether someone is root, has s3fullaccess and so on) are not listed.

I run this other command: aws iam list-user-policies --user-name xxxxx, and I get this empty result below:

{
    "PolicyNames": []
}

Which command, or what combination of commands, do I need to display all users plus their respective permissions? Thanks.

farp332 asked Mar 22 '20 13:03

3 Answers

That command only lists the user's inline policies; you would also need to get the list of managed policies attached to the IAM user. Then you would also need to get the list of groups a user belongs to, and list the inline policies and managed policies attached to each of the groups.

So from the CLI you would need to do the following:

aws iam list-user-policies --user-name <username>
aws iam list-attached-user-policies --user-name <username>
aws iam list-groups-for-user --user-name <username>

# For each group returned by list-groups-for-user:
aws iam list-group-policies --group-name <groupname>
aws iam list-attached-group-policies --group-name <groupname>

I highly recommend doing something like this in Python and Boto3, instead of using the AWS CLI tool.

Mark B answered Oct 23 '22 22:10
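The Python/Boto3 approach this answer recommends, as an added example that is not part of the answer: it walks all four policy sources for every user in the account (the question asked for all users, not one) and follows IsTruncated/Marker pagination, which a naive script skips. FakeIam and its users, groups and policy names are constructed sample data so the script runs offline; for a real account pass boto3.client("iam") to collect_permissions instead.

```python
"""Enumerate each IAM user's policy sources: inline and managed policies on the user, and on each of the user's groups."""

def _paginate(call, key, **kwargs):
    """Follow IsTruncated/Marker so long listings are not silently cut short."""
    params = dict(kwargs)
    while True:
        page = call(**params)
        yield from page[key]
        if not page.get("IsTruncated"):
            return
        params["Marker"] = page["Marker"]

def collect_permissions(iam):
    """Return {user: {"inline": [...], "managed": [...], "groups": {...}}}."""
    report = {}
    for user in _paginate(iam.list_users, "Users"):
        name = user["UserName"]
        entry = {
            "inline": list(_paginate(iam.list_user_policies, "PolicyNames", UserName=name)),
            "managed": [p["PolicyArn"] for p in _paginate(
                iam.list_attached_user_policies, "AttachedPolicies", UserName=name)],
            "groups": {},
        }
        for group in _paginate(iam.list_groups_for_user, "Groups", UserName=name):
            gname = group["GroupName"]
            entry["groups"][gname] = {
                "inline": list(_paginate(iam.list_group_policies, "PolicyNames", GroupName=gname)),
                "managed": [p["PolicyArn"] for p in _paginate(
                    iam.list_attached_group_policies, "AttachedPolicies", GroupName=gname)],
            }
        report[name] = entry
    return report

class FakeIam:
    """Constructed stand-in for boto3's IAM client; every value below is invented sample data."""
    def list_users(self, Marker=None):  # two pages, to exercise the pagination path
        if Marker is None:
            return {"Users": [{"UserName": "alice"}], "IsTruncated": True, "Marker": "page2"}
        return {"Users": [{"UserName": "bob"}], "IsTruncated": False}
    def list_user_policies(self, UserName):
        return {"PolicyNames": ["S3BucketAccess"] if UserName == "alice" else []}
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": []}
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": "Admins"}] if UserName == "bob" else []}
    def list_group_policies(self, GroupName):
        return {"PolicyNames": []}
    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}
```

A real run needs only the iam:List* permissions, which the AWS-managed ReadOnlyAccess policy already grants.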


Inspired by this post, I wrote this to capture a user's permissions, prior to purging them, in case they need to be restored later:

function _getUserIamPermissions() {
    export AWS_PAGER="";
    local _user="${1}";
    
    local outputManagedPolicies="";
    local outputUserPolicies="";
    local outputManagedGroupPolicies="";
    local outputGroupPolicies="";

    # Managed Policies Attached to the IAM User
    local _managedpolicies=$(aws iam list-attached-user-policies --user-name "${_user}" | jq -r '.AttachedPolicies[].PolicyArn';);
    for policy in ${_managedpolicies}; do
        local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
        outputManagedPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}";);
        printf "%s" "${outputManagedPolicies}";
    done;

    # Inline Policies on the IAM User
    local _userpolicies=$(aws iam list-user-policies --user-name "${_user}" | jq -r '.PolicyNames[]';);
    for policy in ${_userpolicies}; do
        outputUserPolicies=$(aws iam get-user-policy --user-name "${_user}" --policy-name "${policy}";);
        printf "%s" "${outputUserPolicies}";
    done;

    # Get all of the IAM User's assigned IAM Groups
    local _groups=$(aws iam list-groups-for-user --user-name "${_user}" | jq -r '.Groups[].GroupName';);
    for group in ${_groups}; do
        # Managed Policies Attached to the IAM Group
        local _managedgrouppolicies=$(aws iam list-attached-group-policies --group-name "${group}" | jq -r '.AttachedPolicies[].PolicyArn';);
        for policy in ${_managedgrouppolicies}; do
            local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
            outputManagedGroupPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}" | jq --arg arn "${policy}" '{"PolicyArn": $arn, "Policy": .}';);
            printf "%s" "${outputManagedGroupPolicies}";
        done;

        # Inline Policies on the IAM Group
        local _grouppolicies=$(aws iam list-group-policies --group-name "${group}" | jq -r '.PolicyNames[]';);
        for policy in ${_grouppolicies}; do
            outputGroupPolicies=$(aws iam get-group-policy --group-name "${group}" --policy-name "${policy}";);
            printf "%s" "${outputGroupPolicies}";
        done;
    done;
}

function getUserIamPermissions() {
    local username="${1}";
    _getUserIamPermissions "${username}" | jq -s;
}

Updated based on information found here: https://www.badllama.com/content/using-aws-cli-check-user-permissions

Usage: The fastest way to use it, and the way I used it, was through AWS CloudShell. I opened the CloudShell terminal, pasted that in and then ran:

getUserIamPermissions <username>

The output is a JSON array containing all of a user's:

  1. Managed Policies attached to the IAM User
  2. Inline Policies on the IAM User
  3. Managed Policies attached to the user's IAM Groups
  4. Inline Policies on the user's IAM Groups

Dan DuLeone answered Oct 24 '22 00:10


First, you get the list of policies (as mentioned in the answer by @Mark-b).
Next, you get the versions of each policy:

aws iam list-policy-versions --policy-arn <policy-arn>

For a specific version, you query the PolicyDocument:

aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --version-id vX

You will get a JSON-formatted PolicyDocument with the IAM policy statements.

zdenko.s answered Oct 24 '22 00:10
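The two-step lookup this answer describes (get-policy for the DefaultVersionId, then get-policy-version for that version's document), carried through in Python with the boto3 call names, plus the check a reviewer usually runs on the returned document: which statements grant Allow on Action "*" to Resource "*", i.e. AdministratorAccess-equivalent. This is an added example, not part of the answer; FakeIam and its two policy documents are constructed sample data (the second one uses a single Statement object rather than a list, which real policies are allowed to do), and a real run would pass boto3.client("iam"), which returns Document already decoded as a dict.

```python
"""Resolve a managed policy ARN to its default-version document and flag full-access statements."""

ADMIN_ACTIONS = {"*", "*:*"}  # either spelling grants every action

def fetch_policy_document(iam, policy_arn):
    """get-policy gives the DefaultVersionId; get-policy-version gives that version's Document."""
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    version = iam.get_policy_version(PolicyArn=policy_arn, VersionId=version_id)
    return version["PolicyVersion"]["Document"]

def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def admin_statements(document):
    """Return the Allow statements that cover every action on every resource."""
    found = []
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & ADMIN_ACTIONS and "*" in resources:
            found.append(stmt)
    return found

class FakeIam:
    """Constructed stand-in for the two boto3 IAM calls used above; ARNs and documents are sample data."""
    _docs = {
        "arn:aws:iam::123456789012:policy/MyPolicy": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "arn:aws:iam::123456789012:policy/ReadBucket": {"Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                          "Resource": "arn:aws:s3:::example-bucket/*"}},
    }
    def get_policy(self, PolicyArn):
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": "v3"}}
    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": self._docs[PolicyArn]}}
```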