
Need to make an identical copy of AWS IAM role (including policies and trust relationship it has)

I have an IAM role (with many policies and a trust relationship in it). I used this in building an AWS Cognito User Pool. However, this IAM role will be deleted soon.

Making a copy manually will be a chore and also not repeatable. I would like to make a copy either via CLI or script or some other repeatable way.

So far, I have searched through stackoverflow and google, but failed to find anything relevant.

Any help is appreciated.

Mamun asked Apr 15 '20 05:04



3 Answers

It looks like you will need to use:

  • list_role_policies() to obtain the names of inline policies attached to the role
  • get_role_policy() to retrieve inline policies
  • list_attached_role_policies() to list managed policies that are attached to the role

Then create a new role and use:

  • put_role_policy() to attach an inline policy
  • attach_role_policy() to attach a managed policy

Trust Relationship also has to be copied.

John Rotenstein answered Nov 15 '22 03:11


Thanks to @JohnRotenstein for pointing in the right direction. I came up with a Node.js script to automate the IAM role copy procedure.

Steps it performs along with AWS SDK APIs used:

  1. Fetch the source role along with its trust relationship policy: getRole()
  2. Fetch inline policies of the source role: listRolePolicies(), getRolePolicy()
  3. Fetch managed policies of the source role (both AWS- and customer-created): listAttachedRolePolicies()
  4. Create a new role copying over all relevant properties (including trust policy): createRole()
  5. Add all inline policies found in the source role to the new role: putRolePolicy()
  6. Attach all managed policies from the source role: attachRolePolicy()

The process is quite straightforward... The only interesting detail is that steps 2 and 3 require a recursive fetch to accommodate the fact that the policies response can be paginated.

How to make a copy of AWS IAM role.

Max Ivanov answered Nov 15 '22 03:11
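The six-step procedure above (and the boto3 method names in the first answer) as a worked example in Python. This is added here and is not the code of either answerer; `copy_role()` is written against the boto3 IAM client method names and response shapes (`get_role`, `list_role_policies`, `get_role_policy`, `list_attached_role_policies`, `create_role`, `put_role_policy`, `attach_role_policy`) and handles the `Marker`/`IsTruncated` pagination the answer mentions. `FakeIAM` is a constructed in-memory stand-in, not boto3, so the script runs offline; the sample Cognito-style trust policy and policy names are made up. Two things the copy deliberately carries over because dropping them would change the role's security posture: the permissions boundary, and the `MaxSessionDuration`. Two things it cannot preserve: the new role gets a new ARN and RoleId, so the Cognito User Pool (and any resource policy or `aws:userid` condition that names the old role) must be repointed; and customer-managed policy ARNs are account-specific, so copying into another account would need `create_policy` for each of them.

```python
"""Copy an IAM role: trust policy, inline policies, attached managed policies.

Against real AWS:  copy_role(boto3.client("iam"), "old-role", "new-role")
FakeIAM is a constructed stand-in (not boto3) so this runs offline and exercises paging.
"""
import json


def _paginate(call, key, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination; return every item under `key`."""
    items, marker = [], None
    while True:
        resp = call(**kwargs, **({"Marker": marker} if marker else {}))
        items.extend(resp[key])
        if not resp.get("IsTruncated"):
            return items
        marker = resp["Marker"]


def copy_role(iam, src_name, dst_name):
    """Create dst_name as a copy of src_name; return new ARN and policy counts."""
    src = iam.get_role(RoleName=src_name)["Role"]
    # Step 1/4: trust relationship. boto3 returns it as a dict; CreateRole wants a JSON string.
    create_kwargs = {
        "RoleName": dst_name,
        "AssumeRolePolicyDocument": json.dumps(src["AssumeRolePolicyDocument"]),
        "Path": src.get("Path", "/"),
        "MaxSessionDuration": src.get("MaxSessionDuration", 3600),
    }
    if "PermissionsBoundary" in src:  # keep the boundary; omitting it would widen the copy
        create_kwargs["PermissionsBoundary"] = src["PermissionsBoundary"]["PermissionsBoundaryArn"]
    new_arn = iam.create_role(**create_kwargs)["Role"]["Arn"]
    # Step 2/5: inline policies (paginated name list, then one GetRolePolicy per name).
    inline_names = _paginate(iam.list_role_policies, "PolicyNames", RoleName=src_name)
    for name in inline_names:
        doc = iam.get_role_policy(RoleName=src_name, PolicyName=name)["PolicyDocument"]
        iam.put_role_policy(RoleName=dst_name, PolicyName=name, PolicyDocument=json.dumps(doc))
    # Step 3/6: managed policies, AWS- or customer-managed alike, attached by ARN.
    attached = _paginate(iam.list_attached_role_policies, "AttachedPolicies", RoleName=src_name)
    for pol in attached:
        iam.attach_role_policy(RoleName=dst_name, PolicyArn=pol["PolicyArn"])
    return {"Arn": new_arn, "inline": len(inline_names), "managed": len(attached)}


class FakeIAM:
    """Constructed stand-in mimicking boto3 IAM response shapes; page size 2 forces paging."""
    PAGE = 2

    def __init__(self):
        self.roles, self.inline, self.attached = {}, {}, {}

    def _page(self, seq, key, marker):
        start = int(marker or 0)
        resp = {key: seq[start:start + self.PAGE], "IsTruncated": start + self.PAGE < len(seq)}
        if resp["IsTruncated"]:
            resp["Marker"] = str(start + self.PAGE)
        return resp

    def get_role(self, RoleName):
        return {"Role": self.roles[RoleName]}

    def create_role(self, RoleName, AssumeRolePolicyDocument, **kw):
        role = {"RoleName": RoleName, "Arn": f"arn:aws:iam::123456789012:role/{RoleName}",
                "AssumeRolePolicyDocument": json.loads(AssumeRolePolicyDocument), **kw}
        self.roles[RoleName], self.inline[RoleName], self.attached[RoleName] = role, {}, []
        return {"Role": role}

    def list_role_policies(self, RoleName, Marker=None):
        return self._page(sorted(self.inline[RoleName]), "PolicyNames", Marker)

    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": self.inline[RoleName][PolicyName]}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.inline[RoleName][PolicyName] = json.loads(PolicyDocument)

    def list_attached_role_policies(self, RoleName, Marker=None):
        pols = [{"PolicyName": a.rsplit("/", 1)[1], "PolicyArn": a} for a in self.attached[RoleName]]
        return self._page(pols, "AttachedPolicies", Marker)

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached[RoleName].append(PolicyArn)


# Constructed sample: a Cognito identity-pool style trust policy (pool id is made up).
COGNITO_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:example-pool-id"}}}]}


def demo():
    """Build a source role with 3 inline and 3 managed policies (two pages each), then copy it."""
    iam = FakeIAM()
    iam.create_role(RoleName="old-role", AssumeRolePolicyDocument=json.dumps(COGNITO_TRUST),
                    Path="/", MaxSessionDuration=7200)
    for i, action in enumerate(["s3:GetObject", "dynamodb:GetItem", "sqs:SendMessage"]):
        iam.put_role_policy(RoleName="old-role", PolicyName=f"inline-{i}", PolicyDocument=json.dumps(
            {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": action, "Resource": "*"}]}))
    for arn in ["arn:aws:iam::aws:policy/AmazonSNSFullAccess",
                "arn:aws:iam::123456789012:policy/custom-a", "arn:aws:iam::123456789012:policy/custom-b"]:
        iam.attach_role_policy(RoleName="old-role", PolicyArn=arn)
    return iam, copy_role(iam, "old-role", "new-role")


if __name__ == "__main__":
    print(demo()[1])
```

After running this against a real account, diff `get-role` plus the two list calls for the two role names before deleting the original; that confirms nothing was lost to a pagination bug and is a natural place to update the Cognito configuration to the new ARN.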


If Python is an option, perhaps boto3 can be helpful (AWS's SDK for Python)

Creating a role: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_role

Creating a policy: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_policy

More: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#client https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html

Tal L answered Nov 15 '22 05:11