I'm having a hard time finding the correct API call to answer this question: given an IAM User, what is the effective IAM Policy document governing that user?
It looks like I can accomplish the above using a combination of several API calls and concatenating the policies in the client:
aws iam list-groups-for-user --user-name my-user
aws iam list-attached-group-policies --group-name my-group
aws iam list-attached-user-policies --user-name my-user
aws iam get-policy --policy-arn my-policy-arn
aws iam get-policy-version --policy-arn my-policy-arn --version-id my-version
This is at least 5 API calls and at most an unbounded number of calls. I'm hesitant to even write this logic because it is common for a user to belong to several groups and for those groups to contain tens or hundreds of policies.
Surely there is a single API endpoint somewhere that I am missing?
Something like this: aws iam get-effective-user-policy --user-name my-user
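The client-side aggregation the question describes, as an added example that is not part of the original post. It performs the question's call sequence (groups for the user, attached group and user policies, get-policy, get-policy-version) and also fetches inline policies via list-user-policies/get-user-policy and list-group-policies/get-group-policy, which the five commands above miss. The IAM client is injected, so the same code runs against a real `boto3.client("iam")` or against the `FakeIam` stub at the bottom, a constructed stand-in (placeholder account id, sample policies) that mimics boto3's response shapes including Marker pagination.

```python
"""Added example (not from the original question): gather the identity-based policy
documents that reach one IAM user. It performs the question's call sequence plus the
inline-policy calls the question omits. The IAM client is injected, so the same code
runs against boto3.client("iam") or the constructed FakeIam stub at the bottom."""


def _paginate(method, key, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination, yielding every item under `key`."""
    marker = None
    while True:
        resp = method(**kwargs, Marker=marker) if marker else method(**kwargs)
        yield from resp.get(key, [])
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]


def _managed_document(iam, arn):
    """get-policy gives the default version id; get-policy-version gives the document."""
    version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]


def collect_user_policy_documents(iam, user_name):
    """Return [(source, document), ...]; `source` records where each document came from
    (user or group, managed or inline). A managed policy attached in several places is fetched once."""
    docs, seen = [], set()

    def add_managed(scope, arn):
        if arn not in seen:
            seen.add(arn)
            docs.append((f"{scope} managed {arn}", _managed_document(iam, arn)))

    # Policies attached directly to the user: managed first, then inline.
    for p in _paginate(iam.list_attached_user_policies, "AttachedPolicies", UserName=user_name):
        add_managed(f"user {user_name}", p["PolicyArn"])
    for name in _paginate(iam.list_user_policies, "PolicyNames", UserName=user_name):
        doc = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
        docs.append((f"user {user_name} inline {name}", doc))
    # Policies reaching the user through each group it belongs to.
    for g in _paginate(iam.list_groups_for_user, "Groups", UserName=user_name):
        gname = g["GroupName"]
        for p in _paginate(iam.list_attached_group_policies, "AttachedPolicies", GroupName=gname):
            add_managed(f"group {gname}", p["PolicyArn"])
        for name in _paginate(iam.list_group_policies, "PolicyNames", GroupName=gname):
            doc = iam.get_group_policy(GroupName=gname, PolicyName=name)["PolicyDocument"]
            docs.append((f"group {gname} inline {name}", doc))
    return docs


class FakeIam:
    """Constructed stand-in for the boto3 IAM client; sample data, placeholder account id."""
    S3_READ = "arn:aws:iam::123456789012:policy/S3Read"
    EC2_DESCRIBE = "arn:aws:iam::123456789012:policy/Ec2Describe"
    managed = {
        S3_READ: {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]},
        EC2_DESCRIBE: {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
    }
    inline_group = {("devs", "DenyBucketDelete"): {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}}

    def list_groups_for_user(self, UserName, Marker=None):
        if Marker is None:  # two pages, to exercise pagination
            return {"Groups": [{"GroupName": "devs"}], "IsTruncated": True, "Marker": "page2"}
        return {"Groups": [{"GroupName": "ops"}], "IsTruncated": False}

    def list_attached_user_policies(self, UserName, Marker=None):
        return {"AttachedPolicies": [{"PolicyArn": self.S3_READ}], "IsTruncated": False}

    def list_user_policies(self, UserName, Marker=None):
        return {"PolicyNames": [], "IsTruncated": False}

    def list_attached_group_policies(self, GroupName, Marker=None):
        arns = {"devs": [self.S3_READ], "ops": [self.EC2_DESCRIBE]}[GroupName]
        return {"AttachedPolicies": [{"PolicyArn": a} for a in arns], "IsTruncated": False}

    def list_group_policies(self, GroupName, Marker=None):
        return {"PolicyNames": [n for g, n in self.inline_group if g == GroupName], "IsTruncated": False}

    def get_group_policy(self, GroupName, PolicyName):
        return {"PolicyDocument": self.inline_group[(GroupName, PolicyName)]}

    def get_policy(self, PolicyArn):
        return {"Policy": {"DefaultVersionId": "v1"}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"Document": self.managed[PolicyArn]}}
```

Calling `collect_user_policy_documents(FakeIam(), "alice")` returns three documents: the user's attached S3Read policy, the devs group's inline Deny, and the ops group's Ec2Describe policy; the second attachment of S3Read on the devs group is deduplicated. Against a real client the call count is exactly the unbounded one the question worries about, so keeping the `source` tag per document is what makes the output auditable later.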
This isn't really supported in AWS, as the actions an IAM principal can perform are distributed across AWS; they're not stored in any one place. Access decisions are applied when requests are made, and so you should think of IAM policies in terms of a request being made.
When AWS APIs receive a request, this is what kicks in at a high level to determine whether the call is authorised:
AssumeRole)
Each of the above needs to Allow the action for the user to be granted access.
So, you see, the actual access that is granted is spread across quite a few places. That list above is only for a single account, too. Cross-account access is even more distributed.
If you're only interested in identity-based policies, then the API calls you're making are covering it, however any of the others could have Deny effects which prevent the action, even if identity-based policies allow the action, so you'd only be getting a partial picture.
Depending on what you're using this for I'd try not to get a complete picture of a user's access ahead of time, as you are essentially going to be querying every single AWS service for every user. The exception to this is security auditing, in which case there are a slew of tools that will try to do this for you, but be warned: IAM is a complex beast and auditing it is a tricky problem.
If you are only interested in permissions for certain AWS services, you might also consider using the command below. However, I don't think you're going to find a "one stop shop" to get all the permissions in one API call.
aws iam list-policies-granting-service-access
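The evaluation rule the answer leans on (an explicit Deny anywhere blocks an action even when an identity policy allows it), as an added example that is not part of the original answer. It takes documents in the `(source, document)` shape an aggregation script would produce and applies the documented identity-policy order: explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny. It only looks at the identity layer; resource-based policies, permissions boundaries, SCPs and session policies are deliberately absent, which is exactly why the verdict is a partial picture. Statements with a Condition are reported rather than evaluated. `SAMPLE_DOCS` is constructed sample data, and the `evaluate_identity_policies` function and its helpers are this example's own, not an AWS API.

```python
"""Added example (not from the original answer): decide what the identity-based
policies collected for a user say about one action. It applies the documented
identity-policy evaluation order: an explicit Deny in any applicable statement wins,
otherwise a matching Allow grants, otherwise the result is an implicit deny. Resource-based
policies, permissions boundaries, SCPs and session policies are not consulted, which is
why an identity-only view is a partial picture. Statements with a Condition are reported
rather than evaluated, since they depend on request-time context."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM's * and ? wildcards map onto fnmatch; action names are case-insensitive,
    # resource ARNs are matched as written.
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "Action" in stmt and not _matches(stmt["Action"], action, True):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action, True):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource, False):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], resource, False):
        return False
    return True


def evaluate_identity_policies(docs, action, resource="*"):
    """Return (verdict, reasons); verdict is "Deny", "Allow" or "ImplicitDeny" for the
    identity-policy layer only, and reasons names the policy sources that decided it.
    Pass the target ARN as `resource` to honour resource-scoped statements."""
    allows, denies, conditional = [], [], []
    for source, doc in docs:
        for stmt in _as_list(doc["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if "Condition" in stmt:  # undecidable without request context
                conditional.append(f"conditional:{source}")
            elif stmt["Effect"] == "Deny":
                denies.append(source)
            else:
                allows.append(source)
    if denies:
        return "Deny", denies
    if allows:
        return "Allow", allows + conditional
    return "ImplicitDeny", conditional


# Constructed sample documents in the (source, document) shape an aggregation step returns.
SAMPLE_DOCS = [
    ("user alice managed S3Read", {"Statement": [{"Effect": "Allow", "Resource": "*",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteBucket"]}]}),
    ("group devs inline DenyBucketDelete", {"Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}),
    ("group ops managed Ec2Describe", {"Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}),
    ("group ops inline MfaOnly", {"Statement": [
        {"Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}),
]

if __name__ == "__main__":
    for act in ("s3:DeleteBucket", "ec2:DescribeInstances", "ec2:TerminateInstances", "iam:ChangePassword"):
        print(act, evaluate_identity_policies(SAMPLE_DOCS, act))
```

With the sample data, `s3:DeleteBucket` comes back as Deny from the devs group's inline policy even though the user's own S3Read policy allows it, `ec2:DescribeInstances` is allowed by the wildcard, `ec2:TerminateInstances` is an implicit deny, and `iam:ChangePassword` is an implicit deny with the MFA-conditioned statement flagged so a reviewer knows the answer depends on the request.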