
If I run $ aws iam get-user --user-name anthony, I get a result like this

{
    "User": {
        "Path": "/",
        "UserName": "anthony",
        "UserId": "E2S4XZIL9NRNSBIDBI5U6",
        "Arn": "arn:aws:iam::123456:user/anthony",
        "CreateDate": "2015-04-03T01:22:11Z",
        "PasswordLastUsed": "2019-04-10T01:38:14Z"
    }
}

If I want to get a list of roles this login has, how can I do it with aws iam?

MLu
Anthony Kong

3 Answers


An IAM User doesn't have IAM Roles, hence you can't list them.

An IAM User can have IAM Policies (either attached directly or through IAM Group membership) that allow it to assume other roles.

You can list directly attached policies:

aws iam list-attached-user-policies --user-name ...

Group memberships:

aws iam list-groups-for-user --user-name ...

And from there, group policies:

aws iam list-attached-group-policies --group-name ... # group names from previous step

Hope that helps :)

MLu

Sadly, with the AWS CLI tool it is not possible to list all roles a user can assume. As a workaround, you can list all roles with their associated users and search for your user in this output.

The following command lists all roles and filters (via the jq tool) for role name and associated users:

aws iam list-roles --output=json | jq '.Roles[] | {role: .RoleName, user: .AssumeRolePolicyDocument.Statement[].Principal.AWS} | select(.user != null)'

Example output:

{
  "role": "dev-ops-rw",
  "user": "arn:aws:iam::123456789012:user/user1"
} 
{
  "role": "finance",
  "user": "arn:aws:iam::123456789012:user/user2"
}
{
  "role": "service",
  "user": "arn:aws:iam::123456789012:user/user1"
} 

This output shows that user1 can assume the roles dev-ops-rw and service. The user user2 can assume the role finance.
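The two answers above describe the two halves of the check: the first walks the user's identity-based policies (inline, attached and group), the second searches the roles' trust policies. As an added example that is not code from either answer, the following Python evaluates both halves over constructed sample data shaped like the CLI output: a list of the user's effective identity policy documents and the JSON that aws iam list-roles prints. A role trusting the user's ARN directly needs no identity-policy grant; a role that only trusts the account root does, and an explicit Deny overrides any Allow. Principal.AWS given as a list is handled (the jq one-liner above prints such a role once per listed principal). The account id, user ARN, policy documents and role names are all constructed; NotAction, NotResource and Condition elements are not evaluated.

```python
import fnmatch
import json

ACCOUNT_ID = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/user1"

# Constructed sample: the user's effective identity-based policies, i.e. what
# get-user-policy / get-policy-version return for the inline, attached and
# group policies found with the commands in the first answer.
IDENTITY_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/dev-*"},
            {"Effect": "Deny", "Action": "sts:AssumeRole",
             "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/dev-admin"},
        ],
    }
]


def _role(name, principal):
    """Build one trimmed `aws iam list-roles` entry (constructed sample data)."""
    return {
        "RoleName": name,
        "Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/{name}",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": principal,
                           "Action": "sts:AssumeRole"}],
        },
    }


# Constructed sample: JSON shaped like `aws iam list-roles --output json`.
LIST_ROLES_OUTPUT = json.dumps({"Roles": [
    # trust policy names user1 directly: no identity-policy grant needed
    _role("dev-ops-rw", {"AWS": USER_ARN}),
    # trusts only user2
    _role("finance", {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/user2"}),
    # a list principal, which the jq one-liner prints as two objects
    _role("service", {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:user/user2", USER_ARN]}),
    # trusts the account root: user1 also needs an identity-policy Allow
    _role("dev-deploy", {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}),
    # matched by the dev-* Allow but hit by the explicit Deny
    _role("dev-admin", {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}),
    # no "AWS" key at all: only a service can assume it
    _role("batch", {"Service": "ec2.amazonaws.com"}),
    # bare account id form of the root principal; no identity Allow for it
    _role("prod-ops", {"AWS": ACCOUNT_ID}),
]})


def as_list(value):
    """IAM allows a scalar or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, resource_arn, stmt):
    """Statement applies to the action (case-insensitive) and resource (IAM '*'/'?')."""
    act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                 for a in as_list(stmt.get("Action")))
    res_ok = any(fnmatch.fnmatchcase(resource_arn, r)
                 for r in as_list(stmt.get("Resource")))
    return act_ok and res_ok


def identity_allows(policies, action, resource_arn):
    """Evaluate identity policies for one action on one resource: an explicit
    Deny wins over any Allow, and no matching Allow is an implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in as_list(doc.get("Statement")):
            if not _matches(action, resource_arn, stmt):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def trust_level(role, user_arn, account_id):
    """'user' if the trust policy names the user's ARN, 'account' if it trusts
    the account root (a '*' principal is treated the same, conservatively),
    None if the role does not trust this user at all."""
    level = None
    for stmt in as_list(role["AssumeRolePolicyDocument"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:assumerole", a.lower())
                   for a in as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS"))
        for p in aws:
            if p == user_arn:
                return "user"
            if p in ("*", account_id, f"arn:aws:iam::{account_id}:root"):
                level = "account"
    return level


def assumable_roles(user_arn, identity_policies, list_roles_json):
    """Map role name -> reason for every role the user can assume."""
    account_id = user_arn.split(":")[4]
    result = {}
    for role in json.loads(list_roles_json)["Roles"]:
        level = trust_level(role, user_arn, account_id)
        if level == "user":
            result[role["RoleName"]] = "trust policy names user"
        elif level == "account" and identity_allows(
                identity_policies, "sts:AssumeRole", role["Arn"]):
            result[role["RoleName"]] = "account trust + identity policy"
    return result


if __name__ == "__main__":
    print(json.dumps(assumable_roles(USER_ARN, IDENTITY_POLICIES,
                                     LIST_ROLES_OUTPUT), indent=2))
```

Feeding real data means pasting the policy documents gathered with the first answer's commands into IDENTITY_POLICIES and the raw list-roles JSON into LIST_ROLES_OUTPUT; roles that trust the account root are the ones a trust-policy search alone will miss.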


First do:

aws iam list-user-policies --user-name USER

Then do:

aws iam get-user-policy --user-name USER --policy-name POLICY-NAME-FOUND-ABOVE

Alvim