
Given the input of just an AWS Access Key and an AWS Secret Key, how can I use the AWS SDK to look up what kind of permissions the account has?

I want to do XYZ for a customer, so the customer needs to give the access key and secret key to me to perform XYZ programmatically. However, before trying to do any of those actions, I'd like to verify that the credentials they gave me have access to certain privileges, such as being able to create S3 objects or being able to launch an EC2 instance.

That way, I can validate whether the access key and secret key have permission to do something before I do it on their behalf.

Big Data Brian

2 Answers


You can use the SimulatePrincipalPolicy API to simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.

The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to.

You'll need to provide the "SimulatePrincipalPolicy" API with that user's ARN as the PolicySourceArn input parameter (no need to use the optional CallerArn input parameter). If you have the access key ID and secret access key, you can retrieve the user's ARN by calling the GetUser API using that user credentials, i.e., without specifying the UserName input parameter. If no user name is included, the GetUser API defaults to the user making the request.

Khalid T.
  • This could work if I had the CallerArn but I only have the access and secret keys. So maybe the question becomes "how can I lookup a user's ARN by only knowing or using their access or secret keys?" – Big Data Brian Feb 22 '17 at 21:02
  • I have updated my answer to include how you can get the user ARN. Remember, you don't need to use the **CallerArn** parameter. You only need the **PolicySourceArn**. – Khalid T. Feb 22 '17 at 21:09
  • Please check my answer above [ http://stackoverflow.com/a/42402517/649408 ] - also to get the ARN please check my other answer [ http://stackoverflow.com/a/31837458/649408 ] – Naveen Vijay Feb 22 '17 at 21:36
  • I like both your answers. My solution kind of uses both. I build an IAM client from the SDK using the given keys, and then I call GetUser with no parameters, which returns the user the client is using to access the API. From there, I get the ARN and username in the results. Then, I can either do a dry run on what I really want to run or I could use the SimulatePrincipalPolicy call. Both of your answers helped me. Thank you for the info! – Big Data Brian Feb 23 '17 at 17:21
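Putting the two calls from this answer together, as an added example that is not the answerer's own code: GetUser without UserName recovers the caller's ARN, and SimulatePrincipalPolicy is then asked about a list of actions. The function names, the Marker pagination loop and the `resources` default of `"*"` are choices made here, not anything the answer specifies.

```python
from typing import Dict, List


def principal_arn(iam) -> str:
    """GetUser with no UserName returns the caller, i.e. whoever owns the keys."""
    return iam.get_user()["User"]["Arn"]


def simulate(iam, arn: str, actions: List[str], resources=("*",)) -> Dict[str, str]:
    """Map each action to its EvalDecision ('allowed', 'explicitDeny' or
    'implicitDeny'), following Marker pagination while IsTruncated is set."""
    decisions: Dict[str, str] = {}
    kwargs = dict(PolicySourceArn=arn, ActionNames=list(actions),
                  ResourceArns=list(resources))
    while True:
        resp = iam.simulate_principal_policy(**kwargs)
        for r in resp["EvaluationResults"]:
            decisions[r["EvalActionName"]] = r["EvalDecision"]
        if not resp.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = resp["Marker"]


def check(iam, actions: List[str], resources=("*",)) -> Dict[str, bool]:
    """True only for an explicit 'allowed'; both kinds of deny become False."""
    arn = principal_arn(iam)
    return {a: d == "allowed" for a, d in simulate(iam, arn, actions, resources).items()}


def iam_client_for(access_key: str, secret_key: str):
    """Real boto3 IAM client built from the customer's keys (boto3 is imported
    lazily so the functions above can be exercised with a stub client)."""
    import boto3
    return boto3.client("iam", aws_access_key_id=access_key,
                        aws_secret_access_key=secret_key)


if __name__ == "__main__":
    import sys
    iam = iam_client_for(sys.argv[1], sys.argv[2])
    result = check(iam, ["s3:PutObject", "ec2:RunInstances"])
    for action, ok in result.items():
        print(f"{action}: {'allowed' if ok else 'denied'}")
```

The keys being checked must themselves be allowed to call iam:GetUser and iam:SimulatePrincipalPolicy, otherwise the check fails before any decision comes back. GetUser only works for IAM user credentials; for role credentials, sts:GetCallerIdentity returns the caller's ARN instead.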

I would suggest using the AWS CLI for the purpose and making use of the --dry-run flag for the CLI commands. I am unsure of how many AWS CLI operations support the --dry-run option, not to mention the tag-level / resource-level restrictions.

The --dry-run flag would try to check if you have permission to run the API or not without actually performing the request.


I also see the difficulty of testing (regression), as AWS has 60+ services and EC2 alone has 227 API commands [as of today]. Perhaps this might be the place where you would use your sed, awk and grep to build a shell script [and publish it on GitHub].

SDKs do support this as well - it might be easier than the CLI approach.

Naveen Vijay
  • It seems that this option is not supported everywhere. E.g. running `aws s3 cp s3://blablabla . --recursive --dry-run` gives `Unknown options: --dry-run` – Suncatcher May 12 '18 at 07:10