
I'm on an EC2 instance that has an IAM role attached to it, and would like to be able to verify that I am indeed using this role from the AWS CLI.

I'm imagining being able to call something like this (but can't find anything like it in the CLI docs):

$ aws get-current-role-details

Does this functionality exist?

ryantuck

  • When you are saying “on server”, do you mean on an EC2 instance? – Bruce Nov 15 '17 at 17:38
  • The following command will give you the details about the IAM role attached to the EC2 instance. It is present in the instance metadata: curl http://169.254.169.254/latest/meta-data/iam/info Is this what you are looking for? – krishna_mee2004 Nov 15 '17 at 18:38
  • Updated my question to reflect that I am attempting to do this from an EC2 instance. Simply finding the instance metadata is *not* what I'm interested in (I can find this from the console). I want to know, for instance, *what* role the AWS CLI is leveraging. – ryantuck Nov 15 '17 at 19:53

3 Answers

Use the AWS STS command get-caller-identity.

Returns details about the IAM identity whose credentials are used to call the API.

$ aws sts get-caller-identity
{
    "UserId": "AIDAxxx",
    "Account": "xxx",
    "Arn": "arn:aws:iam::xxx:user/Tyrone321"
}

You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam list-attached-role-policies for attached managed policies (thanks to @Dimitry K for the callout).

$ aws iam list-attached-role-policies --role-name Tyrone321
{
    "AttachedPolicies": [
        {
            "PolicyName": "SomePolicy",
            "PolicyArn": "arn:aws:iam::aws:policy/xxx"
        },
        {
            "PolicyName": "AnotherPolicy",
            "PolicyArn": "arn:aws:iam::aws:policy/xxx"
        }
    ]
}

To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements. If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy. See the AWS IAM CLI reference for more information.

Tyrone321

  • You also need to call `aws iam list-role-policies --role-name EMR_EC2_DefaultRole` in order to **get information about _Inline Policies_**. Just calling `list-attached-role-policies` will only give you information about _Managed Policies_, but not _Inline Policies_ of that particular role. – Dimitry K Feb 05 '21 at 16:05
  • In case we are using a federated user: `Account: 'XXX'` `Arn: arn:aws:sts::XXX:federated-user/XXX` `UserId: XXX` how can we find the role? – Fábio Araújo May 11 '22 at 14:57
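As an added example (not part of Tyrone321's answer or of the AWS CLI itself), the following POSIX shell script does what the answer and Dimitry K's comment describe end to end: it classifies the Arn that `aws sts get-caller-identity` returns, and for an assumed role it dumps both the inline policy documents (`list-role-policies` + `get-role-policy`) and the managed policy documents (`list-attached-role-policies` + `get-policy` + `get-policy-version`). On an EC2 instance using its attached role, the Arn is an STS `assumed-role` ARN of the form `arn:aws:sts::ACCOUNT:assumed-role/ROLENAME/INSTANCE-ID`, not the `iam::...:user/` form shown in the sample output. The function names and the ARNs in the comments are my own constructed examples.

```shell
#!/bin/sh
# Added example, not code from the original answer: identify the caller
# behind the AWS CLI and list every policy (inline and managed) on its role.
set -eu

# Print the principal type encoded in a caller-identity Arn, e.g.
#   arn:aws:iam::123456789012:user/alice                     -> user
#   arn:aws:sts::123456789012:assumed-role/MyRole/i-0abc123  -> assumed-role
#   arn:aws:sts::123456789012:federated-user/bob             -> federated-user
#   arn:aws:iam::123456789012:root                           -> root
arn_principal_type() {
    # strip "arn:<partition>:<service>::<account>:" and inspect the resource part
    rest=${1#arn:*:*::*:}
    case "$rest" in
        user/*)           echo user ;;
        assumed-role/*)   echo assumed-role ;;
        federated-user/*) echo federated-user ;;
        root)             echo root ;;
        *)                echo unknown ;;
    esac
}

# Print the role name from an assumed-role Arn; fail for any other principal.
arn_role_name() {
    rest=${1#arn:*:*::*:}
    case "$rest" in
        assumed-role/*)
            role=${rest#assumed-role/}
            echo "${role%%/*}" ;;
        *)  return 1 ;;
    esac
}

# Print the policy documents attached to a role: inline policies first,
# then the default version of each attached managed policy.
# Requires credentials allowed to call iam:List* and iam:Get* on the role.
dump_role_policies() {
    role=$1
    echo "== inline policies on $role =="
    for name in $(aws iam list-role-policies --role-name "$role" \
                    --query 'PolicyNames[]' --output text); do
        echo "-- $name"
        aws iam get-role-policy --role-name "$role" --policy-name "$name" \
            --query 'PolicyDocument' --output json
    done
    echo "== managed policies on $role =="
    for parn in $(aws iam list-attached-role-policies --role-name "$role" \
                    --query 'AttachedPolicies[].PolicyArn' --output text); do
        ver=$(aws iam get-policy --policy-arn "$parn" \
                --query 'Policy.DefaultVersionId' --output text)
        echo "-- $parn ($ver)"
        aws iam get-policy-version --policy-arn "$parn" --version-id "$ver" \
            --query 'PolicyVersion.Document' --output json
    done
}

main() {
    arn=$(aws sts get-caller-identity --query Arn --output text)
    kind=$(arn_principal_type "$arn")
    echo "caller: $arn ($kind)"
    case "$kind" in
        assumed-role) dump_role_policies "$(arn_role_name "$arn")" ;;
        *) echo "not an assumed role; use the *-user-policies commands instead" ;;
    esac
}

# Run only when explicitly asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `sh whoami-aws.sh --check` on the instance. If the Arn comes back as a `user/` or `federated-user/` principal rather than `assumed-role/`, the CLI is not using the instance role at all, which is the situation Fábio Araújo's comment describes.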

There is a simpler and more elegant way to get the current role details.

$ curl http://169.254.169.254/latest/meta-data/iam/info

{
  "Code" : "Success",
  "LastUpdated" : "2019-05-08T13:15:52Z",
  "InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/rolename",
  "InstanceProfileId" : "AIPAIFNV5UU4JJLAXXXXX"
}

In InstanceProfileArn you can see your role name.

Dharam Bhai
Aditya Jangid

  • This will tell you which Instance Profile has been attached to the EC2 instance, but it doesn't verify the identity used when issuing AWS CLI commands. It won't be accurate if you've configured `~/.aws/credentials` or pass a credential to the AWS CLI command. – Tyrone321 May 12 '20 at 07:36
  • To add to what @Tyrone321 said, an instance profile is the last thing to be checked when authenticating an AWS API call. Although that curl command will tell you whether a role is attached to the instance, it won't tell you if it is being used. Docs on the order of precedence: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence – Scott McAllister Aug 31 '21 at 17:42
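The two comments above make the security-relevant distinction: the metadata service reports what is attached to the instance, while `sts get-caller-identity` reports what the CLI actually signs with, and any higher-precedence credential source (environment variables, `~/.aws/credentials`, a `--profile`) wins over the instance profile. The following script, added here and not part of either answer, checks both and reports whether they agree. It reads the role name from `meta-data/iam/security-credentials/` (which returns the role name directly) rather than parsing it out of `InstanceProfileArn`, because an instance profile's name is not required to match its role's name. It fetches metadata with an IMDSv2 session token, which is required on instances that enforce IMDSv2. Function names and the ARNs in the tests are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original answers: does the AWS CLI really use
# the role attached to this instance, or has another credential source taken
# precedence?
set -eu

IMDS=http://169.254.169.254

# GET a metadata path using an IMDSv2 session token (PUT /latest/api/token).
imds_get() {
    token=$(curl -sS -X PUT "$IMDS/latest/api/token" \
              -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -sS -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/$1"
}

# Role name behind the instance's credentials; empty when no profile is attached.
instance_role() {
    imds_get iam/security-credentials/ 2>/dev/null || true
}

# Role name from an STS assumed-role Arn such as
#   arn:aws:sts::123456789012:assumed-role/MyRole/i-0abc123  -> MyRole
# and empty for any other kind of principal (IAM user, federated user, root).
caller_role() {
    rest=${1#arn:*:sts::*:assumed-role/}
    if [ "$rest" = "$1" ]; then echo ""; else echo "${rest%%/*}"; fi
}

# "instance-role" when the CLI's caller is the attached role,
# "other-credentials" when something with higher precedence is being used.
credential_source() {
    attached=$1
    caller=$2
    if [ -n "$caller" ] && [ "$attached" = "$caller" ]; then
        echo instance-role
    else
        echo other-credentials
    fi
}

main() {
    attached=$(instance_role)
    arn=$(aws sts get-caller-identity --query Arn --output text)
    caller=$(caller_role "$arn")
    echo "attached role : ${attached:-<none>}"
    echo "caller arn    : $arn"
    echo "source        : $(credential_source "$attached" "$caller")"
}

if [ "${1:-}" = "--check" ]; then main; fi
```

A result of `other-credentials` with a role attached is worth investigating on a production host: it means a long-lived key in a file, an environment variable, or a profile is overriding the instance role, which is exactly the case the curl-only check cannot detect.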

Unfortunately, there is not a simple way to get that information. You'll need to get there through the following path:

Step 1. Get the current EC2 instance ID from the instance metadata.

curl -s http://169.254.169.254/latest/meta-data/instance-id

You may need the current region as well.

curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/\(.*\)[a-z]/\1/'

Step 2. Get the ID of the IAM Instance Profile attached to your EC2 instance.

aws ec2 describe-instances \
    --region us-east-1 \
    --instance-ids i-12345678 \
    --query 'Reservations[0].Instances[0].IamInstanceProfile.Id'

Remember to substitute the EC2 instance ID and region as required.

Step 3. Get the IAM instance profile roles.

aws iam list-instance-profiles \
    --query "InstanceProfiles[?InstanceProfileId=='ABCDEFG'].Roles"

Remember to substitute the IAM instance profile ID.

Notes:

  • An IAM instance profile may have more than one IAM role associated with it. Usually it will be only one, but it could have more.
Matt Houser

  • To clarify, querying this endpoint is called querying the instance's metadata. It returns everything in the context of the instance you're in, including the role. – eco Nov 15 '18 at 20:04
  • This will tell you which Instance Profile has been attached to the EC2 instance, but it doesn't verify the identity used when issuing AWS CLI commands. It won't be accurate if you've configured `~/.aws/credentials` or pass a credential to the AWS CLI command. – Tyrone321 May 12 '20 at 07:38
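The three steps above chained into one script, added here as an example rather than taken from the answer. It derives the region from the availability zone the same way the `sed` one-liner does (dropping the single trailing zone letter of a standard AZ name such as `us-east-1a`), fetches metadata with an IMDSv2 session token, and resolves the instance profile ID to the role names it contains, which also covers the note that a profile may hold more than one role. The function names are my own; `AIPAEXAMPLE12345` in the test is a constructed placeholder ID.

```shell
#!/bin/sh
# Added example, not code from the original answer: instance-id -> region ->
# instance profile id -> role names, without knowing anything up front.
set -eu

IMDS=http://169.254.169.254

# GET a metadata path using an IMDSv2 session token.
imds_get() {
    token=$(curl -sS -X PUT "$IMDS/latest/api/token" \
              -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -sS -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/$1"
}

# "us-east-1a" -> "us-east-1": drop the single trailing zone letter,
# equivalent to the answer's sed 's/\(.*\)[a-z]/\1/'.
az_to_region() {
    printf '%s\n' "${1%[a-z]}"
}

# JMESPath query selecting the role names of one instance profile by ID.
profile_roles_query() {
    printf "InstanceProfiles[?InstanceProfileId=='%s'].Roles[].RoleName\n" "$1"
}

main() {
    instance_id=$(imds_get instance-id)
    region=$(az_to_region "$(imds_get placement/availability-zone)")

    profile_id=$(aws ec2 describe-instances --region "$region" \
        --instance-ids "$instance_id" \
        --query 'Reservations[0].Instances[0].IamInstanceProfile.Id' \
        --output text)
    if [ "$profile_id" = "None" ]; then
        echo "instance $instance_id has no instance profile attached"
        return 1
    fi
    echo "instance $instance_id ($region) uses instance profile $profile_id"

    echo "roles in that profile:"
    aws iam list-instance-profiles \
        --query "$(profile_roles_query "$profile_id")" --output text
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Note that `describe-instances` needs `ec2:DescribeInstances` and `list-instance-profiles` needs `iam:ListInstanceProfiles`, so this route only works when the credentials in use already carry those permissions; as with the curl-only answer, it still reports what is attached, not what the CLI is signing with.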