
I have a lot of instances running in an AWS Account. Each is attached to a different IAM Role (1). I can review the Role via the Management Console (2) and see the attached Policies (3).

[screenshot: IAM Role in the Management Console with its attached Policies]

I want to obtain a list of these programmatically. I have written some powershell.

```powershell
# Requires the AWS Tools for PowerShell (AWS.Tools.EC2, or the monolithic AWSPowerShell module)
Import-Module AWS.Tools.EC2

$region = 'eu-west-3'
Set-DefaultAWSRegion -Region $region
# Get-EC2Instance returns Reservation objects; .Instances flattens them to the instances themselves
$ec2 = Get-EC2Instance
$ec2list = $ec2.Instances

$ec2listdetails = $ec2list | ForEach-Object {
    $properties = [ordered]@{
        Name               = ($_ | Select-Object -ExpandProperty Tags | Where-Object -Property Key -eq Name).Value
        InstanceState      = $_.State.Name
        InstanceID         = $_.InstanceId
        InstanceType       = $_.InstanceType
        Platform           = $_.Platform
        PlatformDetails    = $_.PlatformDetails
        LaunchTime         = $_.LaunchTime
        KeyName            = $_.KeyName
        AmiID              = $_.ImageId
        ImageName          = (Get-EC2Image -ImageId $_.ImageId).Name
        # These are the *instance profile* ID and ARN, not the ID/ARN of the role inside it
        IamRoleID          = $_.IamInstanceProfile.Id
        IamRoleARN         = $_.IamInstanceProfile.Arn
        PrivateIP          = $_.PrivateIpAddress
        SubnetId           = $_.SubnetId
        SubnetName         = (Get-EC2Subnet -SubnetId $_.SubnetId | Select-Object -ExpandProperty Tags | Where-Object -Property Key -eq Name).Value
        # Multi-valued properties are joined, otherwise Export-Csv writes "System.Object[]" for multi-NIC / multi-SG instances
        NetworkInterfaceId = ($_.NetworkInterfaces.NetworkInterfaceId -join ';')
        MAC                = ($_.NetworkInterfaces.MacAddress -join ';')
        VPCId              = $_.VpcId
        VPCName            = (Get-EC2Vpc -VpcId $_.VpcId | Select-Object -ExpandProperty Tags | Where-Object -Property Key -eq Name).Value
        AZ                 = $_.Placement.AvailabilityZone
        SG                 = ($_.SecurityGroups.GroupName -join ';')
        BackupTag          = ($_ | Select-Object -ExpandProperty Tags | Where-Object -Property Key -eq BackupTag).Value
        ProductTag         = ($_ | Select-Object -ExpandProperty Tags | Where-Object -Property Key -eq Product).Value
    }
    New-Object -TypeName PSObject -Property $properties
}

$ec2listdetails | Sort-Object -Property SubnetName | Export-Csv -Path "$($PWD.Path)\ec2-report-$region.csv"
```

Get-EC2Instance returns the following properties: [screenshot: properties returned by Get-EC2Instance]

The returned property is the IamInstanceProfile. I can't seem to find the correct command to get all Policies attached to that Profile programmatically.

Any ideas?

MickyD
  • You need https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html and https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html to list the inline and attached managed policies. – luk2302 Jan 27 '23 at 12:54
  • The problem is that list-attached-role-policies requires the --role-name parameter which is the friendly name of the role. However, Get-EC2Instance does not return the friendly name it returns the "Instance Profile ARN". – MickyD Jan 29 '23 at 12:07
  • The last part of the arn is the name. – luk2302 Jan 29 '23 at 12:31

1 Answer


You can use this in order to get the Role, and that will take only the human-readable text

```powershell
# ...
$ec2listdetails = $ec2list | ForEach-Object {
    $s = $_.IamInstanceProfile.Arn   # you need this object to be split, so create a variable
    $properties = [ordered]@{
        Name          = ($_ | Select-Object -ExpandProperty tags | Where-Object -Property Key -eq Name).value
        InstanceState = $_.State.Name
        # ...
        IamRoleARN    = ($s -split "/")[1]   # use this to get the Role name only, not the entire arn
        # ...
    }
    New-Object -TypeName PSObject -Property $properties
}
```

  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 04 '23 at 16:59
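Putting the comments' suggestion (list-attached-role-policies plus list-role-policies for inline policies) together with the answer's ARN split, here is an added PowerShell example that is not part of the question or the answer. It assumes the AWS.Tools.EC2 and AWS.Tools.IAM modules (the cmdlets are the real AWS Tools for PowerShell equivalents of GetInstanceProfile, ListAttachedRolePolicies and ListRolePolicies) and credentials allowed to call ec2:DescribeInstances, iam:GetInstanceProfile, iam:ListAttachedRolePolicies and iam:ListRolePolicies; the function name Get-InstanceRolePolicies and the report file name are my own. Rather than assuming the instance profile name equals the role name, it looks the profile up and reads its Roles collection, which is what actually holds the role.

```powershell
# Added example: instance -> instance profile -> role(s) -> attached managed + inline policies
Import-Module AWS.Tools.EC2
Import-Module AWS.Tools.IAM

$region = 'eu-west-3'
Set-DefaultAWSRegion -Region $region

function Get-InstanceRolePolicies {
    param(
        # Instance profile ARN as returned in Instances[].IamInstanceProfile.Arn,
        # e.g. arn:aws:iam::123456789012:instance-profile/MyProfile (constructed sample)
        [Parameter(Mandatory)][string]$InstanceProfileArn
    )
    # The instance profile *name* is the last "/"-separated segment (profiles may carry a path,
    # so [-1] is safer than [1]). A profile and its role often share a name but need not,
    # so the profile is resolved and its Roles collection used instead of guessing the role name.
    $profileName     = ($InstanceProfileArn -split '/')[-1]
    $instanceProfile = Get-IAMInstanceProfile -InstanceProfileName $profileName

    foreach ($role in $instanceProfile.Roles) {
        # Customer-managed and AWS-managed policies attached to the role
        Get-IAMAttachedRolePolicyList -RoleName $role.RoleName | ForEach-Object {
            [pscustomobject]@{
                InstanceProfile = $profileName
                RoleName        = $role.RoleName
                PolicyType      = 'Managed'
                PolicyName      = $_.PolicyName
                PolicyArn       = $_.PolicyArn
            }
        }
        # Inline policies embedded in the role (names only; the document itself is
        # returned by Get-IAMRolePolicy -RoleName <role> -PolicyName <name>)
        Get-IAMRolePolicyList -RoleName $role.RoleName | ForEach-Object {
            [pscustomobject]@{
                InstanceProfile = $profileName
                RoleName        = $role.RoleName
                PolicyType      = 'Inline'
                PolicyName      = $_
                PolicyArn       = $null
            }
        }
    }
}

# One row per (instance, role, policy); instances without a profile are skipped
$report = (Get-EC2Instance).Instances |
    Where-Object { $_.IamInstanceProfile } |
    ForEach-Object {
        $instance = $_
        Get-InstanceRolePolicies -InstanceProfileArn $instance.IamInstanceProfile.Arn |
            Select-Object @{ n = 'InstanceId'; e = { $instance.InstanceId } }, *
    }

$report | Sort-Object InstanceId, RoleName, PolicyType |
    Export-Csv -Path "$($PWD.Path)\ec2-role-policies-$region.csv" -NoTypeInformation
```

The resulting CSV is a flat inventory of which policies every running instance can exercise, which is the view needed when reviewing instance roles for over-broad permissions; to pull the actual policy documents, follow up with Get-IAMPolicyVersion for the managed ones (using the policy's DefaultVersionId from Get-IAMPolicy) and Get-IAMRolePolicy for the inline ones.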