FreeKB - Amazon Web Services (AWS) - Attach IAM Policies to a User using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

To access AWS services, you need a valid AWS account with the necessary permissions. For users other than the root user, permissions are granted through IAM policies. A policy defines a set of permissions to AWS services, such as S3 buckets.

The aws iam list-attached-user-policies command can be used to list the policies (permissions) attached to a user. By default, no policies are attached to a newly created user.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": []
}

 

The aws iam list-policies command can be used to list all of the available policies.

aws iam list-policies

 

And here is an example of how to limit the output using the --query option.

aws iam list-policies --query 'Policies[?PolicyName==`ReadOnlyAccess`]'

 

Without the --query option, aws iam list-policies should return something like this.

{
    "Policies": [
        {
            "PolicyName": "AdministratorAccess",
            "PolicyId": "ANPAIWMBCKSKIEE64ZLYK",
            "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 2,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2015-02-06T18:39:46+00:00",
            "UpdateDate": "2015-02-06T18:39:46+00:00"
        },
        {
            "PolicyName": "PowerUserAccess",
            "PolicyId": "ANPAJYRXTHIB4FOVS3ZXS",
            "Arn": "arn:aws:iam::aws:policy/PowerUserAccess",
            "Path": "/",
            "DefaultVersionId": "v4",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2015-02-06T18:39:47+00:00",
            "UpdateDate": "2019-03-20T22:19:03+00:00"
        }
    ]
}

 

  • The aws iam attach-user-policy command (this article) can be used to attach a policy to a user using the ARN (Amazon Resource Name) of the policy.
  • The aws iam attach-role-policy command can be used to attach a policy to a role using the ARN (Amazon Resource Name) of the policy.

In this example, the ReadOnlyAccess policy is attached to user john.doe.

aws iam attach-user-policy --user-name john.doe --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

 

The aws iam list-attached-user-policies command can then be used to confirm that the ReadOnlyAccess policy is attached to user john.doe.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": [
        {
            "PolicyName": "ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"
        }
    ]
}
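
The attach and verify steps above can be combined into one idempotent function. This is an added example, not code from the original article: it attaches a policy only when it is missing, confirms the attachment afterwards, and refuses the two broad policies shown in the list-policies output unless ALLOW_BROAD=1 (a hypothetical variable name) is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). ALLOW_BROAD is a hypothetical
# override variable; the two "broad" ARNs are the policies shown in the
# list-policies output above.

# Print the ARNs of the managed policies attached to user $1, one per line.
attached_policy_arns() {
  aws iam list-attached-user-policies --user-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n'
}

# Return 0 if policy ARN $2 is attached to user $1 (exact, whole-line match).
policy_is_attached() {
  attached_policy_arns "$1" | grep -Fxq -- "$2"
}

# Attach policy $2 to user $1 only if it is missing, then confirm it is listed.
ensure_user_policy() {
  local user="$1" arn="$2"
  case "$arn" in
    arn:aws:iam::aws:policy/AdministratorAccess|arn:aws:iam::aws:policy/PowerUserAccess)
      if [ "${ALLOW_BROAD:-0}" != 1 ]; then
        echo "refused: $arn is broad; set ALLOW_BROAD=1 to attach it" >&2
        return 2
      fi ;;
  esac
  if policy_is_attached "$user" "$arn"; then
    echo "unchanged: $arn already attached to $user"
    return 0
  fi
  aws iam attach-user-policy --user-name "$user" --policy-arn "$arn" || return 1
  if policy_is_attached "$user" "$arn"; then
    echo "attached: $arn to $user"
  else
    echo "error: $arn not listed for $user after attach" >&2
    return 1
  fi
}

# Usage: ensure_user_policy john.doe arn:aws:iam::aws:policy/ReadOnlyAccess
```

The exact-match check (grep -Fx) avoids treating one ARN as attached because it is a substring of another.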

 



