This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

• An IAM Policy allows certain actions (such create) on certain resources (such as EC2)
• An IAM User is typically a users account (such as john.doe) that contains an IAM Identity-Based Policy that allows certain actions (such as list) on certain resources (such S3)
• An IAM Role contains an IAM Policy that allows certain actions (such create) on certain resources (such as EC2) - Let's say the Identity-Based Policy attached to john.doe does NOT allow create S3 - john.doe could Assume a Role that allows create S3
  • Assume Role or Switch Role using Python boto3
  • Assume Role or Switch Role using Terraform
  • Assume Role or Switch Role using the AWS CLI
  • Often, a Role will have two Policies:
    • Trust Relationship
    • Permission Policy

The aws iam list-attached-user-policies command should list the policies that have been attached to a user.

The aws iam list-attached-role-policies command should list the policies that have been attached to a role.

In this example, the AdministratorAccess policy is attached to my-role.

~]$ aws iam list-attached-role-policies --role-name my-role
{
    "AttachedPolicies": [
        {
            "PolicyName": "ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"
        }
    ]
}

• The aws iam detach-user-policy command (this article) can be used to remove policies that have been attached to a user.
• The aws iam detach-role-policy command (this article) can be used to remove policies that have been attached to a role.

In this example, the AdministratorAccess policy is removed from my-role.

aws iam detach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/AdministratorAccess