
This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
An IAM (Identity and Access Management) Role is similar to, but not the same as, an IAM User.
- An IAM Policy allows certain actions (such as create) on certain resources (such as EC2)
- An IAM User is typically a user account (such as john.doe) that has an IAM Identity-Based Policy attached, allowing certain actions (such as list) on certain resources (such as S3)
- An IAM Role contains an IAM Policy that allows certain actions (such as create) on certain resources (such as EC2). Let's say the Identity-Based Policy attached to john.doe does NOT allow "create S3"
- The Role that allows "create S3" could be attached to john.doe, or john.doe could assume the Role.
- Often, a Role will have two Policies:
The aws iam list-roles command can be used to list the IAM (Identity and Access Management) Roles.
- IAM (Identity and Access Management) Roles contain one or more IAM Policies. Almost always, a Role will have two Policies.
- An IAM Policy contains the permissions for an AWS resource. For example, the AmazonEC2FullAccess policy permits full access to EC2. An IAM Policy can be attached to a user, group, or role.
aws iam list-roles
Something like this should be returned.
{
    "Roles": [
        {
            "Path": "/",
            "RoleName": "AWS-QuickSetup-StackSet-Local-AdministrationRole",
            "RoleId": "AROA2MITL76GLYTJARYZV",
            "Arn": "arn:aws:iam::123456789012:role/AWS-QuickSetup-StackSet-Local-AdministrationRole",
            "CreateDate": "2022-10-06T08:01:40+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "cloudformation.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}
And here is an example of how to limit the output using the --query option. This returns only the roles whose RoleName is admin-role.
aws iam list-roles --query 'Roles[?RoleName==`admin-role`]'
Notice that the output includes AssumeRolePolicyDocument which is the Trust Relationship but does not include the attached Permission Policies. The aws iam list-attached-role-policies command can be used to list the Permission Policies attached to the role.
~]$ aws iam list-attached-role-policies --role-name my-role
{
"AttachedPolicies": [
{
"PolicyName": "ReadOnlyAccess",
"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
]
}
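Because list-roles shows the Trust Relationship but not the permission policies, a common review task is to scan the AssumeRolePolicyDocument of every role for principals that are broader than intended (a wildcard principal, or a principal in another account). The following script is an added example, not code from the original article or from AWS; it reads the JSON that `aws iam list-roles` prints (for example via `aws iam list-roles | python3 audit_trust.py`) and reports roles whose trust policy deserves a closer look. The embedded sample input is constructed: the first role is the one shown above, the other two roles, their names and the account id 999999999999 are made up to exercise the checks.

```python
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample in the shape `aws iam list-roles` prints. The first role is
# the one from the article's output; the other two are invented for this example.
SAMPLE_LIST_ROLES = json.dumps({
    "Roles": [
        {
            "RoleName": "AWS-QuickSetup-StackSet-Local-AdministrationRole",
            "Arn": "arn:aws:iam::123456789012:role/AWS-QuickSetup-StackSet-Local-AdministrationRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {"Effect": "Allow",
                     "Principal": {"Service": "cloudformation.amazonaws.com"},
                     "Action": "sts:AssumeRole"}
                ]
            },
        },
        {   # invented: trusts another account, but only with an ExternalId condition
            "RoleName": "vendor-access-role",
            "Arn": "arn:aws:iam::123456789012:role/vendor-access-role",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {"Effect": "Allow",
                     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                     "Action": "sts:AssumeRole",
                     "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}}
                ]
            },
        },
        {   # invented: wildcard principal, anyone may call sts:AssumeRole
            "RoleName": "wide-open-role",
            "Arn": "arn:aws:iam::123456789012:role/wide-open-role",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}
                ]
            },
        },
    ]
})


def _as_list(value):
    """IAM allows a single string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_principals(doc: dict) -> List[Tuple[str, bool]]:
    """Flatten the Allow statements of a trust policy into (principal, has_condition) pairs.

    Principals are rendered as "AWS:<arn>", "Service:<name>", "Federated:<id>" or "*".
    """
    found = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        has_condition = "Condition" in stmt
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append(("*", has_condition))
            continue
        for kind, values in principal.items():
            for v in _as_list(values):
                found.append((f"{kind}:{v}", has_condition))
    return found


def account_of(arn: str) -> str:
    """Return the account id field of an IAM ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def audit_trust_policies(list_roles_json: str) -> Dict[str, List[str]]:
    """Return {role_name: [findings]} for roles whose trust policy needs review."""
    findings: Dict[str, List[str]] = {}
    for role in json.loads(list_roles_json)["Roles"]:
        own_account = account_of(role["Arn"])
        issues = []
        for principal, has_condition in trusted_principals(role["AssumeRolePolicyDocument"]):
            if principal in ("*", "AWS:*"):
                issues.append("anyone can assume this role (Principal is *)")
            elif principal.startswith("AWS:arn:aws:iam::"):
                arn = principal[len("AWS:"):]
                if account_of(arn) != own_account:
                    suffix = " (ExternalId/other condition present)" if has_condition else " (no condition)"
                    issues.append(f"cross-account trust: {arn}{suffix}")
        if issues:
            findings[role["RoleName"]] = issues
    return findings


if __name__ == "__main__":
    # Use real CLI output when piped in, otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_ROLES
    for name, issues in audit_trust_policies(data).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Service principals such as cloudformation.amazonaws.com are left alone, so the role from the article produces no finding; the report lists only the two invented roles. A cross-account trust is not wrong in itself, which is why the finding records whether a Condition (such as sts:ExternalId) limits it rather than treating every such statement as a defect.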