This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
Let's say you have a user that has not been granted permission to do something, such as using the aws s3api list-buckets command to return the list of S3 Buckets that have been created. Perhaps Access Denied is returned.
~]$ aws s3api list-buckets --profile johndoe
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
The aws iam list-attached-user-policies command can be used to list the Permission Policies attached to a user. Check out my article Permission Policy vs Trust Policy. Perhaps john.doe does not have any Permission Policies attached yet.
~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": []
}
Or john.doe does not have a Permission Policy attached that allows the ListBuckets operation (the s3:ListAllMyBuckets IAM action).
~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": [
        {
            "PolicyName": "ElasticLoadBalancingFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess"
        },
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    ]
}
One option would be to use the aws iam attach-user-policy command to attach a policy directly to john.doe.
aws iam attach-user-policy --user-name john.doe --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
Or, perhaps it makes sense to use the aws iam create-role command to create a role.
aws iam create-role --role-name my-role --assume-role-policy-document file://my.json
And then use the aws iam attach-role-policy command to attach a policy to the role.
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name my-role
And then update your ~/.aws/config file with a profile that contains the Amazon Resource Name (ARN) of my-role. This assumes that a profile named "staging" already exists in ~/.aws/credentials and is used as the source credentials for assuming the role.
[profile assume_my_role]
role_arn = arn:aws:iam::123456789012:role/my-role
source_profile = staging
region = us-east-1
output = json
Now, john.doe should be able to use the aws s3api list-buckets command with --profile assume_my_role instead of --profile johndoe so that john.doe switches to my-role, which has the ReadOnlyAccess policy.
~]$ aws s3api list-buckets --profile assume_my_role
{
    "Buckets": [
        {
            "Name": "my-bucket-abcdefg",
            "CreationDate": "2023-06-02T02:22:19+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "jane.doe",
        "ID": "ab0e0123456789103a77c82240d5c1234567891cc325c65b5c77712345643743"
    }
}
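The two pieces the article leaves implicit are the contents of my.json (the trust policy that decides who may assume my-role) and the reason an attached policy does or does not cover aws s3api list-buckets. The following Python is an added example, not code from the article: it builds a trust policy whose Principal is limited to the one IAM user rather than the whole account, and it walks a list of permission policy documents the way IAM does (explicit Deny wins, then Allow, otherwise implicit deny) to decide whether the s3:ListAllMyBuckets action is granted. The account id, user name and the simplified policy documents are constructed stand-ins, not the real AWS managed policies; Resource, Condition and NotAction are not modelled.

```python
import json
import re

# Added example, not from the original article.  The account id, user name and
# the simplified policy documents below are constructed for illustration.


def trust_policy(account_id: str, user_name: str) -> dict:
    """Build the assume-role (trust) policy document passed to
    `aws iam create-role --assume-role-policy-document file://my.json`.
    Only the named IAM user is allowed to call sts:AssumeRole on the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trust_policy_json(account_id: str, user_name: str) -> str:
    """Serialise the trust policy so it can be written out as my.json."""
    return json.dumps(trust_policy(account_id, user_name), indent=2)


def action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _actions(stmt: dict) -> list:
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def is_allowed(policies: list, action: str) -> bool:
    """Simplified identity-policy evaluation for a single action.

    Mirrors the IAM decision order: an explicit Deny anywhere wins, otherwise
    an Allow is needed, otherwise the request is implicitly denied.  Resource,
    Condition and NotAction elements are not modelled here."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if not any(action_matches(p, action) for p in _actions(stmt)):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # explicit deny beats any allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


# Constructed stand-ins for the managed policies named in the article; they are
# NOT the real AWS documents, just enough to show the evaluation.
ELB_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"}],
}
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}
DENY_BUCKET_LISTING = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}

# The `aws s3api list-buckets` call needs the s3:ListAllMyBuckets action.
LIST_BUCKETS_ACTION = "s3:ListAllMyBuckets"


if __name__ == "__main__":
    print(trust_policy_json("123456789012", "john.doe"))
    for label, attached in [
        ("ELB only", [ELB_FULL_ACCESS]),
        ("ELB + S3 read-only", [ELB_FULL_ACCESS, S3_READ_ONLY]),
        ("S3 read-only + explicit deny", [S3_READ_ONLY, DENY_BUCKET_LISTING]),
    ]:
        print(f"{label}: {LIST_BUCKETS_ACTION} allowed = {is_allowed(attached, LIST_BUCKETS_ACTION)}")
```

Running the script prints the trust policy you would save as my.json before aws iam create-role, then shows that a user holding only an Elastic Load Balancing policy is implicitly denied bucket listing, that adding an S3 read policy grants it, and that an explicit Deny overrides the grant. The Principal in the trust policy is the single user ARN on purpose: a role trusted by the account root ARN can be assumed by any principal in that account with sts:AssumeRole, which is more than this setup needs.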