Given an AWS Access / Secret Key Pair, how do I retrieve its IAM permissions?

Submitted by 試著忘記壹切 on 2020-01-03 13:03:27

Question


Given the input of just an AWS Access Key and an AWS Secret Key, how can I use the AWS SDK to look up what kind of permissions the account has?

I want to do XYZ for a customer, so the customer needs to give the access key and secret key to me to perform XYZ programmatically. However, before trying to do any of those actions, I'd like to verify that the credentials they gave me have access to certain privileges, such as being able to create S3 objects or being able to launch an EC2 instance.

That way, I can validate whether the access key and secret key have permission to do something before I do it on their behalf.


Answer 1:


You can use the SimulatePrincipalPolicy API to simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.

The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to.

You'll need to provide the "SimulatePrincipalPolicy" API with that user's ARN as the PolicySourceArn input parameter (no need to use the optional CallerArn input parameter). If you have the access key ID and secret access key, you can retrieve the user's ARN by calling the GetUser API using that user credentials, i.e., without specifying the UserName input parameter. If no user name is included, the GetUser API defaults to the user making the request.
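One way to wire the two calls together, as an added example that is not code from the answer above: GetUser with no UserName yields the ARN of the key's owner, SimulatePrincipalPolicy returns a per-action decision, and the Marker loop is needed because the results are paginated. Assumes boto3 (the IAM client is passed in so the logic can be exercised with a stub); the credentials themselves need iam:GetUser and iam:SimulatePrincipalPolicy, and GetUser without UserName only works for IAM user credentials, not role sessions.

```python
"""Check which actions an access-key pair is allowed, via GetUser + SimulatePrincipalPolicy."""
try:
    import boto3  # only needed for the real AWS call, not for the checking logic
except ImportError:  # keeps the module importable where the SDK is not installed
    boto3 = None


def caller_user_arn(iam):
    """GetUser without UserName returns the IAM user that owns the calling credentials.

    For role / temporary credentials this call raises an error; in that case
    sts:GetCallerIdentity is the way to learn the caller's ARN instead.
    """
    return iam.get_user()["User"]["Arn"]


def simulate_actions(iam, principal_arn, actions, resources=("*",)):
    """Return {action: decision}; decision is 'allowed', 'explicitDeny' or 'implicitDeny'.

    SimulatePrincipalPolicy paginates with IsTruncated/Marker, so a long action
    list is only complete once every page has been consumed.
    """
    decisions = {}
    kwargs = {
        "PolicySourceArn": principal_arn,
        "ActionNames": list(actions),
        "ResourceArns": list(resources),
    }
    while True:
        page = iam.simulate_principal_policy(**kwargs)
        for result in page["EvaluationResults"]:
            decisions[result["EvalActionName"]] = result["EvalDecision"]
        if not page.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = page["Marker"]


def missing_permissions(iam, required_actions):
    """Actions the calling user is NOT allowed to perform, in the order requested."""
    arn = caller_user_arn(iam)
    decisions = simulate_actions(iam, arn, required_actions)
    return [a for a in required_actions if decisions.get(a) != "allowed"]


if __name__ == "__main__":
    # Real run: the customer's key pair comes from the usual credential chain
    # (environment variables or a named profile), never hard-coded here.
    client = boto3.client("iam")
    needed = ["s3:PutObject", "ec2:RunInstances"]  # the actions XYZ requires
    print("not allowed:", missing_permissions(client, needed))
```

A decision of implicitDeny simply means no policy grants the action, while explicitDeny means a Deny statement matched; both mean the call on the customer's behalf would fail.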




Answer 2:


I would suggest using the AWS CLI for the purpose and making use of the --dry-run flag for the CLI commands. I am unsure of how many AWS CLI operations support the --dry-run operation, not to mention the Tag level / Resource level restrictions.

The --dry-run flag would try to check if you have permission to run the API or not without actually performing the request.

I also see the difficulty of testing (regression) as AWS has 60+ services and EC2 alone has 227 API commands [as of today]. Perhaps this might be the place where you would use your sed, awk, grep to build a shell script [and publish it on GITHUB].

SDKs do support this as well; it might be easier than the CLI approach.



Source: https://stackoverflow.com/questions/42401632/given-an-aws-access-secret-key-pair-how-do-i-retrieve-its-iam-permissions
