Check Current IAM Identity and its Permissions
In this guide, we lay out the steps needed, using the AWS SDK for JavaScript (v3) and TypeScript, to retrieve the currently assumed Identity and Access Management (IAM) role and the permissions granted to it.
The Code
Below is the TypeScript code that achieves the task:
import { STSClient, GetCallerIdentityCommand } from '@aws-sdk/client-sts';
import { IAMClient, ListRolePoliciesCommand, GetRolePolicyCommand } from '@aws-sdk/client-iam';

(async () => {
  try {
    // Who is calling? The SDK types Arn as optional, so default it.
    const stsClient = new STSClient({});
    const identity = await stsClient.send(new GetCallerIdentityCommand({}));
    const arn = identity.Arn ?? '';

    // A role session ARN has the form arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>.
    // The role name is the segment after "assumed-role/"; the last segment is the session name.
    const match = arn.match(/:assumed-role\/([^/]+)\//);
    if (!match) {
      throw new Error(`Caller is not an assumed role: ${arn}`);
    }
    const roleName = match[1];

    // GetRolePolicy requires both RoleName and PolicyName and returns inline policies only,
    // so list the inline policy names first and then fetch each document.
    const iamClient = new IAMClient({});
    const { PolicyNames = [] } = await iamClient.send(new ListRolePoliciesCommand({ RoleName: roleName }));
    for (const policyName of PolicyNames) {
      const policy = await iamClient.send(new GetRolePolicyCommand({ RoleName: roleName, PolicyName: policyName }));
      // PolicyDocument is returned URL-encoded; decode it before parsing.
      const document = JSON.parse(decodeURIComponent(policy.PolicyDocument ?? '{}'));
      console.log(policyName, JSON.stringify(document, null, 2));
    }
  } catch (e) {
    console.error(e);
  }
})();
Detailed Code Explanation
Here's the step-by-step explanation of what our script does:
- Import the STS and IAM clients and the commands the script sends.
- Instantiate STSClient and call GetCallerIdentity to learn which principal the current credentials belong to.
- Extract the role name from the ARN (Amazon Resource Name). For a role session the ARN has the form arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>, so the role name is the segment after assumed-role/, not the last segment (that is the session name).
- Instantiate IAMClient and fetch the role's inline policies. GetRolePolicy needs both the role name and a policy name, so the names come from ListRolePolicies first.
- Decode and log each policy document (the API returns it URL-encoded).
Expected Output
For each inline policy the script prints the policy name followed by the decoded policy document. The API returns PolicyDocument as a URL-encoded JSON string; once decoded it looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "service:action",
      "Resource": "resource"
    }
  ]
}
A policy document is a set of statements that define which actions the principal it is attached to (here, the role) may or may not perform, on which AWS resources, and optionally under which conditions.
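To make the ARN-parsing step and the decoding of the returned policy document concrete, here is an added example (not part of the original guide) in TypeScript that makes no AWS calls and runs offline: parseCallerArn splits a GetCallerIdentity Arn into its principal parts, handling the assumed-role/<RoleName>/<SessionName> layout of role sessions as well as user, federated-user and root ARNs, and decodePolicyDocument plus findBroadAllows decode a URL-encoded PolicyDocument and flag Allow statements with wildcard scope. The sample policy and the ARNs used (account 123456789012, role DeployRole, session i-0abc123) are constructed for the example.

```typescript
// Added example, not part of the original guide. Pure helpers for two steps the
// script performs, with no AWS calls: ARN parsing and policy-document decoding.

interface CallerPrincipal {
  account: string;
  kind: 'assumed-role' | 'user' | 'root' | 'federated-user' | 'unknown';
  name: string;      // role or user name; '' for root
  session?: string;  // session name for assumed-role
}

// Split the Arn returned by sts:GetCallerIdentity into principal parts.
// Layout: arn:partition:service:region:account:resource
function parseCallerArn(arn: string): CallerPrincipal {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error(`not an ARN: ${arn}`);
  }
  const account = parts[4] ?? '';
  const resource = parts.slice(5).join(':');
  const [type, ...rest] = resource.split('/');
  switch (type) {
    case 'assumed-role':
      // assumed-role/<RoleName>/<SessionName>: the role path is dropped in this form,
      // and the LAST segment is the session name, not the role name.
      return { account, kind: 'assumed-role', name: rest[0] ?? '', session: rest[1] };
    case 'user':
      // user/<path...>/<UserName>: the user name is the last segment.
      return { account, kind: 'user', name: rest[rest.length - 1] ?? '' };
    case 'federated-user':
      return { account, kind: 'federated-user', name: rest[0] ?? '' };
    case 'root':
      return { account, kind: 'root', name: '' };
    default:
      return { account, kind: 'unknown', name: resource };
  }
}

interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action?: string | string[];
  NotAction?: string | string[];
  Resource?: string | string[];
  NotResource?: string | string[];
  Condition?: Record<string, unknown>;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement | Statement[];
}

// iam:GetRolePolicy returns PolicyDocument as URL-encoded (RFC 3986) JSON.
function decodePolicyDocument(encoded: string): PolicyDocument {
  return JSON.parse(decodeURIComponent(encoded)) as PolicyDocument;
}

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Report Allow statements whose scope is effectively unbounded: a wildcard action
// ('*' or 'service:*'), a wildcard resource, or NotAction/NotResource (which allow
// everything except the listed items).
function findBroadAllows(doc: PolicyDocument): string[] {
  const stmts = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  const findings: string[] = [];
  stmts.forEach((s, i) => {
    if (s.Effect !== 'Allow') return;
    const label = s.Sid ?? `statement ${i}`;
    const actions = asList(s.Action);
    const resources = asList(s.Resource);
    if (s.NotAction !== undefined || s.NotResource !== undefined) {
      findings.push(`${label}: Allow uses NotAction/NotResource (inverted scope)`);
    }
    if (actions.some((a) => a === '*' || a.endsWith(':*')) || resources.includes('*')) {
      findings.push(`${label}: Allow ${actions.join(',') || '(none)'} on ${resources.join(',') || '(none)'}`);
    }
  });
  return findings;
}

// Constructed sample: what GetRolePolicy would return for an inline policy with one
// tightly scoped statement and one wildcard statement.
const SAMPLE_POLICY_DOCUMENT = encodeURIComponent(JSON.stringify({
  Version: '2012-10-17',
  Statement: [
    { Sid: 'ReadBucket', Effect: 'Allow', Action: ['s3:GetObject'], Resource: 'arn:aws:s3:::example-bucket/*' },
    { Sid: 'Admin', Effect: 'Allow', Action: '*', Resource: '*' },
  ],
}));

const whoami = parseCallerArn('arn:aws:sts::123456789012:assumed-role/DeployRole/i-0abc123');
console.log(whoami); // { account: '123456789012', kind: 'assumed-role', name: 'DeployRole', session: 'i-0abc123' }
console.log(findBroadAllows(decodePolicyDocument(SAMPLE_POLICY_DOCUMENT))); // [ 'Admin: Allow * on *' ]
```

The parser throws on anything that is not an ARN rather than returning a guess, because a wrong role name would silently make the later IAM calls query the wrong principal; the wildcard check is a first-pass triage of a decoded document, not an evaluation of effective permissions, which also depend on managed policies, boundaries, SCPs and resource policies.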
Considerations & Caveats
This script fetches the permissions of the assumed IAM role only, and only that role's inline policies: GetRolePolicy does not return managed policies attached with AttachRolePolicy, which need ListAttachedRolePolicies followed by GetPolicy and GetPolicyVersion. The IAM identity needs access to the "iam:ListRolePolicies" and "iam:GetRolePolicy" API operations; "sts:GetCallerIdentity" requires no permission and cannot be denied by an identity-based policy. Permissions boundaries, session policies, service control policies (SCPs) and resource-based policies also shape what the role can actually do and are not covered by this script, so the output is the role's inline grants, not its effective access.
Required IAM Permissions and Example Policy
The IAM identity running the script must have permissions for the iam:ListRolePolicies and iam:GetRolePolicy actions (sts:GetCallerIdentity needs none). The ReadOnlyAccess managed policy or a custom policy with the following permission block will suffice; if the script only ever inspects its own role, tighten "Resource" from "*" to that role's ARN (arn:aws:iam::<account-id>:role/<RoleName>):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["iam:ListRolePolicies", "iam:GetRolePolicy"],
      "Resource": "*"
    }
  ]
}
FAQ
Q: Does this script retrieve permissions for all users in the account? A: No, it only fetches the inline policies of the role the current credentials have assumed.
Q: What kind of permissions does the IAM identity need to run this script? A: The identity requires permission for the 'iam:ListRolePolicies' and 'iam:GetRolePolicy' actions; 'sts:GetCallerIdentity' requires no permission.
Q: Will this script handle managed policies, service control policies and resource-based policies? A: No. Attached managed policies need ListAttachedRolePolicies, GetPolicy and GetPolicyVersion, and SCPs, permissions boundaries, session policies and resource-based policies are not covered, so the output is not the role's effective permissions.
Q: What will happen if the IAM identity does not have the required permissions? A: The SDK call rejects with an AccessDenied error whose message names the calling principal and the denied action, which is enough to diagnose the missing grant.