7

I would like to be able to query the AWS SDK to check what the IAM role of the current credentials is. I want to check if I am running using a particular role, and if not, then try to assume that role.

Is it possible to do this? I am using the AWS SDK for JavaScript for node.js. In the AWS.config.credentials, I have access to my keys, but not to which role they belong.

chazRock3K
  • Is this for a set of user keys that has already assumed another Role, or for an ec2 instance that has a instance profile role? –  Apr 26 '15 at 05:05
  • Both. If the credentials are from my EC2 role, I would like to know the ARN of that role. If the credentials are from a set of user keys in my ~/.aws/credentials, I would like to know the ARN of that user. – chazRock3K Apr 27 '15 at 06:19

4 Answers

4

I think the method you want is GetCallerIdentity on the STS (Security Token Service) API:

This returns either nice user info (if no role in effect):

{
  Account: "123456789012", 
  Arn: "arn:aws:iam::123456789012:user/Alice", 
  UserId: "AKIAI44QH8DHBEXAMPLE"
}

or info on the temporary session/user and role (if a role is in effect):

{
  Account: "123456789012", 
  Arn: "arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name", 
  UserId: "AKIAI44QH8DHBEXAMPLE:my-role-session-name"
}

As noted, IAM().GetUser() (to return info on the current user) only works in the first instance, if no role is assumed. It fails if there is a role, so code defensively, but it's worth considering, as when no role is in effect it returns a nicely formatted object (though you could just regex-parse the arn:aws:iam::(.*):user/(.*) ARN from the GetCallerIdentity):

{
  User: {
    Arn: "arn:aws:iam::123456789012:user/Bob", 
    CreateDate: <Date Representation>, 
    Path: "/", 
    UserId: "AKIAIOSFODNN7EXAMPLE", 
    UserName: "Bob"
  }
}

I suspect GetUser fails when a role is used because, from what I can tell, you are allocated a temporary user, and I could see it being problematic to revert that role-assumption on the server, which would be necessary in order to make GetUser work in that case. And in some cases (instance profiles?) I think there isn't any real user account to revert back to.

Partly Cloudy
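The check the question asks for, built on the GetCallerIdentity response shapes shown in this answer, as an added example that is not part of any answer here: parse the caller ARN (IAM user, STS assumed-role session, or account root), compare it against the role you want, and call AssumeRole only when the current credentials are not already that role. The `sts` argument is assumed to be any object with callback-style `getCallerIdentity(params, cb)` and `assumeRole(params, cb)` methods, which is the shape of `new AWS.STS()` in aws-sdk v2; the `fakeSts` stub below is constructed so the file runs offline, and the ARNs and account number are the placeholder values from the answer.

```javascript
// Parse the ARN returned by STS GetCallerIdentity. Three shapes occur:
//   arn:aws:iam::123456789012:user/Alice              (long-lived user keys)
//   arn:aws:sts::123456789012:assumed-role/ROLE/SESSION (temporary role creds,
//                                                       incl. EC2 instance profiles)
//   arn:aws:iam::123456789012:root                    (account root keys)
function parseCallerArn(arn) {
  const parts = arn.split(':');
  if (parts.length !== 6 || parts[0] !== 'arn') {
    throw new Error('not an ARN: ' + arn);
  }
  const [, partition, service, , account, resource] = parts; // index 3 is the (empty) region
  const segs = resource.split('/');
  if (service === 'sts' && segs[0] === 'assumed-role') {
    return { kind: 'assumed-role', partition, account, roleName: segs[1], sessionName: segs[2] };
  }
  if (service === 'iam' && segs[0] === 'user') {
    // user ARNs may carry a path (user/division_abc/Bob); the name is the last segment
    return { kind: 'user', partition, account, userName: segs[segs.length - 1] };
  }
  if (service === 'iam' && resource === 'root') {
    return { kind: 'root', partition, account };
  }
  return { kind: 'other', partition, account, resource };
}

// Does the caller already hold the target role? An assumed-role session ARN
// carries the role *name* but not its IAM path, so compare account + name
// rather than rebuilding the role ARN string and comparing it whole.
function hasRole(identity, targetRoleArn) {
  const target = targetRoleArn.split(':'); // arn:aws:iam::ACCOUNT:role[/path]/NAME
  if (target.length !== 6 || !target[5].startsWith('role/')) {
    throw new Error('not a role ARN: ' + targetRoleArn);
  }
  const targetName = target[5].split('/').pop();
  return identity.kind === 'assumed-role' &&
    identity.account === target[4] &&
    identity.roleName === targetName;
}

// Ask STS who we are; if the caller is not already the wanted role, call
// AssumeRole and resolve with the temporary credentials. Resolves with
// { assumed, identity, credentials }; credentials is null when no assume was needed.
function ensureRole(sts, targetRoleArn, sessionName) {
  return new Promise((resolve, reject) => {
    sts.getCallerIdentity({}, (err, data) => {
      if (err) return reject(err);
      const identity = parseCallerArn(data.Arn);
      if (hasRole(identity, targetRoleArn)) {
        return resolve({ assumed: false, identity, credentials: null });
      }
      const params = { RoleArn: targetRoleArn, RoleSessionName: sessionName };
      sts.assumeRole(params, (err2, out) => {
        if (err2) return reject(err2);
        resolve({ assumed: true, identity, credentials: out.Credentials });
      });
    });
  });
}

// Constructed stub standing in for new AWS.STS(); responses mirror the shapes
// quoted in the answer above. Not real credentials.
function fakeSts(callerArn) {
  return {
    getCallerIdentity(params, cb) {
      cb(null, { Account: '123456789012', Arn: callerArn, UserId: 'AKIAI44QH8DHBEXAMPLE' });
    },
    assumeRole(params, cb) {
      cb(null, { Credentials: { AccessKeyId: 'ASIA-EXAMPLE', SecretAccessKey: 'example', SessionToken: 'example' } });
    },
  };
}

// Usage with the stub (swap fakeSts(...) for new AWS.STS() against a real account):
const wantedRole = 'arn:aws:iam::123456789012:role/my-role-name';
ensureRole(fakeSts('arn:aws:iam::123456789012:user/Alice'), wantedRole, 'my-role-session-name')
  .then((r) => console.log(r.identity.kind, 'assumed:', r.assumed));
```

Two points worth keeping in mind when using this for real: GetCallerIdentity needs no IAM permission and never fails for valid credentials, so it is the safe probe to run before anything else, whereas GetUser fails outright under role credentials. And the returned `Credentials` from AssumeRole are what you then pass into a new `AWS.Credentials`/client; the global `AWS.config.credentials` is not changed for you.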
2

To get the username of a user based on a set of keys you can use:

var iam = new AWS.IAM(); // getUser is asynchronous: the result arrives in the callback, not as a return value
iam.getUser({}, function (err, data) { if (!err) console.log(data.User.UserName); });

The API docs give the full details.

To get the role arn of an instance you'd probably have to use the instance metadata API endpoint as there is no method available in the SDK.

This answer and this one give details on different ways to query instance metadata.

Community
  • Thanks. The IAM.getUser() method works great if you're credentialled as a user. Calling ec2-metadata, however, doesn't return any information about which profile is set for that instance. Even if it did, it could be misleading because the credentials might be overridden elsewhere. – chazRock3K Apr 28 '15 at 15:25
0

Using just the AWS CLI:

aws sts get-caller-identity

The AWS Security Token Service (STS) returns something like:

{
    "UserId": "ABBBCCC123123DDDDEEEE",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/bob"
}

(the username is within the Arn value, after the last :)

Filippo Vitale
0

I will provide an example of how to do it in the AWS CLI, and you can convert it into NodeJS code:

aws sts get-caller-identity

Get the ARN from the response and take the user name from there (everything that comes after user/):

aws iam list-groups-for-user --user-name UserNameFromPreviousResponse

Then for each group you can dive in to the policies that are builtin or attached to that group:

aws iam list-group-policies --group-name GroupName
aws iam list-attached-group-policies --group-name GroupName

From here you can dive into the policies to get their ARNs if needed, but I believe at this level it should already satisfy your needs.

Sergey Kuznetsov