Based on the work in https://github.com/iann0036/iamlive, using the data in map.json from https://github.com/iann0036/sdk-iam-map.
I wanted to be able to use this same type of functionality without requiring yet another tool. As I already have jq included in all of my tooling, I chose to use it for simplicity, although the language itself is not always so simple to grok.
This script lets you execute your commands as arguments to the script. Because it works by setting environment variables, it can gain insight into any process built with the AWS SDKs, which includes the AWS CLI (v1 and v2) and Terraform.
An unauthenticated call to get-caller-identity (here the request itself fails with an expired token) still yields the policy for the call that was attempted:
$ map-iam.sh aws sts get-caller-identity
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
Similarly, an authenticated call will then show:
$ PAGER=cat map-iam.sh aws sts get-caller-identity
{
    "UserId": "AIDASAMPLEUSERID:arledesma",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_b69091cd2e3a57cc/arledesma"
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
Describing the regions in EC2, filtered to endpoints containing the string us:
$ PAGER=cat map-iam.sh aws ec2 describe-regions --filters "Name=endpoint,Values=*us*"
{
    "Regions": [
        {
            "Endpoint": "ec2.us-east-1.amazonaws.com",
            "RegionName": "us-east-1",
            "OptInStatus": "opt-in-not-required"
        },
        {
            "Endpoint": "ec2.us-east-2.amazonaws.com",
            "RegionName": "us-east-2",
            "OptInStatus": "opt-in-not-required"
        },
        {
            "Endpoint": "ec2.us-west-1.amazonaws.com",
            "RegionName": "us-west-1",
            "OptInStatus": "opt-in-not-required"
        },
        {
            "Endpoint": "ec2.us-west-2.amazonaws.com",
            "RegionName": "us-west-2",
            "OptInStatus": "opt-in-not-required"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}
An organization CloudTrail trail whose S3 bucket and KMS key live in a separate account:
$ PAGER=cat map-iam.sh aws cloudtrail describe-trails --include-shadow-trails
{
    "trailList": [
        {
            "Name": "company-organization-trail",
            "S3BucketName": "cloudtrail-123456789013-company-organization-trail-00001",
            "IncludeGlobalServiceEvents": true,
            "IsMultiRegionTrail": true,
            "HomeRegion": "us-west-2",
            "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/company-organization-trail",
            "LogFileValidationEnabled": true,
            "KmsKeyId": "arn:aws:kms:us-west-2:123456789013:key/00000000-dead-beef-cafe-000000000001",
            "HasCustomEventSelectors": true,
            "HasInsightSelectors": false,
            "IsOrganizationTrail": true
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "*"
        }
    ]
}
Some calls will fail because the IAM map is not yet complete. Failures show up as either a service name of null in the generated action or possibly an incorrect service name.
An example of a failure can be seen with the stepfunctions service:
$ PAGER=cat map-iam.sh aws stepfunctions list-activities
{
    "activities": []
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "null.listactivities"
            ],
            "Resource": "*"
        }
    ]
}
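The lookup the script performs with jq, written out in Python as an added example (it is not the page's map-iam.sh and not code from iann0036's projects), covering both the normal case shown in the earlier runs and the unmapped-service failure just shown. It assumes map.json keys its method mappings as Service.Operation under a top-level sdk_method_iam_mappings object; MINI_MAP and OBSERVED_CALLS are constructed stand-ins for the real file and for the calls a command made.

```python
import json
import re

# Constructed excerpt in the shape assumed for map.json: a top-level
# "sdk_method_iam_mappings" object keyed "Service.Operation" (the SDK's own
# names) whose values list the IAM actions that call needs. Not the real file.
MINI_MAP = {
    "sdk_method_iam_mappings": {
        "STS.GetCallerIdentity": [{"action": "sts:GetCallerIdentity"}],
        "EC2.DescribeRegions": [{"action": "ec2:DescribeRegions"}],
        "CloudTrail.DescribeTrails": [{"action": "cloudtrail:DescribeTrails"}],
        # No entry for SFN.ListActivities: this is the kind of gap that
        # produces the "null.listactivities" action in the stepfunctions run.
    }
}

# Constructed (Service, Api) pairs standing in for the calls a command made.
OBSERVED_CALLS = [
    ("STS", "GetCallerIdentity"),
    ("EC2", "DescribeRegions"),
    ("EC2", "DescribeRegions"),   # repeated call: must not duplicate the action
    ("CloudTrail", "DescribeTrails"),
    ("SFN", "ListActivities"),    # Step Functions: absent from MINI_MAP
]

# IAM action syntax: lowercase service prefix, a colon, then the operation name.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9]+$")


def is_valid_action(action):
    """True only for a well-formed IAM action; rejects 'null.listactivities'."""
    return isinstance(action, str) and ACTION_RE.match(action) is not None


def map_call(iam_map, service, api):
    """Return the sorted IAM actions for one SDK call, or None when the map
    has no usable entry (missing key, or an entry whose action is malformed)."""
    entries = iam_map.get("sdk_method_iam_mappings", {}).get(f"{service}.{api}")
    if not entries:
        return None
    actions = {e.get("action") for e in entries}
    if not all(is_valid_action(a) for a in actions):
        return None
    return sorted(actions)


def build_policy(iam_map, calls):
    """Fold observed calls into one Allow statement; return (policy, unmapped).
    Resource "*" mirrors what the script emits and is the part to narrow by hand."""
    actions = set()
    unmapped = []
    for service, api in calls:
        mapped = map_call(iam_map, service, api)
        if mapped is None:
            unmapped.append(f"{service}.{api}")
        else:
            actions.update(mapped)
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}
        ],
    }
    return policy, unmapped


if __name__ == "__main__":
    policy, unmapped = build_policy(MINI_MAP, OBSERVED_CALLS)
    print(json.dumps(policy, indent=4))
    for call in unmapped:
        # Surface map gaps explicitly instead of emitting an invalid action.
        print(f"WARNING: no IAM mapping for {call}; add it by hand or update map.json")
```

Running it prints the same policy shape the script produces for the three mapped calls, plus a warning for SFN.ListActivities instead of an action of null.listactivities. IAM would reject a policy containing such an action anyway, so failing loudly at generation time is the cheaper place to catch a gap in the map.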
The map.json is only downloaded once by this script. As it is updated upstream, it may be a good idea to simply remove the file iann0036-sdk-iam-map.json from your TMPDIR (probably /tmp) and let the script download a new one, i.e. rm -f /tmp/iann0036-sdk-iam-map.json
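Instead of deleting the cached file by hand, a helper like the following (an added example, not part of map-iam.sh) refreshes the cache only when it is missing or older than a chosen number of days, and never leaves a half-downloaded file in place. The raw-file URL and the seven-day default are assumptions; the cache path follows the file name given above.

```bash
#!/usr/bin/env bash
# Added example: keep the cached sdk-iam-map map.json fresh without manual rm -f.
# MAP_URL is an assumed location of the raw file; adjust if the repository layout differs.
MAP_URL="${MAP_URL:-https://raw.githubusercontent.com/iann0036/sdk-iam-map/main/map.json}"
MAP_CACHE="${TMPDIR:-/tmp}/iann0036-sdk-iam-map.json"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"

# map_cache_is_stale FILE DAYS: succeeds when FILE is missing or older than DAYS days.
map_cache_is_stale() {
  local file="$1" days="$2"
  [ -f "$file" ] || return 0
  # find prints the path only when its modification time is more than DAYS days ago
  [ -n "$(find "$file" -mtime +"$days" -print 2>/dev/null)" ]
}

# refresh_map FILE URL DAYS: download into a temp file, check that it parses as a
# JSON object, then move it into place atomically so a failed or truncated download
# can never replace a good cache.
refresh_map() {
  local file="$1" url="$2" days="$3" tmp
  map_cache_is_stale "$file" "$days" || return 0
  tmp="$(mktemp "${file}.XXXXXX")" || return 1
  if curl -fsSL "$url" -o "$tmp" && jq -e 'type == "object"' "$tmp" >/dev/null 2>&1; then
    mv -f "$tmp" "$file"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage (before invoking the rest of the script):
#   refresh_map "$MAP_CACHE" "$MAP_URL" "$MAX_AGE_DAYS" || echo "map refresh failed, using cached copy if any" >&2
```

The jq check is the important part: a 404 page or an interrupted transfer would otherwise be accepted as the map and every subsequent lookup would silently return null, which is exactly the failure mode shown for stepfunctions above.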