AWS IAM - How to show describe policy statements using the CLI?
How can I use the AWS CLI to show an IAM policy's full body including the Effect, Action and Resource statements?

"aws iam list-policies" command lists all the policies but not the actual JSON E,A,R statements contained within the policy.

I could use the "aws iam get-policy-version" command but this does not show the policy name in its output. When I am running this command via a script to obtain information for dozens of policies, there is no way to know which policy the output will belong to.

Is there another way of doing this?

Graiggrail answered 24/5, 2020 at 12:54 Comment(1)
Can you expand the description of the desired output? - Pouched
9

The only way to do this, as you've said, is the following:

  • Get all IAM Policies via the list-policies verb.
  • Loop over the output, taking the "PolicyId" and "DefaultVersionId".
  • Pass these into the get-policy-version verb.
  • Map the PolicyName from the iteration to the PolicyVersion.Document value in the second request.
Preconcert answered 24/5, 2020 at 13:9 Comment(0)
5

As mokugo-devops said in his answer, and you stated in your question, you could only use "get-policy-version" to get the proper JSON. Here is how I would do it:

# List every policy as [Arn, PolicyName, DefaultVersionId]; quoting the --query
# expression keeps the shell from treating the brackets as a glob pattern.
RAW_POLICIES=$(aws iam list-policies --query 'Policies[].[Arn,PolicyName,DefaultVersionId]')
# Drop all whitespace, then break the JSON list into one "[...]" entry per line.
POLICIES=$(echo $RAW_POLICIES | tr -d " " | sed 's/\],/\]\n/g')
for POLICY in $POLICIES
do
    echo $POLICY | cut -d '"' -f 4      # field 4 is the policy name
    echo -e "---------------\n"
    # field 6 is the default version id, field 2 the policy ARN
    aws iam get-policy-version --version-id $(echo $POLICY | cut -d '"' -f 6) --policy-arn $(echo $POLICY | cut -d '"' -f 2)
    echo -e "\n-----------------\n"
done

Now a bit of explanation about the script: RAW_POLICIES will get you a giant list of arrays that would each contain the name of the policy as requested and the Policy ARN, and Default Version ID as needed. It would however contain spaces that would make iterating over it directly in bash less comfortable (though not impossible for the sufficiently stubborn).

To make the upcoming loop easier we will clean the spaces and then use sed to insert the line breaks we will need. This is done in the 2nd line, which defines the POLICIES variable.

This leaves us very little to do in the actual loop. Here we just print the Policy name, some pretty lines and invoke the function that you predicted will be the one used, get-policy-version.

Pouched answered 25/5, 2020 at 17:28 Comment(0)
5

Slight modification to @uberhumus's suggestion to reduce the number of policies that will be extracted. Use the --scope Local qualifier in the query to limit it. Otherwise it will spit out hundreds of policies in the account. Limiting the scope to Local will only list policies which are user-provisioned in the account... Here's the modified version:

# --scope Local restricts the listing to customer-managed policies (AWS or All are the other values).
RAW_POLICIES=$(aws iam list-policies --scope Local --query 'Policies[].[Arn,PolicyName,DefaultVersionId]')
POLICIES=$(echo $RAW_POLICIES | tr -d " " | sed 's/\],/\]\n/g')
for POLICY in $POLICIES
do
    echo $POLICY | cut -d '"' -f 4      # policy name
    echo -e "---------------\n"
    aws iam get-policy-version --version-id $(echo $POLICY | cut -d '"' -f 6) --policy-arn $(echo $POLICY | cut -d '"' -f 2)
    echo -e "\n-----------------\n"
done
Vanpelt answered 3/12, 2020 at 22:36 Comment(0)
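The four-step procedure in the first answer and the two tr/sed scripts in the later answers can be written without reshaping JSON by hand: the CLI's `--output text` already prints one tab-separated row per policy, and a `while read` loop keeps each policy name next to its document. The script below is an added example and is not code from any of the answerers; it assumes the AWS CLI is installed and configured with credentials allowed to call `iam:ListPolicies` and `iam:GetPolicyVersion`, and the file name and function names (`list_policy_rows`, `get_policy_document`, `dump_policies`) are mine. It uses only documented `list-policies` / `get-policy-version` options, including the `--scope` filter from the last answer.

```shell
#!/bin/sh
# Added example, not code from the answers above. Assumes the AWS CLI is
# installed and configured. Usage: sh dump_policies.sh Local   (or AWS, or All)
set -eu

# Steps 1 and 2: one TAB-separated row per policy, "Arn<TAB>PolicyName<TAB>DefaultVersionId".
# --output text does the reshaping that tr/sed did in the other answers; IAM policy
# names and ARNs cannot contain whitespace, so the three fields split cleanly.
# The scope is Local (customer managed), AWS (AWS managed) or All.
list_policy_rows() {
    aws iam list-policies --scope "$1" --output text \
        --query 'Policies[].[Arn,PolicyName,DefaultVersionId]'
}

# Step 3: fetch the statement document of one policy at the version listed in step 2.
get_policy_document() {
    aws iam get-policy-version --policy-arn "$1" --version-id "$2" \
        --output json --query 'PolicyVersion.Document'
}

# Step 4: keep the name next to its document by printing a header line before each
# document, so the output for dozens of policies is still attributable.
dump_policies() {
    scope="${1:-Local}"
    tab=$(printf '\t')
    list_policy_rows "$scope" | while IFS="$tab" read -r arn name version; do
        printf '%s (%s, version %s)\n' "$name" "$arn" "$version"
        printf '%s\n' '---------------'
        get_policy_document "$arn" "$version"
        printf '%s\n\n' '---------------'
    done
}

# Run only when invoked with a scope argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    dump_policies "$1"
fi
```

Run it as `sh dump_policies.sh Local` to review only the policies your own account created; `All` includes the AWS-managed ones. When auditing what principals can actually do, adding `--only-attached` to the `list-policies` call in `list_policy_rows` drops policies that are not attached to any user, group or role.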
