amazon-web-services

Which API should we use to get the assigned roles from AWS Access Key and AWS Secret Access Key?


I was given a pair of keys, an AWS Access Key and an AWS Access Secret. I would like to confirm that the AWS User associated with the key has the proper permissions and doesn't have other unexpected roles. But I couldn't find a good API to do it. Is there any good API to find out which roles are attached to the user itself?

Though I've read the documentation and googled it, I could not find a good way. I know that it is possible to test by calling each API one by one. But I'd like to get an exhaustive list of the roles attached to the user, if possible.

Resolved:

It was get-caller-identity that I needed to know about. The command returns the AWS Account, the AWS User ID and the ARN of the User, so I can then use the advised commands to find out its policies, groups etc.


Solution

  • To list the IAM roles and policies attached to a specific AWS user, you can use the AWS CLI.

    This lists the managed policies attached to the user:

    aws iam list-attached-user-policies --user-name <username>

    This lists the inline policies embedded within the user:

    aws iam list-user-policies --user-name <username>

    If the user belongs to any groups, this command lists those groups:

    aws iam list-groups-for-user --user-name <username>

    IAM users cannot have roles directly attached to them, so if you want to check which roles the user can assume, you need to inspect the policies. Specifically, you would look for policies attached to the user or their groups that include sts:AssumeRole actions.
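The procedure above (identify the principal with get-caller-identity, then walk the user's inline, attached and group policies looking for sts:AssumeRole) as a runnable script. This is an added example, not code from the original question or answer. It assumes boto3 is installed and that the credentials under test are in the usual environment variables or profile; the policy documents in the test are constructed, and `principal_from_arn`, `assume_role_grants` and `collect_policy_documents` are names chosen here, not AWS APIs.

```python
"""Enumerate which roles an IAM user's credentials can assume (added example).

Network calls go through boto3 and are isolated in collect_policy_documents();
the parsing helpers are pure so they can be exercised offline.
Conditions on statements and permissions boundaries are NOT evaluated here.
"""
import fnmatch
import re

# Actions that let a principal take on a role; "*" and "sts:*" also cover them.
ASSUME_ACTIONS = ("sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity")


def principal_from_arn(arn):
    """Classify a GetCallerIdentity ARN into (kind, name).

    kind is 'user', 'assumed-role', 'root' or 'unknown'. Only 'user' can be fed
    to the iam list-*-user-* commands; keys belonging to an assumed role show
    up as arn:aws:sts::<acct>:assumed-role/<RoleName>/<session>.
    """
    m = re.match(r"^arn:aws[\w-]*:(iam|sts)::\d{12}:(.+)$", arn)
    if not m:
        return ("unknown", arn)
    resource = m.group(2)
    if resource == "root":
        return ("root", "root")
    if resource.startswith("user/"):
        return ("user", resource.rsplit("/", 1)[1])  # drop any path components
    if resource.startswith("assumed-role/"):
        return ("assumed-role", resource.split("/")[1])
    return ("unknown", resource)


def _as_list(value):
    """IAM allows a single string or dict where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def assume_role_grants(policy_doc):
    """Return (allowed, denied): lists of (action, resource) pairs for every
    statement that covers an AssumeRole-family action.

    NotAction statements are treated as covering every action they do not list,
    so a Deny with NotAction ["s3:*"] is reported as denying AssumeRole.
    """
    allowed, denied = [], []
    for st in _as_list(policy_doc.get("Statement")):
        resources = _as_list(st.get("Resource", "*"))
        if "Action" in st:
            hits = [a for a in ASSUME_ACTIONS if _matches(_as_list(st["Action"]), a)]
        else:
            hits = [a for a in ASSUME_ACTIONS if not _matches(_as_list(st.get("NotAction")), a)]
        bucket = allowed if st.get("Effect") == "Allow" else denied
        bucket.extend((a, r) for a in hits for r in resources)
    return allowed, denied


def collect_policy_documents(session):
    """Gather every policy document that applies to the IAM user behind the
    session's credentials: inline and attached managed policies of the user and
    of each group it belongs to. Returns ((kind, name), [(label, document), ...]).

    Needs iam:Get*/List* on the user, its groups and the policies; results use
    the default page size, which is ample for a single user's policies.
    """
    sts, iam = session.client("sts"), session.client("iam")
    kind, name = principal_from_arn(sts.get_caller_identity()["Arn"])
    if kind != "user":
        raise ValueError(f"credentials belong to a {kind}, not an IAM user")
    docs = []

    def managed(label, attached):
        # Attached policies need get-policy (default version) + get-policy-version (document)
        for p in attached:
            arn = p["PolicyArn"]
            ver = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
            doc = iam.get_policy_version(PolicyArn=arn, VersionId=ver)["PolicyVersion"]["Document"]
            docs.append((f"{label} managed {arn}", doc))

    for pn in iam.list_user_policies(UserName=name)["PolicyNames"]:
        docs.append((f"user inline {pn}", iam.get_user_policy(UserName=name, PolicyName=pn)["PolicyDocument"]))
    managed("user", iam.list_attached_user_policies(UserName=name)["AttachedPolicies"])
    for g in iam.list_groups_for_user(UserName=name)["Groups"]:
        gn = g["GroupName"]
        for pn in iam.list_group_policies(GroupName=gn)["PolicyNames"]:
            docs.append((f"group {gn} inline {pn}", iam.get_group_policy(GroupName=gn, PolicyName=pn)["PolicyDocument"]))
        managed(f"group {gn}", iam.list_attached_group_policies(GroupName=gn)["AttachedPolicies"])
    return (kind, name), docs


if __name__ == "__main__":
    import boto3  # assumed available; credentials from env vars or the default profile

    (kind, name), docs = collect_policy_documents(boto3.session.Session())
    print(f"principal: {kind} {name}")
    for label, doc in docs:
        allowed, denied = assume_role_grants(doc)
        for action, resource in allowed:
            print(f"ALLOW {action} on {resource}  [{label}]")
        for action, resource in denied:
            print(f"DENY  {action} on {resource}  [{label}]")
```

The output is a static read of identity-based policies only: a role listed as allowed can still be refused if its trust policy does not name this user, if a Deny elsewhere (permissions boundary, SCP) applies, or if the statement carries a Condition the script ignores. For a definitive answer on a specific role, `aws iam simulate-principal-policy` or a test `sts assume-role` call is the confirmation step.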