英文:
How can I list the AWS IAM groups in which I am a member?
问题
标题已经说明了一切。只要提供了AWS访问密钥和秘钥,就可以获取用户所属的IAM组列表吗?AWS API支持自我反思吗?
编辑:这个问题假设除了作为组成员之外没有授予其他权限。例如,这个特定的IAM用户只有从一个ECR存储库中读取的权限,并没有权限调用list-groups-for-user
。
英文:
The title says it all, really. Given an AWS access key and secret, it it possible to get a list of IAM groups to which the user belongs? Is any self-introspection possible with the AWS APIs?
Edit: The question is assuming that no other privileges are granted other than being part of a group itself. For example, this particular IAM user only has permissions to read from an ECR repo and does not have privileges to call list-groups-for-user
.
答案1
得分: 2
是的,这是可能的。
如果已授予用户运行该命令的特定权限。
来自文档 list-groups-for-user
:
> 列出指定 IAM 用户所属的 IAM 用户组。list-groups-for-user
是一个分页操作。可能需要多次发出 API 调用,以检索完整的结果数据集。
您可以这样做:
aws iam list-groups-for-user --user-name Bob
这应该会输出类似于以下内容:
"Groups": [
{
"Path": "/",
"CreateDate": "2013-05-06T01:18:08Z",
"GroupId": "AKIAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/Admin",
"GroupName": "Admin"
},
{
"Path": "/",
"CreateDate": "2013-05-06T01:37:28Z",
"GroupId": "AKIAI44QH8DHBEXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/s3-Users",
"GroupName": "s3-Users"
}
]
关于 list-groups-for-user
的完整文档在这里。
英文:
Yes, it's possible.
If specific permissions have been granted for the user to run the command.
From the docs list-groups-for-user
:
> Lists the IAM groups that the specified IAM user belongs to. list-groups-for-user
is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results.
You can do something like this:
aws iam list-groups-for-user --user-name Bob
Which sould output something like this:
"Groups": [
{
"Path": "/",
"CreateDate": "2013-05-06T01:18:08Z",
"GroupId": "AKIAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/Admin",
"GroupName": "Admin"
},
{
"Path": "/",
"CreateDate": "2013-05-06T01:37:28Z",
"GroupId": "AKIAI44QH8DHBEXAMPLE",
"Arn": "arn:aws:iam::123456789012:group/s3-Users",
"GroupName": "s3-Users"
}
]
Full documentation on list-groups-for-user
is here.
答案2
得分: -1
如果您没有调用 iam:ListGroupsForUser
或 iam:ListGroups
+ iam:GetGroup
的权限,那么您就没有运气了*。AWS主体可以在没有显式权限的情况下调用的唯一API操作是 sts:GetCallerIdentity
(除了一些根本不需要AWS凭据的API操作,例如 sts:AssumeRoleWithWebIdentity
和部分Cognito操作),该操作返回使用凭据调用它的主体的身份。没有无需权限的API操作可以列出主体的权限、列出其组成员或类似的操作。
*我不确定 iam:AddUserToGroup
和 iam:RemoveUserFromGroup
如果用户已经是或不是目标组的成员会返回什么错误。它们可能会显示组成员身份,但如果您没有 iam:ListGroupsForUser
的权限,您极有可能没有这些权限。
英文:
If you do not have permission to call iam:ListGroupsForUser
, or iam:ListGroups
+ iam:GetGroup
, then you're out of luck*. The only API operation that an AWS principal can call without an explicit permission is sts:GetCallerIdentity
(apart from a few API actions that do not require AWS credentials at all, such as sts:AssumeRoleWithWebIdentity
and parts of Cognito), which returns the identity of the principal whose credentials were used to call it. There are no permissionless API actions to list the permissions of a principal, list its group memberships, or anything like that.
*I'm not sure what errors iam:AddUserToGroup
and iam:RemoveUserFromGroup
return if the user already is or is not a member of the target group. It's possible that they might reveal group membership -- but if you don't have permission for iam:ListGroupsForUser
, you're highly unlikely to have permissions for these.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论