如何列出我所属的AWS IAM组?

huangapple go评论61阅读模式
英文:

How can I list the AWS IAM groups in which I am a member?

问题

标题已经说明了一切。只要提供了AWS访问密钥和秘钥,就可以获取用户所属的IAM组列表吗?AWS API支持自我反思吗?

编辑:这个问题假设除了作为组成员之外没有授予其他权限。例如,这个特定的IAM用户只有从一个ECR存储库中读取的权限,并没有权限调用list-groups-for-user

英文:

The title says it all, really. Given an AWS access key and secret, it it possible to get a list of IAM groups to which the user belongs? Is any self-introspection possible with the AWS APIs?

Edit: The question is assuming that no other privileges are granted other than being part of a group itself. For example, this particular IAM user only has permissions to read from an ECR repo and does not have privileges to call list-groups-for-user.

答案1

得分: 2

是的,这是可能的。

如果已授予用户运行该命令的特定权限。

来自文档 list-groups-for-user

> 列出指定 IAM 用户所属的 IAM 用户组。list-groups-for-user 是一个分页操作。可能需要多次发出 API 调用,以检索完整的结果数据集。

您可以这样做:

aws iam list-groups-for-user --user-name Bob

这应该会输出类似于以下内容:

"Groups": [
    {
        "Path": "/",
        "CreateDate": "2013-05-06T01:18:08Z",
        "GroupId": "AKIAIOSFODNN7EXAMPLE",
        "Arn": "arn:aws:iam::123456789012:group/Admin",
        "GroupName": "Admin"
    },
    {
        "Path": "/",
        "CreateDate": "2013-05-06T01:37:28Z",
        "GroupId": "AKIAI44QH8DHBEXAMPLE",
        "Arn": "arn:aws:iam::123456789012:group/s3-Users",
        "GroupName": "s3-Users"
    }
]

关于 list-groups-for-user 的完整文档在这里

英文:

Yes, it's possible.

If specific permissions have been granted for the user to run the command.

From the docs list-groups-for-user:

> Lists the IAM groups that the specified IAM user belongs to. list-groups-for-user is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results.

You can do something like this:

aws iam list-groups-for-user --user-name Bob

Which sould output something like this:

"Groups": [
    {
        "Path": "/",
        "CreateDate": "2013-05-06T01:18:08Z",
        "GroupId": "AKIAIOSFODNN7EXAMPLE",
        "Arn": "arn:aws:iam::123456789012:group/Admin",
        "GroupName": "Admin"
    },
    {
        "Path": "/",
        "CreateDate": "2013-05-06T01:37:28Z",
        "GroupId": "AKIAI44QH8DHBEXAMPLE",
        "Arn": "arn:aws:iam::123456789012:group/s3-Users",
        "GroupName": "s3-Users"
    }
]

Full documentation on list-groups-for-user is here.

答案2

得分: -1

如果您没有调用 iam:ListGroupsForUseriam:ListGroups + iam:GetGroup 的权限,那么您就没有运气了*。AWS主体可以在没有显式权限的情况下调用的唯一API操作是 sts:GetCallerIdentity(除了一些根本不需要AWS凭据的API操作,例如 sts:AssumeRoleWithWebIdentity 和部分Cognito操作),该操作返回使用凭据调用它的主体的身份。没有无需权限的API操作可以列出主体的权限、列出其组成员或类似的操作。

*我不确定 iam:AddUserToGroupiam:RemoveUserFromGroup 如果用户已经是或不是目标组的成员会返回什么错误。它们可能会显示组成员身份,但如果您没有 iam:ListGroupsForUser 的权限,您极有可能没有这些权限。

英文:

If you do not have permission to call iam:ListGroupsForUser, or iam:ListGroups + iam:GetGroup, then you're out of luck*. The only API operation that an AWS principal can call without an explicit permission is sts:GetCallerIdentity (apart from a few API actions that do not require AWS credentials at all, such as sts:AssumeRoleWithWebIdentity and parts of Cognito), which returns the identity of the principal whose credentials were used to call it. There are no permissionless API actions to list the permissions of a principal, list its group memberships, or anything like that.

*I'm not sure what errors iam:AddUserToGroup and iam:RemoveUserFromGroup return if the user already is or is not a member of the target group. It's possible that they might reveal group membership -- but if you don't have permission for iam:ListGroupsForUser, you're highly unlikely to have permissions for these.

huangapple
  • 本文由 发表于 2023年6月1日 16:08:16
  • 转载请务必保留本文链接:https://go.coder-hub.com/76379875.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定