使用 IAM 角色 ID 获取 IAM 角色名称
Get IAM Role Name Using IAM Role ID
所有 AWS IAM 角色都有关联的角色名称和角色 ID。通常看不到角色 ID,因为 AWS 控制台仅显示角色名称。在 S3 Event there's a PrincipalID value 的 JSON 消息中,包含用于执行 S3 操作的角色的角色 ID,例如 "principalId":"AWS:AROAKJDKSDKF93HSA:123456789.
从this document我们看到,
Each IAM entity (user, group, or role) has a defined aws:userid
variable. You will need this variable for use within the bucket policy
to specify the role or user as an exception in a conditional element.
An assumed-role’s aws:userId value is defined as
UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example,
AROAEXAMPLEID:userdefinedsessionname).
所以我们知道 S3 Event message is a Role ID to an IAM Role. How can I use that Role ID to get the Role Name? I've searched through the IAM and STS libraries but I don't see any API that allows me to pass in the Role ID and get the Role Name. STS GetCallerIdentity doesn't help and IAM GetRole 中的 PrincipalId 只接受 Role Name 作为输入。
如有任何帮助,我们将不胜感激。我只是使用 S3 Events, reading the PrincipalID value from the S3 Event's message json,从 PrincipalID 中提取 IAM 角色 ID,我需要一种使用 IAM 角色 ID 获取 IAM 角色名称的方法。
例如使用 python 你可以使用 list_roles.
输出将为您提供每个角色的角色 ID。只需循环它并搜索您想要的RoleId。
{
'Roles': [
{
'Path': 'string',
'RoleName': 'string',
'RoleId': 'string',
'Arn': 'string',
'CreateDate': datetime(2015, 1, 1),
'AssumeRolePolicyDocument': 'string',
'Description': 'string',
'MaxSessionDuration': 123,
'PermissionsBoundary': {
'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
'PermissionsBoundaryArn': 'string'
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'RoleLastUsed': {
'LastUsedDate': datetime(2015, 1, 1),
'Region': 'string'
}
},
],
'IsTruncated': True|False,
'Marker': 'string'
}
RoleId (string)
The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the IAM User Guide.
另外我推荐你使用Paginator。
Some AWS operations return results that are incomplete and require
subsequent requests in order to attain the entire result set. The
process of sending subsequent requests to continue where a previous
request left off is called pagination
参考:https://boto3.amazonaws.com/v1/documentation/api/latest/guide/paginators.html
这是通过 AWS CLI 获取它的快速方法:
aws iam list-roles --query 'Roles[?RoleId==`AROAEXAMPLEID`]'
所有 AWS IAM 角色都有关联的角色名称和角色 ID。通常看不到角色 ID,因为 AWS 控制台仅显示角色名称。在 S3 Event there's a PrincipalID value 的 JSON 消息中,包含用于执行 S3 操作的角色的角色 ID,例如 "principalId":"AWS:AROAKJDKSDKF93HSA:123456789.
从this document我们看到,
Each IAM entity (user, group, or role) has a defined aws:userid variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’s aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname).
所以我们知道 S3 Event message is a Role ID to an IAM Role. How can I use that Role ID to get the Role Name? I've searched through the IAM and STS libraries but I don't see any API that allows me to pass in the Role ID and get the Role Name. STS GetCallerIdentity doesn't help and IAM GetRole 中的 PrincipalId 只接受 Role Name 作为输入。
如有任何帮助,我们将不胜感激。我只是使用 S3 Events, reading the PrincipalID value from the S3 Event's message json,从 PrincipalID 中提取 IAM 角色 ID,我需要一种使用 IAM 角色 ID 获取 IAM 角色名称的方法。
例如使用 python 你可以使用 list_roles.
输出将为您提供每个角色的角色 ID。只需循环它并搜索您想要的RoleId。
{
'Roles': [
{
'Path': 'string',
'RoleName': 'string',
'RoleId': 'string',
'Arn': 'string',
'CreateDate': datetime(2015, 1, 1),
'AssumeRolePolicyDocument': 'string',
'Description': 'string',
'MaxSessionDuration': 123,
'PermissionsBoundary': {
'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
'PermissionsBoundaryArn': 'string'
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'RoleLastUsed': {
'LastUsedDate': datetime(2015, 1, 1),
'Region': 'string'
}
},
],
'IsTruncated': True|False,
'Marker': 'string'
}
RoleId (string)
The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the IAM User Guide.
另外我推荐你使用Paginator。
Some AWS operations return results that are incomplete and require subsequent requests in order to attain the entire result set. The process of sending subsequent requests to continue where a previous request left off is called pagination
参考:https://boto3.amazonaws.com/v1/documentation/api/latest/guide/paginators.html
这是通过 AWS CLI 获取它的快速方法:
aws iam list-roles --query 'Roles[?RoleId==`AROAEXAMPLEID`]'