在 AWS 下查看自己所拥有的权限
# 我是谁?
当我们拿到 AWS 访问凭证后,往往会面临一个问题,我是谁?
通过下面这条命令就能看到自己当前是那个用户了,如果返回的是 root 用户,那么恭喜你,你拥有所有的权限。
aws iam get-user
1
> aws iam get-user
{
"User": {
"UserId": "0123456789",
"Arn": "arn:aws:iam::0123456789:root",
"CreateDate": "2022-01-01T01:01:01Z",
"PasswordLastUsed": "2022-01-01T01:01:01Z"
}
}
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
如果返回的不是 root 那么说明当前不是根用户
> aws iam get-user
{
"User": {
"Path": "/",
"UserName": "test",
"UserId": "ABCDEFGHIJKLMNOPQRST",
"Arn": "arn:aws:iam::0123456789:user/test",
"CreateDate": "2022-01-01T01:01:01Z",
"PasswordLastUsed": "2022-01-01T01:01:01Z"
}
}
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
# 我能做什么?
通过下面这条命令,就可以看到自己所拥有的权限了
aws iam list-attached-user-policies --user-name test
1
> aws iam list-attached-user-policies --user-name test
{
"AttachedPolicies": [
{
"PolicyName": "IAMFullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/IAMFullAccess"
},
{
"PolicyName": "AmazonECS_FullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonECS_FullAccess"
}
]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
不过能看到自己权限的前提是需要先拥有 iam 的相关权限,不然就会返回 AccessDenied
> aws iam list-attached-user-policies --user-name test
An error occurred (AccessDenied) when calling the ListAttachedUserPolicies operation: User: arn:aws:iam::0123456789:user/test is not authorized to perform: iam:ListAttachedUserPolicies on resource: user test because no identity-based policy allows the iam:ListAttachedUserPolicies action
1
2
3
2
3