You can check whether the user exists or not with the IAM user's credentials using the AWS CLI/SDK.
Attach the iam:GetUser and iam:SimulatePrincipalPolicy policies to your IAM user.
Here iam:GetUser will be used to check the user's existence and iam:SimulatePrincipalPolicy will be used to check the resource access.
1. Check existence:
You can use the getUser() function of AWS-IAM to verify whether the user exists or not:

```js
const AWS = require('aws-sdk');

const iam = new AWS.IAM({
  // IAM user access key and secret key (placeholders, use your own)
  accessKeyId: 'YOUR_ACCESS_KEY_ID',
  secretAccessKey: 'YOUR_SECRET_ACCESS_KEY'
});

// GetUser with no UserName returns the user whose credentials signed the request
iam.getUser({}, (err, data) => {
  if (err)
    console.log("User does not exist", err.code);
  else
    console.log("User exists ", data);
});
```
If the user exists:

```js
{
  "User": {
    "Path": "/",
    "UserName": "userName",
    "UserId": "AIDAY357ZXJ7ADSEWNGWA3",
    "Arn": "arn:aws:iam::60977878822:user/userName", // required this in simulator
    "CreateDate": "2020-08-05T14:48:49Z"
  }
}
```
2. For resource access you can use the simulatePrincipalPolicy() function of AWS-IAM:

```js
let params = {
  PolicySourceArn: "Paste IAM user arn", // arn:aws:iam::60977878822:user/userName
  ActionNames: ["ec2:RunInstances"]
};

iam.simulatePrincipalPolicy(params, (err, data) => {
  if (err)
    console.log("Error", err);
  else
    console.log("Data ", data);
});
```
Output:

```js
{
  ResponseMetadata: { RequestId: '3e7cbc9a-ed7b-472a-b054-a6f3f37bf8c4' },
  EvaluationResults:
    [ { EvalActionName: 'iam:SimulatePrincipalPolicy',
        EvalResourceName: '*',
        EvalDecision: 'allowed', // check this
        MatchedStatements: [Array],
        MissingContextValues: [],
        ResourceSpecificResults: [] },
    ],
  IsTruncated: false
}
```
If the EvalDecision is 'allowed', it means your IAM user has access to create new instances.
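Putting both calls together, as an added example that is not from the original answer: promise wrappers around getUser/simulatePrincipalPolicy, a reducer over EvaluationResults that treats explicitDeny and implicitDeny alike, and Marker/IsTruncated paging so a long action list is not cut short. The `iam` argument is any object exposing getUser(params, cb) and simulatePrincipalPolicy(params, cb) in the SDK v2 callback shape; the account id, user name and canned responses in `fakeIam` are constructed so the script runs offline.

```javascript
// Added example, not from the original answer. `iam` may be a real
// `new AWS.IAM({...})` client or the constructed fake at the bottom.

// Resolve to the caller's User, or null when GetUser fails
// (user deleted, or the access key is invalid/deactivated).
function getCallerUser(iam) {
  return new Promise((resolve) => {
    iam.getUser({}, (err, data) => resolve(err ? null : data.User));
  });
}

// Reduce EvaluationResults to { action: decision }. Anything other than
// 'allowed' ('explicitDeny' or 'implicitDeny') means no access.
function summarizeDecisions(response) {
  const verdicts = {};
  for (const r of response.EvaluationResults || []) verdicts[r.EvalActionName] = r.EvalDecision;
  return verdicts;
}

// Simulate the actions for a principal ARN, following pagination.
async function simulateActions(iam, principalArn, actions) {
  const verdicts = {};
  let marker;
  do {
    const params = { PolicySourceArn: principalArn, ActionNames: actions };
    if (marker) params.Marker = marker;
    const page = await new Promise((resolve, reject) =>
      iam.simulatePrincipalPolicy(params, (err, data) => (err ? reject(err) : resolve(data))));
    Object.assign(verdicts, summarizeDecisions(page));
    marker = page.IsTruncated ? page.Marker : undefined;
  } while (marker);
  return verdicts;
}

const allAllowed = (verdicts, actions) => actions.every((a) => verdicts[a] === 'allowed');

// Constructed offline fake: a canned user and a two-page simulator response.
const FAKE_ARN = 'arn:aws:iam::123456789012:user/example'; // placeholder account id
const fakeIam = {
  getUser: (_p, cb) => cb(null, { User: { UserName: 'example', Arn: FAKE_ARN } }),
  simulatePrincipalPolicy: (p, cb) => cb(null, p.Marker
    ? { EvaluationResults: [{ EvalActionName: 's3:DeleteBucket', EvalDecision: 'explicitDeny' }], IsTruncated: false }
    : { EvaluationResults: [{ EvalActionName: 'ec2:RunInstances', EvalDecision: 'allowed' }], IsTruncated: true, Marker: 'p2' }),
};

async function demo() {
  const user = await getCallerUser(fakeIam);
  const verdicts = await simulateActions(fakeIam, user.Arn, ['ec2:RunInstances', 's3:DeleteBucket']);
  return { user: user.UserName, verdicts, canRunInstances: allAllowed(verdicts, ['ec2:RunInstances']) };
}
demo().then((r) => console.log(JSON.stringify(r)));
```

Scope the iam:SimulatePrincipalPolicy permission's Resource to the user's own ARN so the credentials can only simulate their own access, not that of other principals in the account.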