0
votes

I'm trying to verify that an IAM user exists with an access key using the AWS SDK(js).

I am trying to build an access control module for an API. I can't deploy it on AWS. Instead of trying to build the whole thing, I want to handle user management using IAM but will need to build a custom module to check if the current IAM user has access to resources.

I've checked the docs and it looks like you can only get a user by username. I thought maybe I can list the users and filter the user array by access key, but obviously the list does not have access key info.

2
For me it sounds like a use case for AWS Cognito. Did you try it? – MaiKaY
was not aware of cognito, will check it out – nupac

2 Answers

1
votes

The AWS Identity and Access Management (IAM) service is designed specifically for granting access to AWS resources. It is not designed as an authentication system for applications.

A more appropriate product would be Amazon Cognito:

Amazon Cognito lets you easily add user sign-up and sign-in and manage permissions for your mobile and web apps. You can create your own user directory within Amazon Cognito. You can also choose to authenticate users through social identity providers such as Facebook, or Amazon; with SAML identity solutions; or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users' devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.

With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user management, authentication, and synchronization across devices.

0
votes

You can check whether the user exists or not with the IAM user's credentials using the AWS CLI/SDK.

Attach the iam:GetUser and iam:SimulatePrincipalPolicy permissions to your IAM user.

Here iam:GetUser will be used to check the user's existence and iam:SimulatePrincipalPolicy will be used to check the resource access.

1. Check existence:

You can use the getUser() function of AWS-IAM to verify whether the user exists or not.

    const AWS = require('aws-sdk');

    const iam = new AWS.IAM({
      // IAM user access key and secret key (or leave empty to use the SDK's default credential chain)
    });

    // With no UserName in the params, getUser returns the user whose credentials signed the request
    iam.getUser({}, (err, data) => {
      if (err)
        console.log("User not exist", err);
      else
        console.log("User exist ", data);
    });

if user exists:=>

    {
      "User": {
        "Path": "/",
        "UserName": "userName",
        "UserId": "AIDAY357ZXJ7ADSEWNGWA3",
        "Arn": "arn:aws:iam::60977878822:user/userName", // required this in simulator
        "CreateDate": "2020-08-05T14:48:49Z"
      }
    }

2. For resource access, you can use the simulatePrincipalPolicy() function of AWS-IAM.

    // Object literal keys use ':' (the original used '=', which is a syntax error)
    let params = {
      PolicySourceArn: "Paste IAM user arn", // arn:aws:iam::60977878822:user/userName (the Arn returned by getUser)
      ActionNames: ["ec2:RunInstances"]
    };
    iam.simulatePrincipalPolicy(params, (err, data) => {
      if (err)
        console.log("Error", err);
      else
        console.log("Data ", data);
    });

output:=>

    {
      ResponseMetadata: { RequestId: '3e7cbc9a-ed7b-472a-b054-a6f3f37bf8c4' },
      EvaluationResults:
        [ { EvalActionName: 'iam:SimulatePrincipalPolicy',
            EvalResourceName: '*',
            EvalDecision: 'allowed',   // check this
            MatchedStatements: [Array],
            MissingContextValues: [],
            ResourceSpecificResults: [] },
        ],
      IsTruncated: false
    }

If the EvalDecision is 'allowed', it means your IAM user has access to create new instances.
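The two steps of this answer (resolve the caller's identity with getUser, then ask simulatePrincipalPolicy about specific actions) can be combined into one reusable check. The code below is an added example, not code from the answer above or from the AWS SDK. It is written against the AWS SDK v2 call shape (`client.method(params).promise()`), so with the real SDK you would pass `new AWS.IAM({...})`; here a constructed in-memory fake client (`makeFakeIam`, an assumption of this example, with a placeholder account id) is used so it runs offline. It also goes slightly beyond the answer: it evaluates several actions at once, follows the `Marker` pagination when `IsTruncated` is true, and fails closed, treating any decision other than an explicit `'allowed'` (e.g. `'implicitDeny'`, `'explicitDeny'`, or a missing result) as denied.

```javascript
// Added example (not from the answer or the AWS SDK): check which of the given IAM
// actions the caller's own IAM user is allowed, using getUser + simulatePrincipalPolicy.
// `iam` is any object exposing the SDK v2 call shape: iam.method(params).promise().
async function checkCallerAccess(iam, actionNames, resourceArns = ['*']) {
  // 1. Identity / existence: getUser with no UserName resolves to the user whose
  //    credentials signed the request. NoSuchEntity => no such IAM user.
  let user;
  try {
    ({ User: user } = await iam.getUser({}).promise());
  } catch (err) {
    if (err.code === 'NoSuchEntity') return { exists: false, decisions: {} };
    throw err; // other errors (throttling, bad credentials) are not "user absent"
  }

  // 2. Authorization: simulate every requested action against the user's ARN.
  //    Results can be paginated; keep requesting with Marker until IsTruncated is false.
  const decisions = {};
  let marker;
  do {
    const page = await iam.simulatePrincipalPolicy({
      PolicySourceArn: user.Arn,
      ActionNames: actionNames,
      ResourceArns: resourceArns,
      Marker: marker,
    }).promise();
    for (const r of page.EvaluationResults) {
      // Fail closed: only an explicit 'allowed' counts as access.
      decisions[r.EvalActionName] = r.EvalDecision === 'allowed';
    }
    marker = page.IsTruncated ? page.Marker : undefined;
  } while (marker);

  // Any requested action that never appeared in the results is denied as well.
  for (const a of actionNames) if (!(a in decisions)) decisions[a] = false;
  return { exists: true, arn: user.Arn, decisions };
}

// Constructed fake IAM client (assumption of this example) mirroring the v2 call
// shape. `allowed` lists the actions the fake "policy" permits; `pageSize` controls
// how many results are returned per simulatePrincipalPolicy page.
function makeFakeIam({ userExists = true, allowed = [], pageSize = 100 } = {}) {
  const wrap = (fn) => (params) => ({
    promise: () => Promise.resolve().then(() => fn(params)),
  });
  return {
    getUser: wrap(() => {
      if (!userExists) {
        const e = new Error('The user cannot be found.');
        e.code = 'NoSuchEntity';
        throw e;
      }
      // 123456789012 is a placeholder account id, not a real one.
      return { User: { UserName: 'example-user', Arn: 'arn:aws:iam::123456789012:user/example-user' } };
    }),
    simulatePrincipalPolicy: wrap((params) => {
      const start = params.Marker ? Number(params.Marker) : 0;
      const next = start + pageSize;
      const slice = params.ActionNames.slice(start, next);
      const truncated = next < params.ActionNames.length;
      return {
        EvaluationResults: slice.map((a) => ({
          EvalActionName: a,
          EvalResourceName: '*',
          EvalDecision: allowed.includes(a) ? 'allowed' : 'implicitDeny',
        })),
        IsTruncated: truncated,
        Marker: truncated ? String(next) : undefined,
      };
    }),
  };
}

// Stand-alone usage against the fake client.
checkCallerAccess(
  makeFakeIam({ allowed: ['ec2:DescribeInstances'], pageSize: 1 }),
  ['ec2:DescribeInstances', 'ec2:RunInstances']
).then((result) => console.log(result));
```

Only the `decisions` map should drive the access-control module's yes/no answer; `exists: false` and a thrown error are different outcomes (absent user versus a failed check) and a fail-closed module denies in both cases.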