2
votes

All AWS IAM Roles have an associated Role Name and Role ID. The Role ID is not usually seen because the AWS Console displays just the Role Name. Inside the JSON message of an S3 Event there's a PrincipalID value that contains the Role ID of the role that was used to perform the S3 action, e.g., "principalId":"AWS:AROAKJDKSDKF93HSA:123456789".

From this document we see,

Each IAM entity (user, group, or role) has a defined aws:userid variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’s aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname).

So we know that the PrincipalId in the S3 Event message is a Role ID to an IAM Role. How can I use that Role ID to get the Role Name? I've searched through the IAM and STS libraries but I don't see any API that allows me to pass in the Role ID and get the Role Name. STS GetCallerIdentity doesn't help and IAM GetRole only accepts a Role Name as input.

Any help would be greatly appreciated. I am simply consuming S3 Events, reading the PrincipalID value from the S3 Event's message json, extracting the IAM Role ID from the PrincipalID, and I need a way to get the IAM Role Name using the IAM Role ID.

2
Can you simply issue ListRoles and then filter on the role ID? PS why do you need the role name? Is it just for diagnostics? - jarmod
Thanks @jarmod, I'll look into that approach! And we want the Role Name because we have a mapping of Role Names to Teams and this will help us know who created what data in S3. - Kyle Bridenstine

2 Answers

3
votes

Here is a quick way to get it through AWS CLI:

aws iam list-roles --query 'Roles[?RoleId==`AROAEXAMPLEID`]'
1
vote

Using Python, for example, you can use list_roles.
The output gives you the RoleId of each role. Just loop over it and search for the RoleId you want.

{
    'Roles': [
        {
            'Path': 'string',
            'RoleName': 'string',
            'RoleId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'AssumeRolePolicyDocument': 'string',
            'Description': 'string',
            'MaxSessionDuration': 123,
            'PermissionsBoundary': {
                'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                'PermissionsBoundaryArn': 'string'
            },
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'RoleLastUsed': {
                'LastUsedDate': datetime(2015, 1, 1),
                'Region': 'string'
            }
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

RoleId (string)
The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the IAM User Guide.

Reference: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.list_roles

I also recommend using a Paginator.

Some AWS operations return results that are incomplete and require subsequent requests in order to attain the entire result set. The process of sending subsequent requests to continue where a previous request left off is called pagination.

Reference: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/paginators.html
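Putting both answers together (the RoleId filter from the CLI answer and the paginated list_roles from the Python answer), here is an added worked example that is not code from either answerer. It takes the principalId string in the shape the question quotes, splits off the unique role ID, builds a RoleId-to-RoleName index across every page of list_roles, and resolves the name. The FakeIamClient, its two pages of roles and the SAMPLE_RECORD are constructed test data so the code runs offline; in production you pass boto3.client("iam") instead. One security point the example makes explicit: only the AROA... unique ID is assigned by IAM and cannot be chosen by the caller, while the session name after the second colon is whatever the caller passed to AssumeRole, so attribution should key on the RoleId, never on the session name.

```python
"""Resolve the principalId of an S3 event record to an IAM role name.

Example code added here; not part of the original answers. It assumes an IAM
client with the boto3 shape (client.get_paginator("list_roles")), so it can be
exercised offline with FakeIamClient below and with boto3.client("iam") for
real.
"""
from typing import Dict, Optional, Tuple


def split_principal_id(principal_id: str) -> Tuple[str, Optional[str]]:
    """Split "AWS:<unique-id>[:<session-name>]" into (unique_id, session_name).

    The unique ID is assigned by IAM and cannot be chosen by the caller; the
    session name is whatever the caller passed to AssumeRole and must not be
    trusted for attribution on its own.
    """
    parts = principal_id.split(":")
    if len(parts) < 2 or parts[0] != "AWS" or not parts[1]:
        raise ValueError(f"not an IAM principalId: {principal_id!r}")
    session = parts[2] if len(parts) > 2 else None
    return parts[1], session


def build_role_index(iam_client) -> Dict[str, str]:
    """Map RoleId -> RoleName for every role in the account.

    list_roles is paginated (IsTruncated/Marker); a single call can miss the
    role that performed the write, so the paginator walks every page.
    """
    index: Dict[str, str] = {}
    for page in iam_client.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            index[role["RoleId"]] = role["RoleName"]
    return index


def role_name_for_principal(principal_id: str, role_index: Dict[str, str]) -> Optional[str]:
    """Return the role name behind an S3 event principalId, or None.

    Unique IDs starting with AROA belong to roles; AIDA belongs to IAM users,
    which list_roles never contains. A role deleted and re-created under the
    same name gets a new RoleId, so an old event may also fail to resolve.
    """
    unique_id, _session = split_principal_id(principal_id)
    if not unique_id.startswith("AROA"):
        return None
    return role_index.get(unique_id)


class FakeIamClient:
    """Offline stand-in for boto3's IAM client (constructed test data).

    Two pages of results so that the pagination path is exercised.
    """
    _pages = [
        {"Roles": [{"RoleId": "AROAEXAMPLEID", "RoleName": "data-ingest-role"}],
         "IsTruncated": True, "Marker": "page2"},
        {"Roles": [{"RoleId": "AROAEXAMPLEID2", "RoleName": "analytics-role"}],
         "IsTruncated": False},
    ]

    class _Paginator:
        def __init__(self, pages):
            self._pages = pages

        def paginate(self, **kwargs):
            return iter(self._pages)

    def get_paginator(self, name):
        if name != "list_roles":
            raise ValueError(f"unsupported paginator in fake: {name}")
        return self._Paginator(self._pages)


# Constructed S3 event record fragment in the shape the question quotes.
SAMPLE_RECORD = {"userIdentity": {"principalId": "AWS:AROAEXAMPLEID2:ingest-session"}}


def resolve_record(record, iam_client=None) -> Optional[str]:
    """End-to-end: S3 record -> role name; uses boto3 unless a client is given."""
    if iam_client is None:
        import boto3  # only imported when actually talking to AWS
        iam_client = boto3.client("iam")
    index = build_role_index(iam_client)
    return role_name_for_principal(record["userIdentity"]["principalId"], index)


if __name__ == "__main__":
    print(resolve_record(SAMPLE_RECORD, FakeIamClient()))
```

In a consumer that processes many events, build the index once and refresh it periodically (or on a cache miss) rather than calling list_roles per event; the index only needs iam:ListRoles, which is read-only.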