Thanks for the answers folks. From Shajam's & AI's answer, the most important bit from the ARN is the "something" role which I'm assuming. This is what actually has permissions & policies attached to it. To see what policies I have access to, I can look in UI or with aws iam list-attached-role-policies --role-name something. From there I can see that my role indeed lacks the permissions necessary to CreateTag.
I used an admin account to grant such permissions. Unfortunately CreateRole in particular is very broad / I'm not sure how to allow a role to CreateRoles but not to create a role with admin permissions. This might involve IAM permissions boundaries. But all in all that's a separate question & my initial question of "what permissions does whoever I'm currently signed in as have?" has been answered.
To debug what permissions your assumed role has, you can use the get-account-authorization-details command from the AWS CLI. This command provides comprehensive information about all IAM users, groups, roles, and policies in your AWS account, which can help you identify your permissions.
Based on your get-caller-identity output, you're operating with an assumed role (arn:aws:sts::123:assumed-role/something/botocore-session-123), not as a regular IAM user. This explains why you can't find your identity in the IAM users section of the console or use list-attached-user-policies.
To check the permissions for your assumed role:
- Run the following command to get details about all roles in your account:
  aws iam get-account-authorization-details --filter Role
- Look for the role named "something" in the output (the middle part of your assumed role ARN).
- Within that role's details, examine:
  - AssumeRolePolicyDocument - Shows who can assume this role
  - AttachedManagedPolicies - Lists managed policies attached to the role
  - RolePolicyList - Shows inline policies for the role
The error message indicates you're missing the iam:CreateRole permission. To fix this, you'll need to:
- Identify which policy needs to be modified (either an attached managed policy or an inline policy)
- Add the iam:CreateRole permission to that policy
- Ensure the policy is attached to your role
If you have administrator access through another user or role, you can add this permission by:
- Creating a new policy with the required permission and attaching it to your role
- Modifying an existing policy to include the permission
- Adding an inline policy directly to the role
Remember that for creating IAM roles, you typically need additional permissions like iam:PassRole, iam:CreatePolicy, and iam:AttachRolePolicy to make the role fully functional.
Sources:
- Use GetAccountAuthorizationDetails with an AWS SDK or CLI - AWS Identity and Access Management
- Creating a DAX cluster - Amazon DynamoDB
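As an added example (not code from this answer or from AWS), a POSIX shell script that pulls the role name out of the assumed-role ARN and then queries just that role's trust policy, attached managed policies (including their documents), and inline policies, which is narrower than paging through get-account-authorization-details. It assumes the AWS CLI is configured with credentials that can read IAM.

```shell
#!/bin/sh
# Inspect the permissions behind an STS assumed-role ARN such as
#   arn:aws:sts::123:assumed-role/something/botocore-session-123
# Assumes: AWS CLI installed and configured with IAM read access.

# Extract <role> from arn:aws:sts::<account>:assumed-role/<role>/<session>.
role_from_arn() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*) ;;
    *) echo "not an assumed-role ARN: $arn" >&2; return 1 ;;
  esac
  rest="${arn#*:assumed-role/}"   # <role>/<session>
  printf '%s\n' "${rest%%/*}"
}

# Extract the session name (the last path segment of the ARN).
session_from_arn() {
  printf '%s\n' "${1##*/}"
}

# Print the default version document of one managed policy.
show_managed_policy() {
  policy_arn="$1"
  version=$(aws iam get-policy --policy-arn "$policy_arn" \
            --query 'Policy.DefaultVersionId' --output text)
  aws iam get-policy-version --policy-arn "$policy_arn" \
      --version-id "$version" --query 'PolicyVersion.Document' --output json
}

# Trust policy, managed policies with documents, and inline policies of a role.
describe_role_permissions() {
  role="$1"
  echo "== Trust policy (who may assume $role) =="
  aws iam get-role --role-name "$role" \
      --query 'Role.AssumeRolePolicyDocument' --output json
  echo "== Attached managed policies =="
  for p in $(aws iam list-attached-role-policies --role-name "$role" \
               --query 'AttachedPolicies[].PolicyArn' --output text); do
    echo "-- $p"; show_managed_policy "$p"
  done
  echo "== Inline policies =="
  for n in $(aws iam list-role-policies --role-name "$role" \
               --query 'PolicyNames' --output text); do
    echo "-- $n"
    aws iam get-role-policy --role-name "$role" --policy-name "$n" \
        --query 'PolicyDocument' --output json
  done
}

# Run with --run to inspect the identity the CLI is currently signed in as.
if [ "${1:-}" = "--run" ]; then
  role=$(role_from_arn "$(aws sts get-caller-identity --query Arn --output text)") || exit 1
  describe_role_permissions "$role"
fi
```

Note that list-attached-role-policies returns only policy ARNs; the get-policy / get-policy-version pair is what shows whether iam:CreateRole is actually granted.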
Let's decode the user arn: arn:aws:sts::123:assumed-role/something/botocore-session-123
role name: something
session: botocore-session-123
You can find the IAM role in IAM console depending on your access level. You may or may not be able to modify your IAM permissions. It is dependent on your permissions.

This is a pretty good answer - the aws iam get-account-authorization-details --filter Role command actually works. My answer highlights aws iam list-attached-role-policies --role-name something, which is more specific / precisely what I asked for, as opposed to needing some searching through a larger output.