I want to share with you a little trick I’ve learned for finding IAM roles by name in single or multiple AWS accounts.
Now, I know what you’re thinking. “But hey, isn’t finding IAM roles just a simple matter of using the correct AWS CLI command or navigating through the IAM dashboard in the AWS console?”
Well, my friend, you would be correct in thinking that. However, what if I told you that there was a way to search for IAM roles across multiple AWS accounts, all at once?
That’s right, with just a few lines of Python code, you too can wield the power of multiple AWS accounts and find those pesky IAM roles in no time.
But enough talk, let’s get down to business. In the next four parts of this series, we’ll be covering the following topics:
- Setting up your Python environment and installing the necessary libraries.
- Reading a list of profiles from a configuration file.
- Searching for IAM roles using the
boto3library. - Putting it all together in a complete Python script.
Setting up your Python environment and installing the necessary libraries.
First things first, let’s make sure we have Python installed on our system. You can check your Python version by running the following command:
python --version
If you don’t have Python installed, you can download the latest version from the official Python website: https://www.python.org/downloads/
Next, we’ll need to install the boto3 library, which allows us to interact with AWS APIs using Python. You can install boto3 using pip, the Python package manager, like so:
pip install boto3
We’ll also need the configparser and botocore libraries. You can install these by running the following commands:
pip install configparser pip install botocore
Reading a list of profiles from a configuration file.
Now it’s time to read a list of profiles from a configuration file.
But first, let’s take a step back and understand why we need to do this.
When working with AWS APIs, we need to provide authentication credentials in order to make API calls. One way to do this is to use AWS profiles, which are stored in the ~/.aws/credentials file on your local machine.
A profile consists of an AWS access key and secret key, which are used to sign API requests, as well as a default region and output format. You can create as many profiles as you need, each with its own set of credentials.
For example, let’s say you have two AWS accounts, one for production and one for staging. You can create a profile for each of these accounts, and switch between them as needed.
Now, let’s get back to our Python script. We’ll start by reading the configuration file using the configparser library. The configuration file is a simple text file that contains a list of profiles, one per line.
Here’s an example of what the configuration file might look like:
[multipleProfiles]
profile_list = "profile1 profile2"
We can read this file using the ConfigParser class from the configparser library, like so:
import configparser
config = configparser.ConfigParser()
config.read('/path/to/configuration/file')
Next, we’ll retrieve the list of profiles from the configuration file using the get method:
profile_list = config.get('multipleProfiles', 'profile_list')
Finally, we’ll split the list of profiles into a Python list using the split method:
profile_list = profile_list.split(' ')
With these simple steps, we’ve read a list of profiles from a configuration file and stored them in a Python list.
Searching for IAM roles using the boto3 library.
Now it’s time to search for IAM roles using the boto3 library.
First, let’s import the boto3 library and create an iam client. We’ll also import the ClientError exception from the botocore.exceptions module, which we’ll use to handle any errors that may occur while interacting with the AWS API.
import boto3
from botocore.exceptions import ClientError
client = boto3.client('iam')
Next, we’ll create a paginator for the list_roles API operation. This allows us to retrieve all the roles in the account, one page at a time.
paginator = client.get_paginator('list_roles')
page_iterator = paginator.paginate()
Now we can iterate through the pages of results, using a for loop:
for page in page_iterator: # Do something with the page of results
Inside the loop, we can iterate through the list of roles and check if the role name matches the search pattern using a regular expression. If it does, we can print out the role name, role ARN, account name, and region.
import re
pattern = 'my-role'
for page in page_iterator:
for role in page['Roles']:
role_name = role['RoleName']
role_arn = role['Arn']
if re.search(pattern, role_name, re.IGNORECASE):
# Role name matches search pattern, print out the details
print(f'Role name: {role_name}')
print(f'Role ARN: {role_arn}')
# ...
Putting it all together in a complete Python script.
Now it’s time to put everything together in a complete Python script.
First, let’s define a Config object that allows us to set the maximum number of attempts for retries. This is useful in case of any transient errors that may occur when interacting with the AWS API.
from botocore.config import Config
config = Config(
retries = dict(
max_attempts = 10
)
)
Next, we’ll define a function to read the list of profiles from the configuration file. This function uses the ConfigParser class from the configparser library to read the file, and the get method to retrieve the list of profiles.
import configparser
def read_profile_list(config_file):
config = configparser.ConfigParser()
config.read(config_file)
profile_list = config.get('multipleProfiles', 'profile_list')
profile_list = profile_list.split(' ')
return profile_list
Now let’s define the main function, which searches for IAM roles using the boto3 library. This function takes in a profile name and the search pattern as arguments.
import boto3
import re
from botocore.exceptions import ClientError
def find_iam_role(profile_name, pattern):
session = boto3.Session(profile_name=profile_name)
iam = session.client("iam", config=config)
try:
roles = iam.list_roles()
account_alias = iam.list_account_aliases()
account_name = account_alias['AccountAliases'][0]
region = "us-east-1"
paginator = iam.get_paginator('list_roles')
page_iterator = paginator.paginate()
for page in page_iterator:
for role in page['Roles']:
role_arn = role['Arn']
role_name = role['RoleName']
if re.search(pattern, role_name, re.IGNORECASE):
print(f"{role_name};{role_arn};{account_name};{region}")
except ClientError as e:
print(f"Error: {e}")
Finally, we’ll put everything together in the main script. We’ll read the list of profiles from the configuration file, and then call the find_iam_role function for each profile.
config_file = '/path/to/configuration/file'
pattern = input("\nProvide pattern to search for --> ")
print(f"ROLE_NAME;ROLE_ARN;ACCOUNT_NAME;REGION")
profile_list = read_profile_list(config_file)
for profile_name in profile_list:
find_iam_role(profile_name, pattern)
Full code available on GITHUB:
https://github.com/wozoopa/python/blob/main/find-iam-role-based-on-name.py
That’s all in this session..
Until next time Traveler..
