Mission 006: Enumerate roles

Posted 3 weeks ago by Adminek

Enumeration spells – Enumerate roles

 

 

 

Welcome back Traveler..

 

Your mission today is clear:
“Generate a report of all IAM roles across your AWS accounts, perfectly formatted for Pivot tables. This report will include: role ID, role name, path, policies, and AWS account details

But before you begin, the path splits:

  • Pressed for time? Skip the story and head straight to the code ➡️
  • Ready to embrace the journey? Let’s dive in together and uncover the steps to success..

 

 

 

The Call to Adventure (Mission Context)

The air crackles with urgency as you step into the dimly lit war room—your workstation, screens humming with AWS accounts stretching across the cloud like an endless battlefield. The task has arrived, and it’s not a small one. Enumerate IAM roles. Across 100 AWS accounts. Every last detail.

You glance at the AWS console, your old nemesis. Clicking through menus, digging for role details one by one? A time sink. A nightmare. Worse yet, there’s no quick export, no easy way to get the full picture. And time is running out—other processes are waiting on this report, and delays aren’t an option.

The request is clear: deliver a complete report, formatted for analysis. Every IAM role’s name, ID, path, attached managed policies, inline policies, trust relationships—all of it, across every account, in one place.

This mission demands more than brute force. It calls for efficiency, precision, and the right spell.

No more clicking. No more frustration. It’s time to harness the magic of automation and extract the data with speed and clarity.

Let’s begin. There’s work to do.

 

The Quest Begins (Step by step guide)


WEAVING THE SPELL: ENUMERATING IAM ROLES

The code we’re about to invoke harnesses the boto3 library, the official AWS SDK for Python. With this, we wield the power of the cloud, traversing multiple AWS accounts with precision. This spell is essential for any sorcerer dealing with IAM role enumeration at scale.



import boto3
import configparser
import datetime
from botocore.exceptions import ClientError, NoCredentialsError, EndpointConnectionError
from botocore.config import Config
from halo import Halo

 

 

PREPARING OUR ARCANE CONFIGURATION

Before we begin summoning IAM roles, we must ensure our spell is properly configured. To prevent interruptions, we define our retry configuration and set the path for our AWS profile configuration file.



config = Config(
    retries=dict(
        max_attempts=10
    )
)

config_file = '/home/user1/.aws/.python-profiles.conf'
today = datetime.date.today().strftime("%F")
report_file = f"/tmp/{today}.IamRolesAndTheirPolicies.csv"

 

 

We also initialize our report file with a proper header, ensuring structured output for later analysis:



with open(report_file, "w") as file:
    file.write("ROLE_NAME;ROLE_PATH;ROLE_ID;ROLE_ARN;POLICY_NAMES;POLICY_ARNS;POLICY_TYPE;ACCOUNT_NAME;ACCOUNT_NR\n")

 

 

SUMMONING AWS PROFILES

Before diving into the depths of IAM roles, we must summon our AWS profiles from the configuration file. This allows us to systematically traverse multiple accounts in one session.



def summon_profiles(config_file):
"""Spell to summon (read) AWS profiles from the configuration file."""
config = configparser.ConfigParser()
config.read(config_file)
profile_list = config.get('testProfile', 'profile_list').split(' ') # choose your profile/profiles here
return profile_list

 

VALIDATING AWS CREDENTIALS

A sorcerer is only as powerful as the artifacts they wield. Without valid AWS credentials, this spell will falter before it even begins. We validate access to ensure our session is secure.



def validate_credentials(profile_name):
    """Validate AWS credentials for the given profile."""
    try:
        session = boto3.Session(profile_name=profile_name)
        sts = session.client('sts', config=config)
        sts.get_caller_identity()
        return True
    except NoCredentialsError:
        return False
    except ClientError as e:
        error_code = e.response['Error']['Code']
        if error_code == 'InvalidClientTokenId' or error_code == 'ExpiredToken':
            return False
        raise  # Re-raise unexpected ClientErrors
    except EndpointConnectionError:
        print("ERROR: Could not connect to AWS endpoint. Please check your internet connection.")
        return False

 

GET ACCOUNT NAME

Short potion to get AWS account name in the organization.





def get_account_name(profile_name):
    """Retrieve the account name for the specified AWS profile."""
    try:
        session = boto3.Session(profile_name=profile_name)
        iam = session.client('iam', config=config)
        sts = session.client('sts', config=config)
        aws_account = sts.get_caller_identity().get('Account')
        account_alias = iam.list_account_aliases()
        account_name = account_alias['AccountAliases'][0] if account_alias['AccountAliases'] else aws_account
        return account_name
    except (NoCredentialsError, ClientError) as e:
        print(f"ERROR: Failed to retrieve account identity for profile '{profile_name}'.")
        return None

 

enumerate roles

This spell unveils the hidden structure of IAM roles across realms (AWS accounts). With a single incantation, it retrieves role details, attached policies, and their lineage—casting light on permissions and securing the path ahead. Invoke it wisely, Traveler!



def enumerate_roles_and_policies(spell_title, profile_name):
profile_name = profile_name.replace('"', '')
"""Spell to enumerate IAM roles and their policies for a given AWS profile."""
session = boto3.Session(profile_name=profile_name)
iam = session.client('iam', config=config)
sts = session.client('sts', config=config)

# Initialize spinner at the start
spinner = None

try:
account_name = get_account_name(profile_name)
if not account_name:
print(f"ERROR: Skipping profile '{profile_name}' due to account retrieval failure.")
return

# Spinner indicating the start of the spell
spinner = Halo(text=f"Casting '{spell_title}' spell on account: {account_name}", spinner="dots", color="cyan")
spinner.start()

paginator = iam.get_paginator('list_roles')
page_iterator = paginator.paginate()

for page in page_iterator:
for role in page['Roles']:
role_name = role['RoleName']
role_arn = role['Arn']
role_id = role['RoleId']
role_path = role['Path']
account_nr = role_arn.split('::')[1].split(':')[0]

# Process inline policies
inline_policies = iam.list_role_policies(RoleName=role_name)['PolicyNames']
policy_names = inline_policies or "NO-INLINE-POLICIES"
policy_arns = "N/A" if not inline_policies else []
policy_type = "inline" if inline_policies else "N/A"

# Write inline policies to the report
write_line = f"{role_name};{role_path};{role_id};{role_arn};{policy_names};{policy_arns};{policy_type};{account_name};{account_nr}"
with open(report_file, "a") as file:
print(write_line, file=file)

# Process managed policies
managed_policies = iam.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']
policy_names = [policy['PolicyName'] for policy in managed_policies] or "NO-MANAGED-POLICIES"
policy_arns = [policy['PolicyArn'] for policy in managed_policies] or "N/A"
policy_type = "managed" if managed_policies else "N/A"

write_line = f"{role_name};{role_path};{role_id};{role_arn};{policy_names};{policy_arns};{policy_type};{account_name};{account_nr}"
with open(report_file, "a") as file:
print(write_line, file=file)

if spinner:
spinner.succeed(f"Spell '{spell_title}' successfully cast on account: {account_name}")

except ClientError as e:
error_code = e.response['Error']['Code']

# Handle InvalidClientTokenId error specifically
if error_code == 'InvalidClientTokenId':
print(f"ERROR - Invalid or expired credentials for profile '{profile_name}'. Please check your AWS credentials.")
print(f"Skipping {profile_name}")
else:
print(f"ClientError encountered for profile '{profile_name}': {e}")

spinner.fail(f"Failed to cast spell '{spell_title}' on account: {profile_name}")

except Exception as e:
# Catch any other general exceptions
print(f"An unexpected error occurred for profile '{profile_name}': {e}")
spinner.fail(f"Failed to cast spell '{spell_title}' on account: {profile_name}")

 

Spell of Invocation, Validation & The Grand Summoning

Before the magic unfolds, this spell ensures all conduits (AWS profiles) are valid. It scans each realm, verifying credentials and preparing the ground for a flawless execution. Only the worthy profiles proceed—ensuring precision and efficiency in the journey ahead.

With a single command, the arcane forces awaken. This spell orchestrates the full ritual—retrieving IAM role insights across realms, forging a detailed artifact (CSV report) that holds the secrets of AWS identities. The mission is executed flawlessly, and the knowledge is secured.





def main_loop(spell_title, profiles=None):
    # If a single profile is passed as a string, wrap it in a list
    if isinstance(profiles, str):
        profiles = [profiles]
    elif profiles is None:
        profiles = summon_profiles(config_file)  # Load profiles if not provided
   
    for profile in profiles:
        profile_name = profile.replace('"', '').strip()
        spinner = Halo(text=f"Validating credentials for profile: {profile_name}", spinner="dots", color="cyan")
        spinner.start()
        if validate_credentials(profile_name):
            spinner.succeed(f"Credentials validated for profile: {profile_name}")
            enumerate_roles_and_policies(spell_title, profile_name)
        else:
            spinner.fail(f"Skipping '{profile_name}' due to invalid or expired credentials")
    # Notify user where the CSV report is saved
    print(f"\nThe report has been saved to: {report_file}")

# Main execution part to make the script runnable independently
if __name__ == "__main__":
    # Default spell title and load profiles if run independently
    default_spell_title = "Enumerate IAM Roles and Policies"
    main_loop(default_spell_title)

 

 

Here’s an example output:



Casting 'Enumerate IAM Roles and Policies' spell on account: MyAWSAccount...
✅ Spell 'Enumerate IAM Roles and Policies' successfully cast on account: MyAWSAccount
The report has been saved to: /tmp/YYYY-MM-DD.IamRolesAndTheirPolicies.csv

Now you can grab your data from /tmp directory and continue your audit. Congratulations!! All that in few seconds.

GRab the full code

 

Full code available on GITHUB:

https://github.com/wildcardslasher/TheQuestForge/tree/main/modules/enumerate_roles

 

Wrap-up

⚡ Join The CloudExceller Chronicles

A new letter of potions, spells, and cloud mastery is released every week, Traveler. The free edition arms you with powerful tools and knowledge, but soon, the paid edition will unlock even more—advanced spells, exclusive tools, and a behind-the-scenes look into the journey of a Cloud Security Architect in action.

🔮 Stay ahead. Master the cloud.
📜 Subscribe now and prepare for what’s coming.

👉 Join the adventure today! 🚀

 

traveler’s log

The path of mastery is paved with relentless pursuit, long hours, and the weight of endless quests. But even the strongest warriors must recognize when their energy is spent.

Today, the forge burned a little too hot—weeks of near 18-hour days had taken their toll. So, the mission shifted. No screens. No spells. Just stepping outside, feeling the sun, and letting the world move at its own pace.

Traveler, remember—power isn’t just in pushing forward, but in knowing when to pause. The greatest insights often come not in the grind, but in the stillness. Take care of your mind, for it is the true source of your strength. 🔥✨

 

That’s all in this short mission.. 

Until next time Traveler..

Post Views: 7
Verified by MonsterInsights