
list-roles command #61

Closed
simonw opened this issue Jan 19, 2022 · 5 comments
Labels
enhancement New feature or request

Comments


simonw commented Jan 19, 2022

Probably need a list-roles command too for this, which could get a bit weird because it will list roles outside of the domain of S3 buckets.

Originally posted by @simonw in #59 (comment)

@simonw simonw added the enhancement New feature or request label Jan 19, 2022

simonw commented Jan 19, 2022

Built a prototype of this and spotted this in the --csv export:

role/,AccessAnalyzerMonitorServiceRole_J87R0IQVOP,AROAWXFXAIOZEHA5NK5HY,arn:aws:iam::462092780466:role/service-role/AccessAnalyzerMonitorServiceRole_J87R0IQVOP,2021-11-09 02:45:23+00:00,"{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'access-analyzer.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}",,3600,,,

The JSON policy in that CSV isn't being properly serialized: it's using str() of the Python dictionary when it should be using json.dumps()


simonw commented Jan 19, 2022

The command should take zero or more optional role names - if provided it just outputs information for those roles, without them it outputs all roles.


simonw commented Jan 19, 2022

It should have a --details option too, like list-buckets does, for pulling back things like the policies attached to each role using list_role_policies https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.list_role_policies


simonw commented Jan 19, 2022

Wow there's a lot of work involved in --details. Fetching attached managed policies requires all of these steps:

  • iam.list_attached_role_policies(RoleName=role_name) to get a list of policy names and ARNs
  • iam.get_policy(PolicyArn=) on each one to get back policy details, but NOT the JSON policy
  • iam.get_policy_version(PolicyArn='string',VersionId='string') on each to get the policy

Have to do list_role_policies and then get_role_policy on each of those (thankfully no third step) for inline policies too.

simonw added a commit that referenced this issue Jan 19, 2022
@simonw simonw mentioned this issue Jan 19, 2022

simonw commented Jan 19, 2022

Moving this work to PR #62 - here's the --details implementation so far:

```python
if details:
    role_name = role["RoleName"]
    role["inline_policies"] = []
    # Get inline policy names, then policy for each one
    role_policies_response = iam.list_role_policies(
        RoleName=role_name,
    )
    # TODO: Warn on IsTruncated, maybe even paginate
    for policy_name in role_policies_response["PolicyNames"]:
        role_policy_response = iam.get_role_policy(
            RoleName=role_name,
            PolicyName=policy_name,
        )
        role_policy_response.pop("ResponseMetadata", None)
        role["inline_policies"].append(role_policy_response)
    # Get attached managed policies
    role["attached_policies"] = []
    attached_policies_response = iam.list_attached_role_policies(
        RoleName=role_name,
    )
    # TODO: Warn on IsTruncated, maybe even paginate
    for attached in attached_policies_response["AttachedPolicies"]:
        policy_arn = attached["PolicyArn"]
        attached_policy_response = iam.get_policy(
            PolicyArn=policy_arn,
        )
        policy_details = attached_policy_response["Policy"]
        # Also need to fetch the policy JSON
        version_id = policy_details["DefaultVersionId"]
        policy_version_response = iam.get_policy_version(
            PolicyArn=policy_arn,
            VersionId=version_id,
        )
        policy_details["PolicyVersion"] = policy_version_response[
            "PolicyVersion"
        ]
        role["attached_policies"].append(policy_details)
```
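As an added example (not code from this issue, the PR, or s3-credentials itself), here is the same two-part policy fetch written against boto3's paginators for list_role_policies and list_attached_role_policies, which follow IsTruncated/Marker for you and so resolve the two TODOs above, together with a json.dumps() serializer for the CSV column that the earlier comment flagged. The `FakeIAM` class, its two-page response and the two policy documents are constructed stand-ins so the block runs offline; in real use you would pass `boto3.client("iam")` in their place, since the function only relies on calls and response keys that the real client has.

```python
import json


def iter_pages(iam, operation, **kwargs):
    """Yield every page of a paginated IAM list call.

    boto3 paginators follow IsTruncated/Marker automatically, so callers never
    see a silently truncated PolicyNames or AttachedPolicies list.
    """
    paginator = iam.get_paginator(operation)
    for page in paginator.paginate(**kwargs):
        yield page


def role_details(iam, role_name):
    """Collect inline and attached managed policies for one role.

    Inline:  list_role_policies -> get_role_policy per name.
    Managed: list_attached_role_policies -> get_policy -> get_policy_version
             (only the last call returns the policy Document).
    """
    inline_policies = []
    for page in iter_pages(iam, "list_role_policies", RoleName=role_name):
        for policy_name in page["PolicyNames"]:
            response = iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)
            inline_policies.append(
                {"PolicyName": policy_name, "PolicyDocument": response["PolicyDocument"]}
            )

    attached_policies = []
    for page in iter_pages(iam, "list_attached_role_policies", RoleName=role_name):
        for attached in page["AttachedPolicies"]:
            policy_arn = attached["PolicyArn"]
            policy = iam.get_policy(PolicyArn=policy_arn)["Policy"]
            version = iam.get_policy_version(
                PolicyArn=policy_arn, VersionId=policy["DefaultVersionId"]
            )["PolicyVersion"]
            policy["PolicyVersion"] = version
            attached_policies.append(policy)

    return {"inline_policies": inline_policies, "attached_policies": attached_policies}


def csv_cell(value):
    """Serialize one value for a CSV column.

    boto3 returns policy documents as dicts; str() of a dict is single-quoted
    Python repr that json.loads() rejects, so emit json.dumps() instead.
    """
    if isinstance(value, (dict, list)):
        return json.dumps(value, sort_keys=True)
    return value


# Constructed sample data (not from any real account): a stand-in for
# boto3.client("iam") answering the same calls, with list_role_policies
# deliberately split across two pages to exercise pagination.
INLINE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}],
}
MANAGED_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}


class FakeIAM:
    pages = {
        "list_role_policies": [
            {"PolicyNames": ["inline-a"], "IsTruncated": True, "Marker": "m1"},
            {"PolicyNames": ["inline-b"], "IsTruncated": False},
        ],
        "list_attached_role_policies": [
            {"AttachedPolicies": [{"PolicyName": "managed-x",
                                   "PolicyArn": "arn:aws:iam::123456789012:policy/managed-x"}],
             "IsTruncated": False}
        ],
    }

    def get_paginator(self, operation):
        pages = self.pages[operation]

        class Paginator:
            def paginate(self, **kwargs):
                return iter(pages)

        return Paginator()

    def get_role_policy(self, RoleName, PolicyName):
        return {"RoleName": RoleName, "PolicyName": PolicyName, "PolicyDocument": INLINE_DOC}

    def get_policy(self, PolicyArn):
        return {"Policy": {"PolicyName": PolicyArn.rsplit("/", 1)[1],
                           "Arn": PolicyArn, "DefaultVersionId": "v2"}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "IsDefaultVersion": True,
                                  "Document": MANAGED_DOC}}


if __name__ == "__main__":
    print(json.dumps(role_details(FakeIAM(), "demo-role"), indent=2))
    print(csv_cell(INLINE_DOC))
```

Both inline policies come back even though the first page was truncated, and the managed policy carries its DefaultVersionId's Document. Because boto3 paginators exist for list_roles as well, the same iter_pages helper covers the outer role listing, so an account with more than the default page size of roles is not silently cut short either.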

simonw added a commit that referenced this issue Jan 19, 2022
@simonw simonw closed this as completed in 7fb4db1 Jan 19, 2022
simonw added a commit that referenced this issue Jan 25, 2022