
Is there a way to get the trust relationship policy document using boto3? I am trying to audit the roles that allow third party access to my AWS environment.

I have been scouring the boto3 APIs to find an applicable function call, and have tried iam.client.get_role_policy as well as iam.client.get_account_authorization_details.

However, I can't quite determine what parameters to pass based on the policy information I need for a particular role, so I'm not sure those functions will return the information I'm seeking.

Essentially, for each IAM role in my account, I am trying to find the following information:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{acctID}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": {externalID}
        }
      }
    }
  ]
}

I figure that if "sts:ExternalId": {externalID} is a part of the trust relationship, then the policy gives 3rd party access.

If there is a better way of doing this, I would love to know. I don't have much experience with IAM Roles/Policies.

Bri

1 Answer


You should use the GetRole API to retrieve the trust i.e. assume role policy.

sudo
Comment: Ugh, thank you. That shouldn't have been nearly as challenging as it was for me. – Bri Apr 02 '19 at 19:44
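The audit the question describes, built on the GetRole call the answer points to, as an added example that is not code from the question or the answer. It assumes your own 12-digit account ID is known (OWN_ACCOUNT below is a constructed placeholder), that the credentials in use allow iam:ListRoles and iam:GetRole, and that boto3 hands back AssumeRolePolicyDocument already decoded into a dict (it does; the URL-encoded string form the raw API uses is handled too). One caveat worth building in: an sts:ExternalId condition does mark a third-party integration, but the stronger audit signal is any principal outside your account at all. A cross-account trust that lacks the ExternalId condition is the confused-deputy case, so the example reports both the foreign accounts and whether an ExternalId is required, rather than keying on ExternalId alone.

```python
"""Audit IAM role trust policies for third-party access with boto3.

Added example; not from the original question or answer.
"""
import json
import re
from urllib.parse import unquote

_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed placeholder IDs; replace OWN_ACCOUNT with your real account ID.
OWN_ACCOUNT = "123456789012"
THIRD_PARTY = "111122223333"


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def analyze_trust_policy(doc, own_account_id):
    """Summarise who may assume the role according to its trust policy.

    `doc` is the AssumeRolePolicyDocument as boto3 returns it (a dict) or as
    the raw API encodes it (URL-encoded JSON string).
    """
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    external, federated, wildcard, has_ext_id = set(), set(), False, False
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        # Covers sts:AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity and wildcards.
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone may call AssumeRole on this role
            wildcard, principal = True, {}
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                wildcard = True
                continue
            m = _ARN_ACCOUNT.match(p)
            account = m.group(1) if m else (p if p.isdigit() else None)
            if account and account != own_account_id:
                external.add(account)
        federated.update(_as_list(principal.get("Federated")))
        for operator, keys in stmt.get("Condition", {}).items():
            # Condition operators and keys are case-insensitive in IAM.
            if operator.lower().startswith("string") and any(
                k.lower() == "sts:externalid" for k in keys
            ):
                has_ext_id = True
    return {
        "external_accounts": sorted(external),
        "federated_principals": sorted(federated),
        "wildcard_principal": wildcard,
        "requires_external_id": has_ext_id,
    }


def audit_roles(own_account_id, session=None):
    """Return [(role_name, summary)] for every role trusting something outside
    this account: another AWS account, a federated provider or a wildcard."""
    import boto3  # imported here so analyze_trust_policy runs without boto3 installed

    iam = (session or boto3.Session()).client("iam")
    findings = []
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            # GetRole, as the answer says; boto3 decodes the trust policy into a dict.
            trust = iam.get_role(RoleName=role["RoleName"])["Role"]["AssumeRolePolicyDocument"]
            summary = analyze_trust_policy(trust, own_account_id)
            if (summary["external_accounts"] or summary["federated_principals"]
                    or summary["wildcard_principal"]):
                findings.append((role["RoleName"], summary))
    return findings


# Constructed sample trust policies, so the analysis can be exercised offline.
THIRD_PARTY_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}
CROSS_ACCOUNT_NO_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY}:root"},
        "Action": "sts:AssumeRole",
    }],
}
SERVICE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc in [("third-party", THIRD_PARTY_WITH_EXTERNAL_ID),
                      ("no-external-id", CROSS_ACCOUNT_NO_EXTERNAL_ID),
                      ("service", SERVICE_ROLE)]:
        print(name, json.dumps(analyze_trust_policy(doc, OWN_ACCOUNT)))
    # Against a live account: print(audit_roles(OWN_ACCOUNT))
```

Run `audit_roles(OWN_ACCOUNT)` with real credentials to list the roles worth reviewing; roles that only trust an AWS service principal (the `SERVICE_ROLE` shape) are skipped, and the roles to look at first are those whose summary lists a foreign account with `requires_external_id` false, or a wildcard principal.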