Need a feature for getting IAM Role's trust policy alone in CLI.

Open nrssutharsanan opened this issue 1 year ago • 6 comments

Describe the feature

Need a feature request for getting IAM Role's trust policy alone in CLI. As of now we have to perform iam get-role CLI command and then manipulate to get the role's trust policy alone. I feel it's valuable to add a new feature / command to get role's trust policy alone. Suggested code -- aws iam get-role-trust-policy --role-name <<your role name>>

Use Case

This is required when we want to do some manipulations to the existing Trust policy and add new policies, since the CLI gives only the option to overwrite an existing policy.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • [X] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CLI version used

2.17.47

Environment details (OS name and version, etc.)

Windows/Linux,etc

nrssutharsanan, Sep 10 '24 07:09

Python/3.12.5 Linux/5.10.223-211.872.amzn2.x86_64 source/x86_64.alpine.3

nrssutharsanan, Sep 10 '24 07:09

Hi nrssutharsanan@, thanks for reaching out. As you have mentioned, the $ aws iam get-role --role-name already includes the Trust Policy. To isolate it, you could do Client side filtering ( https://docs.aws.amazon.com/cli/v1/userguide/cli-usage-filter.html#cli-usage-filter-client-side ). An example command would be:

$ aws iam get-role --role-name --query 'Role.AssumeRolePolicyDocument'

Could you clarify why this doesn't work for your use case? Thank you.

adev-code, Sep 11 '24 18:09

Hey @adev-code -- Yes, that does work, but whenever I want to update any Trust policy for a mass of accounts, I had to do an extra hop to get this by running the above command and had to do some JQ modifications and then do an update trust policy.

So having to just get the Trust Policy alone, just like get managed policy etc., which even can be got in get-role, but still we do have a separate command for it, so similarly if I have a separate command to fetch only the trust policy, it is better for me to go and do updates at scale.

nrssutharsanan, Sep 12 '24 06:09
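The get, modify, update workflow discussed above, as an added example that is not part of the thread or of aws-cli itself: because `update-assume-role-policy` replaces the whole document, the merge keeps every existing statement and skips the write when an equivalent statement is already present. The function names, the `dry_run` flag and the sample policy (constructed, with a documentation account ID) are assumptions of this example.

```python
import copy
import json
import subprocess

# Constructed sample of what `get-role --query Role.AssumeRolePolicyDocument` can return.
SAMPLE_TRUST = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"Service": "ec2.amazonaws.com"}}}
# Constructed statement to add (placeholder account ID).
NEW_STMT = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}

def _canon(stmt):
    """Canonical form: "x" and ["x"] compare equal, Sid is ignored."""
    def as_list(v):
        return sorted(v) if isinstance(v, list) else [v]
    out = {k: v for k, v in stmt.items() if k != "Sid"}
    if "Action" in out:
        out["Action"] = as_list(out["Action"])
    if isinstance(out.get("Principal"), dict):
        out["Principal"] = {k: as_list(v) for k, v in out["Principal"].items()}
    return json.dumps(out, sort_keys=True)

def merge_statement(trust_policy, new_stmt):
    """Return (document, changed); existing statements are always preserved."""
    doc = copy.deepcopy(trust_policy)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # IAM accepts a single statement object
        stmts = [stmts]
    if any(_canon(s) == _canon(new_stmt) for s in stmts):
        return trust_policy, False  # already trusted: nothing to write
    doc["Statement"] = stmts + [copy.deepcopy(new_stmt)]
    return doc, True

def aws_iam(*args):
    """Run `aws iam ...` and return parsed JSON output (None if empty)."""
    res = subprocess.run(["aws", "iam", *args, "--output", "json"],
                         check=True, capture_output=True, text=True)
    return json.loads(res.stdout) if res.stdout.strip() else None

def add_trust(role_name, new_stmt, dry_run=True):
    """Fetch the role's trust policy, merge, and write back only if changed."""
    current = aws_iam("get-role", "--role-name", role_name,
                      "--query", "Role.AssumeRolePolicyDocument")
    merged, changed = merge_statement(current, new_stmt)
    if changed and not dry_run:
        aws_iam("update-assume-role-policy", "--role-name", role_name,
                "--policy-document", json.dumps(merged))
    return merged, changed
```

With `dry_run=True` the merged document is returned for review before anything is written to the role.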

Hi @nrssutharsanan, I have submitted a feature request to the IAM team to create an operation that gives the Trust Policy of the role. Please refer to an SDK or AWS CLI changelog (https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) for updates about this going forward. Please let me know if you have any other questions. Thanks!

adev-code, Sep 12 '24 22:09

Hey @adev-code, will this be solved by IAM team or can I solve as well?

nrssutharsanan, Sep 13 '24 09:09

Hi @nrssutharsanan, the IAM team would provide updates on the SDK or AWS CLI changelog (https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst). Please let me know if you have any other questions. Thanks!

adev-code, Sep 13 '24 19:09

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

github-actions[bot], Sep 23 '24 20:09