← All posts
2 min read

List inline policies on an IAM user

#aws#cli#iam#security#identity
📑 On this page

Part 93 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Inline policy listing returns names only. Use get-user-policy to inspect the actual statement document.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam list-user-policies \
  --user-name "$USER_NAME"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-user-policy \
  --user-name "$USER_NAME" \
  --policy-name "$INLINE_POLICY_NAME"

The returned policy document is attached only to this user.

One tiny variation

aws iam list-user-policies \
  --user-name "$USER_NAME" \
  --query "PolicyNames[]" \
  --output text

The text output is convenient for a controlled audit loop.

Common mistake

Do not delete a user before capturing or intentionally discarding its inline policies. Inline policies disappear with the identity.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Understand IAM policy JSON anatomy.

Official AWS CLI reference