← All posts
2 min read

Read an IAM managed policy document

#aws#cli#iam#security#identity
📑 On this page

Part 97 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Managed policy documents are versioned. Read the default version to understand the permissions currently granted by attachments.

Before you run it

POLICY_ARN="arn:aws:iam::123456789012:policy/AwsZeroListBuckets"

Use the exact customer managed policy ARN.

The command

VERSION_ID=$(aws iam get-policy \
  --policy-arn "$POLICY_ARN" \
  --query "Policy.DefaultVersionId" \
  --output text)
 
aws iam get-policy-version \
  --policy-arn "$POLICY_ARN" \
  --version-id "$VERSION_ID"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-policy-version \
  --policy-arn "$POLICY_ARN" \
  --version-id "$VERSION_ID" \
  --query "PolicyVersion.Document.Statement"

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam list-policy-versions \
  --policy-arn "$POLICY_ARN" \
  --query "Versions[].{ID:VersionId,Default:IsDefaultVersion,Created:CreateDate}" \
  --output table

Review version history before changing the default.

Common mistake

Do not assume version v1 is current. Always resolve DefaultVersionId.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Attach a managed policy to an IAM user.

Official AWS CLI reference