Inspect an IAM role and its trust policy
📑 On this page
Part 111 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
get-role returns stable role identity, session duration, description, tags metadata, and the decoded trust policy.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
aws iam get-role --role-name "$ROLE_NAME"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam get-role \
--role-name "$ROLE_NAME" \
--query "Role.{Arn:Arn,RoleId:RoleId,Created:CreateDate,MaxSessionSeconds:MaxSessionDuration,Trust:AssumeRolePolicyDocument}"Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam list-role-tags \
--role-name "$ROLE_NAME" \
--output tableTags can document owner and purpose or participate in ABAC.
Common mistake
The trust policy's Principal is not the complete authorization story. Same-account and cross-account assumptions can also require caller identity permission and conditions.
Cleanup
# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identityKeep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.
Next, we will learn Update an IAM role trust policy.