← All posts
2 min read

Inspect an IAM role and its trust policy

#aws#cli#iam#security#identity
📑 On this page

Part 111 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

get-role returns stable role identity, session duration, description, tags metadata, and the decoded trust policy.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam get-role --role-name "$ROLE_NAME"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-role \
  --role-name "$ROLE_NAME" \
  --query "Role.{Arn:Arn,RoleId:RoleId,Created:CreateDate,MaxSessionSeconds:MaxSessionDuration,Trust:AssumeRolePolicyDocument}"

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam list-role-tags \
  --role-name "$ROLE_NAME" \
  --output table

Tags can document owner and purpose or participate in ABAC.

Common mistake

The trust policy's Principal is not the complete authorization story. Same-account and cross-account assumptions can also require caller identity permission and conditions.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Update an IAM role trust policy.

Official AWS CLI reference