List every policy on an IAM role
📑 On this page
Part 114 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
A role permission review requires two lists because managed and inline policies are stored differently.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
aws iam list-attached-role-policies \
--role-name "$ROLE_NAME"
aws iam list-role-policies \
--role-name "$ROLE_NAME"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam list-attached-role-policies \
--role-name "$ROLE_NAME" \
--query "AttachedPolicies[].{Type:'managed',Name:PolicyName,Arn:PolicyArn}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam list-role-policies \
--role-name "$ROLE_NAME" \
--query "PolicyNames[]" \
--output textRetrieve each inline name with get-role-policy to inspect its document.
Common mistake
Do not infer effective permission from these two lists alone. Permission boundaries, session policies, SCPs, and resource policies may narrow or expand the final path.
Cleanup
# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identityKeep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.
Next, we will learn Assume an IAM role with STS.