All AWS IAM Roles have an associated Role Name and Role ID. The Role ID is not usually seen because the AWS Console displays just the Role Name. Inside the JSON message of an S3 Event there’s a PrincipalID value that contains the Role ID of the role that was used to perform the S3 action e.g.,
From this document we see,
Each IAM entity (user, group, or role) has a defined aws:userid
variable. You will need this variable for use within the bucket policy
to specify the role or user as an exception in a conditional element.
An assumed-role’s aws:userId value is defined as
UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example,
So we know that the PrincipalId in the S3 Event message is a Role ID to an IAM Role. How can I use that Role ID to get the Role Name? I’ve searched through the IAM and STS libraries but I don’t see any API that allows me to pass in the Role ID and get the Role Name. STS GetCallerIdentity doesn’t help and IAM GetRole only accepts a Role Name as input.
Any help would be greatly appreciated. I am simply consuming S3 Events, reading the PrincipalID value from the S3 Event’s message json, extracting the IAM Role ID from the PrincipalID, and I need a way to get the IAM Role Name using the IAM Role ID.
Using Python, for example, you can use
The output will give you the role ID of each role. Just loop over it and search for the RoleId you want.
'CreateDate': datetime(2015, 1, 1),
'LastUsedDate': datetime(2015, 1, 1),
The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the IAM User Guide.
Also, I recommend that you use
Some AWS operations return results that are incomplete and require
subsequent requests in order to attain the entire result set. The
process of sending subsequent requests to continue where a previous
request left off is called pagination.
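As an added illustration of the approach in this answer (not the answerer's own code): split the role ID off the event's PrincipalId using the ROLE-ID:SESSION-NAME form quoted from the IAM docs, then walk every ListRoles page and match on RoleId. The matching logic takes any iterable of response pages so it can be exercised on constructed data; the boto3 paginator call assumes credentials and the `list_roles` paginator, and the role IDs below are placeholders, not real ones.

```python
from typing import Iterable, Optional


def extract_role_id(principal_id: str) -> str:
    """Return the unique role ID from an aws:userid-style PrincipalId.

    Per the quoted IAM docs an assumed role's userid is
    UNIQUE-ROLE-ID:ROLE-SESSION-NAME, so the part before the first ':'
    is the role ID. A plain IAM user ID has no ':' and passes through.
    """
    return principal_id.split(":", 1)[0]


def find_role_name(role_id: str, pages: Iterable[dict]) -> Optional[str]:
    """Scan ListRoles pages and return the RoleName whose RoleId matches.

    RoleId is the stable, unique identifier, so a match is exact even if a
    role with the same name was deleted and recreated (it gets a new ID).
    """
    for page in pages:  # any iterable of ListRoles response dicts
        for role in page.get("Roles", []):
            if role.get("RoleId") == role_id:
                return role["RoleName"]
    return None  # no role in the account has that ID (or it was deleted)


def role_name_from_principal(principal_id: str, iam_client=None) -> Optional[str]:
    """Resolve a PrincipalId via boto3's list_roles paginator (needs credentials)."""
    import boto3  # imported lazily so the pure functions above work offline

    iam = iam_client or boto3.client("iam")
    # The paginator follows Marker/IsTruncated, so roles past page one are seen.
    pages = iam.get_paginator("list_roles").paginate()
    return find_role_name(extract_role_id(principal_id), pages)


# Constructed sample: two ListRoles pages with placeholder (not real) role IDs.
SAMPLE_PAGES = [
    {"Roles": [{"RoleName": "deploy-role", "RoleId": "AROAEXAMPLEID0000001"}],
     "IsTruncated": True},
    {"Roles": [{"RoleName": "s3-writer", "RoleId": "AROAEXAMPLEID0000002"}],
     "IsTruncated": False},
]

if __name__ == "__main__":
    # Constructed PrincipalId in the documented ROLE-ID:SESSION-NAME form.
    rid = extract_role_id("AROAEXAMPLEID0000002:my-session")
    print(rid, "->", find_role_name(rid, SAMPLE_PAGES))  # s3-writer
```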