Index syndication
comment syndication

Powershell: AWS and IAM policy retrieval

August 5, 2014 at 17:19 · Filed under AWS

I’ve recently been working more day to day on Amazon Web Services, and I found it a little unwieldy to navigate around policy documents assigned to IAM groups.

Sometimes you just want to have a local copy of the policies to edit/play with/look at.

Therefore, I came up with a quick script to solve this. Enjoy…
Of course, the AWS SDK for Powershell is required.

Glenn Russo said,

November 6, 2014 @ 10:22

Any chance you could share the powershell script. 🙂

lantrix said,

November 8, 2014 @ 12:27

It’s embedded in the post as a github gist; which you can find here:

Jamin said,

March 10, 2015 @ 08:56

Nice script. Very helpful. I extended it to do roles as well. Thank you for your help.

# Script to output all the IAM polcies

Import-Module AWSPowerShell
# For URL Decode of Policy document
[System.Reflection.Assembly]::LoadWithPartialName("System.web") | out-null
#Form Output for script
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | out-null

#Current Path
$path = (Get-Item -Path ".\" -Verbose).FullName

#Notify User
$caption = "Warning!"
$message = "This Script will override all current policies in:`n$path\Groups`nand`n$path\Roles`n with current AWS Policies! Do you want to proceed"
$yesNoButtons = 4

if ([System.Windows.Forms.MessageBox]::Show($message, $caption, $yesNoButtons) -eq "NO") {
Write "Script Terminated"
else {
#delete existing policies stored locally
if (Test-Path -LiteralPath $path\Groups -PathType Container) {
Remove-Item -Recurse -Force $path\Groups
if (Test-Path -LiteralPath $path\Roles -PathType Container) {
Remove-Item -Recurse -Force $path\Roles
$searchGroup = @()
$searchRole = @()
$groups = Get-IAMGroups
$roles = Get-IAMRoles
for ($i=0; $i -lt $groups.Count; $i++) {
Write-Host -NoNewline "Creating Dir: "
Write-Host $groups[$i].GroupName
#create new dir
New-Item -ItemType directory -Path $path\Groups\$($groups[$i].GroupName) | out-null
#Add this group to search array
$searchGroup += $groups[$i].GroupName
for ($i=0; $i -lt $roles.Count; $i++) {
Write-Host -NoNewline "Creating Dir: "
Write-Host $roles[$i].RoleName
#create new dir
New-Item -ItemType directory -Path $path\Roles\$($roles[$i].RoleName) | out-null
#Add this role to search array
$searchRole += $roles[$i].RoleName
#Get policies for each group and role and write out to directories
foreach ($searchtype in $searchGroup) {
Write-Host -NoNewline "Saving Policies for: "
Write-Host $searchtype
$a = Get-IAMGroupPolicies -GroupName $searchtype
foreach ($this in $a) {
$b = Get-IAMGroupPolicy -GroupName $searchtype -PolicyName $this
$c = $b.PolicyDocument
[system.web.httputility]::urldecode($c) > $path\Groups\$searchtype\$($b.PolicyName).json
foreach ($searchtype in $searchRole) {
Write-Host -NoNewline "Saving Policies for: "
Write-Host $searchtype
$a = Get-IAMRolePolicies -RoleName $searchtype
foreach ($this in $a) {
$b = Get-IAMRolePolicy -RoleName $searchtype -PolicyName $this
$c = $b.PolicyDocument
[system.web.httputility]::urldecode($c) > $path\Roles\$searchtype\$($b.PolicyName).json
Write-Host "Script Finished"

RSS feed for comments on this post · TrackBack URI

Leave a Comment