PowerShell: AWS and IAM policy retrieval

August 5, 2014 at 17:19 · Filed under AWS

I’ve recently been working more day to day on Amazon Web Services, and I found it a little unwieldy to navigate around policy documents assigned to IAM groups.

Sometimes you just want to have a local copy of the policies to edit/play with/look at.

Therefore, I came up with a quick script to solve this. Enjoy…
Of course, the AWS SDK for PowerShell is required.

Glenn Russo said,

November 6, 2014 @ 10:22

Any chance you could share the powershell script. 🙂

lantrix said,

November 8, 2014 @ 12:27

It’s embedded in the post as a github gist; which you can find here:

Jamin said,

March 10, 2015 @ 08:56

Nice script. Very helpful. I extended it to do roles as well. Thank you for your help.

# Script to output all the IAM policies

Import-Module AWSPowerShell
# For URL Decode of Policy document
[System.Reflection.Assembly]::LoadWithPartialName("System.web") | out-null
#Form Output for script
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | out-null

#Current Path
$path = (Get-Item -Path ".\" -Verbose).FullName

#Notify User
$caption = "Warning!"
$message = "This Script will override all current policies in:`n$path\Groups`nand`n$path\Roles`n with current AWS Policies! Do you want to proceed"
#4 = MessageBoxButtons.YesNo
$yesNoButtons = 4

if ([System.Windows.Forms.MessageBox]::Show($message, $caption, $yesNoButtons) -eq "NO") {
    Write "Script Terminated"
}
else {
    #delete existing policies stored locally
    if (Test-Path -LiteralPath $path\Groups -PathType Container) {
        Remove-Item -Recurse -Force $path\Groups
    }
    if (Test-Path -LiteralPath $path\Roles -PathType Container) {
        Remove-Item -Recurse -Force $path\Roles
    }
    $searchGroup = @()
    $searchRole = @()
    $groups = Get-IAMGroups
    $roles = Get-IAMRoles
    for ($i=0; $i -lt $groups.Count; $i++) {
        Write-Host -NoNewline "Creating Dir: "
        Write-Host $groups[$i].GroupName
        #create new dir
        New-Item -ItemType directory -Path $path\Groups\$($groups[$i].GroupName) | out-null
        #Add this group to search array
        $searchGroup += $groups[$i].GroupName
    }
    for ($i=0; $i -lt $roles.Count; $i++) {
        Write-Host -NoNewline "Creating Dir: "
        Write-Host $roles[$i].RoleName
        #create new dir
        New-Item -ItemType directory -Path $path\Roles\$($roles[$i].RoleName) | out-null
        #Add this role to search array
        $searchRole += $roles[$i].RoleName
    }
    #Get policies for each group and role and write out to directories
    foreach ($searchtype in $searchGroup) {
        Write-Host -NoNewline "Saving Policies for: "
        Write-Host $searchtype
        $a = Get-IAMGroupPolicies -GroupName  $searchtype
        #$policyName instead of $this, which is a PowerShell automatic variable
        foreach ($policyName in $a) {
            $b = Get-IAMGroupPolicy -GroupName $searchtype -PolicyName $policyName
            $c = $b.PolicyDocument
            [system.web.httputility]::urldecode($c) > $path\Groups\$searchtype\$($b.PolicyName).json
        }
    }
    foreach ($searchtype in $searchRole) {
        Write-Host -NoNewline "Saving Policies for: "
        Write-Host $searchtype
        $a = Get-IAMRolePolicies -RoleName  $searchtype
        foreach ($policyName in $a) {
            $b = Get-IAMRolePolicy -RoleName $searchtype -PolicyName $policyName
            $c = $b.PolicyDocument
            [system.web.httputility]::urldecode($c) > $path\Roles\$searchtype\$($b.PolicyName).json
        }
    }
    Write-Host "Script Finished"
}
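
Once the policy documents are decoded they are plain JSON and can be reviewed offline. The block below is an added example, not part of the original post or of any comment: it decodes one URL-encoded policy document with the same HttpUtility call the script uses and lists Allow statements that pair a wildcard action with Resource "*". The function name Get-WildcardStatement, the wildcard test and the sample policy are assumptions constructed for illustration.

```powershell
# Added example, not from the post: decode an IAM inline policy and flag wildcard grants.
Add-Type -AssemblyName System.Web   # provides System.Web.HttpUtility, as used in the script above

function Get-WildcardStatement {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $EncodedDocument,  # URL-encoded PolicyDocument
        [string] $Owner = '(unknown)'                      # group or role name, for the report
    )
    $policy = [System.Web.HttpUtility]::UrlDecode($EncodedDocument) | ConvertFrom-Json
    # "Statement", "Action" and "Resource" may each be a single value or an array.
    foreach ($stmt in @($policy.Statement)) {
        if ($stmt.Effect -ne 'Allow') { continue }
        # '*' alone, or a service-wide wildcard such as 'iam:*' ([*] matches a literal asterisk)
        $wildActions   = @(@($stmt.Action)   | Where-Object { $_ -eq '*' -or $_ -like '*:[*]' })
        $wildResources = @(@($stmt.Resource) | Where-Object { $_ -eq '*' })
        if ($wildActions.Count -gt 0 -and $wildResources.Count -gt 0) {
            [pscustomobject]@{
                Owner    = $Owner
                Sid      = $stmt.Sid
                Actions  = $wildActions -join ', '
                Resource = '*'
            }
        }
    }
}

# Constructed sample policy (not from a real account), percent-encoded here to stand in
# for the PolicyDocument value that Get-IAMGroupPolicy / Get-IAMRolePolicy return.
$sampleJson = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "ReadOneBucket", "Effect": "Allow",
      "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*" },
    { "Sid": "AllOfIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*" },
    { "Sid": "DenyDelete", "Effect": "Deny", "Action": "*", "Resource": "*" }
  ]
}
'@
$encoded = [uri]::EscapeDataString($sampleJson)

Get-WildcardStatement -EncodedDocument $encoded -Owner 'example-group' | Format-Table -AutoSize
```

Only the AllOfIam statement in the sample is reported; the scoped S3 statement and the Deny statement are skipped.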
