added roles assumable

commenting assumable role functionality removed hardcoded region from roles assumable
2018-09-25 16:22:30 -04:00
parent e66a273277
commit 159a9d862c
2 changed files with 33 additions and 0 deletions
--- a/libs/iam.py
+++ b/libs/iam.py
@@ -455,6 +455,33 @@ def iam_list_roles():
    except KeyboardInterrupt:
        print("CTRL-C received, exiting...")

+def iam_list_roles_assumable():
+    '''
+    Lists IAM roles that are assumable by AWS Principals and excludes roles that are assumable by Services
+    '''
+    print("### Roles that can be Assumed by AWS Principals ###")
+    try:
+        for region in regions:
+            client = boto3.client('iam', region_name=region)
+            response = client.list_roles()
+            roles = response.get("Roles")
+            for role in roles:
+                if "AWS" in role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]:
+                    print(role["RoleId"] + " " + role["RoleName"])
+                    print(role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]["AWS"])
+    except botocore.exceptions.ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientTokenId':
+            sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+        elif e.response['Error']['Code'] == 'AccessDenied':
+            print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+        elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+            print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+        elif e.response['Error']['Code'] == 'OptInRequired':
+            print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+        else:
+            print("Unexpected error: {}" .format(e))
+    except KeyboardInterrupt:
+        print("CTRL-C received, exiting...")

 def iam_list_policies():
    '''
--- a/modules/iam.py
+++ b/modules/iam.py
@@ -60,6 +60,12 @@ def module_iam_list_roles():
    '''
    iam_list_roles()

+def module_iam_list_roles_assumable():
+    '''
+    Lists the IAM roles that have the specified path prefix that are assumable by AWS principals and excludes roles assumable by AWS services. If there are none, the operation returns an empty list.
+    python3 weirdAAL.py -m iam_list_roles_assumable -t yolo
+    '''
+    iam_list_roles_assumable()

 def module_iam_list_policies():
    '''