From 159a9d862c023d46523706cca2bf74393f46302a Mon Sep 17 00:00:00 2001
From: Kenneth Toler
Date: Tue, 25 Sep 2018 16:22:30 -0400
Subject: [PATCH] added roles assumable commenting assumable role functionality removed hardcoded region from roles assumable
---
 libs/iam.py | 27 +++++++++++++++++++++++++++
 modules/iam.py | 6 ++++++
 2 files changed, 33 insertions(+)
diff --git a/libs/iam.py b/libs/iam.py
index c8f1062..25f3cf4 100644
--- a/libs/iam.py
+++ b/libs/iam.py
@@ -455,6 +455,33 @@ def iam_list_roles():
 except KeyboardInterrupt:
 print("CTRL-C received, exiting...")
+def iam_list_roles_assumable():
+ '''
+ Lists IAM roles that are assumable by AWS Principals and excludes roles that are assumable by Services
+ '''
+ print("### Roles that can be Assumed by AWS Principals ###")
+ try:
+ for region in regions:
+ client = boto3.client('iam', region_name=region)
+ response = client.list_roles()
+ roles = response.get("Roles")
+ for role in roles:
+ if "AWS" in role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]:
+ print(role["RoleId"] + " " + role["RoleName"])
+ print(role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]["AWS"])
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'OptInRequired':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print("Unexpected error: {}" .format(e))
+ except KeyboardInterrupt:
+ print("CTRL-C received, exiting...")
 def iam_list_policies():
 '''
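Review bot: The principal check in the new `for role in roles` loop inspects only `Statement[0]` and only its `AWS` key, so a role whose cross-account trust sits in a later statement, or whose `Principal` is the wildcard `"*"` (the broadest trust and the one a reviewer most wants surfaced), is silently excluded — and because the IAM policy grammar allows `Statement` to be a single bare object rather than a list, the `[0]` index can raise a `KeyError` that neither `except` clause catches. `client.list_roles()` is also called without pagination, so an account with more than one page of roles is only partly listed; `client.get_paginator('list_roles')` walks every page. IAM is a global service, so the `for region in regions` loop (presumably iterating a module-level list defined outside this hunk) reprints the same roles once per region, and a single client suffices. The rewrite below walks every statement, reports the wildcard principal, and leaves the `except` handling unchanged.
```python
    try:
        # IAM is global: one client is enough, and the paginator covers accounts with more than one page of roles
        client = boto3.client('iam', region_name=regions[0])
        for page in client.get_paginator('list_roles').paginate():
            for role in page["Roles"]:
                statements = role["AssumeRolePolicyDocument"]["Statement"]
                if isinstance(statements, dict):  # policy grammar allows a single bare statement
                    statements = [statements]
                for statement in statements:
                    principal = statement.get("Principal")
                    if principal == "*":
                        trusted = "*"
                    elif isinstance(principal, dict) and "AWS" in principal:
                        trusted = principal["AWS"]
                    else:
                        continue
                    print(role["RoleId"] + " " + role["RoleName"])
                    print(trusted)
    # … unchanged: except botocore.exceptions.ClientError / KeyboardInterrupt handling …
```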
diff --git a/modules/iam.py b/modules/iam.py
index b191b20..901494d 100644
--- a/modules/iam.py
+++ b/modules/iam.py
@@ -60,6 +60,12 @@ def module_iam_list_roles():
 '''
 iam_list_roles()
+def module_iam_list_roles_assumable():
+ '''
+ Lists the IAM roles that have the specified path prefix that are assumable by AWS principals and excludes roles assumable by AWS services. If there are none, the operation returns an empty list.
+ python3 weirdAAL.py -m iam_list_roles_assumable -t yolo
+ '''
+ iam_list_roles_assumable()
 def module_iam_list_policies():
 '''
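Review bot: The docstring of `module_iam_list_roles_assumable` describes behaviour the wrapper does not have: nothing in this commit accepts a path prefix, and `iam_list_roles_assumable()` prints its matches and returns `None`, not "an empty list" — the sentence reads as copied from the AWS ListRoles reference. Suggest replacing the first docstring line with `Lists IAM roles whose trust policy names an AWS principal (same- or cross-account), skipping roles assumable only by AWS services; prints nothing when there are none.` and keeping the usage line `python3 weirdAAL.py -m iam_list_roles_assumable -t yolo` (the `-t` argument is not used by the wrapper itself; presumably it is the target label the CLI requires, which is outside this hunk).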