GetAccountAuthorizationDetails
Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.
Note
Policies returned by this operation are URL-encoded compliant
with RFC 3986decode
method of the java.net.URLDecoder
utility class in
the Java SDK. Other languages and SDKs provide similar functionality.
You can optionally filter the results using the Filter
parameter. You can
paginate the results using the MaxItems
and Marker
parameters.
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
- Filter.member.N
-
A list of entity types used to filter the results. Only the entities that match the types you specify are included in the output. Use the value
LocalManagedPolicy
to include customer managed policies.The format for this parameter is a comma-separated (if more than one) list of strings. Each string value in the list must be one of the valid values listed below.
Type: Array of strings
Valid Values:
User | Role | Group | LocalManagedPolicy | AWSManagedPolicy
Required: No
- Marker
-
Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the
Marker
element in the response that you received to indicate where the next call should start.Type: String
Length Constraints: Minimum length of 1.
Pattern:
[\u0020-\u00FF]+
Required: No
- MaxItems
-
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the
IsTruncated
response element istrue
.If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the
IsTruncated
response element returnstrue
, andMarker
contains a value to include in the subsequent call that tells the service where to continue from.Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
Response Elements
The following elements are returned by the service.
- GroupDetailList.member.N
-
A list containing information about IAM groups.
Type: Array of GroupDetail objects
- IsTruncated
-
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the
Marker
request parameter to retrieve more items. Note that IAM might return fewer than theMaxItems
number of results even when there are more results available. We recommend that you checkIsTruncated
after every call to ensure that you receive all your results.Type: Boolean
- Marker
-
When
IsTruncated
istrue
, this element is present and contains the value to use for theMarker
parameter in a subsequent pagination request.Type: String
- Policies.member.N
-
A list containing information about managed policies.
Type: Array of ManagedPolicyDetail objects
- RoleDetailList.member.N
-
A list containing information about IAM roles.
Type: Array of RoleDetail objects
- UserDetailList.member.N
-
A list containing information about IAM users.
Type: Array of UserDetail objects
Errors
For information about the errors that are common to all actions, see Common Errors.
- ServiceFailure
-
The request processing has failed because of an unknown error, exception or failure.
HTTP Status Code: 500
Examples
Example
This example illustrates one usage of GetAccountAuthorizationDetails.
Sample Request
https://iam.amazonaws.com/?Action=GetAccountAuthorizationDetails
&Version=2010-05-08
&AUTHPARAMS
Sample Response
<GetAccountAuthorizationDetailsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<GetAccountAuthorizationDetailsResult>
<IsTruncated>true</IsTruncated>
<UserDetailList>
<member>
<GroupList>
<member>Admins</member>
</GroupList>
<AttachedManagedPolicies/>
<UserId>AIDACKCEVSQ6C2EXAMPLE</UserId>
<Path>/</Path>
<UserName>Alice</UserName>
<Arn>arn:aws:iam::123456789012:user/Alice</Arn>
<CreateDate>2013-10-14T18:32:24Z</CreateDate>
</member>
<member>
<GroupList>
<member>Admins</member>
</GroupList>
<AttachedManagedPolicies/>
<UserPolicyList>
<member>
<PolicyName>DenyBillingAndIAMPolicy</PolicyName>
<PolicyDocument>
{"Version":"2012-10-17","Statement":{"Effect":"Deny","Action":
["aws-portal:*","iam:*"],"Resource":"*"}}
</PolicyDocument>
</member>
</UserPolicyList>
<UserId>AIDACKCEVSQ6C3EXAMPLE</UserId>
<Path>/</Path>
<UserName>Bob</UserName>
<Arn>arn:aws:iam::123456789012:user/Bob</Arn>
<CreateDate>2013-10-14T18:32:25Z</CreateDate>
</member>
<member>
<GroupList>
<member>Dev</member>
<AttachedManagedPolicies/>
</GroupList>
<UserId>AIDACKCEVSQ6C4EXAMPLE</UserId>
<Path>/</Path>
<UserName>Charlie</UserName>
<Arn>arn:aws:iam::123456789012:user/Charlie</Arn>
<CreateDate>2013-10-14T18:33:56Z</CreateDate>
</member>
<member>
<GroupList>
<member>Dev</member>
</GroupList>
<AttachedManagedPolicies/>
<UserId>AIDACKCEVSQ6C5EXAMPLE</UserId>
<Path>/</Path>
<UserName>Danielle</UserName>
<Arn>arn:aws:iam::123456789012:user/Danielle</Arn>
<CreateDate>2013-10-14T18:33:56Z</CreateDate>
</member>
<member>
<GroupList>
<member>Finance</member>
</GroupList>
<AttachedManagedPolicies/>
<UserId>AIDACKCEVSQ6C6EXAMPLE</UserId>
<Path>/</Path>
<UserName>Elaine</UserName>
<Arn>arn:aws:iam::123456789012:user/Elaine</Arn>
<CreateDate>2013-10-14T18:57:48Z</CreateDate>
</member>
</UserDetailList>
<Marker>
EXAMPLEkakv9BCuUNFDtxWSyfzetYwEx2ADc8dnzfvERF5S6YMvXKx41t6gCl/eeaCX3Jo94/
bKqezEAg8TEVS99EKFLxm3jtbpl25FDWEXAMPLE
</Marker>
<GroupDetailList>
<member>
<GroupId>AIDACKCEVSQ6C7EXAMPLE</GroupId>
<AttachedManagedPolicies>
<member>
<PolicyName>AdministratorAccess</PolicyName>
<PolicyArn>arn:aws:iam::aws:policy/AdministratorAccess</PolicyArn>
</member>
</AttachedManagedPolicies>
<GroupName>Admins</GroupName>
<Path>/</Path>
<Arn>arn:aws:iam::123456789012:group/Admins</Arn>
<CreateDate>2013-10-14T18:32:24Z</CreateDate>
<GroupPolicyList/>
</member>
<member>
<GroupId>AIDACKCEVSQ6C8EXAMPLE</GroupId>
<AttachedManagedPolicies>
<member>
<PolicyName>PowerUserAccess</PolicyName>
<PolicyArn>arn:aws:iam::aws:policy/PowerUserAccess</PolicyArn>
</member>
</AttachedManagedPolicies>
<GroupName>Dev</GroupName>
<Path>/</Path>
<Arn>arn:aws:iam::123456789012:group/Dev</Arn>
<CreateDate>2013-10-14T18:33:55Z</CreateDate>
<GroupPolicyList/>
</member>
<member>
<GroupId>AIDACKCEVSQ6C9EXAMPLE</GroupId>
<AttachedManagedPolicies/>
<GroupName>Finance</GroupName>
<Path>/</Path>
<Arn>arn:aws:iam::123456789012:group/Finance</Arn>
<CreateDate>2013-10-14T18:57:48Z</CreateDate>
<GroupPolicyList>
<member>
<PolicyName>policygen-201310141157</PolicyName>
<PolicyDocument>
{"Version":"2012-10-17","Statement":[{"Action":["aws-portal:*"],
"Sid":"Stmt1381777017000","Resource":["*"],"Effect":"Allow"}]}
</PolicyDocument>
</member>
</GroupPolicyList>
</member>
</GroupDetailList>
<RoleDetailList>
<member>
<RolePolicyList/>
<AttachedManagedPolicies>
<member>
<PolicyName>AmazonS3FullAccess</PolicyName>
<PolicyArn>arn:aws:iam::aws:policy/AmazonS3FullAccess</PolicyArn>
</member>
<member>
<PolicyName>AmazonDynamoDBFullAccess</PolicyName>
<PolicyArn>arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess</PolicyArn>
</member>
</AttachedManagedPolicies>
<InstanceProfileList>
<member>
<InstanceProfileName>EC2role</InstanceProfileName>
<Roles>
<member>
<Path>/</Path>
<Arn>arn:aws:iam::123456789012:role/EC2role</Arn>
<RoleName>EC2role</RoleName>
<AssumeRolePolicyDocument>
{"Version":"2012-10-17","Statement":[{"Sid":"",
"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},
"Action":"sts:AssumeRole"}]}
</AssumeRolePolicyDocument>
<CreateDate>2014-07-30T17:09:20Z</CreateDate>
<RoleId>AROAFP4BKI7Y7TEXAMPLE</RoleId>
<RoleLastUsed>
<LastUsedDate>2019-11-20T17:09:20Z</LastUsedDate>
<Region>us-east-1</Region>
</RoleLastUsed>
</member>
</Roles>
<Path>/</Path>
<Arn>arn:aws:iam::123456789012:instance-profile/EC2role</Arn>
<InstanceProfileId>AIPAFFYRBHWXW2EXAMPLE</InstanceProfileId>
<CreateDate>2014-07-30T17:09:20Z</CreateDate>
</member>
</InstanceProfileList>
<Path>/</Path>
<Arn>arn:aws:iam::123456789012:role/EC2role</Arn>
<RoleName>EC2role</RoleName>
<AssumeRolePolicyDocument>
{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow",
"Principal":{"Service":"ec2.amazonaws.com"},
"Action":"sts:AssumeRole"}]}
</AssumeRolePolicyDocument>
<CreateDate>2014-07-30T17:09:20Z</CreateDate>
<RoleId>AROAFP4BKI7Y7TEXAMPLE</RoleId> </member>
</RoleDetailList>
<Policies>
<member>
<PolicyName>create-update-delete-set-managed-policies</PolicyName>
<DefaultVersionId>v1</DefaultVersionId>
<PolicyId>ANPAJ2UCCR6DPCEXAMPLE</PolicyId>
<Path>/</Path>
<PolicyVersionList>
<member>
<Document>
{"Version":"2012-10-17","Statement":{"Effect":"Allow",
"Action":["iam:CreatePolicy","iam:CreatePolicyVersion",
"iam:DeletePolicy","iam:DeletePolicyVersion","iam:GetPolicy",
"iam:GetPolicyVersion","iam:ListPolicies",
"iam:ListPolicyVersions","iam:SetDefaultPolicyVersion"],
"Resource":"*"}}
</Document>
<IsDefaultVersion>true</IsDefaultVersion>
<VersionId>v1</VersionId>
<CreateDate>2015-02-06T19:58:34Z</CreateDate>
</member>
</PolicyVersionList>
<Arn>
arn:aws:iam::123456789012:policy/create-update-delete-set-managed-policies
</Arn>
<AttachmentCount>1</AttachmentCount>
<CreateDate>2015-02-06T19:58:34Z</CreateDate>
<IsAttachable>true</IsAttachable>
<UpdateDate>2015-02-06T19:58:34Z</UpdateDate>
</member>
<member>
<PolicyName>S3-read-only-specific-bucket</PolicyName>
<DefaultVersionId>v1</DefaultVersionId>
<PolicyId>ANPAJ4AE5446DAEXAMPLE</PolicyId>
<Path>/</Path>
<PolicyVersionList>
<member>
<Document>
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":
["s3:Get*","s3:List*"],"Resource":["arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/*"]}]}
</Document>
<IsDefaultVersion>true</IsDefaultVersion>
<VersionId>v1</VersionId>
<CreateDate>2015-01-21T21:39:41Z</CreateDate>
</member>
</PolicyVersionList>
<Arn>arn:aws:iam::123456789012:policy/S3-read-only-specific-bucket</Arn>
<AttachmentCount>1</AttachmentCount>
<CreateDate>2015-01-21T21:39:41Z</CreateDate>
<IsAttachable>true</IsAttachable>
<UpdateDate>2015-01-21T23:39:41Z</UpdateDate>
</member>
<member>
<PolicyName>AWSOpsWorksRole</PolicyName>
<DefaultVersionId>v1</DefaultVersionId>
<PolicyId>ANPAE376NQ77WV6KGJEBE</PolicyId>
<Path>/service-role/</Path>
<PolicyVersionList>
<member>
<Document>
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":
["cloudwatch:GetMetricStatistics","ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones","ec2:DescribeInstances",
"ec2:DescribeKeyPairs","ec2:DescribeSecurityGroups","ec2:DescribeSubnets",
"ec2:DescribeVpcs","elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancers","iam:GetRolePolicy",
"iam:ListInstanceProfiles","iam:ListRoles","iam:ListUsers",
"iam:PassRole","opsworks:*","rds:*"],"Resource":["*"]}]}
</Document>
<IsDefaultVersion>true</IsDefaultVersion>
<VersionId>v1</VersionId>
<CreateDate>2014-12-10T22:57:47Z</CreateDate>
</member>
</PolicyVersionList>
<Arn>arn:aws:iam::aws:policy/service-role/AWSOpsWorksRole</Arn>
<AttachmentCount>1</AttachmentCount>
<CreateDate>2015-02-06T18:41:27Z</CreateDate>
<IsAttachable>true</IsAttachable>
<UpdateDate>2015-02-06T18:41:27Z</UpdateDate>
</member>
<member>
<PolicyName>AmazonEC2FullAccess</PolicyName>
<DefaultVersionId>v1</DefaultVersionId>
<PolicyId>ANPAE3QWE5YT46TQ34WLG</PolicyId>
<Path>/</Path>
<PolicyVersionList>
<member>
<Document>
{"Version":"2012-10-17","Statement":[{"Action":"ec2:*",
"Effect":"Allow","Resource":"*"},{"Effect":"Allow",
"Action":"elasticloadbalancing:*","Resource":"*"},{"Effect":"Allow",
"Action":"cloudwatch:*","Resource":"*"},{"Effect":"Allow",
"Action":"autoscaling:*","Resource":"*"}]}
</Document>
<IsDefaultVersion>true</IsDefaultVersion>
<VersionId>v1</VersionId>
<CreateDate>2014-10-30T20:59:46Z</CreateDate>
</member>
</PolicyVersionList>
<Arn>arn:aws:iam::aws:policy/AmazonEC2FullAccess</Arn>
<AttachmentCount>1</AttachmentCount>
<CreateDate>2015-02-06T18:40:15Z</CreateDate>
<IsAttachable>true</IsAttachable>
<UpdateDate>2015-02-06T18:40:15Z</UpdateDate>
</member>
</Policies>
</GetAccountAuthorizationDetailsResult>
<ResponseMetadata>
<RequestId>92e79ae7-7399-11e4-8c85-4b53eEXAMPLE</RequestId>
</ResponseMetadata>
</GetAccountAuthorizationDetailsResponse>
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: