====== IAM ======
===== Get unused security groups =====
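#!/usr/bin/env bash
# List every security group in the account behind the "nonprod_admin" profile
# and report which ones are not attached to any network interface (ENI).
# Groups that no ENI references are candidates for removal.
#
# Requires: aws CLI with a working "nonprod_admin" profile, jq.
# Output (stdout): one TAB-separated line per group:
#   <GroupId> <GroupName> UNUSED | in use (<n> ENIs)
#
# Caveat: a group that is only referenced from another group's rules (and not
# attached to an ENI) is also reported as UNUSED here; AWS still refuses to
# delete it until that referencing rule is removed, so check for such
# references before deleting anything.
set -euo pipefail

profile='nonprod_admin'

# Read groups one per line as TAB-separated "id<TAB>name". The original
# unquoted for-loop word-split the CSV output, so any name or description
# containing a space produced bogus iterations.
while IFS=$'\t' read -r group_id group_name; do
  # Number of ENIs that reference this group; 0 means nothing (EC2, RDS,
  # Lambda, load balancer, ...) is currently attached through it.
  eni_count=$(aws ec2 describe-network-interfaces \
      --profile "$profile" \
      --filters "Name=group-id,Values=${group_id}" \
      --query 'length(NetworkInterfaces)' \
      --output text)
  if [[ "$eni_count" == "0" ]]; then
    printf '%s\t%s\tUNUSED\n' "$group_id" "$group_name"
  else
    printf '%s\t%s\tin use (%s ENIs)\n' "$group_id" "$group_name" "$eni_count"
  fi
done < <(aws ec2 describe-security-groups --profile "$profile" \
          | jq --raw-output '.SecurityGroups[] | [.GroupId, .GroupName] | @tsv')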
===== List roles =====
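$ aws iam list-roles --profile dev_admin | jq '.Roles[].RoleName' | grep -iE 'dev|test|nonprod'   # quote the jq filter: an unquoted .[][] is a shell glob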
"AJS-stepFunctionTest"
"AndrewLambdaTest"
"codebuild-test-service-role"
"codebuild-test-service-role22"
"developer"
===== Assume role =====
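#!/usr/bin/env bash
# Assume the same role name in several accounts and print the resulting
# identity for each one.
#
# Each account is handled in a subshell so the temporary credentials obtained
# for one account are discarded before the next iteration. Without that, the
# exported keys from iteration 1 would be used to call assume-role for
# account 2 (role chaining, usually not what is intended) and would linger in
# the environment.
#
# Do not run this with `set -x`: the trace would print the secret key and
# session token.
set -euo pipefail

# Role NAME only. The original stored a full ARN here and then embedded it in
# another ARN, producing "arn:aws:iam::<acct>:role/arn:aws:iam::...", which
# can never match a role.
ROLE_NAME='myrole_ec2'
SESSION_NAME='AWSCLI-Session'

for ACCOUNT in 123412341234 432143214321; do
  printf 'Using account %s\n' "$ACCOUNT"
  (
    RESULT=$(aws sts assume-role \
        --role-arn "arn:aws:iam::${ACCOUNT}:role/${ROLE_NAME}" \
        --role-session-name "$SESSION_NAME")
    # assume-role returns the temporary keys under .Credentials; they are
    # only valid until .Credentials.Expiration.
    AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<<"$RESULT")
    AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' <<<"$RESULT")
    AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' <<<"$RESULT")
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    aws sts get-caller-identity   # should show the assumed role in ${ACCOUNT}
  )
done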
===== AWS SSO =====
For times when you need to authenticate on a remote system that has no browser. If the normal `aws sso login` fails with an error about a redirect to 127.0.0.1 (the CLI tried to open a local browser and catch the callback), use the device-code flow instead; this flag needs a reasonably recent AWS CLI v2:
# Device-code flow: the CLI prints a URL and a one-time code to enter in a
# browser on any other machine, so no local browser or 127.0.0.1 redirect is
# needed on the host running the command.
aws configure sso --use-device-code