1. Check Current AWS Identity
aws sts get-caller-identity
Use this first to see who you are currently acting as.
2. Check Current AWS CLI Credential/Profile
aws configure list
If profile shows <not set>, AWS CLI is usually using the default profile.
3. List All AWS Profiles
aws configure list-profiles
4. Test a Specific Profile
aws sts get-caller-identity --profile PROFILE_NAME
5. Credential Files
cat ~/.aws/credentials
cat ~/.aws/config
Edit directly if needed:
nano ~/.aws/credentials
nano ~/.aws/config
6. If You Are an IAM User
List attached managed policies:
aws iam list-attached-user-policies --user-name USER_NAME
List inline policies:
aws iam list-user-policies --user-name USER_NAME
List groups:
aws iam list-groups-for-user --user-name USER_NAME
Get one inline policy:
aws iam get-user-policy --user-name USER_NAME --policy-name POLICY_NAME
7. If You Are Using a Role
List attached managed policies:
aws iam list-attached-role-policies --role-name ROLE_NAME
List inline policies:
aws iam list-role-policies --role-name ROLE_NAME
Get one inline policy:
aws iam get-role-policy --role-name ROLE_NAME --policy-name POLICY_NAME
8. Check Group Policies
aws iam list-attached-group-policies --group-name GROUP_NAME
aws iam list-group-policies --group-name GROUP_NAME
9. Inspect a Managed Policy
aws iam get-policy --policy-arn POLICY_ARN
aws iam get-policy-version --policy-arn POLICY_ARN --version-id VERSION_ID
10. Fastest Way to Check a Specific Permission
Use AWS Console:
- Open IAM
- Open Policy Simulator
- Select your user or role
- Test actions such as:
  s3:CreateBucket
  lambda:CreateFunction
  cloudformation:CreateStack
  iam:PassRole
11. Common Permissions for CDK Deploy
cloudformation:*
s3:*
lambda:*
dynamodb:*
apigateway:*
iam:PassRole
iam:CreateRole
iam:AttachRolePolicy
12. Quick Workflow
aws configure list
aws sts get-caller-identity
aws configure list-profiles
Then:
- if ARN contains user/, inspect the IAM user
- if ARN contains assumed-role/, inspect the IAM role
- if deployment fails, check iam:PassRole first
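
The quick workflow above as a script (an added example, not part of the original cheat sheet): it classifies the ARN returned by aws sts get-caller-identity and prints the matching inspection commands from sections 6 and 7. The function names classify_arn and next_steps and the sample ARNs (account 111122223333) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: map a caller ARN to the IAM inspection commands on this page.
# classify_arn / next_steps are hypothetical helper names, not AWS CLI features.

# classify_arn ARN -> prints "<kind> <name>" where kind is user | role | root | other
classify_arn() {
  local arn="$1" resource
  # ARN layout: arn:partition:service:region:account-id:resource
  resource="${arn#arn:*:*:*:*:}"
  case "$resource" in
    user/*)         echo "user ${resource##*/}" ;;   # IAM users may carry a path; the name is the last segment
    assumed-role/*) resource="${resource#assumed-role/}"
                    echo "role ${resource%%/*}" ;;   # assumed-role/ROLE_NAME/SESSION_NAME: drop the session name
    root)           echo "root -" ;;
    *)              echo "other $resource" ;;
  esac
}

# next_steps ARN -> prints the follow-up commands for that principal
next_steps() {
  local out kind name
  out="$(classify_arn "$1")"
  kind="${out%% *}"
  name="${out#* }"
  case "$kind" in
    user) printf '%s\n' \
            "aws iam list-attached-user-policies --user-name $name" \
            "aws iam list-user-policies --user-name $name" \
            "aws iam list-groups-for-user --user-name $name" ;;
    role) printf '%s\n' \
            "aws iam list-attached-role-policies --role-name $name" \
            "aws iam list-role-policies --role-name $name" ;;
    *)    echo "ARN has no user/ or assumed-role/ ($out): inspect manually" ;;
  esac
}

# Constructed sample ARNs so the script runs offline.
for sample in \
  "arn:aws:iam::111122223333:user/dev/alice" \
  "arn:aws:sts::111122223333:assumed-role/DeployRole/cdk-session"
do
  echo "# $sample"
  next_steps "$sample"
done

# Live use: next_steps "$(aws sts get-caller-identity --query Arn --output text)"
```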