我正在控制台中查看 IAM 角色,我相信该角色已在 CloudFormation 模板中定义。如何识别定义 IAM 角色的模板?
以下 bash 脚本将扫描您账户中(所有区域)的所有 canformation 模板,并输出包含定义的所有 IAM 角色列表的 CSV。
(需要您拥有 AWS CLI 并经过身份验证)
#!/bin/bash
# Get a list of all AWS regions
REGIONS=$(aws ec2 describe-regions --query "Regions[*].RegionName" --output text)
# Loop through each region
for region in $REGIONS; do
echo "Checking region: $region"
# Get a list of all CloudFormation stacks in the region
STACKS=$(aws cloudformation list-stacks --region "$region" --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE --query "StackSummaries[*].StackName" --output text)
# Check if there are any stacks in this region
if [ -n "$STACKS" ]; then
# Loop through each stack
for stack in $STACKS; do
# Describe the stack resources
RESOURCES=$(aws cloudformation describe-stack-resources --region "$region" --stack-name "$stack" --query "StackResources[?ResourceType=='AWS::IAM::Role'].PhysicalResourceId" --output text)
# Check if there are any IAM roles in this stack
if [ -n "$RESOURCES" ]; then
# Loop through each IAM role
for role in $RESOURCES; do
echo "'$region', '$stack', '$role'"
done
fi
done
else
echo "No stacks found in region: $region"
fi
done