Table: alicloud_ram_role - Query Alicloud RAM Roles using SQL
Alicloud RAM (Resource Access Management) is a service that helps you manage user identities and access permissions. You can create and manage multiple identities under your Alibaba Cloud account, and control the resources that each identity can access. RAM allows you to grant precise access permissions to different users, user groups, and roles.
Table Usage Guide
The alicloud_ram_role table provides insights into RAM roles within Alicloud Resource Access Management. As a security analyst, explore role-specific details through this table, including permissions, trust policies, and associated metadata. Utilize it to uncover information about roles, such as those with wildcard permissions, the trust relationships between roles, and the verification of trust policies.
Examples
List the policies attached to the roles
This query is used to gain insights into the various policies attached to different roles within your Alicloud RAM. It allows you to assess the elements within each role's policy, such as the policy's name, type, default version, and attachment date, providing a comprehensive overview of your role-based access controls.
Postgres:

```sql
select
  name,
  policies ->> 'PolicyName' as policy_name,
  policies ->> 'PolicyType' as policy_type,
  policies ->> 'DefaultVersion' as policy_default_version,
  policies ->> 'AttachDate' as policy_attachment_date
from
  alicloud_ram_role,
  jsonb_array_elements(attached_policy) as policies
order by
  name;
```

SQLite:

```sql
select
  name,
  json_extract(policies.value, '$.PolicyName') as policy_name,
  json_extract(policies.value, '$.PolicyType') as policy_type,
  json_extract(policies.value, '$.DefaultVersion') as policy_default_version,
  json_extract(policies.value, '$.AttachDate') as policy_attachment_date
from
  alicloud_ram_role,
  json_each(attached_policy) as policies
order by
  name;
```
Find all roles having Administrator access
Discover the roles that have Administrator access within your account. This is particularly useful for auditing purposes, ensuring only the correct roles have such high-level permissions.
Postgres:

```sql
select
  name,
  policies ->> 'PolicyName' as policy_name
from
  alicloud_ram_role,
  jsonb_array_elements(attached_policy) as policies
where
  policies ->> 'PolicyName' = 'AdministratorAccess';
```

SQLite:

```sql
select
  name,
  json_extract(policies.value, '$.PolicyName') as policy_name
from
  alicloud_ram_role,
  json_each(attached_policy) as policies
where
  json_extract(policies.value, '$.PolicyName') = 'AdministratorAccess';
```
Find all roles that grant cross-account access in the Trust Policy
This query allows you to identify roles that have been granted access to other accounts within the Trust Policy, providing a way to review and manage cross-account permissions. This can be useful in maintaining security and control over data access across multiple accounts.
Postgres:

```sql
select
  name,
  principal,
  split_part(principal, ':', 4) as foreign_account
from
  alicloud_ram_role,
  jsonb_array_elements(assume_role_policy_document -> 'Statement') as stmt,
  jsonb_array_elements_text(stmt -> 'Principal' -> 'RAM') as principal
where
  split_part(principal, ':', 4) <> account_id;
```

SQLite:

Error: SQLite does not support split or string_to_array functions.
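The same cross-account check can still be run on SQLite without split_part. The query below is an added example, not part of the original table docs; it walks the trust policy with json_each and matches the account segment of each principal with LIKE. It assumes RAM principals are ARNs of the form acs:ram::&lt;account_id&gt;:..., which is why the Postgres query above reads the fourth colon-separated field.

```sql
-- Added example (not from the original table docs): SQLite form of the
-- cross-account trust-policy check, avoiding split_part/string_to_array.
-- Assumption: RAM principals are ARNs of the form acs:ram::<account_id>:...,
-- so the account ID follows the 'acs:ram::' prefix.
select
  r.name,
  p.value as principal
from
  alicloud_ram_role as r,
  -- one row per Statement in the trust policy
  json_each(r.assume_role_policy_document, '$.Statement') as s,
  -- one row per RAM principal; json_each also yields a single row when
  -- Principal.RAM is a lone string rather than an array, and no rows
  -- when the statement has no RAM principal (e.g. a Service principal)
  json_each(s.value, '$.Principal.RAM') as p
where
  -- flag any principal whose account segment is not this account's ID;
  -- a bare '*' wildcard principal never matches the prefix, so it is flagged too
  p.value not like 'acs:ram::' || r.account_id || ':%'
order by
  r.name;
```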
Query examples
- action_trails_for_ram_role
- ecs_instances_for_ram_role
- ram_policies_for_ram_role
- ram_policies_for_role
- ram_role_1_year_count
- ram_role_24_hours_count
- ram_role_30_90_days_count
- ram_role_30_days_count
- ram_role_90_365_days_count
- ram_role_age_table
- ram_role_allows_cross_account_access_count
- ram_role_count
- ram_role_input
- ram_role_overview
- ram_role_policy_count_for_role
- ram_role_with_admin_access
- ram_role_with_admin_access_count
- ram_role_with_cross_account_access
- ram_roles_by_account
- ram_roles_by_creation_month
- ram_roles_for_ecs_instance
- ram_roles_for_ram_policy
- ram_roles_without_policy_count
- ram_user_manage_policies_hierarchy
Schema for alicloud_ram_role
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Alicloud Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Alibaba Cloud Resource Name (ARN) of the RAM role. |
assume_role_policy_document | jsonb | | The content of the policy that specifies one or more entities entrusted to assume the RAM role. |
assume_role_policy_document_std | jsonb | | The standard content of the policy that specifies one or more entities entrusted to assume the RAM role. |
attached_policy | jsonb | | A list of policies attached to a RAM role. |
create_date | timestamp with time zone | | The time when the RAM role was created. |
description | text | | The description of the RAM role. |
max_session_duration | bigint | | The maximum session duration of the RAM role. |
name | text | = | The name of the RAM role. |
region | text | | The Alicloud region in which the resource is located. |
role_id | text | | The ID of the RAM role. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
update_date | timestamp with time zone | | The time when the RAM role was modified. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_alicloud --config '<your_config>' alicloud_ram_role
```