List all AWS IAM roles with their last used date

The following Python script lists all the AWS IAM roles with their last used date. If a role has not been used, it shows 'Never used' instead of a date. You will need Python 3.8 or above to run the script.

I prefer to use Tabulate to format the output into a table. You can also format the output as HTML or convert it into a CSV file.

Let's start the script to list all IAM roles and their last used dates.

import boto3
import time
from tabulate import tabulate

Once you've imported the boto3, time and tabulate modules, let's set up the AWS session using the AWS config profile and region name.

# Placeholder values: set these to your own AWS config profile and region
profile = 'default'
region = 'eu-west-1'

session = boto3.Session(profile_name=profile, region_name=region)

iam_client = session.client('iam')

# use a paginator if you have a long list of IAM roles

paginator = iam_client.get_paginator('list_roles')
iterator = paginator.paginate()

The following lines set up the header row of the table in the output. In this example, I am only printing the IAM role name and last used date. You can add other attributes like Role Id, Arn, created date, AssumeRolePolicyDocument and action.

pending_request = []
pending_request.append(['IAM Role Name', 'Last used date'])

Here is the main block of code, where the script loops over the pages of results to get the Roles information. From the Roles information, it extracts the RoleName. Once you have the role name, it fetches the role information like Role Id, Arn, created date, AssumeRolePolicyDocument, action and last used date.

# Looping through Roles to get Role names

for page in iterator:
    for role_names in page['Roles']:
        role_name = role_names['RoleName']

        # Getting Role related data (get_role returns RoleLastUsed)

        get_roles = iam_client.get_role(
            RoleName=role_name
        )

        reply = get_roles['Role']
        last_used = reply['RoleLastUsed']

        try:
            # Getting last used date of the role; the key is missing if the role was never used

            last_used_date = last_used['LastUsedDate']

            # add the role name and last used date to the table

            print_response = [reply['RoleName'], last_used_date.strftime("%d/%m/%Y %H:%M:%S")]
            pending_request.append(print_response)

        except KeyError:
            # add role name and 'Never used' if there is no last used date available

            print_response = [reply['RoleName'], 'Never used']
            pending_request.append(print_response)

# Printing the output

print(tabulate(pending_request, headers="firstrow", tablefmt='simple'))

You can change the way the date and time are shown in the output by modifying the values in .strftime("%d/%m/%Y %H:%M:%S").
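To turn the listing above into a least-privilege review, the same RoleLastUsed data can be used to flag roles that are candidates for removal. This is an added example, not part of the original script: the function names, the 90-day threshold and the sample roles are assumptions, and the sample data is constructed in the shape that get_role returns so the block runs without AWS access.

```python
from datetime import datetime, timedelta, timezone

SERVICE_LINKED_PATH = "/aws-service-role/"  # path prefix of service-linked roles
DATE_FMT = "%d/%m/%Y %H:%M:%S"              # same format as the script above


def classify_role(role, now, max_idle_days=90):
    """Classify one get_role()['Role'] dict by how recently it was used."""
    if role.get("Path", "/").startswith(SERVICE_LINKED_PATH):
        return "service-linked"  # owned by an AWS service, review separately
    cutoff = now - timedelta(days=max_idle_days)
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last_used is not None:
        return "active" if last_used >= cutoff else "stale"
    # No LastUsedDate: a role created inside the window has not had time to be used.
    # IAM only reports activity for the trailing 400 days, so an old role with no
    # date may have been used longer ago than that.
    return "never-used" if role["CreateDate"] < cutoff else "too-new"


def stale_report(roles, now=None, max_idle_days=90):
    """Return sorted (name, status, last used) rows for roles worth reviewing."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for role in roles:
        status = classify_role(role, now, max_idle_days)
        if status in ("stale", "never-used"):
            last = role.get("RoleLastUsed", {}).get("LastUsedDate")
            rows.append((role["RoleName"], status,
                         last.strftime(DATE_FMT) if last else "Never used"))
    return sorted(rows)


def _d(y, m, d):  # helper for the constructed sample data (UTC, like boto3)
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _d(2024, 6, 1)  # fixed "today" so the sample output is reproducible
SAMPLE_ROLES = [      # constructed examples, not real roles
    {"RoleName": "ci-deploy", "Path": "/", "CreateDate": _d(2023, 1, 10),
     "RoleLastUsed": {"LastUsedDate": _d(2024, 5, 30), "Region": "eu-west-1"}},
    {"RoleName": "legacy-etl", "Path": "/", "CreateDate": _d(2022, 3, 1),
     "RoleLastUsed": {"LastUsedDate": _d(2023, 11, 15), "Region": "eu-west-1"}},
    {"RoleName": "old-vendor-access", "Path": "/", "CreateDate": _d(2021, 7, 20),
     "RoleLastUsed": {}},
    {"RoleName": "new-lambda-exec", "Path": "/", "CreateDate": _d(2024, 5, 25),
     "RoleLastUsed": {}},
    {"RoleName": "AWSServiceRoleForSupport", "CreateDate": _d(2020, 2, 2),
     "Path": "/aws-service-role/support.amazonaws.com/", "RoleLastUsed": {}},
]

if __name__ == "__main__":
    for row in stale_report(SAMPLE_ROLES, NOW):
        print(row)
```

In the script above, pass each `reply` dict from get_role to `classify_role` instead of the sample data.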

Hope you find it useful.
