Sometimes, we want to know if we have the necessary permissions to execute a certain command, but we don’t really want to execute it!
And let’s say that for some reason we can’t access IAM and check our permissions
For this, we have --dry-run, a parameter that is applicable to some commands that we can use in our AWS CLI.
Suppose we want to know if our user has the necessary permissions to run instances! we have a test user, teratip.
A correct example of run-instances would be something like this:
aws ec2 run-instances --image-id ami-02edf5731752693cc --instance-type t2.micro
But we don't want to run this, because if we have the correct permissions the instance will be created, and our billing will be affected!
So let’s just add --dry run to the command and see what happens
aws ec2 run-instances --dry-run --image-id ami-02edf5731752693cc --instance-type t2.micro
The message indicates that an error occurred when calling the RunInstances operation and the request would have been successful but we have specified the --dry-run flag
This is the correct behavior when we have the proper permissions for the operation.
Now, using a user that does have access to IAM, let’s check the policy assigned to the Teratip user:
As we can see, the Teratip user has the correct permissions to execute the ec2 run-instances command.
Now, let’s do a test, and remove the assigned policy from the user, and see what happens when we execute the command:
As we can see, then the operation is executed with --dry-run, and we don’t have the necessary permissions, we get a long error like this.
This is a great way to test our API calls and without affecting your billing.
Follow us on our social networks for more TeraTips