Skip to main content

stave permissions principal

Resolve permissions for a specific principal ARN

Usage

stave permissions principal [flags]

Description

Resolve and display the net effective permissions for a single IAM principal after all policy layers are applied.

Shows: effective allows, SCP ceiling, permission boundary constraint, role chains, and privilege classification.

Exit Codes: 0 Resolution complete, no critical findings 1 Principal has admin-equivalent or escalation findings 3 Incomplete resolution (snapshot data missing) 4 Internal error

Examples: stave nep principal --snapshot obs.json
--principal arn:aws:iam::123456789012:role/data-pipeline

stave nep principal --snapshot obs.json
--principal arn:aws:iam::123456789012:role/app
--format json --show-chains

Flags

FlagTypeDescription
--filter-servicestringfilter to a specific service prefix
-f, --formatstringoutput format: table | json (default: table)
--principalstringprincipal ARN to resolve (required)
--show-chainsboolinclude role chain detail
--show-deniedboolinclude denied actions
--snapshotstringpath to snapshot file (required)

Examples

stave nep principal --snapshot obs.json --principal arn:aws:iam::123:role/app