Retrieval of In-Scope IAM Groups and Roles for User Principals

How are in-scope IAM groups and in-scope IAM roles defined?

To retrieve the complete picture of in-scope IAM groups for a user principal, at least one of two sets of permissions is needed: iam:ListGroupsForUser, or iam:ListGroups together with iam:GetGroup. iam:ListGroupsForUser directly returns the IAM groups that the given user principal ARN belongs to. iam:ListGroups and iam:GetGroup instead list every IAM group and its membership, which must then be filtered down to the groups containing the user in order to obtain the complete set of in-scope IAM groups.

In terms of in-scope IAM roles, the iam:ListRoles permission is needed to retrieve the complete list of IAM roles. The AssumeRolePolicyDocument (trust policy) of each role is then filtered to find which roles can be assumed directly by the user principal, and which can be assumed indirectly through roles that the user principal can already assume; these accumulate into the complete set of in-scope IAM roles.
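The two collection paths for groups and the trust-policy filtering for roles, carried through as an added example (this is not the page's own tooling). It assumes a boto3 IAM client for the live fetch_* helpers (the paginators list_roles, list_groups, list_groups_for_user and get_group are real boto3 paginators), and the account id, user, role and group names in the sample data are constructed. Role reachability is expanded to a fixed point so that roles trusting an already in-scope role are included; same-account root trust and "*" are reported as candidates, since they still require an identity-policy grant and the code does not evaluate Condition blocks.

```python
"""Added example (not from the original page): compute the in-scope IAM groups and
roles of one user principal. The boto3 IAM client calls live only in the fetch_*
helpers, so the module also runs offline on the constructed sample data below."""
import json
import urllib.parse
from typing import Iterable

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """Statement, Action and Principal.AWS may each be a single string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _account_of(arn: str) -> str:
    return arn.split(":")[4]


def trusted_by(role: dict, principal_arns: set) -> bool:
    """True if an Allow statement for sts:AssumeRole names one of principal_arns, the
    same account's root ARN, or "*" (root/"*" are candidates; Conditions are not checked)."""
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):  # raw API output is URL-encoded JSON; boto3 normally decodes it
        doc = json.loads(urllib.parse.unquote(doc))
    accounts = {_account_of(a) for a in principal_arns}
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not {a.lower() for a in _as_list(stmt.get("Action"))} & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        for aws in (_as_list(principal.get("AWS")) if isinstance(principal, dict) else []):
            if aws == "*" or aws in principal_arns:
                return True
            if aws.endswith(":root") and _account_of(aws) in accounts:
                return True
    return False


def in_scope_roles(user_arn: str, roles: Iterable[dict]) -> dict:
    """Map role ARN -> the principal it is reachable from (the user directly, or an
    already in-scope role by chaining), expanded to a fixed point."""
    roles, scope, frontier = list(roles), {}, {user_arn}
    while frontier:
        reached = set()
        for role in roles:
            if role["Arn"] in scope:
                continue
            via = next((p for p in sorted(frontier) if trusted_by(role, {p})), None)
            if via is not None:
                scope[role["Arn"]] = via
                reached.add(role["Arn"])
        frontier = reached
    return scope


def groups_via_membership(user_arn: str, memberships: Iterable[dict]) -> set:
    """Indirect path: filter ListGroups + GetGroup output down to the user's groups."""
    return {m["Group"]["GroupName"] for m in memberships
            if any(u["Arn"] == user_arn for u in m["Users"])}


# Live collection against a boto3 IAM client (assumed; never called at import time).
def fetch_roles(iam) -> list:
    """iam:ListRoles, all pages."""
    return [r for page in iam.get_paginator("list_roles").paginate() for r in page["Roles"]]


def fetch_groups_direct(iam, user_name: str) -> set:
    """Direct path: iam:ListGroupsForUser already returns only the user's groups."""
    pages = iam.get_paginator("list_groups_for_user").paginate(UserName=user_name)
    return {g["GroupName"] for page in pages for g in page["Groups"]}


def fetch_memberships(iam) -> list:
    """Indirect path: iam:ListGroups, then iam:GetGroup per group (Users is paginated)."""
    out = []
    for page in iam.get_paginator("list_groups").paginate():
        for g in page["Groups"]:
            users = [u for p in iam.get_paginator("get_group").paginate(GroupName=g["GroupName"])
                     for u in p["Users"]]
            out.append({"Group": g, "Users": users})
    return out


# Constructed sample data: hypothetical account, user, role and group names.
ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"


def _role(name: str, principal: dict) -> dict:
    return {"RoleName": name, "Arn": f"arn:aws:iam::{ACCOUNT}:role/{name}",
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}}


SAMPLE_ROLES = [
    _role("Direct", {"AWS": USER_ARN}),                                # trusts alice directly
    _role("Chained", {"AWS": f"arn:aws:iam::{ACCOUNT}:role/Direct"}),  # reachable only via Direct
    _role("AccountWide", {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}),     # same-account root trust
    _role("Service", {"Service": "ec2.amazonaws.com"}),                # service principal only
    _role("Foreign", {"AWS": "arn:aws:iam::999999999999:root"}),       # another account's root
]
SAMPLE_MEMBERSHIPS = [
    {"Group": {"GroupName": "admins"}, "Users": [{"Arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}]},
    {"Group": {"GroupName": "developers"},
     "Users": [{"Arn": USER_ARN}, {"Arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}]},
]
```

On the sample data, in_scope_roles(USER_ARN, SAMPLE_ROLES) returns Direct and AccountWide as reachable from the user and Chained as reachable via Direct, while the service-only and foreign-account roles are excluded; groups_via_membership(USER_ARN, SAMPLE_MEMBERSHIPS) returns only "developers". Against a real account, feed fetch_roles(iam) and fetch_memberships(iam) to the same two functions, or use fetch_groups_direct(iam, user_name) when iam:ListGroupsForUser is available.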
