AWS IAM Role Policy Attachment
This page shows how to write Terraform and CloudFormation for IAM Role Policy Attachment and write them securely.
aws_iam_role_policy_attachment (Terraform)
The Role Policy Attachment in IAM can be configured in Terraform with the resource name aws_iam_role_policy_attachment
. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks_role.name
}
resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSServicePolicy" {
resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks-cluster-role.name
}
resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSServicePolicy" {
resource "aws_iam_role_policy_attachment" "full_admin" {
count = length(var.saml_provider_arn) > 0 ? 1 : 0
role = aws_iam_role.full_admin[0].name
policy_arn = aws_iam_policy.full_admin.arn
}
Parameters
-
id
optional computed - string -
policy_arn
required - string -
role
required - string
Explanation in Terraform Registry
Attaches a Managed IAM Policy to an IAM role
NOTE: The usage of this resource conflicts with the
aws_iam_policy_attachment
resource and will permanently show a difference if both are defined. NOTE: For a given role, this resource is incompatible with using theaws_iam_role
resourcemanaged_policy_arns
argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and Terraform will show a permanent difference.
Tips: Best Practices for The Other AWS IAM Resources
In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_iam_account_password_policy
Ensure AWS IAM account password policies requires long passwords
It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.
AWS::IAM::Role (CloudFormation)
The Role in IAM can be configured in CloudFormation with the resource name AWS::IAM::Role
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::IAM::Role
SampleCodeBuildServiceRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: ['sts:AssumeRole']
Effect: Allow
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
run: "echo \" AuthorizerIamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\n BatchIamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\n IamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\n LocksIamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\" >> serverless.yml"
shell: bash
- run: echo "Removing deletion policies from config"
shell: bash
- name: Removing deletion policies from config
run: "sed -i '/DeletionPolicy: Retain/d' serverless.yml"
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
],
"AssumeRolePolicyDocument": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "PhonyRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AWSDeepLensServiceRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
"resourceType": "AWS::IAM::Role",
"resourceId": "AROAIVXMURFRN7EZGVNNA",
"resourceName": "config-role",
"relationshipName": "Is attached to Role"
},
{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Version":"2012-10-17",
"Statement":[
{
Parameters
-
AssumeRolePolicyDocument
required - Json -
Description
optional - String -
ManagedPolicyArns
optional - List -
MaxSessionDuration
optional - Integer -
Path
optional - String -
PermissionsBoundary
optional - String -
Policies
optional - List of Policy -
RoleName
optional - String -
Tags
optional - List of Tag
Explanation in CloudFormation Registry
Creates a new role for your AWS account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and AWS STS quotas in the IAM User Guide.
Frequently asked questions
What is AWS IAM Role Policy Attachment?
AWS IAM Role Policy Attachment is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS IAM Role Policy Attachment?
For Terraform, the blacknikka/eks-terraform, msgit17/eks-terraform and GSA/grace-iam source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the suzuxander/samples, rayepps/dragon-api and cmfcruz/cloudformation_templates source code examples are useful. See the CloudFormation Example section for further details.