AWS IAM Role Policy
This page shows how to write Terraform and CloudFormation for IAM Role Policy and write them securely.
aws_iam_role_policy (Terraform)
The Role Policy in IAM can be configured in Terraform with the resource name aws_iam_role_policy
. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_iam_role_policy" "bag_register_replica_primary_readonly" {
role = module.bag_register.task_role_name
policy = data.aws_iam_policy_document.replica_primary_readonly.json
}
# bags_api
resource "aws_iam_role_policy" "AWS-CodePipeline-Service_oneClick_AWS-CodePipeline-Service_1524238658996" {
name = "oneClick_AWS-CodePipeline-Service_1524238658996"
policy = <<POLICY
{
"Statement": [
resource "aws_iam_role_policy" "AWS-CodePipeline-Service_oneClick_AWS-CodePipeline-Service_1524238658996" {
name = "oneClick_AWS-CodePipeline-Service_1524238658996"
policy = <<POLICY
{
"Statement": [
resource "aws_iam_role_policy" "ecs_goobi_s3_config_read" {
role = module.goobi.task_role
policy = data.aws_iam_policy_document.s3_read_workflow-configuration.json
}
resource "aws_iam_role_policy" "ecs_goobi_s3_data_rw" {
resource "aws_iam_role_policy" "ecs_goobi_s3_config_read" {
role = module.goobi.task_role
policy = data.aws_iam_policy_document.s3_read_workflow-configuration.json
}
resource "aws_iam_role_policy" "ecs_goobi_s3_data_rw" {
Parameters
-
id
optional computed - string -
name
optional computed - string -
name_prefix
optional - string -
policy
required - string -
role
required - string
Explanation in Terraform Registry
Provides an IAM role inline policy.
NOTE: For a given role, this resource is incompatible with using the
aws_iam_role
resourceinline_policy
argument. When using that argument and this resource, both will attempt to manage the role's inline policies and Terraform will show a permanent difference.
Tips: Best Practices for The Other AWS IAM Resources
In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_iam_account_password_policy
Ensure AWS IAM account password policies requires long passwords
It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.
AWS::IAM::Role (CloudFormation)
The Role in IAM can be configured in CloudFormation with the resource name AWS::IAM::Role
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
run: "echo \" AuthorizerIamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\n BatchIamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\n IamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\n LocksIamRoleLambdaExecution:\n Type: AWS::IAM::Role\n Properties:\n PermissionsBoundary: ${{ inputs.boundary_policy }}\" >> serverless.yml"
shell: bash
- run: echo "Removing deletion policies from config"
shell: bash
- name: Removing deletion policies from config
run: "sed -i '/DeletionPolicy: Retain/d' serverless.yml"
Type: AWS::IAM::Role
Properties:
RoleName: slsLambdaDbRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
# Type: AWS::IAM::Role
# Properties:
# Path: /
# RoleName: ${self:provider.stage}EventWriterRole
# AssumeRolePolicyDocument:
# Version: '2012-10-17'
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
],
"AssumeRolePolicyDocument": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "PhonyRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AWSDeepLensServiceRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"resourceType": "AWS::IAM::Role",
"resourceId": "AROAIVXMURFRN7EZGVNNA",
"resourceName": "config-role",
"relationshipName": "Is attached to Role"
},
{
Parameters
-
AssumeRolePolicyDocument
required - Json -
Description
optional - String -
ManagedPolicyArns
optional - List -
MaxSessionDuration
optional - Integer -
Path
optional - String -
PermissionsBoundary
optional - String -
Policies
optional - List of Policy -
RoleName
optional - String -
Tags
optional - List of Tag
Explanation in CloudFormation Registry
Creates a new role for your AWS account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and AWS STS quotas in the IAM User Guide.
Frequently asked questions
What is AWS IAM Role Policy?
AWS IAM Role Policy is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS IAM Role Policy?
For Terraform, the wellcomecollection/storage-service, mortyre/misc and mortyre/misc source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the pipmagnet/dukascopy-data, troyready/git-lfs-s3 and twils0/finance-sls-lambda-node-db source code examples are useful. See the CloudFormation Example section for further details.