AWS IAM Role Policy

This page shows how to write Terraform and CloudFormation for IAM Role Policy and write them securely.

aws_iam_role_policy (Terraform)

The Role Policy in IAM can be configured in Terraform with the resource name aws_iam_role_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

iam_role_policy.tf#L3
resource "aws_iam_role_policy" "bag_register_replica_primary_readonly" {
  role   = module.bag_register.task_role_name
  policy = data.aws_iam_policy_document.replica_primary_readonly.json
}

# bags_api
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "AWS-CodePipeline-Service_oneClick_AWS-CodePipeline-Service_1524238658996" {
  name = "oneClick_AWS-CodePipeline-Service_1524238658996"

  policy = <<POLICY
{
  "Statement": [
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "AWS-CodePipeline-Service_oneClick_AWS-CodePipeline-Service_1524238658996" {
  name = "oneClick_AWS-CodePipeline-Service_1524238658996"

  policy = <<POLICY
{
  "Statement": [
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "ecs_goobi_s3_config_read" {
  role   = module.goobi.task_role
  policy = data.aws_iam_policy_document.s3_read_workflow-configuration.json
}

resource "aws_iam_role_policy" "ecs_goobi_s3_data_rw" {
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "ecs_goobi_s3_config_read" {
  role   = module.goobi.task_role
  policy = data.aws_iam_policy_document.s3_read_workflow-configuration.json
}

resource "aws_iam_role_policy" "ecs_goobi_s3_data_rw" {

Parameters

Explanation in Terraform Registry

Provides an IAM role inline policy.

NOTE: For a given role, this resource is incompatible with using the aws_iam_role resource inline_policy argument. When using that argument and this resource, both will attempt to manage the role's inline policies and Terraform will show a permanent difference.

AWS::IAM::Role (CloudFormation)

The Role in IAM can be configured in CloudFormation with the resource name AWS::IAM::Role. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

deploy.yml#L56
        Type: "AWS::IAM::Role"
        Properties:
            AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: "Allow"
action.yml#L29
      run: "echo \"    AuthorizerIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    BatchIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    IamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    LocksIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\" >> serverless.yml"
      shell: bash
    - run: echo "Removing deletion policies from config"
      shell: bash
    - name: Removing deletion policies from config
      run: "sed -i '/DeletionPolicy: Retain/d' serverless.yml"
serverless.yml#L160
      Type: AWS::IAM::Role
      Properties:
        RoleName: slsLambdaDbRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
serverless.yml#L139
    #   Type: AWS::IAM::Role
    #   Properties:
    #     Path: /
    #     RoleName: ${self:provider.stage}EventWriterRole
    #     AssumeRolePolicyDocument:
    #       Version: '2012-10-17'
security.yml#L13
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
demo.json#L8
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/ReadOnlyAccess"
                ],
                "AssumeRolePolicyDocument": {
Scout2-Master-002-IAMRoles-Global-Wait.json#L5
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "PhonyRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
DeepLensIamRoles.json#L5
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "AWSDeepLensServiceRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
integ.runtime.inlinecode.expected.json#L4
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
AWS_IAM_Policy.json#L19
        "resourceType": "AWS::IAM::Role",
        "resourceId": "AROAIVXMURFRN7EZGVNNA",
        "resourceName": "config-role",
        "relationshipName": "Is attached to Role"
      },
      {

Parameters

Explanation in CloudFormation Registry

Creates a new role for your AWS account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and AWS STS quotas in the IAM User Guide.

Frequently asked questions

What is AWS IAM Role Policy?

AWS IAM Role Policy is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM Role Policy?

For Terraform, the wellcomecollection/storage-service, mortyre/misc and mortyre/misc source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the pipmagnet/dukascopy-data, troyready/git-lfs-s3 and twils0/finance-sls-lambda-node-db source code examples are useful. See the CloudFormation Example section for further details.