AWS IAM Role Policy

This page shows how to write Terraform and CloudFormation for IAM Role Policy and write them securely.

aws_iam_role_policy (Terraform)

The Role Policy in IAM can be configured in Terraform with the resource name aws_iam_role_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

iam_role_policy.tf#L3
resource "aws_iam_role_policy" "bag_register_replica_primary_readonly" {
  role   = module.bag_register.task_role_name
  policy = data.aws_iam_policy_document.replica_primary_readonly.json
}

# bags_api
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "AWS-CodePipeline-Service_oneClick_AWS-CodePipeline-Service_1524238658996" {
  name = "oneClick_AWS-CodePipeline-Service_1524238658996"

  policy = <<POLICY
{
  "Statement": [
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "AWS-CodePipeline-Service_oneClick_AWS-CodePipeline-Service_1524238658996" {
  name = "oneClick_AWS-CodePipeline-Service_1524238658996"

  policy = <<POLICY
{
  "Statement": [
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "ecs_goobi_s3_config_read" {
  role   = module.goobi.task_role
  policy = data.aws_iam_policy_document.s3_read_workflow-configuration.json
}

resource "aws_iam_role_policy" "ecs_goobi_s3_data_rw" {
iam_role_policy.tf#L1
resource "aws_iam_role_policy" "ecs_goobi_s3_config_read" {
  role   = module.goobi.task_role
  policy = data.aws_iam_policy_document.s3_read_workflow-configuration.json
}

resource "aws_iam_role_policy" "ecs_goobi_s3_data_rw" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an IAM role inline policy.

NOTE: For a given role, this resource is incompatible with using the aws_iam_role resource inline_policy argument. When using that argument and this resource, both will attempt to manage the role's inline policies and Terraform will show a permanent difference.

Tips: Best Practices for The Other AWS IAM Resources

In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_iam_account_password_policy

Ensure AWS IAM account password policies requires long passwords

It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.

Review your AWS IAM settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::IAM::Role (CloudFormation)

The Role in IAM can be configured in CloudFormation with the resource name AWS::IAM::Role. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

deploy.yml#L56
        Type: "AWS::IAM::Role"
        Properties:
            AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: "Allow"
action.yml#L29
      run: "echo \"    AuthorizerIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    BatchIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    IamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    LocksIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\" >> serverless.yml"
      shell: bash
    - run: echo "Removing deletion policies from config"
      shell: bash
    - name: Removing deletion policies from config
      run: "sed -i '/DeletionPolicy: Retain/d' serverless.yml"
serverless.yml#L160
      Type: AWS::IAM::Role
      Properties:
        RoleName: slsLambdaDbRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
serverless.yml#L139
    #   Type: AWS::IAM::Role
    #   Properties:
    #     Path: /
    #     RoleName: ${self:provider.stage}EventWriterRole
    #     AssumeRolePolicyDocument:
    #       Version: '2012-10-17'
security.yml#L13
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
demo.json#L8
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/ReadOnlyAccess"
                ],
                "AssumeRolePolicyDocument": {
DeepLensIamRoles.json#L5
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "AWSDeepLensServiceRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
Scout2-Master-002-IAMRoles-Global-Wait.json#L5
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "PhonyRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
integ.runtime.inlinecode.expected.json#L4
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
AWS_IAM_Policy.json#L19
        "resourceType": "AWS::IAM::Role",
        "resourceId": "AROAIVXMURFRN7EZGVNNA",
        "resourceName": "config-role",
        "relationshipName": "Is attached to Role"
      },
      {

Parameters

Explanation in CloudFormation Registry

Creates a new role for your AWS account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and AWS STS quotas in the IAM User Guide.

Frequently asked questions

What is AWS IAM Role Policy?

AWS IAM Role Policy is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM Role Policy?

For Terraform, the wellcomecollection/storage-service, mortyre/misc and mortyre/misc source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the pipmagnet/dukascopy-data, troyready/git-lfs-s3 and twils0/finance-sls-lambda-node-db source code examples are useful. See the CloudFormation Example section for further details.