AWS IAM Role

This page shows how to write Terraform and CloudFormation for IAM Role and write them securely.

aws_iam_role (Terraform)

The Role in IAM can be configured in Terraform with the resource name aws_iam_role. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

iamr.tf#L1
resource "aws_iam_role" "AWSServiceRoleForAmazonInspector" {
    name               = "AWSServiceRoleForAmazonInspector"
    path               = "/aws-service-role/inspector.amazonaws.com/"
    assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
iamr.tf#L1
resource "aws_iam_role" "aws-ec2-spot-fleet-tagging-role" {
    name               = "aws-ec2-spot-fleet-tagging-role"
    path               = "/"
    assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
iamr.tf#L1
resource "aws_iam_role" "aws-elasticbeanstalk-ec2-role" {
  name               = "aws-elasticbeanstalk-ec2-role"
  path               = "/"
  assume_role_policy = <<POLICY
{
  "Version": "2008-10-17",
iamr.tf#L1
resource "aws_iam_role" "aws-elasticbeanstalk-ec2-role" {
  name               = "aws-elasticbeanstalk-ec2-role"
  path               = "/"
  assume_role_policy = <<POLICY
{
  "Version": "2008-10-17",
iamr.tf#L1
resource "aws_iam_role" "aws-elasticbeanstalk-ec2-role" {
  name               = "aws-elasticbeanstalk-ec2-role"
  path               = "/"
  assume_role_policy = <<POLICY
{
  "Version": "2008-10-17",

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an IAM role.

NOTE: If policies are attached to the role via the aws_iam_policy_attachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The aws_iam_role_policy_attachment resource (recommended) does not have this requirement. NOTE: If you use this resource's managed_policy_arns argument or inline_policy configuration blocks, this resource will take over exclusive management of the role's respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role's policies, such as aws_iam_policy_attachment, aws_iam_role_policy_attachment, and aws_iam_role_policy. If you attempt to manage a role's policies by multiple means, you will get resource cycling and/or errors.

Tips: Best Practices for The Other AWS IAM Resources

In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_iam_account_password_policy

Ensure AWS IAM account password policies requires long passwords

It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.

Review your AWS IAM settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::IAM::Role (CloudFormation)

The Role in IAM can be configured in CloudFormation with the resource name AWS::IAM::Role. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

role.yml#L47
    Type: AWS::IAM::Role
  SampleCodeBuildServiceRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
groups.yml#L47
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action: ['sts:AssumeRole']
          Effect: Allow
automation-roles.yml#L43
    Type: AWS::IAM::Role
  ConfigureS3BucketLoggingRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
action.yml#L29
      run: "echo \"    AuthorizerIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    BatchIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    IamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\n    LocksIamRoleLambdaExecution:\n      Type: AWS::IAM::Role\n      Properties:\n        PermissionsBoundary: ${{ inputs.boundary_policy }}\" >> serverless.yml"
      shell: bash
    - run: echo "Removing deletion policies from config"
      shell: bash
    - name: Removing deletion policies from config
      run: "sed -i '/DeletionPolicy: Retain/d' serverless.yml"
security.yml#L13
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
demo.json#L8
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/ReadOnlyAccess"
                ],
                "AssumeRolePolicyDocument": {
DeepLensIamRoles.json#L5
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "AWSDeepLensServiceRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
Scout2-Master-002-IAMRoles-Global-Wait.json#L5
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "PhonyRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
AWS_IAM_Policy.json#L19
        "resourceType": "AWS::IAM::Role",
        "resourceId": "AROAIVXMURFRN7EZGVNNA",
        "resourceName": "config-role",
        "relationshipName": "Is attached to Role"
      },
      {
identity-iam-roles.cloudformation.json#L175
         "Type":"AWS::IAM::Role",
         "Properties":{
            "AssumeRolePolicyDocument":{
               "Version":"2012-10-17",
               "Statement":[
                  {

Parameters

Explanation in CloudFormation Registry

Creates a new role for your AWS account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and AWS STS quotas in the IAM User Guide.

Frequently asked questions

What is AWS IAM Role?

AWS IAM Role is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM Role?

For Terraform, the mdigbazova/terraforming-4ha-live-all-resources, LuisFros/public-travis-builder and palerique/dynamodb-studies source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the suzuxander/samples, rayepps/dragon-api and gabrielkoo/aws-systemmanager-automation-roles source code examples are useful. See the CloudFormation Example section for further details.