How can I attach an IAM managed policy to an IAM role in AWS CloudFormation?
I want to add an existing or new AWS Identity and Access Management (IAM) managed policy to a new or existing IAM role in AWS CloudFormation.
Short description
To add an existing or new IAM managed policy to a new IAM role resource, use the ManagedPolicyArns property of resource type AWS::IAM::Role. To add a new IAM managed policy to an existing IAM role resource, use the Roles property of resource type AWS::IAM::ManagedPolicy.
Your IAM managed policy can be an AWS managed policy or a customer managed policy.
Important: You can attach a maximum of 10 managed policies to an IAM role or user. The size of each managed policy can't exceed 6,144 characters. For more information, see IAM and STS quotas.
Based on your scenario, complete the steps in one of the following sections:
- Add an existing IAM managed policy to a new IAM role
- Add a new IAM managed policy to a new IAM role
- Add a new IAM managed policy to an existing IAM role
Resolution
Add an existing IAM managed policy to a new IAM role
1. In your AWS CloudFormation template, create a parameter or parameters that you can use to pass in the Amazon Resource Name (ARN) of your IAM managed policy. See the following JSON and YAML examples.
JSON:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "awsExampleManagedPolicyParameterOne": {
      "Type": "String",
      "Description": "ARN of the first IAM Managed Policy to add to the role"
    },
    "awsExampleManagedPolicyParameterTwo": {
      "Type": "String",
      "Description": "ARN of the second IAM Managed Policy to add to the role"
    }
  }
}
YAML:
Parameters:
  awsExampleManagedPolicyParameterOne:
    Type: String
    Description: 'ARN of the first IAM Managed Policy to add to the role'
  awsExampleManagedPolicyParameterTwo:
    Type: String
    Description: 'ARN of the second IAM Managed Policy to add to the role'
2. In the Resources section of your template, for the resource of type AWS::IAM::Role, set Ref to the parameters that you created in step 1. For this example, these are the awsExampleManagedPolicyParameterOne and awsExampleManagedPolicyParameterTwo parameters. See the following JSON and YAML examples.
JSON:
{
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": [
          { "Ref": "awsExampleManagedPolicyParameterOne" },
          { "Ref": "awsExampleManagedPolicyParameterTwo" }
        ]
      }
    }
  }
}
YAML:
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - !Ref awsExampleManagedPolicyParameterOne
        - !Ref awsExampleManagedPolicyParameterTwo
3. To apply your existing IAM managed policy to your new IAM role, create a stack or update an existing stack based on your modified AWS CloudFormation template.
Add a new IAM managed policy to a new IAM role
1. In your AWS CloudFormation template, create a new policy using the AWS::IAM::ManagedPolicy resource. See the following JSON and YAML examples.
JSON:
{
  "SampleManagedPolicy": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowAllUsersToListAccounts",
            "Effect": "Allow",
            "Action": [
              "iam:ListAccountAliases",
              "iam:ListUsers",
              "iam:GetAccountSummary"
            ],
            "Resource": "*"
          }
        ]
      }
    }
  }
}
YAML:
SampleManagedPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: AllowAllUsersToListAccounts
          Effect: Allow
          Action:
            - iam:ListAccountAliases
            - iam:ListUsers
            - iam:GetAccountSummary
          Resource: "*"
2. Use the !Ref logical ID syntax to attach the IAM managed policy resource to the AWS::IAM::Role resource.
For example, set Ref to the resource logical ID that you created in step 1 (SampleManagedPolicy). See the following JSON and YAML examples.
JSON:
{
  "RootRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ec2.amazonaws.com"
              ]
            },
            "Action": [
              "sts:AssumeRole"
            ]
          }
        ]
      },
      "Path": "/",
      "ManagedPolicyArns": [
        { "Ref": "SampleManagedPolicy" }
      ]
    }
  }
}
YAML:
RootRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - !Ref SampleManagedPolicy
3. To apply your new IAM managed policy to your new IAM role, create a stack or update an existing stack based on your modified AWS CloudFormation template.
Add a new IAM managed policy to an existing IAM role
1. In your AWS CloudFormation template, create a parameter of type CommaDelimitedList that you can use to pass in the names of your existing roles. See the following JSON and YAML examples.
JSON:
{
  "Parameters": {
    "awsExampleRolesParameter": {
      "Type": "CommaDelimitedList",
      "Description": "Names of existing Roles you want to add to the newly created Managed Policy"
    }
  }
}
YAML:
Parameters:
  awsExampleRolesParameter:
    Type: CommaDelimitedList
    Description: Names of existing Roles you want to add to the newly created Managed Policy
2. In the Resources section of your template, for the resource of type AWS::IAM::ManagedPolicy, set Ref to the parameter that you created in step 1 (awsExampleRolesParameter). See the following JSON and YAML examples.
JSON:
{
  "Resources": {
    "SampleManagedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowAllUsersToListAccounts",
              "Effect": "Allow",
              "Action": [
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:GetAccountSummary"
              ],
              "Resource": "*"
            }
          ]
        },
        "Roles": { "Ref": "awsExampleRolesParameter" }
      }
    }
  }
}
YAML:
Resources:
  SampleManagedPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAllUsersToListAccounts
            Effect: Allow
            Action:
              - 'iam:ListAccountAliases'
              - 'iam:ListUsers'
              - 'iam:GetAccountSummary'
            Resource: '*'
      Roles: !Ref awsExampleRolesParameter
3. To apply your new IAM managed policy to your existing IAM role, create a stack or update an existing stack based on your modified AWS CloudFormation template.
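As an added pre-deployment check (example code, not part of the AWS article), the following Python script lints the IAM resources in a template against the two quotas quoted above, flags a ManagedPolicyArns Ref that points at a stack resource other than an AWS::IAM::ManagedPolicy, and reports any Allow statement whose Action and Resource are both "*". The template it parses is constructed from the article's own examples plus one deliberately over-broad policy; it reads JSON text only, since YAML with !Ref tags would need a tag-aware loader.

```python
import json

MAX_MANAGED_POLICIES_PER_ROLE = 10  # quota quoted in the article
MAX_MANAGED_POLICY_CHARS = 6144     # quota quoted in the article

# Constructed sample template (JSON text): the article's SampleManagedPolicy and RootRole,
# plus a deliberately over-broad policy so the check has something to report.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "SampleManagedPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Sid": "AllowAllUsersToListAccounts", "Effect": "Allow",
        "Action": ["iam:ListAccountAliases", "iam:ListUsers", "iam:GetAccountSummary"], "Resource": "*"}]}}},
    "TooBroadPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "RootRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]},
        "Path": "/",
        "ManagedPolicyArns": [{"Ref": "SampleManagedPolicy"}, {"Ref": "TooBroadPolicy"}]}}}})


def policy_size(policy_document):
    """Character count as IAM measures it: whitespace is not counted, so serialise compactly."""
    return len(json.dumps(policy_document, separators=(",", ":")))


def lint_template(template_json):
    """Return a list of findings for the IAM resources in a CloudFormation template (JSON text)."""
    findings = []
    resources = json.loads(template_json).get("Resources", {})
    for name, resource in resources.items():
        props = resource.get("Properties", {})
        if resource.get("Type") == "AWS::IAM::Role":
            arns = props.get("ManagedPolicyArns", [])
            if len(arns) > MAX_MANAGED_POLICIES_PER_ROLE:
                findings.append(f"{name}: {len(arns)} managed policies exceeds the quota of {MAX_MANAGED_POLICIES_PER_ROLE}")
            for arn in arns:
                # A Ref to a Parameter (the article's first scenario) is not in Resources and is skipped;
                # a Ref to a stack resource must point at a managed policy.
                target = resources.get(arn.get("Ref")) if isinstance(arn, dict) else None
                if target is not None and target.get("Type") != "AWS::IAM::ManagedPolicy":
                    findings.append(f"{name}: ManagedPolicyArns Ref {arn['Ref']} is not an AWS::IAM::ManagedPolicy")
        elif resource.get("Type") == "AWS::IAM::ManagedPolicy":
            doc = props.get("PolicyDocument", {})
            if policy_size(doc) > MAX_MANAGED_POLICY_CHARS:
                findings.append(f"{name}: policy document is {policy_size(doc)} characters, quota is {MAX_MANAGED_POLICY_CHARS}")
            for stmt in doc.get("Statement", []):
                actions = stmt.get("Action", [])  # Action may be a single string or a list
                if stmt.get("Effect") == "Allow" and "*" in ([actions] if isinstance(actions, str) else actions) and stmt.get("Resource") == "*":
                    findings.append(f"{name}: statement allows all actions on all resources")
    return findings
```

Run lint_template(SAMPLE_TEMPLATE) before calling create-stack or update-stack; an empty list means the template passed every check.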