Attach an existing policy to an existing role in CloudFormation

Question

How can a CloudFormation template attach an **existing** Policy to an **existing** Role?

From what I see we can:

- Attach a new policy to an existing role (`Roles` key on [AWS::IAM::(Managed)Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html))
- Attach an existing policy to a new role (`ManagedPolicyArns` key on [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html))

...but seems like maybe you'd need to resort to a custom resource for the case where both already exist?

For my use case, a solution with either Inline or Managed policies would be fine.

Accepted Answer

This is not possible in CloudFormation today as there is no such resource. Also, if we consider CloudFormation had a resource to do this, it would just be a logical resource that attaches a policy to a role, just like how we have route to route table attachment. 
So your options are

1. Use custom resource or 
 2. Create a new role and attach an existing policy to it or 
 3. Create a new policy and attach it to an existing role or 
 4. Create both in CloudFormation

Attach an existing policy to an existing role in CloudFormation

相關內容