Attach an Inline Policy to a Role with AWS CLI

Table of Contents #

1. Attaching Inline Policies to an IAM Role with AWS CLI
2. Deleting Inline Policies from an IAM Role with AWS CLI

Attaching Inline Policies to an IAM Role with AWS CLI #

IAM policies define specific permissions needed to access AWS resources and can be associated with IAM roles, users or groups.

To attach an inline policy to an IAM role, we have to:

1. write and store the policy in a json file on the local file system
2. run the AWS CLI put-role-policy command

This is an example inline policy that grants read access to some CloudWatch actions:

Copied!
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Now that we have the policy stored on the local file system, open your terminal in the directory where you stored the file and run the put-role-policy command:

Copied!
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file://read-cloudwatch.json

Notice that the inline-policy.json file is prefixed with file:// in the --policy-document parameter.

In the code snippet we assume that the terminal is located in the same directory as the inline-policy.json file, however if the terminal is in a different directory we can still point to the file.

For example on linux and macOS you can use relative and absolute paths as follows:

Copied!
# relative path, navigate to directory
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file://./my-folder/read-cloudwatch.json

# absolute path (notice 3 `/` characters in file:/// prefix)
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file:///home/john/read-bucket.json

On windows you can specify a file:// prefix as follows:

Copied!
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file://C:\my-folder\read-bucket.json

To verify that the inline policy was successfully attached to the role, run the list-role-policies command:

Copied!
aws iam list-role-policies --role-name YourRole

When using a json file to attach inline policies to an IAM role, make sure that the json is syntactically correct.

Deleting Inline Policies from an IAM Role with AWS CLI #

To get the name of the policy that should get deleted from the role, run the list-role-policies command:

Copied!
aws iam list-role-policies --role-name YourRole

To delete an inline policy, attached to an IAM Role, using the AWS CLI, run the delete-role-policy command.

Copied!
aws iam delete-role-policy --role-name YourRole --policy-name YourPolicy

To verify the inline policy has been deleted from the role, run the list-role-policies command again:

Copied!
aws iam list-role-policies --role-name YourRole

Further Reading #

• How to turn off the Pager in AWS CLI
• How to Get your Account Id with AWS CLI
• How to Get your Default Profile with AWS CLI
• Manage Multiple Accounts with the AWS CLI
• Set your Default Profile's Name in AWS CLI
• How to Clear your AWS CLI Credentials
• Create a Role with AWS CLI - Complete Guide
• Create a Lambda Function with AWS CLI - Complete Guide
• Invoke Lambda Functions with AWS CLI - Complete Guide
• Tag an S3 Bucket with AWS CLI
• AWS CDK Tutorial for Beginners - Step-by-Step Guide
• How to use Parameters in AWS CDK