Attach an Inline Policy to a Role with AWS CLI

Borislav Hadzhiev

Thu Sep 16 2021, 3 min read

Table of Contents #

  1. Attaching Inline Policies to an IAM Role with AWS CLI
  2. Deleting Inline Policies from an IAM Role with AWS CLI

Attaching Inline Policies to an IAM Role with AWS CLI #

IAM policies define specific permissions needed to access AWS resources and can be associated with IAM roles, users or groups.

To attach an inline policy to an IAM role, we have to:

  1. write the policy document and store it as a JSON file on the local file system
  2. run the AWS CLI put-role-policy command, pointing it at that file

This is an example inline policy that grants read access to some CloudWatch actions:

read-cloudwatch.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Now that we have the policy stored on the local file system, open your terminal in the directory where you stored the file and execute the put-role-policy command:

shell
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file://read-cloudwatch.json

Notice that the read-cloudwatch.json file name is prefixed with file:// in the --policy-document parameter.

When passing local files as parameters to an AWS CLI command, prefix the path with file:// for human-readable (text) files or with fileb:// for binary files.

In the snippet above we assume that the terminal is open in the same directory as the read-cloudwatch.json file; if the terminal is in a different directory we can still point to the file by path.

For example, on Linux and macOS you can use relative and absolute paths as follows:

shell
# relative path, starting from the current directory
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file://./my-folder/read-cloudwatch.json

# absolute path (notice the 3 `/` characters in the file:/// prefix)
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file:///home/john/read-bucket.json

On Windows you can specify the file:// prefix as follows:

shell
aws iam put-role-policy --role-name YourRole --policy-name YourPolicy --policy-document file://C:\my-folder\read-bucket.json

To verify that the inline policy was successfully attached to the role, execute the list-role-policies command:

shell
aws iam list-role-policies --role-name YourRole

Inline policies have a one-to-one relationship with their principal (IAM role, user or group): an inline policy belongs to exactly one principal, so if we delete the IAM role, the inline policy is deleted with it.

When using a JSON file to attach an inline policy to an IAM role, make sure that the JSON is syntactically correct.

If there is a syntax error in the policy file, the AWS CLI rejects the call with an error of the form "(MalformedPolicyDocument) when calling the PutRolePolicy operation: Syntax errors in policy."
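Because IAM only reports "Syntax errors in policy" after the round trip, it is worth validating the document locally first. The following is an added example, not code from the original post: a small POSIX shell wrapper that parses the JSON file with Python before calling put-role-policy, and refuses to call the AWS CLI at all when the file does not parse (a trailing comma inside the Action array is a typical cause). It assumes the aws CLI and python3 (or python) are on PATH, and the role and policy names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: validate the inline policy
# document locally before calling put-role-policy, so a JSON typo is caught
# here instead of coming back as a MalformedPolicyDocument error from IAM.

# Return 0 if the file parses as JSON, 1 otherwise. Uses the json module of
# whichever Python interpreter is on PATH (assumption: python3 or python).
validate_policy_json() {
    py=$(command -v python3 || command -v python) || return 1
    "$py" -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
}

# Validate, then attach the inline policy. Returns non-zero without calling
# the AWS CLI when the document is not valid JSON.
# Usage: put_inline_policy <role-name> <policy-name> <path-to-json>
put_inline_policy() {
    role="$1"; policy="$2"; doc="$3"
    if ! validate_policy_json "$doc"; then
        echo "refusing to call put-role-policy: $doc is not valid JSON" >&2
        return 1
    fi
    # An absolute path yields the file:/// form mentioned in the post;
    # a relative path yields file://./... or file://name.json.
    aws iam put-role-policy \
        --role-name "$role" \
        --policy-name "$policy" \
        --policy-document "file://$doc"
}

# Example call (placeholder role and policy names):
# put_inline_policy YourRole YourPolicy read-cloudwatch.json
```

The validation only checks that the file is well-formed JSON; it does not check IAM policy grammar (unknown actions, wrong element names), which IAM still validates on the PutRolePolicy call.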


Deleting Inline Policies from an IAM Role with AWS CLI #

To get the name of the policy that should get deleted from the role, run the list-role-policies command:

shell
aws iam list-role-policies --role-name YourRole

To delete an inline policy from an IAM role using the AWS CLI, run the delete-role-policy command with the role name and the policy name:

shell
aws iam delete-role-policy --role-name YourRole --policy-name YourPolicy


To verify the inline policy has been deleted from the role, run the list-role-policies command again:

shell
aws iam list-role-policies --role-name YourRole
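Running list-role-policies before and after by hand is fine interactively; in a script you want the same check done for you. The following is an added example, not code from the original post: POSIX shell functions that read the role's inline policy names with list-role-policies (using the CLI's --query option on the PolicyNames output key), delete the named policy only if it is actually attached, and return non-zero if it is still listed afterwards. It assumes the aws CLI is on PATH; the role and policy names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a role carries a
# given inline policy, delete it only when present, and confirm the removal.

# Print the role's inline policy names, one per line. --query is the AWS
# CLI's JMESPath option and PolicyNames is list-role-policies' output key;
# text output prints the list tab-separated, so split it onto lines.
list_inline_policies() {
    aws iam list-role-policies --role-name "$1" \
        --query 'PolicyNames[]' --output text | tr '\t' '\n'
}

# Return 0 if the role has an inline policy with exactly this name.
role_has_inline_policy() {
    list_inline_policies "$1" | grep -qxF -- "$2"
}

# Delete the inline policy if present and verify it is gone afterwards.
# Returns 0 when the policy is absent at the end, 1 if it is still attached.
# Usage: delete_inline_policy_verified <role-name> <policy-name>
delete_inline_policy_verified() {
    role="$1"; policy="$2"
    if ! role_has_inline_policy "$role" "$policy"; then
        echo "no inline policy named $policy on role $role; nothing to delete" >&2
        return 0
    fi
    aws iam delete-role-policy --role-name "$role" --policy-name "$policy"
    if role_has_inline_policy "$role" "$policy"; then
        echo "policy $policy is still attached to $role" >&2
        return 1
    fi
}

# Example call (placeholder names):
# delete_inline_policy_verified YourRole YourPolicy
```

The pre-check matters because delete-role-policy on a name that does not exist fails with a NoSuchEntity error, which would abort a script run under set -e; treating "already absent" as success makes the cleanup idempotent.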
