Attach a Policy to a Role with AWS CLI - Complete Guide


Borislav Hadzhiev

Sun Sep 19 2021, 3 min read

Table of Contents #

  1. Attach an Inline Policy to a Role with AWS CLI
  2. Attach AWS Managed Policies to an IAM Role with AWS CLI
  3. Attach Customer Managed Policies to a Role with AWS CLI

Attach an Inline Policy to a Role with AWS CLI #

IAM policies define permissions needed to access AWS resources and can be associated with roles, users and groups.

To attach an inline policy to an IAM role, we have to:

  1. store the contents of the policy in a JSON file
  2. run the AWS CLI put-role-policy command

Let's define a policy that grants read permissions on all S3 buckets in the account. Create a file called read-s3.json with the following content:

read-s3.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "*"
    }
  ]
}

Now that we've defined the inline policy, let's attach it to an IAM role. Open your terminal in the directory where you stored the read-s3.json file and run the put-role-policy command:

shell
aws iam put-role-policy --role-name role-example --policy-name read-s3 --policy-document file://read-s3.json


To verify the inline policy has been attached to the role, run the list-role-policies command.

shell
aws iam list-role-policies --role-name role-example


Attach AWS Managed Policies to an IAM Role with AWS CLI #

An AWS managed policy is one that's created and managed by AWS. These policies aim to provide permissions for the most common use cases.

To attach an AWS managed policy to an IAM role with the AWS CLI, use the attach-role-policy command.

Let's attach an AWS managed policy that grants read-only DynamoDB access to the IAM role:

shell
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess --role-name role-example


To verify a managed policy has been successfully attached to an IAM role, run the list-attached-role-policies command.

shell
aws iam list-attached-role-policies --role-name role-example


Attach Customer Managed Policies to a Role with AWS CLI #

Customer managed policies are created and managed by the user. They can be attached to multiple principal entities at the same time.

To attach a customer managed policy to a role with the AWS CLI, we have to:

  1. Create the managed policy and take note of the policy's ARN
  2. Use the attach-role-policy command to attach the policy to the role

Let's create a customer managed policy that grants read permissions for some CloudWatch Logs actions. Create a file called read-cloudwatch.json with the following content:

read-cloudwatch.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["logs:Get*", "logs:List*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

To create the customer managed policy, open your terminal in the directory where the read-cloudwatch.json file is stored and run the create-policy command.

shell
aws iam create-policy --policy-name read-cloudwatch --policy-document file://read-cloudwatch.json


Copy the policy's ARN from the command output and keep it at hand, because we're going to need it in order to attach the policy to the IAM role.

To attach a customer managed policy to a role, execute the attach-role-policy command.

shell
aws iam attach-role-policy --policy-arn "YOUR_POLICY_ARN" --role-name role-example


To verify the customer managed policy has been successfully attached to the role, run the list-attached-role-policies command.

shell
aws iam list-attached-role-policies --role-name role-example


The output from the command shows both of our managed policies, the AWS managed one and the customer managed one.
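As an added example that is not part of the original post, the helper below (stdlib only, offline) lints a policy document for statements that combine wildcard actions with Resource "*" before it is attached, builds the argv for the right command (put-role-policy for inline, attach-role-policy for managed), and checks the JSON printed by the two list commands to confirm the attachment. The sample inputs are constructed from the documents and output shapes shown in this post; role-example and the policy names are the ones used above.

```python
import json

# Constructed sample inputs: the read-s3.json document from the post and the
# JSON that list-role-policies / list-attached-role-policies print.
READ_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
LIST_ROLE_POLICIES_OUT = '{"PolicyNames": ["read-s3"]}'
LIST_ATTACHED_OUT = ('{"AttachedPolicies": [{"PolicyName": "AmazonDynamoDBReadOnlyAccess",'
                     ' "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"}]}')


def _as_list(value):
    """IAM allows a single string/object or a list in most policy fields."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def lint_policy(doc):
    """Flag Allow statements that pair a wildcard action with Resource '*':
    such a statement grants the matched actions on every resource in the account."""
    findings = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        wide = [a for a in _as_list(stmt.get("Action")) if a.endswith("*")]
        if wide and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: wildcard actions {wide} on Resource '*'")
    return findings


def attach_argv(role_name, *, policy_arn=None, inline_name=None, policy_file=None):
    """Build argv for the matching command: attach-role-policy for an AWS or
    customer managed policy (by ARN), put-role-policy for an inline policy."""
    if policy_arn:
        return ["aws", "iam", "attach-role-policy",
                "--role-name", role_name, "--policy-arn", policy_arn]
    if inline_name and policy_file:
        return ["aws", "iam", "put-role-policy", "--role-name", role_name,
                "--policy-name", inline_name, "--policy-document", f"file://{policy_file}"]
    raise ValueError("need policy_arn, or inline_name together with policy_file")


def is_attached(list_output, name_or_arn):
    """Parse list-role-policies or list-attached-role-policies output and
    report whether the inline name or the managed policy name/ARN is present."""
    data = json.loads(list_output)
    if name_or_arn in data.get("PolicyNames", []):
        return True
    return any(name_or_arn in (p["PolicyName"], p["PolicyArn"])
               for p in data.get("AttachedPolicies", []))
```

To skip the copy-and-paste step for a customer managed policy, `aws iam create-policy ... --query Policy.Arn --output text` prints only the ARN, which can be captured into a shell variable and passed to attach_argv.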
