Attach a Policy to a Role with AWS CLI - Complete Guide

Table of Contents #

1. Attach an Inline Policy to a Role with AWS CLI
2. Attach AWS Managed Policies to an IAM Role with AWS CLI
3. Attach Customer Managed Policies to a Role with AWS CLI

Attach an Inline Policy to a Role with AWS CLI #

IAM policies define permissions needed to access AWS resources and can be associated with roles, users and groups.

To attach an inline policy to an IAM role, we have to:

1. store the contents of a policy in a json file
2. run the AWS CLI put-role-policy command

Let's define a policy that grants read permissions to all s3 buckets in an account, create a file called read-s3.json with the following content:

Copied!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "s3:Get*",
          "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Now that we've defined the inline policy, let's attach it to an IAM role. Open your terminal in the directory where you stored the read-s3.json file and run the put-role-policy command:

Copied!
aws iam put-role-policy --role-name role-example --policy-name read-s3 --policy-document file://read-s3.json

To verify the inline policy has been attached to the role, run the list-role-policies command.

Copied!
aws iam list-role-policies --role-name role-example

Attach AWS Managed Policies to an IAM Role with AWS CLI #

An AWS managed policy is one that's created and managed by AWS. These policies aim to provide permissions for the most common use cases.

To attach an AWS managed policy to an IAM role with the AWS CLI, use the attach-role-policy command.

Let's attach an AWS managed policy, that grants dynamodb read actions to an IAM role:

Copied!
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess --role-name role-example

To verify a managed policy has been successfully attached to an IAM role, run the list-attached-role-policies command.

Copied!
aws iam list-attached-role-policies --role-name role-example

Attach Customer Managed Policies to a Role with AWS CLI #

Customer managed policies are created and managed by the user. They can be attached to multiple principal entities at the same time.

To attach a customer managed policy to a Role with AWS CLI, we have to:

1. Create the managed policy and take note of the policy's arn
2. Use the attach-role-policy command to attach the policy to the role

Let's create a customer managed policy that grants read permissions to some CloudWatch actions. Create a file called read-cloudwatch.json with the following content:

Copied!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:Get*",
        "logs:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

To create the customer managed policy, open your terminal in the directory where the read-s3.json file is stored and run the create-policy command.

Copied!
aws iam create-policy --policy-name read-cloudwatch --policy-document file://read-cloudwatch.json

To attach a customer managed policy to a role, execute the attach-role-policy command.

Copied!
aws iam attach-role-policy --policy-arn "YOUR_POLICY_ARN" --role-name role-example

To verify the customer managed policy has been successfully attached to the role, run the list-attached-role-policies command.

Copied!
aws iam list-attached-role-policies --role-name role-example

The output from the command shows both of our managed policies, the AWS managed one and the customer managed one.

Further Reading #

• AWS CDK Tutorial for Beginners - Step-by-Step Guide
• How does AWS CDK work
• What is a Token in AWS CDK
• CDK Constructs - Complete Guide
• What is an identifier (id) in AWS CDK
• How to use Context in AWS CDK
• How to use Parameters in AWS CDK