How can I attach an IAM managed policy to an IAM role in AWS CloudFormation?

Last updated: 2019-10-16

How can I add an existing or new AWS Identity and Access Management (IAM) managed policy to a new or existing IAM role in AWS CloudFormation?

Short Description

To add an existing or new IAM managed policy to a new IAM role resource, use the ManagedPolicyArns property of resource type AWS::IAM::Role. To add a new IAM managed policy to an existing IAM role resource, use the Roles property of resource type AWS::IAM::ManagedPolicy.

Your IAM managed policy can be an AWS managed policy or a customer managed policy.

Important: By default you can attach at most 10 managed policies to an IAM role or user (this quota is adjustable, up to 20), and the quota counts every attachment regardless of whether it is declared on the role (ManagedPolicyArns) or on the policy (Roles). The size of each managed policy can't exceed 6,144 characters; IAM does not count white space toward this limit. For more information, see Limitations on IAM Entities and Objects.

Based on your scenario, complete the steps in one of the following sections:

  • Add an existing IAM managed policy to a new IAM role
  • Add a new IAM managed policy to a new IAM role
  • Add a new IAM managed policy to an existing IAM role

Resolution

Add an existing IAM managed policy to a new IAM role

1.    In your AWS CloudFormation template, create a parameter or parameters that you can use to pass in the Amazon Resource Name (ARN) of your IAM managed policy. Because the value is used unchanged as an attachment, consider constraining it with AllowedPattern so that only an IAM policy ARN is accepted. See the following example:

Parameters:
  awsExampleManagedPolicyParameterOne:
    Type: String
    Description: awsExampleIAMManagedPolicyARNOne
  awsExampleManagedPolicyParameterTwo:
    Type: String
    Description: awsExampleIAMManagedPolicyARNTwo

2.    In the Resources section of your template, for the resource of type AWS::IAM::Role, list each parameter that you created in step 1 (awsExampleManagedPolicyParameterOne and awsExampleManagedPolicyParameterTwo) in the ManagedPolicyArns property using !Ref. See the following example:

Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'   # quoted so YAML parses it as a string, not a date
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:       # each entry resolves to the ARN passed in the parameter
        - !Ref awsExampleManagedPolicyParameterOne
        - !Ref awsExampleManagedPolicyParameterTwo

3.    To apply your existing IAM managed policy to your new IAM role, create a stack or update an existing stack based on your modified AWS CloudFormation template. Because the template creates an IAM resource, you must acknowledge the CAPABILITY_IAM capability (CAPABILITY_NAMED_IAM if you set RoleName) when you create or update the stack.

Add a new IAM managed policy to a new IAM role

1.    In your AWS CloudFormation template, create a new policy using the AWS::IAM::ManagedPolicy resource. See the following example:

SampleManagedPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: AllowAllUsersToListAccounts
          Effect: Allow
          Action:
            - iam:ListAccountAliases
            - iam:ListUsers
            - iam:GetAccountSummary
          Resource: '*'

2.    Attach the IAM managed policy resource to the AWS::IAM::Role resource by listing its logical ID (SampleManagedPolicy, created in step 1) in the ManagedPolicyArns property using !Ref. For an AWS::IAM::ManagedPolicy resource, Ref returns the policy ARN, which is exactly what ManagedPolicyArns expects. See the following example:

RootRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - !Ref SampleManagedPolicy   # Ref on AWS::IAM::ManagedPolicy returns its ARN

3.    To apply your new IAM managed policy to your new IAM role, create a stack or update an existing stack based on your modified AWS CloudFormation template. Acknowledge the CAPABILITY_IAM capability (CAPABILITY_NAMED_IAM if you set RoleName or ManagedPolicyName) when you create or update the stack.

Add a new IAM managed policy to an existing IAM role

1.    In your AWS CloudFormation template, create a parameter that you can use to pass in the names of your existing roles. The Roles property expects role names (friendly names), not ARNs, and the roles must exist in the same account as the stack. See the following example:

Parameters:
  awsExampleRolesParameter:
    Type: CommaDelimitedList
    Description: Names of existing Roles you want to add to the newly created Managed Policy

2.    In the Resources section of your template, for the resource of type AWS::IAM::ManagedPolicy, set the Roles property to !Ref of the parameter that you created in step 1 (awsExampleRolesParameter). Ref on a CommaDelimitedList parameter returns the list of role names. See the following example:

Resources:
  SampleManagedPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAllUsersToListAccounts
            Effect: Allow
            Action:
              - 'iam:ListAccountAliases'
              - 'iam:ListUsers'
              - 'iam:GetAccountSummary'
            Resource: '*'
      Roles: !Ref awsExampleRolesParameter   # list of existing role names, not ARNs

3.    To apply your new IAM managed policy to your existing IAM role, create a stack or update an existing stack based on your modified AWS CloudFormation template, acknowledging the CAPABILITY_IAM capability. Note that the policy is owned by the stack: deleting the stack detaches it from the existing roles and deletes it, and the attachment counts toward each role's managed-policy quota alongside policies attached outside CloudFormation.
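The quota in the Important note above applies per role no matter which side declares the attachment, so a template that mixes the three patterns described in this article (ManagedPolicyArns on the role, Ref to a new ManagedPolicy resource, and Roles on the policy) can exceed it without any single resource looking wrong. The following pre-deployment check, an added example that is not code from this article or from AWS, merges both directions before counting, validates ARN-typed parameters, and measures policy-document size the way IAM does (white space excluded). It works on the Python dict a CloudFormation-aware YAML loader (for example cfn-flip) produces, with intrinsic functions in long form ({"Ref": ...}); the embedded TEMPLATE is a constructed equivalent of the article's YAML with all three scenarios in one stack, and the parameter values are the ones you would pass at deploy time.

```python
"""Pre-deployment check for managed-policy attachments in a CloudFormation template.

Added example, not from the original article or AWS. TEMPLATE is constructed:
it merges the article's three scenarios into one stack, with intrinsic
functions written in long form ({"Ref": ...}).
"""
import json
import re

# IAM quotas the article cites: default attachments per role and policy size.
MAX_MANAGED_POLICIES_PER_ROLE = 10
MAX_POLICY_CHARS = 6144

# AWS-managed (account "aws") or customer-managed (12-digit account) policy ARN.
POLICY_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::(?:aws|\d{12}):policy/[\w+=,.@/-]+$")

TEMPLATE = {  # constructed template equivalent to the article's YAML
    "Parameters": {
        "awsExampleManagedPolicyParameterOne": {"Type": "String"},
        "awsExampleRolesParameter": {"Type": "CommaDelimitedList"},
    },
    "Resources": {
        "RootRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
                                   "Action": ["sts:AssumeRole"]}],
                },
                "Path": "/",
                "ManagedPolicyArns": [{"Ref": "awsExampleManagedPolicyParameterOne"},
                                      {"Ref": "SampleManagedPolicy"}],
            },
        },
        "SampleManagedPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Sid": "AllowAllUsersToListAccounts", "Effect": "Allow",
                                   "Action": ["iam:ListAccountAliases", "iam:ListUsers", "iam:GetAccountSummary"],
                                   "Resource": "*"}],
                },
                "Roles": {"Ref": "awsExampleRolesParameter"},
            },
        },
    },
}


def _ref_target(node):
    """Logical name behind a {"Ref": ...} node, or None for a literal value."""
    return node["Ref"] if isinstance(node, dict) and list(node) == ["Ref"] else None


def policy_size(policy_document):
    """Characters IAM counts toward MAX_POLICY_CHARS: compact JSON with white space removed."""
    return len(re.sub(r"\s", "", json.dumps(policy_document, separators=(",", ":"))))


def check_template(template, parameters):
    """Return (findings, attachments). `parameters` maps parameter names to deploy-time
    values. `attachments` maps each role (logical ID, or name of an existing role) to the
    managed policies attached to it, counted from both Role.ManagedPolicyArns and
    ManagedPolicy.Roles so the per-role quota is applied to the real total."""
    findings, resources = [], template.get("Resources", {})
    param_defs = template.get("Parameters", {})

    def resolve(node):
        target = _ref_target(node)
        if target is None:
            return node                      # literal string or list
        if target in resources:
            return target                    # Ref to a resource in this template -> logical ID
        value = parameters.get(target)
        if value is None:
            findings.append(f"parameter {target}: no value supplied")
        elif param_defs.get(target, {}).get("Type") == "CommaDelimitedList" and isinstance(value, str):
            return [item.strip() for item in value.split(",")]   # CloudFormation trims each member
        return value

    attachments = {}
    for logical_id, resource in resources.items():
        props = resource.get("Properties", {})
        if resource.get("Type") == "AWS::IAM::Role":
            for entry in props.get("ManagedPolicyArns", []):
                policy = resolve(entry)
                if policy is None:
                    continue
                attachments.setdefault(logical_id, []).append(policy)
                if policy not in resources and not POLICY_ARN_RE.match(policy):
                    findings.append(f"{logical_id}: '{policy}' is not an IAM managed-policy ARN")
        elif resource.get("Type") == "AWS::IAM::ManagedPolicy":
            size = policy_size(props.get("PolicyDocument", {}))
            if size > MAX_POLICY_CHARS:
                findings.append(f"{logical_id}: policy document is {size} characters, limit {MAX_POLICY_CHARS}")
            for role in resolve(props.get("Roles", [])) or []:
                name = resolve(role)         # Ref to a role resource -> logical ID; literal -> existing role name
                if name is not None:
                    attachments.setdefault(name, []).append(logical_id)

    for role, policies in attachments.items():
        if len(policies) > MAX_MANAGED_POLICIES_PER_ROLE:
            findings.append(f"{role}: {len(policies)} managed policies attached, default quota is "
                            f"{MAX_MANAGED_POLICIES_PER_ROLE}")
    return findings, attachments


if __name__ == "__main__":
    found, attached = check_template(TEMPLATE, {
        "awsExampleManagedPolicyParameterOne": "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "awsExampleRolesParameter": "existing-role-a, existing-role-b",
    })
    for role, policies in attached.items():
        print(f"{role}: {policies}")
    print("findings:", found or "none")
```

Run it against the parameter values you intend to pass on the command line; a non-empty findings list means the stack would either fail validation (bad ARN, oversized policy) or fail on the first attachment that breaches the role's quota. Policies attached to an existing role outside CloudFormation are not visible to the template, so for the Roles scenario compare the count reported for each existing role name against what the IAM console or list-attached-role-policies shows.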
