
How to create a policy using the AWS CLI

I am trying to create a policy using the AWS CLI. In this command, what does file://policy refer to?

aws iam create-policy --policy-name my-policy --policy-document file://policy

I tried:

aws iam create-policy --policy-name mypolicy --policy-document file://mypolicy.json

Is this the correct way of creating the policy?

Also, is there a way I can use policy json content directly when we create a policy using the AWS CLI? If yes, please share some examples.

file://policy refers to a local json file containing the policy statement that you wish to use to define the policy you're creating.

You can do this in-line with the CLI. To use the recommended EKS Autoscaler policy as an example:

aws iam create-policy \
    --policy-name AmazonEKSClusterAutoscalerPolicy \
    --policy-document \
'{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}'

I don't know what you mean exactly by "use the json directly." If you are creating the json programmatically, you can use a process substitution as the file for the aws-cli.

Say I have this "template.json"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET"
    }
  ]
}

Here I will substitute the values with sed (I've included the command's stdout):

% sed 's/REGION/my-region-1/; s/ACCOUNT/my-account-id/; s/SECRET/my-secret-id/' template.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:my-region-1:my-account-id:secret:my-secret-id"
    }
  ]
}

And provide this command as a process substitution (like a temp file):

aws iam create-policy \
  --policy-name MyPolicy \
  --policy-document file://<(sed 's/REGION/my-region-1/; s/ACCOUNT/my-account-id/; s/SECRET/my-secret-id/' template.json)

Also, is there a way I can use policy json content directly when we create a policy using the AWS CLI?

Had the same question, and apparently this is not possible. Most likely they did not add support for this because JSON content has a lot of spaces, newlines, etc., which messes up the command line input.

I wanted to generate multiple policies in an automated way, and used the following approach: define a blueprint JSON file, create a script that reads it, searches & replaces the relevant parts, writes out to a new file, and uses that new file in the aws iam command.

E.g. this script in PowerShell replaces the tag "NUMBER" with "1":

# Value that replaces the NUMBER placeholder in the blueprint
$nr = "1"

# Read the blueprint and substitute the placeholder (-replace is a regex replace)
$policy = Get-Content -Path 'policy.json'
$policy_letter = $policy -replace 'NUMBER', $nr

# Write the rendered policy to policy_1.json
$fileOutput = 'policy_' + $nr + '.json'
$policy_letter | Set-Content -Path $fileOutput

Then use this output file to create the AWS policy:

# Build the aws CLI command string and run it through cmd.exe
$cmd = "aws iam create-policy --policy-name policy" + $nr + " --policy-document file://./policy_" + $nr + ".json"
cmd /c $cmd
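The two templating answers above rely on sed or a PowerShell -replace plus a temp file; as an added example (not code from any of the answers), the same rendering can be done in Python, with two checks a practitioner wants before calling the API: no placeholder is left unreplaced, and the document parses as JSON with a Version and Statement. The rendered JSON is then passed inline to `aws iam create-policy` via a subprocess argv list, which sidesteps the shell-quoting problem of spaces and newlines, and `--query Policy.Arn --output text` returns just the new ARN. The template, placeholder names and values are constructed for this example.

```python
"""Added example: render an IAM policy template, check it, and build the aws argv."""
import json
import re
import subprocess

# Constructed template, same shape as the "template.json" in the answer above.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET"
    }
  ]
}"""

# Whole-word match so "secretsmanager" or "secret:" are never touched.
PLACEHOLDER = re.compile(r"\b(REGION|ACCOUNT|SECRET)\b")


def render_policy(template: str, values: dict) -> dict:
    """Substitute placeholders, then parse and sanity-check the result."""
    rendered = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)
    leftover = PLACEHOLDER.findall(rendered)
    if leftover:  # a missing value would otherwise ship a bogus ARN
        raise ValueError(f"unreplaced placeholders: {leftover}")
    doc = json.loads(rendered)  # invalid JSON fails here, not at the API
    if doc.get("Version") != "2012-10-17" or not doc.get("Statement"):
        raise ValueError("policy document missing Version or Statement")
    return doc


def create_policy_argv(name: str, doc: dict) -> list:
    """argv for subprocess.run: no shell, so whitespace/newlines in the JSON are harmless.
    --query/--output make the CLI print only the new policy ARN."""
    return ["aws", "iam", "create-policy", "--policy-name", name,
            "--policy-document", json.dumps(doc),
            "--query", "Policy.Arn", "--output", "text"]


if __name__ == "__main__":
    values = {"REGION": "my-region-1", "ACCOUNT": "my-account-id", "SECRET": "my-secret-id"}
    argv = create_policy_argv("MyPolicy", render_policy(TEMPLATE, values))
    arn = subprocess.run(argv, check=True, capture_output=True, text=True).stdout.strip()
    print(arn)
```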

To create the policy from a json file

aws iam create-policy --policy-name <your-policy-name> \
--policy-document file://<your-policy-template>.json

If you want, you can also retrieve the policy ARN:

POLICY_ARN=$(aws iam create-policy --policy-name <your-policy-name> \
--policy-document file://<your-policy-template>.json \
--output text --query Policy.Arn)
