
Cloudformation template to attach existing policy to existing IAM role

I want to attach an AWS managed policy to an existing role. I am achieving this using this template:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation template to modify Role",
    "Parameters": {
        "MyRole": {
            "Type": "String",
            "Default": "MyRole",
            "Description": "Role to be modified"
        }
    },
    "Resources": {
        "S3FullAccess": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": [
                            "s3:*",
                            "s3-object-lambda:*"
                        ],
                        "Resource": "*"
                    }]
                },
                "Roles": [
                    { "Ref": "MyRole" }
                ]
            }
        }
    }
}

This template will create a policy with S3 full access and attach it to MyRole. But I do not want to create a new policy; if I want to use the policy already present in AWS for S3 full access, how can I do that?

And if I use this template:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation template to modify Role",
    "Resources": {
        "IAMRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/ReadOnlyAccess"
                ],
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Action": "sts:AssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "*"
                        }
                    }]
                },
                "RoleName": "RoleName"
            }
        }
    }
}

This will attempt to create a new role and attach ReadOnlyAccess to it. But if I want to attach a policy to an existing role, how do I refer to that role in the template?

You use your AWS::IAM::Role's ManagedPolicyArns property, where you just specify the ARN of the managed policy to attach.

In general, the CloudFormation service is for creating resources. There is no native support for doing something with already created resources if you don't import them.

If you don't want to import them, then you have the option to write a CloudFormation custom resource. You can create a Lambda function-backed custom resource, passing in the ARNs of the IAM policy and the IAM role you want to attach the policy to, and calling the IAM AttachRolePolicy API. More details are in the AWS documentation.
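The Lambda-backed custom resource described in this answer, as an added example that is not part of the original post or of any AWS-provided code. It assumes a Custom::AttachRolePolicy resource whose ResourceProperties carry RoleName and PolicyArn, and a Lambda execution role allowed to call iam:AttachRolePolicy and iam:DetachRolePolicy on the target role; the Delete path detaches again so tearing down the stack also removes the grant it created.

```python
import json
import urllib.request

# Assumed contract for the Custom::AttachRolePolicy resource (not from the original answer):
# the template passes RoleName and PolicyArn as ResourceProperties, and the Lambda
# execution role holds iam:AttachRolePolicy / iam:DetachRolePolicy on the target role.

def physical_id(props):
    """One id per (role, policy) pair: changing either on Update makes CloudFormation
    issue a follow-up Delete for the old pair, which is where the old grant is detached."""
    return f"{props['RoleName']}|{props['PolicyArn']}"

def plan_iam_call(event):
    """Map a custom-resource event to the IAM API to call (testable without credentials)."""
    props = event["ResourceProperties"]
    if event["RequestType"] in ("Create", "Update"):
        return ("attach_role_policy", props["RoleName"], props["PolicyArn"])
    if event["RequestType"] == "Delete":
        return ("detach_role_policy", props["RoleName"], props["PolicyArn"])
    raise ValueError(f"unexpected RequestType {event['RequestType']!r}")

def send_response(event, context, status, reason=""):
    """Report the outcome to CloudFormation through the pre-signed ResponseURL."""
    body = json.dumps({
        "Status": status,
        "Reason": reason or f"see log stream {context.log_stream_name}",
        "PhysicalResourceId": physical_id(event["ResourceProperties"]),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)

def handler(event, context):
    import boto3  # imported lazily so the planning logic above stays importable offline
    iam = boto3.client("iam")
    try:
        api, role, arn = plan_iam_call(event)
        try:
            getattr(iam, api)(RoleName=role, PolicyArn=arn)
        except iam.exceptions.NoSuchEntityException:
            if api != "detach_role_policy":
                raise  # attaching to a missing role or policy is a real failure
            # Not attached any more (or role gone): count as success so deletion is not blocked.
        send_response(event, context, "SUCCESS")
    except Exception as exc:
        # Every path must answer CloudFormation, or the stack waits until the resource times out.
        send_response(event, context, "FAILED", str(exc))
```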
