Amazon Web Services (AWS) - Create role using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

The aws iam create-role command can be used to create an IAM (Identity and Access Management) Role.

When creating a role you will need to include a JSON trust policy (the assume role policy document), which defines who is allowed to assume the role. For example, let's say my.json contains the following. In this example, the role will allow user john.doe to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:user/john.doe" },
          "Action": "sts:AssumeRole"
      }
  ]
}

 

In this example, the role will allow the API Gateway service to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": { "Service": "apigateway.amazonaws.com" },
          "Action": "sts:AssumeRole"
      }
  ]
}

 

And then the aws iam create-role command can be used to create the role.

~]$ aws iam create-role --role-name my-role --assume-role-policy-document file://my.json
{
    "Role": {
        "Path": "/",
        "RoleName": "my-role",
        "RoleId": "AROA2MITL76GPTDCUEJO5",
        "Arn": "arn:aws:iam::123456789012:role/my-role",
        "CreateDate": "2023-07-18T06:08:58+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:user/john.doe"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}
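Before running create-role, it is worth checking who the trust policy actually lets in. The following is an added example, not part of the original article or any AWS tool: a small reviewer that reads the two trust policies shown above and lists principals that deserve a second look. The function names and the finding wording are assumptions made for illustration.

```python
import json

# Trust policies copied from this page (123456789012 is the page's example account).
USER_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"AWS": "arn:aws:iam::123456789012:user/john.doe"}, "Action": "sts:AssumeRole"}]}')
SERVICE_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "apigateway.amazonaws.com"}, "Action": "sts:AssumeRole"}]}')

def as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def review_trust_policy(policy, own_account):
    """Return review findings for the Allow statements of a role trust policy."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Condition keys are case-insensitive, so compare them lowercased.
        cond_keys = {key.lower() for block in stmt.get("Condition", {}).values() for key in block}
        if principal == "*":
            findings.append("wildcard principal: not limited to a named identity")
            continue
        for arn in as_list(principal.get("AWS", [])):
            # The value is an ARN or a bare 12-digit account ID.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if arn == "*":
                findings.append("wildcard AWS principal: not limited to a named identity")
            elif account != own_account and "sts:externalid" not in cond_keys:
                findings.append(f"cross-account principal {arn} without an sts:ExternalId condition")
        for service in as_list(principal.get("Service", [])):
            # Assumption: a missing source condition is a review item; confirm in the
            # service's documentation which of these keys it supports.
            if not cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append(f"service principal {service} without aws:SourceArn or aws:SourceAccount")
    return findings

if __name__ == "__main__":
    for name, doc in (("user trust", USER_TRUST), ("service trust", SERVICE_TRUST)):
        print(name, review_trust_policy(doc, own_account="123456789012") or "no findings")
```

An empty list means the policy names only principals in your own account or carries the expected conditions; each finding is a prompt to review, not proof of a problem.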

 



