This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

• An IAM Policy allows certain actions (such create) on certain resources (such as EC2)
• An IAM User is typically a users account (such as john.doe) that contains an IAM Identity-Based Policy that allows certain actions (such as list) on certain resources (such S3)
• An IAM Role contains an IAM Policy that allows certain actions (such create) on certain resources (such as EC2) - Let's say the Identity-Based Policy attached to john.doe does NOT allow create S3 - john.doe could Assume a Role that allows create S3
  • Assume Role or Switch Role using Python boto3
  • Assume Role or Switch Role using Terraform
  • Assume Role or Switch Role using the AWS CLI
  • Often, a Role will have two Policies:
    • Trust Relationship
    • Permission Policy

The aws iam list-roles command can be used to list the IAM (Identity and Access Management) Roles. Something like this should be returned.

~]$ aws iam list-roles
{
    "Roles": [
        {
            "Path": "/",
            "RoleName": "my-role",
            "RoleId": "ARABCDITL71234TJARYZV",
            "Arn": "arn:aws:iam::123456789012:role/my-rolee",
            "CreateDate": "2023-07-18T06:08:58+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:iam::123456789012:root"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}

• The aws iam attach-user-policy command can be used to attach a policy to a user using the ARN (Amazon Resource Number) of the policy.
• The aws iam attach-role-policy command (this article) can be used to attach a policy to a role using the ARN (Amazon Resource Number) of the policy.

In this example, the ReadOnlyAccess policy is attached to my-role.

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name my-role

• The aws iam list-attached-user-policies command should list the policies that have been attached to a user.
• The aws iam list-attached-role-policies command should list the policies that have been attached to a role.

In this example, the ReadOnlyAccess policy is attached to my-role.

~]$ aws iam list-attached-role-policies --role-name my-role
{
    "AttachedPolicies": [
        {
            "PolicyName": "ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"
        }
    ]
}