
This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
The aws iam create-role command can be used to create an IAM (Identity and Access Management) Role.
- An IAM Policy allows certain actions (such as create) on certain resources (such as EC2).
- An IAM User is typically a user's account (such as john.doe) that has an IAM Identity-Based Policy attached, allowing certain actions (such as list) on certain resources (such as S3).
- An IAM Role contains an IAM Policy that allows certain actions (such as create) on certain resources (such as EC2). Let's say the Identity-Based Policy attached to john.doe does NOT allow "create S3".
- A Role that allows "create S3" could be attached to john.doe, or john.doe could assume the Role.
- Often, a Role will have two Policies: a Trust Relationship policy (who is allowed to assume the role) and one or more Permission Policies (what the role is allowed to do).
The aws iam create-role command can be used to create a role. By default, the role will not have any Trust Relationship policies or Permission Policies attached, meaning the role will not have permission to do anything. It's just an empty role that you would then attach one or more policies to.
aws iam create-role --role-name my-role
Or, you can create a JSON file that contains the Trust Relationship policy that you want to attach to the role.
In this example, the role will allow user john.doe to assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/john.doe" },
      "Action": "sts:AssumeRole"
    }
  ]
}
In this example, the role will allow the API Gateway service to assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "apigateway.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
And then the aws iam create-role command with the --assume-role-policy-document option can be used to create the role with an attached Trust Relationship policy.
~]$ aws iam create-role --role-name my-role --assume-role-policy-document file://my.json
{
  "Role": {
    "Path": "/",
    "RoleName": "my-role",
    "RoleId": "AROA2MITL76GPTDCUEJO5",
    "Arn": "arn:aws:iam::123456789012:role/my-role",
    "CreateDate": "2023-07-18T06:08:58+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/john.doe"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
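Because the Trust Relationship policy decides who can assume the role, it is worth checking after creation. The following Python is an added example (not from the article): it reads the create-role output above, lists every principal the trust policy lets assume the role, and flags wildcard, whole-account and cross-account principals; the account id 123456789012 is the one in the sample output, and the finding strings are my own wording.

```python
import json

# Output of `aws iam create-role` shown above, reused here as the sample input.
SAMPLE_CREATE_ROLE_OUTPUT = """{"Role": {"Path": "/", "RoleName": "my-role",
  "RoleId": "AROA2MITL76GPTDCUEJO5", "Arn": "arn:aws:iam::123456789012:role/my-role",
  "CreateDate": "2023-07-18T06:08:58+00:00",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/john.doe"}, "Action": "sts:AssumeRole"}]}}}"""

def build_trust_policy(principal_kind, principal_value):
    """Trust policy letting one principal call sts:AssumeRole, in the shape used above.
    principal_kind is "AWS" (user/role/account ARN) or "Service" (e.g. apigateway.amazonaws.com)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {principal_kind: principal_value},
                           "Action": "sts:AssumeRole"}]}

def trust_policy_from_create_role_output(text):
    """Pull the AssumeRolePolicyDocument out of the JSON printed by `aws iam create-role`."""
    return json.loads(text)["Role"]["AssumeRolePolicyDocument"]

def classify_principal(kind, value, own_account):
    """None for a plain same-account AWS principal, otherwise a reason to review it."""
    if value == "*":
        return "wildcard principal: anyone may assume the role"
    if kind != "AWS":
        return "%s principal" % kind  # Service/Federated: fine only if that service is expected
    # An AWS principal is an ARN (arn:aws:iam::ACCOUNT:...) or a bare 12-digit account id.
    account = value.split(":")[4] if value.startswith("arn:") else value
    if account != own_account:
        return "cross-account principal (account %s)" % account
    if value == account or value.endswith(":root"):
        return "entire account: every principal in %s may assume the role" % account
    return None

def assume_role_principals(trust_policy, own_account):
    """List (principal, finding) for every principal the trust policy lets assume the role."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_assume = any(a.startswith("sts:AssumeRole") or a in ("sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in ([values] if isinstance(values, str) else values):
                findings.append((value, classify_principal(kind, value, own_account)))
    return findings
```

For the sample output the only principal is user john.doe in the same account, so it reports no finding; the same function run on a saved `aws iam get-role` result works the same way.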
If you also want to attach one or more Permission Policies to the role, the aws iam attach-role-policy command can be used.
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/my-permission-policy --role-name my-role