Amazon Web Services (AWS) - Create Policy using the AWS CLI

by Jeremy Canfield | Updated: May 30 2024
This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
- An IAM Policy allows certain actions (such as create) on certain resources (such as EC2)
- An IAM User is typically a user's account (such as john.doe) that contains an IAM Identity-Based Policy that allows certain actions (such as list) on certain resources (such as S3)
- An IAM Role contains an IAM Policy that allows certain actions (such as create) on certain resources (such as EC2). Let's say the Identity-Based Policy attached to john.doe does NOT allow "create S3"
- The Role that allows "create S3" could be attached to john.doe - or, john.doe could Assume the Role:
- Often, a Role will have two Policies:
Let's create a JSON file named policy.json that contains the policy JSON, perhaps something like this.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}
Then the aws iam create-policy command can be used to create a policy.
aws iam create-policy --policy-name my-cloudwatch-getmetricsdata --policy-document file://policy.json
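A pre-flight check that can be run on the contents of policy.json before calling aws iam create-policy, flagging malformed documents and wildcard grants. This is an added example, not code from the original article; the function names and finding messages are hypothetical, and the checks cover only basic structure and wildcards in an identity-based policy.

```python
import json

# Constructed sample input: the policy document shown in the article.
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["cloudwatch:GetMetricData"], "Resource": "*"}]}"""

def as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(text):
    """Return findings (ERROR/WARN/INFO strings) for an identity-based policy."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"ERROR: invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["ERROR: policy document must be a JSON object"]
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append('WARN: Version is not "2012-10-17"')
    statements = doc.get("Statement")
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return findings + ["ERROR: Statement is missing or empty"]
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict) or stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"ERROR: Statement[{i}] needs Effect Allow or Deny")
            continue
        actions = as_list(stmt.get("Action"))
        if not actions and "NotAction" not in stmt:
            findings.append(f"ERROR: Statement[{i}] has no Action")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"ERROR: Statement[{i}] has no Resource")
        if stmt["Effect"] != "Allow":
            continue  # wildcard checks below only matter for grants
        for action in actions:
            if "*" in str(action):
                findings.append(f"WARN: Statement[{i}] allows wildcard action {action!r}")
        if "*" in as_list(stmt.get("Resource")):
            findings.append(f"INFO: Statement[{i}] applies to every resource")
    return findings

if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY) or ["OK: no findings"]:
        print(line)
```

For the article's policy this reports only the INFO finding for "Resource": "*"; a WARN means the statement grants a wildcard action and should be narrowed before the policy is created.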