I've got a CloudFormation template that brings up an auto-scaling group. It has the below instance profile and associated role and policy. Is there any way to also add an existing IAM role to the InstanceProfile? The AWS docs seem to say no:
Currently, a maximum of one role can be assigned to an instance profile.
Basically I want to leave the below role and policy creation in the template so the policy can reference the SQS resource (i.e. "Resource": [{ "Fn::GetAtt" : ["LifecycleSQS", "Arn"] }]) created by the template, while also assigning a pre-existing role that will give permissions to apps on the instances. I don't want to create these app specific permissions in the CloudFormation template.
"InstanceRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
"autoscaling.amazonaws.com"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
},
"Path":"/"
}
},
"RolePolicies":{
"Type":"AWS::IAM::Policy",
"Properties":{
"PolicyName": "MyRolePolicy,
"PolicyDocument":{
"Statement":[
{
"Effect": "Allow",
"Resource": [{ "Fn::GetAtt" : ["LifecycleSQS", "Arn"] }],
"Action": [
"sqs:SendMessage",
"sqs:GetQueueUrl",
"sns:Publish"
]
}
]
},
"Roles":[
{
"Ref":"InstanceRole"
}
]
}
},
"InstanceProfile":{
"Type":"AWS::IAM::InstanceProfile",
"Properties":{
"Path":"/",
"Roles":[
{
"Ref":"InstanceRole"
}
]
}
}