0
votes

Does anyone know how to create a policy using cloud formation and then have another cloud formation template that assigns that policy to a role?

I'm looking at http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html and that doesn't answer my question.

2 Answers

1
votes

The link between a policy and a role is declared in the AWS::IAM::Policy resource. So, for instance, you can have one stack export the role and another stack import it using the intrinsic function Fn::ImportValue and link it to a policy resource.

Exporting stack:

    Resources:
      myRole:
        Type: "AWS::IAM::Role"
        Properties:
          ...
    Outputs:
      exportedRole:
        Value: !Ref myRole
        Export:
          Name: "myExportedRole"

Importing stack:

    Resources:
      myPolicy:
        Type: "AWS::IAM::Policy"
        Properties:
          Roles:
            - !ImportValue myExportedRole
          ...
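The two stacks above with the elided parts filled in, as an added example that is not part of the answer: both templates sit in one block separated by `---` (in practice they are two files), and the export name `shared-lambda-execution-role-name`, the resource names and the log-group scoping are assumptions made here, not values from the page.

```yaml
# Stack A (roles.yaml): defines the Lambda execution role and exports its name.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
Outputs:
  LambdaExecutionRoleName:
    Value: !Ref LambdaExecutionRole   # !Ref on a role resolves to the role name
    Export:
      Name: shared-lambda-execution-role-name   # assumed name; must be unique per region
---
# Stack B (logging-policy.yaml): attaches a scoped CloudWatch Logs policy to
# the imported role. Deploy Stack A first; while this import exists, Stack A
# cannot delete or change the export.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LambdaLoggingPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: LambdaCloudWatchLogsWrite
      Roles:
        - !ImportValue shared-lambda-execution-role-name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CreateLogGroup
            Effect: Allow
            Action: logs:CreateLogGroup
            Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
          - Sid: WriteLambdaLogs
            Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            # Limited to this account's Lambda log groups instead of "*".
            Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:*"
```

Because `AWS::IAM::Policy` takes role names, the exporting stack exports `!Ref` of the role rather than its ARN; a `Fn::GetAtt` ARN export would not work here.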
0
votes

You can create the role and the policy at the same time. Here is an example:

    "LambdaFunctionRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "lambda.amazonaws.com"
                            ]
                        },
                        "Action": [
                            "sts:AssumeRole"
                        ]
                    }
                ]
            },
            "Path": "/",
            "Policies": [
                {
                    "PolicyName": "AlexaSkillCloudWatchLogsAccess",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Sid": "AllowLogging",
                                "Effect": "Allow",
                                "Action": [
                                    "logs:CreateLogGroup",
                                    "logs:CreateLogStream",
                                    "logs:PutLogEvents"
                                ],
                                "Resource": [
                                    "*"
                                ]
                            }
                        ]
                    }
                }
            ]
        }
    }

This resource creates a policy for a Lambda function with a policy included. Then you can include the ARN of the role in a Lambda function in the same template with "Fn::GetAtt".