0
votes

I have an IAM role (MyIAMrole) which has already been created. I want to attach a policy to this role using a CloudFormation template.

"Mypolicy": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "assume-role-policy",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*" }
      ]
    },
    "Roles": [ { "Ref": "arn:aws:iam::*:role/MyIAMrole" } ]
  }
}

When I try to validate this I am getting an error saying "Unresolved reference options".

How to attach this policy to an already existing role?


1 Answer

3
votes

I managed to get your code snippet to work by referring to the Name of a role rather than the ARN.

As per the AWS::IAM::Policy documentation:

Roles: The names of AWS::IAM::Roles to which this policy will be attached.

However, while the stack went to CREATE_COMPLETE, I couldn't see the policy listed in the Policies section of IAM, nor could I see the policy attached to the referenced role.

It might be that you cannot use CloudFormation to attach a policy to an existing role. You might need to create the Role as part of the CloudFormation template to be able to attach a role.
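As an added example, not part of the question or the answer: a small Python checker that catches the exact mistake in the question (a Ref to an ARN string, which Ref cannot resolve, and ARNs where Roles expects role names) and also flags the over-broad sts:AssumeRole on Resource "*". It assumes a template of the question's shape and an existing role named MyIAMrole.

```python
import json
import re

# Constructed template reproducing the question's mistake: Roles holds a Ref
# to an ARN string instead of a plain role name (or a logical ID in the stack).
BROKEN_TEMPLATE = json.loads("""
{"Resources": {"Mypolicy": {"Type": "AWS::IAM::Policy", "Properties": {
  "PolicyName": "assume-role-policy",
  "PolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]},
  "Roles": [{"Ref": "arn:aws:iam::*:role/MyIAMrole"}]}}}}
""")

IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::")


def lint_iam_policies(template):
    """Return findings for every AWS::IAM::Policy resource in the template."""
    resources = template.get("Resources", {})
    # Ref resolves only to logical IDs and parameters declared in this template.
    known = set(resources) | set(template.get("Parameters", {}))
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res.get("Properties", {})
        for entry in props.get("Roles", []):
            if isinstance(entry, dict) and "Ref" in entry and entry["Ref"] not in known:
                findings.append(f"{name}: Ref '{entry['Ref']}' is not declared in this template")
            # Existing roles are attached by name; an ARN here is rejected by the service.
            elif isinstance(entry, str) and IAM_ARN_RE.match(entry):
                findings.append(f"{name}: Roles takes role names, not ARNs: '{entry}'")
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            # Least privilege: allowing AssumeRole on every role is far broader than needed.
            if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions and stmt.get("Resource") == "*":
                findings.append(f"{name}: sts:AssumeRole on Resource '*'; scope it to the target role ARNs")
    return findings


def attach_by_name(template, role_name):
    """Return a deep copy whose AWS::IAM::Policy resources attach to role_name by name."""
    fixed = json.loads(json.dumps(template))
    for res in fixed.get("Resources", {}).values():
        if res.get("Type") == "AWS::IAM::Policy":
            res["Properties"]["Roles"] = [role_name]
    return fixed
```

AWS::IAM::Policy creates an inline policy, so after a successful stack it shows up on the role's own page in the IAM console rather than in the managed Policies list.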