I want to create an IAM policy and attach it to some IAM role using AWS command-line interface.
Creating policy is quite simple:
aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json
But to attach the newly created policy to the target role I must know the ARN of the policy:
aws iam attach-role-policy --role-name "${role_name}" --policy-arn "${policy_arn}"
What is the correct way to retrieve ARN of the newly created policy?
Right now I'm constructing policy_arn myself using policy_name and the account_id:
policy_arn=arn:aws:iam::"${account_id}":policy/"${policy_name}"
This is how I retrieve the account_id:
account_id=$(aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' --output text)
However this feels quite hacky.
Is there a better way to find out ARN of the created policy?
If you add --output text to your create-policy, it will print the ARN.
aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json --output text
You can get the policies and their ARN:
aws iam list-policies --query 'Policies[*].[PolicyName, Arn]' --output text
To get the ARN for just one policy:
aws iam list-policies --query 'Policies[?PolicyName==`FullAccess`].Arn' --output text
Output:
arn:aws:iam::aws:policy/FullAccess
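Putting the two answers together as a script, as an added example that is not part of the original question or answers: `create_policy_arn` narrows the create-policy output to the ARN alone with `--query 'Policy.Arn'` (plain `--output text` prints every field of the returned Policy object), `lookup_policy_arn` does the list-policies lookup with `--scope Local` so that AWS-managed policies such as `arn:aws:iam::aws:policy/...` are not matched by the name filter, and `build_policy_arn` hand-builds the ARN the way the question does but takes the account id and the partition (aws, aws-cn, aws-us-gov) from `aws sts get-caller-identity` instead of a security group. `ensure_role_policy` chains them: create, fall back to lookup if the name is already taken, fall back to constructing the ARN last, then attach. The role name, policy name, policy file and the `ensure_role_policy` wrapper are assumptions of this example; the CLI subcommands and query paths are the real ones.

```shell
#!/usr/bin/env sh
# Added example, not code from the original page. Assumes AWS CLI v2 and
# credentials allowed iam:CreatePolicy, iam:ListPolicies, iam:AttachRolePolicy
# and sts:GetCallerIdentity. Only functions are defined here; nothing runs at
# top level, so the file can be sourced and ensure_role_policy called from a
# deployment script.

# Create the policy and print only its ARN. --query selects Policy.Arn from the
# create-policy response, so no JSON parsing and no account id are needed.
create_policy_arn() {
  policy_name=$1
  policy_file=$2
  aws iam create-policy \
    --policy-name "$policy_name" \
    --policy-document "file://$policy_file" \
    --query 'Policy.Arn' --output text
}

# Look up an existing customer-managed policy by name. --scope Local excludes
# AWS-managed policies (arn:aws:iam::aws:policy/...), which a bare PolicyName
# filter would otherwise also return if the names collide.
lookup_policy_arn() {
  policy_name=$1
  aws iam list-policies --scope Local \
    --query "Policies[?PolicyName=='$policy_name'].Arn" --output text
}

# Hand-build the ARN as a last resort. The caller's own ARN carries both the
# partition (field 2) and the account id (field 5), so this stays correct in
# GovCloud and China regions where the partition is not "aws".
build_policy_arn() {
  policy_name=$1
  caller_arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  partition=$(printf '%s' "$caller_arn" | cut -d: -f2)
  account=$(printf '%s' "$caller_arn" | cut -d: -f5)
  printf 'arn:%s:iam::%s:policy/%s\n' "$partition" "$account" "$policy_name"
}

# Create-or-reuse the policy, attach it to the role, print the ARN attached.
# create-policy fails with EntityAlreadyExists when the name is taken, so the
# error path falls through to a lookup and then to a constructed ARN.
ensure_role_policy() {
  role_name=$1
  policy_name=$2
  policy_file=$3
  if arn=$(create_policy_arn "$policy_name" "$policy_file" 2>/dev/null); then
    :
  elif arn=$(lookup_policy_arn "$policy_name") && [ -n "$arn" ] && [ "$arn" != "None" ]; then
    :
  else
    arn=$(build_policy_arn "$policy_name") || return 1
  fi
  aws iam attach-role-policy --role-name "$role_name" --policy-arn "$arn" || return 1
  printf '%s\n' "$arn"
}
```

Usage from a script: `policy_arn=$(ensure_role_policy "$role_name" "$policy_name" policy.json)`. The lookup fallback matters for reruns of the same deployment: IAM policy names are unique per account, so a second run would otherwise abort on the create step even though the policy already exists.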