I've searched quite a bit but cannot find a policy to allow a user to create IAM Roles from both the management console (AWS website), and from AWS CLI.
Any help is greatly appreciated.
EDIT: More clarification, the end-goal is to allow the user to create an Instance IAM Role.
The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. An IAM role is both an identity and a resource that supports resource-based policies. For that reason, you must attach both a trust policy and an identity-based policy to an IAM role.
You can assign an existing IAM role to an AWS Directory Service user or group. The role must have a trust relationship with AWS Directory Service.
Here is the policy you need to use.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1469200763880",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
I've been using a policy like this to allow CloudFormation templates to attach roles to EC2.
If this isn't enough permissions, there is a list here
http://docs.aws.amazon.com/IAM/latest/UserGuide/list_iam.html
of all the available, allowable IAM permissions, and you can add as many as you like.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:PassRole",
                "iam:DeleteInstanceProfile"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
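As an added example (not code from either answer above), this script checks which of the IAM calls involved in creating an instance role are covered by the two posted policies, using IAM's action-level evaluation rule (an explicit Deny wins, otherwise some Allow must match, with case-insensitive wildcard matching). It deliberately ignores the Resource and Condition elements, so it only tells you whether an action is granted at all, not on which resources; the two policy documents are reproduced inline as constructed input.

```python
import fnmatch

# Constructed input: the two policy documents posted in the answers above.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:AttachRolePolicy", "iam:CreateRole"],
        "Resource": "*",
    }],
}
INSTANCE_PROFILE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreateInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
                   "iam:AddRoleToInstanceProfile", "iam:PassRole", "iam:DeleteInstanceProfile"],
        "Resource": "*",
    }],
}

# API calls made when creating an EC2 instance role end to end:
# create the role, attach permissions, wrap it in an instance profile, hand it to EC2.
REQUIRED_ACTIONS = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:CreateInstanceProfile",
                    "iam:AddRoleToInstanceProfile", "iam:PassRole"]

def _as_list(value):
    # IAM accepts both a single string and a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def action_allowed(policies, action):
    """Action-level IAM evaluation: any matching Deny is final, else one Allow must match.
    Action names are compared case-insensitively and honour IAM's '*' and '?' wildcards.
    Resource and Condition are not evaluated here."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_actions(policies, required=REQUIRED_ACTIONS):
    """Return the required actions that none of the given policies grants."""
    return [a for a in required if not action_allowed(policies, a)]

if __name__ == "__main__":
    print("role policy alone lacks:", missing_actions([ROLE_POLICY]))
    print("both policies together lack:", missing_actions([ROLE_POLICY, INSTANCE_PROFILE_POLICY]))
```

Run stand-alone, it shows that the first policy on its own cannot build an instance profile or pass the role to EC2, while the two policies together cover every call in the list.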