So I'm constructing a cf stack for a role in AWS and I don't know how to go about the AssumeRolePolicyDocument field when designing a role that is not resource-based.
All the examples I've tried to look up each have a specific AWS resource designated under the "Principal" field (e.g. "Service": "ec2.amazonaws.com").
What's the correct way to go about the AssumeRolePolicyDocument field for roles that are designed for users, not resources?
To add an existing or new IAM managed policy to a new IAM role resource, use the ManagedPolicyArns property of resource type AWS::IAM::Role. To add a new IAM managed policy to an existing IAM role resource, use the Roles property of resource type AWS::IAM::ManagedPolicy.
AssumeRolePolicyDocument. The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see Template Examples.
You can specify an AWS IAM user using the AWS key instead of Service as the Principal for a role policy document, including an AssumeRolePolicyDocument:
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }
Refer to the Specifying a Principal section of the IAM Policy Elements Reference for full details.
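A complete CloudFormation template putting that answer into practice, added here as an example and not part of the original question or answer. It declares an AWS::IAM::Role whose trust policy names a single IAM user in the same account (the user name is a parameter, defaulting to the assumed name "alice"; the role name "ExampleUserAssumableRole" and the attached ReadOnlyAccess policy are also assumptions) and additionally requires that the user authenticated with MFA before the role may be assumed:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Role that a named IAM user (not an AWS service) may assume.
  Added example; names and attached policy are assumptions.

Parameters:
  TrustedUserName:
    Type: String
    Default: alice          # assumed user name; the user must already exist
    Description: Name of an existing IAM user in this account allowed to assume the role

Resources:
  UserAssumableRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ExampleUserAssumableRole   # hypothetical; requires CAPABILITY_NAMED_IAM
      MaxSessionDuration: 3600             # 1 hour; keep short for human-assumed roles
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowNamedUserWithMfa
            Effect: Allow
            # "AWS" principal instead of "Service": an IAM user, not a resource.
            # ${AWS::AccountId} avoids hard-coding the account number.
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/${TrustedUserName}"
            Action: sts:AssumeRole
            # Refuse the AssumeRole call unless the caller's session is MFA-authenticated.
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"
          # Alternative (not used here): trust the whole account and let each user's
          # identity-based policy decide who may call sts:AssumeRole:
          #   Principal:
          #     AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
      # What the role can do once assumed; assumed choice for the example.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

Outputs:
  RoleArn:
    Description: ARN the user passes to sts:AssumeRole
    Value: !GetAtt UserAssumableRole.Arn
```

Deploy with `aws cloudformation deploy --template-file role.yaml --stack-name user-role --capabilities CAPABILITY_NAMED_IAM --parameter-overrides TrustedUserName=alice`, then the user assumes it with `aws sts assume-role --role-arn <RoleArn> --role-session-name alice --serial-number <mfa-device-arn> --token-code <code>`. Three points worth knowing when the principal is a user rather than a service: the user must exist when the stack is created or updated, otherwise IAM rejects the trust policy as having an invalid principal; IAM stores the user's unique ID behind the ARN, so deleting and recreating a user of the same name silently breaks the trust until the trust policy is saved again; and when a user is named explicitly in the trust policy within the same account, no separate sts:AssumeRole allow is needed in the user's identity-based policy, whereas trusting the account root (the commented alternative) does require one.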