I have an IAM role (with many policies and a trust relationship in it). I used this in building an AWS Cognito User Pool. However, this IAM role will be deleted soon.
Making a copy manually will be a chore and also not repeatable. I would like to make a copy either via CLI or script or some other repeatable way.
So far, I have searched through Stack Overflow and Google, but failed to find anything relevant.
Any help is appreciated.
One way to approach it is to duplicate the existing role along with all its policies, make the needed change on the new role and run your tests. There's no aws iam copy-role command though... So your only option is to duplicate the role and its associated policies manually or to script the process.
To add permissions to an IAM identity (IAM user, group, or role), you create a policy, validate the policy, and then attach the policy to the identity. You can attach multiple policies to an identity, and each policy can contain multiple permissions.
An IAM role is both an identity and a resource that supports resource-based policies. For that reason, you must attach both a trust policy and an identity-based policy to an IAM role. Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role.
For assuming a role in the same account, you can either do the same thing as the cross-account situation, OR simply add the "from" role to the trust policy of the "to" role.
It looks like you will need to use:
list_role_policies() to obtain the names of inline policies attached to the role
get_role_policy() to retrieve inline policies
list_attached_role_policies() to list managed policies that are attached to the role
Then create a new role and use:
put_role_policy() to attach an inline policy
attach_role_policy() to attach a managed policy
Trust Relationship also has to be copied.
Thanks to @JohnRotenstein for pointing in the right direction. I came up with a Node.js script to automate the IAM role copy procedure.
Steps it performs along with AWS SDK APIs used:
1. getRole()
2. listRolePolicies(), getRolePolicy()
3. listAttachedRolePolicies()
4. createRole()
5. putRolePolicy()
6. attachRolePolicy()
The process is quite straightforward... The only interesting detail is steps 2 and 3 require recursive fetch to accommodate the fact that policies response can be paginated.
How to make a copy of AWS IAM role.
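Putting the boto3 calls listed in the earlier answer together with the pagination point from the Node.js answer, here is an added example (not the OP's script and not part of the original thread): a copy routine that follows IsTruncated/Marker on the list calls, copies the trust policy, inline policies and managed-policy attachments, and also carries over a permissions boundary if the source role has one. The role names are placeholders, and the client is passed in so the function can be exercised without AWS credentials.

```python
import json


def _paginate(method, key, **kwargs):
    """Collect every item under `key` from a paginated IAM list call."""
    items, marker = [], None
    while True:
        resp = method(**kwargs, **({"Marker": marker} if marker else {}))
        items.extend(resp[key])
        if not resp.get("IsTruncated"):
            return items
        marker = resp["Marker"]


def copy_role(iam, source_name, target_name):
    """Create target_name as a copy of source_name and return what was copied."""
    src = iam.get_role(RoleName=source_name)["Role"]
    create_kwargs = {
        "RoleName": target_name,
        "Path": src.get("Path", "/"),
        # boto3 returns the trust policy already decoded into a dict; re-serialise it.
        "AssumeRolePolicyDocument": json.dumps(src["AssumeRolePolicyDocument"]),
        "MaxSessionDuration": src.get("MaxSessionDuration", 3600),
    }
    if "Description" in src:
        create_kwargs["Description"] = src["Description"]
    if "PermissionsBoundary" in src:  # keep the same ceiling on the copy's permissions
        create_kwargs["PermissionsBoundary"] = src["PermissionsBoundary"]["PermissionsBoundaryArn"]
    iam.create_role(**create_kwargs)

    # Inline policies: names are paginated, each body fetched and re-put by name.
    inline = _paginate(iam.list_role_policies, "PolicyNames", RoleName=source_name)
    for name in inline:
        doc = iam.get_role_policy(RoleName=source_name, PolicyName=name)["PolicyDocument"]
        iam.put_role_policy(RoleName=target_name, PolicyName=name, PolicyDocument=json.dumps(doc))

    # Managed policies: only the attachment (ARN) needs copying.
    attached = _paginate(iam.list_attached_role_policies, "AttachedPolicies", RoleName=source_name)
    for pol in attached:
        iam.attach_role_policy(RoleName=target_name, PolicyArn=pol["PolicyArn"])

    return {"inline": inline, "managed": [p["PolicyArn"] for p in attached]}


if __name__ == "__main__":
    import boto3  # needed only for a real run; placeholder role names below
    print(copy_role(boto3.client("iam"), "source-role", "source-role-copy"))
```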
If Python is an option, perhaps boto3 can be helpful (AWS's SDK for Python)
Creating a role: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_role
Creating a policy: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_policy
More: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#client https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html