| « PreviousNext » | |
   | Did this page help you? Yes | No | Tell us about it... |
AWS::IAM::Role
Creates an AWS Identity and Access Management (IAM) role for EC2 Instances. An IAM role can be used to enable applications running on an Amazon EC2 instance to securely access your AWS resources.
For more information about IAM roles, see Working with Roles in the AWS Identity and Access Management User Guide.
Syntax
{
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": { JSON },
"Path": String,
"Policies": [ IAM policy, ... ]
}
} Properties
- AssumeRolePolicyDocument
The IAM assume role policy document associated with this role.
Required: Yes.
Type: A JSON policy document.
Update requires: no interruption
Note
There can be only one assume role policy document associated with a role, and currently the only policy supported allows an EC2 instance to assume the role. For an example of the allowed policy document, see Template Examples.
- Path
The path associated with this role. For information about IAM paths, see Friendly Names and Paths in the AWS Identity and Access Management User Guide.
Required: Yes.
Type: String.
Update requires: replacement
- Policies
A list of embedded policies to associate with this role. Policies can also be specified externally. For sample templates that demonstrates both embedded and external policies, see Template Examples.
Required: No.
Type: A list of IAM policies.
Update requires: no interruption
Notes on policies for IAM roles
For general information about IAM policies and policy documents, see How to Write a Policy in the AWS Identity and Access Management User Guide.
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic
function, it returns the resource name. For example:
{ "Ref": "RootRole" }For the IAM::Role with the logical ID "RootRole", Ref will return the resource
name.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type.
This section lists the available attributes and corresponding return values.
- Arn
Returns the Amazon Resource Name (ARN) for the instance profile. For example:
{"Fn::GetAtt" : ["MyRole", "Arn"] }This will return a value such as
“arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF”.
For more information about using Fn:GetAtt, see Fn::GetAtt.
Template Examples
Example IAM Role with Embedded Policy and Instance Profiles
This example shows an embedded Policy in the IAM::Role. The policy is specified inline in the IAM::Role Policies property.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/",
"Policies": [ {
"PolicyName": "root",
"PolicyDocument": {
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
}
} ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "RootRole"
} ]
}
}
}
} Example IAM Role with External Policy and Instance Profiles
In this example, the Policy and InstanceProfile resources are specified externally to the IAM Role. They refer to the role by specifying its name, "RootRole", in their respective Roles properties.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ {
"Ref": "RootRole"
} ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "RootRole"
} ]
}
}
}
} 
