Reputation: 3599
I am trying to create an IAM role with an AWS managed policy; however, it asks me for a policy document.

    aws iam create-role --role-name test-role
    usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
    To see help text, you can run:
      aws help
      aws <command> help
      aws <command> <subcommand> help
    aws: error: argument --assume-role-policy-document is required

I am trying to attach an AWS managed policy like AWSLambdaFullAccess.
Upvotes: 6
Views: 9984
Reputation: 5665
Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. Every IAM role requires a trust policy.
You have to specify a trust policy when creating a role through the CLI. Identity-based policies (managed/inline) can be attached to a role afterwards by using the attach-role-policy or put-role-policy commands.
The following trust policy lets the Lambda service assume this role. You have to provide this file as input to the command using the assume-role-policy-document option.
trust-policy.json

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Then create the role and attach the managed policy:

    aws iam create-role --role-name Test-Role --assume-role-policy-document file://trust-policy.json
    aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSLambdaFullAccess --role-name Test-Role

Upvotes: 16
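
An added example, not part of the answer above: a small offline check that lists which principals a trust policy lets assume the role, so a file like trust-policy.json can be reviewed before it is passed to create-role. The function names and the wildcard sample policy are constructed for illustration, and Condition and NotPrincipal elements are not evaluated.

```python
import json

# Trust policy from the answer above: only the Lambda service may assume the role.
LAMBDA_TRUST = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "", "Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
""")

# Constructed sample (not from the page): a trust policy with a wildcard principal.
OPEN_TRUST = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                             "Action": "sts:AssumeRole"}]}

# Action values (lower-cased) that cover assuming a role.
ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithsaml",
                  "sts:assumerolewithwebidentity", "sts:*", "*"}

def _as_list(value):
    """IAM allows a single value or a list for Statement, Action and principals."""
    return value if isinstance(value, list) else [value]

def trusted_principals(policy):
    """Return sorted (type, value) pairs that Allow statements let assume the role.
    Simplification: Condition and NotPrincipal elements are not evaluated."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare "*" is shorthand for any principal
            principal = {"*": "*"}
        for ptype, values in principal.items():
            found.update((ptype, v) for v in _as_list(values))
    return sorted(found)

def lint_trust_policy(policy, expected_service):
    """Return findings; an empty list means only expected_service is trusted."""
    principals = trusted_principals(policy)
    findings = [] if principals else ["no principal may assume the role"]
    for ptype, value in principals:
        if value == "*":
            findings.append(f"wildcard principal in {ptype}")
        elif (ptype, value) != ("Service", expected_service):
            findings.append(f"unexpected principal {ptype}:{value}")
    return findings
```

Calling `lint_trust_policy(json.load(open("trust-policy.json")), "lambda.amazonaws.com")` returns an empty list for the policy in the answer.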