Reputation: 875
I am deploying a CloudFormation template to AWS. A role for my Lambda invocation is being created by a template that I am importing, and I cannot modify it directly. I wish to modify that role to attach the AWS managed policy `AWSLambdaVPCAccessExecutionRole` that already exists in my AWS account. So far, all of my searches have come up empty. There is `aws_iam_role_policy_attachment` in something called Terraform, but that is not available to me. I am hoping for something like the following, but I cannot find any evidence of this existing anywhere. Is there anything that can do what I am trying to do?
```yaml
---
Resources:
  AdditionalRolePermissions:
    Type: "AWS::IAM::RolePolicyAttachment"
    Properties:
      Roles:
        - Ref: ExistingRole
      PolicyName:
        - Ref: ExistingPolicy
```
The best solution I have come up with so far is to create a new policy that has a manually created `PolicyDocument` that is the same as the existing one for `AWSLambdaVPCAccessExecutionRole` and attach it to the role upon creation. I would prefer not to do that though, because it will be harder to maintain.
Upvotes: 2
Views: 4729
Reputation: 3120
It is possible as of 2021. Please see: https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-attach-managed-policy/
Example:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: something cool
Resources:
  IAM:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      RoleName: some_role_name
      # Existing managed policies are referenced by ARN through ManagedPolicyArns.
      # The Policies property takes inline policy documents and does not accept ARNs.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
```
Upvotes: 0
Reputation: 8137
Unfortunately, you cannot do this in pure CloudFormation unless you create a custom resource, but this isn't really pure CloudFormation at that point, as you'd need to create a Lambda and other resources to implement the custom resource. There is no concept of a policy attachment in CloudFormation presently, and these attachments only happen when you define a policy or role resource.
The simplest thing would be to go with your solution of creating a policy that duplicates `AWSLambdaVPCAccessExecutionRole`. That policy is fairly simple and shouldn't clutter up your CloudFormation template too much compared to some other complicated policies.
Upvotes: 2
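For readers who do go the custom-resource route the answer above describes, here is an added example of the Lambda handler such a resource would run. It is not code from any of the posts or from AWS; the resource property names `RoleName` and `PolicyArn`, the `Custom::ManagedPolicyAttachment` resource type name, and the `FakeIam` stand-in are this example's own conventions, assumed so the logic can be exercised offline.

```python
# Lambda-backed CloudFormation custom resource that attaches an EXISTING
# managed policy to an EXISTING IAM role (added example, not from the thread).
# Assumed resource properties: RoleName, PolicyArn. Delete undoes the attach
# by parsing the PhysicalResourceId, so CloudFormation's cleanup Delete after
# an Update that changed role or policy detaches the old pairing correctly.
import json
import urllib.request


class FakeIam:
    """Constructed in-memory stand-in for boto3's IAM client (offline demo only).
    Models just the three calls the handler uses."""

    def __init__(self):
        self.attached = {}  # role name -> set of attached policy ARNs

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached.setdefault(RoleName, set()).add(PolicyArn)

    def detach_role_policy(self, RoleName, PolicyArn):
        self.attached.get(RoleName, set()).discard(PolicyArn)

    def list_attached_role_policies(self, RoleName):
        arns = sorted(self.attached.get(RoleName, ()))
        return {"AttachedPolicies": [{"PolicyArn": a} for a in arns]}


def is_attached(iam, role_name, policy_arn):
    """True if the managed policy is currently attached to the role."""
    page = iam.list_attached_role_policies(RoleName=role_name)
    return any(p["PolicyArn"] == policy_arn for p in page["AttachedPolicies"])


def physical_id(props):
    """Encode role and policy in the physical id so Delete needs no properties."""
    return f"{props['RoleName']}|{props['PolicyArn']}"


def apply(iam, event):
    """Run the lifecycle action; returns (PhysicalResourceId, Data)."""
    rtype = event["RequestType"]
    props = event.get("ResourceProperties", {})
    if rtype in ("Create", "Update"):
        role, arn = props["RoleName"], props["PolicyArn"]
        if not is_attached(iam, role, arn):  # skip the write if already there
            iam.attach_role_policy(RoleName=role, PolicyArn=arn)
        return physical_id(props), {"Action": "attached"}
    if rtype == "Delete":
        pid = event.get("PhysicalResourceId", "")
        parts = pid.split("|", 1)
        if len(parts) != 2:  # Create never succeeded, nothing to undo
            return pid, {"Action": "nothing-to-detach"}
        role, arn = parts
        if is_attached(iam, role, arn):
            iam.detach_role_policy(RoleName=role, PolicyArn=arn)
            return pid, {"Action": "detached"}
        return pid, {"Action": "already-detached"}
    raise ValueError(f"unknown RequestType {rtype!r}")


def build_response(event, status, pid, data, reason=""):
    """Body in the shape CloudFormation expects back from a custom resource."""
    return {
        "Status": status,
        "Reason": reason or "ok",
        "PhysicalResourceId": pid,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data,
    }


def send_response(url, body):
    """PUT the response to the pre-signed ResponseURL (network, Lambda only)."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(url, data=payload, method="PUT",
                                 headers={"Content-Type": ""})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def lambda_handler(event, context):
    import boto3  # imported lazily so the module loads without boto3 locally
    iam = boto3.client("iam")
    try:
        pid, data = apply(iam, event)
        body = build_response(event, "SUCCESS", pid, data)
    except Exception as exc:  # always answer, or the stack hangs until timeout
        pid = event.get("PhysicalResourceId", "failed")
        body = build_response(event, "FAILED", pid, {}, reason=str(exc))
    return send_response(event["ResponseURL"], body)


if __name__ == "__main__":
    # Constructed Create event, run against the fake client.
    demo = {"RequestType": "Create", "ResourceProperties": {
        "RoleName": "example-role",
        "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"}}
    print(apply(FakeIam(), demo))
```

In the template, the resource would be declared as `Type: Custom::ManagedPolicyAttachment` with `ServiceToken` pointing at the function's ARN plus the `RoleName` and `PolicyArn` properties. The function's own execution role needs only `iam:AttachRolePolicy`, `iam:DetachRolePolicy` and `iam:ListAttachedRolePolicies`, and its `Resource` should be restricted to the ARN of the target role rather than `*`, since a Lambda that can attach arbitrary policies to arbitrary roles is itself a privilege-escalation path.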