0 votes
1 view
in AWS by (18.2k points)

I want to create an IAM policy and attach it to some IAM role using AWS command-line interface.

Creating a policy is quite simple:

aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json

But to attach the newly created policy to the target role I must know the ARN of the policy:

aws iam attach-role-policy --role-name "${role_name}" --policy-arn "${policy_arn}"

What is the correct way to retrieve ARN of the newly created policy?

Right now I'm constructing policy_arn myself using policy_name and the account_id:

policy_arn=arn:aws:iam::"${account_id}":policy/"${policy_name}"

This is how I retrieve the account_id:

account_id=$(aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' --output text)

However, this feels quite hacky.

Is there a better way to find out ARN of the created policy?

1 Answer

0 votes
by (42.5k points)

ARN will be printed if you add --output to create-policy:

aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json --output text

With this you can get the policies and the ARN:

aws iam list-policies --query 'Policies[*].[PolicyName, Arn]' --output text

For one policy, you can get the ARN like this:

aws iam list-policies --query 'Policies[?PolicyName==`FullAccess`].Arn' --output text

Output:

arn:aws:iam::aws:policy/FullAccess

Welcome to Intellipaat Community. Get your technical queries answered by top developers !


Categories

...