0 votes
2 views
in AWS by (19.1k points)

I want to create an IAM policy and attach it to some IAM role using the AWS command-line interface.

Creating a policy is quite simple:

aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json

But to attach the newly created policy to the target role I must know the ARN of the policy:

aws iam attach-role-policy --role-name "${role_name}" --policy-arn "${policy_arn}"

What is the correct way to retrieve the ARN of the newly created policy?

Right now I'm constructing policy_arn myself using policy_name and the account_id:

policy_arn=arn:aws:iam::"${account_id}":policy/"${policy_name}"

This is how I retrieve the account_id:

account_id=$(aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' --output text)

However, this feels quite hacky.

Is there a better way to find out the ARN of the created policy?

1 Answer

0 votes
by (44.4k points)
edited by

The ARN will be printed if you add --output to create-policy:

aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json --output text

With this you can get the policies and their ARNs:

aws iam list-policies --query 'Policies[*].[PolicyName, Arn]' --output text

For one policy, you can get the ARN like this:

aws iam list-policies --query 'Policies[?PolicyName==`FullAccess`].Arn' --output text

Output:

arn:aws:iam::aws:policy/FullAccess

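An added example, not code from the question or the answer above: a POSIX shell script that creates the policy and reads its ARN straight out of the create-policy response with --query 'Policy.Arn' (so no account ID has to be looked up and no ARN has to be assembled by hand), falls back to list-policies --scope Local when a policy of that name already exists, checks that what it got back is a customer-managed policy ARN, and only then attaches it to the role. The helper names are my own; it assumes the AWS CLI is installed with credentials allowed to call iam:CreatePolicy, iam:ListPolicies and iam:AttachRolePolicy, and takes the policy name, policy document path and role name as positional arguments.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the AWS CLI and
# credentials permitted for iam:CreatePolicy, iam:ListPolicies and
# iam:AttachRolePolicy. Helper names below are mine, not AWS CLI commands.
set -eu

# Pull "Arn" out of a raw create-policy JSON response read on stdin
# (for the case where the full JSON was captured without --query).
# Uses sed so it works without jq; the response has exactly one "Arn" key.
arn_from_create_policy_json() {
    sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Customer-managed policy ARNs look like arn:aws:iam::<12-digit account>:policy/<path><name>.
# AWS-managed ones (arn:aws:iam::aws:policy/...) deliberately do not match.
is_customer_managed_policy_arn() {
    printf '%s' "$1" | grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:policy/.+$'
}

# Create the policy and print its ARN; if a policy of that name already
# exists, look it up instead. Any other error is passed through, not hidden.
ensure_policy_arn() {
    policy_name=$1
    document=$2
    err=$(mktemp)
    if arn=$(aws iam create-policy --policy-name "$policy_name" \
                 --policy-document "file://$document" \
                 --query 'Policy.Arn' --output text 2>"$err"); then
        rm -f "$err"
        printf '%s\n' "$arn"
    elif grep -q EntityAlreadyExists "$err"; then
        rm -f "$err"
        # Names are unique per account, so this yields exactly one ARN.
        aws iam list-policies --scope Local \
            --query "Policies[?PolicyName=='$policy_name'].Arn" --output text
    else
        cat "$err" >&2
        rm -f "$err"
        return 1
    fi
}

# Refuse to attach anything that is not a customer-managed policy ARN from this account.
attach_policy_to_role() {
    role_name=$1
    policy_arn=$2
    if ! is_customer_managed_policy_arn "$policy_arn"; then
        printf 'unexpected policy ARN: %s\n' "$policy_arn" >&2
        return 1
    fi
    aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
}

main() {
    arn=$(ensure_policy_arn "$1" "$2")
    attach_policy_to_role "$3" "$arn"
    printf 'attached %s to role %s\n' "$arn" "$3"
}

# Usage: ./attach-policy.sh <policy-name> <policy.json> <role-name>
if [ $# -eq 3 ]; then
    main "$@"
fi
```

The ARN check matters because the answer's last example shows an AWS-managed ARN (arn:aws:iam::aws:policy/FullAccess): a list-policies query on PolicyName alone can match an AWS-managed policy with the same name unless --scope Local is given, so the script both restricts the lookup and validates the result before it touches the role.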
