← All posts
2 min read

Attach a managed policy to an IAM role

#aws#cli#iam#security#identity
📑 On this page

Part 113 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Attaching a permission policy defines what sessions using the role can request.

Before you run it

ROLE_NAME="aws-zero-demo-role"
POLICY_ARN="arn:aws:iam::123456789012:policy/AwsZeroListBuckets"

Inspect both the role trust policy and managed policy document before connecting them.

The command

aws iam attach-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-arn "$POLICY_ARN"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam list-attached-role-policies \
  --role-name "$ROLE_NAME" \
  --query "AttachedPolicies[].{Name:PolicyName,Arn:PolicyArn}" \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam put-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-name InlineDemo \
  --policy-document file://inline-policy.json

Roles can also have inline policies, though managed policies usually improve reuse and versioning.

Common mistake

A role attachment affects every future session of that role. Review workload and human usage before broadening it.

Cleanup

aws iam list-attached-role-policies --role-name "$ROLE_NAME"

Keep the demo attachment for the assume-role lessons.

Next, we will learn List every policy on an IAM role.

Official AWS CLI reference