Attach a managed policy to an IAM role
📑 On this page
Part 113 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
Attaching a permission policy defines what sessions using the role can request.
Before you run it
ROLE_NAME="aws-zero-demo-role"
POLICY_ARN="arn:aws:iam::123456789012:policy/AwsZeroListBuckets"Inspect both the role trust policy and managed policy document before connecting them.
The command
aws iam attach-role-policy \
--role-name "$ROLE_NAME" \
--policy-arn "$POLICY_ARN"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam list-attached-role-policies \
--role-name "$ROLE_NAME" \
--query "AttachedPolicies[].{Name:PolicyName,Arn:PolicyArn}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam put-role-policy \
--role-name "$ROLE_NAME" \
--policy-name InlineDemo \
--policy-document file://inline-policy.jsonRoles can also have inline policies, though managed policies usually improve reuse and versioning.
Common mistake
A role attachment affects every future session of that role. Review workload and human usage before broadening it.
Cleanup
aws iam list-attached-role-policies --role-name "$ROLE_NAME"Keep the demo attachment for the assume-role lessons.
Next, we will learn List every policy on an IAM role.