Michał Sakowicz

Software craftsman. Hooked on distributed systems. Proponent of simplicity. Bigger picture advocate.

AWS CLI - working with IAM roles

Posted by Michał Sakowicz on 18 April, 2018

This is a quick ‘remind me’ post. To create a role, use the following command:

aws iam create-role --role-name Test-Role --assume-role-policy-document file://role.json

The role.json below is the trust relationship (trust policy) document; it tells AWS that the Lambda service (lambda.amazonaws.com) is allowed to assume the newly created role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

To make the role usable we need to attach policies; in this case I attach an inline policy:

aws iam put-role-policy --role-name Test-Role --policy-name ExamplePolicy --policy-document file://policy.json

Here in policy.json we describe which actions are allowed for our new role. In this case our Lambda can interact with DynamoDB (including DynamoDB Streams) and CloudWatch Logs, on any resource ("Resource": "*").

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams",
                "dynamodb:PutItem",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
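The policy above grants every listed action on "Resource": "*". As an added example (not code from the original post), the script below flags such statements and builds the same grants scoped to one DynamoDB table, its stream and the Lambda function's own log group. The account id, region, table and function names are constructed placeholders, and the /aws/lambda/<function> log-group naming is an assumption.

```python
import json

# Constructed copy of the page's policy.json: every action on Resource "*".
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator",
                   "dynamodb:ListStreams", "dynamodb:PutItem", "logs:CreateLogGroup",
                   "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}

def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def wildcard_statements(policy):
    """Indices of Allow statements that grant their actions on every resource."""
    return [i for i, st in enumerate(policy["Statement"])
            if st["Effect"] == "Allow" and "*" in as_list(st["Resource"])]

def actions(policy):
    """Set of all actions a policy grants, for comparing two documents."""
    return {a for st in policy["Statement"] for a in as_list(st["Action"])}

def scoped_policy(account_id, region, table, function_name):
    """Same grants as WILDCARD_POLICY, limited to one table, its stream and one log group."""
    table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{table}"
    # Assumed log-group name: Lambda's default /aws/lambda/<function name>.
    log_group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadStream", "Effect": "Allow",
             "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords",
                        "dynamodb:GetShardIterator", "dynamodb:ListStreams"],
             "Resource": f"{table_arn}/stream/*"},
            {"Sid": "WriteTable", "Effect": "Allow",
             "Action": "dynamodb:PutItem", "Resource": table_arn},
            {"Sid": "CreateLogGroup", "Effect": "Allow", "Action": "logs:CreateLogGroup",
             "Resource": f"arn:aws:logs:{region}:{account_id}:*"},
            {"Sid": "WriteLogs", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"{log_group}:*"},
        ],
    }

if __name__ == "__main__":
    # Redirect to policy.json and pass it as --policy-document file://policy.json
    print(json.dumps(scoped_policy("123456789012", "eu-west-1", "Orders", "orders-fn"), indent=2))
```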

To delete a role we first need to remove all policies attached to it. We can list the inline policies attached to a role using:

aws iam list-role-policies --role-name Test-Role

To remove a policy:

aws iam delete-role-policy --role-name Test-Role --policy-name ExamplePolicy

Finally, to delete the role:

aws iam delete-role --role-name Test-Role