AWS IAM Policy to allow user to create IAM Roles (from Management Console & AWS CLI)

Question

I've searched quite a bit but cannot find a policy to allow a user to create IAM Roles from both the management console (AWS website), and from AWS CLI.

Any help is greatly appreciated

EDIT: More clarification, the end-goal is to allow the user to create an Instance IAM Role.

score 13 · Answer 1 · answered Jul 22 '16 at 15:19

13

Here is the policy you need to use.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1469200763880",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

answered Jul 22 '16 at 15:19

Piyush Patil

14,512
6
35
54

Thank you for your help! – Fadi Jul 22 '16 at 18:25
Sometimes you need to add iam:PutRole too to the inline policy like that shown above. – Robert Oschler Nov 09 '19 at 03:08

score 6 · Accepted Answer · edited Nov 25 '16 at 12:30

I've been using a policy like this to allow cloudformation templates to attach roles to ec2

If this isn't enough permissions then there is a list here

http://docs.aws.amazon.com/IAM/latest/UserGuide/list_iam.html

of all the available, allowable iam permissions and you can add as much as you like

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:PassRole",
                "iam:DeleteInstanceProfile"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

I appreciate the link that shows the different kinds of permissions along with the policy that I need. — Fadi, Jul 22 '16 at 18:25

AWS IAM Policy to allow user to create IAM Roles (from Management Console & AWS CLI)

2 Answers2