Role
Provides an IAM Role
Sample Code
Role with a pre-defined AWS policy
Create an IAM Role and attach a pre-defined AWS policy

```js
exports.createResources = () => [
  {
    type: "Role",
    group: "IAM",
    name: "ecsInstanceRole",
    properties: ({}) => ({
      Path: "/",
      // Trust policy: only the EC2 service may assume this role
      AssumeRolePolicyDocument: {
        Version: "2008-10-17",
        Statement: [
          {
            Sid: "",
            Effect: "Allow",
            Principal: {
              Service: "ec2.amazonaws.com",
            },
            Action: "sts:AssumeRole",
          },
        ],
      },
      // AWS-managed policy, referenced by its ARN
      AttachedPolicies: [
        {
          PolicyName: "AmazonEC2ContainerServiceforEC2Role",
          PolicyArn:
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
        },
      ],
    }),
  },
];
```
Attach a user defined policy to a role
Create an IAM Role and attach a user-defined AWS policy

```js
exports.createResources = () => [
  {
    type: "Role",
    group: "IAM",
    name: "lambda-role",
    properties: ({}) => ({
      Path: "/",
      // Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument: {
        Version: "2012-10-17",
        Statement: [
          {
            Sid: "",
            Effect: "Allow",
            Principal: {
              Service: "lambda.amazonaws.com",
            },
            Action: "sts:AssumeRole",
          },
        ],
      },
    }),
    // The customer-managed policy below is attached through a dependency
    dependencies: () => ({
      policies: ["lambda-policy"],
    }),
  },
  {
    type: "Policy",
    group: "IAM",
    name: "lambda-policy",
    properties: ({}) => ({
      PolicyDocument: {
        Version: "2012-10-17",
        Statement: [
          {
            Action: ["logs:*"],
            Effect: "Allow",
            Resource: "*",
          },
        ],
      },
      Path: "/",
      Description: "Allow logs",
    }),
  },
];
```
Add an inline policy to a role
```js
exports.createResources = () => [
  {
    type: "Role",
    group: "IAM",
    properties: ({}) => ({
      RoleName: "lambda-role",
      AssumeRolePolicyDocument: {
        Version: "2012-10-17",
        Statement: [
          {
            Sid: "",
            Effect: "Allow",
            Principal: {
              Service: "lambda.amazonaws.com",
            },
            Action: "sts:AssumeRole",
          },
        ],
      },
      // Inline policies live inside the role itself (no separate Policy resource)
      Policies: [
        {
          PolicyDocument: {
            Version: "2012-10-17",
            Statement: [
              {
                Action: "dynamodb:*",
                Resource: [
                  "arn:aws:dynamodb:eu-west-2:1234567890:table/AppsyncCdkAppStack-CDKNotesTable254A7FD1-3MPG6DUNDCO9",
                ],
                Effect: "Allow",
              },
            ],
          },
          PolicyName: "AppSyncNotesHandlerServiceRoleDefaultPolicy12C70C4F",
        },
      ],
    }),
    // Also attaches the user-defined "lambda-policy" resource from the previous example
    dependencies: () => ({
      policies: ["lambda-policy"],
    }),
  },
];
```
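The two examples above (a user-defined policy granting `logs:*` on `Resource: "*"`, and an inline policy scoped to one DynamoDB table ARN) show the difference between a broad grant and a scoped one. The following is an added example, not GruCloud's own code: a small least-privilege check that walks the array returned by a `createResources`-style function and flags Allow statements that combine a wildcard action with `Resource: "*"`, trust policies that admit any principal, and federated principals with no `Condition`. The helper names (`lintResources`, `lintTrustPolicy`, `isOverlyBroad`) and the sample resources are assumptions constructed for this example; they mirror the shapes used on this page but are not part of GruCloud.

```javascript
// Added example, not GruCloud code. Reviews IAM Role/Policy definitions for
// common over-permissioning patterns before they are deployed.

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True when one Allow statement grants "*" or "service:*" over Resource "*".
function isOverlyBroad(statement) {
  if (statement.Effect !== "Allow") return false;
  const actions = asArray(statement.Action);
  const resources = asArray(statement.Resource);
  const wildcardAction = actions.some((a) => a === "*" || a.endsWith(":*"));
  const wildcardResource = resources.includes("*");
  return wildcardAction && wildcardResource;
}

// Findings for a role's trust policy (AssumeRolePolicyDocument).
function lintTrustPolicy(roleName, doc) {
  const findings = [];
  for (const st of asArray(doc && doc.Statement)) {
    const principal = st.Principal;
    if (principal === "*" || (principal && principal.AWS === "*")) {
      findings.push(`${roleName}: trust policy allows any principal`);
    }
    if (principal && principal.Federated && !st.Condition) {
      findings.push(`${roleName}: federated principal without a Condition`);
    }
  }
  return findings;
}

// Lint every IAM resource in a createResources()-style array.
function lintResources(resources) {
  const findings = [];
  for (const r of resources) {
    if (r.group !== "IAM") continue;
    const props = typeof r.properties === "function" ? r.properties({}) : {};
    const name = r.name || props.RoleName || props.PolicyName || "<unnamed>";
    if (r.type === "Role") {
      findings.push(...lintTrustPolicy(name, props.AssumeRolePolicyDocument));
      for (const inline of asArray(props.Policies)) {
        const doc = inline.PolicyDocument;
        for (const st of asArray(doc && doc.Statement)) {
          if (isOverlyBroad(st)) {
            findings.push(`${name}/${inline.PolicyName}: wildcard action on all resources`);
          }
        }
      }
    } else if (r.type === "Policy") {
      for (const st of asArray(props.PolicyDocument && props.PolicyDocument.Statement)) {
        if (isOverlyBroad(st)) findings.push(`${name}: wildcard action on all resources`);
      }
    }
  }
  return findings;
}

// Constructed sample (hypothetical account id and table) mirroring the page's
// lambda-role / lambda-policy pair: one scoped inline policy, one broad managed policy.
const sampleResources = () => [
  {
    type: "Role",
    group: "IAM",
    name: "lambda-role",
    properties: ({}) => ({
      AssumeRolePolicyDocument: {
        Version: "2012-10-17",
        Statement: [
          { Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" },
        ],
      },
      Policies: [
        {
          PolicyName: "table-access",
          PolicyDocument: {
            Version: "2012-10-17",
            Statement: [
              { Effect: "Allow", Action: "dynamodb:*", Resource: ["arn:aws:dynamodb:eu-west-2:111111111111:table/ExampleTable"] },
            ],
          },
        },
      ],
    }),
    dependencies: () => ({ policies: ["lambda-policy"] }),
  },
  {
    type: "Policy",
    group: "IAM",
    name: "lambda-policy",
    properties: ({}) => ({
      PolicyDocument: {
        Version: "2012-10-17",
        Statement: [{ Action: ["logs:*"], Effect: "Allow", Resource: "*" }],
      },
    }),
  },
];

console.log(lintResources(sampleResources()));
```

Running the block reports only the `lambda-policy` statement: the inline `dynamodb:*` grant is not flagged because it is limited to a single table ARN, while `logs:*` on every resource is. The check is deliberately simple (it does not evaluate `NotAction`, `Deny` precedence or conditions on permission statements), which is enough to catch the patterns shown on this page before `gc apply`.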
Add a role to an instance profile
```js
exports.createResources = () => [
  {
    type: "Role",
    group: "IAM",
    properties: ({}) => ({
      RoleName: "role-ecs",
      Path: "/",
      AssumeRolePolicyDocument: {
        Version: "2012-10-17",
        Statement: [
          {
            Effect: "Allow",
            Principal: {
              Service: "ec2.amazonaws.com",
            },
            Action: "sts:AssumeRole",
          },
        ],
      },
    }),
  },
  {
    // The instance profile is what an EC2 instance actually carries; it wraps the role
    type: "InstanceProfile",
    group: "IAM",
    name: "role-ecs",
    dependencies: () => ({
      roles: ["role-ecs"],
    }),
  },
];
```
Properties
Dependencies
Used By
- APIGateway Account
- APIGateway RestApi
- ApiGatewayV2 Integration
- AppConfig Configuration Profile
- AutoScaling AutoScalingGroup
- AppRunner Service
- AppSync DataSource
- AppSync GraphqlApi
- Batch Compute Environment
- Batch Job Definition
- CloudFormation Stack
- CloudTrail Trail
- CloudWatchEvents Target
- CloudWatchLogs SubscriptionFilter
- CodeBuild Project
- CodeDeploy Application
- CodePipeline Pipeline
- Config Configuration Recorder
- EC2 Flow Logs
- EC2 Vpc Endpoint
- ECS TaskDefinition
- EKS Cluster
- EKS NodeGroup
- Firehose DeliveryStream
- IAM Instance Profile
- Lambda Function
- Glue Job
- RDS DBInstance
- RDS DBCluster
- RDS DBProxy
- SSM Document
- StepFunctions StateMachine
Examples
- APIGateway restapi-lambda
- ApiGatewayV2 http-lambda
- apigw-http-api-eventbridge
- AppRunner apprunner-simple
- [aws-cdk-examples/application-load-balancer-fargate-service](https://github.com/grucloud/grucloud/tree/main/examples/aws/aws-cdk-examples/application-load-balancer-fargate-service)
- AppSync graphql
- serverless-patterns appsync-eventbridge
- CodeBuild codebuild-simple
- Codedeploy codedeploy-ecs
- CodePipeline code-pipeline-ecr
- EC2 flow logs on vpc
- EKS simple
- Step function invoking a Glue job
- IAM simple example
- RDS aurora-v2
- apigw-http-api-lambda-rds-proxy
- StepFunctions send item to dynamoDB
List
```sh
gc list -t IAM::Role
```

```txt
Listing resources on 1 provider: aws
✓ aws
✓ Initialising
✓ Listing 1/1
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ 3 iam::Role from aws │
├────────────────────────────────────────────────────────────────────────────────────────┤
│ name: role-cluster │
│ managedByUs: Yes │
│ live: │
│ Path: / │
│ RoleName: role-cluster │
│ RoleId: AROA4HNBM2ZQBIII7KZ4Z │
│ Arn: arn:aws:iam::840541460064:role/role-cluster │
│ CreateDate: 2021-07-21T13:29:11.000Z │
│ AssumeRolePolicyDocument: │
│ Version: 2012-10-17 │
│ Statement: │
│ - Effect: Allow │
│ Principal: │
│ Service: eks.amazonaws.com │
│ Action: sts:AssumeRole │
│ MaxSessionDuration: 3600 │
│ Tags: │
│ - Key: Name │
│ Value: role-cluster │
│ - Key: gc-managed-by │
│ Value: grucloud │
│ - Key: gc-created-by-provider │
│ Value: aws │
│ - Key: gc-stage │
│ Value: dev │
│ - Key: gc-project-name │
│ Value: @grucloud/example-module-aws-load-balancer-controller │
│ - Key: gc-namespace │
│ Value: EKS │
│ InstanceProfiles: [] │
│ AttachedPolicies: │
│ - PolicyName: AmazonEKSClusterPolicy │
│ PolicyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy │
│ - PolicyName: AmazonEKSVPCResourceController │
│ PolicyArn: arn:aws:iam::aws:policy/AmazonEKSVPCResourceController │
│ Policies: [] │
│ │
├────────────────────────────────────────────────────────────────────────────────────────┤
│ name: role-load-balancer │
│ managedByUs: Yes │
│ live: │
│ Path: / │
│ RoleName: role-load-balancer │
│ RoleId: AROA4HNBM2ZQH2RLTJRCD │
│ Arn: arn:aws:iam::840541460064:role/role-load-balancer │
│ CreateDate: 2021-07-21T13:39:48.000Z │
│ AssumeRolePolicyDocument: │
│ Version: 2012-10-17 │
│ Statement: │
│ - Effect: Allow │
│ Principal: │
│ Federated: arn:aws:iam::840541460064:oidc-provider/oidc.eks.eu-west-2.amazo… │
│ Action: sts:AssumeRoleWithWebIdentity │
│ Condition: │
│ StringEquals: │
│ oidc.eks.eu-west-2.amazonaws.com/id/9377E3CCC52850A5BC4BEF6D012643E6:aud:… │
│ MaxSessionDuration: 3600 │
│ Tags: │
│ - Key: Name │
│ Value: role-load-balancer │
│ - Key: gc-managed-by │
│ Value: grucloud │
│ - Key: gc-created-by-provider │
│ Value: aws │
│ - Key: gc-stage │
│ Value: dev │
│ - Key: gc-project-name │
│ Value: @grucloud/example-module-aws-load-balancer-controller │
│ - Key: gc-namespace │
│ Value: LoadBalancerControllerRole │
│ AttachedPolicies: │
│ - PolicyName: AWSLoadBalancerControllerIAMPolicy │
│ PolicyArn: arn:aws:iam::840541460064:policy/AWSLoadBalancerControllerIAMPolicy │
│ InstanceProfiles: [] │
│ Policies: [] │
│ │
├────────────────────────────────────────────────────────────────────────────────────────┤
│ name: role-node-group │
│ managedByUs: Yes │
│ live: │
│ Path: / │
│ RoleName: role-node-group │
│ RoleId: AROA4HNBM2ZQAQEEDNKMM │
│ Arn: arn:aws:iam::840541460064:role/role-node-group │
│ CreateDate: 2021-07-21T13:29:11.000Z │
│ AssumeRolePolicyDocument: │
│ Version: 2012-10-17 │
│ Statement: │
│ - Effect: Allow │
│ Principal: │
│ Service: ec2.amazonaws.com │
│ Action: sts:AssumeRole │
│ MaxSessionDuration: 3600 │
│ Tags: │
│ - Key: Name │
│ Value: role-node-group │
│ - Key: gc-managed-by │
│ Value: grucloud │
│ - Key: gc-created-by-provider │
│ Value: aws │
│ - Key: gc-stage │
│ Value: dev │
│ - Key: gc-project-name │
│ Value: @grucloud/example-module-aws-load-balancer-controller │
│ - Key: gc-namespace │
│ Value: EKS │
│ AttachedPolicies: │
│ - PolicyName: AmazonEKSWorkerNodePolicy │
│ PolicyArn: arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy │
│ - PolicyName: AmazonEC2ContainerRegistryReadOnly │
│ PolicyArn: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly │
│ - PolicyName: AmazonEKS_CNI_Policy │
│ PolicyArn: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy │
│ Policies: [] │
│ InstanceProfiles: │
│ - InstanceProfileName: eks-b6bd64a5-a3dc-30a8-b4a5-f6a7fd37e90d │
│ InstanceProfileId: AIPA4HNBM2ZQACXAPZ3H7 │
│ Arn: arn:aws:iam::840541460064:instance-profile/eks-b6bd64a5-a3dc-30a8-b4a5-f6a… │
│ Path: / │
│ │
└────────────────────────────────────────────────────────────────────────────────────────┘
List Summary:
Provider: aws
┌───────────────────────────────────────────────────────────────────────────────────┐
│ aws │
├────────────────────────────────┬──────────────────────────────────────────────────┤
│ iam::Role │ role-cluster │
│ │ role-load-balancer │
│ │ role-node-group │
└────────────────────────────────┴──────────────────────────────────────────────────┘
3 resources, 2 types, 1 provider
Command "gc l -t Role" executed in 5s
```