Attach an IAM policy to a role using an Amazon SDK
The following code examples show how to attach an IAM policy to a role.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code examples:
- .NET
- Amazon SDK for .NET
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```csharp
/// <summary>
/// Attach an IAM policy to a role.
/// </summary>
/// <param name="policyArn">The policy to attach.</param>
/// <param name="roleName">The role that the policy will be attached to.</param>
/// <returns>A Boolean value indicating the success of the action.</returns>
public async Task<bool> AttachRolePolicyAsync(string policyArn, string roleName)
{
    var response = await _IAMService.AttachRolePolicyAsync(new AttachRolePolicyRequest
    {
        PolicyArn = policyArn,
        RoleName = roleName,
    });

    return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
```
For API details, see AttachRolePolicy in Amazon SDK for .NET API Reference.
- Bash
- Amazon CLI with Bash script
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```bash
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
  printf "%s\n" "$*" 1>&2
}

###############################################################################
# function iam_attach_role_policy
#
# This function attaches an IAM policy to a role.
#
# Parameters:
#       -n role_name -- The name of the IAM role.
#       -p policy_ARN -- The IAM policy document ARN.
#
# Returns:
#       0 - If successful.
#       1 - If it fails.
###############################################################################
function iam_attach_role_policy() {
  local role_name policy_arn response
  local option OPTARG # Required to use getopts command in a function.

  # bashsupport disable=BP5008
  function usage() {
    echo "function iam_attach_role_policy"
    echo "Attaches an AWS Identity and Access Management (IAM) policy to an IAM role."
    echo "  -n role_name   The name of the IAM role."
    echo "  -p policy_ARN -- The IAM policy document ARN."
    echo ""
  }

  # Retrieve the calling parameters.
  while getopts "n:p:h" option; do
    case "${option}" in
      n) role_name="${OPTARG}" ;;
      p) policy_arn="${OPTARG}" ;;
      h)
        usage
        return 0
        ;;
      \?)
        echo "Invalid parameter"
        usage
        return 1
        ;;
    esac
  done
  export OPTIND=1

  if [[ -z "$role_name" ]]; then
    errecho "ERROR: You must provide a role name with the -n parameter."
    usage
    return 1
  fi

  if [[ -z "$policy_arn" ]]; then
    errecho "ERROR: You must provide a policy ARN with the -p parameter."
    usage
    return 1
  fi

  response=$(aws iam attach-role-policy \
    --role-name "$role_name" \
    --policy-arn "$policy_arn")

  local error_code=${?}

  if [[ $error_code -ne 0 ]]; then
    # aws_cli_error_log comes from the complete example (not shown here).
    aws_cli_error_log $error_code
    errecho "ERROR: AWS reports attach-role-policy operation failed.\n$response"
    return 1
  fi

  echo "$response"

  return 0
}
```
For API details, see AttachRolePolicy in Amazon CLI Command Reference.
- C++
- SDK for C++
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```cpp
#include <algorithm>
#include <iostream>
#include <aws/core/Aws.h>
#include <aws/iam/IAMClient.h>
#include <aws/iam/model/AttachRolePolicyRequest.h>
#include <aws/iam/model/ListAttachedRolePoliciesRequest.h>

bool AwsDoc::IAM::attachRolePolicy(const Aws::String &roleName,
                                   const Aws::String &policyArn,
                                   const Aws::Client::ClientConfiguration &clientConfig) {
    Aws::IAM::IAMClient iam(clientConfig);

    // Page through the policies already attached to the role.
    Aws::IAM::Model::ListAttachedRolePoliciesRequest list_request;
    list_request.SetRoleName(roleName);

    bool done = false;
    while (!done) {
        auto list_outcome = iam.ListAttachedRolePolicies(list_request);
        if (!list_outcome.IsSuccess()) {
            std::cerr << "Failed to list attached policies of role " <<
                      roleName << ": " << list_outcome.GetError().GetMessage() <<
                      std::endl;
            return false;
        }

        const auto &policies = list_outcome.GetResult().GetAttachedPolicies();
        if (std::any_of(policies.cbegin(), policies.cend(),
                        [=](const Aws::IAM::Model::AttachedPolicy &policy) {
                            return policy.GetPolicyArn() == policyArn;
                        })) {
            std::cout << "Policy " << policyArn <<
                      " is already attached to role " << roleName << std::endl;
            return true;
        }

        // Continue from the marker until the listing is no longer truncated.
        done = !list_outcome.GetResult().GetIsTruncated();
        list_request.SetMarker(list_outcome.GetResult().GetMarker());
    }

    Aws::IAM::Model::AttachRolePolicyRequest request;
    request.SetRoleName(roleName);
    request.SetPolicyArn(policyArn);

    Aws::IAM::Model::AttachRolePolicyOutcome outcome = iam.AttachRolePolicy(request);
    if (!outcome.IsSuccess()) {
        std::cerr << "Failed to attach policy " << policyArn << " to role " <<
                  roleName << ": " << outcome.GetError().GetMessage() << std::endl;
    }
    else {
        std::cout << "Successfully attached policy " << policyArn << " to role " <<
                  roleName << std::endl;
    }

    return outcome.IsSuccess();
}
```
For API details, see AttachRolePolicy in Amazon SDK for C++ API Reference.
- Go
- SDK for Go V2
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```go
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/iam"
)

// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
	IamClient *iam.Client
}

// AttachRolePolicy attaches a policy to a role.
func (wrapper RoleWrapper) AttachRolePolicy(policyArn string, roleName string) error {
	_, err := wrapper.IamClient.AttachRolePolicy(context.TODO(), &iam.AttachRolePolicyInput{
		PolicyArn: aws.String(policyArn),
		RoleName:  aws.String(roleName),
	})
	if err != nil {
		log.Printf("Couldn't attach policy %v to role %v. Here's why: %v\n", policyArn, roleName, err)
	}
	return err
}
```
For API details, see AttachRolePolicy in Amazon SDK for Go API Reference.
- Java
- SDK for Java 2.x
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```java
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn ) {

    try {
        ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
            .roleName(roleName)
            .build();

        ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request);
        List<AttachedPolicy> attachedPolicies = response.attachedPolicies();

        // Ensure that the policy is not attached to this role
        String polArn = "";
        for (AttachedPolicy policy: attachedPolicies) {
            polArn = policy.policyArn();
            if (polArn.compareTo(policyArn)==0) {
                System.out.println(roleName + " policy is already attached to this role.");
                return;
            }
        }

        AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder()
            .roleName(roleName)
            .policyArn(policyArn)
            .build();

        iam.attachRolePolicy(attachRequest);

        System.out.println("Successfully attached policy " + policyArn +
            " to role " + roleName);

    } catch (IamException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
    System.out.println("Done");
}
```
For API details, see AttachRolePolicy in Amazon SDK for Java 2.x API Reference.
- JavaScript
- SDK for JavaScript (v3)
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
Attach the policy.
```javascript
import { AttachRolePolicyCommand, IAMClient } from "@aws-sdk/client-iam";

const client = new IAMClient({});

/**
 *
 * @param {string} policyArn
 * @param {string} roleName
 */
export const attachRolePolicy = (policyArn, roleName) => {
  const command = new AttachRolePolicyCommand({
    PolicyArn: policyArn,
    RoleName: roleName,
  });

  return client.send(command);
};
```
For more information, see Amazon SDK for JavaScript Developer Guide.
For API details, see AttachRolePolicy in Amazon SDK for JavaScript API Reference.
- SDK for JavaScript (v2)
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```javascript
// Load the AWS SDK for Node.js
var AWS = require('aws-sdk');
// Set the region
AWS.config.update({region: 'REGION'});

// Create the IAM service object
var iam = new AWS.IAM({apiVersion: '2010-05-08'});

var paramsRoleList = {
  RoleName: process.argv[2]
};

iam.listAttachedRolePolicies(paramsRoleList, function(err, data) {
  if (err) {
    console.log("Error", err);
  } else {
    var myRolePolicies = data.AttachedPolicies;
    myRolePolicies.forEach(function (val, index, array) {
      if (myRolePolicies[index].PolicyName === 'AmazonDynamoDBFullAccess') {
        console.log("AmazonDynamoDBFullAccess is already attached to this role.")
        process.exit();
      }
    });
    var params = {
      PolicyArn: 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess',
      RoleName: process.argv[2]
    };
    iam.attachRolePolicy(params, function(err, data) {
      if (err) {
        console.log("Unable to attach policy to role", err);
      } else {
        console.log("Role attached successfully");
      }
    });
  }
});
```
For more information, see Amazon SDK for JavaScript Developer Guide.
For API details, see AttachRolePolicy in Amazon SDK for JavaScript API Reference.
- Kotlin
- SDK for Kotlin
Note
This is prerelease documentation for a feature in preview release. It is subject to change.
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```kotlin
suspend fun attachIAMRolePolicy(roleNameVal: String, policyArnVal: String) {

    val request = ListAttachedRolePoliciesRequest {
        roleName = roleNameVal
    }

    IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
        val response = iamClient.listAttachedRolePolicies(request)
        val attachedPolicies = response.attachedPolicies

        // Ensure that the policy is not attached to this role.
        val checkStatus: Int
        if (attachedPolicies != null) {
            checkStatus = checkList(attachedPolicies, policyArnVal)
            if (checkStatus == -1)
                return
        }

        val policyRequest = AttachRolePolicyRequest {
            roleName = roleNameVal
            policyArn = policyArnVal
        }
        iamClient.attachRolePolicy(policyRequest)
        println("Successfully attached policy $policyArnVal to role $roleNameVal")
    }
}

fun checkList(attachedPolicies: List<AttachedPolicy>, policyArnVal: String): Int {

    for (policy in attachedPolicies) {
        val polArn = policy.policyArn.toString()

        if (polArn.compareTo(policyArnVal) == 0) {
            println("The policy is already attached to this role.")
            return -1
        }
    }
    return 0
}
```
For API details, see AttachRolePolicy in Amazon SDK for Kotlin API reference.
- PHP
- SDK for PHP
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```php
$uuid = uniqid();
$service = new IAMService();

$assumeRolePolicyDocument = "{
        \"Version\": \"2012-10-17\",
        \"Statement\": [{
            \"Effect\": \"Allow\",
            \"Principal\": {\"AWS\": \"{$user['Arn']}\"},
            \"Action\": \"sts:AssumeRole\"
        }]
    }";
$assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument);
echo "Created role: {$assumeRoleRole['RoleName']}\n";

$listAllBucketsPolicyDocument = "{
        \"Version\": \"2012-10-17\",
        \"Statement\": [{
            \"Effect\": \"Allow\",
            \"Action\": \"s3:ListAllMyBuckets\",
            \"Resource\": \"arn:aws:s3:::*\"}]
    }";
$listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument);
echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n";

$service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);

// The attachRolePolicy method called above, as defined on the service wrapper class.
public function attachRolePolicy($roleName, $policyArn)
{
    return $this->customWaiter(function () use ($roleName, $policyArn) {
        $this->iamClient->attachRolePolicy([
            'PolicyArn' => $policyArn,
            'RoleName' => $roleName,
        ]);
    });
}
```
For API details, see AttachRolePolicy in Amazon SDK for PHP API Reference.
- Python
- SDK for Python (Boto3)
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
Attach a policy to a role using the Boto3 Policy object.
```python
import logging

import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)
iam = boto3.resource("iam")


def attach_to_role(role_name, policy_arn):
    """
    Attaches a policy to a role.

    :param role_name: The name of the role. **Note** this is the name, not the ARN.
    :param policy_arn: The ARN of the policy.
    """
    try:
        iam.Policy(policy_arn).attach_role(RoleName=role_name)
        logger.info("Attached policy %s to role %s.", policy_arn, role_name)
    except ClientError:
        logger.exception("Couldn't attach policy %s to role %s.", policy_arn, role_name)
        raise
```
Attach a policy to a role using the Boto3 Role object.
```python
# Uses the same imports, logger and iam resource as the previous block.
def attach_policy(role_name, policy_arn):
    """
    Attaches a policy to a role.

    :param role_name: The name of the role. **Note** this is the name, not the ARN.
    :param policy_arn: The ARN of the policy.
    """
    try:
        iam.Role(role_name).attach_policy(PolicyArn=policy_arn)
        logger.info("Attached policy %s to role %s.", policy_arn, role_name)
    except ClientError:
        logger.exception("Couldn't attach policy %s to role %s.", policy_arn, role_name)
        raise
```
For API details, see AttachRolePolicy in Amazon SDK for Python (Boto3) API Reference.
- Ruby
- SDK for Ruby
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```ruby
# Creates a policy that grants permission to list S3 buckets in the account, and
# then attaches the policy to a role.
#
# @param policy_name [String] The name to give the policy.
# @param role [Aws::IAM::Role] The role that the policy is attached to.
# @return [Aws::IAM::Policy] The newly created policy.
def create_and_attach_role_policy(policy_name, role)
  policy = @iam_resource.create_policy(
    policy_name: policy_name,
    policy_document: {
      Version: "2012-10-17",
      Statement: [{
        Effect: "Allow",
        Action: "s3:ListAllMyBuckets",
        Resource: "arn:aws:s3:::*"
      }]
    }.to_json)
  role.attach_policy(policy_arn: policy.arn)
  puts("Created policy #{policy.policy_name} and attached it to role #{role.name}.")
rescue Aws::Errors::ServiceError => e
  puts("Couldn't create a policy and attach it to role #{role.name}. Here's why: ")
  puts("\t#{e.code}: #{e.message}")
  raise
else
  policy
end
```
For API details, see AttachRolePolicy in Amazon SDK for Ruby API Reference.
- Rust
- SDK for Rust
Note
This documentation is for an SDK in preview release. The SDK is subject to change and should not be used in production.
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```rust
pub async fn attach_role_policy(
    client: &iamClient,
    role: &Role,
    policy: &Policy,
) -> Result<AttachRolePolicyOutput, SdkError<AttachRolePolicyError>> {
    client
        .attach_role_policy()
        .role_name(role.role_name.as_ref().unwrap())
        .policy_arn(policy.arn.as_ref().unwrap())
        .send()
        .await
}
```
For API details, see AttachRolePolicy in Amazon SDK for Rust API reference.
- Swift
- SDK for Swift
Note
This is prerelease documentation for an SDK in preview release. It is subject to change.
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.
```swift
public func attachRolePolicy(role: String, policyArn: String) async throws {
    let input = AttachRolePolicyInput(
        policyArn: policyArn,
        roleName: role
    )
    do {
        _ = try await client.attachRolePolicy(input: input)
    } catch {
        throw error
    }
}
```
For API details, see AttachRolePolicy in Amazon SDK for Swift API reference.
For a complete list of Amazon SDK developer guides and code examples, see Using IAM with an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.
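An added example, not part of the original page or its code examples repository: a Python version of the check-then-attach pattern used by the C++, Java, JavaScript (v2) and Kotlin examples above, following the pagination marker as the C++ version does and, going beyond the page, refusing any policy ARN that is not on a caller-supplied allowlist. The names `attach_if_allowed`, `FakeIam` and the allowlist parameter are assumptions; `FakeIam` is a constructed in-memory stand-in exposing the Boto3 client methods `list_attached_role_policies` and `attach_role_policy`, so the block runs offline.

```python
import re

# Shape of an IAM policy ARN (AWS-managed policies use "aws" as the account field).
POLICY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(aws|\d{12}):policy/[\w+=,.@/-]+$")


def attach_if_allowed(iam_client, role_name, policy_arn, allowed_arns):
    """Attach policy_arn to role_name only if it is allowlisted and not yet attached.

    iam_client is anything exposing the Boto3 IAM client methods
    list_attached_role_policies and attach_role_policy (assumption of this example).
    Returns "attached" or "already-attached"; raises ValueError on a rejected ARN.
    """
    if not POLICY_ARN_RE.match(policy_arn):
        raise ValueError(f"not a policy ARN: {policy_arn!r}")
    if policy_arn not in allowed_arns:
        raise ValueError(f"policy not on the allowlist: {policy_arn}")

    kwargs = {"RoleName": role_name}
    while True:  # follow Marker so a policy on a later page is not missed
        page = iam_client.list_attached_role_policies(**kwargs)
        if any(p["PolicyArn"] == policy_arn for p in page["AttachedPolicies"]):
            return "already-attached"
        if not page.get("IsTruncated"):
            break
        kwargs["Marker"] = page["Marker"]

    iam_client.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return "attached"


class FakeIam:
    """Constructed in-memory stand-in for the IAM client; returns two policies per page."""

    def __init__(self, attached):
        self.attached = list(attached)

    def list_attached_role_policies(self, RoleName, Marker="0"):
        start = int(Marker)
        chunk = self.attached[start:start + 2]
        more = start + 2 < len(self.attached)
        page = {"AttachedPolicies": [{"PolicyArn": a} for a in chunk], "IsTruncated": more}
        if more:
            page["Marker"] = str(start + 2)
        return page

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached.append(PolicyArn)
```

With a real account, pass `boto3.client("iam")` in place of `FakeIam`; the allowlist is where a deployment pipeline would pin the exact policies a role is permitted to receive.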