
@brianantonelli
Last active December 1, 2021 16:03
iam-role-types-policies

AWS CloudWatch:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"logs.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS vmimport:

{
	"Version":"2012-10-17",
  "Statement":[
		{
      "Condition":{
        "StringEquals":{
          "sts:Externalid":"vmimport"
        }
      },
      "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
        "Service":"vmie.amazonaws.com"
      }
    }
  ]
}

Amazon Forecast:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"forecast.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS Transfer for SFTP:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"transfer.amazonaws.com"
      }
    }
  ]
}

AWS Service Catalog (note: the principal in this entry is sns.amazonaws.com, which does not match the heading; the entry further down titled "Service Catalog" trusts servicecatalog.amazonaws.com):

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"sns.amazonaws.com"
      }
    }
  ]
}

AWS Amplify:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"amplify.amazonaws.com"
      }
    }
  ]
}

AWS Kinesis Analytics:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"kinesisanalytics.amazonaws.com"
      }
    }
  ]
}

Cross Account (ARN_VAR is a placeholder for the trusted principal's ARN; this statement has no sts:ExternalId condition, unlike the vmimport and Elastic Beanstalk entries, so scope ARN_VAR to a specific role or account rather than a wildcard):

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "AWS":"ARN_VAR"
      },
      "Sid":""
    }
  ]
}

Amazon Elastic Transcoder:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"elastictranscoder.amazonaws.com"
      }
    }
  ]
}

Amazon CloudWatch Events:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"events.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS OpsWorks:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"opsworks.amazonaws.com"
      }
    }
  ]
}

Amazon EC2:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"ec2.amazonaws.com"
      }
    }
  ]
}

Amazon RDS Role for Enhanced Monitoring:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"monitoring.rds.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS SWF:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"swf.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

CodePipeline:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"codepipeline.amazonaws.com"
      }
    }
  ]
}

Amazon EC2 Role for EC2 Container Service:

{
	"Version":"2008-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"ec2.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS Comprehend:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"comprehend.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

Amazon Elastic MapReduce:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"elasticmapreduce.amazonaws.com"
      }
    }
  ]
}

Manheim Bento Management:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":[
		      "ec2.amazonaws.com"
        ],
        "AWS":[
		      "arn:aws:iam::931528216295:role/acct-managed/bento_dev_sensei_iam_role",
          "arn:aws:iam::423319072129:role/bento_dev_ree_iam_role"
        ]
      }
    }
  ]
}

Amazon Machine Learning Role for Redshift Data Source:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"machinelearning.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS Glue Service:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"glue.amazonaws.com"
      }
    }
  ]
}

Amazon EKS:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"eks.amazonaws.com"
      }
    }
  ]
}

Service Catalog:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"servicecatalog.amazonaws.com"
      }
    }
  ]
}

Amazon EC2 Container Service Role:

{
	"Version":"2008-10-17","Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"ecs.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AutoScaling Notification Access:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"autoscaling.amazonaws.com"
      }
    }
  ]
}

AWS CloudHSM:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"cloudhsm.amazonaws.com"
      }
    }
  ]
}

Amazon EC2 Container Service Task Role:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"ecs-tasks.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS Backup:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"backup.amazonaws.com"
      }
    }
  ]
}

Amazon EC2 Role for Simple Systems Manager:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":[
		      "ec2.amazonaws.com",
          "ssm.amazonaws.com"
        ]
      },
      "Sid":""
    }
  ]
}

AWS AppSync:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"appsync.amazonaws.com"
      }
    }
  ]
}

Amazon Elastic MapReduce For Autoscaling:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":[
		      "elasticmapreduce.amazonaws.com",
          "application-autoscaling.amazonaws.com"
        ]
      }
    }
  ]
}

DynamoDB Autoscaling:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"application-autoscaling.amazonaws.com"
      }
    }
  ]
}

Amazon Data Lifecycle Manager:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"dlm.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

Amazon DAX:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"dax.amazonaws.com"
      }
    }
  ]
}

Amazon API Gateway:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"apigateway.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS IoT:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"iot.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS Lambda Edge:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":[
		      "lambda.amazonaws.com",
          "edgelambda.amazonaws.com"
        ]
      }
    }
  ]
}

Amazon SNS:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"sns.amazonaws.com"
      }
    }
  ]
}

Amazon EC2 Role for Data Pipeline:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	"Action":"sts:AssumeRole","Effect":"Allow","Principal":{
	"Service":"ec2.amazonaws.com"}}]}

Inner Account:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "AWS":"ARN_VAR"
      },
      "Sid":""
    }
  ]
}

AWS Data Pipeline:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":[
		      "datapipeline.amazonaws.com",
          "elasticmapreduce.amazonaws.com"
        ]
      }
    }
  ]
}

Amazon EC2 Container Service Autoscale Role:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"application-autoscaling.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

Amazon RDS:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"rds.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS CodeBuild:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"codebuild.amazonaws.com"
      }
    }
  ]
}

AWS Glue Service Notebook:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"ec2.amazonaws.com"
      }
    }
  ]
}

AWS Batch Service:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"batch.amazonaws.com"
      }
    }
  ]
}

Amazon Redshift:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"redshift.amazonaws.com"
      }
    }
  ]
}

AWS Elastic Beanstalk:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Condition":{
	      "StringEquals":{
	        "sts:ExternalId":"elasticbeanstalk"
        }
      },
      "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"elasticbeanstalk.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS Lambda:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"lambda.amazonaws.com"
      }
    }
  ]
}

AWS Greengrass Role:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"greengrass.amazonaws.com"
      }
    }
  ]
}

AWS Config:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"config.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

AWS Step Functions:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"states.amazonaws.com"
      }
    }
  ]
}

AWS Storage Gateway:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"storagegateway.amazonaws.com"
      }
    }
  ]
}

AWS CloudFormation Role:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"cloudformation.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

S3:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"s3.amazonaws.com"
      }
    }
  ]
}

Amazon SageMaker:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"sagemaker.amazonaws.com"
      }
    }
  ]
}

AWS Directory Service:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"ds.amazonaws.com"
      }
    }
  ]
}

Firehose:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Condition":{
	      "StringEquals":{
          "sts:ExternalId":"AccountID"
        }
      },
      "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"firehose.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

Amazon Elasticsearch Service:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"es.amazonaws.com"
      }
    }
  ]
}

AWS CodeDeploy:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"codedeploy.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

Kinesis Firehose (same trust policy as the "Firehose" entry above; "AccountID" is a placeholder for the caller's account ID):

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Condition":{
	      "StringEquals":{
	        "sts:ExternalId":"AccountID"
        }
      },
      "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
        "Service":"firehose.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

Amazon EC2 Spot Fleet Role:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"spotfleet.amazonaws.com"
      },
      "Sid":""
    }
  ]
}

Amazon Elastic MapReduce for EC2:

{
	"Version":"2012-10-17",
  "Statement":[
		{
	    "Action":"sts:AssumeRole",
      "Effect":"Allow",
      "Principal":{
	      "Service":"ec2.amazonaws.com"
      }
    }
  ]
}
@ekozlowski

Thanks Brian! 👍

@webbbarker

I've also updated the Trust Policy list in my fork if you'd like to pull in those changes as well.
