How Do I Modify IAM Assume_role_policy in Pulumi?

Introduction

In this guide, we will walk you through the process of modifying an IAM assume_role_policy using Pulumi with TypeScript. The purpose of this guide is to help you understand how to create an IAM role and update its assume role policy to allow specific AWS services or accounts to assume the role. This is particularly useful for managing permissions and access controls in your AWS environment programmatically.

Key Points:

  • We will create an IAM role.
  • We will define and attach an assume role policy to the IAM role.
  • The assume role policy will specify which AWS services or accounts are allowed to assume the role.

Step-by-Step Process

  1. Create an IAM Role: Begin by creating an IAM role using Pulumi. This role will initially have an assume role policy that allows a specific AWS service to assume the role.

  2. Define the Assume Role Policy: The initial policy will allow the EC2 service to assume the role. This is accomplished by specifying the Principal as Service: "ec2.amazonaws.com".

  3. Modify the Assume Role Policy: Update the assume role policy to include additional permissions. In this example, we will allow both the ECS service and a specific AWS account to assume the role.

  4. Update the IAM Role: Apply the updated assume role policy to the IAM role. This involves creating a new role with the updated policy.

  5. Export the Role ARN: Finally, export the ARN of the updated role for use in other parts of your infrastructure.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an IAM role
const role = new aws.iam.Role("myRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: {
                    Service: "ec2.amazonaws.com"
                },
                Action: "sts:AssumeRole"
            }
        ]
    })
});

// Modify the assume role policy
const updatedAssumeRolePolicy = JSON.stringify({
    Version: "2012-10-17",
    Statement: [
        {
            Effect: "Allow",
            Principal: {
                Service: "ecs.amazonaws.com"
            },
            Action: "sts:AssumeRole"
        },
        {
            Effect: "Allow",
            Principal: {
                // The :root principal delegates to the whole account: any IAM identity in
                // 123456789012 whose own policies allow sts:AssumeRole may assume this role
                AWS: "arn:aws:iam::123456789012:root"
            },
            Action: "sts:AssumeRole"
        }
    ]
});

// Update the IAM role with the new assume role policy
const updatedRole = new aws.iam.Role("myUpdatedRole", {
    assumeRolePolicy: updatedAssumeRolePolicy
});

// Export the role ARN
export const roleArn = updatedRole.arn;
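
As an added example, not code from the original page or the Pulumi project, the following TypeScript builds the same trust policy as a typed object rather than a hand-written JSON literal, appends principals instead of replacing the Statement array, and lints the result for over-broad trust before JSON.stringify() hands it to assumeRolePolicy. The helper names and the optional sts:ExternalId scoping are assumptions of this example.

```typescript
// Added example, not from the page: build the trust (assume role) policy as a typed
// object, extend it, and lint it before JSON.stringify() hands it to aws.iam.Role.
type Principal = { Service?: string | string[]; AWS?: string | string[] };
interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: "sts:AssumeRole";
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface TrustPolicy { Version: "2012-10-17"; Statement: TrustStatement[] }

// Trust an AWS service principal, e.g. "ec2.amazonaws.com" or "ecs.amazonaws.com".
function trustService(service: string): TrustStatement {
  return { Effect: "Allow", Principal: { Service: service }, Action: "sts:AssumeRole" };
}

// Trust another account. A bare :root principal lets any IAM identity in that account
// whose own policies allow sts:AssumeRole use the role; an optional sts:ExternalId
// condition (assumed here) narrows that.
function trustAccount(accountId: string, externalId?: string): TrustStatement {
  if (!/^\d{12}$/.test(accountId)) throw new Error(`bad account id: ${accountId}`);
  const stmt: TrustStatement = {
    Effect: "Allow", Principal: { AWS: `arn:aws:iam::${accountId}:root` }, Action: "sts:AssumeRole",
  };
  if (externalId) stmt.Condition = { StringEquals: { "sts:ExternalId": externalId } };
  return stmt;
}

// Append statements to a policy. The page's updated policy lists only the new
// principals; appending keeps EC2 trusted alongside them.
function extendTrust(policy: TrustPolicy, ...extra: TrustStatement[]): TrustPolicy {
  return { Version: policy.Version, Statement: [...policy.Statement, ...extra] };
}

// Lint: list the trust relationships a reviewer should question before deploying.
function trustFindings(policy: TrustPolicy): string[] {
  const out: string[] = [];
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    const aws = ([] as string[]).concat(s.Principal.AWS ?? []);
    if (aws.includes("*")) out.push(`#${i}: wildcard AWS principal (any account)`);
    for (const p of aws)
      if (p.endsWith(":root") && !s.Condition)
        out.push(`#${i}: whole account ${p} trusted without a Condition`);
  });
  return out;
}
// The page's final policy, assembled by extension; JSON.stringify(pagePolicy) feeds assumeRolePolicy.
const pagePolicy = extendTrust({ Version: "2012-10-17", Statement: [trustService("ec2.amazonaws.com")] },
  trustService("ecs.amazonaws.com"), trustAccount("123456789012"));
```

Running trustFindings(pagePolicy) reports the account-root statement, which is the one a reviewer would ask to scope with a Condition before deployment.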

Summary

In this guide, we demonstrated how to create and modify an IAM assume role policy using Pulumi with TypeScript. We created an IAM role and initially set its assume role policy to allow the EC2 service to assume the role. We then updated the policy to include permissions for the ECS service and a specific AWS account. This guide shows how Pulumi can be used to manage and update IAM policies programmatically, providing a flexible and efficient way to handle AWS permissions and access controls.