


# AWS Identity and Access Management
<a name="AWS_IAM"></a>

**Resource types**
+ [AWS::IAM::AccessKey](aws-resource-iam-accesskey.md)
+ [AWS::IAM::Group](aws-resource-iam-group.md)
+ [AWS::IAM::GroupPolicy](aws-resource-iam-grouppolicy.md)
+ [AWS::IAM::InstanceProfile](aws-resource-iam-instanceprofile.md)
+ [AWS::IAM::ManagedPolicy](aws-resource-iam-managedpolicy.md)
+ [AWS::IAM::OIDCProvider](aws-resource-iam-oidcprovider.md)
+ [AWS::IAM::Policy](aws-resource-iam-policy.md)
+ [AWS::IAM::Role](aws-resource-iam-role.md)
+ [AWS::IAM::RolePolicy](aws-resource-iam-rolepolicy.md)
+ [AWS::IAM::SAMLProvider](aws-resource-iam-samlprovider.md)
+ [AWS::IAM::ServerCertificate](aws-resource-iam-servercertificate.md)
+ [AWS::IAM::ServiceLinkedRole](aws-resource-iam-servicelinkedrole.md)
+ [AWS::IAM::User](aws-resource-iam-user.md)
+ [AWS::IAM::UserPolicy](aws-resource-iam-userpolicy.md)
+ [AWS::IAM::UserToGroupAddition](aws-resource-iam-usertogroupaddition.md)
+ [AWS::IAM::VirtualMFADevice](aws-resource-iam-virtualmfadevice.md)

# AWS::IAM::AccessKey
<a name="aws-resource-iam-accesskey"></a>

 Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is `Active`.

 For information about quotas on the number of keys you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

**Important**  
To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can rotate access keys by increasing the value of the `Serial` property.

## Syntax
<a name="aws-resource-iam-accesskey-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-accesskey-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::AccessKey",
  "Properties" : {
      "Serial" : Integer,
      "Status" : String,
      "UserName" : String
    }
}
```

### YAML
<a name="aws-resource-iam-accesskey-syntax.yaml"></a>

```
Type: AWS::IAM::AccessKey
Properties:
  Serial: Integer
  Status: String
  UserName: String
```

## Properties
<a name="aws-resource-iam-accesskey-properties"></a>

`Serial`  <a name="cfn-iam-accesskey-serial"></a>
This value is specific to CloudFormation and can only be *incremented*. Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.  
*Required*: No  
*Type*: Integer  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Status`  <a name="cfn-iam-accesskey-status"></a>
The status of the access key. `Active` means that the key is valid for API calls, while `Inactive` means it is not.   
*Required*: No  
*Type*: String  
*Allowed values*: `Active | Inactive | Expired`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UserName`  <a name="cfn-iam-accesskey-username"></a>
The name of the IAM user that the new key will belong to.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-iam-accesskey-return-values"></a>

### Ref
<a name="aws-resource-iam-accesskey-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `AccessKeyId`. For example: `AKIAIOSFODNN7EXAMPLE`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-accesskey-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).


`Id`  <a name="Id-fn::getatt"></a>
The ID for this access key.

`SecretAccessKey`  <a name="SecretAccessKey-fn::getatt"></a>
Returns the secret access key for the specified `AWS::IAM::AccessKey` resource. For example: `wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY`.
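Because `Fn::GetAtt` hands back the secret in plain text, it matters where a template sends that value: anything placed under `Outputs` is readable by whoever can describe the stack. The following is an added example, not AWS code, that walks a parsed template and classifies every read of `SecretAccessKey`; the function names, the verdict labels and the sample template are constructed for illustration.

```python
import re

# ${LogicalId.SecretAccessKey} inside an Fn::Sub string
SUB_REF = re.compile(r"\$\{([A-Za-z0-9]+)\.SecretAccessKey\}")


def _secret_refs(node):
    """Logical IDs whose SecretAccessKey attribute is read by this one node."""
    if not isinstance(node, dict) or len(node) != 1:
        return []
    (fn, arg), = node.items()
    if fn == "Fn::GetAtt":
        # Either ["Id", "Attr"] or the "Id.Attr" string form
        if isinstance(arg, str):
            parts = arg.split(".", 1)
        elif isinstance(arg, list):
            parts = arg
        else:
            parts = []
        if len(parts) == 2 and parts[1] == "SecretAccessKey":
            return [parts[0]]
    if fn == "Fn::Sub":
        text = arg if isinstance(arg, str) else (arg[0] if arg else "")
        if isinstance(text, str):
            return SUB_REF.findall(text)
    return []


def _walk(node, trail):
    """Yield (trail, logical_id) for every secret read at or below node."""
    for logical_id in _secret_refs(node):
        yield trail, logical_id
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, trail + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, trail + (index,))


def audit_secret_exposure(template):
    """Return [(verdict, location, access_key_logical_id), ...].

    EXPOSED: the secret is a stack output.
    OK:      the secret is written into an AWS::SecretsManager::Secret.
    REVIEW:  the secret flows into some other resource property.
    """
    resources = template.get("Resources", {})
    access_keys = {lid for lid, res in resources.items()
                   if res.get("Type") == "AWS::IAM::AccessKey"}
    findings = []
    for section in ("Resources", "Outputs"):
        for trail, lid in _walk(template.get(section, {}), (section,)):
            if lid not in access_keys:
                continue
            owner = resources.get(trail[1], {}) if len(trail) > 1 else {}
            if section == "Outputs":
                verdict = "EXPOSED"
            elif owner.get("Type") == "AWS::SecretsManager::Secret":
                verdict = "OK"
            else:
                verdict = "REVIEW"
            findings.append((verdict, "/".join(str(p) for p in trail), lid))
    return findings


# Constructed sample template (already parsed from JSON), not taken from AWS docs.
SAMPLE = {
    "Resources": {
        "CiUser": {"Type": "AWS::IAM::User"},
        "CiKey": {
            "Type": "AWS::IAM::AccessKey",
            "Properties": {"Serial": 2, "Status": "Active",
                           "UserName": {"Ref": "CiUser"}},
        },
        "CiKeySecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {"SecretString": {
                "Fn::Sub": '{"id":"${CiKey}","secret":"${CiKey.SecretAccessKey}"}'}},
        },
    },
    "Outputs": {
        "KeyId": {"Value": {"Ref": "CiKey"}},
        "KeySecret": {"Value": {"Fn::GetAtt": ["CiKey", "SecretAccessKey"]}},
    },
}

if __name__ == "__main__":
    for verdict, location, lid in audit_secret_exposure(SAMPLE):
        print(f"{verdict:8} {location} reads {lid}.SecretAccessKey")
```
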

## See also
<a name="aws-resource-iam-accesskey--seealso"></a>
+ To view `AWS::IAM::AccessKey` template example snippets, see [Declaring an IAM Access Key Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-accesskey). 
+ [CreateAccessKey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::Group
<a name="aws-resource-iam-group"></a>

Creates a new group.

 For information about the number of groups you can create, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-group-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-group-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::Group",
  "Properties" : {
      "GroupName" : String,
      "ManagedPolicyArns" : [ String, ... ],
      "Path" : String,
      "Policies" : [ Policy, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-group-syntax.yaml"></a>

```
Type: AWS::IAM::Group
Properties:
  GroupName: String
  ManagedPolicyArns:
    - String
  Path: String
  Policies:
    - Policy
```

## Properties
<a name="aws-resource-iam-group-properties"></a>

`GroupName`  <a name="cfn-iam-group-groupname"></a>
The name of the group to create. Do not include the path in this value.  
The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the group name.  
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.  
If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities).  
Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}`.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ManagedPolicyArns`  <a name="cfn-iam-group-managedpolicyarns"></a>
The Amazon Resource Name (ARN) of the IAM policy you want to attach.  
For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Path`  <a name="cfn-iam-group-path"></a>
 The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
This parameter is optional. If it is not included, it defaults to a slash (/).  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.  
*Required*: No  
*Type*: String  
*Pattern*: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Policies`  <a name="cfn-iam-group-policies"></a>
Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group).  
The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.  
For information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: Array of [Policy](aws-properties-iam-group-policy.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
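An added example (not AWS code) that checks the `AWS::IAM::Group` constraints listed above against a parsed template: the `Path` pattern, case-insensitive `GroupName` uniqueness, unique inline `PolicyName` values, and whether a `GroupName` means the stack needs `CAPABILITY_NAMED_IAM`. The name pattern is the one this page lists for `PolicyName` and for the `GroupName` of `AWS::IAM::GroupPolicy`; `lint_groups` and the sample template are constructed for illustration, and the `Path` check follows the listed pattern, whose upper bound is `\u007E` and therefore excludes DEL.

```python
import re

# Patterns as listed on this page. re.ASCII limits \w to [A-Za-z0-9_]; without it
# Python's \w would also accept non-ASCII letters, which the prose rules out.
NAME_RE = re.compile(r"[\w+=,.@-]+", re.ASCII)
PATH_RE = re.compile(r"(\u002F)|(\u002F[\u0021-\u007E]+\u002F)")


def valid_name(value, maximum=128):
    """Whole-string match of the name pattern plus the 1..maximum length bound."""
    return 1 <= len(value) <= maximum and NAME_RE.fullmatch(value) is not None


def valid_path(value):
    """'/' alone, or '/.../' built from U+0021..U+007E, with length 1..512."""
    return 1 <= len(value) <= 512 and PATH_RE.fullmatch(value) is not None


def lint_groups(template):
    """Return (findings, needs_named_iam) for the AWS::IAM::Group resources."""
    findings, needs_named_iam, names_seen = [], False, {}
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Group":
            continue
        props = res.get("Properties", {})

        if "GroupName" in props:
            needs_named_iam = True  # any explicit name, literal or intrinsic
            name = props["GroupName"]
            if isinstance(name, str):  # intrinsics resolve only at deploy time
                if not valid_name(name):
                    findings.append(f"{lid}: GroupName {name!r} fails the name pattern")
                first = names_seen.setdefault(name.lower(), lid)
                if first != lid:
                    findings.append(
                        f"{lid}: GroupName {name!r} differs from {first}'s only by case")

        path = props.get("Path", "/")  # documented default
        if isinstance(path, str) and not valid_path(path):
            findings.append(f"{lid}: Path {path!r} fails the path pattern")

        literal = [p.get("PolicyName") for p in props.get("Policies", [])
                   if isinstance(p.get("PolicyName"), str)]
        for pname in sorted(set(literal)):
            if not valid_name(pname):
                findings.append(f"{lid}: PolicyName {pname!r} fails the name pattern")
            if literal.count(pname) > 1:
                findings.append(f"{lid}: inline PolicyName {pname!r} is not unique")
    return findings, needs_named_iam


# Constructed sample template (already parsed), not taken from AWS docs.
SAMPLE = {
    "Resources": {
        "Admins": {
            "Type": "AWS::IAM::Group",
            "Properties": {
                "GroupName": "ADMINS",
                "Path": "/ops team/",  # space (U+0020) is below the allowed range
                "Policies": [
                    {"PolicyName": "ReadOnly", "PolicyDocument": {}},
                    {"PolicyName": "ReadOnly", "PolicyDocument": {}},
                ],
            },
        },
        "AdminsCopy": {
            "Type": "AWS::IAM::Group",
            "Properties": {"GroupName": "admins", "Path": "/ops\u007f/"},  # DEL
        },
        "Auditors": {"Type": "AWS::IAM::Group", "Properties": {"Path": "/audit/"}},
    }
}

if __name__ == "__main__":
    problems, named = lint_groups(SAMPLE)
    for line in problems:
        print(line)
    print("CAPABILITY_NAMED_IAM required:", named)
```
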

## Return values
<a name="aws-resource-iam-group-return-values"></a>

### Ref
<a name="aws-resource-iam-group-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `GroupName`. For example: `mystack-mygroup-1DZETITOWEKVO`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-group-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).


`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::Group` resource. For example: `arn:aws:iam::123456789012:group/mystack-mygroup-1DZETITOWEKVO`.

## See also
<a name="aws-resource-iam-group--seealso"></a>
+ To view `AWS::IAM::Group` template example snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group). 
+ [CreateGroup](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::Group Policy
<a name="aws-properties-iam-group-policy"></a>

Contains information about an attached policy.

An attached policy is a managed policy that has been attached to a user, group, or role.

For more information about managed policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Syntax
<a name="aws-properties-iam-group-policy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-group-policy-syntax.json"></a>

```
{
  "PolicyDocument" : Json,
  "PolicyName" : String
}
```

### YAML
<a name="aws-properties-iam-group-policy-syntax.yaml"></a>

```
  PolicyDocument: Json
  PolicyName: String
```

## Properties
<a name="aws-properties-iam-group-policy-properties"></a>

`PolicyDocument`  <a name="cfn-iam-group-policy-policydocument"></a>
The policy document.  
*Required*: Yes  
*Type*: Json  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `131072`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyName`  <a name="cfn-iam-group-policy-policyname"></a>
The friendly name (not ARN) identifying the policy.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## See also
<a name="aws-properties-iam-group-policy--seealso"></a>
+ [PolicyDetail](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PolicyDetail.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::GroupPolicy
<a name="aws-resource-iam-grouppolicy"></a>

Adds or updates an inline policy document that is embedded in the specified IAM group.

A group can also have managed policies attached to it. To attach a managed policy to a group, use [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html). To create a new managed policy, use [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html). For information about policies, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*.

For information about the maximum number of inline policies that you can embed in a group, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-grouppolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-grouppolicy-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::GroupPolicy",
  "Properties" : {
      "GroupName" : String,
      "PolicyDocument" : Json,
      "PolicyName" : String
    }
}
```

### YAML
<a name="aws-resource-iam-grouppolicy-syntax.yaml"></a>

```
Type: AWS::IAM::GroupPolicy
Properties:
  GroupName: String
  PolicyDocument: Json
  PolicyName: String
```

## Properties
<a name="aws-resource-iam-grouppolicy-properties"></a>

`GroupName`  <a name="cfn-iam-grouppolicy-groupname"></a>
The name of the group to associate the policy with.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PolicyDocument`  <a name="cfn-iam-grouppolicy-policydocument"></a>
The policy document.  
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.  
The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:  
+ Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
+ The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
+ The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

*Required*: No  
*Type*: Json  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `131072`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyName`  <a name="cfn-iam-grouppolicy-policyname"></a>
The name of the policy document.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-iam-grouppolicy-return-values"></a>

### Ref
<a name="aws-resource-iam-grouppolicy-return-values-ref"></a>

When the logical ID of this resource is provided to the `Ref` intrinsic function, `Ref` returns the resource name.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-iam-grouppolicy--examples"></a>



**Topics**
+ [Group embedded inline policy document](#aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document)
+ [Group embedded inline policy document with Ref function](#aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document_with_Ref_function)

### Group embedded inline policy document
<a name="aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document"></a>

This example shows an inline policy document in `AWS::IAM::GroupPolicy`. The policy will be embedded in the specified IAM user group, `CFNUserGroup`.

#### JSON
<a name="aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document--json"></a>

```
{
    "Type": "AWS::IAM::GroupPolicy",
    "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "cloudformation:Describe*",
                        "cloudformation:List*",
                        "cloudformation:Get*"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "GroupName": "CFNUserGroup"
    }
}
```

#### YAML
<a name="aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document--yaml"></a>

```
Type: 'AWS::IAM::GroupPolicy'
Properties:
  PolicyName: CFNUsers
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
  GroupName: CFNUserGroup
```

### Group embedded inline policy document with Ref function
<a name="aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document_with_Ref_function"></a>

This example shows an inline policy document in `AWS::IAM::GroupPolicy`. The example uses the `Ref` function in the `GroupName` property to specify the logical ID of an `AWS::IAM::Group` resource. For the logical ID of the `AWS::IAM::Group` resource, `Ref` returns the group name.

#### JSON
<a name="aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document_with_Ref_function--json"></a>

```
{
    "Type": "AWS::IAM::GroupPolicy",
    "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "cloudformation:Describe*",
                        "cloudformation:List*",
                        "cloudformation:Get*"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "GroupName": {
            "Ref": "CFNUserGroup"
        }
    }
}
```

#### YAML
<a name="aws-resource-iam-grouppolicy--examples--Group_embedded_inline_policy_document_with_Ref_function--yaml"></a>

```
Type: 'AWS::IAM::GroupPolicy'
Properties:
  PolicyName: CFNUsers
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
  GroupName: !Ref CFNUserGroup
```

## See also
<a name="aws-resource-iam-grouppolicy--seealso"></a>
+ [PutGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html) in the *AWS Identity and Access Management API Reference*
+  [AWS::IAM::Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html) 



# AWS::IAM::InstanceProfile
<a name="aws-resource-iam-instanceprofile"></a>

 Creates a new instance profile. For information about instance profiles, see [Using instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html).

 For information about the number of instance profiles you can create, see [IAM object quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-instanceprofile-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-instanceprofile-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::InstanceProfile",
  "Properties" : {
      "InstanceProfileName" : String,
      "Path" : String,
      "Roles" : [ String, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-instanceprofile-syntax.yaml"></a>

```
Type: AWS::IAM::InstanceProfile
Properties:
  InstanceProfileName: String
  Path: String
  Roles:
    - String
```

## Properties
<a name="aws-resource-iam-instanceprofile-properties"></a>

`InstanceProfileName`  <a name="cfn-iam-instanceprofile-instanceprofilename"></a>
The name of the instance profile to create.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: No  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Path`  <a name="cfn-iam-instanceprofile-path"></a>
 The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
This parameter is optional. If it is not included, it defaults to a slash (/).  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.  
*Required*: No  
*Type*: String  
*Pattern*: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Roles`  <a name="cfn-iam-instanceprofile-roles"></a>
The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.  
*Required*: Yes  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-iam-instanceprofile-return-values"></a>

### Ref
<a name="aws-resource-iam-instanceprofile-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the resource name. For example:

 `{ "Ref": "MyProfile" }` 

For the `AWS::IAM::InstanceProfile` resource with the logical ID `MyProfile`, Ref returns the name of the instance profile.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-instanceprofile-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).


`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the instance profile. For example:  
 `{"Fn::GetAtt" : ["MyProfile", "Arn"] }`   
This returns a value such as `arn:aws:iam::1234567890:instance-profile/MyProfile-ASDNSDLKJ`.

## Examples
<a name="aws-resource-iam-instanceprofile--examples"></a>

### Instance Profile
<a name="aws-resource-iam-instanceprofile--examples--Instance_Profile"></a>

In this example, the InstanceProfile resource refers to the role by specifying its name, "MyRole".

#### JSON
<a name="aws-resource-iam-instanceprofile--examples--Instance_Profile--json"></a>

```
{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Resources": {
      "MyInstanceProfile": {
         "Type": "AWS::IAM::InstanceProfile",
         "Properties": {
            "Path": "/",
            "Roles": [ {
               "Ref": "MyRole"
            } ]
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-iam-instanceprofile--examples--Instance_Profile--yaml"></a>

```
AWSTemplateFormatVersion: "2010-09-09"
Resources: 
  MyInstanceProfile: 
    Type: "AWS::IAM::InstanceProfile"
    Properties: 
      Path: "/"
      Roles: 
        - 
          Ref: "MyRole"
```

## See also
<a name="aws-resource-iam-instanceprofile--seealso"></a>
+ [CreateInstanceProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateInstanceProfile.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::ManagedPolicy
<a name="aws-resource-iam-managedpolicy"></a>

Creates a new managed policy for your AWS account.

This operation creates a policy version with a version identifier of `v1` and sets v1 as the policy's default version. For more information about policy versions, see [Versioning for managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html) in the *IAM User Guide*.

As a best practice, you can validate your IAM policies. To learn more, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html) in the *IAM User Guide*.

For more information about managed policies in general, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-managedpolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-managedpolicy-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::ManagedPolicy",
  "Properties" : {
      "Description" : String,
      "Groups" : [ String, ... ],
      "ManagedPolicyName" : String,
      "Path" : String,
      "PolicyDocument" : Json,
      "Roles" : [ String, ... ],
      "Users" : [ String, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-managedpolicy-syntax.yaml"></a>

```
Type: AWS::IAM::ManagedPolicy
Properties:
  Description: String
  Groups:
    - String
  ManagedPolicyName: String
  Path: String
  PolicyDocument: Json
  Roles:
    - String
  Users:
    - String
```

## Properties
<a name="aws-resource-iam-managedpolicy-properties"></a>

`Description`  <a name="cfn-iam-managedpolicy-description"></a>
A friendly description of the policy.  
Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables."  
The policy description is immutable. After a value is assigned, it cannot be changed.  
*Required*: No  
*Type*: String  
*Maximum*: `1000`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Groups`  <a name="cfn-iam-managedpolicy-groups"></a>
The name (friendly name, not ARN) of the group to attach the policy to.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-  
*Required*: No  
*Type*: Array of String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ManagedPolicyName`  <a name="cfn-iam-managedpolicy-managedpolicyname"></a>
The friendly name of the policy.  
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities).  
Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}`.
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Path`  <a name="cfn-iam-managedpolicy-path"></a>
The path for the policy.  
For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
This parameter is optional. If it is not included, it defaults to a slash (/).  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.  
You cannot use an asterisk (\*) in the path name.  
*Required*: No  
*Type*: String  
*Pattern*: `((/[A-Za-z0-9\.,\+@=_-]+)*)/`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PolicyDocument`  <a name="cfn-iam-managedpolicy-policydocument"></a>
The JSON policy document that you want to use as the content for the new policy.  
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.  
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length).  
To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide*.   
The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:  
+ Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
+ The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
+ The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

*Required*: Yes  
*Type*: Json  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `131072`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Roles`  <a name="cfn-iam-managedpolicy-roles"></a>
The name (friendly name, not ARN) of the role to attach the policy to.  
This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-  
If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy`) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service`) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Users`  <a name="cfn-iam-managedpolicy-users"></a>
The name (friendly name, not ARN) of the IAM user to attach the policy to.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-  
*Required*: No  
*Type*: Array of String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-iam-managedpolicy-return-values"></a>

### Ref
<a name="aws-resource-iam-managedpolicy-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ARN.

In the following sample, the `Ref` function returns the ARN of the `CreateTestDBPolicy` managed policy, such as `arn:aws:iam::123456789012:policy/teststack-CreateTestDBPolicy-16M23YE3CS700`.

 `{ "Ref": "CreateTestDBPolicy" }` 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-managedpolicy-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-managedpolicy-return-values-fn--getatt-fn--getatt"></a>

`AttachmentCount`  <a name="AttachmentCount-fn::getatt"></a>
The number of principal entities (users, groups, and roles) that the policy is attached to.

`CreateDate`  <a name="CreateDate-fn::getatt"></a>
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the policy was created.

`DefaultVersionId`  <a name="DefaultVersionId-fn::getatt"></a>
The identifier for the version of the policy that is set as the default (operative) version.  
For more information about policy versions, see [Versioning for managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html) in the *IAM User Guide*. 

`IsAttachable`  <a name="IsAttachable-fn::getatt"></a>
Specifies whether the policy can be attached to an IAM user, group, or role.

`PermissionsBoundaryUsageCount`  <a name="PermissionsBoundaryUsageCount-fn::getatt"></a>
The number of entities (users and roles) for which the policy is used as the permissions boundary.   
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

`PolicyArn`  <a name="PolicyArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the managed policy that you want information about.  
For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.

`PolicyId`  <a name="PolicyId-fn::getatt"></a>
The stable and unique string identifying the policy.  
For more information about IDs, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.

`UpdateDate`  <a name="UpdateDate-fn::getatt"></a>
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the policy was last updated.  
When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

## Examples
<a name="aws-resource-iam-managedpolicy--examples"></a>



### Create managed policy
<a name="aws-resource-iam-managedpolicy--examples--Create_managed_policy"></a>

The following example creates a managed policy and associates it with the `TestDBGroup` group. The managed policy grants users permission to create t2.micro database instances. The database must use the MySQL database engine and the instance name must include the prefix `test`.

#### JSON
<a name="aws-resource-iam-managedpolicy--examples--Create_managed_policy--json"></a>

```
{
    "CreateTestDBPolicy": {
        "Type": "AWS::IAM::ManagedPolicy",
        "Properties": {
            "Description": "Policy for creating a test database",
            "Path": "/",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": "rds:CreateDBInstance",
                        "Resource": {
                            "Fn::Join": [
                                "",
                                [
                                    "arn:aws:rds:",
                                    {
                                        "Ref": "AWS::Region"
                                    },
                                    ":",
                                    {
                                        "Ref": "AWS::AccountId"
                                    },
                                    ":db:test*"
                                ]
                            ]
                        },
                        "Condition": {
                            "StringEquals": {
                                "rds:DatabaseEngine": "mysql"
                            }
                        }
                    },
                    {
                        "Effect": "Allow",
                        "Action": "rds:CreateDBInstance",
                        "Resource": {
                            "Fn::Join": [
                                "",
                                [
                                    "arn:aws:rds:",
                                    {
                                        "Ref": "AWS::Region"
                                    },
                                    ":",
                                    {
                                        "Ref": "AWS::AccountId"
                                    },
                                    ":db:test*"
                                ]
                            ]
                        },
                        "Condition": {
                            "StringEquals": {
                                "rds:DatabaseClass": "db.t2.micro"
                            }
                        }
                    }
                ]
            },
            "Groups": [
                "TestDBGroup"
            ]
        }
    }
}
```

#### YAML
<a name="aws-resource-iam-managedpolicy--examples--Create_managed_policy--yaml"></a>

```
CreateTestDBPolicy:
  Type: 'AWS::IAM::ManagedPolicy'
  Properties:
    Description: Policy for creating a test database
    Path: /
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: 'rds:CreateDBInstance'
          Resource: !Join 
            - ''
            - - 'arn:aws:rds:'
              - !Ref 'AWS::Region'
              - ':'
              - !Ref 'AWS::AccountId'
              - ':db:test*'
          Condition:
            StringEquals:
              'rds:DatabaseEngine': mysql
        - Effect: Allow
          Action: 'rds:CreateDBInstance'
          Resource: !Join 
            - ''
            - - 'arn:aws:rds:'
              - !Ref 'AWS::Region'
              - ':'
              - !Ref 'AWS::AccountId'
              - ':db:test*'
          Condition:
            StringEquals:
              'rds:DatabaseClass': db.t2.micro
    Groups:
      - TestDBGroup
```
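IAM evaluates each `Allow` statement on its own, so condition keys placed in separate statements act as alternatives, while keys inside one `Condition` block must all match. The following Python model is an added example, not part of the AWS documentation; it handles only `Allow` statements with `StringEquals`, and the Region, instance names, `postgres` engine, and `db.m5.large` class are constructed sample values.

```python
import fnmatch

# Resource ARN as Fn::Join would render it; the Region is a constructed value.
TEST_DB_ARN = "arn:aws:rds:us-east-1:123456789012:db:test*"


def _statement(condition):
    return {
        "Effect": "Allow",
        "Action": "rds:CreateDBInstance",
        "Resource": TEST_DB_ARN,
        "Condition": {"StringEquals": condition},
    }


# One condition key per statement, the layout used in the template above.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        _statement({"rds:DatabaseEngine": "mysql"}),
        _statement({"rds:DatabaseClass": "db.t2.micro"}),
    ],
}

# Both condition keys in a single statement (hypothetical variant for comparison).
COMBINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        _statement({"rds:DatabaseEngine": "mysql",
                    "rds:DatabaseClass": "db.t2.micro"}),
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, request):
    """Return True when a single Allow statement matches the request."""
    if stmt.get("Effect") != "Allow":
        return False
    action = request["action"].lower()  # action names are case-insensitive
    if not any(fnmatch.fnmatchcase(action, a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(request["resource"], r)
               for r in _as_list(stmt["Resource"])):
        return False
    # Every key inside one Condition block must match (logical AND).
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if request["context"].get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, request):
    # Separate Allow statements are alternatives (logical OR).
    # Explicit Deny statements and other policy types are not modelled here.
    return any(statement_allows(s, request) for s in policy["Statement"])


def make_request(name, engine, db_class):
    return {
        "action": "rds:CreateDBInstance",
        "resource": f"arn:aws:rds:us-east-1:123456789012:db:{name}",
        "context": {"rds:DatabaseEngine": engine, "rds:DatabaseClass": db_class},
    }


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "mysql-micro": make_request("testdb1", "mysql", "db.t2.micro"),
    "mysql-large": make_request("testdb2", "mysql", "db.m5.large"),
    "postgres-micro": make_request("testdb3", "postgres", "db.t2.micro"),
    "postgres-large": make_request("testdb4", "postgres", "db.m5.large"),
    "wrong-prefix": make_request("proddb", "mysql", "db.t2.micro"),
}


def compare():
    """Map each sample label to (allowed by split policy, allowed by combined policy)."""
    return {
        label: (is_allowed(SPLIT_POLICY, req), is_allowed(COMBINED_POLICY, req))
        for label, req in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for label, (split, combined) in compare().items():
        print(f"{label:15} split={split!s:5} combined={combined}")
```

The two layouts differ only for requests that satisfy exactly one of the two conditions, which is the case to check when reviewing a policy that is meant to require both.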

## See also
<a name="aws-resource-iam-managedpolicy--seealso"></a>
+ [CreatePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html) in the *AWS Identity and Access Management API Reference*
+ [CreatePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html) in the *AWS Identity and Access Management API Reference*
+ [AttachGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html) in the *AWS Identity and Access Management API Reference*
+ [AttachRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html) in the *AWS Identity and Access Management API Reference*
+ [AttachUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::OIDCProvider
<a name="aws-resource-iam-oidcprovider"></a>

Creates or updates an IAM entity to describe an identity provider (IdP) that supports [OpenID Connect (OIDC)](http://openid.net/connect/).

The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.

When you create the IAM OIDC provider, you specify the following:
+ The URL of the OIDC identity provider (IdP) to trust
+ A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider
+ A list of tags that are attached to the specified IAM OIDC provider
+ A list of thumbprints of one or more server certificates that the IdP uses

You get all of this information from the OIDC IdP that you want to use to access AWS.

When you update the IAM OIDC provider, you specify the following:
+ The URL of the OIDC identity provider (IdP) to trust
+ A list of client IDs (also known as audiences) that replaces the existing list of client IDs associated with the OIDC IdP
+ A list of tags that replaces the existing list of tags attached to the specified IAM OIDC provider
+ A list of thumbprints that replaces the existing list of server certificates thumbprints that the IdP uses

**Note**  
The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) operation to highly privileged users.

## Syntax
<a name="aws-resource-iam-oidcprovider-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-oidcprovider-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::OIDCProvider",
  "Properties" : {
      "ClientIdList" : [ String, ... ],
      "Tags" : [ Tag, ... ],
      "ThumbprintList" : [ String, ... ],
      "Url" : String
    }
}
```

### YAML
<a name="aws-resource-iam-oidcprovider-syntax.yaml"></a>

```
Type: AWS::IAM::OIDCProvider
Properties:
  ClientIdList:
    - String
  Tags:
    - Tag
  ThumbprintList:
    - String
  Url: String
```

## Properties
<a name="aws-resource-iam-oidcprovider-properties"></a>

`ClientIdList`  <a name="cfn-iam-oidcprovider-clientidlist"></a>
A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html).  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-iam-oidcprovider-tags"></a>
A list of tags that are attached to the specified IAM OIDC provider. The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-iam-oidcprovider-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ThumbprintList`  <a name="cfn-iam-oidcprovider-thumbprintlist"></a>
A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html).  
This property is optional. If it is not included, IAM will retrieve and use the top intermediate certificate authority (CA) thumbprint of the OpenID Connect identity provider server certificate.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `40`  
*Maximum*: `40 | 5`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Url`  <a name="cfn-iam-oidcprovider-url"></a>
The URL that the IAM OIDC provider resource object is associated with. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html).  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `255`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-iam-oidcprovider-return-values"></a>

### Ref
<a name="aws-resource-iam-oidcprovider-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ARN.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-oidcprovider-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-oidcprovider-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::OIDCProvider` resource.

# AWS::IAM::OIDCProvider Tag
<a name="aws-properties-iam-oidcprovider-tag"></a>

A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-iam-oidcprovider-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-oidcprovider-tag-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-iam-oidcprovider-tag-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-iam-oidcprovider-tag-properties"></a>

`Key`  <a name="cfn-iam-oidcprovider-tag-key"></a>
The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-iam-oidcprovider-tag-value"></a>
The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources`, `Accounting`, and `Support`. Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::IAM::Policy
<a name="aws-resource-iam-policy"></a>

Adds or updates an inline policy document that is embedded in the specified IAM group, user or role.

An IAM user can also have a managed policy attached to it. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*.

The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.

For information about policy documents, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

For information about limits on the number of inline policies that you can embed in an identity, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide*.

**Important**  
This resource does not support [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html). The following inline policy resource types support drift detection:  
+ [AWS::IAM::GroupPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-grouppolicy.html)
+ [AWS::IAM::RolePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-rolepolicy.html)
+ [AWS::IAM::UserPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-userpolicy.html)

## Syntax
<a name="aws-resource-iam-policy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-policy-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
      "Groups" : [ String, ... ],
      "PolicyDocument" : Json,
      "PolicyName" : String,
      "Roles" : [ String, ... ],
      "Users" : [ String, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-policy-syntax.yaml"></a>

```
Type: AWS::IAM::Policy
Properties:
  Groups:
    - String
  PolicyDocument: Json
  PolicyName: String
  Roles:
    - String
  Users:
    - String
```

## Properties
<a name="aws-resource-iam-policy-properties"></a>

`Groups`  <a name="cfn-iam-policy-groups"></a>
The name of the group to associate the policy with.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.  
*Required*: No  
*Type*: Array of String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyDocument`  <a name="cfn-iam-policy-policydocument"></a>
The policy document.  
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.  
The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:  
+ Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
+ The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
+ The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

*Required*: Yes  
*Type*: Json  
*Minimum*: `1`  
*Maximum*: `131072`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyName`  <a name="cfn-iam-policy-policyname"></a>
The name of the policy document.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Roles`  <a name="cfn-iam-policy-roles"></a>
The name of the role to associate the policy with.  
This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-  
If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy`) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service`) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Users`  <a name="cfn-iam-policy-users"></a>
The name of the user to associate the policy with.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-  
*Required*: No  
*Type*: Array of String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
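The `DependsOn` rule stated under `Roles`, both here and for `AWS::IAM::ManagedPolicy`, can be checked mechanically before deployment. The following Python check is an added example, not AWS tooling; the function names and the trimmed sample template are constructed for illustration, and treating `Fn::GetAtt` references to the role like `Ref` goes beyond the rule as written on this page.

```python
POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def refs_in(node):
    """Yield every logical ID referenced below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                yield value
            elif key == "Fn::GetAtt":
                # Extension beyond the page's rule, which only mentions Ref.
                yield value[0] if isinstance(value, list) else str(value).split(".")[0]
            else:
                yield from refs_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from refs_in(item)


def missing_policy_dependencies(template):
    """Return (resource, role, policy) triples where DependsOn is missing.

    A triple is reported when a resource references a role defined in the
    template, an external policy in the same template is attached to that
    role, and the resource does not list that policy in DependsOn.
    """
    resources = template.get("Resources", {})
    roles = {rid for rid, res in resources.items()
             if res.get("Type") == "AWS::IAM::Role"}

    # Role logical ID -> logical IDs of the external policies attached to it.
    policies_for_role = {}
    for pid, res in resources.items():
        if res.get("Type") in POLICY_TYPES:
            for role in refs_in(res.get("Properties", {}).get("Roles", [])):
                if role in roles:
                    policies_for_role.setdefault(role, set()).add(pid)

    findings = []
    for rid, res in resources.items():
        if rid in roles or res.get("Type") in POLICY_TYPES:
            continue
        depends = res.get("DependsOn", [])
        depends = {depends} if isinstance(depends, str) else set(depends)
        used_roles = set(refs_in(res.get("Properties", {}))) & set(policies_for_role)
        for role in sorted(used_roles):
            for pid in sorted(policies_for_role[role] - depends):
                findings.append((rid, role, pid))
    return findings


# Constructed sample template, trimmed to the properties the check reads.
SAMPLE_TEMPLATE = {
    "Resources": {
        "TaskRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "TaskRolePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "TaskAccess",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Roles": [{"Ref": "TaskRole"}],
            },
        },
        # Refs the role but does not depend on its policy: reported.
        "ServiceA": {
            "Type": "AWS::ECS::Service",
            "Properties": {"Role": {"Ref": "TaskRole"}},
        },
        # Depends on the policy, so the policy is deleted after the service.
        "ServiceB": {
            "Type": "AWS::ECS::Service",
            "DependsOn": "TaskRolePolicy",
            "Properties": {"Role": {"Ref": "TaskRole"}},
        },
        # Reaches the role through Fn::GetAtt without DependsOn: reported.
        "ServiceC": {
            "Type": "AWS::ECS::Service",
            "Properties": {"Role": {"Fn::GetAtt": ["TaskRole", "Arn"]}},
        },
    }
}

if __name__ == "__main__":
    for resource, role, policy in missing_policy_dependencies(SAMPLE_TEMPLATE):
        print(f"{resource}: references {role}; add DependsOn: {policy}")
```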

## Return values
<a name="aws-resource-iam-policy-return-values"></a>

### Ref
<a name="aws-resource-iam-policy-return-values-ref"></a>

When the logical ID of this resource is provided to the `Ref` intrinsic function, `Ref` returns the resource name.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-policy-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-policy-return-values-fn--getatt-fn--getatt"></a>

`Id`  <a name="Id-fn::getatt"></a>
The stable and unique string identifying the policy.  
For more information about IDs, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.

## Examples
<a name="aws-resource-iam-policy--examples"></a>



**Topics**
+ [Policy with policy group](#aws-resource-iam-policy--examples--Policy_with_policy_group)
+ [Policy with specified role](#aws-resource-iam-policy--examples--Policy_with_specified_role)

### Policy with policy group
<a name="aws-resource-iam-policy--examples--Policy_with_policy_group"></a>

#### JSON
<a name="aws-resource-iam-policy--examples--Policy_with_policy_group--json"></a>

```
{
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "cloudformation:Describe*",
                        "cloudformation:List*",
                        "cloudformation:Get*"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "Groups": [
            {
                "Ref": "CFNUserGroup"
            }
        ]
    }
}
```

#### YAML
<a name="aws-resource-iam-policy--examples--Policy_with_policy_group--yaml"></a>

```
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: CFNUsers
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
  Groups:
    - !Ref CFNUserGroup
```

### Policy with specified role
<a name="aws-resource-iam-policy--examples--Policy_with_specified_role"></a>

#### JSON
<a name="aws-resource-iam-policy--examples--Policy_with_specified_role--json"></a>

```
{
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": "*"
                }
            ]
        },
        "Roles": [
            {
                "Ref": "RootRole"
            }
        ]
    }
}
```

#### YAML
<a name="aws-resource-iam-policy--examples--Policy_with_specified_role--yaml"></a>

```
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: root
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: '*'
        Resource: '*'
  Roles:
    - !Ref RootRole
```

## See also
<a name="aws-resource-iam-policy--seealso"></a>
+  [AWS::IAM::GroupPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-grouppolicy.html) 
+  [AWS::IAM::RolePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-rolepolicy.html) 
+  [AWS::IAM::UserPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-userpolicy.html) 
+ [PutGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html) in the *AWS Identity and Access Management API Reference*
+ [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html) in the *AWS Identity and Access Management API Reference*
+ [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html) in the *AWS Identity and Access Management API Reference*
+ [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *AWS Identity and Access Management User Guide*



# AWS::IAM::Role
<a name="aws-resource-iam-role"></a>

Creates a new role for your AWS account.

 For more information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *IAM User Guide*. For information about quotas for role names and the number of roles you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-role-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-role-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::Role",
  "Properties" : {
      "[AssumeRolePolicyDocument](#cfn-iam-role-assumerolepolicydocument)" : Json,
      "[Description](#cfn-iam-role-description)" : String,
      "[ManagedPolicyArns](#cfn-iam-role-managedpolicyarns)" : [ String, ... ],
      "[MaxSessionDuration](#cfn-iam-role-maxsessionduration)" : Integer,
      "[Path](#cfn-iam-role-path)" : String,
      "[PermissionsBoundary](#cfn-iam-role-permissionsboundary)" : String,
      "[Policies](#cfn-iam-role-policies)" : [ Policy, ... ],
      "[RoleName](#cfn-iam-role-rolename)" : String,
      "[Tags](#cfn-iam-role-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-role-syntax.yaml"></a>

```
Type: AWS::IAM::Role
Properties:
  [AssumeRolePolicyDocument](#cfn-iam-role-assumerolepolicydocument): Json
  [Description](#cfn-iam-role-description): String
  [ManagedPolicyArns](#cfn-iam-role-managedpolicyarns): 
    - String
  [MaxSessionDuration](#cfn-iam-role-maxsessionduration): Integer
  [Path](#cfn-iam-role-path): String
  [PermissionsBoundary](#cfn-iam-role-permissionsboundary): String
  [Policies](#cfn-iam-role-policies): 
    - Policy
  [RoleName](#cfn-iam-role-rolename): String
  [Tags](#cfn-iam-role-tags): 
    - Tag
```

## Properties
<a name="aws-resource-iam-role-properties"></a>

`AssumeRolePolicyDocument`  <a name="cfn-iam-role-assumerolepolicydocument"></a>
The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples). For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.  
*Required*: Yes  
*Type*: Json  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-iam-role-description"></a>
A description of the role that you provide.  
*Required*: No  
*Type*: String  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`  
*Maximum*: `1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ManagedPolicyArns`  <a name="cfn-iam-role-managedpolicyarns"></a>
A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role.  
For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MaxSessionDuration`  <a name="cfn-iam-role-maxsessionduration"></a>
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default value of one hour is applied. This setting can have a value from 1 hour to 12 hours.  
Anyone who assumes the role from the AWS CLI or API can use the `DurationSeconds` API parameter or the `duration-seconds` AWS CLI parameter to request a longer session. The `MaxSessionDuration` setting determines the maximum duration that can be requested using the `DurationSeconds` parameter. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour by default. This applies when you use the `AssumeRole*` API operations or the `assume-role*` AWS CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: Integer  
*Minimum*: `3600`  
*Maximum*: `43200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Path`  <a name="cfn-iam-role-path"></a>
 The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
This parameter is optional. If it is not included, it defaults to a slash (/).  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.  
*Required*: No  
*Type*: String  
*Pattern*: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PermissionsBoundary`  <a name="cfn-iam-role-permissionsboundary"></a>
The ARN of the policy used to set the permissions boundary for the role.  
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Policies`  <a name="cfn-iam-role-policies"></a>
Adds or updates an inline policy document that is embedded in the specified IAM role.  
When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html).  
A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*.  
For information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide*.  
If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy`) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service`) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.  
*Required*: No  
*Type*: Array of [Policy](aws-properties-iam-role-policy.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
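
The `DependsOn` rule above (also stated under the `Roles` property of `AWS::IAM::Policy`) can be checked before a template is deployed. The following Python check is an added example, not part of the CloudFormation documentation; it also counts `Fn::GetAtt` as a reference to the role, and the sample template, its logical IDs and the function names are constructed for illustration.

```python
import json

# Resource types the text calls "external" policies: they attach to a role by reference.
EXTERNAL_POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def referenced_ids(node):
    """Collect logical IDs named by Ref or Fn::GetAtt anywhere under node.
    References written inside Fn::Sub strings are not parsed."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                found.add(value)
            elif key == "Fn::GetAtt":
                # Accept both ["LogicalId", "Attr"] and the "LogicalId.Attr" short form.
                parts = value if isinstance(value, list) else str(value).split(".")
                if parts and isinstance(parts[0], str):
                    found.add(parts[0])
            else:
                found |= referenced_ids(value)
    elif isinstance(node, list):
        for item in node:
            found |= referenced_ids(item)
    return found


def depends_on(resource):
    """DependsOn may be a single logical ID or a list of them."""
    value = resource.get("DependsOn", [])
    return {value} if isinstance(value, str) else set(value)


def missing_policy_dependencies(template):
    """Return sorted (resource, policy, role) triples where resource and policy both
    reference role, but resource declares no DependsOn on policy."""
    resources = template.get("Resources", {})
    roles = {n for n, r in resources.items() if r.get("Type") == "AWS::IAM::Role"}
    # Map each role to the external policies attached to it through their Roles property.
    policies_by_role = {}
    for name, res in resources.items():
        if res.get("Type") in EXTERNAL_POLICY_TYPES:
            attached = referenced_ids(res.get("Properties", {}).get("Roles", []))
            for role in attached & roles:
                policies_by_role.setdefault(role, set()).add(name)
    findings = []
    for name, res in resources.items():
        if res.get("Type") in EXTERNAL_POLICY_TYPES:
            continue
        for role in referenced_ids(res.get("Properties", {})) & roles:
            for policy in policies_by_role.get(role, set()) - depends_on(res):
                findings.append((name, policy, role))
    return sorted(findings)


# Constructed sample: two ECS services use the same role; only ServiceB declares DependsOn.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "ServiceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Principal": {"Service": ["ecs.amazonaws.com"]},
                         "Action": ["sts:AssumeRole"]}]
        }
      }
    },
    "ServicePolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "service-policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]
        },
        "Roles": [{"Ref": "ServiceRole"}]
      }
    },
    "ServiceA": {
      "Type": "AWS::ECS::Service",
      "Properties": {"Role": {"Ref": "ServiceRole"}}
    },
    "ServiceB": {
      "Type": "AWS::ECS::Service",
      "DependsOn": "ServicePolicy",
      "Properties": {"Role": {"Fn::GetAtt": ["ServiceRole", "Arn"]}}
    }
  }
}
""")

if __name__ == "__main__":
    for resource, policy, role in missing_policy_dependencies(SAMPLE_TEMPLATE):
        print(f"{resource}: add DependsOn: {policy} (both reference role {role})")
```
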

`RoleName`  <a name="cfn-iam-role-rolename"></a>
A name for the IAM role, up to 64 characters in length. For valid values, see the `RoleName` parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM User Guide*.  
This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1".  
If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the role name.  
If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities).  
Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}`.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-iam-role-tags"></a>
A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-iam-role-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
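
The constraints listed for the properties above (the `MaxSessionDuration` range, the `Path` and `Description` patterns, the 64-character case-insensitive `RoleName`, the Region-specific naming advice and the 50-tag limit) can be checked on a template before deployment. This Python validator is an added example, not part of the CloudFormation documentation; the finding codes, function names and sample template are constructed, the `RoleName` pattern is the `[\w+=,.@-]+` pattern this guide lists for role names, and values built by intrinsic functions are skipped because they are only known at deploy time.

```python
import re

# Patterns and limits as listed in the property tables of this section.
PATH_RE = re.compile(r"(\u002F)|(\u002F[\u0021-\u007E]+\u002F)")
DESCRIPTION_RE = re.compile(r"[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*")
NAME_RE = re.compile(r"[\w+=,.@-]+", re.ASCII)


def mentions_region(node):
    """True if an intrinsic-function value uses the AWS::Region pseudo parameter."""
    if isinstance(node, dict):
        return any((k == "Ref" and v == "AWS::Region") or mentions_region(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(mentions_region(item) for item in node)
    return isinstance(node, str) and "${AWS::Region}" in node  # Fn::Sub form


def check_role(logical_id, resource):
    """Return (logical_id, property, code) findings for one AWS::IAM::Role resource."""
    props = resource.get("Properties", {})
    out = []

    def flag(prop, code):
        out.append((logical_id, prop, code))

    if "AssumeRolePolicyDocument" not in props:
        flag("AssumeRolePolicyDocument", "required")
    duration = props.get("MaxSessionDuration")
    if isinstance(duration, int) and not 3600 <= duration <= 43200:
        flag("MaxSessionDuration", "range")
    path = props.get("Path")
    if isinstance(path, str) and not (1 <= len(path) <= 512 and PATH_RE.fullmatch(path)):
        flag("Path", "pattern")
    description = props.get("Description")
    if isinstance(description, str) and not (
            len(description) <= 1000 and DESCRIPTION_RE.fullmatch(description)):
        flag("Description", "pattern")
    name = props.get("RoleName")
    if isinstance(name, str):
        if not (len(name) <= 64 and NAME_RE.fullmatch(name)):
            flag("RoleName", "pattern")
        # A fixed name needs CAPABILITY_NAMED_IAM and is the same in every Region.
        flag("RoleName", "literal-name")
    elif name is not None and not mentions_region(name):
        flag("RoleName", "no-region")
    tags = props.get("Tags")
    if isinstance(tags, list) and len(tags) > 50:
        flag("Tags", "too-many")
    return out


def check_template(template):
    """Check every role, plus literal role names that differ only by case."""
    findings, seen = [], {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        findings.extend(check_role(logical_id, resource))
        name = resource.get("Properties", {}).get("RoleName")
        if isinstance(name, str) and seen.setdefault(name.lower(), logical_id) != logical_id:
            findings.append((logical_id, "RoleName", "case-collision"))
    return sorted(findings)


# Constructed sample input.
TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
     "Action": ["sts:AssumeRole"]}]}
SAMPLE_TEMPLATE = {"Resources": {
    "RoleA": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": TRUST, "RoleName": "Role1",
        "Path": "admin/", "MaxSessionDuration": 86400}},
    "RoleB": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": TRUST, "RoleName": "role1"}},
    "RoleC": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": TRUST, "Path": "/app/", "MaxSessionDuration": 7200,
        "RoleName": {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}}},
}}

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(*finding)
```

Tag keys and values are not pattern-checked here because their patterns use `\p{...}` classes, which Python's `re` module does not support.
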

## Return values
<a name="aws-resource-iam-role-return-values"></a>

### Ref
<a name="aws-resource-iam-role-return-values-ref"></a>

When the logical ID of this resource is provided to the `Ref` intrinsic function, `Ref` returns the resource name.

For example:

 `{ "Ref": "RootRole" }` 

For the `AWS::IAM::Role` resource with the logical ID `RootRole`, `Ref` will return the role name.

For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-role-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-role-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the role. For example:  
 `{"Fn::GetAtt" : ["MyRole", "Arn"] }`   
This will return a value such as `arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF`.

`RoleId`  <a name="RoleId-fn::getatt"></a>
Returns the stable and unique string identifying the role. For example, `AIDAJQABLZS4A3QDU576Q`.  
For more information about IDs, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in the *IAM User Guide*.

## Examples
<a name="aws-resource-iam-role--examples"></a>



**Topics**
+ [Role with Embedded Policy and Instance Profiles](#aws-resource-iam-role--examples--Role_with_Embedded_Policy_and_Instance_Profiles)
+ [Role with External Policy and Instance Profiles](#aws-resource-iam-role--examples--Role_with_External_Policy_and_Instance_Profiles)

### Role with Embedded Policy and Instance Profiles
<a name="aws-resource-iam-role--examples--Role_with_Embedded_Policy_and_Instance_Profiles"></a>

This example shows an embedded policy in the `AWS::IAM::Role`. The policy is specified inline in the `Policies` property of the `AWS::IAM::Role`.

#### JSON
<a name="aws-resource-iam-role--examples--Role_with_Embedded_Policy_and_Instance_Profiles--language_sc3_fgs_qjb"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "RootRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "ec2.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "Policies": [
                    {
                        "PolicyName": "root",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        "RootInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {
                "Path": "/",
                "Roles": [
                    {
                        "Ref": "RootRole"
                    }
                ]
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-iam-role--examples--Role_with_Embedded_Policy_and_Instance_Profiles--yaml"></a>

```
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
  RootInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref RootRole
```

### Role with External Policy and Instance Profiles
<a name="aws-resource-iam-role--examples--Role_with_External_Policy_and_Instance_Profiles"></a>

In this example, the Policy and InstanceProfile resources are specified externally to the IAM Role. They refer to the role by specifying its name, "RootRole", in their respective `Roles` properties.

#### JSON
<a name="aws-resource-iam-role--examples--Role_with_External_Policy_and_Instance_Profiles--json"></a>

```
{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Resources": {
      "RootRole": {
         "Type": "AWS::IAM::Role",
         "Properties": {
            "AssumeRolePolicyDocument": {
               "Version" : "2012-10-17",
               "Statement": [ {
                  "Effect": "Allow",
                  "Principal": {
                     "Service": [ "ec2.amazonaws.com" ]
                  },
                  "Action": [ "sts:AssumeRole" ]
               } ]
            },
            "Path": "/"
         }
      },
      "RolePolicies": {
         "Type": "AWS::IAM::Policy",
         "Properties": {
            "PolicyName": "root",
            "PolicyDocument": {
               "Version" : "2012-10-17",
               "Statement": [ {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
               } ]
            },
            "Roles": [ {
               "Ref": "RootRole"
            } ]
         }
      },
      "RootInstanceProfile": {
         "Type": "AWS::IAM::InstanceProfile",
         "Properties": {
            "Path": "/",
            "Roles": [ {
               "Ref": "RootRole"
            } ]
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-iam-role--examples--Role_with_External_Policy_and_Instance_Profiles--yaml"></a>

```
AWSTemplateFormatVersion: "2010-09-09"
Resources: 
  RootRole: 
    Type: "AWS::IAM::Role"
    Properties: 
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - Effect: "Allow"
            Principal: 
              Service: 
                - "ec2.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
      Path: "/"
  RolePolicies: 
    Type: "AWS::IAM::Policy"
    Properties: 
      PolicyName: "root"
      PolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - Effect: "Allow"
            Action: "*"
            Resource: "*"
      Roles: 
        - Ref: "RootRole"
  RootInstanceProfile: 
    Type: "AWS::IAM::InstanceProfile"
    Properties: 
      Path: "/"
      Roles: 
        - Ref: "RootRole"
```
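
The `root` policy in the examples above allows every action on every resource, both as an inline policy and as an external `AWS::IAM::Policy`. The following Python check, an added example that is not part of the CloudFormation documentation, lists every such statement in a template wherever the policy document lives; the function names and the sample template (assembled from the examples in this guide) are constructed for illustration.

```python
import json

# Resource types whose PolicyDocument property is an identity policy.
STANDALONE_POLICY_TYPES = {
    "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
    "AWS::IAM::RolePolicy", "AWS::IAM::GroupPolicy", "AWS::IAM::UserPolicy",
}
# Resource types that can embed inline policies in a Policies property.
INLINE_POLICY_HOSTS = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}


def as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_documents(template):
    """Yield (logical_id, policy_name, document) for each identity policy in the template.
    Trust policies (AssumeRolePolicyDocument) are not identity policies and are skipped."""
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        rtype = resource.get("Type")
        if rtype in STANDALONE_POLICY_TYPES:
            name = props.get("PolicyName") or props.get("ManagedPolicyName") or ""
            yield logical_id, name, props.get("PolicyDocument", {})
        elif rtype in INLINE_POLICY_HOSTS:
            for policy in as_list(props.get("Policies")):
                yield logical_id, policy.get("PolicyName") or "", policy.get("PolicyDocument", {})


def unrestricted_allows(template):
    """Return sorted (logical_id, policy_name, statement_index) for every Allow
    statement whose Action and Resource both include the bare "*" wildcard."""
    findings = []
    for logical_id, name, document in policy_documents(template):
        if not isinstance(document, dict):
            continue  # not a literal document; cannot be inspected statically
        for index, statement in enumerate(as_list(document.get("Statement"))):
            if (statement.get("Effect") == "Allow"
                    and "*" in as_list(statement.get("Action"))
                    and "*" in as_list(statement.get("Resource"))):
                findings.append((logical_id, name, index))
    return sorted(findings)


# Constructed sample: the inline and external "root" policies plus the read-only CFNUsers policy.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
           "Action": ["sts:AssumeRole"]}]},
        "Policies": [{"PolicyName": "root", "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]
      }
    },
    "CFNUsersPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CFNUsers",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Resource": "*",
           "Action": ["cloudformation:Describe*", "cloudformation:List*", "cloudformation:Get*"]}]},
        "Groups": [{"Ref": "CFNUserGroup"}]
      }
    },
    "RolePolicies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {"Version": "2012-10-17",
          "Statement": {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}},
        "Roles": [{"Ref": "RootRole"}]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, name, index in unrestricted_allows(SAMPLE_TEMPLATE):
        print(f"{logical_id}: policy '{name}' statement {index} allows * on *")
```
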

## See also
<a name="aws-resource-iam-role--seealso"></a>
+ To view `AWS::IAM::User` template example snippets, see [IAM role template examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenarios-iamroles). 
+  [AWS Identity and Access Management Template Snippets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html) 
+ [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) in the *AWS Identity and Access Management API Reference*
+  [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html) 



# AWS::IAM::Role Policy
<a name="aws-properties-iam-role-policy"></a>

Contains information about an attached policy.

An attached policy is a managed policy that has been attached to a user, group, or role.

For more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Syntax
<a name="aws-properties-iam-role-policy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-role-policy-syntax.json"></a>

```
{
  "[PolicyDocument](#cfn-iam-role-policy-policydocument)" : Json,
  "[PolicyName](#cfn-iam-role-policy-policyname)" : String
}
```

### YAML
<a name="aws-properties-iam-role-policy-syntax.yaml"></a>

```
  [PolicyDocument](#cfn-iam-role-policy-policydocument): Json
  [PolicyName](#cfn-iam-role-policy-policyname): String
```

## Properties
<a name="aws-properties-iam-role-policy-properties"></a>

`PolicyDocument`  <a name="cfn-iam-role-policy-policydocument"></a>
The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json).  
*Required*: Yes  
*Type*: Json  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyName`  <a name="cfn-iam-role-policy-policyname"></a>
The friendly name (not ARN) identifying the policy.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-iam-role-policy--examples"></a>

### Role Policy
<a name="aws-properties-iam-role-policy--examples--Role_Policy"></a>

This example shows how the policy document is declared.

#### JSON
<a name="aws-properties-iam-role-policy--examples--Role_Policy--json"></a>

```
{
    "PolicyName": "root",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "IamListAccess",
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles",
                    "iam:ListUsers"
                ],
                "Resource": "*"
            }
        ]
    }
}
```

#### YAML
<a name="aws-properties-iam-role-policy--examples--Role_Policy--yaml"></a>

```
PolicyName: root
PolicyDocument:
   Version: "2012-10-17"
   Statement:
      - Sid: IamListAccess
        Effect: Allow
        Action:
          - 'iam:ListRoles'
          - 'iam:ListUsers'
        Resource: '*'
```

## See also
<a name="aws-properties-iam-role-policy--seealso"></a>
+ [PolicyDetail](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PolicyDetail.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::Role Tag
<a name="aws-properties-iam-role-tag"></a>

A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-iam-role-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-role-tag-syntax.json"></a>

```
{
  "[Key](#cfn-iam-role-tag-key)" : String,
  "[Value](#cfn-iam-role-tag-value)" : String
}
```

### YAML
<a name="aws-properties-iam-role-tag-syntax.yaml"></a>

```
  [Key](#cfn-iam-role-tag-key): String
  [Value](#cfn-iam-role-tag-value): String
```

## Properties
<a name="aws-properties-iam-role-tag-properties"></a>

`Key`  <a name="cfn-iam-role-tag-key"></a>
The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\p{L}\p{Z}\p{N}_.:/=+\-@]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-iam-role-tag-value"></a>
The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources`, `Accounting`, and `Support`. Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\p{L}\p{Z}\p{N}_.:/=+\-@]*`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::IAM::RolePolicy
<a name="aws-resource-iam-rolepolicy"></a>

Adds or updates an inline policy document that is embedded in the specified IAM role.

When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role, using [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html). You can update a role's trust policy using [UpdateAssumeRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAssumeRolePolicy.html). For information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) in the *IAM User Guide*.

A role can also have a managed policy attached to it. To attach a managed policy to a role, use [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html). To create a new managed policy, use [AWS::IAM::ManagedPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html). For information about policies, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*.

For information about the maximum number of inline policies that you can embed with a role, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-rolepolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-rolepolicy-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::RolePolicy",
  "Properties" : {
      "[PolicyDocument](#cfn-iam-rolepolicy-policydocument)" : Json,
      "[PolicyName](#cfn-iam-rolepolicy-policyname)" : String,
      "[RoleName](#cfn-iam-rolepolicy-rolename)" : String
    }
}
```

### YAML
<a name="aws-resource-iam-rolepolicy-syntax.yaml"></a>

```
Type: AWS::IAM::RolePolicy
Properties:
  [PolicyDocument](#cfn-iam-rolepolicy-policydocument): Json
  [PolicyName](#cfn-iam-rolepolicy-policyname): String
  [RoleName](#cfn-iam-rolepolicy-rolename): String
```

## Properties
<a name="aws-resource-iam-rolepolicy-properties"></a>

`PolicyDocument`  <a name="cfn-iam-rolepolicy-policydocument"></a>
The policy document.  
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.  
The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:  
+ Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
+ The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
+ The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

*Required*: No  
*Type*: Json  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `131072`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyName`  <a name="cfn-iam-rolepolicy-policyname"></a>
The name of the policy document.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RoleName`  <a name="cfn-iam-rolepolicy-rolename"></a>
The name of the role to associate the policy with.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-iam-rolepolicy-return-values"></a>

### Ref
<a name="aws-resource-iam-rolepolicy-return-values-ref"></a>

When the logical ID of this resource is provided to the `Ref` intrinsic function, `Ref` returns the resource name.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-iam-rolepolicy--examples"></a>



**Topics**
+ [Role embedded inline policy document](#aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document)
+ [Role embedded inline policy document with Ref function](#aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document_with_Ref_function)

### Role embedded inline policy document
<a name="aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document"></a>

This example shows an inline policy document in `AWS::IAM::RolePolicy`. The policy will be embedded in the specified IAM role, `RootRole`.

#### JSON
<a name="aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document--json"></a>

```
{
    "Type": "AWS::IAM::RolePolicy",
    "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": "*"
                }
            ]
        },
        "RoleName": "RootRole"
    }
}
```

#### YAML
<a name="aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document--yaml"></a>

```
Type: 'AWS::IAM::RolePolicy'
Properties:
  PolicyName: root
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: '*'
        Resource: '*'
  RoleName: RootRole
```

### Role embedded inline policy document with Ref function
<a name="aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document_with_Ref_function"></a>

This example shows an inline policy document in `AWS::IAM::RolePolicy`. The example uses the `Ref` function in the `RoleName` property to specify the logical ID of an `AWS::IAM::Role` resource. For the logical ID of the `AWS::IAM::Role` resource, `Ref` returns the role name.

#### JSON
<a name="aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document_with_Ref_function--json"></a>

```
{
    "Type": "AWS::IAM::RolePolicy",
    "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": "*"
                }
            ]
        },
        "RoleName": {
            "Ref": "RootRole"
        }
    }
}
```

#### YAML
<a name="aws-resource-iam-rolepolicy--examples--Role_embedded_inline_policy_document_with_Ref_function--yaml"></a>

```
Type: 'AWS::IAM::RolePolicy'
Properties:
  PolicyName: root
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: '*'
        Resource: '*'
  RoleName: !Ref RootRole
```
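
Both examples above grant `Allow` on every action and every resource, so the role the policy is embedded in has full administrative access. The following check is an added example, not part of the AWS reference: it walks a template that has already been parsed into a dict and reports `AWS::IAM::RolePolicy` statements that are that broad. The function names, the sample template, its logical IDs other than `RootRole`, and the bucket name are constructed for illustration.

```python
import json

# Constructed sample: the wildcard policy from the examples above next to two
# narrower ones. Logical IDs and the bucket name are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "RootPolicy": {
      "Type": "AWS::IAM::RolePolicy",
      "Properties": {
        "PolicyName": "root",
        "RoleName": {"Ref": "RootRole"},
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
        }
      }
    },
    "ReadLogsPolicy": {
      "Type": "AWS::IAM::RolePolicy",
      "Properties": {
        "PolicyName": "read-logs",
        "RoleName": {"Ref": "RootRole"},
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::example-log-bucket/*"}
        }
      }
    },
    "IamAdminPolicy": {
      "Type": "AWS::IAM::RolePolicy",
      "Properties": {
        "PolicyName": "iam-admin",
        "RoleName": "RootRole",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"],
                         "Resource": ["*"]}]
        }
      }
    }
  }
}
""")


def _as_list(value):
    """IAM accepts one value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_statement(statement):
    """Return 'admin', 'service-wide', 'not-action' or None for one statement."""
    if statement.get("Effect") != "Allow":
        return None
    resources = _as_list(statement.get("Resource"))
    if "*" not in resources:
        return None
    if "NotAction" in statement:
        # Allow + NotAction grants everything except the listed actions.
        return "not-action"
    # Actions built by intrinsic functions (dicts) are skipped, not guessed at.
    actions = [a for a in _as_list(statement.get("Action")) if isinstance(a, str)]
    if "*" in actions:
        return "admin"
    if any(a.endswith(":*") for a in actions):
        return "service-wide"
    return None


def find_broad_role_policies(template):
    """List (logical_id, policy_name, statement_index, finding) for broad grants."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::RolePolicy":
            continue
        props = resource.get("Properties", {})
        document = props.get("PolicyDocument") or {}
        if isinstance(document, str):  # policy supplied as a JSON string
            document = json.loads(document)
        for index, statement in enumerate(_as_list(document.get("Statement"))):
            finding = classify_statement(statement)
            if finding:
                findings.append((logical_id, props.get("PolicyName"), index, finding))
    return findings


if __name__ == "__main__":
    for row in find_broad_role_policies(SAMPLE_TEMPLATE):
        print(row)
```

A YAML template needs a loader that understands CloudFormation's short-form tags such as `!Ref` before it can be passed to this function.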

## See also
<a name="aws-resource-iam-rolepolicy--seealso"></a>
+ [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html) in the *AWS Identity and Access Management API Reference*
+ [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)



# AWS::IAM::SAMLProvider
<a name="aws-resource-iam-samlprovider"></a>

Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.

The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.

**Note**  
 This operation requires [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).

 For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-samlprovider-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-samlprovider-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::SAMLProvider",
  "Properties" : {
      "[AddPrivateKey](#cfn-iam-samlprovider-addprivatekey)" : String,
      "[AssertionEncryptionMode](#cfn-iam-samlprovider-assertionencryptionmode)" : String,
      "[Name](#cfn-iam-samlprovider-name)" : String,
      "[PrivateKeyList](#cfn-iam-samlprovider-privatekeylist)" : [ SAMLPrivateKey, ... ],
      "[RemovePrivateKey](#cfn-iam-samlprovider-removeprivatekey)" : String,
      "[SamlMetadataDocument](#cfn-iam-samlprovider-samlmetadatadocument)" : String,
      "[Tags](#cfn-iam-samlprovider-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-samlprovider-syntax.yaml"></a>

```
Type: AWS::IAM::SAMLProvider
Properties:
  [AddPrivateKey](#cfn-iam-samlprovider-addprivatekey): String
  [AssertionEncryptionMode](#cfn-iam-samlprovider-assertionencryptionmode): String
  [Name](#cfn-iam-samlprovider-name): String
  [PrivateKeyList](#cfn-iam-samlprovider-privatekeylist): 
    - SAMLPrivateKey
  [RemovePrivateKey](#cfn-iam-samlprovider-removeprivatekey): String
  [SamlMetadataDocument](#cfn-iam-samlprovider-samlmetadatadocument): String
  [Tags](#cfn-iam-samlprovider-tags): 
    - Tag
```

## Properties
<a name="aws-resource-iam-samlprovider-properties"></a>

`AddPrivateKey`  <a name="cfn-iam-samlprovider-addprivatekey"></a>
Specifies the new private key from your external identity provider. The private key must be a .pem file that uses the AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.  
*Required*: No  
*Type*: String  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `16384`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`AssertionEncryptionMode`  <a name="cfn-iam-samlprovider-assertionencryptionmode"></a>
Specifies the encryption setting for the SAML provider.  
*Required*: No  
*Type*: String  
*Allowed values*: `Allowed | Required`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-iam-samlprovider-name"></a>
The name of the provider to create.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: No  
*Type*: String  
*Pattern*: `[\w._-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PrivateKeyList`  <a name="cfn-iam-samlprovider-privatekeylist"></a>
The private key metadata for the SAML provider.  
*Required*: No  
*Type*: Array of [SAMLPrivateKey](aws-properties-iam-samlprovider-samlprivatekey.md)  
*Maximum*: `2`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RemovePrivateKey`  <a name="cfn-iam-samlprovider-removeprivatekey"></a>
The Key ID of the private key to remove.  
*Required*: No  
*Type*: String  
*Pattern*: `[A-Z0-9]+`  
*Minimum*: `22`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`SamlMetadataDocument`  <a name="cfn-iam-samlprovider-samlmetadatadocument"></a>
An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.  
For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: String  
*Minimum*: `1000`  
*Maximum*: `10000000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
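
The metadata document carries the issuer name, expiration information and validation keys, and the property accepts between 1000 and 10000000 characters. The following pre-deployment check is an added example, not part of the AWS reference: it pulls those three items out of a metadata document and reports problems before the document goes into a template. The function names and the sample metadata (with a placeholder in place of a real certificate) are constructed, and treating the length limits as character counts is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
MIN_LEN, MAX_LEN = 1000, 10_000_000  # Minimum / Maximum stated for SamlMetadataDocument

# Constructed sample metadata. The certificate body is placeholder text, not a
# real certificate; it also takes the document past the 1000-character minimum.
PLACEHOLDER_CERT = "PLACEHOLDER" * 80
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/metadata" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _parse_time(value):
    """Parse an xs:dateTime such as 2030-01-01T00:00:00Z into an aware datetime."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def inspect_saml_metadata(xml_text, now, warn_days=30):
    """Return issuer, expiry, signing-certificate count and a list of problems."""
    report = {"entity_id": None, "valid_until": None, "signing_certs": 0, "problems": []}
    problems = report["problems"]
    if not MIN_LEN <= len(xml_text) <= MAX_LEN:
        problems.append(f"length {len(xml_text)} outside {MIN_LEN}..{MAX_LEN}")
    if "<!DOCTYPE" in xml_text:
        # Metadata has no need for a DTD; refuse rather than expand entities.
        problems.append("DOCTYPE declaration present; not parsed")
        return report
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return report
    if root.tag != f"{{{MD}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        problems.append("missing entityID (issuer name)")
    valid_until = root.get("validUntil")
    if valid_until:
        try:
            expiry = _parse_time(valid_until)
        except ValueError:
            problems.append(f"unparseable validUntil: {valid_until}")
        else:
            report["valid_until"] = expiry
            if expiry <= now:
                problems.append(f"metadata expired at {valid_until}")
            elif expiry - now <= timedelta(days=warn_days):
                problems.append(f"metadata expires within {warn_days} days")
    # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
    for key in root.iterfind(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}KeyDescriptor"):
        if key.get("use") in (None, "signing"):
            for cert in key.iter(f"{{{DS}}}X509Certificate"):
                if (cert.text or "").strip():
                    report["signing_certs"] += 1
    if report["signing_certs"] == 0:
        problems.append("no signing certificate in IDPSSODescriptor")
    return report


if __name__ == "__main__":
    print(inspect_saml_metadata(SAMPLE_METADATA, datetime.now(timezone.utc)))
```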

`Tags`  <a name="cfn-iam-samlprovider-tags"></a>
A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-iam-samlprovider-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-iam-samlprovider-return-values"></a>

### Ref
<a name="aws-resource-iam-samlprovider-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ARN.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-samlprovider-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-samlprovider-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::SAMLProvider` resource.

`SamlProviderUUID`  <a name="SamlProviderUUID-fn::getatt"></a>
The unique identifier assigned to the SAML provider.

# AWS::IAM::SAMLProvider SAMLPrivateKey
<a name="aws-properties-iam-samlprovider-samlprivatekey"></a>

Contains the private keys for the SAML provider.

This data type is used as a response element in the [GetSAMLProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetSAMLProvider.html) operation.

## Syntax
<a name="aws-properties-iam-samlprovider-samlprivatekey-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-samlprovider-samlprivatekey-syntax.json"></a>

```
{
  "[KeyId](#cfn-iam-samlprovider-samlprivatekey-keyid)" : String,
  "[Timestamp](#cfn-iam-samlprovider-samlprivatekey-timestamp)" : String
}
```

### YAML
<a name="aws-properties-iam-samlprovider-samlprivatekey-syntax.yaml"></a>

```
  [KeyId](#cfn-iam-samlprovider-samlprivatekey-keyid): String
  [Timestamp](#cfn-iam-samlprovider-samlprivatekey-timestamp): String
```

## Properties
<a name="aws-properties-iam-samlprovider-samlprivatekey-properties"></a>

`KeyId`  <a name="cfn-iam-samlprovider-samlprivatekey-keyid"></a>
The unique identifier for the SAML private key.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[A-Z0-9]+`  
*Minimum*: `22`  
*Maximum*: `64`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Timestamp`  <a name="cfn-iam-samlprovider-samlprivatekey-timestamp"></a>
The date and time, in [ISO 8601 date-time](http://www.iso.org/iso/iso8601) format, when the private key was uploaded.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::IAM::SAMLProvider Tag
<a name="aws-properties-iam-samlprovider-tag"></a>

A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-iam-samlprovider-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-samlprovider-tag-syntax.json"></a>

```
{
  "[Key](#cfn-iam-samlprovider-tag-key)" : String,
  "[Value](#cfn-iam-samlprovider-tag-value)" : String
}
```

### YAML
<a name="aws-properties-iam-samlprovider-tag-syntax.yaml"></a>

```
  [Key](#cfn-iam-samlprovider-tag-key): String
  [Value](#cfn-iam-samlprovider-tag-value): String
```

## Properties
<a name="aws-properties-iam-samlprovider-tag-properties"></a>

`Key`  <a name="cfn-iam-samlprovider-tag-key"></a>
The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-iam-samlprovider-tag-value"></a>
The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources`, `Accounting`, and `Support`. Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::IAM::ServerCertificate
<a name="aws-resource-iam-servercertificate"></a>

Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.

We recommend that you use [AWS Certificate Manager](https://docs.aws.amazon.com/acm/) to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/).

For more information about working with server certificates, see [Working with server certificates](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide*. This topic includes a list of AWS services that can use the server certificates that you manage with IAM.

For information about the number of server certificates you can upload, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

**Note**  
Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling `UploadServerCertificate`. For information about setting up signatures and authorization through the API, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference*. For general information about using the Query API with IAM, see [Calling the API by making HTTP query requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-servercertificate-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-servercertificate-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::ServerCertificate",
  "Properties" : {
      "[CertificateBody](#cfn-iam-servercertificate-certificatebody)" : String,
      "[CertificateChain](#cfn-iam-servercertificate-certificatechain)" : String,
      "[Path](#cfn-iam-servercertificate-path)" : String,
      "[PrivateKey](#cfn-iam-servercertificate-privatekey)" : String,
      "[ServerCertificateName](#cfn-iam-servercertificate-servercertificatename)" : String,
      "[Tags](#cfn-iam-servercertificate-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-servercertificate-syntax.yaml"></a>

```
Type: AWS::IAM::ServerCertificate
Properties:
  [CertificateBody](#cfn-iam-servercertificate-certificatebody): String
  [CertificateChain](#cfn-iam-servercertificate-certificatechain): String
  [Path](#cfn-iam-servercertificate-path): String
  [PrivateKey](#cfn-iam-servercertificate-privatekey): String
  [ServerCertificateName](#cfn-iam-servercertificate-servercertificatename): String
  [Tags](#cfn-iam-servercertificate-tags): 
    - Tag
```

## Properties
<a name="aws-resource-iam-servercertificate-properties"></a>

`CertificateBody`  <a name="cfn-iam-servercertificate-certificatebody"></a>
The contents of the public key certificate.  
*Required*: No  
*Type*: String  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `16384`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`CertificateChain`  <a name="cfn-iam-servercertificate-certificatechain"></a>
The contents of the public key certificate chain.  
*Required*: No  
*Type*: String  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `2097152`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Path`  <a name="cfn-iam-servercertificate-path"></a>
The path for the server certificate. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.  
If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the `path` parameter. The path must begin with `/cloudfront` and must include a trailing slash (for example, `/cloudfront/test/`).  
*Required*: No  
*Type*: String  
*Pattern*: `(\u002F)|(\u002F[\u0021-\u007F]+\u002F)`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PrivateKey`  <a name="cfn-iam-servercertificate-privatekey"></a>
The contents of the private key in PEM-encoded format.  
The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:  
+ Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
+ The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
+ The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)
*Required*: No  
*Type*: String  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `16384`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
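
`PrivateKey` here, like `AddPrivateKey` on `AWS::IAM::SAMLProvider`, takes the key material itself, so a key written literally into a template is stored wherever the template is stored. The following check is an added example, not part of the AWS reference; it assumes a policy (this example's, not AWS's) that the key must arrive through a Secrets Manager dynamic reference or a `NoEcho` parameter. The function names, the sample template, its logical IDs, parameter names and secret name, and the placeholder key body are constructed.

```python
# Resource types on this page and the property that carries private key material.
KEY_PROPERTIES = {
    "AWS::IAM::ServerCertificate": "PrivateKey",
    "AWS::IAM::SAMLProvider": "AddPrivateKey",
}
# CloudFormation dynamic reference that resolves a secret at deploy time.
SECRET_REFERENCE_PREFIX = "{{resolve:secretsmanager:"

# Constructed sample template (already parsed); the key body is a placeholder.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "PlainKeyParam": {"Type": "String"},
        "HiddenKeyParam": {"Type": "String", "NoEcho": True},
    },
    "Resources": {
        "InlineCert": {
            "Type": "AWS::IAM::ServerCertificate",
            "Properties": {
                "ServerCertificateName": "inline",
                "PrivateKey": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n"
                              "-----END PRIVATE KEY-----",
            },
        },
        "ParamCert": {
            "Type": "AWS::IAM::ServerCertificate",
            "Properties": {"PrivateKey": {"Ref": "PlainKeyParam"}},
        },
        "HiddenCert": {
            "Type": "AWS::IAM::ServerCertificate",
            "Properties": {"PrivateKey": {"Ref": "HiddenKeyParam"}},
        },
        "Idp": {
            "Type": "AWS::IAM::SAMLProvider",
            "Properties": {
                "Name": "example-idp",
                "AddPrivateKey":
                    "{{resolve:secretsmanager:example/saml-key:SecretString:pem}}",
            },
        },
        "NoKeyCert": {
            "Type": "AWS::IAM::ServerCertificate",
            "Properties": {"ServerCertificateName": "no-key"},
        },
    },
}


def classify_key_value(value, parameters):
    """Return None when the value is acceptable, otherwise a finding string."""
    if isinstance(value, str):
        if value.startswith(SECRET_REFERENCE_PREFIX):
            return None
        if "PRIVATE KEY-----" in value:
            return "PEM private key written into the template"
        return "literal string; expected a secret reference or NoEcho parameter"
    if isinstance(value, dict) and set(value) == {"Ref"}:
        name = value["Ref"]
        parameter = parameters.get(name)
        if parameter is None:
            return f"Ref to {name}, which is not a template parameter"
        # NoEcho may be written as a boolean or as the string "true".
        if str(parameter.get("NoEcho", "")).lower() != "true":
            return f"parameter {name} lacks NoEcho"
        return None
    return "value built by an intrinsic function; review by hand"


def find_key_exposures(template):
    """List (logical_id, property, finding) for key properties that need attention."""
    parameters = template.get("Parameters", {})
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        prop = KEY_PROPERTIES.get(resource.get("Type"))
        props = resource.get("Properties", {})
        if prop is None or prop not in props:
            continue
        finding = classify_key_value(props[prop], parameters)
        if finding:
            findings.append((logical_id, prop, finding))
    return findings


if __name__ == "__main__":
    for row in find_key_exposures(SAMPLE_TEMPLATE):
        print(row)
```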

`ServerCertificateName`  <a name="cfn-iam-servercertificate-servercertificatename"></a>
The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: No  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-iam-servercertificate-tags"></a>
A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-iam-servercertificate-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-iam-servercertificate-return-values"></a>

### Ref
<a name="aws-resource-iam-servercertificate-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `ServerCertificateName`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-servercertificate-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-servercertificate-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::ServerCertificate` resource.

# AWS::IAM::ServerCertificate Tag
<a name="aws-properties-iam-servercertificate-tag"></a>

A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-iam-servercertificate-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-servercertificate-tag-syntax.json"></a>

```
{
  "[Key](#cfn-iam-servercertificate-tag-key)" : String,
  "[Value](#cfn-iam-servercertificate-tag-value)" : String
}
```

### YAML
<a name="aws-properties-iam-servercertificate-tag-syntax.yaml"></a>

```
  [Key](#cfn-iam-servercertificate-tag-key): String
  [Value](#cfn-iam-servercertificate-tag-value): String
```

## Properties
<a name="aws-properties-iam-servercertificate-tag-properties"></a>

`Key`  <a name="cfn-iam-servercertificate-tag-key"></a>
The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-iam-servercertificate-tag-value"></a>
The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources`, `Accounting`, and `Support`. Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::IAM::ServiceLinkedRole
<a name="aws-resource-iam-servicelinkedrole"></a>

Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. For more information, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *IAM User Guide*. 

To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.

## Syntax
<a name="aws-resource-iam-servicelinkedrole-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-servicelinkedrole-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::ServiceLinkedRole",
  "Properties" : {
      "[AWSServiceName](#cfn-iam-servicelinkedrole-awsservicename)" : String,
      "[CustomSuffix](#cfn-iam-servicelinkedrole-customsuffix)" : String,
      "[Description](#cfn-iam-servicelinkedrole-description)" : String
    }
}
```

### YAML
<a name="aws-resource-iam-servicelinkedrole-syntax.yaml"></a>

```
Type: AWS::IAM::ServiceLinkedRole
Properties:
  [AWSServiceName](#cfn-iam-servicelinkedrole-awsservicename): String
  [CustomSuffix](#cfn-iam-servicelinkedrole-customsuffix): String
  [Description](#cfn-iam-servicelinkedrole-description): String
```

## Properties
<a name="aws-resource-iam-servicelinkedrole-properties"></a>

`AWSServiceName`  <a name="cfn-iam-servicelinkedrole-awsservicename"></a>
The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: `elasticbeanstalk.amazonaws.com`.   
Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*. Look for the services that have **Yes** in the **Service-Linked Role** column. Choose the **Yes** link to view the service-linked role documentation for that service.  
*Required*: No  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`CustomSuffix`  <a name="cfn-iam-servicelinkedrole-customsuffix"></a>
  
A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different `CustomSuffix` for each request. Otherwise the request fails with a duplicate role name error. For example, you could add `-1` or `-debug` to the suffix.  
Some services do not support the `CustomSuffix` parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.  
*Required*: No  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Description`  <a name="cfn-iam-servicelinkedrole-description"></a>
The description of the role.  
*Required*: No  
*Type*: String  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`  
*Maximum*: `1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-iam-servicelinkedrole-return-values"></a>

### Ref
<a name="aws-resource-iam-servicelinkedrole-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `RoleName` created for the service-linked role. The `CustomSuffix` is appended to the service-provided prefix with an underscore followed by the `CustomSuffix` to form the complete role name. For example, `AWSServiceRoleForAutoScaling` or `AWSServiceRoleForAutoScaling_TestSuffix` if a `CustomSuffix` is specified.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-servicelinkedrole-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-servicelinkedrole-return-values-fn--getatt-fn--getatt"></a>

`RoleName`  <a name="RoleName-fn::getatt"></a>
Returns the friendly name that identifies the role. For example, `AWSServiceRoleForAutoScaling` or `AWSServiceRoleForAutoScaling_TestSuffix` if a `CustomSuffix` is specified.

## Examples
<a name="aws-resource-iam-servicelinkedrole--examples"></a>



### Service-Linked Role for Auto Scaling
<a name="aws-resource-iam-servicelinkedrole--examples--Service-Linked_Role_for_Auto_Scaling"></a>

The following example creates a service-linked role that can be assumed by the Auto Scaling service.

#### JSON
<a name="aws-resource-iam-servicelinkedrole--examples--Service-Linked_Role_for_Auto_Scaling--json"></a>

```
{
    "Description": "SLR resource create test - Auto Scaling",
    "Resources": {
        "BasicSLR": {
            "Type": "AWS::IAM::ServiceLinkedRole",
            "Properties": {
                "AWSServiceName": "autoscaling.amazonaws.com",
                "Description": "Test SLR description",
                "CustomSuffix": "TestSuffix"
            }
        }
    },
    "Outputs": {
        "SLRId": {
            "Value": {
                "Ref": "BasicSLR"
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-iam-servicelinkedrole--examples--Service-Linked_Role_for_Auto_Scaling--yaml"></a>

```
Description: SLR resource create test - Auto Scaling
Resources:
  BasicSLR:
    Type: 'AWS::IAM::ServiceLinkedRole'
    Properties:
      AWSServiceName: autoscaling.amazonaws.com
      Description: Test SLR description
      CustomSuffix: TestSuffix
Outputs:
  SLRId:
    Value: !Ref BasicSLR
```

## See also
<a name="aws-resource-iam-servicelinkedrole--seealso"></a>
+ [CreateServiceLinkedRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html) in the *AWS Identity and Access Management API Reference*
+ [Using Service-Linked Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *AWS Identity and Access Management User Guide*



# AWS::IAM::User
<a name="aws-resource-iam-user"></a>

Creates a new IAM user for your AWS account.

 For information about quotas for the number of IAM users you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-user-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-user-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::User",
  "Properties" : {
      "[Groups](#cfn-iam-user-groups)" : [ String, ... ],
      "[LoginProfile](#cfn-iam-user-loginprofile)" : LoginProfile,
      "[ManagedPolicyArns](#cfn-iam-user-managedpolicyarns)" : [ String, ... ],
      "[Path](#cfn-iam-user-path)" : String,
      "[PermissionsBoundary](#cfn-iam-user-permissionsboundary)" : String,
      "[Policies](#cfn-iam-user-policies)" : [ Policy, ... ],
      "[Tags](#cfn-iam-user-tags)" : [ Tag, ... ],
      "[UserName](#cfn-iam-user-username)" : String
    }
}
```

### YAML
<a name="aws-resource-iam-user-syntax.yaml"></a>

```
Type: AWS::IAM::User
Properties:
  [Groups](#cfn-iam-user-groups): 
    - String
  [LoginProfile](#cfn-iam-user-loginprofile): 
    LoginProfile
  [ManagedPolicyArns](#cfn-iam-user-managedpolicyarns): 
    - String
  [Path](#cfn-iam-user-path): String
  [PermissionsBoundary](#cfn-iam-user-permissionsboundary): String
  [Policies](#cfn-iam-user-policies): 
    - Policy
  [Tags](#cfn-iam-user-tags): 
    - Tag
  [UserName](#cfn-iam-user-username): String
```

## Properties
<a name="aws-resource-iam-user-properties"></a>

`Groups`  <a name="cfn-iam-user-groups"></a>
A list of group names to which you want to add the user.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LoginProfile`  <a name="cfn-iam-user-loginprofile"></a>
Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.  
You can use the AWS CLI, the AWS API, or the **Users** page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the **My Security Credentials** page in the AWS Management Console.  
For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: [LoginProfile](aws-properties-iam-user-loginprofile.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ManagedPolicyArns`  <a name="cfn-iam-user-managedpolicyarns"></a>
A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.  
For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Path`  <a name="cfn-iam-user-path"></a>
 The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
This parameter is optional. If it is not included, it defaults to a slash (/).  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the \! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and uppercase and lowercase letters.  
*Required*: No  
*Type*: String  
*Pattern*: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PermissionsBoundary`  <a name="cfn-iam-user-permissionsboundary"></a>
The ARN of the managed policy that is used to set the permissions boundary for the user.  
A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
For more information about policy types, see [Policy types](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the *IAM User Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Policies`  <a name="cfn-iam-user-policies"></a>
Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user).  
The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. 
For information about limits on the number of inline policies that you can embed in a user, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide*.  
*Required*: No  
*Type*: Array of [Policy](aws-properties-iam-user-policy.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-iam-user-tags"></a>
A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
*Required*: No  
*Type*: Array of [Tag](aws-properties-iam-user-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UserName`  <a name="cfn-iam-user-username"></a>
The name of the user to create. Do not include the path in this value.  
This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: \_\+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".  
If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the user name.  
If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities).  
Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}`.
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-iam-user-return-values"></a>

### Ref
<a name="aws-resource-iam-user-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `UserName`. For example: `mystack-myuser-1CCXAFG2H2U4D`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-user-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-user-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::User` resource. For example: `arn:aws:iam::123456789012:user/mystack-myuser-1CCXAFG2H2U4D`.

## See also
<a name="aws-resource-iam-user--seealso"></a>
+ To view `AWS::IAM::User` template example snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user). 
+ [CreateUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::User LoginProfile
<a name="aws-properties-iam-user-loginprofile"></a>

Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. For more information about managing passwords, see [Managing Passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-iam-user-loginprofile-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-user-loginprofile-syntax.json"></a>

```
{
  "[Password](#cfn-iam-user-loginprofile-password)" : String,
  "[PasswordResetRequired](#cfn-iam-user-loginprofile-passwordresetrequired)" : Boolean
}
```

### YAML
<a name="aws-properties-iam-user-loginprofile-syntax.yaml"></a>

```
  [Password](#cfn-iam-user-loginprofile-password): String
  [PasswordResetRequired](#cfn-iam-user-loginprofile-passwordresetrequired): Boolean
```

## Properties
<a name="aws-properties-iam-user-loginprofile-properties"></a>

`Password`  <a name="cfn-iam-user-loginprofile-password"></a>
The user's password.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PasswordResetRequired`  <a name="cfn-iam-user-loginprofile-passwordresetrequired"></a>
Specifies whether the user is required to set a new password on next sign-in.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
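
Because `Password` is an ordinary `String` property, a literal value written here is stored with the template and readable by anyone who can view it. The following Python check is an added example, not part of the AWS reference: it scans a JSON template for `LoginProfile` passwords that are literals or come from a parameter without `NoEcho`, and accepts CloudFormation dynamic references (`{{resolve:secretsmanager:...}}`, `{{resolve:ssm-secure:...}}`). The sample template, the function names, and the policy that `PasswordResetRequired` should be `true` are assumptions of this example.

```python
import json
import re

# A password supplied entirely as a dynamic reference is resolved at deploy
# time and never appears in the template text.
DYNAMIC_REF = re.compile(r"\{\{resolve:(secretsmanager|ssm-secure):[^}]+\}\}")

# Constructed sample template (all names and values are made up).
LOGIN_TEMPLATE = json.loads("""
{
  "Parameters": {
    "InitialPassword": {"Type": "String"}
  },
  "Resources": {
    "UserLiteral": {
      "Type": "AWS::IAM::User",
      "Properties": {"LoginProfile": {"Password": "ExamplePassw0rd!"}}
    },
    "UserParam": {
      "Type": "AWS::IAM::User",
      "Properties": {"LoginProfile": {
        "Password": {"Ref": "InitialPassword"},
        "PasswordResetRequired": true
      }}
    },
    "UserSecret": {
      "Type": "AWS::IAM::User",
      "Properties": {"LoginProfile": {
        "Password": "{{resolve:secretsmanager:ExampleSecret:SecretString:password}}",
        "PasswordResetRequired": true
      }}
    }
  }
}
""")


def is_true(value):
    """Templates may carry booleans as true or as the string "true"."""
    return str(value).lower() == "true"


def check_login_profiles(template):
    """Return (logical_id, finding) pairs for risky LoginProfile settings."""
    params = template.get("Parameters", {})
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::User":
            continue
        profile = res.get("Properties", {}).get("LoginProfile")
        if not isinstance(profile, dict):
            continue  # no console password declared for this user
        password = profile.get("Password")
        if isinstance(password, str):
            # Anything other than a whole-value dynamic reference is a literal.
            if not DYNAMIC_REF.fullmatch(password):
                findings.append(
                    (logical_id, "Password is a literal string in the template"))
        elif isinstance(password, dict) and "Ref" in password:
            # A parameter value is masked in console and API output only
            # when the parameter sets NoEcho.
            name = password["Ref"]
            if not is_true(params.get(name, {}).get("NoEcho")):
                findings.append(
                    (logical_id, f"Password parameter {name} is not NoEcho"))
        # Policy assumed by this example: the initial password must be
        # changed by the user at first sign-in.
        if not is_true(profile.get("PasswordResetRequired")):
            findings.append((logical_id, "PasswordResetRequired is not true"))
    return findings


if __name__ == "__main__":
    for logical_id, finding in check_login_profiles(LOGIN_TEMPLATE):
        print(f"{logical_id}: {finding}")
```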

## See also
<a name="aws-properties-iam-user-loginprofile--seealso"></a>
+ [LoginProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_LoginProfile.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::User Policy
<a name="aws-properties-iam-user-policy"></a>

Contains information about an attached policy.

An attached policy is a managed policy that has been attached to a user, group, or role.

For more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Syntax
<a name="aws-properties-iam-user-policy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-user-policy-syntax.json"></a>

```
{
  "[PolicyDocument](#cfn-iam-user-policy-policydocument)" : Json,
  "[PolicyName](#cfn-iam-user-policy-policyname)" : String
}
```

### YAML
<a name="aws-properties-iam-user-policy-syntax.yaml"></a>

```
  [PolicyDocument](#cfn-iam-user-policy-policydocument): Json
  [PolicyName](#cfn-iam-user-policy-policyname): String
```

## Properties
<a name="aws-properties-iam-user-policy-properties"></a>

`PolicyDocument`  <a name="cfn-iam-user-policy-policydocument"></a>
The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json).  
*Required*: Yes  
*Type*: Json  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyName`  <a name="cfn-iam-user-policy-policyname"></a>
The friendly name (not ARN) identifying the policy.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Examples
<a name="aws-properties-iam-user-policy--examples"></a>

### IAM User Policy
<a name="aws-properties-iam-user-policy--examples--IAM_User_Policy"></a>

This example shows how the policy document is declared.

#### JSON
<a name="aws-properties-iam-user-policy--examples--IAM_User_Policy--json"></a>

```
{
    "PolicyName": "root",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "IamListAccess",
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles",
                    "iam:ListUsers"
                ],
                "Resource": "*"
            }
        ]
    }
}
```

#### YAML
<a name="aws-properties-iam-user-policy--examples--IAM_User_Policy--yaml"></a>

```
PolicyName: root
PolicyDocument:
   Version: "2012-10-17"
   Statement:
      - Sid: IamListAccess
        Effect: Allow
        Action:
         - 'iam:ListRoles'
         - 'iam:ListUsers'
        Resource: '*'
```

## See also
<a name="aws-properties-iam-user-policy--seealso"></a>
+ [PolicyDetail](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PolicyDetail.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::User Tag
<a name="aws-properties-iam-user-tag"></a>

A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-iam-user-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-user-tag-syntax.json"></a>

```
{
  "[Key](#cfn-iam-user-tag-key)" : String,
  "[Value](#cfn-iam-user-tag-value)" : String
}
```

### YAML
<a name="aws-properties-iam-user-tag-syntax.yaml"></a>

```
  [Key](#cfn-iam-user-tag-key): String
  [Value](#cfn-iam-user-tag-value): String
```

## Properties
<a name="aws-properties-iam-user-tag-properties"></a>

`Key`  <a name="cfn-iam-user-tag-key"></a>
The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\p{L}\p{Z}\p{N}_.:/=+\-@]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-iam-user-tag-value"></a>
The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources`, `Accounting`, and `Support`. Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\p{L}\p{Z}\p{N}_.:/=+\-@]*`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::IAM::UserPolicy
<a name="aws-resource-iam-userpolicy"></a>

Adds or updates an inline policy document that is embedded in the specified IAM user.

An IAM user can also have a managed policy attached to it. To attach a managed policy to a user, use [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html). To create a new managed policy, use [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html). For information about policies, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*.

For information about the maximum number of inline policies that you can embed in a user, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

## Syntax
<a name="aws-resource-iam-userpolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-userpolicy-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::UserPolicy",
  "Properties" : {
      "[PolicyDocument](#cfn-iam-userpolicy-policydocument)" : Json,
      "[PolicyName](#cfn-iam-userpolicy-policyname)" : String,
      "[UserName](#cfn-iam-userpolicy-username)" : String
    }
}
```

### YAML
<a name="aws-resource-iam-userpolicy-syntax.yaml"></a>

```
Type: AWS::IAM::UserPolicy
Properties:
  [PolicyDocument](#cfn-iam-userpolicy-policydocument): Json
  [PolicyName](#cfn-iam-userpolicy-policyname): String
  [UserName](#cfn-iam-userpolicy-username): String
```

## Properties
<a name="aws-resource-iam-userpolicy-properties"></a>

`PolicyDocument`  <a name="cfn-iam-userpolicy-policydocument"></a>
The policy document.  
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.  
The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:  
+ Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
+ The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
+ The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

*Required*: No  
*Type*: Json  
*Pattern*: `[\u0009\u000A\u000D\u0020-\u00FF]+`  
*Minimum*: `1`  
*Maximum*: `131072`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PolicyName`  <a name="cfn-iam-userpolicy-policyname"></a>
The name of the policy document.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: \_\+=,.@-  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`UserName`  <a name="cfn-iam-userpolicy-username"></a>
The name of the user to associate the policy with.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: \_\+=,.@-  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-iam-userpolicy-return-values"></a>

### Ref
<a name="aws-resource-iam-userpolicy-return-values-ref"></a>

When the logical ID of this resource is provided to the `Ref` intrinsic function, `Ref` returns the resource name.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-iam-userpolicy--examples"></a>



**Topics**
+ [User embedded inline policy document](#aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document)
+ [User embedded inline policy document with Ref function](#aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document_with_Ref_function)

### User embedded inline policy document
<a name="aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document"></a>

This example shows an inline policy document in `AWS::IAM::UserPolicy`. The policy will be embedded in the specified IAM user, `RootUser`.

#### JSON
<a name="aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document--json"></a>

```
{
    "Type": "AWS::IAM::UserPolicy",
    "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": "*"
                }
            ]
        },
        "UserName": "RootUser"
    }
}
```

#### YAML
<a name="aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document--yaml"></a>

```
Type: 'AWS::IAM::UserPolicy'
Properties:
  PolicyName: root
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: '*'
        Resource: '*'
  UserName: RootUser
```

### User embedded inline policy document with Ref function
<a name="aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document_with_Ref_function"></a>

This example shows an inline policy document in `AWS::IAM::UserPolicy`. The example uses the `Ref` function in the `UserName` property to specify the logical ID of an `AWS::IAM::User` resource. For the logical ID of the `AWS::IAM::User` resource, `Ref` returns the user name.

#### JSON
<a name="aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document_with_Ref_function--json"></a>

```
{
    "Type": "AWS::IAM::UserPolicy",
    "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": "*"
                }
            ]
        },
        "UserName": {
            "Ref": "RootUser"
        }
    }
}
```

#### YAML
<a name="aws-resource-iam-userpolicy--examples--User_embedded_inline_policy_document_with_Ref_function--yaml"></a>

```
Type: 'AWS::IAM::UserPolicy'
Properties:
  PolicyName: root
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: '*'
        Resource: '*'
  UserName: !Ref RootUser
```
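
Both examples above allow `Action: '*'` on `Resource: '*'`, which gives the user full administrator access. The following Python check is an added example, not part of the AWS reference: it walks a JSON template and reports over-broad `Allow` statements in inline user policies, whether declared as `AWS::IAM::UserPolicy` or under the `Policies` property of `AWS::IAM::User`. The sample template and function names are constructed for illustration, and YAML templates with short-form tags such as `!Ref` would first need a CloudFormation-aware loader.

```python
import json

# Constructed sample: the wildcard UserPolicy from this page's examples plus
# the list-only inline policy from the AWS::IAM::User Policy example.
TEMPLATE = json.loads("""
{
  "Resources": {
    "RootUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Policies": [{
          "PolicyName": "list-only",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Sid": "IamListAccess",
              "Effect": "Allow",
              "Action": ["iam:ListRoles", "iam:ListUsers"],
              "Resource": "*"
            }]
          }
        }]
      }
    },
    "RootUserPolicy": {
      "Type": "AWS::IAM::UserPolicy",
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
        },
        "UserName": {"Ref": "RootUser"}
      }
    }
  }
}
""")


def as_list(value):
    """Statement, Action and Resource may each be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def inline_policies(template):
    """Yield (logical_id, policy_name, document) for each inline user policy."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::UserPolicy":
            yield logical_id, props.get("PolicyName"), props.get("PolicyDocument")
        elif res.get("Type") == "AWS::IAM::User":
            for policy in props.get("Policies", []):
                yield logical_id, policy.get("PolicyName"), policy.get("PolicyDocument")


def audit_statement(stmt):
    """Return a finding for an over-broad Allow statement, otherwise None."""
    if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
        return None
    # Intrinsic functions appear as dicts; only literal strings are judged.
    resources = [r for r in as_list(stmt.get("Resource")) if isinstance(r, str)]
    if "*" not in resources:
        return None
    if "NotAction" in stmt:
        # Allow + NotAction grants every action except the ones listed.
        return "Allow with NotAction on Resource '*'"
    actions = [a for a in as_list(stmt.get("Action")) if isinstance(a, str)]
    if "*" in actions:
        return "full administrator access (Action '*' on Resource '*')"
    broad = sorted(a for a in actions if a.endswith(":*"))
    if broad:
        return "service-wide wildcard on Resource '*': " + ", ".join(broad)
    return None


def audit_template(template):
    """Return (logical_id, policy_name, finding) for every flagged statement."""
    findings = []
    for logical_id, name, doc in inline_policies(template):
        if not isinstance(doc, dict):
            continue
        for stmt in as_list(doc.get("Statement")):
            issue = audit_statement(stmt)
            if issue:
                findings.append((logical_id, name, issue))
    return findings


if __name__ == "__main__":
    for logical_id, name, issue in audit_template(TEMPLATE):
        print(f"{logical_id} / {name}: {issue}")
```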

## See also
<a name="aws-resource-iam-userpolicy--seealso"></a>
+ [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html) in the *AWS Identity and Access Management API Reference*
+ [AWS::IAM::User](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html)



# AWS::IAM::UserToGroupAddition
<a name="aws-resource-iam-usertogroupaddition"></a>

Adds the specified user to the specified group.

## Syntax
<a name="aws-resource-iam-usertogroupaddition-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-usertogroupaddition-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::UserToGroupAddition",
  "Properties" : {
      "[GroupName](#cfn-iam-usertogroupaddition-groupname)" : String,
      "[Users](#cfn-iam-usertogroupaddition-users)" : [ String, ... ]
    }
}
```

### YAML
<a name="aws-resource-iam-usertogroupaddition-syntax.yaml"></a>

```
Type: AWS::IAM::UserToGroupAddition
Properties:
  [GroupName](#cfn-iam-usertogroupaddition-groupname): String
  [Users](#cfn-iam-usertogroupaddition-users): 
    - String
```

## Properties
<a name="aws-resource-iam-usertogroupaddition-properties"></a>

`GroupName`  <a name="cfn-iam-usertogroupaddition-groupname"></a>
The name of the group to update.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: \_\+=,.@-  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Users`  <a name="cfn-iam-usertogroupaddition-users"></a>
A list of the names of the users that you want to add to the group.  
*Required*: Yes  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-iam-usertogroupaddition-return-values"></a>

### Ref
<a name="aws-resource-iam-usertogroupaddition-return-values-ref"></a>

When the logical ID of this resource is provided to the `Ref` intrinsic function, `Ref` returns the resource name.

For example:

 `{ "Ref": "MyUserToGroupAddition" }` 

For the `AWS::IAM::UserToGroupAddition` resource with the logical ID `MyUserToGroupAddition`, `Ref` will return the AWS resource name.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-usertogroupaddition-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-usertogroupaddition-return-values-fn--getatt-fn--getatt"></a>

`Id`  <a name="Id-fn::getatt"></a>
 The stable and unique string identifying the group. For more information about IDs, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. 

## See also
<a name="aws-resource-iam-usertogroupaddition--seealso"></a>
+ To view `AWS::IAM::UserToGroupAddition` template example snippets, see [Add Users to a Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-addusertogroup). 
+ [AddUserToGroup](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html) in the *AWS Identity and Access Management API Reference*



# AWS::IAM::VirtualMFADevice
<a name="aws-resource-iam-virtualmfadevice"></a>

Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use [EnableMFADevice](https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableMFADevice.html) to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see [Using a virtual MFA device](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html) in the *IAM User Guide*.

For information about the maximum number of MFA devices you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.

**Important**  
The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.

## Syntax
<a name="aws-resource-iam-virtualmfadevice-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-iam-virtualmfadevice-syntax.json"></a>

```
{
  "Type" : "AWS::IAM::VirtualMFADevice",
  "Properties" : {
      "Path" : String,
      "Tags" : [ Tag, ... ],
      "Users" : [ String, ... ],
      "VirtualMfaDeviceName" : String
    }
}
```

### YAML
<a name="aws-resource-iam-virtualmfadevice-syntax.yaml"></a>

```
Type: AWS::IAM::VirtualMFADevice
Properties:
  Path: String
  Tags:
    - Tag
  Users:
    - String
  VirtualMfaDeviceName: String
```

## Properties
<a name="aws-resource-iam-virtualmfadevice-properties"></a>

`Path`  <a name="cfn-iam-virtualmfadevice-path"></a>
 The path for the virtual MFA device. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
This parameter is optional. If it is not included, it defaults to a slash (/).  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.  
*Required*: No  
*Type*: String  
*Pattern*: `(\u002F)|(\u002F[\u0021-\u007F]+\u002F)`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-iam-virtualmfadevice-tags"></a>
A list of tags that you want to attach to the new IAM virtual MFA device. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-iam-virtualmfadevice-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Users`  <a name="cfn-iam-virtualmfadevice-users"></a>
The IAM user associated with this virtual MFA device.  
*Required*: Yes  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VirtualMfaDeviceName`  <a name="cfn-iam-virtualmfadevice-virtualmfadevicename"></a>
The name of the virtual MFA device, which must be unique. Use with path to uniquely identify a virtual MFA device.  
This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`  
*Required*: No  
*Type*: String  
*Pattern*: `[\w+=,.@-]+`  
*Minimum*: `1`  
*Maximum*: `226`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-iam-virtualmfadevice-return-values"></a>

### Ref
<a name="aws-resource-iam-virtualmfadevice-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `SerialNumber`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-iam-virtualmfadevice-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-iam-virtualmfadevice-return-values-fn--getatt-fn--getatt"></a>

`SerialNumber`  <a name="SerialNumber-fn::getatt"></a>
Returns the serial number for the specified `AWS::IAM::VirtualMFADevice` resource.

# AWS::IAM::VirtualMFADevice Tag
<a name="aws-properties-iam-virtualmfadevice-tag"></a>

A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## Syntax
<a name="aws-properties-iam-virtualmfadevice-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-iam-virtualmfadevice-tag-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-iam-virtualmfadevice-tag-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-iam-virtualmfadevice-tag-properties"></a>

`Key`  <a name="cfn-iam-virtualmfadevice-tag-key"></a>
The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-iam-virtualmfadevice-tag-value"></a>
The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources`, `Accounting`, and `Support`. Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
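
The following pre-deployment lint check applies the patterns and length limits documented above for `AWS::IAM::VirtualMFADevice` and its `Tag` property. It is an added example, not part of the AWS reference or tooling; the function names and sample resource are hypothetical, and treating `\w` in the name pattern as ASCII-only is an assumption.

```python
import re

# Patterns and limits are copied from the property tables on this page.
# Assumption: \w in the name pattern is ASCII-only, so re.ASCII is set
# (Python's \w would otherwise accept non-ASCII letters).
PATH_RE = re.compile(r"(\u002F)|(\u002F[\u0021-\u007F]+\u002F)")
NAME_RE = re.compile(r"[\w+=,.@-]+", re.ASCII)

def _check(errors, label, value, lo, hi, pattern=None):
    """Record an error unless value is a str of length lo..hi matching pattern."""
    if isinstance(value, dict):      # intrinsic function (Ref, Fn::Sub, ...):
        return                       # value is unknown until deployment
    if not isinstance(value, str):
        errors.append(f"{label}: expected a string")
    elif not lo <= len(value) <= hi:
        errors.append(f"{label}: length {len(value)} outside {lo}..{hi}")
    elif pattern is not None and not pattern.fullmatch(value):
        errors.append(f"{label}: does not match {pattern.pattern}")

def validate_virtual_mfa_device(resource):
    """Return constraint violations for one AWS::IAM::VirtualMFADevice resource."""
    props = resource.get("Properties") or {}
    errors = []
    if "Path" in props:                  # optional, defaults to "/"
        _check(errors, "Path", props["Path"], 1, 512, PATH_RE)
    if "VirtualMfaDeviceName" in props:  # optional
        _check(errors, "VirtualMfaDeviceName",
               props["VirtualMfaDeviceName"], 1, 226, NAME_RE)
    if not isinstance(props.get("Users"), list):
        errors.append("Users: required, must be a list")
    tags = props.get("Tags", [])
    if len(tags) > 50:
        errors.append(f"Tags: {len(tags)} entries exceeds the maximum of 50")
    for i, tag in enumerate(tags):
        _check(errors, f"Tags[{i}].Key", tag.get("Key"), 1, 128)
        _check(errors, f"Tags[{i}].Value", tag.get("Value"), 1, 256)
    return errors

# Constructed sample resource (names are hypothetical).
SAMPLE = {
    "Type": "AWS::IAM::VirtualMFADevice",
    "Properties": {
        "Path": "/mfa/",
        "VirtualMfaDeviceName": "ops_mfa+1@example.com",
        "Users": [{"Ref": "OpsUser"}],
        "Tags": [{"Key": "Department", "Value": "Support"}],
    },
}
```

Calling `validate_virtual_mfa_device(SAMPLE)` returns an empty list. Values supplied through intrinsic functions are skipped because they cannot be checked before deployment.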