Policy

The following snippet creates an S3 policy allowing full access to a specific bucket and/or path.

variable "policy_name" {}
variable "role_id" {}
variable "s3_url" {}

resource "aws_iam_role_policy" "main" {
  name = var.policy_name
  role = var.role_id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["s3:*"]
        Effect   = "Allow"
        Resource = "arn:aws:s3:::${var.s3_url}"
      }
    ]
  })
}

The following snippet builds on the (OIDC Example)[oidc.md] to attach a policy to the OIDC role that allow managing the role and policy.

variable "policy_name" {}
variable "role_id" {}

resource "aws_iam_role_policy" "main" {
  name = var.policy_name
  role = var.role_id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:GetRole",
          "iam:ListRolePolicies",
          "iam:GetRolePolicy",
          "iam:ListAttachedRolePolicies",
          "iam:CreateRole",
          "iam:PutRolePolicy",
          "iam:DeleteRolePolicy",
          "iam:ListInstanceProfilesForRole",
          "iam:DeleteRole",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}