Policy
The following snippet creates an S3 policy allowing full access to a specific bucket and/or path.
variable "policy_name" {}
variable "role_id" {}
variable "s3_url" {}
resource "aws_iam_role_policy" "main" {
name = var.policy_name
role = var.role_id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["s3:*"]
Effect = "Allow"
Resource = "arn:aws:s3:::${var.s3_url}"
}
]
})
}
The following snippet builds on the (OIDC Example)[oidc.md] to attach a policy to the OIDC role that allow managing the role and policy.
variable "policy_name" {}
variable "role_id" {}
resource "aws_iam_role_policy" "main" {
name = var.policy_name
role = var.role_id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:GetRole",
"iam:ListRolePolicies",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:ListInstanceProfilesForRole",
"iam:DeleteRole",
]
Effect = "Allow"
Resource = "*"
},
]
})
}