Skip to content
Alchemy
GitHubXDiscord

RolePolicy

The RolePolicy resource lets you manage AWS IAM RolePolicys for fine-grained control over access to AWS resources.

Minimal Example

Section titled “Minimal Example”

Create a basic IAM RolePolicy with required properties and a common optional property for the policy document.

import AWS from "alchemy/aws/control";


const basicRolePolicy = await AWS.IAM.RolePolicy("basicRolePolicy", {
  RoleName: "myIAMRole",
  PolicyName: "myPolicy",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: "s3:ListBucket",
        Resource: "arn:aws:s3:::my-bucket"
      }
    ]
  }
});

Advanced Configuration

Section titled “Advanced Configuration”

Configure an IAM RolePolicy with additional permissions and a more complex policy document.

const advancedRolePolicy = await AWS.IAM.RolePolicy("advancedRolePolicy", {
  RoleName: "myIAMRole",
  PolicyName: "advancedPolicy",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: [
          "s3:GetObject",
          "s3:PutObject"
        ],
        Resource: "arn:aws:s3:::my-bucket/*"
      },
      {
        Effect: "Allow",
        Action: "ec2:DescribeInstances",
        Resource: "*"
      }
    ]
  }
});

Policy with Conditions

Section titled “Policy with Conditions”

Create an IAM RolePolicy that includes conditions for more granular control.

const conditionalRolePolicy = await AWS.IAM.RolePolicy("conditionalRolePolicy", {
  RoleName: "myIAMRole",
  PolicyName: "conditionalPolicy",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: "s3:GetObject",
        Resource: "arn:aws:s3:::my-bucket/*",
        Condition: {
          StringEquals: {
            "aws:SourceAccount": "123456789012"
          }
        }
      }
    ]
  }
});

Policy with Multiple Statements

Section titled “Policy with Multiple Statements”

Define a RolePolicy with multiple statements to cover different actions and resources.

const multiStatementRolePolicy = await AWS.IAM.RolePolicy("multiStatementRolePolicy", {
  RoleName: "myIAMRole",
  PolicyName: "multiStatementPolicy",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: "dynamodb:Scan",
        Resource: "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
      },
      {
        Effect: "Allow",
        Action: "sqs:SendMessage",
        Resource: "arn:aws:sqs:us-east-1:123456789012:my-queue"
      }
    ]
  }
});