Use managed iam policy @ ec2-role
iam.tf
# Instance profile that hands aws_iam_role.role to EC2 instances launched with it.
# NOTE(review): later AWS provider releases deprecate the `roles` list in favour
# of a single `role` argument — confirm against the provider version in use.
resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  roles = ["${aws_iam_role.role.name}"]
}
# IAM role for EC2 instances. Only the trust (assume-role) policy is defined
# here; the permissions the role grants are attached separately.
resource "aws_iam_role" "role" {
  name = "test_role"
  path = "/"
  # Trust policy: only the EC2 service principal (ec2.amazonaws.com) is
  # allowed to call sts:AssumeRole on this role. The heredoc is a JSON
  # string literal, so it carries no HCL comments and is kept verbatim.
  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {"Service": "ec2.amazonaws.com"},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
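# Attach the AWS-managed AmazonEC2ReadOnlyAccess policy to aws_iam_role.role.
#
# aws_iam_role_policy_attachment is non-exclusive: it manages only this
# role's attachment of the policy. The original aws_iam_policy_attachment
# resource is exclusive — it takes ownership of every attachment of the
# policy in the account and detaches it from any user, group or role not
# listed, which silently strips permissions elsewhere on the next apply.
# The resource type change also changes this resource's Terraform address
# (aws_iam_policy_attachment.test-attach -> aws_iam_role_policy_attachment.test-attach);
# nothing on this page references it. The attachment resource has no `name`.
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = "${aws_iam_role.role.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}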
How to get an inventory of the managed IAM policy ARNs
# Print the ARN of every IAM policy visible to the caller, one per line
# (the multiselect list `[Arn]` is what keeps the text output one-per-line).
# Add `--scope AWS` to limit the inventory to AWS-managed policies, i.e. the
# arn:aws:iam::aws:policy/... ARNs used as policy_arn above.
aws iam list-policies --query 'Policies[*].[Arn]' --output text
arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess
arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess
arn:aws:iam::aws:policy/AWSMarketplaceFullAccess
arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
arn:aws:iam::aws:policy/service-role/AWSQuickSightListIAM
arn:aws:iam::aws:policy/AmazonRDSFullAccess
arn:aws:iam::aws:policy/AmazonEC2FullAccess
arn:aws:iam::aws:policy/AWSElasticBeanstalkReadOnlyAccess
arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly
arn:aws:iam::aws:policy/AWSCodeCommitPowerUser
arn:aws:iam::aws:policy/AWSCodeCommitFullAccess
arn:aws:iam::aws:policy/AmazonSQSFullAccess
arn:aws:iam::aws:policy/AWSLambdaFullAccess
arn:aws:iam::aws:policy/service-role/AWSIoTLogging
arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
arn:aws:iam::aws:policy/service-role/AWSCloudHSMRole
arn:aws:iam::aws:policy/IAMFullAccess
arn:aws:iam::aws:policy/AmazonInspectorFullAccess
arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy
arn:aws:iam::aws:policy/AWSMobileHub_ReadOnly
arn:aws:iam::aws:policy/service-role/CloudWatchEventsBuiltInTargetExecutionAccess
arn:aws:iam::aws:policy/AWSOpsWorksFullAccess
arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentAccess
arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole
arn:aws:iam::aws:policy/AmazonRoute53DomainsReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSOpsWorksRole
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
arn:aws:iam::aws:policy/SimpleWorkflowFullAccess
arn:aws:iam::aws:policy/AmazonS3FullAccess
arn:aws:iam::aws:policy/AWSStorageGatewayReadOnlyAccess
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role
arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess
arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth
arn:aws:iam::aws:policy/AmazonElasticMapReduceReadOnlyAccess
arn:aws:iam::aws:policy/AWSDirectoryServiceReadOnlyAccess
arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess
arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess
arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess
arn:aws:iam::aws:policy/AmazonMobileAnalyticsFullAccess
arn:aws:iam::aws:policy/AWSMobileHub_FullAccess
arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
arn:aws:iam::aws:policy/service-role/AWSDataPipelineRole
arn:aws:iam::aws:policy/CloudWatchFullAccess
arn:aws:iam::aws:policy/ServiceCatalogAdminFullAccess
arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess
arn:aws:iam::aws:policy/AWSCodePipelineReadOnlyAccess
arn:aws:iam::aws:policy/ReadOnlyAccess
arn:aws:iam::aws:policy/AmazonMachineLearningBatchPredictionsAccess
arn:aws:iam::aws:policy/AWSCodeDeployReadOnlyAccess
arn:aws:iam::aws:policy/CloudSearchFullAccess
arn:aws:iam::aws:policy/AWSCloudHSMFullAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetRole
arn:aws:iam::aws:policy/AmazonElasticTranscoderJobsSubmitter
arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess
arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
arn:aws:iam::aws:policy/AmazonSESReadOnlyAccess
arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole
arn:aws:iam::aws:policy/AmazonMechanicalTurkReadOnly
arn:aws:iam::aws:policy/AmazonKinesisReadOnlyAccess
arn:aws:iam::aws:policy/AWSCodeDeployFullAccess
arn:aws:iam::aws:policy/CloudWatchActionsEC2Access
arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole
arn:aws:iam::aws:policy/AmazonRoute53DomainsFullAccess
arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess
arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess
arn:aws:iam::aws:policy/CloudFrontFullAccess
arn:aws:iam::aws:policy/service-role/AmazonMachineLearningRoleforRedshiftDataSource
arn:aws:iam::aws:policy/AmazonMobileAnalyticsNon-financialReportAccess
arn:aws:iam::aws:policy/AWSCloudTrailFullAccess
arn:aws:iam::aws:policy/AmazonCognitoDeveloperAuthenticatedIdentities
arn:aws:iam::aws:policy/service-role/AWSConfigRole
arn:aws:iam::aws:policy/AmazonRedshiftFullAccess
arn:aws:iam::aws:policy/AmazonZocaloReadOnlyAccess
arn:aws:iam::aws:policy/AWSCloudHSMReadOnlyAccess
arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess
arn:aws:iam::aws:policy/AmazonEC2ReportsAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole
arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
arn:aws:iam::aws:policy/AmazonSQSReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSMobileHub_ServiceUseOnly
arn:aws:iam::aws:policy/AmazonKinesisFullAccess
arn:aws:iam::aws:policy/AmazonMachineLearningReadOnlyAccess
arn:aws:iam::aws:policy/service-role/RDSCloudHsmAuthorizationRole
arn:aws:iam::aws:policy/AmazonMachineLearningFullAccess
arn:aws:iam::aws:policy/AdministratorAccess
arn:aws:iam::aws:policy/AmazonMachineLearningRealTimePredictionOnlyAccess
arn:aws:iam::aws:policy/AWSConfigUserAccess
arn:aws:iam::aws:policy/AWSIoTConfigAccess
arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess
arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess
arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess
arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin
arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
arn:aws:iam::aws:policy/AmazonSESFullAccess
arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess
arn:aws:iam::aws:policy/AmazonKinesisFirehoseReadOnlyAccess
arn:aws:iam::aws:policy/AWSOpsWorksRegisterCLI
arn:aws:iam::aws:policy/AmazonDynamoDBFullAccesswithDataPipeline
arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole
arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator
arn:aws:iam::aws:policy/ServiceCatalogEndUserAccess
arn:aws:iam::aws:policy/AmazonMobileAnalyticsWriteOnlyAccess
arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess
arn:aws:iam::aws:policy/AWSConnector
arn:aws:iam::aws:policy/ServiceCatalogAdminReadOnlyAccess
arn:aws:iam::aws:policy/AmazonSSMFullAccess
arn:aws:iam::aws:policy/AWSCodeCommitReadOnly
arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess
arn:aws:iam::aws:policy/AmazonCognitoReadOnly
arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
arn:aws:iam::aws:policy/AWSApplicationDiscoveryServiceFullAccess
arn:aws:iam::aws:policy/AmazonVPCFullAccess
arn:aws:iam::aws:policy/AWSImportExportFullAccess
arn:aws:iam::aws:policy/AmazonMechanicalTurkFullAccess
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
arn:aws:iam::aws:policy/AmazonMachineLearningCreateOnlyAccess
arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess
arn:aws:iam::aws:policy/AWSLambdaExecute
arn:aws:iam::aws:policy/service-role/AWSIoTRuleActions
arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRedshift
arn:aws:iam::aws:policy/service-role/VMImportExportRoleForAWSConnector
arn:aws:iam::aws:policy/AWSCodePipelineCustomActionAccess
arn:aws:iam::aws:policy/AWSOpsWorksInstanceRegistration
arn:aws:iam::aws:policy/AWSStorageGatewayFullAccess
arn:aws:iam::aws:policy/AmazonElasticTranscoderReadOnlyAccess
arn:aws:iam::aws:policy/AWSIoTConfigReadOnlyAccess
arn:aws:iam::aws:policy/AmazonWorkMailReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole
arn:aws:iam::aws:policy/ResourceGroupsandTagEditorReadOnlyAccess
arn:aws:iam::aws:policy/ServiceCatalogEndUserFullAccess
arn:aws:iam::aws:policy/AmazonMachineLearningManageRealTimeEndpointOnlyAccess
arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess
arn:aws:iam::aws:policy/CloudFrontReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AmazonSNSRole
arn:aws:iam::aws:policy/AmazonMobileAnalyticsFinancialReportAccess
arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService
arn:aws:iam::aws:policy/IAMReadOnlyAccess
arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
arn:aws:iam::aws:policy/AmazonCognitoPowerUser
arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess
arn:aws:iam::aws:policy/AmazonZocaloFullAccess
arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess
arn:aws:iam::aws:policy/AWSAccountUsageReportAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
arn:aws:iam::aws:policy/AmazonAppStreamFullAccess
arn:aws:iam::aws:policy/AWSIoTDataAccess
arn:aws:iam::aws:policy/AmazonESFullAccess
arn:aws:iam::aws:policy/AWSWAFFullAccess
arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess
arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
arn:aws:iam::aws:policy/ResourceGroupsandTagEditorFullAccess
arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
arn:aws:iam::aws:policy/AWSImportExportReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AmazonElasticTranscoderRole
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
arn:aws:iam::aws:policy/AWSDeviceFarmFullAccess
arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess
arn:aws:iam::aws:policy/AWSMarketplaceRead-only
arn:aws:iam::aws:policy/AWSCodePipelineFullAccess
arn:aws:iam::aws:policy/AmazonWorkSpacesApplicationManagerAdminAccess
arn:aws:iam::aws:policy/AmazonDRSVPCManagement
arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
arn:aws:iam::aws:policy/AWSDirectConnectFullAccess
arn:aws:iam::aws:policy/AWSAccountActivityAccess
arn:aws:iam::aws:policy/AmazonGlacierFullAccess
arn:aws:iam::aws:policy/AmazonWorkMailFullAccess
arn:aws:iam::aws:policy/AWSMarketplaceManageSubscriptions
arn:aws:iam::aws:policy/AWSSupportAccess
arn:aws:iam::aws:policy/AWSLambdaInvocation-DynamoDB
arn:aws:iam::aws:policy/IAMUserSSHKeys
arn:aws:iam::aws:policy/AWSIoTFullAccess
arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRDS
arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole
arn:aws:iam::aws:policy/AmazonESReadOnlyAccess
arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess
arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
arn:aws:iam::aws:policy/AWSDataPipelinePowerUser
arn:aws:iam::aws:policy/AmazonSNSFullAccess
arn:aws:iam::aws:policy/CloudSearchReadOnlyAccess
arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess
arn:aws:iam::aws:policy/AmazonRoute53FullAccess
arn:aws:iam::aws:policy/service-role/AWSLambdaRole
arn:aws:iam::aws:policy/AmazonAppStreamReadOnlyAccess
arn:aws:iam::aws:policy/AmazonInspectorReadOnlyAccess
arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
arn:aws:iam::aws:policy/PowerUserAccess
arn:aws:iam::aws:policy/CloudWatchEventsFullAccess
arn:aws:iam::aws:policy/AWSDataPipelineFullAccess