
How to create a "role" with the "Another AWS account" role type by CLI command?


I am trying to write a batch file in Windows to do the steps below via CLI commands (actual example), but I don't know how to create a role and set the CLI command for the "Another AWS account" role type. Would you mind helping me?

In the navigation pane on the left, choose Roles and then choose Create role.

Choose the Another AWS account role type.

For Account ID, type the Development account ID.

This tutorial uses the example account ID 111111111111 for the Development account. You should use a valid account ID. If you use an invalid account ID, such as 111111111111, IAM does not let you create the new role.

For now you do not need to require an external ID, or require users to have multi-factor authentication (MFA) in order to assume the role. So leave these options unselected. For more information, see Using Multi-Factor Authentication (MFA) in AWS.

Choose Next: Permissions to set the permissions that will be associated with the role.

My code for creating a role:

call aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://trustpolicy.json

My trustpolicy.json:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::222222075333:role/xxx-S3-Role"
  }]
}

I am receiving the error below:

An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource

Solution

  • I solved my problem by changing two parts.

    1- By fixing the path of the policy:

    aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://c:\foldername\trustpolicy.json

    2- I changed the format of the policy by reverse engineering a policy that I created from the console; the format is below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::222222075333:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }
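The reason the first policy was rejected is that a role's trust policy is a resource-based policy: the role itself is the resource, so the statement names who may assume it (Principal) and must not carry a Resource field. The helper below is an added example, not code from the question or answer; it builds the trust document in the shape the answer arrived at and flags the prohibited field. It also goes slightly beyond the thread by optionally adding the external ID and MFA conditions the tutorial mentions leaving unselected; the function names and the sample account ID are assumptions.

```python
import json

# Hypothetical helper (added example). Trust policies name a Principal,
# never a Resource; IAM rejects the latter with
# "MalformedPolicyDocument: Has prohibited field Resource".
PROHIBITED_IN_TRUST_POLICY = {"Resource", "NotResource"}


def build_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Trust policy for an 'Another AWS account' role.

    trusted_account_id: 12-digit account allowed to assume the role (format only).
    external_id:        if given, callers must pass this ExternalId to AssumeRole.
    require_mfa:        if True, the caller's session must be MFA-authenticated.
    """
    if not (trusted_account_id.isdigit() and len(trusted_account_id) == 12):
        raise ValueError("account ID must be 12 digits")
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": condition,  # {} when nothing is required, as in the answer
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_problems(doc):
    """Reasons a trust policy would be rejected or trusts more than intended."""
    problems = []
    for i, st in enumerate(doc.get("Statement", [])):
        bad = PROHIBITED_IN_TRUST_POLICY & set(st)
        if bad:
            problems.append(f"statement {i}: prohibited field(s) {sorted(bad)}")
        if "Principal" not in st and "NotPrincipal" not in st:
            problems.append(f"statement {i}: missing Principal")
        if st.get("Principal") == {"AWS": "*"}:
            problems.append(f"statement {i}: trusts every AWS account")
    return problems


if __name__ == "__main__":
    # The question's rejected policy, reconstructed here as sample input.
    broken = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::222222075333:role/xxx-S3-Role"}]}
    print(trust_policy_problems(broken))
    print(json.dumps(build_trust_policy("222222075333", external_id="dev-ext-1"), indent=4))
```

Write the second output to trustpolicy.json and pass it with `--assume-role-policy-document file://...` exactly as in the answer.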