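# Creates an IAM role and instance profile for SSM-managed EC2 instances.
# Learn more
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
#
# Requires the AWS Tools for PowerShell IAM module and credentials that may
# create IAM roles, attach policies and create instance profiles.

# Abort on the first failed cmdlet so that a failed New-IAMRole does not leave
# the later Register-/Add- calls running against a $null role name.
$ErrorActionPreference = 'Stop'

# Names used throughout the script; the verification and cleanup sections
# below reuse them so they always refer to the resources created here.
$region              = 'us-east-1'
$roleName            = 'AutomationRole'
$instanceProfileName = 'AutomationInstanceProfile'

# Set the AWS region
Set-DefaultAWSRegion -Region $region

# Trust policy: allows EC2 (ec2.amazonaws.com) to assume the role so it can be
# used via an instance profile, and the AWS Systems Manager service
# (ssm.amazonaws.com) to assume it as well. The ssm.amazonaws.com principal is
# only needed if this role is also used as an SSM Automation service role;
# drop it if the role is meant purely for instances (least privilege).
$assumeRolePolicy = @"
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"ssm.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
}
"@

# Create the role and apply the assume role policy json
$role = New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $assumeRolePolicy

# Add the AmazonEC2RoleforSSM managed policy.
# NOTE(review): AWS has superseded AmazonEC2RoleforSSM with the narrower
# AmazonSSMManagedInstanceCore managed policy; consider switching to it.
Register-IAMRolePolicy -RoleName $role.RoleName -PolicyArn 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'

# Add the CloudWatch Managed Policy.
# NOTE(review): CloudWatchFullAccess grants every instance holding this profile
# full read/write over CloudWatch. If the instances only ship logs and metrics,
# the CloudWatchAgentServerPolicy managed policy is a tighter fit.
Register-IAMRolePolicy -RoleName $role.RoleName -PolicyArn 'arn:aws:iam::aws:policy/CloudWatchFullAccess'

# Create an instance profile that can be attached to an Amazon EC2 instance
$instanceProfile = New-IAMInstanceProfile -InstanceProfileName $instanceProfileName

# Finally, add the role to the instance profile
Add-IAMRoleToInstanceProfile -InstanceProfileName $instanceProfile.InstanceProfileName -RoleName $role.RoleName

<#
# View what we've created
Get-IAMRole -RoleName $roleName
Get-IAMAttachedRolePolicies -RoleName $roleName
Get-IAMInstanceProfile -InstanceProfileName $instanceProfileName
#>

<#
# Remove the policies, role, and instance profile.
# Order matters: managed policies and the instance-profile membership must be
# detached before IAM will allow the role itself to be deleted.
# 1. Unregister the IAM Role Policies
Unregister-IAMRolePolicy -PolicyArn 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM' -RoleName $roleName
Unregister-IAMRolePolicy -PolicyArn 'arn:aws:iam::aws:policy/CloudWatchFullAccess' -RoleName $roleName
# 2. Remove the role from the instance profile
Remove-IAMRoleFromInstanceProfile -RoleName $roleName -InstanceProfileName $instanceProfileName -Force
# 3. Remove the Role
Remove-IAMRole -RoleName $roleName -Force
# 4. Remove the instance profile
Remove-IAMInstanceProfile -InstanceProfileName $instanceProfileName -Force
#>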