At the moment I have a shared S3 bucket which has specific access to particular key paths (i.e. folders) for different instances. I've been able to create an instance profile with my new role and test, with no problem, limiting access to that folder.
My problem is that there is an existing generic role with defined policies, that I also want to be able to include in my new role for each stack.
In CloudFormation, is it possible to include policies defined in one role in another role without having to redefine the policy document in the new role?
Something like the following:
"AppTierS3AccessRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [ "ec2.amazonaws.com" ]
                    },
                    "Action": [ "sts:AssumeRole" ]
                }
            ]
        },
        "Path": "/",
        "Policies": [ { "Ref": "existing-policy" } ]
    }
},
The "existing-policy" being the important part here. I have tried to find the ARN of the existing policy to try and reference it, but I'm a bit stuck.
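The mechanism CloudFormation offers for this, shown below as an added example that is not part of the original post: a role's `Policies` property only takes inline policy documents and cannot `Ref` a policy that lives on another role, but a policy declared once as an `AWS::IAM::ManagedPolicy` resource can be attached to any number of roles through `ManagedPolicyArns`, since `Ref` on a managed policy returns its ARN. The resource names, the `BucketName` and `AppPrefix` parameters and the actions granted are all assumptions chosen for illustration. The role keeps its per-stack, folder-scoped policy inline (the least-privilege part that differs per stack) and picks up the shared policy by reference; the same pattern generalises to several roles in the same template, each listing the same managed policy.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the original post): one shared managed policy attached to a per-stack role; all names are hypothetical",
  "Parameters": {
    "BucketName": { "Type": "String", "Default": "example-shared-bucket" },
    "AppPrefix":  { "Type": "String", "Default": "app-tier" }
  },
  "Resources": {
    "GenericS3ListPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Generic policy defined once and shared by every stack's role (hypothetical content)",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "s3:ListBucket" ],
              "Resource": [ { "Fn::Sub": "arn:aws:s3:::${BucketName}" } ]
            }
          ]
        }
      }
    },
    "AppTierS3AccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "ec2.amazonaws.com" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": [ { "Ref": "GenericS3ListPolicy" } ],
        "Policies": [
          {
            "PolicyName": "AppTierFolderAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [ "s3:GetObject", "s3:PutObject" ],
                  "Resource": [ { "Fn::Sub": "arn:aws:s3:::${BucketName}/${AppPrefix}/*" } ]
                }
              ]
            }
          }
        ]
      }
    },
    "AppTierInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "AppTierS3AccessRole" } ]
      }
    }
  },
  "Outputs": {
    "GenericS3ListPolicyArn": {
      "Value": { "Ref": "GenericS3ListPolicy" },
      "Export": { "Name": "GenericS3ListPolicyArn" }
    }
  }
}
```

The `Outputs` export lets a role in a different stack attach the same policy with `"ManagedPolicyArns": [ { "Fn::ImportValue": "GenericS3ListPolicyArn" } ]` instead of redefining the document. If the generic policy already exists outside CloudFormation as a customer managed policy, its ARN has the form `arn:aws:iam::<account-id>:policy/<policy-name>` and can be passed in as a template parameter and listed in `ManagedPolicyArns` the same way; an inline policy attached to an existing role has no ARN at all, so it would first have to be recreated as a managed policy. A second option within one template is a standalone `AWS::IAM::Policy` resource whose `Roles` property lists every role that should receive it, which attaches one inline document to several roles without copying it.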