Retrieves the specified inline policy document that is embedded with the specified IAM role.
Note
Policies returned by this operation are URL-encoded compliant with RFC 3986 . You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode
method of the java.net.URLDecoder
utility class in the Java SDK. Other languages and SDKs provide similar functionality.
An IAM role can also have managed policies attached to it. To retrieve a managed policy document that is attached to a role, use GetPolicy to determine the policy’s default version, then use GetPolicyVersion to retrieve the policy document.
For more information about policies, see Managed policies and inline policies in the IAM User Guide .
For more information about roles, see Using roles to delegate permissions and federate identities .
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
get-role-policy
--role-name <value>
--policy-name <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--role-name
(string)
The name of the role associated with the policy.
This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
--policy-name
(string)
The name of the policy document to get.
This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
See ‘aws help’ for descriptions of global parameters.
Note
To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.
Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .
To get information about a policy attached to an IAM role
The following get-role-policy
command gets information about the specified policy attached to the role named Test-Role
:
aws iam get-role-policy --role-name Test-Role --policy-name ExamplePolicy
Output:
{
"RoleName": "Test-Role",
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:Put*",
"s3:Get*",
"s3:*MultipartUpload*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "1"
}
]
}
"PolicyName": "ExamplePolicy"
}
For more information, see Creating a Role in the Using IAM guide.
RoleName -> (string)
The role the policy is associated with.
PolicyName -> (string)
The name of the policy.
PolicyDocument -> (string)
The policy document.
IAM stores policies in JSON format. However, resources that were created using CloudFormation templates can be formatted in YAML. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.