Cloudformation can I create a new role referencing an existing policy?

src: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

The AWS::IAM::Role types now have a ManagedPolicyArns field where you can set this. You just need to grab the ARN (easy to grab from IAM console) and place it in that field. In the example below I created a role that provides read-only ECR access so my image can pull docker containers from ECR.

  ecrRole:
    Type: AWS::IAM::Role
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole

You can achieve this by using managed policies. Put the defined policy that you want to share in a customer managed policy, then attach that defined policy to each role where you want to use it. Any future changes to your managed policy will immediately be applied to all the roles that have the managed policy attached.

You can either create the customer managed policy in CloudFormation, through an AWS::IAM::ManagedPolicy resource, or attach an existing managed policy.


To expand on @markusk's answer re: Managed Policies - yes, that.

Example:

"ManagedPolicy": {
  "Type": "AWS::IAM::ManagedPolicy",
  "Properties": {
    "Description": "something descriptive",
    "Groups": [ ... ref(s) for groups ... ],
    "Roles": [{"Ref":"AppTierS3AccessRole"}],
    "Users": [ ... ref(s) for users ... ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        ...
      ]
    }
  }
}
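Putting the two approaches above together in one template, as an added example that is not from any of the answers: a role that attaches both an existing AWS managed policy by ARN (via ManagedPolicyArns) and a customer managed policy defined in the same stack (via AWS::IAM::ManagedPolicy, whose Ref returns its ARN). The resource names, the config bucket name and the S3 statement are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Role attaching an existing AWS managed policy and a stack-defined customer managed policy

Resources:
  # Customer managed policy defined in this stack (hypothetical scope: read one config bucket).
  # Editing this policy later updates every role it is attached to.
  AppConfigReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read-only access to the application's config bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
            # Bucket name is a placeholder; scope Resource to what the role really needs
            Resource: !Sub 'arn:${AWS::Partition}:s3:::example-app-config-bucket/*'

  AppRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Existing AWS managed policy, referenced by ARN; AWS::Partition keeps the ARN
        # valid outside the standard "aws" partition (e.g. GovCloud)
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly'
        # Customer managed policy created above; Ref on AWS::IAM::ManagedPolicy yields its ARN,
        # which also makes CloudFormation create the policy before the role
        - !Ref AppConfigReadPolicy

  # An EC2 instance assumes the role through an instance profile, not the role directly
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref AppRole

Outputs:
  RoleArn:
    Value: !GetAtt AppRole.Arn
```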