inspec/docs/resources/aws_iam_role.md.erb

---
title: About the aws_iam_role Resource
platform: aws
---

# aws\_iam\_role

Use the `aws_iam_role` InSpec audit resource to test properties of a single IAM Role. A Role is a collection of permissions that may be temporarily assumed by a user, EC2 Instance, Lambda Function, or certain other resources.

<br>

## Syntax

    # Ensure that a certain role exists by name
    describe aws_iam_role('my-role') do
      it { should exist }
    end

<br>

## Resource Parameters

### role\_name

This resource expects a single parameter that uniquely identifies the IAM Role, the Role Name. You may pass it as a string, or as the value in a hash:

    describe aws_iam_role('my-role') do
      it { should exist }
    end
    # Same
    describe aws_iam_role(role_name: 'my-role') do
      it { should exist }
    end

<br>

## Properties

### description

A textual description of the IAM Role.

    describe aws_iam_role('my-role') do
      its('description') { should be('Our most important Role')}
    end

<br>

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### exist

Indicates that the Role Name provided was found. Use `should_not` to test for IAM Roles that should not exist.

    describe aws_iam_role('should-be-there') do
      it { should exist }
    end

    describe aws_iam_role('should-not-be-there') do
      it { should_not exist }
    end

## AWS Permissions

Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetRole` action with Effect set to Allow.

You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).