At the creation of the role, we want to take an existing role then add additional statements in its assume_role_policy.
modern-zebra-45309
07/31/2024, 7:51 AM
I don't think it's possible to create an IAM role without a trust policy (AssumeRolePolicy) in AWS. So you would have to pass some default/dummy policy initially.
Are you creating the role through Pulumi, or are you looking for a way to edit an existing role?
rich-whale-93740
07/31/2024, 7:54 AM
I want to
1. Create an IAM role with a trust policy via a Pulumi project
2. In a different Pulumi project, get the role, then update the trust policy
modern-zebra-45309
07/31/2024, 8:02 AM
I don't think this is possible, because the trust policy is an integral part of the role, and the role resource can only be part of one Pulumi stack. There are two solutions to this: Either you can re-arrange the resources (or create multiple roles) so that this problem does not occur, or you have to update the first stack after the second stack has been deployed.
Without knowing anything about your application, from an AWS IAM perspective I'd say that the first option is the recommended one. You can create all policies in the first stack, and then create a dedicated role to assume for each of the resources/principals you create in the second stack and attach the policies to them. This gives you central control over permissions, while giving each principal a tightly scoped role to assume.