aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::IAM::Role requiring iam:UpdateRoleDescription to update role description #1923

Open miguel-aws opened 5 months ago

miguel-aws commented 5 months ago

Name of the resource

AWS::IAM::Role

Issue Description

Via the IAM console, you can change a role's description with just the iam:UpdateRole permission.

However, updating the description of a role created via CloudFormation requires iam:UpdateRoleDescription.

According to the IAM documentation [1], use UpdateRole instead of UpdateRoleDescription.

Why is there a difference in these behaviors, and does it not follow the IAM documentation?

[1] https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRoleDescription.html

Expected Behavior

CloudFormation uses UpdateRole

Observed Behavior

CloudFormation uses UpdateRoleDescription

Test Cases

Create

Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: "my description"
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:sts::${AWS::AccountId}:assumed-role/Admin/email1@test.com"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }

Update

Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: "my new description"
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:sts::${AWS::AccountId}:assumed-role/Admin/email1@test.com"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }

Other Details

No response
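An added check, not part of this issue or of CloudFormation itself, that evaluates a deployment principal's identity policy locally against both iam:UpdateRole and the iam:UpdateRoleDescription action the issue observes CloudFormation calling, so a Description change on a stack-managed role is not denied at update time. The policy documents, account id and role ARNs are constructed; the evaluator is a simplification (assumption) that ignores Conditions, NotAction, permission boundaries and SCPs.

```python
import fnmatch
import json

# Actions to cover for a Description change on AWS::IAM::Role: the one the IAM
# docs point to and the one this issue observes CloudFormation actually calling.
REQUIRED_ACTIONS = ("iam:UpdateRole", "iam:UpdateRoleDescription")

def _listify(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action, resource):
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Action names are case-insensitive, resource ARNs are
    not; '*' and '?' follow IAM wildcard semantics. Conditions, NotAction,
    permission boundaries and SCPs are deliberately ignored (assumption)."""
    allowed = False
    for stmt in _listify(policy["Statement"]):
        acts = _listify(stmt.get("Action", []))
        resources = _listify(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_role_update_permissions(policy, role_arn):
    """Return the required actions the policy does not allow on role_arn."""
    return [a for a in REQUIRED_ACTIONS if not action_allowed(policy, a, role_arn)]

# Constructed deploy policy written from the UpdateRole documentation alone.
DEPLOY_POLICY_ONLY_UPDATEROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:UpdateRole", "iam:UpdateAssumeRolePolicy"],
                 "Resource": "arn:aws:iam::123456789012:role/app-*"}]}""")
# The same policy widened to the action CloudFormation was observed to call.
DEPLOY_POLICY_FIXED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:UpdateRole", "iam:UpdateRoleDescription",
                            "iam:UpdateAssumeRolePolicy"],
                 "Resource": "arn:aws:iam::123456789012:role/app-*"}]}""")

if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:role/app-Role"  # constructed stack role ARN
    for policy in (DEPLOY_POLICY_ONLY_UPDATEROLE, DEPLOY_POLICY_FIXED):
        print(missing_role_update_permissions(policy, arn))
```

For a real account, the same two actions can be checked against the live principal with the IAM policy simulator instead of this local evaluator.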

nmeisen commented 5 months ago

If you want this tracked by the bot, add it to the project! Right now it's not being tracked.