# chainctl iam roles update

URL: https://edu.chainguard.dev/chainguard/chainctl/chainctl-docs/chainctl_iam_roles_update.md
Last Modified: April 28, 2026
Tags: chainctl, Reference, Product

Update an IAM role.

```
chainctl iam roles update ROLE_NAME|ROLE_ID [--capabilities=CAPABILITY,...] [--add-capabilities=CAPABILITY,...] [--remove-capabilities=CAPABILITY,...] [--description=DESCRIPTION] [--yes] [--output=id|json|table]
```

## Examples

```
# Update a role with a complete set of capabilities
chainctl iam roles update my-role --capabilities=policy.list,groups.list,identity.list

# Add new capabilities to a role
chainctl iam roles update my-role --add-capabilities=policy.create

# Remove existing capabilities from a role
chainctl iam roles update my-role --remove-capabilities=identity.list

# Interactively choose capabilities to add to a role
chainctl iam roles update my-role --add-capabilities=
```

## Options

```
      --add-capabilities strings      A comma separated list of capabilities to add to this role (can't be used with --capabilities).
      --capabilities strings          A comma separated list of capabilities to grant this role.
      --description string            A description of the role.
      --remove-capabilities strings   A comma separated list of capabilities to remove from this role (can't be used with --capabilities).
  -y, --yes                           Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively.
```

## Options inherited from parent commands

```
      --api string         The url of the Chainguard platform API. (default "https://console-api.enforce.dev")
      --audience string    The Chainguard token audience to request. (default "https://console-api.enforce.dev")
      --config string      A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly.
      --console string     The url of the Chainguard platform Console. (default "https://console.chainguard.dev")
      --force-color        Force color output even when stdout is not a TTY.
  -h, --help               Help for chainctl
      --issuer string      The url of the Chainguard STS endpoint. (default "https://issuer.enforce.dev")
      --log-level string   Set the log level (debug, info) (default "ERROR")
  -o, --output string      Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide]
  -v, --v int              Set the log verbosity level.
```

## SEE ALSO

- chainctl iam roles - IAM role resource interactions.
