# yaml-language-server: $schema=https://raw.githubusercontent.com/pulumi/pulumi/master/pkg/codegen/schema/pulumi.json --- name: aws-iam types: "aws-iam:index:AccountPasswordPolicy": type: object description: Options to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. properties: maxAge: type: integer description: | The number of days that an user password is valid. If not set or a value of `0` is provided, then passwords will not expire. minimumLength: type: integer description: | Minimum length to require for user passwords. Defaults to `8` if not set or the provided value is invalid. Valid values are between 6 and 128. allowUsersToChange: type: boolean description: | Whether to allow users to change their own password. hardExpiry: type: boolean description: | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset). reusePrevention: type: integer description: | The number of previous passwords that users are prevented from reusing. If not set or a value of `0` is provided, no reuse prevention policy will be used. requireLowercaseCharacters: type: boolean description: | Whether to require lowercase characters for user passwords. requireUppercaseCharacters: type: boolean description: | Whether to require uppercase characters for user passwords. requireNumbers: type: boolean description: | Whether to require numbers for user passwords. requireSymbols: type: boolean description: | Whether to require symbols for user passwords. required: - allowUsersToChange - hardExpiry - requireLowercaseCharacters - requireUppercaseCharacters - requireNumbers - requireSymbols "aws-iam:index:RoleWithMFA": type: object description: An IAM role that requires MFA. properties: name: type: string description: IAM role with the access. default: admin path: type: string description: Path of the IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for the role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for the role. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string requiresMfa: type: boolean description: Whether the role requires MFA. default: true "aws-iam:index:EKSServiceAccountRole": type: object properties: name: type: string description: IAM role name. default: "" namePrefix: type: string description: IAM role name prefix. default: "" path: type: string description: Path of admin IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for the role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for the role. default: "" description: type: string description: IAM Role description. "aws-iam:index:Role": type: object description: An IAM role. properties: name: type: string description: IAM role name. default: "" namePrefix: type: string description: IAM role name prefix. default: "" path: type: string description: Path of admin IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for the role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for the role. default: "" "aws-iam:index:AdminRole": type: object description: The admin role. properties: name: type: string description: IAM role with admin access. default: admin path: type: string description: Path of admin IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for admin role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for admin role. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string "aws-iam:index:AdminRoleWithMFA": type: object description: The admin role. properties: name: type: string description: IAM role with admin access. path: type: string description: Path of admin IAM role. policyArns: type: array description: List of policy ARNs to use for admin role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for admin role. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string requiresMfa: type: boolean description: Whether admin role requires MFA. "aws-iam:index:PoweruserRole": type: object description: The poweruser role. properties: name: type: string description: IAM role with poweruser access. default: poweruser path: type: string description: Path of poweruser IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for poweruser role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for poweruser role. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string "aws-iam:index:PoweruserRoleWithMFA": type: object description: The poweruser role. properties: name: type: string description: IAM role with poweruser access. default: poweruser path: type: string description: Path of poweruser IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for poweruser role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for poweruser role. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string requiresMfa: type: boolean description: Whether admin role requires MFA. default: true "aws-iam:index:ReadonlyRole": type: object description: The readonly role. properties: name: type: string description: IAM role with readonly access. default: readonly path: type: string description: Path of readonly IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for readonly role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for readonly role. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string "aws-iam:index:ReadonlyRoleWithMFA": type: object description: The readonly role. properties: name: type: string description: IAM role with readonly access. default: readonly path: type: string description: Path of readonly IAM role. default: "/" policyArns: type: array description: List of policy ARNs to use for readonly role. items: type: string permissionsBoundaryArn: type: string description: Permissions boundary ARN to use for readonly role. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string requiresMfa: type: boolean description: Whether admin role requires MFA. default: true "aws-iam:index:OIDCProvider": type: object properties: providerArn: type: string namespaceServiceAccounts: type: array items: type: string "aws-iam:index:EKSCertManagerPolicy": type: object description: The Cert Manager IAM policy to attach to the role. properties: attach: type: boolean description: Determines whether to attach the Cert Manager IAM policy to the role. hostedZoneArns: type: array description: | Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied. items: type: string required: - attach "aws-iam:index:EKSClusterAutoscalerPolicy": type: object description: The Cluster Autoscaler IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the Cluster Autoscaler IAM policy to the role. clusterIds: type: array description: List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy. items: type: string required: - attach - clusterIds "aws-iam:index:EKSEBSCSIPolicy": type: object description: The EBS CSI IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the EBS CSI IAM policy to the role. kmsCmkIds: type: array description: KMS CMK IDs to allow EBS CSI to manage encrypted volumes. items: type: string required: - attach - kmsCmkIds "aws-iam:index:EKSEFSCSIPolicy": type: object description: The EFS CSI IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the EFS CSI IAM policy to the role. required: - attach "aws-iam:index:EKSExternalDNSPolicy": type: object description: The External DNS IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the External DNS IAM policy to the role. hostedZoneArns: type: array description: | Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied. items: type: string required: - attach "aws-iam:index:EKSExternalSecretsPolicy": type: object description: The External Secrets policy to the role. properties: attach: type: boolean description: Determines whether to attach the External Secrets policy to the role. ssmParameterArns: type: array description: | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:*:*:parameter/*" will be applied. items: type: string secretsManagerArns: type: array description: List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:*:*:secret:*" will be applied. items: type: string required: - attach "aws-iam:index:FSxLustreCSIPolicy": type: object description: The FSx for Lustre CSI Driver IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role. serviceRoleArns: type: array description: | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*" will be applied. items: type: string required: - attach "aws-iam:index:EKSKarpenterControllerPolicy": type: object description: The Karpenter Controller policy to the role. properties: attach: type: boolean description: Determines whether to attach the Karpenter Controller policy to the role. clusterId: type: string description: Cluster ID where the Karpenter controller is provisioned/managing. default: "*" tagKey: type: string description: Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner. default: "karpenter.sh/discovery" ssmParameterArns: type: array description: | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:*:*:parameter/aws/service/*" will be applied. items: type: string nodeIamRoleArns: type: array description: | List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied. items: type: string subnetAccountId: type: string description: Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account. required: - attach "aws-iam:index:EKSLoadBalancerPolicy": type: object description: The Load Balancer policy. properties: controller: type: boolean description: Determines whether to attach the Load Balancer Controller policy to the role. targetGroupBindingOnly: type: boolean description: Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only. "aws-iam:index:EKSAppmeshPolicy": type: object description: The Appmesh policies. properties: controller: type: boolean description: Determines whether to attach the Appmesh Controller policy to the role. envoyProxy: type: boolean description: Determines whether to attach the Appmesh envoy proxy policy to the role. "aws-iam:index:EKSAmazonManagedServicePrometheusPolicy": type: object description: The Amazon Managed Service for Prometheus IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role. workspaceArns: type: array description: | List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided. items: type: string required: - attach "aws-iam:index:EKSVeleroPolicy": type: object description: The Velero IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the Velero IAM policy to the role. s3BucketArns: type: array description: | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided. items: type: string required: - attach "aws-iam:index:EKSVPNCNIPolicy": type: object description: The VPC CNI IAM policy to the role. properties: attach: type: boolean description: Determines whether to attach the VPC CNI IAM policy to the role. enableIpv4: type: boolean description: Determines whether to enable IPv4 permissions for VPC CNI policy. enableIpv6: type: boolean description: Determines whether to enable IPv6 permissions for VPC CNI policy. required: - attach "aws-iam:index:EKSNodeTerminationHandlerPolicy": type: object description: The Node Termination Handler policy to the role. properties: attach: type: boolean description: Determines whether to attach the Node Termination Handler policy to the role. sqsQueueArns: type: array description: | List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided. items: type: string required: - attach "aws-iam:index:EKSRolePolicies": type: object description: The different policies to attach to the role. properties: certManager: description: The Cert Manager IAM policy. $ref: "#/types/aws-iam:index:EKSCertManagerPolicy" clusterAutoScaling: description: The Cluster Autoscaler IAM policy. $ref: "#/types/aws-iam:index:EKSClusterAutoscalerPolicy" ebsCsi: description: The EBS CSI IAM policy. $ref: "#/types/aws-iam:index:EKSEBSCSIPolicy" efsCsi: description: The EFS CSI IAM policy. $ref: "#/types/aws-iam:index:EKSEFSCSIPolicy" externalDns: description: The External DNS IAM policy. $ref: "#/types/aws-iam:index:EKSExternalDNSPolicy" externalSecrets: description: The External Secrets policy. $ref: "#/types/aws-iam:index:EKSExternalSecretsPolicy" fsxLustreCsi: description: The FSx for Lustre CSI Driver IAM policy. $ref: "#/types/aws-iam:index:FSxLustreCSIPolicy" karpenterController: description: The Karpenter Controller policy. $ref: "#/types/aws-iam:index:EKSKarpenterControllerPolicy" loadBalancer: description: The Load Balancer policy. $ref: "#/types/aws-iam:index:EKSLoadBalancerPolicy" appmesh: description: The Appmesh policies. $ref: "#/types/aws-iam:index:EKSAppmeshPolicy" amazonManagedServicePrometheus: description: The Amazon Managed Service for Prometheus IAM policy. $ref: "#/types/aws-iam:index:EKSAmazonManagedServicePrometheusPolicy" velero: description: The Velero IAM policy. $ref: "#/types/aws-iam:index:EKSVeleroPolicy" vpnCni: description: The VPC CNI IAM policy to the role. $ref: "#/types/aws-iam:index:EKSVPNCNIPolicy" nodeTerminationHandler: description: The Node Termination Handler policy to the role. $ref: "#/types/aws-iam:index:EKSNodeTerminationHandlerPolicy" "aws-iam:index:UserOutput": type: object description: The IAM user. properties: name: type: string description: The user's name. arn: type: string description: The ARN assigned by AWS for this user. uniqueId: type: string description: The unique ID assigned by AWS. loginProfileKeyFingerprint: type: string description: The fingerprint of the PGP key used to encrypt the password. loginProfileEncryptedPassword: type: string description: The encrypted password, base64 encoded. loginProfilePassword: type: string description: The user password. sshKeySshPublicKeyId: type: string description: The unique identifier for the SSH public key sshKeyFingerprint: type: string description: The unique identifier for the SSH public key. required: - name - arn - uniqueId "aws-iam:index:AccessKeyOutput": type: object description: The IAM access key. properties: id: type: string description: The access key ID. secret: type: string description: The access key secret. keyFingerprint: type: string description: The fingerprint of the PGP key used to encrypt the secret. encryptedSecret: type: string description: The encrypted secret, base64 encoded. sesSmtpPasswordV4: type: string description: The secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm. status: type: string description: Active or Inactive. Keys are initially active, but can be made inactive by other means. "aws-iam:index:KeybaseOutput": type: object properties: passwordDecryptCommand: type: string description: Decrypt user password command. passwordPgpMessage: type: string description: Encrypted password secretKeyDecryptCommand: type: string description: Decrypt access secret key command. secretKeyPgpMessage: type: string description: Encrypted access secret key. resources: "aws-iam:index:User": description: | This resources helps you create an IAM User, Login Profile, and Access Key. Additionally you can optionally upload an IAM SSH User Public Key. {{% examples %}} ## Example Usage {{% example %}} ### User ```typescript import * as iam from "@pulumi/aws-iam"; export const user = new iam.User("aws-iam-example-user", { name: "pulumipus", forceDestroy: true, pgpKey: "keybase:test", passwordResetRequired: false, }); ``` ```python import pulumi import pulumi_aws_iam as iam user = iam.User( 'user', name='pulumipus', force_destroy=True, pgp_key='keybase:test', password_reset_required=False, ) pulumi.export('user', user) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { user, err := iam.NewUser(ctx, "user", &iam.UserArgs{ Name: pulumi.String("pulumipus"), ForceDestroy: pulumi.BoolPtr(true), PgpKey: pulumi.String("keybase:test"), PasswordResetRequired: pulumi.BoolPtr(false), }) if err != nil { return err } ctx.Export("user", user) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var user = new User("user", new UserArgs { Name = "pulumipus", ForceDestroy = true, PgpKey = "keybase:test", PasswordResetRequired = false, }); this.User = Output.Create(user); } [Output] public Output User { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: user: type: "aws-iam:index:User" properties: name: "pulumipus" forceDestroy: true pgpKey: "keybase:test" passwordResetRequired: false outputs: user: ${user} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: name: type: string description: Desired name for the IAM user. path: type: string description: Desired path for the IAM user. default: "/" forceDestroy: type: boolean description: When destroying this user, destroy even if it has non-Pulumi-managed IAM access keys, login profile or MFA devices. Without forceDestroy a user with non-Pulumi-managed access keys and login profile will fail to be destroyed. pgpKey: type: string description: Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key. passwordResetRequired: type: boolean description: Whether the user should be forced to reset the generated password on first login. passwordLength: type: integer description: The length of the generated password uploadIamUserSshKey: type: boolean description: Whether to upload a public ssh key to the IAM user. sshKeyEncoding: type: string description: Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM. default: "SSH" sshPublicKey: type: string description: The SSH public key. The public key must be encoded in ssh-rsa format or PEM format. permissionsBoundary: type: string description: The ARN of the policy that is used to set the permissions boundary for the user. tags: type: object description: A map of tags to add. additionalProperties: type: string requiredInputs: - name properties: userInfo: description: The IAM user. $ref: "#/types/aws-iam:index:UserOutput" accessKey: description: The IAM access key. $ref: "#/types/aws-iam:index:AccessKeyOutput" pgpKey: type: string description: PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted). keybase: $ref: "#/types/aws-iam:index:KeybaseOutput" required: - userInfo - accessKey - pgpKey - keybase "aws-iam:index:RoleForServiceAccountsEks": description: | This resources helps you create an IAM role which can be assumed by AWS EKS ServiceAccounts with optional policies for commonly used controllers/custom resources within EKS. The optional policies you can specify are: - Cert-Manager - Cluster Autoscaler - EBS CSI Driver - EFS CSI Driver - External DNS - External Secrets - FSx for Lustre CSI Driver - Karpenter - Load Balancer Controller - Load Balancer Controller Target Group Binding Only - App Mesh Controller - App Mesh Envoy Proxy - Managed Service for Prometheus - Node Termination Handler - Velero - VPC CNI {{% examples %}} ## Example Usage {{% example %}} ## VPC CNI ```typescript import * as iam from "@pulumi/aws-iam"; export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks("aws-iam-example-role-for-service-accounts-eks", { role: { name: "vpc-cni" }, tags: { Name: "vpc-cni-irsa", }, oidcProviders: { main: { providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D", namespaceServiceAccounts: ["default:my-app", "canary:my-app"], } }, policies: { vpnCni: { attach: true, enableIpv4: true, }, }, }); ``` ```python import pulumi import pulumi_aws_iam as iam role_for_service_account_eks = iam.RoleForServiceAccountsEks( 'role_for_service_account_eks', role=iam.RoleArgs( name='vpc-cni' ), tags={ 'Name': 'vpc-cni-irsa', }, oidc_providers={ 'main': iam.OIDCProviderArgs( provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D', namespace_service_accounts=['default:my-app', 'canary:my-app'], ), }, policies=iam.EKSRolePoliciesArgs( vpn_cni=iam.EKSVPNCNIPolicyArgs( attach=True, enable_ipv4=True, ), ), ) pulumi.export('role_for_service_account_eks', role_for_service_account_eks) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { roleForServiceAccountsEKS, err := iam.NewRoleForServiceAccountsEks(ctx, "role-for-service-accounts-eks", &iam.RoleForServiceAccountsEksArgs{ Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{ Name: pulumi.String("vpc-cni"), }), Tags: pulumi.ToStringMap(map[string]string{ "Name": "vpc-cni-irsa", }), OidcProviders: iam.OIDCProviderMap{ "main": iam.OIDCProviderArgs{ ProviderArn: pulumi.String("arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"), NamespaceServiceAccounts: pulumi.ToStringArray([]string{"default:my-app", "canary:my-app"}), }, }, Policies: iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{ VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{ Attach: pulumi.Bool(true), EnableIpv4: pulumi.BoolPtr(true), }), }), }) if err != nil { return err } ctx.Export("roleForServiceAccountsEKS", roleForServiceAccountsEKS) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var roleForServiceAccountEks = new RoleForServiceAccountsEks("role-for-service-account-eks", new RoleForServiceAccountsEksArgs { Role = new EKSServiceAccountRoleArgs { Name = "vpn-cni", }, Tags = { {"Name", "vpc-cni-irsa"}, }, OidcProviders = { {"main", new OIDCProviderArgs { ProviderArn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D", NamespaceServiceAccounts = {"default:my-app", "canary:my-app"}, }}, }, Policies = new EKSRolePoliciesArgs { VpnCni = new EKSVPNCNIPolicyArgs { Attach = true, EnableIpv4 = true, }, }, }); this.RoleForServiceAccountEks = Output.Create(roleForServiceAccountEks); } [Output] public Output RoleForServiceAccountEks { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: roleForServiceAccountsEks: type: "aws-iam:index:RoleForServiceAccountsEks" properties: role: name: "vpc-cni" tags: Name: "vpc-cni-irsa" oidcProviders: main: providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D" namespaceServiceAccounts: - "default:my-app" - "canary:my-app" policies: vpnCni: attach: true enableIpv4: true outputs: roleForServiceAccountsEks: ${roleForServiceAccountsEks} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: tags: type: object description: A map of tags to add. additionalProperties: type: string role: $ref: "#/types/aws-iam:index:EKSServiceAccountRole" policyNamePrefix: type: string description: IAM policy name prefix. default: "AmazonEKS_" maxSessionDuration: type: integer description: Maximum CLI/API session duration in seconds between 3600 and 43200. default: 3600 forceDetachPolicies: type: boolean description: Whether policies should be detached from this role when destroying. default: false oidcProviders: type: object description: Map of OIDC providers. additionalProperties: $ref: "#/types/aws-iam:index:OIDCProvider" assumeRoleConditionTest: type: string description: Name of the IAM condition operator to evaluate when assuming the role. default: "StringEquals" policies: $ref: "#/types/aws-iam:index:EKSRolePolicies" requiredInputs: [] properties: role: type: object properties: arn: type: string description: ARN of IAM role. name: type: string description: Name of IAM role. path: type: string description: Path of IAM role. uniqueId: type: string description: Unique ID of IAM role required: - role "aws-iam:index:ReadOnlyPolicy": description: | This resource helps you create an IAM read-only policy for the services you specify. The default AWS read-only policies may not include services you need or may contain services you do not need access to. This resource helps ensure your read-only policy has permissions to exactly what you specify. {{% examples %}} ## Example Usage {{% example %}} ## RDS and Dynamo Read Only Policy ```typescript import * as iam from "@pulumi/aws-iam"; export const readOnlyPolicy = new iam.ReadOnlyPolicy("aws-iam-example-read-only-policy", { name: "aws-iam-example-read-only", path: "/", description: "My example read only policy", allowedServices: [ "rds", "dynamodb" ], }); ``` ```python import pulumi import pulumi_aws_iam as iam read_only_policy = iam.ReadOnlyPolicy( 'read_only_policy', name='example', path='/', description='My example read only policy', allowed_services=['rds','dynamodb'], ) pulumi.export('read_only_policy', read_only_policy) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { readOnlyPolicy, err := iam.NewReadOnlyPolicy(ctx, "read-only-policy", &iam.ReadOnlyPolicyArgs{ Name: pulumi.String("example"), Path: pulumi.String("/"), Description: pulumi.String("My example policy"), AllowedServices: pulumi.ToStringArray([]string{"rds", "dynamodb"}), }) if err != nil { return err } ctx.Export("readOnlyPolicy", readOnlyPolicy) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var readOnlyPolicy = new ReadOnlyPolicy("read-only-policy", new ReadOnlyPolicyArgs { Name = "example", Path = "/", Description = "My example read only policy", AllowedServices = {"rds", "dynamodb"}, }); this.ReadOnlyPolicy = Output.Create(readOnlyPolicy); } [Output] public Output ReadOnlyPolicy { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: readOnlyPolicy: type: "aws-iam:index:ReadOnlyPolicy" properties: name: "example" path: "/" description: "My example read only policy" allowedServices: - "rds" - "dynamodb" outputs: readOnlyPolicy: ${readOnlyPolicy} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: name: type: string description: The name of the policy. path: type: string description: The path of the policy in IAM. default: "/" description: type: string description: The description of the policy. default: IAM Policy tags: type: object description: A map of tags to add. additionalProperties: type: string allowedServices: type: array description: List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html. items: type: string additionalPolicyJson: type: string description: "JSON policy document if you want to add custom actions." default: "{}" allowCloudwatchLogsQuery: type: boolean description: Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions. default: true allowPredefinedStsActions: type: boolean description: Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions. default: true allowWebConsoleServices: type: boolean description: Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services). default: true webConsoleServices: type: array description: List of web console services to allow. items: type: string requiredInputs: - name properties: policyJson: type: string description: Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies. id: type: string description: The policy's ID. name: type: string description: The name of the policy. arn: type: string description: The ARN assigned by AWS to this policy. description: type: string description: The description of the policy. path: type: string description: The path of the policy in IAM. policy: type: string description: The policy document. required: - policyJson - id - name - arn - description - path - policy "aws-iam:index:GroupWithPolicies": description: | This resources allows you to create an IAM group with specified IAM policies, and then add specified users into your created group. {{% examples %}} ## Example Usage {{% example %}} ## Group With Policies ```typescript import * as iam from "@pulumi/aws-iam"; export const groupWithPolicies = new iam.GroupWithPolicies("aws-iam-example-group-with-policies", { name: "superadmins", groupUsers: [ "user1", "user2" ], attachIamSelfManagementPolicy: true, customGroupPolicyArns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ], customGroupPolicies: [{ "name": "AllowS3Listing", "policy": "{}", }], }); ``` ```python import pulumi import pulumi_aws_iam as iam group_with_policies = iam.GroupWithPolicies( 'group_with_policies', name='superadmins', group_users=['user1','user2'], attach_iam_self_management_policy=True, custom_group_policy_arns=['arn:aws:iam::aws:policy/AdministratorAccess'], custom_group_policies=[{ 'name': 'AllowS3Listing', 'policy': '{}', }], ) pulumi.export('group_with_policies', group_with_policies) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { groupWithPolicies, err := iam.NewGroupWithPolicies(ctx, "group-with-policies", &iam.GroupWithPoliciesArgs{ Name: pulumi.String("superadmins"), GroupUsers: pulumi.ToStringArray([]string{"user1", "user2"}), AttachIamSelfManagementPolicy: pulumi.BoolPtr(true), CustomGroupPolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AdministratorAccess"}), CustomGroupPolicies: pulumi.ToStringMapArray([]map[string]string{ { "name": "AllowS3Listing", "policy": "{}", }, }), }) if err != nil { return err } ctx.Export("groupWithPolicies", groupWithPolicies) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var groupWithPolicies = new GroupWithPolicies("group-with-policies", new GroupWithPoliciesArgs { Name = "superadmins", GroupUsers = {"user1", "user2"}, AttachIamSelfManagementPolicy = true, CustomGroupPolicyArns = {"arn:aws:iam::aws:policy/AdministratorAccess"}, CustomGroupPolicies = new InputList> { ImmutableDictionary.Create() .Add("name", "AllowS3Listing") .Add("policy", "{}"), }, }); this.GroupWithPolicies = Output.Create(groupWithPolicies); } [Output] public Output GroupWithPolicies { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: groupWithPolicies: type: "aws-iam:index:GroupWithPolicies" properties: name: "superadmins" groupUsers: - "user1" - "user2" attachIamSelfManagementPolicy: true customGroupPolicyArns: - "arn:aws:iam::aws:policy/AdministratorAccess" customGroupPolicies: - name: "AllowS3Listing" policy: "{}" outputs: groupWithPolicies: ${groupWithPolicies} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: name: type: string description: Name of IAM group. default: "" groupUsers: type: array description: List of IAM users to have in an IAM group which can assume the role. items: type: string customGroupPolicyArns: type: array description: List of IAM policies ARNs to attach to IAM group. items: type: string customGroupPolicies: type: array description: List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. items: type: object additionalProperties: type: string attachIamSelfManagementPolicy: type: boolean description: Whether to attach IAM policy which allows IAM users to manage their credentials and MFA. default: true iamSelfManagementPolicyNamePrefix: type: string description: Name prefix for IAM policy to create with IAM self-management permissions. default: "IAMSelfManagement-" awsAccountId: type: string description: AWS account id to use inside IAM policies. If empty, current AWS account ID will be used. default: "" tags: type: object description: A map of tags to add. additionalProperties: type: string requiredInputs: - name - groupUsers properties: awsAccountId: type: string description: IAM AWS account id. groupArn: type: string description: IAM group arn. groupUsers: type: array description: List of IAM users in IAM group items: type: string groupName: type: string description: IAM group name. required: - awsAccountId - groupArn - groupUsers - groupName "aws-iam:index:GroupWithAssumableRolesPolicy": description: | This resource helps you create an IAM Group with Users who are allowed to assume specified IAM roles. {{% examples %}} ## Example Usage {{% example %}} ## Group With Assumable Roles Policy ```typescript import * as iam from "@pulumi/aws-iam"; export const groupWithAssumableRolesPolicy = new iam.GroupWithAssumableRolesPolicy("aws-iam-example-group-with-assumable-roles-policy", { name: "production-readonly", assumableRoles: [ "arn:aws:iam::835367859855:role/readonly" ], groupUsers: [ "user1" ], }); ``` ```python import pulumi import pulumi_aws_iam as iam group_with_assume_roles_policy = iam.GroupWithAssumableRolesPolicy( 'group_with_assume_roles_policy', name='production-readonly', assumable_roles=['arn:aws:iam::835367859855:role/readonly'], group_users=['user1','user2'], ) pulumi.export('group_with_assume_roles_policy', group_with_assume_roles_policy) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { groupWithAssumableRolesPolicy, err := iam.NewGroupWithAssumableRolesPolicy(ctx, "group-with-assumable-roles-policy", &iam.GroupWithAssumableRolesPolicyArgs{ Name: pulumi.String("production-readonly"), AssumableRoles: pulumi.ToStringArray([]string{"arn:aws:iam::835367859855:role/readonly"}), GroupUsers: pulumi.ToStringArray([]string{"user1", "user2"}), }) if err != nil { return err } ctx.Export("groupWithAssumableRolesPolicy", groupWithAssumableRolesPolicy) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var groupWithAssumableRolePolicy = new GroupWithAssumableRolesPolicy("group-with-assumable-roles-policy", new GroupWithAssumableRolesPolicyArgs { Name = "production-readonly", AssumableRoles = {"arn:aws:iam::835367859855:role/readonly"}, GroupUsers = {"user1", "user2"}, }); this.GroupWithAssumableRolesPolicy = Output.Create(groupWithAssumableRolePolicy); } [Output] public Output GroupWithAssumableRolesPolicy { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: groupWithAssumableRolesPolicy: type: "aws-iam:index:GroupWithAssumableRolesPolicy" properties: name: "production-readonly" assumableRoles: - "arn:aws:iam::835367859855:role/readonly" groupUsers: - "user1" - "user2" outputs: groupWithAssumableRolesPolicy: ${groupWithAssumableRolesPolicy} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: tags: type: object description: A map of tags to add. additionalProperties: type: string name: type: string description: Name of IAM policy and IAM group. assumableRoles: type: array description: List of IAM roles ARNs which can be assumed by the group items: type: string groupUsers: type: array description: List of IAM users to have in an IAM group which can assume the role items: type: string requiredInputs: - name - assumableRoles - groupUsers properties: groupUsers: type: array description: List of IAM users in IAM group items: type: string assumableRoles: type: array description: List of IAM roles ARNs which can be assumed by the group items: type: string policyArn: type: string description: Assume role policy ARN of IAM group groupName: type: string description: IAM group name. groupArn: type: string description: IAM group arn. required: - groupUsers - assumableRoles - policyArn - groupName - groupArn "aws-iam:index:EKSRole": description: | This resource helps you create an IAM role that can be assumed by one or more EKS ServiceAccounts, in one or more EKS Clusters. With this resource: - You do not need any knowledge of cluster OIDC information. - You can assume the role from multiple EKS clusters, for example used in DR or when a workload is spread across clusters. - You can support multiple ServiceAccount in the same cluster, for example when a workload runs in multiple namespaces. Notes: - The EKS cluster needs to exist first, in the current AWS account and region - The key in the `Cluster Service Accounts` is the exact name of the EKS cluster. {{% examples %}} ## Example Usage {{% example %}} ## Multi Cluster With this resource you can provision an IAM Role named `my-app` that can be assumed from: - EKS cluster `staging-main-1`, namespace `default`, ServiceAccount called `my-app-staging`. - EKS cluster `staging-backup-1`, namespace `default`, ServiceAccount called `my-app-staging`. ```typescript import * as iam from "@pulumi/aws-iam"; export const eksRole = new iam.EKSRole("aws-iam-example-eks-role", { role: { name: "eks-role", policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ], }, tags: { Name: "eks-role", }, clusterServiceAccounts: { "staging-main-1": [ "default:my-app-staging" ], "staging-backup-1": [ "default:my-app-staging" ], }, }); ``` ```python import pulumi import pulumi_aws_iam as iam eks_role = iam.EKSRole( 'eks_role', role=iam.RoleArgs( name='eks-role', policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'], ), tags={ 'Name': 'eks-role', }, cluster_service_acccounts={ 'staging-main-1': [ 'default:my-app-staging' ], 'staging-backup-1': [ 'default:my-app-staging' ], }, ) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { eksRole, err := iam.NewEKSRole(ctx, "eks-role", &iam.EKSRoleArgs{ Role: iam.RoleArgs{ Name: pulumi.String("eks-role"), PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}), }, Tags: pulumi.ToStringMap(map[string]string{ "Role": "eks-role", }), Uncomment the below and replace actual cluster values. ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{ "staging-main-1": {"default:my-app-staging"}, "staging-backup-1": {"default:my-app-staging"}, }), }) if err != nil { return err } ctx.Export("eksRole", eksRole) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; using System.Collections.Immutable; class MyStack : Stack { public MyStack() { var eksRole = new EKSRole("eks-role", new EKSRoleArgs { Role = new RoleArgs { Name = "eks-role", PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}, }, Tags = new InputMap { {"Name", "eks-role"}, }, Uncomment the below and replace actual cluster values. ClusterServiceAccounts = { {"staging-main-1", ImmutableArray.Create(new string[] {"default:my-app-staging"})}, {"staging-backup-1", ImmutableArray.Create(new string[] {"default:my-app-staging"})} }, }); this.EksRole = Output.Create(eksRole); } [Output] public Output EksRole { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: eksRole: type: "aws-iam:index:EKSRole" properties: role: name: "eks-role" policyArns: - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" tags: Name: "eks-role" clusterServiceAccounts: "staging-main-1": - "default:my-app-staging" "staging-backup-1": - "default:my-app-staging" outputs: eksRole: ${eksRole} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: tags: type: object description: A map of tags to add. additionalProperties: type: string role: $ref: "#/types/aws-iam:index:Role" rolePolicyArns: type: array description: ARNs of any policies to attach to the IAM role. items: type: string maxSessionDuration: type: integer description: Maximum CLI/API session duration in seconds between 3600 and 43200. default: 3600 forceDetachPolicies: type: boolean description: Whether policies should be detached from this role when destroying. default: false clusterServiceAccounts: type: object description: "EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details" additionalProperties: type: array items: type: string providerUrlSaPairs: type: object description: OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used additionalProperties: type: array items: type: string requiredInputs: [] properties: arn: type: string description: ARN of IAM role. name: type: string description: Name of IAM role. path: type: string description: Path of IAM role. uniqueId: type: string description: Unique ID of IAM role. required: - arn - name - path - uniqueId "aws-iam:index:AssumableRoles": description: | This resource helps you create predefined IAM roles (`admin`, `poweruser`, and `readonly`) which can be assumed by trusted resources. Trusted resources can be any IAM ARNs, typically, AWS Accounts and Users. {{% examples %}} ## Example Usage {{% example %}} ## Assumable Roles ```typescript import * as iam from "@pulumi/aws-iam"; export const assumableRoles = new iam.AssumableRoles("aws-iam-example-assumable-roles", { trustedRoleArns: [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus" ], admin: {}, poweruser: { name: "developer", }, readonly: { requiresMfa: true, }, }); ``` ```python import pulumi import pulumi_aws_iam as iam assumable_roles = iam.AssumableRoles( 'assumable_roles', trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'], admin=iam.AdminRoleArgs(), poweruser=iam.PoweruserRoleArgs( name='developer', ), readonly=iam.ReadonlyRoleWithMFAArgs( requires_mfa=True, ), ) pulumi.export('assumable_roles', assumable_roles) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { assumableRoles, err := iam.NewAssumableRoles(ctx, "assumable-roles", &iam.AssumableRolesArgs{ TrustedRoleArns: pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}), Admin: iam.AdminRoleWithMFAArgs{}, Poweruser: iam.PoweruserRoleWithMFAArgs{ Name: pulumi.String("developer"), }, Readonly: iam.ReadonlyRoleWithMFAArgs{ RequiresMfa: pulumi.BoolPtr(true), }, }) if err != nil { return err } ctx.Export("assumableRoles", assumableRoles) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var assumableRoles = new AssumableRoles("assumable-roles", new AssumableRolesArgs { TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}, Admin = new AdminRoleWithMFAArgs(), Poweruser = new PoweruserRoleWithMFAArgs { Name = "developer", }, Readonly = new ReadonlyRoleWithMFAArgs { RequiresMfa = true, }, }); this.AssumableRoles = Output.Create(assumableRoles); } [Output] public Output AssumableRoles { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: assumableRoles: type: "aws-iam:index:AssumableRoles" properties: trustedRoleArns: - "arn:aws:iam::307990089504:root" - "arn:aws:iam::835367859851:user/pulumipus" poweruser: name: "developer" readonly: requiresMfa: true outputs: assumableRoles: ${assumableRoles} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: trustedRoleArns: type: array description: ARNs of AWS entities who can assume these roles. items: type: string trustedRoleServices: type: array description: AWS Services that can assume these roles. items: type: string mfaAge: type: integer description: Max age of valid MFA (in seconds) for roles which require MFA. default: 86400 admin: $ref: "#/types/aws-iam:index:AdminRoleWithMFA" poweruser: $ref: "#/types/aws-iam:index:PoweruserRoleWithMFA" readonly: $ref: "#/types/aws-iam:index:ReadonlyRoleWithMFA" maxSessionDuration: type: integer description: Maximum CLI/API session duration in seconds between 3600 and 43200. default: 3600 forceDetachPolicies: type: boolean description: Whether policies should be detached from this role when destroying. default: false requiredInputs: - admin properties: admin: type: object properties: roleArn: type: string description: ARN of admin IAM role. roleName: type: string description: Name of admin IAM role. rolePath: type: string description: Path of admin IAM role. roleUniqueId: type: string description: Unique ID of IAM role requiresMfa: type: string description: Whether readonly IAM role requires MFA. poweruser: type: object properties: roleArn: type: string description: ARN of poweruser IAM role. roleName: type: string description: Name of poweruser IAM role. rolePath: type: string description: Path of poweruser IAM role. roleUniqueId: type: string description: Unique ID of IAM role requiresMfa: type: string description: Whether readonly IAM role requires MFA. readonly: type: object properties: roleArn: type: string description: ARN of readonly IAM role. roleName: type: string description: Name of readonly IAM role. rolePath: type: string description: Path of readonly IAM role. roleUniqueId: type: string description: Unique ID of IAM role requiresMfa: type: string description: Whether readonly IAM role requires MFA. required: - admin "aws-iam:index:AssumableRolesWithSAML": description: | This resource helps you create predefined IAM roles (`admin`, `poweruser`, and `readonly`) which can be assumed by trusted resources using SAML Federated Users. {{% examples %}} ## Example Usage {{% example %}} ### Assumable Roles With SAML ```typescript import * as iam from "@pulumi/aws-iam"; export const assumableRolesWithSaml = new iam.AssumableRolesWithSAML("aws-iam-example-assumable-role-with-saml", { providerIds: [ "arn:aws:iam::235367859851:saml-provider/idp_saml" ], admin: {}, poweruser: { name: "developer", }, readonly: {}, }); ``` ```python import pulumi import pulumi_aws_iam as iam assumable_roles_with_saml = iam.AssumableRolesWithSAML( 'assumable_roles_with_saml', provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml'], admin=iam.AdminRoleArgs(), readonly=iam.ReadonlyRoleArgs(), poweruser=iam.PoweruserRoleArgs( name='developer', ), ) pulumi.export('assumable_roles_with_saml', assumable_roles_with_saml) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { assumableRolesWithSAML, err := iam.NewAssumableRolesWithSAML(ctx, "assumable-roles-with-saml", &iam.AssumableRolesWithSAMLArgs{ ProviderIds: pulumi.ToStringArray([]string{"arn:aws:iam::235367859851:saml-provider/idp_saml"}), Admin: iam.AdminRoleArgs{}, Readonly: iam.ReadonlyRoleArgs{}, Poweruser: iam.PoweruserRoleArgs{ Name: pulumi.String("developer"), }, }) if err != nil { return err } ctx.Export("assumableRolesWithSAML", assumableRolesWithSAML) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var assumableRolesWithSaml = new AssumableRolesWithSAML("assumable-roles-with-saml", new AssumableRolesWithSAMLArgs { ProviderIds = {"arn:aws:iam::235367859851:saml-provider/idp_saml"}, Admin = new AdminRoleArgs(), Readonly = new ReadonlyRoleArgs(), Poweruser = new PoweruserRoleArgs { Name = "developer", }, }); this.AssumableRolesWithSaml = Output.Create(assumableRolesWithSaml); } [Output] public Output AssumableRolesWithSaml { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: assumableRolesWithSaml: type: "aws-iam:index:AssumableRolesWithSAML" properties: providerIds: - "arn:aws:iam::235367859851:saml-provider/idp_saml" poweruser: name: "developer" outputs: assumableRolesWithSaml: ${assumableRolesWithSaml} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: providerIds: type: array description: List of SAML Provider IDs. items: type: string awsSamlEndpoint: type: string description: AWS SAML Endpoint. default: https://signin.aws.amazon.com/saml admin: $ref: "#/types/aws-iam:index:AdminRole" poweruser: $ref: "#/types/aws-iam:index:PoweruserRole" readonly: $ref: "#/types/aws-iam:index:ReadonlyRole" maxSessionDuration: type: integer description: Maximum CLI/API session duration in seconds between 3600 and 43200. default: 3600 forceDetachPolicies: type: boolean description: Whether policies should be detached from this role when destroying. default: false requiredInputs: [] properties: admin: type: object properties: roleArn: type: string description: ARN of admin IAM role. roleName: type: string description: Name of admin IAM role. rolePath: type: string description: Path of admin IAM role. roleUniqueId: type: string description: Unique ID of IAM role poweruser: type: object properties: roleArn: type: string description: ARN of poweruser IAM role. roleName: type: string description: Name of poweruser IAM role. rolePath: type: string description: Path of poweruser IAM role. roleUniqueId: type: string description: Unique ID of IAM role readonly: type: object properties: roleArn: type: string description: ARN of readonly IAM role. roleName: type: string description: Name of readonly IAM role. rolePath: type: string description: Path of readonly IAM role. roleUniqueId: type: string description: Unique ID of IAM role required: - admin "aws-iam:index:AssumableRole": description: | This resource helps you create a single IAM Role which can be assumed by trusted resources. Trusted resources can be any IAM ARNs, typically, AWS Accounts and Users. {{% examples %}} ## Example Usage {{% example %}} ## Assumable Role ```typescript import * as iam from "@pulumi/aws-iam"; export const assumableRole = new iam.AssumableRole("aws-iam-example-assumable-role", { trustedRoleArns: [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus" ], role: { name: "custom", requiresMfa: true, policyArns: [ "arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess" ], }, }); ``` ```python import pulumi import pulumi_aws_iam as iam assumable_role = iam.AssumableRole( 'assumable_role', trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'], role=iam.RoleWithMFAArgs( name='custom', requires_mfa=True, policy_arns=['arn:aws:iam::aws:policy/AmazonCognitoReadOnly','arn:aws:iam::aws:policy/AlexaForBusinessFullAccess'], ), ) pulumi.export('assumable_role', assumable_role) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { assumableRole, err := iam.NewAssumableRole(ctx, "assumable-role", &iam.AssumableRoleArgs{ TrustedRoleArns: pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}), Role: &iam.RoleWithMFAArgs{ Name: pulumi.String("custom"), RequiresMfa: pulumi.BoolPtr(true), PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonCognitoReadOnly", "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"}), }, }) if err != nil { return err } ctx.Export("assumableRole", assumableRole) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var assumableRole = new AssumableRole("assumable-role", new AssumableRoleArgs { TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}, Role = new RoleWithMFAArgs { Name = "custom", RequiresMfa = true, PolicyArns = {"arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"}, }, }); this.AssumableRole = Output.Create(assumableRole); } [Output] public Output AssumableRole { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: assumableRole: type: "aws-iam:index:AssumableRole" properties: trustedRoleArns: - "arn:aws:iam::307990089504:root" - "arn:aws:iam::835367859851:user/pulumipus" role: name: "custom" requiresMfa: true policyArns: - "arn:aws:iam::aws:policy/AmazonCognitoReadOnly" - "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess" outputs: assumableRole: ${assumableRole} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: trustedRoleActions: type: array description: Actions of STS. items: type: string trustedRoleArns: type: array description: ARNs of AWS entities who can assume these roles. items: type: string trustedRoleServices: type: array description: AWS Services that can assume these roles. items: type: string mfaAge: type: integer description: Max age of valid MFA (in seconds) for roles which require MFA. default: 86400 maxSessionDuration: type: integer description: Maximum CLI/API session duration in seconds between 3600 and 43200. default: 3600 role: description: An IAM role that requires MFA. $ref: "#/types/aws-iam:index:RoleWithMFA" tags: type: object description: A map of tags to add. additionalProperties: type: string customRoleTrustPolicy: type: string description: A custom role trust policy. default: "" attachAdminPolicy: type: boolean description: Whether to attach an admin policy to a role. default: false attachPoweruserPolicy: type: boolean description: Whether to attach a poweruser policy to a role. default: false attachReadonlyPolicy: type: boolean description: Whether to attach a readonly policy to a role. default: false forceDetachPolicies: type: boolean description: Whether policies should be detached from this role when destroying. default: false roleStsExternalIds: type: array description: STS ExternalId condition values to use with a role (when MFA is not required). items: type: string requiredInputs: [] properties: role: type: object properties: arn: type: string description: ARN of IAM role. name: type: string description: Name of IAM role. path: type: string description: Path of IAM role. uniqueId: type: string description: Unique ID of IAM role. requiresMfa: type: boolean description: Whether IAM role requires MFA. stsExternalId: description: "STS ExternalId condition value to use with a role." type: string instanceProfile: type: object properties: arn: type: string description: ARN of IAM instance profile. name: description: "Name of IAM instance profile" type: string id: description: "IAM Instance profile's ID." type: string path: description: "Path of IAM instance profile." type: string required: - role - instanceProfile "aws-iam:index:AssumableRoleWithSAML": description: | This resource helps you create a single IAM Role which can be assumed by trusted resources using SAML Federated Users. {{% examples %}} ## Example Usage {{% example %}} ## Assumable Role With SAML ```typescript import * as iam from "@pulumi/aws-iam"; export const assumableRoleWithSaml = new iam.AssumableRoleWithSAML("aws-iam-example-assumable-role-with-saml", { providerIds: [ "arn:aws:iam::235367859851:saml-provider/idp_saml" ], role: { name: "saml-role", policyArns: [ "arn:aws:iam::aws:policy/ReadOnlyAccess" ], }, tags: { Role: "saml-role", }, }); ``` ```python import pulumi import pulumi_aws_iam as iam assumable_role_with_saml = iam.AssumableRoleWithSAML( 'assumable_role_with_saml', role=iam.RoleArgs( name='saml-role', policy_arns=['arn:aws:iam::aws:policy/ReadOnlyAccess'], ), tags={ 'Role': 'saml-role', }, provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml'] ) pulumi.export('assumable_role_with_saml', assumable_role_with_saml) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { assumableRoleWithSAML, err := iam.NewAssumableRoleWithSAML(ctx, "assumable-role-with-saml", &iam.AssumableRoleWithSAMLArgs{ Role: iam.RoleArgs{ Name: pulumi.String("saml-role"), PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/ReadOnlyAccess"}), }, Tags: pulumi.ToStringMap(map[string]string{ "Role": "saml-role", }), ProviderIds: pulumi.ToStringArray([]string{"arn:aws:iam::235367859851:saml-provider/idp_saml"}), }) if err != nil { return err } ctx.Export("assumableRoleWithSAML", assumableRoleWithSAML) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var assumableRoleWithSaml = new AssumableRoleWithSAML("assumable-role-with-saml", new AssumableRoleWithSAMLArgs { Role = new RoleArgs { Name = "saml-role", PolicyArns = {"arn:aws:iam::aws:policy/ReadOnlyAccess"}, }, Tags = new InputMap { {"Role", "saml-role"}, }, ProviderIds = {"arn:aws:iam::235367859851:saml-provider/idp_saml"}, }); this.AssumableRoleWithSaml = Output.Create(assumableRoleWithSaml); } [Output] public Output AssumableRoleWithSaml { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: assumableRoleWithSaml: type: "aws-iam:index:AssumableRoleWithSAML" properties: role: name: "saml-role" policyArns: - "arn:aws:iam::aws:policy/ReadOnlyAccess" tags: Role: "saml-role" providerIds: - "arn:aws:iam::235367859851:saml-provider/idp_saml" outputs: assumableRoleWithSaml: ${assumableRoleWithSaml} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: tags: type: object description: A map of tags to add. additionalProperties: type: string role: $ref: "#/types/aws-iam:index:Role" providerIds: type: array description: List of SAML Provider IDs. items: type: string awsSamlEndpoint: type: string description: AWS SAML Endpoint. default: https://signin.aws.amazon.com/saml maxSessionDuration: type: integer description: Maximum CLI/API session duration in seconds between 3600 and 43200. default: 3600 forceDetachPolicies: type: boolean description: Whether policies should be detached from this role when destroying. default: false requiredInputs: [] properties: roleArn: type: string description: ARN of IAM role. roleName: type: string description: Name of IAM role. rolePath: type: string description: Path of IAM role. roleUniqueId: type: string description: Unique ID of IAM role. required: - roleArn - roleName - rolePath - roleUniqueId "aws-iam:index:AssumableRoleWithOIDC": description: | This resources helps you create a single IAM role which can be assume by trusted resources using OpenID Connect Federated Users. {{% examples %}} ## Example Usage {{% example %}} ## Assumable Role With OIDC ```typescript import * as iam from "@pulumi/aws-iam"; export const assumableRoleWithOidc = new iam.AssumableRoleWithOIDC("aws-iam-example-assumable-role-with-oidc", { providerUrls: ["oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"], role: { name: "oidc-role", policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ], }, tags: { Role: "oidc-role", }, }); ``` ```python import pulumi import pulumi_aws_iam as iam assumable_role_with_oidc = iam.AssumableRoleWithOIDC( 'assumable_role_with_oidc', role=iam.RoleArgs( name='oidc-role', policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'] ), tags={ 'Role': 'oidc-role', }, provider_urls=['oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8'] ) pulumi.export('assumable_role_with_oidc', assumable_role_with_oidc) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { assumableRoleWithOIDC, err := iam.NewAssumableRoleWithOIDC(ctx, "assumable-role-with-oidc", &iam.AssumableRoleWithOIDCArgs{ Role: iam.RoleArgs{ Name: pulumi.String("oidc-role"), PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}), }, Tags: pulumi.ToStringMap(map[string]string{ "Role": "oidc-role", }), ProviderUrls: pulumi.ToStringArray([]string{"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"}), }) if err != nil { return err } ctx.Export("assumableRoleWithOIDC", assumableRoleWithOIDC) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var assumableRoleWithOidc = new AssumableRoleWithOIDC("assumable-role-with-oidc", new AssumableRoleWithOIDCArgs { Role = new RoleArgs { Name = "oidc-role", PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}, }, Tags = new InputMap { {"Role", "odic-role"}, }, ProviderUrls = {"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"}, }); this.AssumableRoleWithOidc = Output.Create(assumableRoleWithOidc); } [Output] public Output AssumableRoleWithOidc { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: assumableRoleWithOidc: type: "aws-iam:index:AssumableRoleWithOIDC" properties: role: name: "oidc-role" policyArns: - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" tags: Role: "oidc-role" providerUrls: - "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8" outputs: assumableRoleWithOidc: ${assumableRoleWithOidc} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: tags: type: object description: A map of tags to add. additionalProperties: type: string providerUrls: type: array description: List of URLs of the OIDC Providers. items: type: string awsAccountId: type: string description: The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider. default: "" role: description: The IAM role. $ref: "#/types/aws-iam:index:Role" maxSessionDuration: type: integer description: Maximum CLI/API session duration in seconds between 3600 and 43200. default: 3600 forceDetachPolicies: type: boolean description: Whether policies should be detached from this role when destroying. default: false oidcFullyQualifiedSubjects: type: array description: The fully qualified OIDC subjects to be added to the role policy. items: type: string oidcSubjectsWithWildcards: type: array description: The OIDC subject using wildcards to be added to the role policy. items: type: string oidcFullyQualifiedAudiences: type: array description: The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. items: type: string requiredInputs: [] properties: arn: type: string description: ARN of IAM role. name: type: string description: Name of IAM role. path: type: string description: Path of IAM role. uniqueId: type: string description: Unique ID of IAM role. required: - arn - name - path - uniqueId "aws-iam:index:Account": description: | This resource helps you manage an Iam Account's Alias and Password Policy. If your IAM Account Alias was previously set (either via the AWS console or when AWS created your Account) you will see an error like the below: ``` * Aws_iam_account_alias.this: Error creating account alias with name my-account-alias ``` If you want to manage you Alias using Pulumi you will need to import this resource. {{% examples %}} ## Example Usage {{% example %}} ## Account ```typescript import * as iam from "@pulumi/aws-iam"; export const account = new iam.Account("account", { accountAlias: "cool-alias", passwordPolicy: { minimumLength: 37, requireNumbers: false, allowUsersToChange: true, hardExpiry: true, requireSymbols: true, requireLowercaseCharacters: true, requireUppercaseCharacters: true, }, }); ``` ```python import pulumi import pulumi_aws_iam as iam account = iam.Account( 'account', account_alias='cool-alias', password_policy=iam.AccountPasswordPolicyArgs( minimum_length=37, require_numbers=False, allow_users_to_change=True, hard_expiry=True, require_symbols=True, require_lowercase_characters=True, require_uppercase_characters=True, ) ) pulumi.export('account', account) ``` ```go package main import ( iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { account, err := iam.NewAccount(ctx, "account", &iam.AccountArgs{ AccountAlias: pulumi.String("cool-alias"), PasswordPolicy: iam.AccountPasswordPolicyArgs{ MinimumLength: pulumi.IntPtr(37), RequireNumbers: pulumi.Bool(false), AllowUsersToChange: pulumi.Bool(true), HardExpiry: pulumi.Bool(true), RequireSymbols: pulumi.Bool(true), RequireLowercaseCharacters: pulumi.Bool(true), RequireUppercaseCharacters: pulumi.Bool(true), }, }) if err != nil { return err } ctx.Export("account", account) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var account = new Account("account", new AccountArgs { AccountAlias = "cool-alias", PasswordPolicy=new AccountPasswordPolicyArgs { MinimumLength = 37, RequireNumbers = false, AllowUsersToChange = true, HardExpiry = true, RequireSymbols = true, RequireLowercaseCharacters = true, RequireUppercaseCharacters = true, } }); this.Account = Output.Create(account); } [Output] public Output Account { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: account: type: "aws-iam:index:Account" properties: accountAlias: "cool-alias" passwordPolicy: minimumLength: 37 requireNumbers: false allowUsersToChange: true hardExpiry: true requireSymbols: true requireLowercaseCharacters: true requireUppercaseCharacters: true outputs: account: ${account} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: accountAlias: type: string description: AWS IAM account alias for this account. passwordPolicy: $ref: "#/types/aws-iam:index:AccountPasswordPolicy" description: | Options to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. If left empty the default AWS password policy will be applied. requiredInputs: - accountAlias - passwordPolicy properties: id: type: string description: | The AWS Account ID number of the account that owns or contains the calling entity. arn: type: string description: | The AWS ARN associated with the calling entity. userId: type: string description: | The unique identifier of the calling entity. passwordPolicyExpirePasswords: type: boolean description: | Indicates whether passwords in the account expire. Returns true if max password age contains a value greater than 0. Returns false if it is 0 or not present. required: - id - arn - userId - passwordPolicyExpirePasswords "aws-iam:index:Policy": description: | This resource helps you create an IAM policy. {{% examples %}} ## Example Usage {{% example %}} ## Policy ```typescript import * as iam from "@pulumi/aws-iam"; export const policy = new iam.Policy("aws-iam-example-policy", { name: "aws-iam-example-policy", path: "/", description: "My example policy", policyDocument: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*" } ] }`, }); ``` ```python import json import pulumi import pulumi_aws_iam as iam policy = iam.Policy( 'policy', name='example', path='/', description='My example policy', policy_document=json.dumps({ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*" } ] }) ) ``` ```go package main import ( "encoding/json" iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { policyJSON, err := json.Marshal(map[string]interface{}{ "Version": "2012-10-17", "Statement": []interface{}{ map[string]interface{}{ "Effect": "Allow", "Action": []string{"ec2:Describe"}, "Resource": []string{"*"}, }, }, }) if err != nil { return err } policy, err := iam.NewPolicy(ctx, "policy", &iam.PolicyArgs{ Name: pulumi.String("example"), Path: pulumi.String("/"), Description: pulumi.String("My example policy"), PolicyDocument: pulumi.String(string(policyJSON)), }) if err != nil { return err } ctx.Export("policy", policy) return nil }) } ``` ```csharp using Pulumi; using Pulumi.AwsIam; using Pulumi.AwsIam.Inputs; class MyStack : Stack { public MyStack() { var policy = new Policy("policy", new PolicyArgs { Name = "example", Path = "/", Description = "My example policy", PolicyDocument = @"{ ""Version"": ""2012-10-17"", ""Statement"": [ { ""Action"": [ ""ec2:Describe*"" ], ""Effect"": ""Allow"", ""Resource"": ""*"" } ] }" }); } [Output] public Output Policy { get; set; } } ``` ```yaml name: awsiam-yaml runtime: yaml resources: policy: type: "aws-iam:index:Policy" properties: name: "example" path: "/" description: "My example policy" policyDocument: | { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*" } ] } outputs: policy: ${policy} ``` {{ /example }} {{% examples %}} isComponent: true inputProperties: name: type: string description: The name of the policy. path: type: string description: The path of the policy in IAM. default: "/" description: type: string description: The description of the policy. default: IAM Policy policyDocument: type: string description: The policy document. tags: type: object description: A map of tags to add. additionalProperties: type: string requiredInputs: - name - policyDocument properties: id: type: string description: The policy's ID. arn: type: string description: The ARN assigned by AWS to this policy. description: type: string description: The description of the policy. name: type: string description: The name of the policy. path: type: string description: The path of the policy in IAM. policyDocument: type: string description: The policy document. required: - id - arn - description - name - path - policyDocument language: java: artifactId: "awsiam" buildFiles: "gradle" csharp: namespaces: "aws-iam": "AwsIam" packageReferences: Pulumi: 3.* Pulumi.Aws: 5.* go: generateResourceContainerTypes: true importBasePath: github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam nodejs: dependencies: "@pulumi/aws": "^5.0.0" devDependencies: typescript: "^3.7.0" python: requires: pulumi: ">=3.0.0,<4.0.0" pulumi-aws: ">=5.0.0,<6.0.0"