1. Extending the limit on active IAM roles

    TypeScript

    To work with IAM roles and potentially extend the limit on active IAM roles, you need to understand how IAM roles are created and managed using Pulumi and AWS. IAM (Identity and Access Management) roles in AWS are a way to delegate permissions without handing out long-lived user credentials for making AWS service requests.

    Roles can be assumed by trusted entities, such as AWS services, external users, or other accounts, which is a secure way to grant temporary permissions that expire after a specified duration. AWS sets a default limit on the number of IAM roles you can have in an account, but this limit can often be increased upon request to AWS.

    When using Pulumi, just as with AWS in general, you will interact with IAM roles through a specific resource type. Using the aws.iam.Role resource, you can create and manage IAM roles programmatically.

    Below is a basic Pulumi program in TypeScript that demonstrates how to create an IAM role. I will explain this using the aws package, which is a classic Pulumi provider for interacting with AWS resources.

    To start, you'll need to have Pulumi installed with AWS configured with the necessary credentials. This program assumes that you have already set up your Pulumi and AWS CLI with appropriate permissions.

```typescript
import * as aws from "@pulumi/aws";

// Creates an IAM role
const role = new aws.iam.Role("myRole", {
    // Trust policy: which principals may call sts:AssumeRole on this role
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: { Service: "ec2.amazonaws.com" },
        }],
    }),
    // You can specify the maximum session duration, in seconds, here:
    maxSessionDuration: 3600, // This is the default value, which is 1 hour.
});

// Export the name of the role
export const roleName = role.name;
```

    The assumeRolePolicy attribute defines a policy that grants an entity permission to assume the role. This particular policy allows an EC2 instance to assume the role, which is a common scenario for leveraging roles for AWS resources.

    The maxSessionDuration attribute is set to 3600 seconds by default, which is how long credentials obtained by assuming the role remain valid before new credentials must be requested. The maximum you can set this value to is 43200 seconds (12 hours) for most roles, but AWS does support up to 432000 seconds (120 hours) for some services.
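    The two settings just described, the trust policy and maxSessionDuration, are the places where a role definition most often ends up wider than intended. The following is an added example, not code from the original page or from Pulumi: plain TypeScript that builds the trust-policy document aws.iam.Role expects in assumeRolePolicy, bounds maxSessionDuration to the 3600..43200 second range the text gives for regular roles, and lints a trust policy for two over-broad patterns (a wildcard principal, and a cross-account principal with no sts:ExternalId condition). It goes beyond the page's EC2 case by also covering a cross-account trust. All function names are hypothetical, no Pulumi import is needed to run it, and the account ID and external ID are constructed sample values.

```typescript
// Added example (not from the original page or Pulumi): build and lint an IAM
// trust-policy document and bound maxSessionDuration before declaring the
// aws.iam.Role. Account ID and external ID values below are constructed.

type PrincipalBlock = { AWS?: string | string[]; Service?: string | string[] };

type TrustStatement = {
  Effect: "Allow" | "Deny";
  Principal: PrincipalBlock;
  Action: "sts:AssumeRole";
  Condition?: { [operator: string]: { [key: string]: string | string[] } };
};

type TrustPolicy = { Version: "2012-10-17"; Statement: TrustStatement[] };

// Trust an AWS service principal (the ec2.amazonaws.com case from the page).
function servicePrincipalTrust(service: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { Service: service }, Action: "sts:AssumeRole" }],
  };
}

// Trust another account, but only when the caller presents the agreed external
// ID: the standard confused-deputy mitigation for cross-account roles.
function crossAccountTrust(accountId: string, externalId: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::${accountId}:root` },
      Action: "sts:AssumeRole",
      Condition: { StringEquals: { "sts:ExternalId": externalId } },
    }],
  };
}

// maxSessionDuration on a regular role must lie between 3600 s (1 h, the
// default) and 43200 s (12 h); reject anything else before it reaches the provider.
function checkMaxSessionDuration(seconds: number): number {
  if (Math.floor(seconds) !== seconds || seconds < 3600 || seconds > 43200) {
    throw new RangeError(`maxSessionDuration ${seconds} is outside 3600..43200 seconds`);
  }
  return seconds;
}

function asList(v: string | string[] | undefined): string[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Findings for trust-policy patterns that widen who can assume the role.
function lintTrustPolicy(policy: TrustPolicy): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    const awsPrincipals = asList(s.Principal.AWS);
    if (awsPrincipals.indexOf("*") !== -1) {
      findings.push(`statement ${i}: wildcard AWS principal lets any account assume the role`);
    }
    const accounts = awsPrincipals.filter((p) => p !== "*");
    const stringEquals = s.Condition && s.Condition.StringEquals;
    const hasExternalId = stringEquals !== undefined && stringEquals["sts:ExternalId"] !== undefined;
    if (accounts.length > 0 && !hasExternalId) {
      findings.push(`statement ${i}: cross-account principal without sts:ExternalId condition`);
    }
  });
  return findings;
}

// These are the values you would hand to aws.iam.Role as assumeRolePolicy and
// maxSessionDuration; both are validated here before any resource is created.
const ec2TrustDocument: string = JSON.stringify(servicePrincipalTrust("ec2.amazonaws.com"));
const sessionSeconds: number = checkMaxSessionDuration(3600);
```

    Run lintTrustPolicy on every trust document in a stack during a pre-deploy test; an empty result for the EC2 document above and a one-line finding for a wildcard principal is the behaviour to expect.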

    To raise the role limit above the default cap, you need to request a service quota increase directly from AWS; this is outside what Pulumi can control. Pulumi can, however, manage every aspect of an IAM role that is programmatically controllable.

    For more information on AWS IAM roles, including how to request a quota increase, you can visit the AWS IAM Roles documentation.

    For more about Pulumi and how to manage AWS resources, please refer to the Pulumi AWS documentation.