Role
Provides an IAM role.
NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation; otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.
Example of Using Data Source for Assume Role Policy
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
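// Trust policy for the role: the only principal allowed to call sts:AssumeRole
// is the EC2 service (ec2.amazonaws.com). This document states who may assume
// the role; no permissions policy is attached in this example.
//
// The identifier must be a valid one (no hyphens) and must match the name used
// when the role is created below.
const instanceAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["ec2.amazonaws.com"],
        }],
    }],
});

// Create the role under the /system/ path, passing the rendered JSON of the
// policy document as its assume-role (trust) policy.
const instance = new aws.iam.Role("instance", {
    path: "/system/",
    assumeRolePolicy: instanceAssumeRolePolicy.then(doc => doc.json),
});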
import pulumi
import pulumi_aws as aws
# Trust policy for the role: the EC2 service principal (ec2.amazonaws.com) is
# the only entity allowed to call sts:AssumeRole. No permissions policy is
# attached in this example.
_ec2_service_principal = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="Service",
    identifiers=["ec2.amazonaws.com"],
)
_assume_role_statement = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["sts:AssumeRole"],
    principals=[_ec2_service_principal],
)
instance_assume_role_policy = aws.iam.get_policy_document(
    statements=[_assume_role_statement],
)

# Create the role under the /system/ path, using the rendered JSON of the
# policy document as its assume-role (trust) policy.
instance = aws.iam.Role(
    "instance",
    path="/system/",
    assume_role_policy=instance_assume_role_policy.json,
)
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Stack that creates the "instance" IAM role, with its trust policy produced
/// by the GetPolicyDocument data source.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy: the EC2 service principal (ec2.amazonaws.com) is the
        // only entity allowed to call sts:AssumeRole on the role. No
        // permissions policy is attached in this example.
        var policyArgs = new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "sts:AssumeRole" },
                    Principals =
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                        {
                            Type = "Service",
                            Identifiers = { "ec2.amazonaws.com" },
                        },
                    },
                },
            },
        };
        var trustPolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(policyArgs));

        // Create the role under the /system/ path, using the rendered JSON of
        // the policy document as its assume-role (trust) policy.
        var instance = new Aws.Iam.Role("instance", new Aws.Iam.RoleArgs
        {
            Path = "/system/",
            AssumeRolePolicy = trustPolicy.Apply(doc => doc.Json),
        });
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main runs a Pulumi program that creates the "instance" IAM role, with its
// trust policy produced by the GetPolicyDocument data source.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trust policy: the EC2 service principal (ec2.amazonaws.com) is the
		// only entity allowed to call sts:AssumeRole on the role. No
		// permissions policy is attached in this example.
		ec2Service := iam.GetPolicyDocumentStatementPrincipal{
			Type:        "Service",
			Identifiers: []string{"ec2.amazonaws.com"},
		}
		assumeRole := iam.GetPolicyDocumentStatement{
			Actions:    []string{"sts:AssumeRole"},
			Principals: []iam.GetPolicyDocumentStatementPrincipal{ec2Service},
		}
		trustPolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{assumeRole},
		}, nil)
		if err != nil {
			return err
		}

		// Create the role under the /system/ path, using the rendered JSON of
		// the policy document as its assume-role (trust) policy.
		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
			Path:             pulumi.String("/system/"),
			AssumeRolePolicy: pulumi.String(trustPolicy.Json),
		})
		return err
	})
}
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Stack that creates the "testRole" IAM role from an inline JSON trust policy.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Inline trust policy: allows the EC2 service principal
        // (ec2.amazonaws.com) to call sts:AssumeRole on the role. The literal
        // is passed to AWS as written, so it is kept exactly as in the example.
        const string trustPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": ""sts:AssumeRole"",
""Principal"": {
""Service"": ""ec2.amazonaws.com""
},
""Effect"": ""Allow"",
""Sid"": """"
}
]
}
";

        var roleArgs = new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = trustPolicy,
            Tags =
            {
                { "tag-key", "tag-value" },
            },
        };
        var testRole = new Aws.Iam.Role("testRole", roleArgs);
    }
}
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main runs a Pulumi program that creates the "testRole" IAM role from an
// inline JSON trust policy and tags it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Inline trust policy: allows the EC2 service principal
		// (ec2.amazonaws.com) to call sts:AssumeRole on the role. The pieces
		// are concatenated into one JSON document.
		trustPolicy := fmt.Sprintf("%v%v%v%v%v%v%v%v%v%v%v%v%v%v", "{\n", " \"Version\": \"2012-10-17\",\n", " \"Statement\": [\n", " {\n", " \"Action\": \"sts:AssumeRole\",\n", " \"Principal\": {\n", " \"Service\": \"ec2.amazonaws.com\"\n", " },\n", " \"Effect\": \"Allow\",\n", " \"Sid\": \"\"\n", " }\n", " ]\n", "}\n", "\n")

		roleArgs := &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(trustPolicy),
			Tags: pulumi.StringMap{
				"tag-key": pulumi.String("tag-value"),
			},
		}
		if _, err := iam.NewRole(ctx, "testRole", roleArgs); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws
# Inline trust policy: allows the EC2 service principal (ec2.amazonaws.com) to
# call sts:AssumeRole on the role. The literal is passed to AWS as written.
_assume_role_policy = """{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
"""

# Create the tagged role with the trust policy above.
test_role = aws.iam.Role(
    "testRole",
    assume_role_policy=_assume_role_policy,
    tags={"tag-key": "tag-value"},
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Inline trust policy: allows the EC2 service principal (ec2.amazonaws.com) to
// call sts:AssumeRole on the role. The literal is passed to AWS as written.
const trustPolicy = `{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
`;

// Create the tagged role with the trust policy above.
const testRole = new aws.iam.Role("test_role", {
    assumeRolePolicy: trustPolicy,
    tags: { "tag-key": "tag-value" },
});
Create a Role Resource
new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);
def Role(resource_name: str, opts: Optional[ResourceOptions] = None, assume_role_policy: Optional[str] = None, description: Optional[str] = None, force_detach_policies: Optional[bool] = None, max_session_duration: Optional[int] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, path: Optional[str] = None, permissions_boundary: Optional[str] = None, tags: Optional[Mapping[str, str]] = None)
func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)
public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
Role Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The Role resource accepts the following input properties:
- AssumeRolePolicy string | string
The policy that grants an entity permission to assume the role.
- Description string
The description of the role.
- ForceDetachPolicies bool
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- MaxSessionDuration int
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- Name string
The name of the role. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- Path string
The path to the role. See IAM Identifiers for more information.
- PermissionsBoundary string
The ARN of the policy that is used to set the permissions boundary for the role.
- Tags Dictionary<string, string>
Key-value map of tags for the IAM role
- AssumeRolePolicy string | string
The policy that grants an entity permission to assume the role.
- Description string
The description of the role.
- ForceDetachPolicies bool
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- MaxSessionDuration int
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- Name string
The name of the role. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- Path string
The path to the role. See IAM Identifiers for more information.
- PermissionsBoundary string
The ARN of the policy that is used to set the permissions boundary for the role.
- Tags map[string]string
Key-value map of tags for the IAM role
- assumeRolePolicy string | PolicyDocument
The policy that grants an entity permission to assume the role.
- description string
The description of the role.
- forceDetachPolicies boolean
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- maxSessionDuration number
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- name string
The name of the role. If omitted, this provider will assign a random, unique name.
- namePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- path string
The path to the role. See IAM Identifiers for more information.
- permissionsBoundary string
The ARN of the policy that is used to set the permissions boundary for the role.
- tags {[key: string]: string}
Key-value map of tags for the IAM role
- assume_role_policy str | str
The policy that grants an entity permission to assume the role.
- description str
The description of the role.
- force_detach_policies bool
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- max_session_duration int
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- name str
The name of the role. If omitted, this provider will assign a random, unique name.
- name_prefix str
Creates a unique name beginning with the specified prefix. Conflicts with name.
- path str
The path to the role. See IAM Identifiers for more information.
- permissions_boundary str
The ARN of the policy that is used to set the permissions boundary for the role.
- tags Mapping[str, str]
Key-value map of tags for the IAM role
Outputs
All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:
- Arn string
The Amazon Resource Name (ARN) specifying the role.
- CreateDate string
The creation date of the IAM role.
- Id string
The provider-assigned unique ID for this managed resource.
- UniqueId string
The stable and unique string identifying the role.
- Arn string
The Amazon Resource Name (ARN) specifying the role.
- CreateDate string
The creation date of the IAM role.
- Id string
The provider-assigned unique ID for this managed resource.
- UniqueId string
The stable and unique string identifying the role.
- arn string
The Amazon Resource Name (ARN) specifying the role.
- createDate string
The creation date of the IAM role.
- id string
The provider-assigned unique ID for this managed resource.
- uniqueId string
The stable and unique string identifying the role.
- arn str
The Amazon Resource Name (ARN) specifying the role.
- create_date str
The creation date of the IAM role.
- id str
The provider-assigned unique ID for this managed resource.
- unique_id str
The stable and unique string identifying the role.
Look up an Existing Role Resource
Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, arn: Optional[str] = None, assume_role_policy: Optional[str] = None, create_date: Optional[str] = None, description: Optional[str] = None, force_detach_policies: Optional[bool] = None, max_session_duration: Optional[int] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, path: Optional[str] = None, permissions_boundary: Optional[str] = None, tags: Optional[Mapping[str, str]] = None, unique_id: Optional[str] = None) -> Role
func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)
public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Arn string
The Amazon Resource Name (ARN) specifying the role.
- AssumeRolePolicy string | string
The policy that grants an entity permission to assume the role.
- CreateDate string
The creation date of the IAM role.
- Description string
The description of the role.
- ForceDetachPolicies bool
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- MaxSessionDuration int
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- Name string
The name of the role. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- Path string
The path to the role. See IAM Identifiers for more information.
- PermissionsBoundary string
The ARN of the policy that is used to set the permissions boundary for the role.
- Tags Dictionary<string, string>
Key-value map of tags for the IAM role
- UniqueId string
The stable and unique string identifying the role.
- Arn string
The Amazon Resource Name (ARN) specifying the role.
- AssumeRolePolicy string | string
The policy that grants an entity permission to assume the role.
- CreateDate string
The creation date of the IAM role.
- Description string
The description of the role.
- ForceDetachPolicies bool
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- MaxSessionDuration int
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- Name string
The name of the role. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- Path string
The path to the role. See IAM Identifiers for more information.
- PermissionsBoundary string
The ARN of the policy that is used to set the permissions boundary for the role.
- Tags map[string]string
Key-value map of tags for the IAM role
- UniqueId string
The stable and unique string identifying the role.
- arn string
The Amazon Resource Name (ARN) specifying the role.
- assumeRolePolicy string | PolicyDocument
The policy that grants an entity permission to assume the role.
- createDate string
The creation date of the IAM role.
- description string
The description of the role.
- forceDetachPolicies boolean
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- maxSessionDuration number
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- name string
The name of the role. If omitted, this provider will assign a random, unique name.
- namePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- path string
The path to the role. See IAM Identifiers for more information.
- permissionsBoundary string
The ARN of the policy that is used to set the permissions boundary for the role.
- tags {[key: string]: string}
Key-value map of tags for the IAM role
- uniqueId string
The stable and unique string identifying the role.
- arn str
The Amazon Resource Name (ARN) specifying the role.
- assume_role_policy str | str
The policy that grants an entity permission to assume the role.
- create_date str
The creation date of the IAM role.
- description str
The description of the role.
- force_detach_policies bool
Specifies to force detaching any policies the role has before destroying it. Defaults to false.
- max_session_duration int
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- name str
The name of the role. If omitted, this provider will assign a random, unique name.
- name_prefix str
Creates a unique name beginning with the specified prefix. Conflicts with name.
- path str
The path to the role. See IAM Identifiers for more information.
- permissions_boundary str
The ARN of the policy that is used to set the permissions boundary for the role.
- tags Mapping[str, str]
Key-value map of tags for the IAM role
- unique_id str
The stable and unique string identifying the role.
Import
IAM Roles can be imported using the name, e.g.
$ pulumi import aws:iam/role:Role developer developer_name
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.