
Role

Provides an IAM role.

NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation; otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.

Example of Using Data Source for Assume Role Policy

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

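// Trust policy: only the EC2 service principal may call sts:AssumeRole on
// this role. (The original listing used `instance-assume-role-policy`, which
// is not a legal identifier and did not match the name referenced below.)
const instanceAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["ec2.amazonaws.com"],
        }],
    }],
});
// The role only needs the rendered JSON of the document above.
const instance = new aws.iam.Role("instance", {
    path: "/system/",
    assumeRolePolicy: instanceAssumeRolePolicy.then(policy => policy.json),
});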
import pulumi
import pulumi_aws as aws

# Trust policy: the EC2 service principal is the only identity allowed to
# call sts:AssumeRole on this role.
ec2_principal = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="Service",
    identifiers=["ec2.amazonaws.com"],
)
assume_role_statement = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["sts:AssumeRole"],
    principals=[ec2_principal],
)
instance_assume_role_policy = aws.iam.get_policy_document(
    statements=[assume_role_statement],
)
# The role receives the rendered JSON of the policy document above.
instance = aws.iam.Role(
    "instance",
    path="/system/",
    assume_role_policy=instance_assume_role_policy.json,
)
using Pulumi;
using Aws = Pulumi.Aws;

/// <summary>
/// Creates an IAM role whose trust policy lets only the EC2 service
/// principal call sts:AssumeRole.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var ec2Principal = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "Service",
            Identifiers = { "ec2.amazonaws.com" },
        };
        var assumeRoleStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "sts:AssumeRole" },
            Principals = { ec2Principal },
        };
        // InvokeAsync returns a Task; wrap it in an Output so it can feed the role.
        var instanceAssumeRolePolicy = Output.Create(
            Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                Statements = { assumeRoleStatement },
            }));
        var instance = new Aws.Iam.Role("instance", new Aws.Iam.RoleArgs
        {
            Path = "/system/",
            // The role only needs the rendered JSON of the document.
            AssumeRolePolicy = instanceAssumeRolePolicy.Apply(doc => doc.Json),
        });
    }
}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

// main defines the Pulumi program: an IAM role that only the EC2 service
// principal is allowed to assume.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trust policy statement: sts:AssumeRole for the EC2 service principal.
		ec2Principal := iam.GetPolicyDocumentStatementPrincipal{
			Type:        "Service",
			Identifiers: []string{"ec2.amazonaws.com"},
		}
		assumeRoleStatement := iam.GetPolicyDocumentStatement{
			Actions:    []string{"sts:AssumeRole"},
			Principals: []iam.GetPolicyDocumentStatementPrincipal{ec2Principal},
		}
		policy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{assumeRoleStatement},
		}, nil)
		if err != nil {
			return err
		}
		// The role only needs the rendered JSON of the document; any error
		// from creating it is the program's result.
		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
			Path:             pulumi.String("/system/"),
			AssumeRolePolicy: pulumi.String(policy.Json),
		})
		return err
	})
}

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

/// <summary>
/// Creates a tagged IAM role whose inline trust policy lets the EC2 service
/// principal call sts:AssumeRole.
/// </summary>
class MyStack : Stack
{
    // Trust policy document, passed verbatim to the role.
    private const string Ec2AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""ec2.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

";

    public MyStack()
    {
        var testRole = new Aws.Iam.Role("testRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = Ec2AssumeRolePolicy,
            Tags = { { "tag-key", "tag-value" } },
        });
    }
}
package main

import (
    "fmt"

    "github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

// main defines the Pulumi program: a tagged IAM role whose trust policy lets
// the named service principal call sts:AssumeRole.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Trust policy template; the only variable part is the service
        // principal. Raw literal keeps the JSON readable instead of a chain
        // of %v fragments.
        const assumeRolePolicyTemplate = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "%s"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

`
        assumeRolePolicy := fmt.Sprintf(assumeRolePolicyTemplate, "ec2.amazonaws.com")
        _, err := iam.NewRole(ctx, "testRole", &iam.RoleArgs{
            AssumeRolePolicy: pulumi.String(assumeRolePolicy),
            Tags: pulumi.StringMap{
                "tag-key": pulumi.String("tag-value"),
            },
        })
        // Any error from creating the role is the program's result.
        return err
    })
}
import pulumi
import pulumi_aws as aws

# Trust policy document, passed verbatim to the role: only the EC2 service
# principal may call sts:AssumeRole.
EC2_ASSUME_ROLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

"""

test_role = aws.iam.Role(
    "testRole",
    assume_role_policy=EC2_ASSUME_ROLE_POLICY,
    tags={"tag-key": "tag-value"},
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Trust policy document, passed verbatim to the role: only the EC2 service
// principal may call sts:AssumeRole.
const ec2AssumeRolePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`;

const testRole = new aws.iam.Role("test_role", {
    assumeRolePolicy: ec2AssumeRolePolicy,
    tags: { "tag-key": "tag-value" },
});

Create a Role Resource

new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);
def Role(resource_name: str, opts: Optional[ResourceOptions] = None, assume_role_policy: Optional[str] = None, description: Optional[str] = None, force_detach_policies: Optional[bool] = None, max_session_duration: Optional[int] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, path: Optional[str] = None, permissions_boundary: Optional[str] = None, tags: Optional[Mapping[str, str]] = None)
func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)
public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Role Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Role resource accepts the following input properties:

AssumeRolePolicy string | string

The policy that grants an entity permission to assume the role.

Description string

The description of the role.

ForceDetachPolicies bool

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

MaxSessionDuration int

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

The name of the role. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Path string

The path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

The ARN of the policy that is used to set the permissions boundary for the role.

Tags Dictionary<string, string>

Key-value map of tags for the IAM role

AssumeRolePolicy string | string

The policy that grants an entity permission to assume the role.

Description string

The description of the role.

ForceDetachPolicies bool

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

MaxSessionDuration int

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

The name of the role. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Path string

The path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

The ARN of the policy that is used to set the permissions boundary for the role.

Tags map[string]string

Key-value map of tags for the IAM role

assumeRolePolicy string | PolicyDocument

The policy that grants an entity permission to assume the role.

description string

The description of the role.

forceDetachPolicies boolean

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

maxSessionDuration number

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name string

The name of the role. If omitted, this provider will assign a random, unique name.

namePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

path string

The path to the role. See IAM Identifiers for more information.

permissionsBoundary string

The ARN of the policy that is used to set the permissions boundary for the role.

tags {[key: string]: string}

Key-value map of tags for the IAM role

assume_role_policy str | str

The policy that grants an entity permission to assume the role.

description str

The description of the role.

force_detach_policies bool

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

max_session_duration int

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name str

The name of the role. If omitted, this provider will assign a random, unique name.

name_prefix str

Creates a unique name beginning with the specified prefix. Conflicts with name.

path str

The path to the role. See IAM Identifiers for more information.

permissions_boundary str

The ARN of the policy that is used to set the permissions boundary for the role.

tags Mapping[str, str]

Key-value map of tags for the IAM role

Outputs

All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

Arn string

The Amazon Resource Name (ARN) specifying the role.

CreateDate string

The creation date of the IAM role.

Id string
The provider-assigned unique ID for this managed resource.
UniqueId string

The stable and unique string identifying the role.

Arn string

The Amazon Resource Name (ARN) specifying the role.

CreateDate string

The creation date of the IAM role.

Id string
The provider-assigned unique ID for this managed resource.
UniqueId string

The stable and unique string identifying the role.

arn string

The Amazon Resource Name (ARN) specifying the role.

createDate string

The creation date of the IAM role.

id string
The provider-assigned unique ID for this managed resource.
uniqueId string

The stable and unique string identifying the role.

arn str

The Amazon Resource Name (ARN) specifying the role.

create_date str

The creation date of the IAM role.

id str
The provider-assigned unique ID for this managed resource.
unique_id str

The stable and unique string identifying the role.

Look up an Existing Role Resource

Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, arn: Optional[str] = None, assume_role_policy: Optional[str] = None, create_date: Optional[str] = None, description: Optional[str] = None, force_detach_policies: Optional[bool] = None, max_session_duration: Optional[int] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, path: Optional[str] = None, permissions_boundary: Optional[str] = None, tags: Optional[Mapping[str, str]] = None, unique_id: Optional[str] = None) -> Role
func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)
public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string

The Amazon Resource Name (ARN) specifying the role.

AssumeRolePolicy string | string

The policy that grants an entity permission to assume the role.

CreateDate string

The creation date of the IAM role.

Description string

The description of the role.

ForceDetachPolicies bool

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

MaxSessionDuration int

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

The name of the role. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Path string

The path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

The ARN of the policy that is used to set the permissions boundary for the role.

Tags Dictionary<string, string>

Key-value map of tags for the IAM role

UniqueId string

The stable and unique string identifying the role.

Arn string

The Amazon Resource Name (ARN) specifying the role.

AssumeRolePolicy string | string

The policy that grants an entity permission to assume the role.

CreateDate string

The creation date of the IAM role.

Description string

The description of the role.

ForceDetachPolicies bool

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

MaxSessionDuration int

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

The name of the role. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Path string

The path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

The ARN of the policy that is used to set the permissions boundary for the role.

Tags map[string]string

Key-value map of tags for the IAM role

UniqueId string

The stable and unique string identifying the role.

arn string

The Amazon Resource Name (ARN) specifying the role.

assumeRolePolicy string | PolicyDocument

The policy that grants an entity permission to assume the role.

createDate string

The creation date of the IAM role.

description string

The description of the role.

forceDetachPolicies boolean

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

maxSessionDuration number

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name string

The name of the role. If omitted, this provider will assign a random, unique name.

namePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

path string

The path to the role. See IAM Identifiers for more information.

permissionsBoundary string

The ARN of the policy that is used to set the permissions boundary for the role.

tags {[key: string]: string}

Key-value map of tags for the IAM role

uniqueId string

The stable and unique string identifying the role.

arn str

The Amazon Resource Name (ARN) specifying the role.

assume_role_policy str | str

The policy that grants an entity permission to assume the role.

create_date str

The creation date of the IAM role.

description str

The description of the role.

force_detach_policies bool

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

max_session_duration int

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name str

The name of the role. If omitted, this provider will assign a random, unique name.

name_prefix str

Creates a unique name beginning with the specified prefix. Conflicts with name.

path str

The path to the role. See IAM Identifiers for more information.

permissions_boundary str

The ARN of the policy that is used to set the permissions boundary for the role.

tags Mapping[str, str]

Key-value map of tags for the IAM role

unique_id str

The stable and unique string identifying the role.

Import

IAM Roles can be imported using the name, e.g.

 $ pulumi import aws:iam/role:Role developer developer_name

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.