Role

Provides an IAM role.

NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.
Example of Using Data Source for Assume Role Policy

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const instance-assume-role-policy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["ec2.amazonaws.com"],
        }],
    }],
});
const instance = new aws.iam.Role("instance", {
    path: "/system/",
    assumeRolePolicy: instance_assume_role_policy.then(instance_assume_role_policy => instance_assume_role_policy.json),
});

import pulumi
import pulumi_aws as aws

instance_assume_role_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    actions=["sts:AssumeRole"],
    principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
        type="Service",
        identifiers=["ec2.amazonaws.com"],
    )],
)])
instance = aws.iam.Role("instance",
    path="/system/",
    assume_role_policy=instance_assume_role_policy.json)

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var instance_assume_role_policy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = 
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = 
                    {
                        "sts:AssumeRole",
                    },
                    Principals = 
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                        {
                            Type = "Service",
                            Identifiers = 
                            {
                                "ec2.amazonaws.com",
                            },
                        },
                    },
                },
            },
        }));
        var instance = new Aws.Iam.Role("instance", new Aws.Iam.RoleArgs
        {
            Path = "/system/",
            AssumeRolePolicy = instance_assume_role_policy.Apply(instance_assume_role_policy => instance_assume_role_policy.Json),
        });
    }

}

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		instance_assume_role_policy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				iam.GetPolicyDocumentStatement{
					Actions: []string{
						"sts:AssumeRole",
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						iam.GetPolicyDocumentStatementPrincipal{
							Type: "Service",
							Identifiers: []string{
								"ec2.amazonaws.com",
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
			Path:             pulumi.String("/system/"),
			AssumeRolePolicy: pulumi.String(instance_assume_role_policy.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var testRole = new Aws.Iam.Role("testRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""ec2.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
            Tags = 
            {
                { "tag-key", "tag-value" },
            },
        });
    }

}

package main

import (
    "fmt"

    "github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := iam.NewRole(ctx, "testRole", &iam.RoleArgs{
            AssumeRolePolicy: pulumi.String(fmt.Sprintf("%v%v%v%v%v%v%v%v%v%v%v%v%v%v", "{\n", "  \"Version\": \"2012-10-17\",\n", "  \"Statement\": [\n", "    {\n", "      \"Action\": \"sts:AssumeRole\",\n", "      \"Principal\": {\n", "        \"Service\": \"ec2.amazonaws.com\"\n", "      },\n", "      \"Effect\": \"Allow\",\n", "      \"Sid\": \"\"\n", "    }\n", "  ]\n", "}\n", "\n")),
            Tags: pulumi.StringMap{
                "tag-key": pulumi.String("tag-value"),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

test_role = aws.iam.Role("testRole",
    assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""",
    tags={
        "tag-key": "tag-value",
    })

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testRole = new aws.iam.Role("test_role", {
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
    tags: {
        "tag-key": "tag-value",
    },
});

Create a Role Resource

new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);

def Role(resource_name: str, opts: Optional[ResourceOptions] = None, assume_role_policy: Optional[str] = None, description: Optional[str] = None, force_detach_policies: Optional[bool] = None, max_session_duration: Optional[int] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, path: Optional[str] = None, permissions_boundary: Optional[str] = None, tags: Optional[Mapping[str, str]] = None)

func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)

public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

Role Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Role resource accepts the following input properties:

AssumeRolePolicy string | string: The policy that grants an entity permission to assume the role.
Description string: The description of the role.
ForceDetachPolicies bool: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
MaxSessionDuration int: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string: The name of the role. If omitted, this provider will assign a random, unique name.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Path string: The path to the role. See IAM Identifiers for more information.
PermissionsBoundary string: The ARN of the policy that is used to set the permissions boundary for the role.
Tags Dictionary<string, string>: Key-value map of tags for the IAM role

AssumeRolePolicy string | string: The policy that grants an entity permission to assume the role.
Description string: The description of the role.
ForceDetachPolicies bool: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
MaxSessionDuration int: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string: The name of the role. If omitted, this provider will assign a random, unique name.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Path string: The path to the role. See IAM Identifiers for more information.
PermissionsBoundary string: The ARN of the policy that is used to set the permissions boundary for the role.
Tags map[string]string: Key-value map of tags for the IAM role

assumeRolePolicy string | PolicyDocument: The policy that grants an entity permission to assume the role.
description string: The description of the role.
forceDetachPolicies boolean: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
maxSessionDuration number: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name string: The name of the role. If omitted, this provider will assign a random, unique name.
namePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
path string: The path to the role. See IAM Identifiers for more information.
permissionsBoundary string: The ARN of the policy that is used to set the permissions boundary for the role.
tags {[key: string]: string}: Key-value map of tags for the IAM role

assume_role_policy str | str: The policy that grants an entity permission to assume the role.
description str: The description of the role.
force_detach_policies bool: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
max_session_duration int: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name str: The name of the role. If omitted, this provider will assign a random, unique name.
name_prefix str: Creates a unique name beginning with the specified prefix. Conflicts with name.
path str: The path to the role. See IAM Identifiers for more information.
permissions_boundary str: The ARN of the policy that is used to set the permissions boundary for the role.
tags Mapping[str, str]: Key-value map of tags for the IAM role

Outputs

All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

Arn string: The Amazon Resource Name (ARN) specifying the role.
CreateDate string: The creation date of the IAM role.
Id string: The provider-assigned unique ID for this managed resource.
UniqueId string: The stable and unique string identifying the role.

Arn string: The Amazon Resource Name (ARN) specifying the role.
CreateDate string: The creation date of the IAM role.
Id string: The provider-assigned unique ID for this managed resource.
UniqueId string: The stable and unique string identifying the role.

arn string: The Amazon Resource Name (ARN) specifying the role.
createDate string: The creation date of the IAM role.
id string: The provider-assigned unique ID for this managed resource.
uniqueId string: The stable and unique string identifying the role.

arn str: The Amazon Resource Name (ARN) specifying the role.
create_date str: The creation date of the IAM role.
id str: The provider-assigned unique ID for this managed resource.
unique_id str: The stable and unique string identifying the role.

Look up an Existing Role Resource

Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role

@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, arn: Optional[str] = None, assume_role_policy: Optional[str] = None, create_date: Optional[str] = None, description: Optional[str] = None, force_detach_policies: Optional[bool] = None, max_session_duration: Optional[int] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, path: Optional[str] = None, permissions_boundary: Optional[str] = None, tags: Optional[Mapping[str, str]] = None, unique_id: Optional[str] = None) -> Role

func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)

public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: The Amazon Resource Name (ARN) specifying the role.
AssumeRolePolicy string | string: The policy that grants an entity permission to assume the role.
CreateDate string: The creation date of the IAM role.
Description string: The description of the role.
ForceDetachPolicies bool: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
MaxSessionDuration int: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string: The name of the role. If omitted, this provider will assign a random, unique name.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Path string: The path to the role. See IAM Identifiers for more information.
PermissionsBoundary string: The ARN of the policy that is used to set the permissions boundary for the role.
Tags Dictionary<string, string>: Key-value map of tags for the IAM role
UniqueId string: The stable and unique string identifying the role.

Arn string: The Amazon Resource Name (ARN) specifying the role.
AssumeRolePolicy string | string: The policy that grants an entity permission to assume the role.
CreateDate string: The creation date of the IAM role.
Description string: The description of the role.
ForceDetachPolicies bool: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
MaxSessionDuration int: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string: The name of the role. If omitted, this provider will assign a random, unique name.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Path string: The path to the role. See IAM Identifiers for more information.
PermissionsBoundary string: The ARN of the policy that is used to set the permissions boundary for the role.
Tags map[string]string: Key-value map of tags for the IAM role
UniqueId string: The stable and unique string identifying the role.

arn string: The Amazon Resource Name (ARN) specifying the role.
assumeRolePolicy string | PolicyDocument: The policy that grants an entity permission to assume the role.
createDate string: The creation date of the IAM role.
description string: The description of the role.
forceDetachPolicies boolean: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
maxSessionDuration number: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name string: The name of the role. If omitted, this provider will assign a random, unique name.
namePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
path string: The path to the role. See IAM Identifiers for more information.
permissionsBoundary string: The ARN of the policy that is used to set the permissions boundary for the role.
tags {[key: string]: string}: Key-value map of tags for the IAM role
uniqueId string: The stable and unique string identifying the role.

arn str: The Amazon Resource Name (ARN) specifying the role.
assume_role_policy str | str: The policy that grants an entity permission to assume the role.
create_date str: The creation date of the IAM role.
description str: The description of the role.
force_detach_policies bool: Specifies to force detaching any policies the role has before destroying it. Defaults to false.
max_session_duration int: The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name str: The name of the role. If omitted, this provider will assign a random, unique name.
name_prefix str: Creates a unique name beginning with the specified prefix. Conflicts with name.
path str: The path to the role. See IAM Identifiers for more information.
permissions_boundary str: The ARN of the policy that is used to set the permissions boundary for the role.
tags Mapping[str, str]: Key-value map of tags for the IAM role
unique_id str: The stable and unique string identifying the role.

Import

IAM Roles can be imported using the name, e.g.

 $ pulumi import aws:iam/role:Role developer developer_name

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud