Role

Provides an IAM role.

NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource does not have this requirement.

NOTE: If you use this resource’s managed_policy_arns argument or inline_policy configuration blocks, this resource will take over exclusive management of the role’s respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role’s policies, such as aws.iam.PolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.RolePolicy. If you attempt to manage a role’s policies by multiple means, you will get resource cycling and/or errors.

Example Usage

Basic Example

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var testRole = new Aws.Iam.Role("testRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                { "Version", "2012-10-17" },
                { "Statement", new[]
                    {
                        new Dictionary<string, object?>
                        {
                            { "Action", "sts:AssumeRole" },
                            { "Effect", "Allow" },
                            { "Sid", "" },
                            { "Principal", new Dictionary<string, object?>
                            {
                                { "Service", "ec2.amazonaws.com" },
                            } },
                        },
                    }
                 },
            }),
            Tags = 
            {
                { "tag-key", "tag-value" },
            },
        });
    }

}
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Sid":    "",
					"Principal": map[string]interface{}{
						"Service": "ec2.amazonaws.com",
					},
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err := iam.NewRole(ctx, "testRole", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(json0),
			Tags: pulumi.StringMap{
				"tag-key": pulumi.String("tag-value"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import json
import pulumi_aws as aws

test_role = aws.iam.Role("testRole",
    assume_role_policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Sid": "",
            "Principal": {
                "Service": "ec2.amazonaws.com",
            },
        }],
    }),
    tags={
        "tag-key": "tag-value",
    })
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testRole = new aws.iam.Role("testRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Sid: "",
            Principal: {
                Service: "ec2.amazonaws.com",
            },
        }],
    }),
    tags: {
        "tag-key": "tag-value",
    },
});

Example of Using Data Source for Assume Role Policy

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var instance_assume_role_policy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = 
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = 
                    {
                        "sts:AssumeRole",
                    },
                    Principals = 
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                        {
                            Type = "Service",
                            Identifiers = 
                            {
                                "ec2.amazonaws.com",
                            },
                        },
                    },
                },
            },
        }));
        var instance = new Aws.Iam.Role("instance", new Aws.Iam.RoleArgs
        {
            Path = "/system/",
            AssumeRolePolicy = instance_assume_role_policy.Apply(instance_assume_role_policy => instance_assume_role_policy.Json),
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		instance_assume_role_policy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				iam.GetPolicyDocumentStatement{
					Actions: []string{
						"sts:AssumeRole",
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						iam.GetPolicyDocumentStatementPrincipal{
							Type: "Service",
							Identifiers: []string{
								"ec2.amazonaws.com",
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
			Path:             pulumi.String("/system/"),
			AssumeRolePolicy: pulumi.String(instance_assume_role_policy.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

instance_assume_role_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    actions=["sts:AssumeRole"],
    principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
        type="Service",
        identifiers=["ec2.amazonaws.com"],
    )],
)])
instance = aws.iam.Role("instance",
    path="/system/",
    assume_role_policy=instance_assume_role_policy.json)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const instance-assume-role-policy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["ec2.amazonaws.com"],
        }],
    }],
});
const instance = new aws.iam.Role("instance", {
    path: "/system/",
    assumeRolePolicy: instance_assume_role_policy.then(instance_assume_role_policy => instance_assume_role_policy.json),
});

Example of Exclusive Inline Policies

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var inlinePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = 
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = 
                    {
                        "ec2:DescribeAccountAttributes",
                    },
                    Resources = 
                    {
                        "*",
                    },
                },
            },
        }));
        var example = new Aws.Iam.Role("example", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            InlinePolicies = 
            {
                new Aws.Iam.Inputs.RoleInlinePolicyArgs
                {
                    Name = "my_inline_policy",
                    Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
                    {
                        { "Version", "2012-10-17" },
                        { "Statement", new[]
                            {
                                new Dictionary<string, object?>
                                {
                                    { "Action", new[]
                                        {
                                            "ec2:Describe*",
                                        }
                                     },
                                    { "Effect", "Allow" },
                                    { "Resource", "*" },
                                },
                            }
                         },
                    }),
                },
                new Aws.Iam.Inputs.RoleInlinePolicyArgs
                {
                    Name = "policy-8675309",
                    Policy = inlinePolicy.Apply(inlinePolicy => inlinePolicy.Json),
                },
            },
        });
    }

}

Coming soon!

import pulumi
import json
import pulumi_aws as aws

inline_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    actions=["ec2:DescribeAccountAttributes"],
    resources=["*"],
)])
example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    inline_policies=[
        aws.iam.RoleInlinePolicyArgs(
            name="my_inline_policy",
            policy=json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Action": ["ec2:Describe*"],
                    "Effect": "Allow",
                    "Resource": "*",
                }],
            }),
        ),
        aws.iam.RoleInlinePolicyArgs(
            name="policy-8675309",
            policy=inline_policy.json,
        ),
    ])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const inlinePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["ec2:DescribeAccountAttributes"],
        resources: ["*"],
    }],
});
const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    inlinePolicies: [
        {
            name: "my_inline_policy",
            policy: JSON.stringify({
                Version: "2012-10-17",
                Statement: [{
                    Action: ["ec2:Describe*"],
                    Effect: "Allow",
                    Resource: "*",
                }],
            }),
        },
        {
            name: "policy-8675309",
            policy: inlinePolicy.then(inlinePolicy => inlinePolicy.json),
        },
    ],
});

Example of Removing Inline Policies

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.Iam.Role("example", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            InlinePolicies = 
            {
                ,
            },
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
			InlinePolicies: iam.RoleInlinePolicyArray{
				nil,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    inline_policies=[aws.iam.RoleInlinePolicyArgs()])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    inlinePolicies: [{}],
});

Example of Exclusive Managed Policies

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var policyOne = new Aws.Iam.Policy("policyOne", new Aws.Iam.PolicyArgs
        {
            Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                { "Version", "2012-10-17" },
                { "Statement", new[]
                    {
                        new Dictionary<string, object?>
                        {
                            { "Action", new[]
                                {
                                    "ec2:Describe*",
                                }
                             },
                            { "Effect", "Allow" },
                            { "Resource", "*" },
                        },
                    }
                 },
            }),
        });
        var policyTwo = new Aws.Iam.Policy("policyTwo", new Aws.Iam.PolicyArgs
        {
            Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                { "Version", "2012-10-17" },
                { "Statement", new[]
                    {
                        new Dictionary<string, object?>
                        {
                            { "Action", new[]
                                {
                                    "s3:ListAllMyBuckets",
                                    "s3:ListBucket",
                                    "s3:HeadBucket",
                                }
                             },
                            { "Effect", "Allow" },
                            { "Resource", "*" },
                        },
                    }
                 },
            }),
        });
        var example = new Aws.Iam.Role("example", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            ManagedPolicyArns = 
            {
                policyOne.Arn,
                policyTwo.Arn,
            },
        });
    }

}
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"ec2:Describe*",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		policyOne, err := iam.NewPolicy(ctx, "policyOne", &iam.PolicyArgs{
			Policy: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		tmpJSON1, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"s3:ListAllMyBuckets",
						"s3:ListBucket",
						"s3:HeadBucket",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json1 := string(tmpJSON1)
		policyTwo, err := iam.NewPolicy(ctx, "policyTwo", &iam.PolicyArgs{
			Policy: pulumi.String(json1),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
			ManagedPolicyArns: pulumi.StringArray{
				policyOne.Arn,
				policyTwo.Arn,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import json
import pulumi_aws as aws

policy_one = aws.iam.Policy("policyOne", policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}))
policy_two = aws.iam.Policy("policyTwo", policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:HeadBucket",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}))
example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    managed_policy_arns=[
        policy_one.arn,
        policy_two.arn,
    ])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const policyOne = new aws.iam.Policy("policyOne", {policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Action: ["ec2:Describe*"],
        Effect: "Allow",
        Resource: "*",
    }],
})});
const policyTwo = new aws.iam.Policy("policyTwo", {policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Action: [
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:HeadBucket",
        ],
        Effect: "Allow",
        Resource: "*",
    }],
})});
const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    managedPolicyArns: [
        policyOne.arn,
        policyTwo.arn,
    ],
});

Example of Removing Managed Policies

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.Iam.Role("example", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            ManagedPolicyArns = {},
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy:  pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
			ManagedPolicyArns: []interface{}{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    managed_policy_arns=[])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    managedPolicyArns: [],
});

Create a Role Resource

new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);
@overload
def Role(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         assume_role_policy: Optional[str] = None,
         description: Optional[str] = None,
         force_detach_policies: Optional[bool] = None,
         inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
         managed_policy_arns: Optional[Sequence[str]] = None,
         max_session_duration: Optional[int] = None,
         name: Optional[str] = None,
         name_prefix: Optional[str] = None,
         path: Optional[str] = None,
         permissions_boundary: Optional[str] = None,
         tags: Optional[Mapping[str, str]] = None,
         tags_all: Optional[Mapping[str, str]] = None)
@overload
def Role(resource_name: str,
         args: RoleArgs,
         opts: Optional[ResourceOptions] = None)
func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)
public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Role Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Role resource accepts the following input properties:

AssumeRolePolicy string | string
Policy that grants an entity permission to assume the role.
Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies List<RoleInlinePolicyArgs>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
ManagedPolicyArns List<string>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string
Name of the role policy.
NamePrefix string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags Dictionary<string, string>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider .
AssumeRolePolicy string | string
Policy that grants an entity permission to assume the role.
Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies []RoleInlinePolicy
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
ManagedPolicyArns []string
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string
Name of the role policy.
NamePrefix string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags map[string]string
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider .
assumeRolePolicy string | PolicyDocument
Policy that grants an entity permission to assume the role.
description string
Description of the role.
forceDetachPolicies boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies RoleInlinePolicyArgs[]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
managedPolicyArns string[]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
maxSessionDuration number
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name string
Name of the role policy.
namePrefix string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path string
Path to the role. See IAM Identifiers for more information.
permissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
tags {[key: string]: string}
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider .
assume_role_policy str | str
Policy that grants an entity permission to assume the role.
description str
Description of the role.
force_detach_policies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inline_policies Sequence[RoleInlinePolicyArgs]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
managed_policy_arns Sequence[str]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
max_session_duration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name str
Name of the role policy.
name_prefix str
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path str
Path to the role. See IAM Identifiers for more information.
permissions_boundary str
ARN of the policy that is used to set the permissions boundary for the role.
tags Mapping[str, str]
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider .

Outputs

All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

Arn string
Amazon Resource Name (ARN) specifying the role.
CreateDate string
Creation date of the IAM role.
Id string
The provider-assigned unique ID for this managed resource.
UniqueId string
Stable and unique string identifying the role.
Arn string
Amazon Resource Name (ARN) specifying the role.
CreateDate string
Creation date of the IAM role.
Id string
The provider-assigned unique ID for this managed resource.
UniqueId string
Stable and unique string identifying the role.
arn string
Amazon Resource Name (ARN) specifying the role.
createDate string
Creation date of the IAM role.
id string
The provider-assigned unique ID for this managed resource.
uniqueId string
Stable and unique string identifying the role.
arn str
Amazon Resource Name (ARN) specifying the role.
create_date str
Creation date of the IAM role.
id str
The provider-assigned unique ID for this managed resource.
unique_id str
Stable and unique string identifying the role.

Look up an Existing Role Resource

Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        assume_role_policy: Optional[str] = None,
        create_date: Optional[str] = None,
        description: Optional[str] = None,
        force_detach_policies: Optional[bool] = None,
        inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
        managed_policy_arns: Optional[Sequence[str]] = None,
        max_session_duration: Optional[int] = None,
        name: Optional[str] = None,
        name_prefix: Optional[str] = None,
        path: Optional[str] = None,
        permissions_boundary: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        unique_id: Optional[str] = None) -> Role
func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)
public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string
Amazon Resource Name (ARN) specifying the role.
AssumeRolePolicy string | string
Policy that grants an entity permission to assume the role.
CreateDate string
Creation date of the IAM role.
Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies List<RoleInlinePolicyArgs>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
ManagedPolicyArns List<string>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string
Name of the role policy.
NamePrefix string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags Dictionary<string, string>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider .
UniqueId string
Stable and unique string identifying the role.
Arn string
Amazon Resource Name (ARN) specifying the role.
AssumeRolePolicy string | string
Policy that grants an entity permission to assume the role.
CreateDate string
Creation date of the IAM role.
Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies []RoleInlinePolicy
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
ManagedPolicyArns []string
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name string
Name of the role policy.
NamePrefix string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags map[string]string
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider .
UniqueId string
Stable and unique string identifying the role.
arn string
Amazon Resource Name (ARN) specifying the role.
assumeRolePolicy string | PolicyDocument
Policy that grants an entity permission to assume the role.
createDate string
Creation date of the IAM role.
description string
Description of the role.
forceDetachPolicies boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies RoleInlinePolicyArgs[]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
managedPolicyArns string[]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
maxSessionDuration number
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name string
Name of the role policy.
namePrefix string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path string
Path to the role. See IAM Identifiers for more information.
permissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
tags {[key: string]: string}
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider .
uniqueId string
Stable and unique string identifying the role.
arn str
Amazon Resource Name (ARN) specifying the role.
assume_role_policy str | str
Policy that grants an entity permission to assume the role.
create_date str
Creation date of the IAM role.
description str
Description of the role.
force_detach_policies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inline_policies Sequence[RoleInlinePolicyArgs]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. Defined below. If no blocks are configured, the provider will ignore any managing any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies.
managed_policy_arns Sequence[str]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, the provider will ignore policy attachments to this resource. When configured, the provider will align the role’s managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause the provider to remove all managed policy attachments.
max_session_duration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name str
Name of the role policy.
name_prefix str
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path str
Path to the role. See IAM Identifiers for more information.
permissions_boundary str
ARN of the policy that is used to set the permissions boundary for the role.
tags Mapping[str, str]
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider .
unique_id str
Stable and unique string identifying the role.

Supporting Types

RoleInlinePolicy

Name string
Name of the role policy.
Policy string
Policy document as a JSON formatted string.
Name string
Name of the role policy.
Policy string
Policy document as a JSON formatted string.
name string
Name of the role policy.
policy string
Policy document as a JSON formatted string.
name str
Name of the role policy.
policy str
Policy document as a JSON formatted string.

Import

IAM Roles can be imported using the name, e.g.

 $ pulumi import aws:iam/role:Role developer developer_name

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.