1. Packages
  2. AWS Classic
  3. API Docs
  4. iam
  5. Role

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

aws.iam.Role

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

    Provides an IAM role.

    NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.

    NOTE: If you use this resource’s managed_policy_arns argument or inline_policy configuration blocks, this resource will take over exclusive management of the role’s respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role’s policies, such as aws.iam.PolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.RolePolicy. If you attempt to manage a role’s policies by multiple means, you will get resource cycling and/or errors.

    Example Usage

    Basic Example

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const testRole = new aws.iam.Role("test_role", {
        name: "test_role",
        assumeRolePolicy: JSON.stringify({
            version: "2012-10-17",
            statement: [{
                action: "sts:AssumeRole",
                effect: "Allow",
                sid: "",
                principal: {
                    service: "ec2.amazonaws.com",
                },
            }],
        }),
        tags: {
            "tag-key": "tag-value",
        },
    });
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    test_role = aws.iam.Role("test_role",
        name="test_role",
        assume_role_policy=json.dumps({
            "version": "2012-10-17",
            "statement": [{
                "action": "sts:AssumeRole",
                "effect": "Allow",
                "sid": "",
                "principal": {
                    "service": "ec2.amazonaws.com",
                },
            }],
        }),
        tags={
            "tag-key": "tag-value",
        })
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"version": "2012-10-17",
    			"statement": []map[string]interface{}{
    				map[string]interface{}{
    					"action": "sts:AssumeRole",
    					"effect": "Allow",
    					"sid":    "",
    					"principal": map[string]interface{}{
    						"service": "ec2.amazonaws.com",
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		_, err = iam.NewRole(ctx, "test_role", &iam.RoleArgs{
    			Name:             pulumi.String("test_role"),
    			AssumeRolePolicy: pulumi.String(json0),
    			Tags: pulumi.StringMap{
    				"tag-key": pulumi.String("tag-value"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var testRole = new Aws.Iam.Role("test_role", new()
        {
            Name = "test_role",
            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["version"] = "2012-10-17",
                ["statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["action"] = "sts:AssumeRole",
                        ["effect"] = "Allow",
                        ["sid"] = "",
                        ["principal"] = new Dictionary<string, object?>
                        {
                            ["service"] = "ec2.amazonaws.com",
                        },
                    },
                },
            }),
            Tags = 
            {
                { "tag-key", "tag-value" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var testRole = new Role("testRole", RoleArgs.builder()        
                .name("test_role")
                .assumeRolePolicy(serializeJson(
                    jsonObject(
                        jsonProperty("version", "2012-10-17"),
                        jsonProperty("statement", jsonArray(jsonObject(
                            jsonProperty("action", "sts:AssumeRole"),
                            jsonProperty("effect", "Allow"),
                            jsonProperty("sid", ""),
                            jsonProperty("principal", jsonObject(
                                jsonProperty("service", "ec2.amazonaws.com")
                            ))
                        )))
                    )))
                .tags(Map.of("tag-key", "tag-value"))
                .build());
    
        }
    }
    
    resources:
      testRole:
        type: aws:iam:Role
        name: test_role
        properties:
          name: test_role
          assumeRolePolicy:
            fn::toJSON:
              version: 2012-10-17
              statement:
                - action: sts:AssumeRole
                  effect: Allow
                  sid:
                  principal:
                    service: ec2.amazonaws.com
          tags:
            tag-key: tag-value
    

    Example of Using Data Source for Assume Role Policy

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const instanceAssumeRolePolicy = aws.iam.getPolicyDocument({
        statements: [{
            actions: ["sts:AssumeRole"],
            principals: [{
                type: "Service",
                identifiers: ["ec2.amazonaws.com"],
            }],
        }],
    });
    const instance = new aws.iam.Role("instance", {
        name: "instance_role",
        path: "/system/",
        assumeRolePolicy: instanceAssumeRolePolicy.then(instanceAssumeRolePolicy => instanceAssumeRolePolicy.json),
    });
    
    import pulumi
    import pulumi_aws as aws
    
    instance_assume_role_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        actions=["sts:AssumeRole"],
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["ec2.amazonaws.com"],
        )],
    )])
    instance = aws.iam.Role("instance",
        name="instance_role",
        path="/system/",
        assume_role_policy=instance_assume_role_policy.json)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		instanceAssumeRolePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"ec2.amazonaws.com",
    							},
    						},
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
    			Name:             pulumi.String("instance_role"),
    			Path:             pulumi.String("/system/"),
    			AssumeRolePolicy: pulumi.String(instanceAssumeRolePolicy.Json),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var instanceAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "ec2.amazonaws.com",
                            },
                        },
                    },
                },
            },
        });
    
        var instance = new Aws.Iam.Role("instance", new()
        {
            Name = "instance_role",
            Path = "/system/",
            AssumeRolePolicy = instanceAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var instanceAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .actions("sts:AssumeRole")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("ec2.amazonaws.com")
                        .build())
                    .build())
                .build());
    
            var instance = new Role("instance", RoleArgs.builder()        
                .name("instance_role")
                .path("/system/")
                .assumeRolePolicy(instanceAssumeRolePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
        }
    }
    
    resources:
      instance:
        type: aws:iam:Role
        properties:
          name: instance_role
          path: /system/
          assumeRolePolicy: ${instanceAssumeRolePolicy.json}
    variables:
      instanceAssumeRolePolicy:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - sts:AssumeRole
                principals:
                  - type: Service
                    identifiers:
                      - ec2.amazonaws.com
    

    Example of Exclusive Inline Policies

    This example creates an IAM role with two inline IAM policies. If someone adds another inline policy out-of-band, on the next apply, this provider will remove that policy. If someone deletes these policies out-of-band, this provider will recreate them.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const inlinePolicy = aws.iam.getPolicyDocument({
        statements: [{
            actions: ["ec2:DescribeAccountAttributes"],
            resources: ["*"],
        }],
    });
    const example = new aws.iam.Role("example", {
        name: "yak_role",
        assumeRolePolicy: instanceAssumeRolePolicy.json,
        inlinePolicies: [
            {
                name: "my_inline_policy",
                policy: JSON.stringify({
                    version: "2012-10-17",
                    statement: [{
                        action: ["ec2:Describe*"],
                        effect: "Allow",
                        resource: "*",
                    }],
                }),
            },
            {
                name: "policy-8675309",
                policy: inlinePolicy.then(inlinePolicy => inlinePolicy.json),
            },
        ],
    });
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    inline_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        actions=["ec2:DescribeAccountAttributes"],
        resources=["*"],
    )])
    example = aws.iam.Role("example",
        name="yak_role",
        assume_role_policy=instance_assume_role_policy["json"],
        inline_policies=[
            aws.iam.RoleInlinePolicyArgs(
                name="my_inline_policy",
                policy=json.dumps({
                    "version": "2012-10-17",
                    "statement": [{
                        "action": ["ec2:Describe*"],
                        "effect": "Allow",
                        "resource": "*",
                    }],
                }),
            ),
            aws.iam.RoleInlinePolicyArgs(
                name="policy-8675309",
                policy=inline_policy.json,
            ),
        ])
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		inlinePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"ec2:DescribeAccountAttributes",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"version": "2012-10-17",
    			"statement": []map[string]interface{}{
    				map[string]interface{}{
    					"action": []string{
    						"ec2:Describe*",
    					},
    					"effect":   "Allow",
    					"resource": "*",
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
    			Name:             pulumi.String("yak_role"),
    			AssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),
    			InlinePolicies: iam.RoleInlinePolicyArray{
    				&iam.RoleInlinePolicyArgs{
    					Name:   pulumi.String("my_inline_policy"),
    					Policy: pulumi.String(json0),
    				},
    				&iam.RoleInlinePolicyArgs{
    					Name:   pulumi.String("policy-8675309"),
    					Policy: pulumi.String(inlinePolicy.Json),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var inlinePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "ec2:DescribeAccountAttributes",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        var example = new Aws.Iam.Role("example", new()
        {
            Name = "yak_role",
            AssumeRolePolicy = instanceAssumeRolePolicy.Json,
            InlinePolicies = new[]
            {
                new Aws.Iam.Inputs.RoleInlinePolicyArgs
                {
                    Name = "my_inline_policy",
                    Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
                    {
                        ["version"] = "2012-10-17",
                        ["statement"] = new[]
                        {
                            new Dictionary<string, object?>
                            {
                                ["action"] = new[]
                                {
                                    "ec2:Describe*",
                                },
                                ["effect"] = "Allow",
                                ["resource"] = "*",
                            },
                        },
                    }),
                },
                new Aws.Iam.Inputs.RoleInlinePolicyArgs
                {
                    Name = "policy-8675309",
                    Policy = inlinePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var inlinePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:DescribeAccountAttributes")
                    .resources("*")
                    .build())
                .build());
    
            var example = new Role("example", RoleArgs.builder()        
                .name("yak_role")
                .assumeRolePolicy(instanceAssumeRolePolicy.json())
                .inlinePolicies(            
                    RoleInlinePolicyArgs.builder()
                        .name("my_inline_policy")
                        .policy(serializeJson(
                            jsonObject(
                                jsonProperty("version", "2012-10-17"),
                                jsonProperty("statement", jsonArray(jsonObject(
                                    jsonProperty("action", jsonArray("ec2:Describe*")),
                                    jsonProperty("effect", "Allow"),
                                    jsonProperty("resource", "*")
                                )))
                            )))
                        .build(),
                    RoleInlinePolicyArgs.builder()
                        .name("policy-8675309")
                        .policy(inlinePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                        .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          name: yak_role
          assumeRolePolicy: ${instanceAssumeRolePolicy.json}
          inlinePolicies:
            - name: my_inline_policy
              policy:
                fn::toJSON:
                  version: 2012-10-17
                  statement:
                    - action:
                        - ec2:Describe*
                      effect: Allow
                      resource: '*'
            - name: policy-8675309
              policy: ${inlinePolicy.json}
    variables:
      inlinePolicy:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - ec2:DescribeAccountAttributes
                resources:
                  - '*'
    

    Example of Removing Inline Policies

    This example creates an IAM role with what appears to be empty IAM inline_policy argument instead of using inline_policy as a configuration block. The result is that if someone were to add an inline policy out-of-band, on the next apply, this provider will remove that policy.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.iam.Role("example", {
        inlinePolicies: [{}],
        name: "yak_role",
        assumeRolePolicy: instanceAssumeRolePolicy.json,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.iam.Role("example",
        inline_policies=[aws.iam.RoleInlinePolicyArgs()],
        name="yak_role",
        assume_role_policy=instance_assume_role_policy["json"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
    			InlinePolicies: iam.RoleInlinePolicyArray{
    				nil,
    			},
    			Name:             pulumi.String("yak_role"),
    			AssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Iam.Role("example", new()
        {
            InlinePolicies = new[]
            {
                null,
            },
            Name = "yak_role",
            AssumeRolePolicy = instanceAssumeRolePolicy.Json,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Role("example", RoleArgs.builder()        
                .inlinePolicies()
                .name("yak_role")
                .assumeRolePolicy(instanceAssumeRolePolicy.json())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          inlinePolicies:
            - {}
          name: yak_role
          assumeRolePolicy: ${instanceAssumeRolePolicy.json}
    

    Example of Exclusive Managed Policies

    This example creates an IAM role and attaches two managed IAM policies. If someone attaches another managed policy out-of-band, on the next apply, this provider will detach that policy. If someone detaches these policies out-of-band, this provider will attach them again.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const policyOne = new aws.iam.Policy("policy_one", {
        name: "policy-618033",
        policy: JSON.stringify({
            version: "2012-10-17",
            statement: [{
                action: ["ec2:Describe*"],
                effect: "Allow",
                resource: "*",
            }],
        }),
    });
    const policyTwo = new aws.iam.Policy("policy_two", {
        name: "policy-381966",
        policy: JSON.stringify({
            version: "2012-10-17",
            statement: [{
                action: [
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket",
                    "s3:HeadBucket",
                ],
                effect: "Allow",
                resource: "*",
            }],
        }),
    });
    const example = new aws.iam.Role("example", {
        name: "yak_role",
        assumeRolePolicy: instanceAssumeRolePolicy.json,
        managedPolicyArns: [
            policyOne.arn,
            policyTwo.arn,
        ],
    });
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    policy_one = aws.iam.Policy("policy_one",
        name="policy-618033",
        policy=json.dumps({
            "version": "2012-10-17",
            "statement": [{
                "action": ["ec2:Describe*"],
                "effect": "Allow",
                "resource": "*",
            }],
        }))
    policy_two = aws.iam.Policy("policy_two",
        name="policy-381966",
        policy=json.dumps({
            "version": "2012-10-17",
            "statement": [{
                "action": [
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket",
                    "s3:HeadBucket",
                ],
                "effect": "Allow",
                "resource": "*",
            }],
        }))
    example = aws.iam.Role("example",
        name="yak_role",
        assume_role_policy=instance_assume_role_policy["json"],
        managed_policy_arns=[
            policy_one.arn,
            policy_two.arn,
        ])
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"version": "2012-10-17",
    			"statement": []map[string]interface{}{
    				map[string]interface{}{
    					"action": []string{
    						"ec2:Describe*",
    					},
    					"effect":   "Allow",
    					"resource": "*",
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		policyOne, err := iam.NewPolicy(ctx, "policy_one", &iam.PolicyArgs{
    			Name:   pulumi.String("policy-618033"),
    			Policy: pulumi.String(json0),
    		})
    		if err != nil {
    			return err
    		}
    		tmpJSON1, err := json.Marshal(map[string]interface{}{
    			"version": "2012-10-17",
    			"statement": []map[string]interface{}{
    				map[string]interface{}{
    					"action": []string{
    						"s3:ListAllMyBuckets",
    						"s3:ListBucket",
    						"s3:HeadBucket",
    					},
    					"effect":   "Allow",
    					"resource": "*",
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json1 := string(tmpJSON1)
    		policyTwo, err := iam.NewPolicy(ctx, "policy_two", &iam.PolicyArgs{
    			Name:   pulumi.String("policy-381966"),
    			Policy: pulumi.String(json1),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
    			Name:             pulumi.String("yak_role"),
    			AssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),
    			ManagedPolicyArns: pulumi.StringArray{
    				policyOne.Arn,
    				policyTwo.Arn,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var policyOne = new Aws.Iam.Policy("policy_one", new()
        {
            Name = "policy-618033",
            PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["version"] = "2012-10-17",
                ["statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["action"] = new[]
                        {
                            "ec2:Describe*",
                        },
                        ["effect"] = "Allow",
                        ["resource"] = "*",
                    },
                },
            }),
        });
    
        var policyTwo = new Aws.Iam.Policy("policy_two", new()
        {
            Name = "policy-381966",
            PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["version"] = "2012-10-17",
                ["statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["action"] = new[]
                        {
                            "s3:ListAllMyBuckets",
                            "s3:ListBucket",
                            "s3:HeadBucket",
                        },
                        ["effect"] = "Allow",
                        ["resource"] = "*",
                    },
                },
            }),
        });
    
        var example = new Aws.Iam.Role("example", new()
        {
            Name = "yak_role",
            AssumeRolePolicy = instanceAssumeRolePolicy.Json,
            ManagedPolicyArns = new[]
            {
                policyOne.Arn,
                policyTwo.Arn,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Policy;
    import com.pulumi.aws.iam.PolicyArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var policyOne = new Policy("policyOne", PolicyArgs.builder()        
                .name("policy-618033")
                .policy(serializeJson(
                    jsonObject(
                        jsonProperty("version", "2012-10-17"),
                        jsonProperty("statement", jsonArray(jsonObject(
                            jsonProperty("action", jsonArray("ec2:Describe*")),
                            jsonProperty("effect", "Allow"),
                            jsonProperty("resource", "*")
                        )))
                    )))
                .build());
    
            var policyTwo = new Policy("policyTwo", PolicyArgs.builder()        
                .name("policy-381966")
                .policy(serializeJson(
                    jsonObject(
                        jsonProperty("version", "2012-10-17"),
                        jsonProperty("statement", jsonArray(jsonObject(
                            jsonProperty("action", jsonArray(
                                "s3:ListAllMyBuckets", 
                                "s3:ListBucket", 
                                "s3:HeadBucket"
                            )),
                            jsonProperty("effect", "Allow"),
                            jsonProperty("resource", "*")
                        )))
                    )))
                .build());
    
            var example = new Role("example", RoleArgs.builder()        
                .name("yak_role")
                .assumeRolePolicy(instanceAssumeRolePolicy.json())
                .managedPolicyArns(            
                    policyOne.arn(),
                    policyTwo.arn())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          name: yak_role
          assumeRolePolicy: ${instanceAssumeRolePolicy.json}
          managedPolicyArns:
            - ${policyOne.arn}
            - ${policyTwo.arn}
      policyOne:
        type: aws:iam:Policy
        name: policy_one
        properties:
          name: policy-618033
          policy:
            fn::toJSON:
              version: 2012-10-17
              statement:
                - action:
                    - ec2:Describe*
                  effect: Allow
                  resource: '*'
      policyTwo:
        type: aws:iam:Policy
        name: policy_two
        properties:
          name: policy-381966
          policy:
            fn::toJSON:
              version: 2012-10-17
              statement:
                - action:
                    - s3:ListAllMyBuckets
                    - s3:ListBucket
                    - s3:HeadBucket
                  effect: Allow
                  resource: '*'
    

    Example of Removing Managed Policies

    This example creates an IAM role with an empty managed_policy_arns argument. If someone attaches a policy out-of-band, on the next apply, this provider will detach that policy.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.iam.Role("example", {
        name: "yak_role",
        assumeRolePolicy: instanceAssumeRolePolicy.json,
        managedPolicyArns: [],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.iam.Role("example",
        name="yak_role",
        assume_role_policy=instance_assume_role_policy["json"],
        managed_policy_arns=[])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
    			Name:              pulumi.String("yak_role"),
    			AssumeRolePolicy:  pulumi.Any(instanceAssumeRolePolicy.Json),
    			ManagedPolicyArns: pulumi.StringArray{},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Iam.Role("example", new()
        {
            Name = "yak_role",
            AssumeRolePolicy = instanceAssumeRolePolicy.Json,
            ManagedPolicyArns = new[] {},
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Role("example", RoleArgs.builder()        
                .name("yak_role")
                .assumeRolePolicy(instanceAssumeRolePolicy.json())
                .managedPolicyArns()
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          name: yak_role
          assumeRolePolicy: ${instanceAssumeRolePolicy.json}
          managedPolicyArns: []
    

    Create Role Resource

    new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);
    @overload
    def Role(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             assume_role_policy: Optional[str] = None,
             description: Optional[str] = None,
             force_detach_policies: Optional[bool] = None,
             inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
             managed_policy_arns: Optional[Sequence[str]] = None,
             max_session_duration: Optional[int] = None,
             name: Optional[str] = None,
             name_prefix: Optional[str] = None,
             path: Optional[str] = None,
             permissions_boundary: Optional[str] = None,
             tags: Optional[Mapping[str, str]] = None)
    @overload
    def Role(resource_name: str,
             args: RoleArgs,
             opts: Optional[ResourceOptions] = None)
    func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)
    public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)
    public Role(String name, RoleArgs args)
    public Role(String name, RoleArgs args, CustomResourceOptions options)
    
    type: aws:iam:Role
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Role Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Role resource accepts the following input properties:

    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    Description string
    Description of the role.
    ForceDetachPolicies bool
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    InlinePolicies List<RoleInlinePolicy>
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    ManagedPolicyArns List<string>
    MaxSessionDuration int
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    Name string
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    NamePrefix string
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    Path string
    Path to the role. See IAM Identifiers for more information.
    PermissionsBoundary string
    ARN of the policy that is used to set the permissions boundary for the role.
    Tags Dictionary<string, string>
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    Description string
    Description of the role.
    ForceDetachPolicies bool
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    InlinePolicies []RoleInlinePolicyArgs
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    ManagedPolicyArns []string
    MaxSessionDuration int
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    Name string
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    NamePrefix string
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    Path string
    Path to the role. See IAM Identifiers for more information.
    PermissionsBoundary string
    ARN of the policy that is used to set the permissions boundary for the role.
    Tags map[string]string
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    assumeRolePolicy String | String

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description String
    Description of the role.
    forceDetachPolicies Boolean
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inlinePolicies List<RoleInlinePolicy>
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managedPolicyArns List<String>
    maxSessionDuration Integer
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name String
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    namePrefix String
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path String
    Path to the role. See IAM Identifiers for more information.
    permissionsBoundary String
    ARN of the policy that is used to set the permissions boundary for the role.
    tags Map<String,String>
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    assumeRolePolicy string | PolicyDocument

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description string
    Description of the role.
    forceDetachPolicies boolean
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inlinePolicies RoleInlinePolicy[]
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managedPolicyArns string[]
    maxSessionDuration number
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name string
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    namePrefix string
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path string
    Path to the role. See IAM Identifiers for more information.
    permissionsBoundary string
    ARN of the policy that is used to set the permissions boundary for the role.
    tags {[key: string]: string}
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    assume_role_policy str | str

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description str
    Description of the role.
    force_detach_policies bool
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inline_policies Sequence[RoleInlinePolicyArgs]
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managed_policy_arns Sequence[str]
    max_session_duration int
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name str
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    name_prefix str
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path str
    Path to the role. See IAM Identifiers for more information.
    permissions_boundary str
    ARN of the policy that is used to set the permissions boundary for the role.
    tags Mapping[str, str]
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    assumeRolePolicy String |

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description String
    Description of the role.
    forceDetachPolicies Boolean
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inlinePolicies List<Property Map>
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managedPolicyArns List<String>
    maxSessionDuration Number
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name String
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    namePrefix String
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path String
    Path to the role. See IAM Identifiers for more information.
    permissionsBoundary String
    ARN of the policy that is used to set the permissions boundary for the role.
    tags Map<String>
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

    Arn string
    Amazon Resource Name (ARN) specifying the role.
    CreateDate string
    Creation date of the IAM role.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    UniqueId string
    Stable and unique string identifying the role.
    Arn string
    Amazon Resource Name (ARN) specifying the role.
    CreateDate string
    Creation date of the IAM role.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    UniqueId string
    Stable and unique string identifying the role.
    arn String
    Amazon Resource Name (ARN) specifying the role.
    createDate String
    Creation date of the IAM role.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    uniqueId String
    Stable and unique string identifying the role.
    arn string
    Amazon Resource Name (ARN) specifying the role.
    createDate string
    Creation date of the IAM role.
    id string
    The provider-assigned unique ID for this managed resource.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    uniqueId string
    Stable and unique string identifying the role.
    arn str
    Amazon Resource Name (ARN) specifying the role.
    create_date str
    Creation date of the IAM role.
    id str
    The provider-assigned unique ID for this managed resource.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    unique_id str
    Stable and unique string identifying the role.
    arn String
    Amazon Resource Name (ARN) specifying the role.
    createDate String
    Creation date of the IAM role.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    uniqueId String
    Stable and unique string identifying the role.

    Look up Existing Role Resource

    Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            assume_role_policy: Optional[str] = None,
            create_date: Optional[str] = None,
            description: Optional[str] = None,
            force_detach_policies: Optional[bool] = None,
            inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
            managed_policy_arns: Optional[Sequence[str]] = None,
            max_session_duration: Optional[int] = None,
            name: Optional[str] = None,
            name_prefix: Optional[str] = None,
            path: Optional[str] = None,
            permissions_boundary: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            unique_id: Optional[str] = None) -> Role
    func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)
    public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)
    public static Role get(String name, Output<String> id, RoleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    Amazon Resource Name (ARN) specifying the role.
    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    CreateDate string
    Creation date of the IAM role.
    Description string
    Description of the role.
    ForceDetachPolicies bool
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    InlinePolicies List<RoleInlinePolicy>
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    ManagedPolicyArns List<string>
    MaxSessionDuration int
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    Name string
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    NamePrefix string
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    Path string
    Path to the role. See IAM Identifiers for more information.
    PermissionsBoundary string
    ARN of the policy that is used to set the permissions boundary for the role.
    Tags Dictionary<string, string>
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    UniqueId string
    Stable and unique string identifying the role.
    Arn string
    Amazon Resource Name (ARN) specifying the role.
    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    CreateDate string
    Creation date of the IAM role.
    Description string
    Description of the role.
    ForceDetachPolicies bool
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    InlinePolicies []RoleInlinePolicyArgs
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    ManagedPolicyArns []string
    MaxSessionDuration int
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    Name string
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    NamePrefix string
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    Path string
    Path to the role. See IAM Identifiers for more information.
    PermissionsBoundary string
    ARN of the policy that is used to set the permissions boundary for the role.
    Tags map[string]string
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    UniqueId string
    Stable and unique string identifying the role.
    arn String
    Amazon Resource Name (ARN) specifying the role.
    assumeRolePolicy String | String

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    createDate String
    Creation date of the IAM role.
    description String
    Description of the role.
    forceDetachPolicies Boolean
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inlinePolicies List<RoleInlinePolicy>
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managedPolicyArns List<String>
    maxSessionDuration Integer
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name String
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    namePrefix String
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path String
    Path to the role. See IAM Identifiers for more information.
    permissionsBoundary String
    ARN of the policy that is used to set the permissions boundary for the role.
    tags Map<String,String>
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    uniqueId String
    Stable and unique string identifying the role.
    arn string
    Amazon Resource Name (ARN) specifying the role.
    assumeRolePolicy string | PolicyDocument

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    createDate string
    Creation date of the IAM role.
    description string
    Description of the role.
    forceDetachPolicies boolean
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inlinePolicies RoleInlinePolicy[]
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managedPolicyArns string[]
    maxSessionDuration number
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name string
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    namePrefix string
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path string
    Path to the role. See IAM Identifiers for more information.
    permissionsBoundary string
    ARN of the policy that is used to set the permissions boundary for the role.
    tags {[key: string]: string}
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    uniqueId string
    Stable and unique string identifying the role.
    arn str
    Amazon Resource Name (ARN) specifying the role.
    assume_role_policy str | str

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    create_date str
    Creation date of the IAM role.
    description str
    Description of the role.
    force_detach_policies bool
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inline_policies Sequence[RoleInlinePolicyArgs]
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managed_policy_arns Sequence[str]
    max_session_duration int
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name str
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    name_prefix str
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path str
    Path to the role. See IAM Identifiers for more information.
    permissions_boundary str
    ARN of the policy that is used to set the permissions boundary for the role.
    tags Mapping[str, str]
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    unique_id str
    Stable and unique string identifying the role.
    arn String
    Amazon Resource Name (ARN) specifying the role.
    assumeRolePolicy String |

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    createDate String
    Creation date of the IAM role.
    description String
    Description of the role.
    forceDetachPolicies Boolean
    Whether to force detaching any policies the role has before destroying it. Defaults to false.
    inlinePolicies List<Property Map>
    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.
    managedPolicyArns List<String>
    maxSessionDuration Number
    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
    name String
    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
    namePrefix String
    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
    path String
    Path to the role. See IAM Identifiers for more information.
    permissionsBoundary String
    ARN of the policy that is used to set the permissions boundary for the role.
    tags Map<String>
    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    uniqueId String
    Stable and unique string identifying the role.

    Supporting Types

    RoleInlinePolicy, RoleInlinePolicyArgs

    Name string
    Name of the role policy.
    Policy string
    Policy document as a JSON formatted string.
    Name string
    Name of the role policy.
    Policy string
    Policy document as a JSON formatted string.
    name String
    Name of the role policy.
    policy String
    Policy document as a JSON formatted string.
    name string
    Name of the role policy.
    policy string
    Policy document as a JSON formatted string.
    name str
    Name of the role policy.
    policy str
    Policy document as a JSON formatted string.
    name String
    Name of the role policy.
    policy String
    Policy document as a JSON formatted string.

    Import

    Using pulumi import, import IAM Roles using the name. For example:

    $ pulumi import aws:iam/role:Role developer developer_name
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi