Module iam

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

namespace ManagedPolicies

const AdministratorAccess

const AdministratorAccess: ARN = "arn:aws:iam::aws:policy/AdministratorAccess";

Use ManagedPolicy.AdministratorAccess instead.

const AmazonAPIGatewayAdministrator

const AmazonAPIGatewayAdministrator: ARN = "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator";

Use ManagedPolicy.AmazonAPIGatewayAdministrator instead.

const AmazonAPIGatewayInvokeFullAccess

const AmazonAPIGatewayInvokeFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess";

Use ManagedPolicy.AmazonAPIGatewayInvokeFullAccess instead.

const AmazonAPIGatewayPushToCloudWatchLogs

const AmazonAPIGatewayPushToCloudWatchLogs: ARN = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs";

Use ManagedPolicy.AmazonAPIGatewayPushToCloudWatchLogs instead.

const AmazonAppStreamFullAccess

const AmazonAppStreamFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonAppStreamFullAccess";

Use ManagedPolicy.AmazonAppStreamFullAccess instead.

const AmazonAppStreamReadOnlyAccess

const AmazonAppStreamReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonAppStreamReadOnlyAccess";

Use ManagedPolicy.AmazonAppStreamReadOnlyAccess instead.

const AmazonAppStreamServiceAccess

const AmazonAppStreamServiceAccess: ARN = "arn:aws:iam::aws:policy/service-role/AmazonAppStreamServiceAccess";

Use ManagedPolicy.AmazonAppStreamServiceAccess instead.

const AmazonAthenaFullAccess

const AmazonAthenaFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonAthenaFullAccess";

Use ManagedPolicy.AmazonAthenaFullAccess instead.

const AmazonCloudDirectoryFullAccess

const AmazonCloudDirectoryFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess";

Use ManagedPolicy.AmazonCloudDirectoryFullAccess instead.

const AmazonCloudDirectoryReadOnlyAccess

const AmazonCloudDirectoryReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonCloudDirectoryReadOnlyAccess";

Use ManagedPolicy.AmazonCloudDirectoryReadOnlyAccess instead.

const AmazonCognitoDeveloperAuthenticatedIdentities

const AmazonCognitoDeveloperAuthenticatedIdentities: ARN = "arn:aws:iam::aws:policy/AmazonCognitoDeveloperAuthenticatedIdentities";

Use ManagedPolicy.AmazonCognitoDeveloperAuthenticatedIdentities instead.

const AmazonCognitoPowerUser

const AmazonCognitoPowerUser: ARN = "arn:aws:iam::aws:policy/AmazonCognitoPowerUser";

Use ManagedPolicy.AmazonCognitoPowerUser instead.

const AmazonCognitoReadOnly

const AmazonCognitoReadOnly: ARN = "arn:aws:iam::aws:policy/AmazonCognitoReadOnly";

Use ManagedPolicy.AmazonCognitoReadOnly instead.

const AmazonDMSCloudWatchLogsRole

const AmazonDMSCloudWatchLogsRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole";

Use ManagedPolicy.AmazonDMSCloudWatchLogsRole instead.

const AmazonDMSRedshiftS3Role

const AmazonDMSRedshiftS3Role: ARN = "arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role";

Use ManagedPolicy.AmazonDMSRedshiftS3Role instead.

const AmazonDMSVPCManagementRole

const AmazonDMSVPCManagementRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole";

Use ManagedPolicy.AmazonDMSVPCManagementRole instead.

const AmazonDRSVPCManagement

const AmazonDRSVPCManagement: ARN = "arn:aws:iam::aws:policy/AmazonDRSVPCManagement";

Use ManagedPolicy.AmazonDRSVPCManagement instead.

const AmazonDynamoDBFullAccess

const AmazonDynamoDBFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess";

Use ManagedPolicy.AmazonDynamoDBFullAccess instead.

const AmazonDynamoDBFullAccesswithDataPipeline

const AmazonDynamoDBFullAccesswithDataPipeline: ARN = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccesswithDataPipeline";

Use ManagedPolicy.AmazonDynamoDBFullAccesswithDataPipeline instead.

const AmazonDynamoDBReadOnlyAccess

const AmazonDynamoDBReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess";

Use ManagedPolicy.AmazonDynamoDBReadOnlyAccess instead.

const AmazonEC2ContainerRegistryFullAccess

const AmazonEC2ContainerRegistryFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess";

Use ManagedPolicy.AmazonEC2ContainerRegistryFullAccess instead.

const AmazonEC2ContainerRegistryPowerUser

const AmazonEC2ContainerRegistryPowerUser: ARN = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser";

Use ManagedPolicy.AmazonEC2ContainerRegistryPowerUser instead.

const AmazonEC2ContainerRegistryReadOnly

const AmazonEC2ContainerRegistryReadOnly: ARN = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly";

Use ManagedPolicy.AmazonEC2ContainerRegistryReadOnly instead.

const AmazonEC2ContainerServiceAutoscaleRole

const AmazonEC2ContainerServiceAutoscaleRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole";

Use ManagedPolicy.AmazonEC2ContainerServiceAutoscaleRole instead.

const AmazonEC2ContainerServiceforEC2Role

const AmazonEC2ContainerServiceforEC2Role: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role";

Use ManagedPolicy.AmazonEC2ContainerServiceforEC2Role instead.

const AmazonEC2ContainerServiceFullAccess

const AmazonEC2ContainerServiceFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess";

Use ManagedPolicy.AmazonEC2ContainerServiceFullAccess instead.

const AmazonEC2ContainerServiceRole

const AmazonEC2ContainerServiceRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole";

Use ManagedPolicy.AmazonEC2ContainerServiceRole instead.

const AmazonEC2FullAccess

const AmazonEC2FullAccess: ARN = "arn:aws:iam::aws:policy/AmazonEC2FullAccess";

Use ManagedPolicy.AmazonEC2FullAccess instead.

const AmazonEC2ReadOnlyAccess

const AmazonEC2ReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess";

Use ManagedPolicy.AmazonEC2ReadOnlyAccess instead.

const AmazonEC2ReportsAccess

const AmazonEC2ReportsAccess: ARN = "arn:aws:iam::aws:policy/AmazonEC2ReportsAccess";

Use ManagedPolicy.AmazonEC2ReportsAccess instead.

const AmazonEC2RoleforAWSCodeDeploy

const AmazonEC2RoleforAWSCodeDeploy: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy";

Use ManagedPolicy.AmazonEC2RoleforAWSCodeDeploy instead.

const AmazonEC2RoleforDataPipelineRole

const AmazonEC2RoleforDataPipelineRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole";

Use ManagedPolicy.AmazonEC2RoleforDataPipelineRole instead.

const AmazonEC2RoleforSSM

const AmazonEC2RoleforSSM: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM";

Use ManagedPolicy.AmazonEC2RoleforSSM instead.

const AmazonEC2SpotFleetAutoscaleRole

const AmazonEC2SpotFleetAutoscaleRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetAutoscaleRole";

Use ManagedPolicy.AmazonEC2SpotFleetAutoscaleRole instead.

const AmazonEC2SpotFleetRole

const AmazonEC2SpotFleetRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetRole";

Use ManagedPolicy.AmazonEC2SpotFleetRole instead.

const AmazonEC2SpotFleetTaggingRole

const AmazonEC2SpotFleetTaggingRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole";

Use ManagedPolicy.AmazonEC2SpotFleetTaggingRole instead.

const AmazonElastiCacheFullAccess

const AmazonElastiCacheFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess";

Use ManagedPolicy.AmazonElastiCacheFullAccess instead.

const AmazonElastiCacheReadOnlyAccess

const AmazonElastiCacheReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess";

Use ManagedPolicy.AmazonElastiCacheReadOnlyAccess instead.

const AmazonElasticFileSystemFullAccess

const AmazonElasticFileSystemFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess";

Use ManagedPolicy.AmazonElasticFileSystemFullAccess instead.

const AmazonElasticFileSystemReadOnlyAccess

const AmazonElasticFileSystemReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess";

Use ManagedPolicy.AmazonElasticFileSystemReadOnlyAccess instead.

const AmazonElasticMapReduceforAutoScalingRole

const AmazonElasticMapReduceforAutoScalingRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole";

Use ManagedPolicy.AmazonElasticMapReduceforAutoScalingRole instead.

const AmazonElasticMapReduceforEC2Role

const AmazonElasticMapReduceforEC2Role: ARN = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role";

Use ManagedPolicy.AmazonElasticMapReduceforEC2Role instead.

const AmazonElasticMapReduceFullAccess

const AmazonElasticMapReduceFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess";

Use ManagedPolicy.AmazonElasticMapReduceFullAccess instead.

const AmazonElasticMapReduceReadOnlyAccess

const AmazonElasticMapReduceReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonElasticMapReduceReadOnlyAccess";

Use ManagedPolicy.AmazonElasticMapReduceReadOnlyAccess instead.

const AmazonElasticMapReduceRole

const AmazonElasticMapReduceRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole";

Use ManagedPolicy.AmazonElasticMapReduceRole instead.

const AmazonElasticTranscoderFullAccess

const AmazonElasticTranscoderFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess";

Use ManagedPolicy.AmazonElasticTranscoderFullAccess instead.

const AmazonElasticTranscoderJobsSubmitter

const AmazonElasticTranscoderJobsSubmitter: ARN = "arn:aws:iam::aws:policy/AmazonElasticTranscoderJobsSubmitter";

Use ManagedPolicy.AmazonElasticTranscoderJobsSubmitter instead.

const AmazonElasticTranscoderReadOnlyAccess

const AmazonElasticTranscoderReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonElasticTranscoderReadOnlyAccess";

Use ManagedPolicy.AmazonElasticTranscoderReadOnlyAccess instead.

const AmazonElasticTranscoderRole

const AmazonElasticTranscoderRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonElasticTranscoderRole";

Use ManagedPolicy.AmazonElasticTranscoderRole instead.

const AmazonESFullAccess

const AmazonESFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonESFullAccess";

Use ManagedPolicy.AmazonESFullAccess instead.

const AmazonESReadOnlyAccess

const AmazonESReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonESReadOnlyAccess";

Use ManagedPolicy.AmazonESReadOnlyAccess instead.

const AmazonGlacierFullAccess

const AmazonGlacierFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonGlacierFullAccess";

Use ManagedPolicy.AmazonGlacierFullAccess instead.

const AmazonGlacierReadOnlyAccess

const AmazonGlacierReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess";

Use ManagedPolicy.AmazonGlacierReadOnlyAccess instead.

const AmazonInspectorFullAccess

const AmazonInspectorFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonInspectorFullAccess";

Use ManagedPolicy.AmazonInspectorFullAccess instead.

const AmazonInspectorReadOnlyAccess

const AmazonInspectorReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonInspectorReadOnlyAccess";

Use ManagedPolicy.AmazonInspectorReadOnlyAccess instead.

const AmazonKinesisAnalyticsFullAccess

const AmazonKinesisAnalyticsFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonKinesisAnalyticsFullAccess";

Use ManagedPolicy.AmazonKinesisAnalyticsFullAccess instead.

const AmazonKinesisAnalyticsReadOnly

const AmazonKinesisAnalyticsReadOnly: ARN = "arn:aws:iam::aws:policy/AmazonKinesisAnalyticsReadOnly";

Use ManagedPolicy.AmazonKinesisAnalyticsReadOnly instead.

const AmazonKinesisFirehoseFullAccess

const AmazonKinesisFirehoseFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess";

Use ManagedPolicy.AmazonKinesisFirehoseFullAccess instead.

const AmazonKinesisFirehoseReadOnlyAccess

const AmazonKinesisFirehoseReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseReadOnlyAccess";

Use ManagedPolicy.AmazonKinesisFirehoseReadOnlyAccess instead.

const AmazonKinesisFullAccess

const AmazonKinesisFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess";

Use ManagedPolicy.AmazonKinesisFullAccess instead.

const AmazonKinesisReadOnlyAccess

const AmazonKinesisReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonKinesisReadOnlyAccess";

Use ManagedPolicy.AmazonKinesisReadOnlyAccess instead.

const AmazonLexFullAccess

const AmazonLexFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonLexFullAccess";

Use ManagedPolicy.AmazonLexFullAccess instead.

const AmazonLexReadOnly

const AmazonLexReadOnly: ARN = "arn:aws:iam::aws:policy/AmazonLexReadOnly";

Use ManagedPolicy.AmazonLexReadOnly instead.

const AmazonLexRunBotsOnly

const AmazonLexRunBotsOnly: ARN = "arn:aws:iam::aws:policy/AmazonLexRunBotsOnly";

Use ManagedPolicy.AmazonLexRunBotsOnly instead.

const AmazonMachineLearningBatchPredictionsAccess

const AmazonMachineLearningBatchPredictionsAccess: ARN = "arn:aws:iam::aws:policy/AmazonMachineLearningBatchPredictionsAccess";

Use ManagedPolicy.AmazonMachineLearningBatchPredictionsAccess instead.

const AmazonMachineLearningCreateOnlyAccess

const AmazonMachineLearningCreateOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonMachineLearningCreateOnlyAccess";

Use ManagedPolicy.AmazonMachineLearningCreateOnlyAccess instead.

const AmazonMachineLearningFullAccess

const AmazonMachineLearningFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonMachineLearningFullAccess";

Use ManagedPolicy.AmazonMachineLearningFullAccess instead.

const AmazonMachineLearningManageRealTimeEndpointOnlyAccess

const AmazonMachineLearningManageRealTimeEndpointOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonMachineLearningManageRealTimeEndpointOnlyAccess";

Use ManagedPolicy.AmazonMachineLearningManageRealTimeEndpointOnlyAccess instead.

const AmazonMachineLearningReadOnlyAccess

const AmazonMachineLearningReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonMachineLearningReadOnlyAccess";

Use ManagedPolicy.AmazonMachineLearningReadOnlyAccess instead.

const AmazonMachineLearningRealTimePredictionOnlyAccess

const AmazonMachineLearningRealTimePredictionOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonMachineLearningRealTimePredictionOnlyAccess";

Use ManagedPolicy.AmazonMachineLearningRealTimePredictionOnlyAccess instead.

const AmazonMachineLearningRoleforRedshiftDataSource

const AmazonMachineLearningRoleforRedshiftDataSource: ARN = "arn:aws:iam::aws:policy/service-role/AmazonMachineLearningRoleforRedshiftDataSource";

Use ManagedPolicy.AmazonMachineLearningRoleforRedshiftDataSource instead.

const AmazonMechanicalTurkFullAccess

const AmazonMechanicalTurkFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonMechanicalTurkFullAccess";

Use ManagedPolicy.AmazonMechanicalTurkFullAccess instead.

const AmazonMechanicalTurkReadOnly

const AmazonMechanicalTurkReadOnly: ARN = "arn:aws:iam::aws:policy/AmazonMechanicalTurkReadOnly";

Use ManagedPolicy.AmazonMechanicalTurkReadOnly instead.

const AmazonMobileAnalyticsFinancialReportAccess

const AmazonMobileAnalyticsFinancialReportAccess: ARN = "arn:aws:iam::aws:policy/AmazonMobileAnalyticsFinancialReportAccess";

Use ManagedPolicy.AmazonMobileAnalyticsFinancialReportAccess instead.

const AmazonMobileAnalyticsFullAccess

const AmazonMobileAnalyticsFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonMobileAnalyticsFullAccess";

Use ManagedPolicy.AmazonMobileAnalyticsFullAccess instead.

const AmazonMobileAnalyticsNonfinancialReportAccess

const AmazonMobileAnalyticsNonfinancialReportAccess: ARN = "arn:aws:iam::aws:policy/AmazonMobileAnalyticsNon-financialReportAccess";

Use ManagedPolicy.AmazonMobileAnalyticsNonfinancialReportAccess instead.

const AmazonMobileAnalyticsWriteOnlyAccess

const AmazonMobileAnalyticsWriteOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonMobileAnalyticsWriteOnlyAccess";

Use ManagedPolicy.AmazonMobileAnalyticsWriteOnlyAccess instead.

const AmazonPollyFullAccess

const AmazonPollyFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonPollyFullAccess";

Use ManagedPolicy.AmazonPollyFullAccess instead.

const AmazonPollyReadOnlyAccess

const AmazonPollyReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonPollyReadOnlyAccess";

Use ManagedPolicy.AmazonPollyReadOnlyAccess instead.

const AmazonRDSDataFullAccess

const AmazonRDSDataFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonRDSDataFullAccess";

Use ManagedPolicy.AmazonRDSDataFullAccess instead.

const AmazonRDSDirectoryServiceAccess

const AmazonRDSDirectoryServiceAccess: ARN = "arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess";

Use ManagedPolicy.AmazonRDSDirectoryServiceAccess instead.

const AmazonRDSEnhancedMonitoringRole

const AmazonRDSEnhancedMonitoringRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole";

Use ManagedPolicy.AmazonRDSEnhancedMonitoringRole instead.

const AmazonRDSFullAccess

const AmazonRDSFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonRDSFullAccess";

Use ManagedPolicy.AmazonRDSFullAccess instead.

const AmazonRDSReadOnlyAccess

const AmazonRDSReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess";

Use ManagedPolicy.AmazonRDSReadOnlyAccess instead.

const AmazonRedshiftFullAccess

const AmazonRedshiftFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonRedshiftFullAccess";

Use ManagedPolicy.AmazonRedshiftFullAccess instead.

const AmazonRedshiftReadOnlyAccess

const AmazonRedshiftReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess";

Use ManagedPolicy.AmazonRedshiftReadOnlyAccess instead.

const AmazonRekognitionFullAccess

const AmazonRekognitionFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonRekognitionFullAccess";

Use ManagedPolicy.AmazonRekognitionFullAccess instead.

const AmazonRekognitionReadOnlyAccess

const AmazonRekognitionReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonRekognitionReadOnlyAccess";

Use ManagedPolicy.AmazonRekognitionReadOnlyAccess instead.

const AmazonRoute53DomainsFullAccess

const AmazonRoute53DomainsFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonRoute53DomainsFullAccess";

Use ManagedPolicy.AmazonRoute53DomainsFullAccess instead.

const AmazonRoute53DomainsReadOnlyAccess

const AmazonRoute53DomainsReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonRoute53DomainsReadOnlyAccess";

Use ManagedPolicy.AmazonRoute53DomainsReadOnlyAccess instead.

const AmazonRoute53FullAccess

const AmazonRoute53FullAccess: ARN = "arn:aws:iam::aws:policy/AmazonRoute53FullAccess";

Use ManagedPolicy.AmazonRoute53FullAccess instead.

const AmazonRoute53ReadOnlyAccess

const AmazonRoute53ReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess";

Use ManagedPolicy.AmazonRoute53ReadOnlyAccess instead.

const AmazonS3FullAccess

const AmazonS3FullAccess: ARN = "arn:aws:iam::aws:policy/AmazonS3FullAccess";

Use ManagedPolicy.AmazonS3FullAccess instead.

const AmazonS3ReadOnlyAccess

const AmazonS3ReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess";

Use ManagedPolicy.AmazonS3ReadOnlyAccess instead.

const AmazonSESFullAccess

const AmazonSESFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonSESFullAccess";

Use ManagedPolicy.AmazonSESFullAccess instead.

const AmazonSESReadOnlyAccess

const AmazonSESReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonSESReadOnlyAccess";

Use ManagedPolicy.AmazonSESReadOnlyAccess instead.

const AmazonSNSFullAccess

const AmazonSNSFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonSNSFullAccess";

Use ManagedPolicy.AmazonSNSFullAccess instead.

const AmazonSNSReadOnlyAccess

const AmazonSNSReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess";

Use ManagedPolicy.AmazonSNSReadOnlyAccess instead.

const AmazonSNSRole

const AmazonSNSRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonSNSRole";

Use ManagedPolicy.AmazonSNSRole instead.

const AmazonSQSFullAccess

const AmazonSQSFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonSQSFullAccess";

Use ManagedPolicy.AmazonSQSFullAccess instead.

const AmazonSQSReadOnlyAccess

const AmazonSQSReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonSQSReadOnlyAccess";

Use ManagedPolicy.AmazonSQSReadOnlyAccess instead.

const AmazonSSMAutomationRole

const AmazonSSMAutomationRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole";

Use ManagedPolicy.AmazonSSMAutomationRole instead.

const AmazonSSMFullAccess

const AmazonSSMFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonSSMFullAccess";

Use ManagedPolicy.AmazonSSMFullAccess instead.

const AmazonSSMMaintenanceWindowRole

const AmazonSSMMaintenanceWindowRole: ARN = "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole";

Use ManagedPolicy.AmazonSSMMaintenanceWindowRole instead.

const AmazonSSMManagedInstanceCore

const AmazonSSMManagedInstanceCore: ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore";

Use ManagedPolicy.AmazonSSMManagedInstanceCore instead.

const AmazonSSMReadOnlyAccess

const AmazonSSMReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess";

Use ManagedPolicy.AmazonSSMReadOnlyAccess instead.

const AmazonVPCFullAccess

const AmazonVPCFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonVPCFullAccess";

Use ManagedPolicy.AmazonVPCFullAccess instead.

const AmazonVPCReadOnlyAccess

const AmazonVPCReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess";

Use ManagedPolicy.AmazonVPCReadOnlyAccess instead.

const AmazonWorkMailFullAccess

const AmazonWorkMailFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonWorkMailFullAccess";

Use ManagedPolicy.AmazonWorkMailFullAccess instead.

const AmazonWorkMailReadOnlyAccess

const AmazonWorkMailReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonWorkMailReadOnlyAccess";

Use ManagedPolicy.AmazonWorkMailReadOnlyAccess instead.

const AmazonWorkSpacesAdmin

const AmazonWorkSpacesAdmin: ARN = "arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin";

Use ManagedPolicy.AmazonWorkSpacesAdmin instead.

const AmazonWorkSpacesApplicationManagerAdminAccess

const AmazonWorkSpacesApplicationManagerAdminAccess: ARN = "arn:aws:iam::aws:policy/AmazonWorkSpacesApplicationManagerAdminAccess";

Use ManagedPolicy.AmazonWorkSpacesApplicationManagerAdminAccess instead.

const AmazonZocaloFullAccess

const AmazonZocaloFullAccess: ARN = "arn:aws:iam::aws:policy/AmazonZocaloFullAccess";

Use ManagedPolicy.AmazonZocaloFullAccess instead.

const AmazonZocaloReadOnlyAccess

const AmazonZocaloReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AmazonZocaloReadOnlyAccess";

Use ManagedPolicy.AmazonZocaloReadOnlyAccess instead.

const ApplicationAutoScalingForAmazonAppStreamAccess

const ApplicationAutoScalingForAmazonAppStreamAccess: ARN = "arn:aws:iam::aws:policy/service-role/ApplicationAutoScalingForAmazonAppStreamAccess";

Use ManagedPolicy.ApplicationAutoScalingForAmazonAppStreamAccess instead.

const AutoScalingConsoleFullAccess

const AutoScalingConsoleFullAccess: ARN = "arn:aws:iam::aws:policy/AutoScalingConsoleFullAccess";

Use ManagedPolicy.AutoScalingConsoleFullAccess instead.

const AutoScalingConsoleReadOnlyAccess

const AutoScalingConsoleReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AutoScalingConsoleReadOnlyAccess";

Use ManagedPolicy.AutoScalingConsoleReadOnlyAccess instead.

const AutoScalingFullAccess

const AutoScalingFullAccess: ARN = "arn:aws:iam::aws:policy/AutoScalingFullAccess";

Use ManagedPolicy.AutoScalingFullAccess instead.

const AutoScalingNotificationAccessRole

const AutoScalingNotificationAccessRole: ARN = "arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole";

Use ManagedPolicy.AutoScalingNotificationAccessRole instead.

const AutoScalingReadOnlyAccess

const AutoScalingReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AutoScalingReadOnlyAccess";

Use ManagedPolicy.AutoScalingReadOnlyAccess instead.

const AWSAccountActivityAccess

const AWSAccountActivityAccess: ARN = "arn:aws:iam::aws:policy/AWSAccountActivityAccess";

Use ManagedPolicy.AWSAccountActivityAccess instead.

const AWSAccountUsageReportAccess

const AWSAccountUsageReportAccess: ARN = "arn:aws:iam::aws:policy/AWSAccountUsageReportAccess";

Use ManagedPolicy.AWSAccountUsageReportAccess instead.

const AWSAgentlessDiscoveryService

const AWSAgentlessDiscoveryService: ARN = "arn:aws:iam::aws:policy/AWSAgentlessDiscoveryService";

Use ManagedPolicy.AWSAgentlessDiscoveryService instead.

const AWSApplicationDiscoveryAgentAccess

const AWSApplicationDiscoveryAgentAccess: ARN = "arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentAccess";

Use ManagedPolicy.AWSApplicationDiscoveryAgentAccess instead.

const AWSApplicationDiscoveryServiceFullAccess

const AWSApplicationDiscoveryServiceFullAccess: ARN = "arn:aws:iam::aws:policy/AWSApplicationDiscoveryServiceFullAccess";

Use ManagedPolicy.AWSApplicationDiscoveryServiceFullAccess instead.

const AWSBatchFullAccess

const AWSBatchFullAccess: ARN = "arn:aws:iam::aws:policy/AWSBatchFullAccess";

Use ManagedPolicy.AWSBatchFullAccess instead.

const AWSBatchServiceRole

const AWSBatchServiceRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole";

Use ManagedPolicy.AWSBatchServiceRole instead.

const AWSCertificateManagerFullAccess

const AWSCertificateManagerFullAccess: ARN = "arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess";

Use ManagedPolicy.AWSCertificateManagerFullAccess instead.

const AWSCertificateManagerReadOnly

const AWSCertificateManagerReadOnly: ARN = "arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly";

Use ManagedPolicy.AWSCertificateManagerReadOnly instead.

const AWSCloudFormationReadOnlyAccess

const AWSCloudFormationReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess";

Use ManagedPolicy.AWSCloudFormationReadOnlyAccess instead.

const AWSCloudHSMFullAccess

const AWSCloudHSMFullAccess: ARN = "arn:aws:iam::aws:policy/AWSCloudHSMFullAccess";

Use ManagedPolicy.AWSCloudHSMFullAccess instead.

const AWSCloudHSMReadOnlyAccess

const AWSCloudHSMReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSCloudHSMReadOnlyAccess";

Use ManagedPolicy.AWSCloudHSMReadOnlyAccess instead.

const AWSCloudHSMRole

const AWSCloudHSMRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSCloudHSMRole";

Use ManagedPolicy.AWSCloudHSMRole instead.

const AWSCloudTrailFullAccess

const AWSCloudTrailFullAccess: ARN = "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess";

Use ManagedPolicy.AWSCloudTrailFullAccess instead.

const AWSCloudTrailReadOnlyAccess

const AWSCloudTrailReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess";

Use ManagedPolicy.AWSCloudTrailReadOnlyAccess instead.

const AWSCodeBuildAdminAccess

const AWSCodeBuildAdminAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess";

Use ManagedPolicy.AWSCodeBuildAdminAccess instead.

const AWSCodeBuildDeveloperAccess

const AWSCodeBuildDeveloperAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess";

Use ManagedPolicy.AWSCodeBuildDeveloperAccess instead.

const AWSCodeBuildReadOnlyAccess

const AWSCodeBuildReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeBuildReadOnlyAccess";

Use ManagedPolicy.AWSCodeBuildReadOnlyAccess instead.

const AWSCodeCommitFullAccess

const AWSCodeCommitFullAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess";

Use ManagedPolicy.AWSCodeCommitFullAccess instead.

const AWSCodeCommitPowerUser

const AWSCodeCommitPowerUser: ARN = "arn:aws:iam::aws:policy/AWSCodeCommitPowerUser";

Use ManagedPolicy.AWSCodeCommitPowerUser instead.

const AWSCodeCommitReadOnly

const AWSCodeCommitReadOnly: ARN = "arn:aws:iam::aws:policy/AWSCodeCommitReadOnly";

Use ManagedPolicy.AWSCodeCommitReadOnly instead.

const AWSCodeDeployDeployerAccess

const AWSCodeDeployDeployerAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess";

Use ManagedPolicy.AWSCodeDeployDeployerAccess instead.

const AWSCodeDeployFullAccess

const AWSCodeDeployFullAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeDeployFullAccess";

Use ManagedPolicy.AWSCodeDeployFullAccess instead.

const AWSCodeDeployReadOnlyAccess

const AWSCodeDeployReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeDeployReadOnlyAccess";

Use ManagedPolicy.AWSCodeDeployReadOnlyAccess instead.

const AWSCodeDeployRole

const AWSCodeDeployRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole";

Use ManagedPolicy.AWSCodeDeployRole instead.

const AWSCodeDeployRoleForECS

const AWSCodeDeployRoleForECS: ARN = "arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS";

Use ManagedPolicy.AWSCodeDeployRoleForECS instead.

const AWSCodePipelineApproverAccess

const AWSCodePipelineApproverAccess: ARN = "arn:aws:iam::aws:policy/AWSCodePipelineApproverAccess";

Use ManagedPolicy.AWSCodePipelineApproverAccess instead.

const AWSCodePipelineCustomActionAccess

const AWSCodePipelineCustomActionAccess: ARN = "arn:aws:iam::aws:policy/AWSCodePipelineCustomActionAccess";

Use ManagedPolicy.AWSCodePipelineCustomActionAccess instead.

const AWSCodePipelineFullAccess

const AWSCodePipelineFullAccess: ARN = "arn:aws:iam::aws:policy/AWSCodePipelineFullAccess";

Use ManagedPolicy.AWSCodePipelineFullAccess instead.

const AWSCodePipelineReadOnlyAccess

const AWSCodePipelineReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSCodePipelineReadOnlyAccess";

Use ManagedPolicy.AWSCodePipelineReadOnlyAccess instead.

const AWSCodeStarFullAccess

const AWSCodeStarFullAccess: ARN = "arn:aws:iam::aws:policy/AWSCodeStarFullAccess";

Use ManagedPolicy.AWSCodeStarFullAccess instead.

const AWSCodeStarServiceRole

const AWSCodeStarServiceRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSCodeStarServiceRole";

Use ManagedPolicy.AWSCodeStarServiceRole instead.

const AWSConfigRole

const AWSConfigRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSConfigRole";

Use ManagedPolicy.AWSConfigRole instead.

const AWSConfigRulesExecutionRole

const AWSConfigRulesExecutionRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole";

Use ManagedPolicy.AWSConfigRulesExecutionRole instead.

const AWSConfigUserAccess

const AWSConfigUserAccess: ARN = "arn:aws:iam::aws:policy/AWSConfigUserAccess";

Use ManagedPolicy.AWSConfigUserAccess instead.

const AWSConnector

const AWSConnector: ARN = "arn:aws:iam::aws:policy/AWSConnector";

Use ManagedPolicy.AWSConnector instead.

const AWSDataPipeline_FullAccess

const AWSDataPipeline_FullAccess: ARN = "arn:aws:iam::aws:policy/AWSDataPipeline_FullAccess";

Use ManagedPolicy.AWSDataPipeline_FullAccess instead.

const AWSDataPipeline_PowerUser

const AWSDataPipeline_PowerUser: ARN = "arn:aws:iam::aws:policy/AWSDataPipeline_PowerUser";

Use ManagedPolicy.AWSDataPipeline_PowerUser instead.

const AWSDataPipelineRole

const AWSDataPipelineRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSDataPipelineRole";

Use ManagedPolicy.AWSDataPipelineRole instead.

const AWSDeviceFarmFullAccess

const AWSDeviceFarmFullAccess: ARN = "arn:aws:iam::aws:policy/AWSDeviceFarmFullAccess";

Use ManagedPolicy.AWSDeviceFarmFullAccess instead.

const AWSDirectConnectFullAccess

const AWSDirectConnectFullAccess: ARN = "arn:aws:iam::aws:policy/AWSDirectConnectFullAccess";

Use ManagedPolicy.AWSDirectConnectFullAccess instead.

const AWSDirectConnectReadOnlyAccess

const AWSDirectConnectReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess";

Use ManagedPolicy.AWSDirectConnectReadOnlyAccess instead.

const AWSDirectoryServiceFullAccess

const AWSDirectoryServiceFullAccess: ARN = "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess";

Use ManagedPolicy.AWSDirectoryServiceFullAccess instead.

const AWSDirectoryServiceReadOnlyAccess

const AWSDirectoryServiceReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSDirectoryServiceReadOnlyAccess";

Use ManagedPolicy.AWSDirectoryServiceReadOnlyAccess instead.

const AWSElasticBeanstalkCustomPlatformforEC2Role

const AWSElasticBeanstalkCustomPlatformforEC2Role: ARN = "arn:aws:iam::aws:policy/AWSElasticBeanstalkCustomPlatformforEC2Role";

Use ManagedPolicy.AWSElasticBeanstalkCustomPlatformforEC2Role instead.

const AWSElasticBeanstalkEnhancedHealth

const AWSElasticBeanstalkEnhancedHealth: ARN = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth";

Use ManagedPolicy.AWSElasticBeanstalkEnhancedHealth instead.

const AWSElasticBeanstalkFullAccess

const AWSElasticBeanstalkFullAccess: ARN = "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess";

Use ManagedPolicy.AWSElasticBeanstalkFullAccess instead.

const AWSElasticBeanstalkMulticontainerDocker

const AWSElasticBeanstalkMulticontainerDocker: ARN = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker";

Use ManagedPolicy.AWSElasticBeanstalkMulticontainerDocker instead.

const AWSElasticBeanstalkReadOnlyAccess

const AWSElasticBeanstalkReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSElasticBeanstalkReadOnlyAccess";

Use ManagedPolicy.AWSElasticBeanstalkReadOnlyAccess instead.

const AWSElasticBeanstalkService

const AWSElasticBeanstalkService: ARN = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService";

Use ManagedPolicy.AWSElasticBeanstalkService instead.

const AWSElasticBeanstalkWebTier

const AWSElasticBeanstalkWebTier: ARN = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier";

Use ManagedPolicy.AWSElasticBeanstalkWebTier instead.

const AWSElasticBeanstalkWorkerTier

const AWSElasticBeanstalkWorkerTier: ARN = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier";

Use ManagedPolicy.AWSElasticBeanstalkWorkerTier instead.

const AWSGreengrassFullAccess

const AWSGreengrassFullAccess: ARN = "arn:aws:iam::aws:policy/AWSGreengrassFullAccess";

Use ManagedPolicy.AWSGreengrassFullAccess instead.

const AWSGreengrassResourceAccessRolePolicy

const AWSGreengrassResourceAccessRolePolicy: ARN = "arn:aws:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy";

Use ManagedPolicy.AWSGreengrassResourceAccessRolePolicy instead.

const AWSHealthFullAccess

const AWSHealthFullAccess: ARN = "arn:aws:iam::aws:policy/AWSHealthFullAccess";

Use ManagedPolicy.AWSHealthFullAccess instead.

const AWSImportExportFullAccess

const AWSImportExportFullAccess: ARN = "arn:aws:iam::aws:policy/AWSImportExportFullAccess";

Use ManagedPolicy.AWSImportExportFullAccess instead.

const AWSImportExportReadOnlyAccess

const AWSImportExportReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSImportExportReadOnlyAccess";

Use ManagedPolicy.AWSImportExportReadOnlyAccess instead.

const AWSIoTConfigAccess

const AWSIoTConfigAccess: ARN = "arn:aws:iam::aws:policy/AWSIoTConfigAccess";

Use ManagedPolicy.AWSIoTConfigAccess instead.

const AWSIoTConfigReadOnlyAccess

const AWSIoTConfigReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSIoTConfigReadOnlyAccess";

Use ManagedPolicy.AWSIoTConfigReadOnlyAccess instead.

const AWSIoTDataAccess

const AWSIoTDataAccess: ARN = "arn:aws:iam::aws:policy/AWSIoTDataAccess";

Use ManagedPolicy.AWSIoTDataAccess instead.

const AWSIoTFullAccess

const AWSIoTFullAccess: ARN = "arn:aws:iam::aws:policy/AWSIoTFullAccess";

Use ManagedPolicy.AWSIoTFullAccess instead.

const AWSIoTLogging

const AWSIoTLogging: ARN = "arn:aws:iam::aws:policy/service-role/AWSIoTLogging";

Use ManagedPolicy.AWSIoTLogging instead.

const AWSIoTRuleActions

const AWSIoTRuleActions: ARN = "arn:aws:iam::aws:policy/service-role/AWSIoTRuleActions";

Use ManagedPolicy.AWSIoTRuleActions instead.

const AWSKeyManagementServicePowerUser

const AWSKeyManagementServicePowerUser: ARN = "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser";

Use ManagedPolicy.AWSKeyManagementServicePowerUser instead.

const AWSLambdaBasicExecutionRole

const AWSLambdaBasicExecutionRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole";

Use ManagedPolicy.AWSLambdaBasicExecutionRole instead.

const AWSLambdaDynamoDBExecutionRole

const AWSLambdaDynamoDBExecutionRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole";

Use ManagedPolicy.AWSLambdaDynamoDBExecutionRole instead.

const AWSLambdaENIManagementAccess

const AWSLambdaENIManagementAccess: ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess";

Use ManagedPolicy.AWSLambdaENIManagementAccess instead.

const AWSLambdaExecute

const AWSLambdaExecute: ARN = "arn:aws:iam::aws:policy/AWSLambdaExecute";

Use ManagedPolicy.AWSLambdaExecute instead.

const AWSLambdaFullAccess

const AWSLambdaFullAccess: ARN = "arn:aws:iam::aws:policy/AWSLambdaFullAccess";

Use ManagedPolicy.AWSLambdaFullAccess instead.

const AWSLambdaInvocationDynamoDB

const AWSLambdaInvocationDynamoDB: ARN = "arn:aws:iam::aws:policy/AWSLambdaInvocation-DynamoDB";

Use ManagedPolicy.AWSLambdaInvocationDynamoDB instead.

const AWSLambdaKinesisExecutionRole

const AWSLambdaKinesisExecutionRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole";

Use ManagedPolicy.AWSLambdaKinesisExecutionRole instead.

const AWSLambdaReadOnlyAccess

const AWSLambdaReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess";

Use ManagedPolicy.AWSLambdaReadOnlyAccess instead.

const AWSLambdaRole

const AWSLambdaRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaRole";

Use ManagedPolicy.AWSLambdaRole instead.

const AWSLambdaVPCAccessExecutionRole

const AWSLambdaVPCAccessExecutionRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole";

Use ManagedPolicy.AWSLambdaVPCAccessExecutionRole instead.

const AWSMarketplaceFullAccess

const AWSMarketplaceFullAccess: ARN = "arn:aws:iam::aws:policy/AWSMarketplaceFullAccess";

Use ManagedPolicy.AWSMarketplaceFullAccess instead.

const AWSMarketplaceGetEntitlements

const AWSMarketplaceGetEntitlements: ARN = "arn:aws:iam::aws:policy/AWSMarketplaceGetEntitlements";

Use ManagedPolicy.AWSMarketplaceGetEntitlements instead.

const AWSMarketplaceManageSubscriptions

const AWSMarketplaceManageSubscriptions: ARN = "arn:aws:iam::aws:policy/AWSMarketplaceManageSubscriptions";

Use ManagedPolicy.AWSMarketplaceManageSubscriptions instead.

const AWSMarketplaceMeteringFullAccess

const AWSMarketplaceMeteringFullAccess: ARN = "arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess";

Use ManagedPolicy.AWSMarketplaceMeteringFullAccess instead.

const AWSMarketplaceReadonly

const AWSMarketplaceReadonly: ARN = "arn:aws:iam::aws:policy/AWSMarketplaceRead-only";

Use ManagedPolicy.AWSMarketplaceReadonly instead.

const AWSMobileHub_FullAccess

const AWSMobileHub_FullAccess: ARN = "arn:aws:iam::aws:policy/AWSMobileHub_FullAccess";

Use ManagedPolicy.AWSMobileHub_FullAccess instead.

const AWSMobileHub_ReadOnly

const AWSMobileHub_ReadOnly: ARN = "arn:aws:iam::aws:policy/AWSMobileHub_ReadOnly";

Use ManagedPolicy.AWSMobileHub_ReadOnly instead.

const AWSMobileHub_ServiceUseOnly

const AWSMobileHub_ServiceUseOnly: ARN = "arn:aws:iam::aws:policy/service-role/AWSMobileHub_ServiceUseOnly";

Use ManagedPolicy.AWSMobileHub_ServiceUseOnly instead.

const AWSOpsWorksCloudWatchLogs

const AWSOpsWorksCloudWatchLogs: ARN = "arn:aws:iam::aws:policy/AWSOpsWorksCloudWatchLogs";

Use ManagedPolicy.AWSOpsWorksCloudWatchLogs instead.

const AWSOpsWorksCMInstanceProfileRole

const AWSOpsWorksCMInstanceProfileRole: ARN = "arn:aws:iam::aws:policy/AWSOpsWorksCMInstanceProfileRole";

Use ManagedPolicy.AWSOpsWorksCMInstanceProfileRole instead.

const AWSOpsWorksCMServiceRole

const AWSOpsWorksCMServiceRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSOpsWorksCMServiceRole";

Use ManagedPolicy.AWSOpsWorksCMServiceRole instead.

const AWSOpsWorksFullAccess

const AWSOpsWorksFullAccess: ARN = "arn:aws:iam::aws:policy/AWSOpsWorksFullAccess";

Use ManagedPolicy.AWSOpsWorksFullAccess instead.

const AWSOpsWorksInstanceRegistration

const AWSOpsWorksInstanceRegistration: ARN = "arn:aws:iam::aws:policy/AWSOpsWorksInstanceRegistration";

Use ManagedPolicy.AWSOpsWorksInstanceRegistration instead.

const AWSOpsWorksRegisterCLI

const AWSOpsWorksRegisterCLI: ARN = "arn:aws:iam::aws:policy/AWSOpsWorksRegisterCLI";

Use ManagedPolicy.AWSOpsWorksRegisterCLI instead.

const AWSOpsWorksRole

const AWSOpsWorksRole: ARN = "arn:aws:iam::aws:policy/service-role/AWSOpsWorksRole";

Use ManagedPolicy.AWSOpsWorksRole instead.

const AWSQuicksightAthenaAccess

const AWSQuicksightAthenaAccess: ARN = "arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess";

Use ManagedPolicy.AWSQuicksightAthenaAccess instead.

const AWSQuickSightDescribeRDS

const AWSQuickSightDescribeRDS: ARN = "arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRDS";

Use ManagedPolicy.AWSQuickSightDescribeRDS instead.

const AWSQuickSightDescribeRedshift

const AWSQuickSightDescribeRedshift: ARN = "arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRedshift";

Use ManagedPolicy.AWSQuickSightDescribeRedshift instead.

const AWSQuickSightListIAM

const AWSQuickSightListIAM: ARN = "arn:aws:iam::aws:policy/service-role/AWSQuickSightListIAM";

Use ManagedPolicy.AWSQuickSightListIAM instead.

const AWSStepFunctionsConsoleFullAccess

const AWSStepFunctionsConsoleFullAccess: ARN = "arn:aws:iam::aws:policy/AWSStepFunctionsConsoleFullAccess";

Use ManagedPolicy.AWSStepFunctionsConsoleFullAccess instead.

const AWSStepFunctionsFullAccess

const AWSStepFunctionsFullAccess: ARN = "arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess";

Use ManagedPolicy.AWSStepFunctionsFullAccess instead.

const AWSStepFunctionsReadOnlyAccess

const AWSStepFunctionsReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSStepFunctionsReadOnlyAccess";

Use ManagedPolicy.AWSStepFunctionsReadOnlyAccess instead.

const AWSStorageGatewayFullAccess

const AWSStorageGatewayFullAccess: ARN = "arn:aws:iam::aws:policy/AWSStorageGatewayFullAccess";

Use ManagedPolicy.AWSStorageGatewayFullAccess instead.

const AWSStorageGatewayReadOnlyAccess

const AWSStorageGatewayReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSStorageGatewayReadOnlyAccess";

Use ManagedPolicy.AWSStorageGatewayReadOnlyAccess instead.

const AWSSupportAccess

const AWSSupportAccess: ARN = "arn:aws:iam::aws:policy/AWSSupportAccess";

Use ManagedPolicy.AWSSupportAccess instead.

const AWSWAFFullAccess

const AWSWAFFullAccess: ARN = "arn:aws:iam::aws:policy/AWSWAFFullAccess";

Use ManagedPolicy.AWSWAFFullAccess instead.

const AWSWAFReadOnlyAccess

const AWSWAFReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess";

Use ManagedPolicy.AWSWAFReadOnlyAccess instead.

const AWSXRayDaemonWriteAccess

const AWSXRayDaemonWriteAccess: ARN = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess";

Use ManagedPolicy.AWSXRayDaemonWriteAccess instead.

const AWSXrayFullAccess

const AWSXrayFullAccess: ARN = "arn:aws:iam::aws:policy/AWSXrayFullAccess";

Use ManagedPolicy.AWSXrayFullAccess instead.

const AWSXrayReadOnlyAccess

const AWSXrayReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess";

Use ManagedPolicy.AWSXrayReadOnlyAccess instead.

const AWSXrayWriteOnlyAccess

const AWSXrayWriteOnlyAccess: ARN = "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess";

Use ManagedPolicy.AWSXrayWriteOnlyAccess instead.

const Billing

const Billing: ARN = "arn:aws:iam::aws:policy/job-function/Billing";

Use ManagedPolicy.Billing instead.

const CloudFrontFullAccess

const CloudFrontFullAccess: ARN = "arn:aws:iam::aws:policy/CloudFrontFullAccess";

Use ManagedPolicy.CloudFrontFullAccess instead.

const CloudFrontReadOnlyAccess

const CloudFrontReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/CloudFrontReadOnlyAccess";

Use ManagedPolicy.CloudFrontReadOnlyAccess instead.

const CloudSearchFullAccess

const CloudSearchFullAccess: ARN = "arn:aws:iam::aws:policy/CloudSearchFullAccess";

Use ManagedPolicy.CloudSearchFullAccess instead.

const CloudSearchReadOnlyAccess

const CloudSearchReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/CloudSearchReadOnlyAccess";

Use ManagedPolicy.CloudSearchReadOnlyAccess instead.

const CloudWatchActionsEC2Access

const CloudWatchActionsEC2Access: ARN = "arn:aws:iam::aws:policy/CloudWatchActionsEC2Access";

Use ManagedPolicy.CloudWatchActionsEC2Access instead.

const CloudWatchEventsBuiltInTargetExecutionAccess

const CloudWatchEventsBuiltInTargetExecutionAccess: ARN = "arn:aws:iam::aws:policy/service-role/CloudWatchEventsBuiltInTargetExecutionAccess";

Use ManagedPolicy.CloudWatchEventsBuiltInTargetExecutionAccess instead.

const CloudWatchEventsFullAccess

const CloudWatchEventsFullAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess";

Use ManagedPolicy.CloudWatchEventsFullAccess instead.

const CloudWatchEventsInvocationAccess

const CloudWatchEventsInvocationAccess: ARN = "arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess";

Use ManagedPolicy.CloudWatchEventsInvocationAccess instead.

const CloudWatchEventsReadOnlyAccess

const CloudWatchEventsReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess";

Use ManagedPolicy.CloudWatchEventsReadOnlyAccess instead.

const CloudWatchFullAccess

const CloudWatchFullAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchFullAccess";

Use ManagedPolicy.CloudWatchFullAccess instead.

const CloudWatchLogsFullAccess

const CloudWatchLogsFullAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess";

Use ManagedPolicy.CloudWatchLogsFullAccess instead.

const CloudWatchLogsReadOnlyAccess

const CloudWatchLogsReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess";

Use ManagedPolicy.CloudWatchLogsReadOnlyAccess instead.

const CloudWatchReadOnlyAccess

const CloudWatchReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess";

Use ManagedPolicy.CloudWatchReadOnlyAccess instead.

const DatabaseAdministrator

const DatabaseAdministrator: ARN = "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator";

Use ManagedPolicy.DatabaseAdministrator instead.

const DataScientist

const DataScientist: ARN = "arn:aws:iam::aws:policy/job-function/DataScientist";

Use ManagedPolicy.DataScientist instead.

const IAMFullAccess

const IAMFullAccess: ARN = "arn:aws:iam::aws:policy/IAMFullAccess";

Use ManagedPolicy.IAMFullAccess instead.

const IAMReadOnlyAccess

const IAMReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/IAMReadOnlyAccess";

Use ManagedPolicy.IAMReadOnlyAccess instead.

const IAMSelfManageServiceSpecificCredentials

const IAMSelfManageServiceSpecificCredentials: ARN = "arn:aws:iam::aws:policy/IAMSelfManageServiceSpecificCredentials";

Use ManagedPolicy.IAMSelfManageServiceSpecificCredentials instead.

const IAMUserChangePassword

const IAMUserChangePassword: ARN = "arn:aws:iam::aws:policy/IAMUserChangePassword";

Use ManagedPolicy.IAMUserChangePassword instead.

const IAMUserSSHKeys

const IAMUserSSHKeys: ARN = "arn:aws:iam::aws:policy/IAMUserSSHKeys";

Use ManagedPolicy.IAMUserSSHKeys instead.

const NetworkAdministrator

const NetworkAdministrator: ARN = "arn:aws:iam::aws:policy/job-function/NetworkAdministrator";

Use ManagedPolicy.NetworkAdministrator instead.

const PowerUserAccess

const PowerUserAccess: ARN = "arn:aws:iam::aws:policy/PowerUserAccess";

Use ManagedPolicy.PowerUserAccess instead.

const RDSCloudHsmAuthorizationRole

const RDSCloudHsmAuthorizationRole: ARN = "arn:aws:iam::aws:policy/service-role/RDSCloudHsmAuthorizationRole";

Use ManagedPolicy.RDSCloudHsmAuthorizationRole instead.

const ReadOnlyAccess

const ReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess";

Use ManagedPolicy.ReadOnlyAccess instead.

const ResourceGroupsandTagEditorFullAccess

const ResourceGroupsandTagEditorFullAccess: ARN = "arn:aws:iam::aws:policy/ResourceGroupsandTagEditorFullAccess";

Use ManagedPolicy.ResourceGroupsandTagEditorFullAccess instead.

const ResourceGroupsandTagEditorReadOnlyAccess

const ResourceGroupsandTagEditorReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/ResourceGroupsandTagEditorReadOnlyAccess";

Use ManagedPolicy.ResourceGroupsandTagEditorReadOnlyAccess instead.

const SecurityAudit

const SecurityAudit: ARN = "arn:aws:iam::aws:policy/SecurityAudit";

Use ManagedPolicy.SecurityAudit instead.

const ServerMigrationConnector

const ServerMigrationConnector: ARN = "arn:aws:iam::aws:policy/ServerMigrationConnector";

Use ManagedPolicy.ServerMigrationConnector instead.

const ServerMigrationServiceRole

const ServerMigrationServiceRole: ARN = "arn:aws:iam::aws:policy/service-role/ServerMigrationServiceRole";

Use ManagedPolicy.ServerMigrationServiceRole instead.

const ServiceCatalogAdminFullAccess

const ServiceCatalogAdminFullAccess: ARN = "arn:aws:iam::aws:policy/ServiceCatalogAdminFullAccess";

Use ManagedPolicy.ServiceCatalogAdminFullAccess instead.

const ServiceCatalogAdminReadOnlyAccess

const ServiceCatalogAdminReadOnlyAccess: ARN = "arn:aws:iam::aws:policy/ServiceCatalogAdminReadOnlyAccess";

Use ManagedPolicy.ServiceCatalogAdminReadOnlyAccess instead.

const ServiceCatalogEndUserAccess

const ServiceCatalogEndUserAccess: ARN = "arn:aws:iam::aws:policy/ServiceCatalogEndUserAccess";

Use ManagedPolicy.ServiceCatalogEndUserAccess instead.

const ServiceCatalogEndUserFullAccess

const ServiceCatalogEndUserFullAccess: ARN = "arn:aws:iam::aws:policy/ServiceCatalogEndUserFullAccess";

Use ManagedPolicy.ServiceCatalogEndUserFullAccess instead.

const SimpleWorkflowFullAccess

const SimpleWorkflowFullAccess: ARN = "arn:aws:iam::aws:policy/SimpleWorkflowFullAccess";

Use ManagedPolicy.SimpleWorkflowFullAccess instead.

const SupportUser

const SupportUser: ARN = "arn:aws:iam::aws:policy/job-function/SupportUser";

Use ManagedPolicy.SupportUser instead.

const SystemAdministrator

const SystemAdministrator: ARN = "arn:aws:iam::aws:policy/job-function/SystemAdministrator";

Use ManagedPolicy.SystemAdministrator instead.

const ViewOnlyAccess

const ViewOnlyAccess: ARN = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess";

Use ManagedPolicy.ViewOnlyAccess instead.

const VMImportExportRoleForAWSConnector

const VMImportExportRoleForAWSConnector: ARN = "arn:aws:iam::aws:policy/service-role/VMImportExportRoleForAWSConnector";

Use ManagedPolicy.VMImportExportRoleForAWSConnector instead.

namespace Principals

const AcmServicePrincipal

Service Principal for Amazon Certificate Manager

let Service

let Service: string = "acm.amazonaws.com";

const ApiGatewayPrincipal

Service Principal for API Gateway

let Service

let Service: string = "apigateway.amazonaws.com";

const AthenaPrincipal

Service Principal for Athena

let Service

let Service: string = "athena.amazonaws.com";

const AutoscalingPrincipal

Service Principal for Autoscaling

let Service

let Service: string = "autoscaling.amazonaws.com";

const BatchPrincipal

Service Principal for Batch

let Service

let Service: string = "batch.amazonaws.com";

const CloudDirectoryPrincipal

Service Principal for Cloud Directory

let Service

let Service: string = "clouddirectory.amazonaws.com";

const CloudformationPrincipal

Service Principal for Cloudformation

let Service

let Service: string = "cloudformation.amazonaws.com";

const CloudfrontPrincipal

Service Principal for Cloudfront

let Service

let Service: string = "cloudfront.amazonaws.com";

const CloudSearchPrincipal

Service Principal for Cloud Search

let Service

let Service: string = "cloudsearch.amazonaws.com";

const CloudtrailPrincipal

Service Principal for Cloudtrail

let Service

let Service: string = "cloudtrail.amazonaws.com";

const CodeBuildPrincipal

Service Principal for CodeBuild

let Service

let Service: string = "codebuild.amazonaws.com";

const CodeCommitPrincipal

Service Principal for CodeCommit

let Service

let Service: string = "codecommit.amazonaws.com";

const CodeDeployPrincipal

Service Principal for CodeDeploy

let Service

let Service: string = "codedeploy.amazonaws.com";

const CodePipelinePrincipal

Service Principal for CodePipeline

let Service

let Service: string = "codepipeline.amazonaws.com";

const ConfigPrincipal

Service Principal for EC2 Config Service

let Service

let Service: string = "config.amazonaws.com";

const DataPipelinePrincipal

Service Principal for Data Pipeline

let Service

let Service: string = "datapipeline.amazonaws.com";

const DirectConnectPrincipal

Service Principal for DirectConnect

let Service

let Service: string = "directconnect.amazonaws.com";

const DirectoryServicesPrincipal

Service Principal for Directory Services

let Service

let Service: string = "ds.amazonaws.com";

const DynamoDbPrincipal

Service Principal for DynamoDB

let Service

let Service: string = "dynamodb.amazonaws.com";

const Ec2Principal

Service Principal for EC2

let Service

let Service: string = "ec2.amazonaws.com";

const EcrPrincipal

Service Principal for Elastic Container Registry

let Service

let Service: string = "ecr.amazonaws.com";

const EcsPrincipal

Service Principal for Elastic Container Service

let Service

let Service: string = "ecs.amazonaws.com";

const EcsTasksPrincipal

Service Principal for Elastic Container Service Tasks. Usage: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

let Service

let Service: string = "ecs-tasks.amazonaws.com";

const EdgeLambdaPrincipal

Service Principal for Edge Lambda

let Service

let Service: string = "edgelambda.amazonaws.com";

const ElasticachePrincipal

Service Principal for Elasticache

let Service

let Service: string = "elasticache.amazonaws.com";

const ElasticBeanstalkPrincipal

Service Principal for Elastic Beanstalk

let Service

let Service: string = "elasticbeanstalk.amazonaws.com";

const ElasticFileSystemPrincipal

Service Principal for Elastic File System

let Service

let Service: string = "elasticfilesystem.amazonaws.com";

const ElasticLoadBalancingPrincipal

Service Principal for Elastic Load Balancing

let Service

let Service: string = "elasticloadbalancing.amazonaws.com";

const ElasticMapReducePrincipal

Service Principal for Elastic MapReduce

let Service

let Service: string = "elasticmapreduce.amazonaws.com";

const EventsPrincipal

Service Principal for Events

let Service

let Service: string = "events.amazonaws.com";

const HealthPrincipal

Service Principal for Health

let Service

let Service: string = "health.amazonaws.com";

const IamPrincipal

Service Principal for IAM

let Service

let Service: string = "iam.amazonaws.com";

const InspectorPrincipal

Service Principal for AWS Inspector

let Service

let Service: string = "inspector.amazonaws.com";

const KinesisPrincipal

Service Principal for Kinesis

let Service

let Service: string = "kinesis.amazonaws.com";

const KmsPrincipal

Service Principal for Key Management Service

let Service

let Service: string = "kms.amazonaws.com";

const LambdaPrincipal

Service Principal for Lambda

let Service

let Service: string = "lambda.amazonaws.com";

const LightsailPrincipal

Service Principal for Lightsail

let Service

let Service: string = "lightsail.amazonaws.com";

const LogsPrincipal

Service Principal for Cloudwatch Logs

let Service

let Service: string = "logs.amazonaws.com";

const MonitoringPrincipal

Service Principal for Cloudwatch Monitoring

let Service

let Service: string = "monitoring.amazonaws.com";

const OpsworksPrincipal

Service Principal for Opsworks

let Service

let Service: string = "opsworks.amazonaws.com";

const OrganizationsPrincipal

Service Principal for Organizations

let Service

let Service: string = "organizations.amazonaws.com";

const RdsPrincipal

Service Principal for Relational Database Service

let Service

let Service: string = "rds.amazonaws.com";

const RedshiftPrincipal

Service Principal for Redshift

let Service

let Service: string = "redshift.amazonaws.com";

const Route53Principal

Service Principal for Route 53

let Service

let Service: string = "route53.amazonaws.com";

const S3Principal

Service Principal for S3

let Service

let Service: string = "s3.amazonaws.com";

const ServiceCatalogPrincipal

Service Principal for Service Catalog

let Service

let Service: string = "servicecatalog.amazonaws.com";

const SesPrincipal

Service Principal for Simple Email Service

let Service

let Service: string = "ses.amazonaws.com";

const SigninPrincipal

Service Principal for Signin Service

let Service

let Service: string = "signin.amazonaws.com";

const SnsPrincipal

Service Principal for Simple Notification Service

let Service

let Service: string = "sns.amazonaws.com";

const SpotFleetPrincipal

Service Principal for Spot Fleet

let Service

let Service: string = "spotfleet.amazonaws.com";

const SqsPrincipal

Service Principal for Simple Queue Service

let Service

let Service: string = "sqs.amazonaws.com";

const SsmPrincipal

Service Principal for Systems Manager

let Service

let Service: string = "ssm.amazonaws.com";

const StorageGatewayPrincipal

Service Principal for Storage Gateway

let Service

let Service: string = "storagegateway.amazonaws.com";

const StsPrincipal

Service Principal for Security Token Service

let Service

let Service: string = "sts.amazonaws.com";

const SupportPrincipal

Service Principal for AWS Support

let Service

let Service: string = "support.amazonaws.com";

const VmiePrincipal

Service Principal for VM Import/Export

let Service

let Service: string = "vmie.amazonaws.com";

const VpcFlowLogsPrincipal

Service Principal for VPC Flow Logs

let Service

let Service: string = "vpc-flow-logs.amazonaws.com";

const WafPrincipal

Service Principal for Web Application Firewall

let Service

let Service: string = "waf.amazonaws.com";

const WorkDocsPrincipal

Service Principal for WorkDocs

let Service

let Service: string = "workdocs.amazonaws.com";

const WorkspacesPrincipal

Service Principal for Workspaces

let Service

let Service: string = "workspaces.amazonaws.com";

Resources

Resource AccessKey

class AccessKey extends CustomResource

Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const lbUser = new aws.iam.User("lbUser", {path: "/system/"});
const lbAccessKey = new aws.iam.AccessKey("lbAccessKey", {
    user: lbUser.name,
    pgpKey: "keybase:some_person_that_exists",
});
const lbRo = new aws.iam.UserPolicy("lbRo", {
    user: lbUser.name,
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});
export const secret = lbAccessKey.encryptedSecret;

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testUser = new aws.iam.User("testUser", {path: "/test/"});
const testAccessKey = new aws.iam.AccessKey("testAccessKey", {user: testUser.name});
export const awsIamSmtpPasswordV4 = testAccessKey.sesSmtpPasswordV4;

constructor

new AccessKey(name: string, args: AccessKeyArgs, opts?: pulumi.CustomResourceOptions)

Create an AccessKey resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccessKeyState, opts?: pulumi.CustomResourceOptions): AccessKey

Get an existing AccessKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AccessKey

Returns true if the given object is an instance of AccessKey. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property encryptedSecret

public encryptedSecret: pulumi.Output<string>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyFingerprint

public keyFingerprint: pulumi.Output<string>;

The fingerprint of the PGP key used to encrypt the secret

property pgpKey

public pgpKey: pulumi.Output<string | undefined>;

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encryptedSecret output attribute.

property secret

public secret: pulumi.Output<string>;

The secret access key. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgpKey instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

property sesSmtpPasswordV4

public sesSmtpPasswordV4: pulumi.Output<string>;

The secret access key converted into an SES SMTP password by applying AWS’s documented SigV4 conversion algorithm. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

property status

public status: pulumi.Output<string>;

The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property user

public user: pulumi.Output<string>;

The IAM user to associate with this access key.

Resource AccountAlias

class AccountAlias extends CustomResource

Note: There is only a single account alias per AWS account.

Manages the account alias for the AWS Account.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const alias = new aws.iam.AccountAlias("alias", {
    accountAlias: "my-account-alias",
});

Import

The current Account Alias can be imported using the account_alias, e.g.

 $ pulumi import aws:iam/accountAlias:AccountAlias alias my-account-alias

constructor

new AccountAlias(name: string, args: AccountAliasArgs, opts?: pulumi.CustomResourceOptions)

Create an AccountAlias resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountAliasState, opts?: pulumi.CustomResourceOptions): AccountAlias

Get an existing AccountAlias resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AccountAlias

Returns true if the given object is an instance of AccountAlias. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accountAlias

public accountAlias: pulumi.Output<string>;

The account alias

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AccountPasswordPolicy

class AccountPasswordPolicy extends CustomResource

Note: There is only a single policy allowed per AWS account. An existing policy will be lost when using this resource as an effect of this limitation.

Manages Password Policy for the AWS Account. See more about Account Password Policy in the official AWS docs.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const strict = new aws.iam.AccountPasswordPolicy("strict", {
    allowUsersToChangePassword: true,
    minimumPasswordLength: 8,
    requireLowercaseCharacters: true,
    requireNumbers: true,
    requireSymbols: true,
    requireUppercaseCharacters: true,
});

Import

IAM Account Password Policy can be imported using the word iam-account-password-policy, e.g.

 $ pulumi import aws:iam/accountPasswordPolicy:AccountPasswordPolicy strict iam-account-password-policy

constructor

new AccountPasswordPolicy(name: string, args?: AccountPasswordPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create an AccountPasswordPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountPasswordPolicyState, opts?: pulumi.CustomResourceOptions): AccountPasswordPolicy

Get an existing AccountPasswordPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AccountPasswordPolicy

Returns true if the given object is an instance of AccountPasswordPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property allowUsersToChangePassword

public allowUsersToChangePassword: pulumi.Output<boolean | undefined>;

Whether to allow users to change their own password

property expirePasswords

public expirePasswords: pulumi.Output<boolean>;

Indicates whether passwords in the account expire. Returns true if maxPasswordAge contains a value greater than 0. Returns false if it is 0 or not present.

property hardExpiry

public hardExpiry: pulumi.Output<boolean>;

Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxPasswordAge

public maxPasswordAge: pulumi.Output<number>;

The number of days that a user password is valid.

property minimumPasswordLength

public minimumPasswordLength: pulumi.Output<number | undefined>;

Minimum length to require for user passwords.

property passwordReusePrevention

public passwordReusePrevention: pulumi.Output<number>;

The number of previous passwords that users are prevented from reusing.

property requireLowercaseCharacters

public requireLowercaseCharacters: pulumi.Output<boolean>;

Whether to require lowercase characters for user passwords.

property requireNumbers

public requireNumbers: pulumi.Output<boolean>;

Whether to require numbers for user passwords.

property requireSymbols

public requireSymbols: pulumi.Output<boolean>;

Whether to require symbols for user passwords.

property requireUppercaseCharacters

public requireUppercaseCharacters: pulumi.Output<boolean>;

Whether to require uppercase characters for user passwords.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Group

class Group extends CustomResource

Provides an IAM group.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const developers = new aws.iam.Group("developers", {
    path: "/users/",
});

Import

IAM Groups can be imported using the name, e.g.

 $ pulumi import aws:iam/group:Group developers developers

constructor

new Group(name: string, args?: GroupArgs, opts?: pulumi.CustomResourceOptions)

Create a Group resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupState, opts?: pulumi.CustomResourceOptions): Group

Get an existing Group resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Group

Returns true if the given object is an instance of Group. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN assigned by AWS for this group.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The group’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. Group names are not distinguished by case. For example, you cannot create groups named both “ADMINS” and “admins”.

property path

public path: pulumi.Output<string | undefined>;

Path in which to create the group.

property uniqueId

public uniqueId: pulumi.Output<string>;

The unique ID assigned by AWS.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource GroupMembership

class GroupMembership extends CustomResource

WARNING: Multiple aws.iam.GroupMembership resources with the same group name will produce inconsistent behavior!

Provides a top level resource to manage IAM Group membership for IAM Users. For more information on managing IAM Groups or IAM Users, see IAM Groups or IAM Users.

Note: aws.iam.GroupMembership will conflict with itself if used more than once with the same group. To non-exclusively manage the users in a group, see the aws.iam.UserGroupMembership resource.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const group = new aws.iam.Group("group", {});
const userOne = new aws.iam.User("userOne", {});
const userTwo = new aws.iam.User("userTwo", {});
const team = new aws.iam.GroupMembership("team", {
    users: [
        userOne.name,
        userTwo.name,
    ],
    group: group.name,
});

constructor

new GroupMembership(name: string, args: GroupMembershipArgs, opts?: pulumi.CustomResourceOptions)

Create a GroupMembership resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupMembershipState, opts?: pulumi.CustomResourceOptions): GroupMembership

Get an existing GroupMembership resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is GroupMembership

Returns true if the given object is an instance of GroupMembership. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property group

public group: pulumi.Output<string>;

The IAM Group name to attach the list of users to

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name to identify the Group Membership

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property users

public users: pulumi.Output<string[]>;

A list of IAM User names to associate with the Group

Resource GroupPolicy

class GroupPolicy extends CustomResource

Provides an IAM policy attached to a group.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const myDevelopers = new aws.iam.Group("myDevelopers", {path: "/users/"});
const myDeveloperPolicy = new aws.iam.GroupPolicy("myDeveloperPolicy", {
    group: myDevelopers.name,
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});

Import

IAM Group Policies can be imported using the group_name:group_policy_name, e.g.

 $ pulumi import aws:iam/groupPolicy:GroupPolicy mypolicy group_of_mypolicy_name:mypolicy_name

constructor

new GroupPolicy(name: string, args: GroupPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a GroupPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupPolicyState, opts?: pulumi.CustomResourceOptions): GroupPolicy

Get an existing GroupPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is GroupPolicy

Returns true if the given object is an instance of GroupPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property group

public group: pulumi.Output<string>;

The IAM group to attach the policy to.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

public policy: pulumi.Output<string>;

The policy document. This is a JSON formatted string.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource GroupPolicyAttachment

class GroupPolicyAttachment extends CustomResource

Attaches a Managed IAM Policy to an IAM group

NOTE: The usage of this resource conflicts with the aws.iam.PolicyAttachment resource and will permanently show a difference if both are defined.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const group = new aws.iam.Group("group", {});
const policy = new aws.iam.Policy("policy", {
    description: "A test policy",
    policy: "{ ... policy JSON ... }",
});
const test_attach = new aws.iam.GroupPolicyAttachment("test-attach", {
    group: group.name,
    policyArn: policy.arn,
});

Import

IAM group policy attachments can be imported using the group name and policy arn separated by /.

 $ pulumi import aws:iam/groupPolicyAttachment:GroupPolicyAttachment test-attach test-group/arn:aws:iam::xxxxxxxxxxxx:policy/test-policy

constructor

new GroupPolicyAttachment(name: string, args: GroupPolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions)

Create a GroupPolicyAttachment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupPolicyAttachmentState, opts?: pulumi.CustomResourceOptions): GroupPolicyAttachment

Get an existing GroupPolicyAttachment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is GroupPolicyAttachment

Returns true if the given object is an instance of GroupPolicyAttachment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property group

public group: pulumi.Output<string>;

The group the policy should be applied to

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyArn

public policyArn: pulumi.Output<ARN>;

The ARN of the policy you want to apply

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource InstanceProfile

class InstanceProfile extends CustomResource

Provides an IAM instance profile.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const role = new aws.iam.Role("role", {
    path: "/",
    assumeRolePolicy: `{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
               "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
`,
});
const testProfile = new aws.iam.InstanceProfile("testProfile", {role: role.name});

Import

Instance Profiles can be imported using the name, e.g.

 $ pulumi import aws:iam/instanceProfile:InstanceProfile test_profile app-instance-profile-1

constructor

new InstanceProfile(name: string, args?: InstanceProfileArgs, opts?: pulumi.CustomResourceOptions)

Create an InstanceProfile resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: InstanceProfileState, opts?: pulumi.CustomResourceOptions): InstanceProfile

Get an existing InstanceProfile resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is InstanceProfile

Returns true if the given object is an instance of InstanceProfile. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN assigned by AWS to the instance profile.

property createDate

public createDate: pulumi.Output<string>;

The creation timestamp of the instance profile.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The profile’s name. If omitted, this provider will assign a random, unique name.

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

public path: pulumi.Output<string | undefined>;

Path in which to create the profile.

property role

public role: pulumi.Output<string | undefined>;

The role name to include in the profile.

property uniqueId

public uniqueId: pulumi.Output<string>;

The unique ID assigned by AWS.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource OpenIdConnectProvider

class OpenIdConnectProvider extends CustomResource

Provides an IAM OpenID Connect provider.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const defaultOpenIdConnectProvider = new aws.iam.OpenIdConnectProvider("default", {
    clientIdLists: ["266362248691-342342xasdasdasda-apps.googleusercontent.com"],
    thumbprintLists: [],
    url: "https://accounts.google.com",
});

Import

IAM OpenID Connect Providers can be imported using the arn, e.g.

 $ pulumi import aws:iam/openIdConnectProvider:OpenIdConnectProvider default arn:aws:iam::123456789012:oidc-provider/accounts.google.com

constructor

new OpenIdConnectProvider(name: string, args: OpenIdConnectProviderArgs, opts?: pulumi.CustomResourceOptions)

Create an OpenIdConnectProvider resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OpenIdConnectProviderState, opts?: pulumi.CustomResourceOptions): OpenIdConnectProvider

Get an existing OpenIdConnectProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is OpenIdConnectProvider

Returns true if the given object is an instance of OpenIdConnectProvider. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN assigned by AWS for this provider.

property clientIdLists

public clientIdLists: pulumi.Output<string[]>;

A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the clientId parameter on OAuth requests.)

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property thumbprintLists

public thumbprintLists: pulumi.Output<string[]>;

A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificate(s).

property url

public url: pulumi.Output<string>;

The URL of the identity provider. Corresponds to the iss claim.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Policy

class Policy extends CustomResource

Provides an IAM policy.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const policy = new aws.iam.Policy("policy", {
    description: "My test policy",
    path: "/",
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});

Import

IAM Policies can be imported using the arn, e.g.

 $ pulumi import aws:iam/policy:Policy administrator arn:aws:iam::123456789012:policy/UsersManageOwnCredentials

constructor

new Policy(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a Policy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Policy

Returns true if the given object is an instance of Policy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN assigned by AWS to this policy.

property description

public description: pulumi.Output<string | undefined>;

Description of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

public path: pulumi.Output<string | undefined>;

Path in which to create the policy. See IAM Identifiers for more information.

property policy

public policy: pulumi.Output<string>;

The policy document. This is a JSON formatted string.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource PolicyAttachment

class PolicyAttachment extends CustomResource

Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)

WARNING: The aws.iam.PolicyAttachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws.iam.PolicyAttachment resource. This means that any users/roles/groups that have the policy attached via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider aws.iam.RolePolicyAttachment, aws.iam.UserPolicyAttachment, or aws.iam.GroupPolicyAttachment instead. These resources do not enforce exclusive attachment of an IAM policy.

NOTE: The usage of this resource conflicts with the aws.iam.GroupPolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.UserPolicyAttachment resources and will permanently show a difference if both are defined.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const user = new aws.iam.User("user", {});
const role = new aws.iam.Role("role", {assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`});
const group = new aws.iam.Group("group", {});
const policy = new aws.iam.Policy("policy", {
    description: "A test policy",
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});
const test_attach = new aws.iam.PolicyAttachment("test-attach", {
    users: [user.name],
    roles: [role.name],
    groups: [group.name],
    policyArn: policy.arn,
});
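
The exclusivity warning above and the earlier aws.iam.GroupMembership warning describe conflicts that otherwise surface only after deployment, as revoked attachments or a permanent diff. This added example (not part of the Pulumi SDK) checks a list of declared attachments and memberships for those conflicts; the declaration shapes, rule names and sample values are hypothetical.

```typescript
// Hypothetical stand-ins for the arguments a program passes to the aws.iam
// attachment and membership constructors; policy ARNs are assumed to be known strings.
type AttachmentKind =
  | "PolicyAttachment"        // exclusive: owns every attachment of its policyArn
  | "RolePolicyAttachment"
  | "UserPolicyAttachment"
  | "GroupPolicyAttachment";

interface AttachmentDecl { kind: AttachmentKind; name: string; policyArn: string; }
interface MembershipDecl { name: string; group: string; }
interface Finding { rule: string; subject: string; resources: string[]; }
interface Bucket<T> { key: string; items: T[]; }

// Group items by a string key, keeping first-seen order.
function bucketBy<T>(items: T[], keyOf: (item: T) => string): Bucket<T>[] {
  const buckets: Bucket<T>[] = [];
  for (const item of items) {
    const key = keyOf(item);
    let bucket: Bucket<T> | undefined;
    for (const b of buckets) {
      if (b.key === key) { bucket = b; }
    }
    if (!bucket) {
      bucket = { key: key, items: [] };
      buckets.push(bucket);
    }
    bucket.items.push(item);
  }
  return buckets;
}

// A policy ARN may be managed by exactly one PolicyAttachment, or by any number of
// Role/User/Group attachments, but never by both kinds at once.
function findAttachmentConflicts(decls: AttachmentDecl[]): Finding[] {
  const findings: Finding[] = [];
  for (const bucket of bucketBy(decls, d => d.policyArn)) {
    const exclusive = bucket.items.filter(d => d.kind === "PolicyAttachment");
    const others = bucket.items.filter(d => d.kind !== "PolicyAttachment");
    if (exclusive.length > 1) {
      findings.push({
        rule: "multiple-exclusive-attachments",
        subject: bucket.key,
        resources: exclusive.map(d => d.name),
      });
    }
    if (exclusive.length > 0 && others.length > 0) {
      findings.push({
        rule: "exclusive-mixed-with-non-exclusive",
        subject: bucket.key,
        resources: bucket.items.map(d => d.name),
      });
    }
  }
  return findings;
}

// GroupMembership conflicts with itself when declared twice for one group.
// Group names are not distinguished by case, so compare them lowercased.
function findMembershipConflicts(decls: MembershipDecl[]): Finding[] {
  const findings: Finding[] = [];
  for (const bucket of bucketBy(decls, d => d.group.toLowerCase())) {
    if (bucket.items.length > 1) {
      findings.push({
        rule: "duplicate-group-membership",
        subject: bucket.key,
        resources: bucket.items.map(d => d.name),
      });
    }
  }
  return findings;
}

// Constructed sample declarations (not taken from a real account).
const READONLY_ARN = "arn:aws:iam::123456789012:policy/example-readonly";
const DEPLOY_ARN = "arn:aws:iam::123456789012:policy/example-deploy";

const sampleAttachments: AttachmentDecl[] = [
  { kind: "PolicyAttachment", name: "readonly-everyone", policyArn: READONLY_ARN },
  { kind: "RolePolicyAttachment", name: "readonly-ci-role", policyArn: READONLY_ARN },
  { kind: "RolePolicyAttachment", name: "deploy-ci-role", policyArn: DEPLOY_ARN },
  { kind: "GroupPolicyAttachment", name: "deploy-ops-group", policyArn: DEPLOY_ARN },
];

const sampleMemberships: MembershipDecl[] = [
  { name: "team-a", group: "Developers" },
  { name: "team-b", group: "developers" },
  { name: "ops", group: "operators" },
];
```
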

constructor

new PolicyAttachment(name: string, args: PolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions)

Create a PolicyAttachment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyAttachmentState, opts?: pulumi.CustomResourceOptions): PolicyAttachment

Get an existing PolicyAttachment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is PolicyAttachment

Returns true if the given object is an instance of PolicyAttachment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property groups

public groups: pulumi.Output<string[] | undefined>;

The group(s) the policy should be applied to

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the attachment. This cannot be an empty string.

property policyArn

public policyArn: pulumi.Output<ARN>;

The ARN of the policy you want to apply

property roles

public roles: pulumi.Output<string[] | undefined>;

The role(s) the policy should be applied to

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property users

public users: pulumi.Output<string[] | undefined>;

The user(s) the policy should be applied to

Resource Role

class Role extends CustomResource

Provides an IAM role.

NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the forceDetachPolicies argument must be set to true and applied before attempting the operation; otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testRole = new aws.iam.Role("test_role", {
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
    tags: {
        "tag-key": "tag-value",
    },
});

Example of Using Data Source for Assume Role Policy

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Build the trust policy with the data source instead of a hand-written JSON string.
const instanceAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["ec2.amazonaws.com"],
        }],
    }],
});
const instance = new aws.iam.Role("instance", {
    path: "/system/",
    assumeRolePolicy: instanceAssumeRolePolicy.then(doc => doc.json),
});
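
The policy and assumeRolePolicy properties documented on this page take a JSON string, so a malformed or over-broad document is not caught until deployment, if at all. The following check is an added example, not part of the Pulumi SDK; lintPolicyDocument, its rule names and the constructed sample documents are assumptions of this example.

```typescript
interface PolicyFinding {
  statement: number; // index into Statement, or -1 for document-level issues
  issue: string;
}

type PolicyKind = "identity" | "trust";

// IAM accepts a single value or an array almost everywhere; normalise to an array.
function asArray(value: unknown): unknown[] {
  if (value === undefined || value === null) { return []; }
  return Array.isArray(value) ? value : [value];
}

// Flatten a Principal element ("*" or { AWS|Service|Federated: string | string[] })
// into "type:value" strings so wildcards can be matched uniformly.
function principalsOf(principal: unknown): string[] {
  if (typeof principal === "string") { return [principal]; }
  if (principal === null || typeof principal !== "object") { return []; }
  const byType = principal as { [ptype: string]: unknown };
  const flat: string[] = [];
  for (const ptype of Object.keys(byType)) {
    for (const value of asArray(byType[ptype])) {
      flat.push(ptype + ":" + String(value));
    }
  }
  return flat;
}

function lintPolicyDocument(json: string, kind: PolicyKind): PolicyFinding[] {
  let doc: any;
  try {
    doc = JSON.parse(json);
  } catch {
    return [{ statement: -1, issue: "invalid-json" }];
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return [{ statement: -1, issue: "not-a-policy-object" }];
  }
  const findings: PolicyFinding[] = [];
  if (doc.Version !== "2012-10-17") {
    findings.push({ statement: -1, issue: "unexpected-version" });
  }
  const statements: any[] = asArray(doc.Statement);
  if (statements.length === 0) {
    findings.push({ statement: -1, issue: "no-statements" });
  }
  statements.forEach((stmt, i) => {
    // Only Allow statements can widen access; Deny statements are skipped.
    if (stmt === null || typeof stmt !== "object" || stmt.Effect !== "Allow") { return; }
    if (stmt.NotAction !== undefined) {
      findings.push({ statement: i, issue: "allow-with-notaction" });
    }
    const conditioned = stmt.Condition !== undefined && stmt.Condition !== null &&
      Object.keys(stmt.Condition).length > 0;
    if (kind === "trust") {
      // Trust policy: who may assume the role.
      const wildcard = principalsOf(stmt.Principal).some(p => p === "*" || p === "AWS:*");
      if (wildcard && !conditioned) {
        findings.push({ statement: i, issue: "wildcard-principal-without-condition" });
      }
    } else {
      // Identity policy: what the attached user, group or role may do.
      const allActions = asArray(stmt.Action).indexOf("*") >= 0;
      const allResources = asArray(stmt.Resource).indexOf("*") >= 0;
      if (allActions && allResources) {
        findings.push({ statement: i, issue: "allow-all-actions-on-all-resources" });
      }
    }
  });
  return findings;
}

// The trust policy used in this page's Role examples.
const PAGE_TRUST_POLICY = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}`;

// Constructed sample: a single-object Statement whose principal list contains "*".
const OPEN_TRUST_POLICY = `{
  "Version": "2012-10-17",
  "Statement": {
    "Action": "sts:AssumeRole",
    "Principal": { "AWS": ["arn:aws:iam::123456789012:root", "*"] },
    "Effect": "Allow"
  }
}`;

// Constructed sample: administrator-equivalent identity policy.
const ALLOW_ALL_POLICY =
  `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`;

// The placeholder string from this page's attachment examples; it is not valid JSON.
const PLACEHOLDER_POLICY = "{ ... policy JSON ... }";
```
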

Import

IAM Roles can be imported using the name, e.g.

 $ pulumi import aws:iam/role:Role developer developer_name

constructor

new Role(name: string, args: RoleArgs, opts?: pulumi.CustomResourceOptions)

Create a Role resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RoleState, opts?: pulumi.CustomResourceOptions): Role

Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Role

Returns true if the given object is an instance of Role. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) specifying the role.

property assumeRolePolicy

public assumeRolePolicy: pulumi.Output<string>;

The policy that grants an entity permission to assume the role.

property createDate

public createDate: pulumi.Output<string>;

The creation date of the IAM role.

property description

public description: pulumi.Output<string | undefined>;

The description of the role.

property forceDetachPolicies

public forceDetachPolicies: pulumi.Output<boolean | undefined>;

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxSessionDuration

public maxSessionDuration: pulumi.Output<number | undefined>;

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

property name

public name: pulumi.Output<string>;

The name of the role. If omitted, this provider will assign a random, unique name.

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

public path: pulumi.Output<string | undefined>;

The path to the role. See IAM Identifiers for more information.

property permissionsBoundary

public permissionsBoundary: pulumi.Output<string | undefined>;

The ARN of the policy that is used to set the permissions boundary for the role.

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

Key-value map of tags for the IAM role

property uniqueId

public uniqueId: pulumi.Output<string>;

The stable and unique string identifying the role.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource RolePolicy

class RolePolicy extends CustomResource

Provides an IAM role inline policy.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testRole = new aws.iam.Role("testRole", {assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`});
const testPolicy = new aws.iam.RolePolicy("testPolicy", {
    role: testRole.id,
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});

Import

IAM Role Policies can be imported using the role_name:role_policy_name, e.g.

 $ pulumi import aws:iam/rolePolicy:RolePolicy mypolicy role_of_mypolicy_name:mypolicy_name

constructor

new RolePolicy(name: string, args: RolePolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a RolePolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RolePolicyState, opts?: pulumi.CustomResourceOptions): RolePolicy

Get an existing RolePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is RolePolicy

Returns true if the given object is an instance of RolePolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the role policy. If omitted, this provider will assign a random, unique name.

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

public policy: pulumi.Output<string>;

The policy document. This is a JSON formatted string.

property role

public role: pulumi.Output<string>;

The IAM role to attach to the policy.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource RolePolicyAttachment

class RolePolicyAttachment extends CustomResource

Attaches a Managed IAM Policy to an IAM role

NOTE: The usage of this resource conflicts with the aws.iam.PolicyAttachment resource and will permanently show a difference if both are defined.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const role = new aws.iam.Role("role", {assumeRolePolicy: `    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
`});
const policy = new aws.iam.Policy("policy", {
    description: "A test policy",
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});
const test_attach = new aws.iam.RolePolicyAttachment("test-attach", {
    role: role.name,
    policyArn: policy.arn,
});

Import

IAM role policy attachments can be imported using the role name and policy arn separated by /.

 $ pulumi import aws:iam/rolePolicyAttachment:RolePolicyAttachment test-attach test-role/arn:aws:iam::xxxxxxxxxxxx:policy/test-policy

constructor

new RolePolicyAttachment(name: string, args: RolePolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions)

Create a RolePolicyAttachment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RolePolicyAttachmentState, opts?: pulumi.CustomResourceOptions): RolePolicyAttachment

Get an existing RolePolicyAttachment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is RolePolicyAttachment

Returns true if the given object is an instance of RolePolicyAttachment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyArn

public policyArn: pulumi.Output<ARN>;

The ARN of the policy you want to apply

property role

public role: pulumi.Output<string>;

The role the policy should be applied to

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SamlProvider

class SamlProvider extends CustomResource

Provides an IAM SAML provider.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
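import * as fs from "fs";

// Read the IdP metadata as a UTF-8 string; without an encoding readFileSync returns a Buffer.
const _default = new aws.iam.SamlProvider("default", {samlMetadataDocument: fs.readFileSync("saml-metadata.xml", "utf8")});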

Import

IAM SAML Providers can be imported using the arn, e.g.

 $ pulumi import aws:iam/samlProvider:SamlProvider default arn:aws:iam::123456789012:saml-provider/SAMLADFS

constructor

new SamlProvider(name: string, args: SamlProviderArgs, opts?: pulumi.CustomResourceOptions)

Create a SamlProvider resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SamlProviderState, opts?: pulumi.CustomResourceOptions): SamlProvider

Get an existing SamlProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SamlProvider

Returns true if the given object is an instance of SamlProvider. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN assigned by AWS for this provider.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the provider to create.

property samlMetadataDocument

public samlMetadataDocument: pulumi.Output<string>;

An XML document generated by an identity provider that supports SAML 2.0.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validUntil

public validUntil: pulumi.Output<string>;

The expiration date and time for the SAML provider in RFC1123 format, e.g. Mon, 02 Jan 2006 15:04:05 MST.

Resource ServerCertificate

class ServerCertificate extends CustomResource

Provides an IAM Server Certificate resource to upload Server Certificates. Certs uploaded to IAM can easily work with other AWS services such as:

  • AWS Elastic Beanstalk
  • Elastic Load Balancing
  • CloudFront
  • AWS OpsWorks

For information about server certificates in IAM, see [Managing Server Certificates][2] in AWS Documentation.

Note: All arguments including the private key will be stored in the raw state as plain-text.

Example Usage

Using certs on file:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
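import * as fs from "fs";

// Read both PEM files as UTF-8 strings; without an encoding readFileSync returns a Buffer.
const testCert = new aws.iam.ServerCertificate("testCert", {
    certificateBody: fs.readFileSync("self-ca-cert.pem", "utf8"),
    privateKey: fs.readFileSync("test-key.pem", "utf8"),
});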

Example with cert in-line:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testCertAlt = new aws.iam.ServerCertificate("test_cert_alt", {
    certificateBody: `-----BEGIN CERTIFICATE-----
[......] # cert contents
-----END CERTIFICATE-----
`,
    privateKey: `-----BEGIN RSA PRIVATE KEY-----
[......] # cert contents
-----END RSA PRIVATE KEY-----
`,
});

Use in combination with an AWS ELB resource:

Some properties of an IAM Server Certificate cannot be updated while it is in use. In order for this provider to effectively manage a Certificate in this situation, it is recommended you utilize the namePrefix attribute and enable the createBeforeDestroy [lifecycle block][lifecycle]. This will allow this provider to create a new, updated aws.iam.ServerCertificate resource and replace it in dependent resources before attempting to destroy the old version.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
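import * as fs from "fs";

// namePrefix lets a replacement certificate be created under a new name before the old one is destroyed.
const testCert = new aws.iam.ServerCertificate("testCert", {
    namePrefix: "example-cert",
    certificateBody: fs.readFileSync("self-ca-cert.pem", "utf8"),
    privateKey: fs.readFileSync("test-key.pem", "utf8"),
});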
const ourapp = new aws.elb.LoadBalancer("ourapp", {
    availabilityZones: ["us-west-2a"],
    crossZoneLoadBalancing: true,
    listeners: [{
        instancePort: 8000,
        instanceProtocol: "http",
        lbPort: 443,
        lbProtocol: "https",
        sslCertificateId: testCert.arn,
    }],
});

Import

IAM Server Certificates can be imported using the name, e.g.

 $ pulumi import aws:iam/serverCertificate:ServerCertificate certificate example.com-certificate-until-2018

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingServerCerts.html
[lifecycle] /docs/configuration/resources.html

constructor

new ServerCertificate(name: string, args: ServerCertificateArgs, opts?: pulumi.CustomResourceOptions)

Create a ServerCertificate resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ServerCertificateState, opts?: pulumi.CustomResourceOptions): ServerCertificate

Get an existing ServerCertificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is ServerCertificate

Returns true if the given object is an instance of ServerCertificate. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) specifying the server certificate.

property certificateBody

public certificateBody: pulumi.Output<string>;

The contents of the public key certificate in PEM-encoded format.

property certificateChain

public certificateChain: pulumi.Output<string | undefined>;

The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the Server Certificate. Do not include the path in this value. If omitted, this provider will assign a random, unique name.

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

public path: pulumi.Output<string | undefined>;

The IAM path for the server certificate. If it is not included, it defaults to a slash (/). If this certificate is for use with AWS CloudFront, the path must be in format /cloudfront/your_path_here. See IAM Identifiers for more details on IAM Paths.

property privateKey

public privateKey: pulumi.Output<string>;

The contents of the private key in PEM-encoded format.
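A check for the condition described in the note at the top of this resource (arguments, including the private key, are stored in state as plain text): the added example below walks a stack export and reports every string property that contains a PEM private-key header. It is not Pulumi's own code; findPlaintextKeys, the deployment.resources[].inputs/outputs layout it reads, and the sample export are assumptions constructed for illustration.

```typescript
interface Exposure {
    urn: string;  // resource that carries the key
    path: string; // property path inside that resource, e.g. "inputs.privateKey"
}

// Matches "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "BEGIN EC PRIVATE KEY", etc.
const PEM_PRIVATE_KEY = /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/;

// Depth-first walk over a JSON value, calling visit for every string leaf.
function walkStrings(value: unknown, path: string, visit: (path: string, s: string) => void): void {
    if (typeof value === "string") {
        visit(path, value);
    } else if (Array.isArray(value)) {
        value.forEach((item, i) => walkStrings(item, `${path}[${i}]`, visit));
    } else if (typeof value === "object" && value !== null) {
        const obj = value as { [k: string]: unknown };
        for (const key of Object.keys(obj)) {
            walkStrings(obj[key], `${path}.${key}`, visit);
        }
    }
}

// Returns one entry per plaintext private key found in resource inputs or outputs.
function findPlaintextKeys(exportJson: string): Exposure[] {
    const root = JSON.parse(exportJson);
    const list: unknown = root && root.deployment ? root.deployment.resources : undefined;
    const resources: unknown[] = Array.isArray(list) ? list : [];
    const hits: Exposure[] = [];
    for (const res of resources) {
        if (typeof res !== "object" || res === null) {
            continue;
        }
        const r = res as { [k: string]: unknown };
        const urnValue = r["urn"];
        const urn = typeof urnValue === "string" ? urnValue : "(no urn)";
        for (const section of ["inputs", "outputs"]) {
            walkStrings(r[section], section, (path, s) => {
                if (PEM_PRIVATE_KEY.test(s)) {
                    hits.push({ urn, path });
                }
            });
        }
    }
    return hits;
}

// Constructed sample modelled on stack export output; keys are placeholders, not real material.
const placeholderKey = "-----BEGIN RSA PRIVATE KEY-----\n[constructed placeholder]\n-----END RSA PRIVATE KEY-----\n";
const sampleExport = JSON.stringify({
    version: 3,
    deployment: {
        resources: [
            {
                urn: "urn:pulumi:dev::demo::aws:iam/serverCertificate:ServerCertificate::testCert",
                inputs: { privateKey: placeholderKey },
                outputs: {
                    certificateBody: "-----BEGIN CERTIFICATE-----\n[constructed placeholder]\n-----END CERTIFICATE-----\n",
                    privateKey: placeholderKey,
                },
            },
            {
                // Simplified stand-in for an encrypted value: an object with ciphertext, no PEM text.
                urn: "urn:pulumi:dev::demo::aws:iam/serverCertificate:ServerCertificate::wrappedCert",
                inputs: { privateKey: { ciphertext: "[constructed placeholder]" } },
                outputs: {},
            },
        ],
    },
});

for (const hit of findPlaintextKeys(sampleExport)) {
    console.log(`plaintext private key: ${hit.urn} at ${hit.path}`);
}
```

Values passed through pulumi.secret() are stored encrypted, so they do not contain the PEM header and are not reported.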

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource ServiceLinkedRole

class ServiceLinkedRole extends CustomResource

Provides an IAM service-linked role.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const elasticbeanstalk = new aws.iam.ServiceLinkedRole("elasticbeanstalk", {
    awsServiceName: "elasticbeanstalk.amazonaws.com",
});

Import

IAM service-linked roles can be imported using role ARN, e.g.

 $ pulumi import aws:iam/serviceLinkedRole:ServiceLinkedRole elasticbeanstalk arn:aws:iam::123456789012:role/aws-service-role/elasticbeanstalk.amazonaws.com/AWSServiceRoleForElasticBeanstalk

constructor

new ServiceLinkedRole(name: string, args: ServiceLinkedRoleArgs, opts?: pulumi.CustomResourceOptions)

Create a ServiceLinkedRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ServiceLinkedRoleState, opts?: pulumi.CustomResourceOptions): ServiceLinkedRole

Get an existing ServiceLinkedRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is ServiceLinkedRole

Returns true if the given object is an instance of ServiceLinkedRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) specifying the role.

property awsServiceName

public awsServiceName: pulumi.Output<string>;

The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.

property createDate

public createDate: pulumi.Output<string>;

The creation date of the IAM role.

property customSuffix

public customSuffix: pulumi.Output<string | undefined>;

Additional string appended to the role name. Not all AWS services support custom suffixes.

property description

public description: pulumi.Output<string | undefined>;

The description of the role.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the role.

property path

public path: pulumi.Output<string>;

The path of the role.

property uniqueId

public uniqueId: pulumi.Output<string>;

The stable and unique string identifying the role.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SshKey

class SshKey extends CustomResource

Uploads an SSH public key and associates it with the specified IAM user.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const userUser = new aws.iam.User("userUser", {path: "/"});
const userSshKey = new aws.iam.SshKey("userSshKey", {
    username: userUser.name,
    encoding: "SSH",
    publicKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 mytest@mydomain.com",
});

Import

SSH public keys can be imported using the username, ssh_public_key_id, and encoding e.g.

 $ pulumi import aws:iam/sshKey:SshKey user user:APKAJNCNNJICVN7CFKCA:SSH

constructor

new SshKey(name: string, args: SshKeyArgs, opts?: pulumi.CustomResourceOptions)

Create a SshKey resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SshKeyState, opts?: pulumi.CustomResourceOptions): SshKey

Get an existing SshKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SshKey

Returns true if the given object is an instance of SshKey. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property encoding

public encoding: pulumi.Output<string>;

Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.

property fingerprint

public fingerprint: pulumi.Output<string>;

The MD5 message digest of the SSH public key.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property publicKey

public publicKey: pulumi.Output<string>;

The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.

property sshPublicKeyId

public sshPublicKeyId: pulumi.Output<string>;

The unique identifier for the SSH public key.

property status

public status: pulumi.Output<string>;

The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property username

public username: pulumi.Output<string>;

The name of the IAM user to associate the SSH public key with.

Resource User

class User extends CustomResource

Provides an IAM user.

NOTE: If policies are attached to the user via the aws.iam.PolicyAttachment resource and you are modifying the user name or path, the forceDestroy argument must be set to true and applied before attempting the operation; otherwise you will encounter a DeleteConflict error. The aws.iam.UserPolicyAttachment resource (recommended) does not have this requirement.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const lbUser = new aws.iam.User("lbUser", {
    path: "/system/",
    tags: {
        "tag-key": "tag-value",
    },
});
const lbAccessKey = new aws.iam.AccessKey("lbAccessKey", {user: lbUser.name});
const lbRo = new aws.iam.UserPolicy("lbRo", {
    user: lbUser.name,
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});

Import

IAM Users can be imported using the name, e.g.

 $ pulumi import aws:iam/user:User lb loadbalancer

constructor

new User(name: string, args?: UserArgs, opts?: pulumi.CustomResourceOptions)

Create a User resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserState, opts?: pulumi.CustomResourceOptions): User

Get an existing User resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is User

Returns true if the given object is an instance of User. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN assigned by AWS for this user.

property forceDestroy

public forceDestroy: pulumi.Output<boolean | undefined>;

When destroying this user, destroy even if it has non-provider-managed IAM access keys, login profile or MFA devices. Without forceDestroy a user with non-provider-managed access keys and login profile will fail to be destroyed.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The user’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. User names are not distinguished by case. For example, you cannot create users named both “TESTUSER” and “testuser”.

property path

public path: pulumi.Output<string | undefined>;

Path in which to create the user.

property permissionsBoundary

public permissionsBoundary: pulumi.Output<string | undefined>;

The ARN of the policy that is used to set the permissions boundary for the user.

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

Key-value mapping of tags for the IAM user

property uniqueId

public uniqueId: pulumi.Output<string>;

The [unique ID][1] assigned by AWS.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource UserGroupMembership

class UserGroupMembership extends CustomResource

Provides a resource for adding an IAM User to IAM Groups. This resource can be used multiple times with the same user for non-overlapping groups.

To exclusively manage the users in a group, see the [aws.iam.GroupMembership resource][3].

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const user1 = new aws.iam.User("user1", {});
const group1 = new aws.iam.Group("group1", {});
const group2 = new aws.iam.Group("group2", {});
const example1 = new aws.iam.UserGroupMembership("example1", {
    user: user1.name,
    groups: [
        group1.name,
        group2.name,
    ],
});
const group3 = new aws.iam.Group("group3", {});
const example2 = new aws.iam.UserGroupMembership("example2", {
    user: user1.name,
    groups: [group3.name],
});

Import

IAM user group membership can be imported using the user name and group names separated by /.

 $ pulumi import aws:iam/userGroupMembership:UserGroupMembership example1 user1/group1/group2

constructor

new UserGroupMembership(name: string, args: UserGroupMembershipArgs, opts?: pulumi.CustomResourceOptions)

Create a UserGroupMembership resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserGroupMembershipState, opts?: pulumi.CustomResourceOptions): UserGroupMembership

Get an existing UserGroupMembership resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserGroupMembership

Returns true if the given object is an instance of UserGroupMembership. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property groups

public groups: pulumi.Output<string[]>;

A list of IAM Groups to add the user to

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property user

public user: pulumi.Output<string>;

The name of the IAM User to add to groups

Resource UserLoginProfile

class UserLoginProfile extends CustomResource

Manages an IAM User Login Profile with limited support for password creation during this provider resource creation. Uses PGP to encrypt the password for safe transport to the user. PGP keys can be obtained from Keybase.

To reset an IAM User login password via this provider, you can delete and recreate this resource or change any of the arguments.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleUser = new aws.iam.User("exampleUser", {
    path: "/",
    forceDestroy: true,
});
const exampleUserLoginProfile = new aws.iam.UserLoginProfile("exampleUserLoginProfile", {
    user: exampleUser.name,
    pgpKey: "keybase:some_person_that_exists",
});
export const password = exampleUserLoginProfile.encryptedPassword;

Import

IAM User Login Profiles can be imported without password information support via the IAM User name, e.g.

 $ pulumi import aws:iam/userLoginProfile:UserLoginProfile example myusername

Since this provider has no method to read the PGP or password information during import, use the ignore_changes argument to ignore them unless password recreation is desired, e.g.

resource "aws_iam_user_login_profile" "example" {
  # ... other configuration ...

  lifecycle {
    ignore_changes = [
      password_length,
      password_reset_required,
      pgp_key,
    ]
  }
}

constructor

new UserLoginProfile(name: string, args: UserLoginProfileArgs, opts?: pulumi.CustomResourceOptions)

Create a UserLoginProfile resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserLoginProfileState, opts?: pulumi.CustomResourceOptions): UserLoginProfile

Get an existing UserLoginProfile resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserLoginProfile

Returns true if the given object is an instance of UserLoginProfile. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property encryptedPassword

public encryptedPassword: pulumi.Output<string>;

The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyFingerprint

public keyFingerprint: pulumi.Output<string>;

The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.

property passwordLength

public passwordLength: pulumi.Output<number | undefined>;

The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.

property passwordResetRequired

public passwordResetRequired: pulumi.Output<boolean | undefined>;

Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.

property pgpKey

public pgpKey: pulumi.Output<string>;

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property user

public user: pulumi.Output<string>;

The IAM user’s name.

Resource UserPolicy

class UserPolicy extends CustomResource

Provides an IAM policy attached to a user.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const lbUser = new aws.iam.User("lbUser", {path: "/system/"});
const lbRo = new aws.iam.UserPolicy("lbRo", {
    user: lbUser.name,
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});
const lbAccessKey = new aws.iam.AccessKey("lbAccessKey", {user: lbUser.name});

Import

IAM User Policies can be imported using the user_name:user_policy_name, e.g.

 $ pulumi import aws:iam/userPolicy:UserPolicy mypolicy user_of_mypolicy_name:mypolicy_name

constructor

new UserPolicy(name: string, args: UserPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a UserPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserPolicyState, opts?: pulumi.CustomResourceOptions): UserPolicy

Get an existing UserPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserPolicy

Returns true if the given object is an instance of UserPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

public policy: pulumi.Output<string>;

The policy document. This is a JSON formatted string.
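The policy argument of aws.iam.RolePolicy and aws.iam.UserPolicy, like assumeRolePolicy on aws.iam.Role, is typed only as a string, so the scope of what it grants is easy to miss in review. The added example below (not part of the Pulumi SDK; auditPolicy and its helpers are hypothetical names) parses such a string and reports wildcard grants, using the two documents from the RolePolicy example on this page plus one constructed over-broad policy.

```typescript
type Level = "high" | "review";

interface Finding {
    statement: number; // index into Statement, or -1 for the document itself
    level: Level;
    issue: string;
}

// IAM accepts a single string or an array of strings for Action and Resource.
function toList(value: unknown): string[] {
    if (typeof value === "string") {
        return [value];
    }
    const out: string[] = [];
    if (Array.isArray(value)) {
        for (const v of value) {
            if (typeof v === "string") {
                out.push(v);
            }
        }
    }
    return out;
}

// True when a Principal element matches any caller: "*" or {"AWS": "*"}.
function isAnyPrincipal(principal: unknown): boolean {
    if (principal === "*") {
        return true;
    }
    if (typeof principal === "object" && principal !== null) {
        const aws = (principal as { [k: string]: unknown })["AWS"];
        return toList(aws).indexOf("*") !== -1;
    }
    return false;
}

function auditPolicy(policyJson: string): Finding[] {
    let parsed: unknown;
    try {
        parsed = JSON.parse(policyJson);
    } catch (err) {
        return [{ statement: -1, level: "high", issue: "policy is not valid JSON" }];
    }
    if (typeof parsed !== "object" || parsed === null) {
        return [{ statement: -1, level: "high", issue: "policy is not a JSON object" }];
    }
    const raw = (parsed as { [k: string]: unknown })["Statement"];
    // Statement may be one object or an array of objects.
    const statements: unknown[] = Array.isArray(raw) ? raw : raw === undefined ? [] : [raw];
    const findings: Finding[] = [];

    statements.forEach((entry, i) => {
        if (typeof entry !== "object" || entry === null) {
            return;
        }
        const st = entry as { [k: string]: unknown };
        if (st["Effect"] !== "Allow") {
            return; // Deny statements only narrow access
        }
        const allResources = toList(st["Resource"]).indexOf("*") !== -1;

        if (st["NotAction"] !== undefined) {
            findings.push({ statement: i, level: "high",
                issue: "Allow with NotAction grants every action except those listed" });
        }
        for (const action of toList(st["Action"])) {
            if (action === "*" || /^[A-Za-z0-9-]+:\*$/.test(action)) {
                findings.push({ statement: i, level: "high",
                    issue: `action '${action}' covers a whole service or all services` });
            } else if (action.indexOf("*") !== -1 && allResources) {
                findings.push({ statement: i, level: "review",
                    issue: `action pattern '${action}' applies to Resource '*'` });
            }
        }
        if (isAnyPrincipal(st["Principal"]) && st["Condition"] === undefined) {
            findings.push({ statement: i, level: "high",
                issue: "Principal '*' with no Condition matches any caller" });
        }
    });
    return findings;
}

// The trust policy and inline policy from the RolePolicy example on this page.
const trustPolicy = `{"Version":"2012-10-17","Statement":[{"Action":"sts:AssumeRole",
  "Principal":{"Service":"ec2.amazonaws.com"},"Effect":"Allow","Sid":""}]}`;
const inlinePolicy = `{"Version":"2012-10-17","Statement":[{"Action":["ec2:Describe*"],
  "Effect":"Allow","Resource":"*"}]}`;
// Constructed for comparison: a single-object Statement granting all of IAM.
const broadPolicy = `{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"iam:*","Resource":"*"}}`;

for (const [name, doc] of [["trust", trustPolicy], ["inline", inlinePolicy], ["broad", broadPolicy]]) {
    for (const f of auditPolicy(doc)) {
        console.log(`${name}[${f.statement}] ${f.level}: ${f.issue}`);
    }
}
```

Calling auditPolicy on each document before constructing the resource lets a deployment fail early on "high" findings, while "review" findings such as ec2:Describe* on all resources are left for a human to accept.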

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property user

public user: pulumi.Output<string>;

IAM user to which to attach this policy.

Resource UserPolicyAttachment

class UserPolicyAttachment extends CustomResource

Attaches a Managed IAM Policy to an IAM user

NOTE: The usage of this resource conflicts with the aws.iam.PolicyAttachment resource and will permanently show a difference if both are defined.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const user = new aws.iam.User("user", {});
const policy = new aws.iam.Policy("policy", {
    description: "A test policy",
    policy: "{ ... policy JSON ... }",
});
const test_attach = new aws.iam.UserPolicyAttachment("test-attach", {
    user: user.name,
    policyArn: policy.arn,
});

Import

IAM user policy attachments can be imported using the user name and policy arn separated by /.

 $ pulumi import aws:iam/userPolicyAttachment:UserPolicyAttachment test-attach test-user/arn:aws:iam::xxxxxxxxxxxx:policy/test-policy

constructor

new UserPolicyAttachment(name: string, args: UserPolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions)

Create a UserPolicyAttachment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserPolicyAttachmentState, opts?: pulumi.CustomResourceOptions): UserPolicyAttachment

Get an existing UserPolicyAttachment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserPolicyAttachment

Returns true if the given object is an instance of UserPolicyAttachment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyArn

public policyArn: pulumi.Output<ARN>;

The ARN of the policy you want to apply

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property user

public user: pulumi.Output<string>;

The user the policy should be applied to

Functions

Function getAccountAlias

getAccountAlias(opts?: pulumi.InvokeOptions): Promise<GetAccountAliasResult>

The IAM Account Alias data source allows access to the account alias for the effective account in which this provider is working.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const current = aws.iam.getAccountAlias({});
export const accountId = current.then(current => current.accountAlias);

Function getGroup

getGroup(args: GetGroupArgs, opts?: pulumi.InvokeOptions): Promise<GetGroupResult>

This data source can be used to fetch information about a specific IAM group. By using this data source, you can reference IAM group properties without having to hard code ARNs as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = pulumi.output(aws.iam.getGroup({
    groupName: "an_example_group_name",
}, { async: true }));

Function getInstanceProfile

getInstanceProfile(args: GetInstanceProfileArgs, opts?: pulumi.InvokeOptions): Promise<GetInstanceProfileResult>

This data source can be used to fetch information about a specific IAM instance profile. By using this data source, you can reference IAM instance profile properties without having to hard code ARNs as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = pulumi.output(aws.iam.getInstanceProfile({
    name: "an_example_instance_profile_name",
}, { async: true }));

Function getPolicy

getPolicy(args: GetPolicyArgs, opts?: pulumi.InvokeOptions): Promise<GetPolicyResult>

This data source can be used to fetch information about a specific IAM policy.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = pulumi.output(aws.iam.getPolicy({
    arn: "arn:aws:iam::123456789012:policy/UsersManageOwnCredentials",
}, { async: true }));

Function getPolicyDocument

getPolicyDocument(args?: GetPolicyDocumentArgs, opts?: pulumi.InvokeOptions): Promise<GetPolicyDocumentResult>

Generates an IAM policy document in JSON format.

This is a data source which can be used to construct a JSON representation of an IAM policy document, for use with resources which expect policy documents, such as the aws.iam.Policy resource.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The bucket name comes from stack configuration; the key name "s3BucketName" is an example.
const config = new pulumi.Config();
const s3BucketName = config.require("s3BucketName");

const examplePolicyDocument = aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "1",
            actions: [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
            ],
            resources: ["arn:aws:s3:::*"],
        },
        {
            actions: ["s3:ListBucket"],
            resources: [`arn:aws:s3:::${s3BucketName}`],
            conditions: [{
                test: "StringLike",
                variable: "s3:prefix",
                values: [
                    "",
                    "home/",
                    "home/&{aws:username}/",
                ],
            }],
        },
        {
            actions: ["s3:*"],
            resources: [
                `arn:aws:s3:::${s3BucketName}/home/&{aws:username}`,
                `arn:aws:s3:::${s3BucketName}/home/&{aws:username}/*`,
            ],
        },
    ],
});
const examplePolicy = new aws.iam.Policy("examplePolicy", {
    path: "/",
    policy: examplePolicyDocument.then(examplePolicyDocument => examplePolicyDocument.json),
});

Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings within your configuration, or to use the file interpolation function to read a raw JSON policy document from a file.

Context Variable Interpolation

The IAM policy document format allows context variables to be interpolated into various strings within a statement. The native IAM policy document format uses ${...}-style syntax that is in conflict with interpolation syntax, so this data source instead uses &{...} syntax for interpolations that should be processed by AWS rather than by this provider.

Wildcard Principal

To define a wildcard principal (a.k.a. anonymous user), use type = "*" and identifiers = ["*"]. In that case the rendered JSON will contain "Principal": "*". Note that even though the IAM documentation states that "Principal": "*" and "Principal": {"AWS": "*"} are equivalent, those principals behave differently in an IAM role trust policy. Therefore this provider normalizes the principal field only in the above-mentioned case, and principals like type = "AWS" and identifiers = ["*"] are rendered as "Principal": {"AWS": "*"}.
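The two rendering rules above (the &{...} escape and the wildcard principal normalization) as an added local model in TypeScript; it is not the provider's code. The function names, the account ID and the role ARN are constructed for illustration, and hasWildcardIdentifier is a hypothetical review helper for spotting principals that admit every caller.

```typescript
// Local model of the two rendering rules above; not the provider's code.
interface PrincipalBlock {
    type: string;
    identifiers: string[];
}
type RenderedPrincipal = string | { [kind: string]: string | string[] };

// "&{...}" marks a variable for AWS to resolve; the rendered JSON needs "${...}".
function toIamVariables(value: string): string {
    return value.split("&{").join("${");
}

function renderPrincipals(blocks: PrincipalBlock[]): RenderedPrincipal {
    // Only the single block type "*" / identifiers ["*"] becomes the bare wildcard.
    if (blocks.length === 1 && blocks[0].type === "*" &&
        blocks[0].identifiers.length === 1 && blocks[0].identifiers[0] === "*") {
        return "*";
    }
    // Blocks of the same type are grouped under one key.
    const byKind: { [kind: string]: string[] } = {};
    for (const block of blocks) {
        const seen = byKind[block.type] || [];
        byKind[block.type] = seen.concat(block.identifiers.map(toIamVariables));
    }
    // A single identifier is rendered as a string, several as a list.
    const rendered: { [kind: string]: string | string[] } = {};
    for (const kind of Object.keys(byKind)) {
        const ids = byKind[kind];
        rendered[kind] = ids.length === 1 ? ids[0] : ids;
    }
    return rendered;
}

// Review check (hypothetical helper): does any identifier admit every caller?
function hasWildcardIdentifier(principal: RenderedPrincipal): boolean {
    if (typeof principal === "string") { return principal === "*"; }
    for (const kind of Object.keys(principal)) {
        const ids = principal[kind];
        const list = typeof ids === "string" ? [ids] : ids;
        if (list.indexOf("*") >= 0) { return true; }
    }
    return false;
}

// Constructed sample inputs.
const anonymous = renderPrincipals([{ type: "*", identifiers: ["*"] }]);
const anyAwsIdentity = renderPrincipals([{ type: "AWS", identifiers: ["*"] }]);
const mixed = renderPrincipals([
    { type: "Service", identifiers: ["firehose.amazonaws.com"] },
    { type: "AWS", identifiers: ["arn:aws:iam::111122223333:role/example-trusted"] },
]);
const homePrefix = toIamVariables("home/&{aws:username}/");

console.log(JSON.stringify({ anonymous, anyAwsIdentity, mixed, homePrefix }));
```

Both wildcard forms are flagged by the check, since either one in an Allow statement deserves a reviewer's attention before deployment.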

Example with Multiple Principals

This example shows how to use the data source as an assume role policy and how to specify multiple principal blocks with different types.

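import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Values come from stack configuration; the key names are examples.
const config = new pulumi.Config();
const trustedRoleArn = config.require("trustedRoleArn");
const accountId = config.require("accountId");
const providerName = config.require("providerName");

const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [
            {
                type: "Service",
                identifiers: ["firehose.amazonaws.com"],
            },
            {
                type: "AWS",
                identifiers: [trustedRoleArn],
            },
            {
                type: "Federated",
                identifiers: [
                    `arn:aws:iam::${accountId}:saml-provider/${providerName}`,
                    "cognito-identity.amazonaws.com",
                ],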
            },
        ],
    }],
});

Example with Source and Override

This example shows how to use sourceJson and overrideJson.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const source = aws.iam.getPolicyDocument({
    statements: [
        {
            actions: ["ec2:*"],
            resources: ["*"],
        },
        {
            sid: "SidToOverwrite",
            actions: ["s3:*"],
            resources: ["*"],
        },
    ],
});
const sourceJsonExample = source.then(source => aws.iam.getPolicyDocument({
    sourceJson: source.json,
    statements: [{
        sid: "SidToOverwrite",
        actions: ["s3:*"],
        resources: [
            "arn:aws:s3:::somebucket",
            "arn:aws:s3:::somebucket/*",
        ],
    }],
}));
const override = aws.iam.getPolicyDocument({
    statements: [{
        sid: "SidToOverwrite",
        actions: ["s3:*"],
        resources: ["*"],
    }],
});
const overrideJsonExample = override.then(override => aws.iam.getPolicyDocument({
    overrideJson: override.json,
    statements: [
        {
            actions: ["ec2:*"],
            resources: ["*"],
        },
        {
            sid: "SidToOverwrite",
            actions: ["s3:*"],
            resources: [
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*",
            ],
        },
    ],
}));

data.aws_iam_policy_document.source_json_example.json will evaluate to:


data.aws_iam_policy_document.override_json_example.json will evaluate to:


You can also combine sourceJson and overrideJson in the same document.

Example without Statement

Use without a statement:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const source = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceholder",
        actions: ["ec2:DescribeAccountAttributes"],
        resources: ["*"],
    }],
});
const override = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceholder",
        actions: ["s3:GetObject"],
        resources: ["*"],
    }],
});
const politik = Promise.all([source, override]).then(([source, override]) => aws.iam.getPolicyDocument({
    sourceJson: source.json,
    overrideJson: override.json,
}));

data.aws_iam_policy_document.politik.json will evaluate to:

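The sid merge rule behind the sourceJson and overrideJson examples above (source and override, and the variant without statements), as an added local model in TypeScript; it is not the provider's code and does not model JSON rendering or element ordering. The function names are hypothetical, and widenedToWildcard is an added review check for layers that replace a scoped statement with "*".

```typescript
// Local model of the sid-merge rule documented for sourceJson and overrideJson.
// It is not the provider's code; statements are plain objects, not rendered JSON.
interface Statement {
    sid?: string;
    actions: string[];
    resources: string[];
}

interface DocumentArgs {
    sourceJson?: Statement[];   // base layer
    statements?: Statement[];   // the current document
    overrideJson?: Statement[]; // top layer
}

// Apply `top` over `base`: a non-blank sid replaces the statement with the
// same sid in place; everything else is appended.
function overlay(base: Statement[], top: Statement[]): Statement[] {
    const merged = base.slice();
    for (const stmt of top) {
        let hit = -1;
        if (stmt.sid) {
            for (let i = 0; i < merged.length; i++) {
                if (merged[i].sid === stmt.sid) { hit = i; }
            }
        }
        if (hit >= 0) { merged[hit] = stmt; } else { merged.push(stmt); }
    }
    return merged;
}

// sourceJson < statements < overrideJson, in increasing precedence.
function mergeDocument(args: DocumentArgs): Statement[] {
    const withCurrent = overlay(args.sourceJson || [], args.statements || []);
    return overlay(withCurrent, args.overrideJson || []);
}

// Review check: sids whose resources were scoped before a layer was applied
// and contain "*" afterwards.
function widenedToWildcard(before: Statement[], after: Statement[]): string[] {
    const widened: string[] = [];
    for (const a of after) {
        const sid = a.sid;
        if (!sid || a.resources.indexOf("*") < 0) { continue; }
        for (const b of before) {
            if (b.sid === sid && b.resources.indexOf("*") < 0) { widened.push(sid); }
        }
    }
    return widened;
}

// Statements copied from the examples above.
const ec2All: Statement = { actions: ["ec2:*"], resources: ["*"] };
const s3Everywhere: Statement = { sid: "SidToOverwrite", actions: ["s3:*"], resources: ["*"] };
const s3OneBucket: Statement = {
    sid: "SidToOverwrite",
    actions: ["s3:*"],
    resources: ["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
};

// sourceJsonExample: the current document narrows the sourced statement.
const sourceJsonExample = mergeDocument({
    sourceJson: [ec2All, s3Everywhere],
    statements: [s3OneBucket],
});

// overrideJsonExample: the override replaces the scoped statement with "*".
const overrideStatements = [ec2All, s3OneBucket];
const overrideJsonExample = mergeDocument({
    statements: overrideStatements,
    overrideJson: [s3Everywhere],
});

// politik: no statements of its own, only the two layers.
const politik = mergeDocument({
    sourceJson: [{ sid: "OverridePlaceholder", actions: ["ec2:DescribeAccountAttributes"], resources: ["*"] }],
    overrideJson: [{ sid: "OverridePlaceholder", actions: ["s3:GetObject"], resources: ["*"] }],
});

console.log(JSON.stringify({ sourceJsonExample, overrideJsonExample, politik }, null, 2));
console.log("widened by override:", widenedToWildcard(overrideStatements, overrideJsonExample));
```

In the override case the check reports SidToOverwrite: the scoped bucket statement written in the document is silently replaced by the broader one from overrideJson.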

Function getRole

getRole(args: GetRoleArgs, opts?: pulumi.InvokeOptions): Promise<GetRoleResult>

This data source can be used to fetch information about a specific IAM role. By using this data source, you can reference IAM role properties without having to hard code ARNs as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = pulumi.output(aws.iam.getRole({
    name: "an_example_role_name",
}, { async: true }));

Function getServerCertificate

getServerCertificate(args?: GetServerCertificateArgs, opts?: pulumi.InvokeOptions): Promise<GetServerCertificateResult>

Use this data source to look up information about IAM Server Certificates.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const my_domain = aws.iam.getServerCertificate({
    namePrefix: "my-domain.org",
    latest: true,
});
const elb = new aws.elb.LoadBalancer("elb", {listeners: [{
    instancePort: 8000,
    instanceProtocol: "https",
    lbPort: 443,
    lbProtocol: "https",
    sslCertificateId: my_domain.then(my_domain => my_domain.arn),
}]});

Function getUser

getUser(args: GetUserArgs, opts?: pulumi.InvokeOptions): Promise<GetUserResult>

This data source can be used to fetch information about a specific IAM user. By using this data source, you can reference IAM user properties without having to hard code ARNs or unique IDs as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = pulumi.output(aws.iam.getUser({
    userName: "an_example_user_name",
}, { async: true }));

Others

interface AccessKeyArgs

interface AccessKeyArgs

The set of arguments for constructing an AccessKey resource.

property pgpKey

pgpKey?: pulumi.Input<string>;

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encryptedSecret output attribute.

property status

status?: pulumi.Input<string>;

The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

property user

user: pulumi.Input<string>;

The IAM user to associate with this access key.

interface AccessKeyState

interface AccessKeyState

Input properties used for looking up and filtering AccessKey resources.

property encryptedSecret

encryptedSecret?: pulumi.Input<string>;

property keyFingerprint

keyFingerprint?: pulumi.Input<string>;

The fingerprint of the PGP key used to encrypt the secret

property pgpKey

pgpKey?: pulumi.Input<string>;

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encryptedSecret output attribute.

property secret

secret?: pulumi.Input<string>;

The secret access key. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgpKey instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

property sesSmtpPasswordV4

sesSmtpPasswordV4?: pulumi.Input<string>;

The secret access key converted into an SES SMTP password by applying AWS’s documented SigV4 conversion algorithm. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

property status

status?: pulumi.Input<string>;

The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

property user

user?: pulumi.Input<string>;

The IAM user to associate with this access key.

interface AccountAliasArgs

interface AccountAliasArgs

The set of arguments for constructing an AccountAlias resource.

property accountAlias

accountAlias: pulumi.Input<string>;

The account alias

interface AccountAliasState

interface AccountAliasState

Input properties used for looking up and filtering AccountAlias resources.

property accountAlias

accountAlias?: pulumi.Input<string>;

The account alias

interface AccountPasswordPolicyArgs

interface AccountPasswordPolicyArgs

The set of arguments for constructing an AccountPasswordPolicy resource.

property allowUsersToChangePassword

allowUsersToChangePassword?: pulumi.Input<boolean>;

Whether to allow users to change their own password

property hardExpiry

hardExpiry?: pulumi.Input<boolean>;

Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)

property maxPasswordAge

maxPasswordAge?: pulumi.Input<number>;

The number of days that a user password is valid.

property minimumPasswordLength

minimumPasswordLength?: pulumi.Input<number>;

Minimum length to require for user passwords.

property passwordReusePrevention

passwordReusePrevention?: pulumi.Input<number>;

The number of previous passwords that users are prevented from reusing.

property requireLowercaseCharacters

requireLowercaseCharacters?: pulumi.Input<boolean>;

Whether to require lowercase characters for user passwords.

property requireNumbers

requireNumbers?: pulumi.Input<boolean>;

Whether to require numbers for user passwords.

property requireSymbols

requireSymbols?: pulumi.Input<boolean>;

Whether to require symbols for user passwords.

property requireUppercaseCharacters

requireUppercaseCharacters?: pulumi.Input<boolean>;

Whether to require uppercase characters for user passwords.

interface AccountPasswordPolicyState

interface AccountPasswordPolicyState

Input properties used for looking up and filtering AccountPasswordPolicy resources.

property allowUsersToChangePassword

allowUsersToChangePassword?: pulumi.Input<boolean>;

Whether to allow users to change their own password

property expirePasswords

expirePasswords?: pulumi.Input<boolean>;

Indicates whether passwords in the account expire. Returns true if maxPasswordAge contains a value greater than 0. Returns false if it is 0 or not present.

property hardExpiry

hardExpiry?: pulumi.Input<boolean>;

Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)

property maxPasswordAge

maxPasswordAge?: pulumi.Input<number>;

The number of days that a user password is valid.

property minimumPasswordLength

minimumPasswordLength?: pulumi.Input<number>;

Minimum length to require for user passwords.

property passwordReusePrevention

passwordReusePrevention?: pulumi.Input<number>;

The number of previous passwords that users are prevented from reusing.

property requireLowercaseCharacters

requireLowercaseCharacters?: pulumi.Input<boolean>;

Whether to require lowercase characters for user passwords.

property requireNumbers

requireNumbers?: pulumi.Input<boolean>;

Whether to require numbers for user passwords.

property requireSymbols

requireSymbols?: pulumi.Input<boolean>;

Whether to require symbols for user passwords.

property requireUppercaseCharacters

requireUppercaseCharacters?: pulumi.Input<boolean>;

Whether to require uppercase characters for user passwords.

function assumeRolePolicyForPrincipal

assumeRolePolicyForPrincipal(principal: Principal): PolicyDocument

assumeRolePolicyForPrincipal returns a well-formed policy document which can be used to control which principals may assume an IAM Role, by granting the sts:AssumeRole action to those principals.

interface AWSPrincipal

interface AWSPrincipal

When you use an AWS account identifier as the principal in a policy, the permissions in the policy statement can be granted to all identities contained in that account. This includes IAM users and roles in that account. When you specify an AWS account, you can use the account ARN (arn:aws:iam::AWS-account-ID:root), or a shortened form that consists of the AWS: prefix followed by the account ID.

property AWS

AWS: Input<string> | Input<Input<string>[]>;

interface ConditionArguments

interface ConditionArguments

interface Conditions

interface Conditions

The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The Condition element is optional. In the Condition element, you build expressions in which you use condition operators (equal, less than, etc.) to match the condition in the policy against values in the request. Condition values can include date, time, the IP address of the requester, the ARN of the request source, the user name, user ID, and the user agent of the requester. Some services let you specify additional values in conditions; for example, Amazon S3 lets you write a condition using the s3:VersionId key, which is unique to that service.

interface FederatedPrincipal

interface FederatedPrincipal

property Federated

Federated: Input<string> | Input<Input<string>[]>;

interface GetAccountAliasResult

interface GetAccountAliasResult

A collection of values returned by getAccountAlias.

property accountAlias

accountAlias: string;

The alias associated with the AWS account.

property id

id: string;

The provider-assigned unique ID for this managed resource.

interface GetGroupArgs

interface GetGroupArgs

A collection of arguments for invoking getGroup.

property groupName

groupName: string;

The friendly IAM group name to match.

interface GetGroupResult

interface GetGroupResult

A collection of values returned by getGroup.

property arn

arn: string;

The Amazon Resource Name (ARN) specifying the IAM user.

property groupId

groupId: string;

The stable and unique string identifying the group.

property groupName

groupName: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property path

path: string;

The path to the IAM user.

property users

users: GetGroupUser[];

List of objects containing group member information. See supported fields below.

interface GetInstanceProfileArgs

interface GetInstanceProfileArgs

A collection of arguments for invoking getInstanceProfile.

property name

name: string;

The friendly IAM instance profile name to match.

interface GetInstanceProfileResult

interface GetInstanceProfileResult

A collection of values returned by getInstanceProfile.

property arn

arn: string;

The Amazon Resource Name (ARN) specifying the instance profile.

property createDate

createDate: string;

The string representation of the date the instance profile was created.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property name

name: string;

property path

path: string;

The path to the instance profile.

property roleArn

roleArn: string;

The role ARN associated with this instance profile.

property roleId

roleId: string;

The role ID associated with this instance profile.

property roleName

roleName: string;

The role name associated with this instance profile.

interface GetPolicyArgs

interface GetPolicyArgs

A collection of arguments for invoking getPolicy.

property arn

arn: string;

ARN of the IAM policy.

interface GetPolicyDocumentArgs

interface GetPolicyDocumentArgs

A collection of arguments for invoking getPolicyDocument.

property overrideJson

overrideJson?: undefined | string;

An IAM policy document to import and override the current policy document. Statements with non-blank sids in the override document will overwrite statements with the same sid in the current document. Statements without an sid cannot be overwritten.

property policyId

policyId?: undefined | string;

An ID for the policy document.

property sourceJson

sourceJson?: undefined | string;

An IAM policy document to import as a base for the current policy document. Statements with non-blank sids in the current policy document will overwrite statements with the same sid in the source json. Statements without an sid cannot be overwritten.

property statements

statements?: GetPolicyDocumentStatement[];

A nested configuration block (described below) configuring one statement to be included in the policy document.

property version

version?: undefined | string;

IAM policy document version. Valid values: 2008-10-17, 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.

interface GetPolicyDocumentResult

interface GetPolicyDocumentResult

A collection of values returned by getPolicyDocument.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property json

json: string;

The above arguments serialized as a standard JSON policy document.

property overrideJson

overrideJson?: undefined | string;

property policyId

policyId?: undefined | string;

property sourceJson

sourceJson?: undefined | string;

property statements

statements?: GetPolicyDocumentStatement[];

property version

version?: undefined | string;

interface GetPolicyResult

interface GetPolicyResult

A collection of values returned by getPolicy.

property arn

arn: string;

The Amazon Resource Name (ARN) specifying the policy.

property description

description: string;

The description of the policy.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property name

name: string;

The name of the IAM policy.

property path

path: string;

The path to the policy.

property policy

policy: string;

The policy document of the policy.

interface GetRoleArgs

interface GetRoleArgs

A collection of arguments for invoking getRole.

property name

name: string;

The friendly IAM role name to match.

property tags

tags?: undefined | {[key: string]: string};

The tags attached to the role.

interface GetRoleResult

interface GetRoleResult

A collection of values returned by getRole.

property arn

arn: string;

The Amazon Resource Name (ARN) specifying the role.

property assumeRolePolicy

assumeRolePolicy: string;

The policy document associated with the role.

property createDate

createDate: string;

Creation date of the role in RFC 3339 format.

property description

description: string;

Description for the role.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property maxSessionDuration

maxSessionDuration: number;

Maximum session duration.

property name

name: string;

property path

path: string;

The path to the role.

property permissionsBoundary

permissionsBoundary: string;

The ARN of the policy that is used to set the permissions boundary for the role.

property tags

tags: {[key: string]: string};

The tags attached to the role.

property uniqueId

uniqueId: string;

The stable and unique string identifying the role.

interface GetServerCertificateArgs

interface GetServerCertificateArgs

A collection of arguments for invoking getServerCertificate.

property latest

latest?: undefined | false | true;

Sort results by expiration date. Returns the certificate with the expiration date furthest in the future.

property name

name?: undefined | string;

Exact name of the certificate to look up.

property namePrefix

namePrefix?: undefined | string;

Prefix of the certificate name to filter by.

property pathPrefix

pathPrefix?: undefined | string;

Prefix of the path to filter by.

interface GetServerCertificateResult

interface GetServerCertificateResult

A collection of values returned by getServerCertificate.

property arn

arn: string;

property certificateBody

certificateBody: string;

property certificateChain

certificateChain: string;

property expirationDate

expirationDate: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property latest

latest?: undefined | false | true;

property name

name: string;

property namePrefix

namePrefix?: undefined | string;

property path

path: string;

property pathPrefix

pathPrefix?: undefined | string;

property uploadDate

uploadDate: string;

interface GetUserArgs

interface GetUserArgs

A collection of arguments for invoking getUser.

property userName

userName: string;

The friendly IAM user name to match.

interface GetUserResult

interface GetUserResult

A collection of values returned by getUser.

property arn

arn: string;

The Amazon Resource Name (ARN) assigned by AWS for this user.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property path

path: string;

Path in which this user was created.

property permissionsBoundary

permissionsBoundary: string;

The ARN of the policy that is used to set the permissions boundary for the user.

property userId

userId: string;

The unique ID assigned by AWS for this user.

property userName

userName: string;

The name associated with this user.

interface GroupArgs

interface GroupArgs

The set of arguments for constructing a Group resource.

property name

name?: pulumi.Input<string>;

The group’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. Group names are not distinguished by case. For example, you cannot create groups named both “ADMINS” and “admins”.

property path

path?: pulumi.Input<string>;

Path in which to create the group.

interface GroupMembershipArgs

interface GroupMembershipArgs

The set of arguments for constructing a GroupMembership resource.

property group

group: pulumi.Input<string>;

The IAM Group name to attach the list of users to

property name

name?: pulumi.Input<string>;

The name to identify the Group Membership

property users

users: pulumi.Input<pulumi.Input<string>[]>;

A list of IAM User names to associate with the Group

interface GroupMembershipState

interface GroupMembershipState

Input properties used for looking up and filtering GroupMembership resources.

property group

group?: pulumi.Input<string>;

The IAM Group name to attach the list of users to

property name

name?: pulumi.Input<string>;

The name to identify the Group Membership

property users

users?: pulumi.Input<pulumi.Input<string>[]>;

A list of IAM User names to associate with the Group

interface GroupPolicyArgs

interface GroupPolicyArgs

The set of arguments for constructing a GroupPolicy resource.

property group

group: pulumi.Input<string>;

The IAM group to attach to the policy.

property name

name?: pulumi.Input<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

interface GroupPolicyAttachmentArgs

interface GroupPolicyAttachmentArgs

The set of arguments for constructing a GroupPolicyAttachment resource.

property group

group: pulumi.Input<string | Group>;

The group the policy should be applied to

property policyArn

policyArn: pulumi.Input<ARN>;

The ARN of the policy you want to apply

interface GroupPolicyAttachmentState

interface GroupPolicyAttachmentState

Input properties used for looking up and filtering GroupPolicyAttachment resources.

property group

group?: pulumi.Input<string | Group>;

The group the policy should be applied to

property policyArn

policyArn?: pulumi.Input<ARN>;

The ARN of the policy you want to apply

interface GroupPolicyState

interface GroupPolicyState

Input properties used for looking up and filtering GroupPolicy resources.

property group

group?: pulumi.Input<string>;

The IAM group to attach to the policy.

property name

name?: pulumi.Input<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy?: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

interface GroupState

interface GroupState

Input properties used for looking up and filtering Group resources.

property arn

arn?: pulumi.Input<string>;

The ARN assigned by AWS for this group.

property name

name?: pulumi.Input<string>;

The group’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. Group names are not distinguished by case. For example, you cannot create groups named both “ADMINS” and “admins”.

property path

path?: pulumi.Input<string>;

Path in which to create the group.

property uniqueId

uniqueId?: pulumi.Input<string>;

The unique ID assigned by AWS.

interface InstanceProfileArgs

interface InstanceProfileArgs

The set of arguments for constructing an InstanceProfile resource.

property name

name?: pulumi.Input<string>;

The profile’s name. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

Path in which to create the profile.

property role

role?: pulumi.Input<string | Role>;

The role name to include in the profile.

interface InstanceProfileState

interface InstanceProfileState

Input properties used for looking up and filtering InstanceProfile resources.

property arn

arn?: pulumi.Input<string>;

The ARN assigned by AWS to the instance profile.

property createDate

createDate?: pulumi.Input<string>;

The creation timestamp of the instance profile.

property name

name?: pulumi.Input<string>;

The profile’s name. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

Path in which to create the profile.

property role

role?: pulumi.Input<string | Role>;

The role name to include in the profile.

property uniqueId

uniqueId?: pulumi.Input<string>;

The unique ID assigned by AWS.

interface OpenIdConnectProviderArgs

interface OpenIdConnectProviderArgs

The set of arguments for constructing an OpenIdConnectProvider resource.

property clientIdLists

clientIdLists: pulumi.Input<pulumi.Input<string>[]>;

A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the clientId parameter on OAuth requests.)

property thumbprintLists

thumbprintLists: pulumi.Input<pulumi.Input<string>[]>;

A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificate(s).

property url

url: pulumi.Input<string>;

The URL of the identity provider. Corresponds to the iss claim.

interface OpenIdConnectProviderState

interface OpenIdConnectProviderState

Input properties used for looking up and filtering OpenIdConnectProvider resources.

property arn

arn?: pulumi.Input<string>;

The ARN assigned by AWS for this provider.

property clientIdLists

clientIdLists?: pulumi.Input<pulumi.Input<string>[]>;

A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the clientId parameter on OAuth requests.)

property thumbprintLists

thumbprintLists?: pulumi.Input<pulumi.Input<string>[]>;

A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificate(s).

property url

url?: pulumi.Input<string>;

The URL of the identity provider. Corresponds to the iss claim.

interface PolicyArgs

interface PolicyArgs

The set of arguments for constructing a Policy resource.

property description

description?: pulumi.Input<string>;

Description of the IAM policy.

property name

name?: pulumi.Input<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

Path in which to create the policy. See IAM Identifiers for more information.

property policy

policy: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

interface PolicyAttachmentArgs

interface PolicyAttachmentArgs

The set of arguments for constructing a PolicyAttachment resource.

property groups

groups?: pulumi.Input<pulumi.Input<string | Group>[]>;

The group(s) the policy should be applied to

property name

name?: pulumi.Input<string>;

The name of the attachment. This cannot be an empty string.

property policyArn

policyArn: pulumi.Input<ARN>;

The ARN of the policy you want to apply

property roles

roles?: pulumi.Input<pulumi.Input<string | Role>[]>;

The role(s) the policy should be applied to

property users

users?: pulumi.Input<pulumi.Input<string | User>[]>;

The user(s) the policy should be applied to

interface PolicyAttachmentState

interface PolicyAttachmentState

Input properties used for looking up and filtering PolicyAttachment resources.

property groups

groups?: pulumi.Input<pulumi.Input<string | Group>[]>;

The group(s) the policy should be applied to

property name

name?: pulumi.Input<string>;

The name of the attachment. This cannot be an empty string.

property policyArn

policyArn?: pulumi.Input<ARN>;

The ARN of the policy you want to apply

property roles

roles?: pulumi.Input<pulumi.Input<string | Role>[]>;

The role(s) the policy should be applied to

property users

users?: pulumi.Input<pulumi.Input<string | User>[]>;

The user(s) the policy should be applied to

interface PolicyDocument

interface PolicyDocument

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied.

IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API. When you create an IAM user, you can set up the user to allow console or programmatic access. The IAM user can sign in to the console using a user name and password. Or they can use access keys to work with the CLI or API.

Most policies are stored in AWS as JSON documents. Identity-based policies, policies used to set boundaries, or AWS STS boundary policies are JSON policy documents that you attach to a user or role. Resource-based policies are JSON policy documents that you attach to a resource. SCPs are JSON policy documents with restricted syntax that you attach to an AWS Organizations organizational unit (OU). ACLs are also attached to a resource, but you must use a different syntax.

A JSON policy document includes these elements:

- Optional policywide information at the top of the document
- One or more individual statements

Each statement includes information about a single permission. If a policy includes multiple statements, AWS applies a logical OR across the statements when evaluating them. If multiple policies apply to a request, AWS applies a logical OR across all of those policies when evaluating them.

For more details about IAM policies, please refer to the AWS documentation online: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

property Id

Id?: Input<string>;

An optional document ID.

property Statement

Statement: Input<Input<PolicyStatement>[]>;

One or more policy statements, describing the effect, principal, action, resource, and condition.

property Version

Version: Input<"2008-10-17" | "2012-10-17">;

The version of the policy language that you want to use. As a best practice, use the latest 2012-10-17 version.

interface PolicyState

interface PolicyState

Input properties used for looking up and filtering Policy resources.

property arn

arn?: pulumi.Input<string>;

The ARN assigned by AWS to this policy.

property description

description?: pulumi.Input<string>;

Description of the IAM policy.

property name

name?: pulumi.Input<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

Path in which to create the policy. See IAM Identifiers for more information.

property policy

policy?: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

interface PolicyStatement

interface PolicyStatement

The Statement element is the main element for a policy. This element is required. It can include multiple elements (see the subsequent sections in this page). The Statement element contains an array of individual statements.

property Action

Action?: Input<string> | Input<Input<string>[]>;

Include a list of actions that the policy allows or denies. Required (either Action or NotAction). Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

property Condition

Condition?: Input<Conditions>;

Specify the circumstances under which the policy grants permission.

property Effect

Effect: Input<"Allow" | "Deny">;

Indicate whether the policy allows or denies access.

property NotAction

NotAction?: Input<string> | Input<Input<string>[]>;

Include a list of actions that are not covered by this policy. Required (either Action or NotAction). Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

property NotPrincipal

NotPrincipal?: Input<Principal>;

Indicate the account, user, role, or federated user to which this policy does not apply.

property NotResource

NotResource?: Input<string> | Input<Input<string>[]>;

A list of resources that are specifically excluded by this policy.

property Principal

Principal?: Input<Principal>;

Indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating a policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.

property Resource

Resource?: Input<string> | Input<Input<string>[]>;

A list of resources to which the actions apply.

property Sid

Sid?: Input<string>;

An optional statement ID to differentiate between your statements.

type Principal

type Principal = "*" | AWSPrincipal | ServicePrincipal | FederatedPrincipal;

Use the Principal element to specify the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource. You use the Principal element in the trust policies for IAM roles and in resource-based policies—that is, in policies that you embed directly in a resource. For example, you can embed such policies in an Amazon S3 bucket, an Amazon Glacier vault, an Amazon SNS topic, an Amazon SQS queue, or an AWS KMS customer master key (CMK).

Use the Principal element in these ways:

- In IAM roles, use the Principal element in the role's trust policy to specify who can assume the role. For
  cross-account access, you must specify the 12-digit identifier of the trusted account.

  Note: After you create the role, you can change the account to "*" to allow everyone to assume the role. If
  you do this, we strongly recommend that you limit who can access the role through other means, such as a
  Condition element that limits access to only certain IP addresses. Do not leave your role accessible to
  everyone!

- In resource-based policies, use the Principal element to specify the accounts or users who are allowed to
  access the resource.

Do not use the Principal element in policies that you attach to IAM users and groups. Similarly, you do not specify a principal in the permission policy for an IAM role. In those cases, the principal is implicitly the user that the policy is attached to (for IAM users) or the user who assumes the role (for role access policies). When the policy is attached to an IAM group, the principal is the IAM user in that group who is making the request.
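The Principal rules above (no unconditioned "*" in a role's trust policy, 12-digit account IDs for cross-account access, no Principal in policies attached to users or groups), written as a check that can run over policy documents before they are deployed. This is an added example, not part of the Pulumi SDK: the types are simplified local mirrors of the interfaces on this page, and auditPolicy, trustedAccounts, the rule names and the sample policies are constructed for illustration.

```typescript
// Added example: simplified local mirrors of the PolicyDocument, PolicyStatement
// and Principal shapes on this page (plain values instead of pulumi.Input<T>).
type OneOrMany = string | string[];
type Principal = "*" | { AWS: OneOrMany } | { Service: OneOrMany } | { Federated: OneOrMany };
interface PolicyStatement {
    Sid?: string;
    Effect: "Allow" | "Deny";
    Principal?: Principal;
    NotPrincipal?: Principal;
    Action?: OneOrMany;
    Resource?: OneOrMany;
    Condition?: { [operator: string]: { [key: string]: OneOrMany } };
}
interface PolicyDocument { Version: "2008-10-17" | "2012-10-17"; Statement: PolicyStatement[]; }
interface Finding { sid: string; rule: string; detail: string; }
interface TaggedId { kind: string; id: string; }

const ACCOUNT_ID = /^\d{12}$/;
const IAM_ARN = /^arn:[a-z-]+:(iam|sts)::(\d{12}):/;

function tag(kind: string, v: OneOrMany): TaggedId[] {
    return (typeof v === "string" ? [v] : v).map(id => ({ kind, id }));
}

// Flatten a Principal into (kind, identifier) pairs; a bare "*" means anyone.
function flatten(p: Principal): TaggedId[] {
    if (p === "*") { return tag("*", "*"); }
    if ("AWS" in p) { return tag("AWS", p.AWS); }
    if ("Service" in p) { return tag("Service", p.Service); }
    return tag("Federated", p.Federated);
}

// kind "trust": a role's assumeRolePolicy; kind "identity": a policy attached
// to a user, group or role. Only the presence of a Condition is checked, not
// how restrictive it is.
function auditPolicy(doc: PolicyDocument, kind: "trust" | "identity"): Finding[] {
    const findings: Finding[] = [];
    doc.Statement.forEach((s, i) => {
        const sid = s.Sid !== undefined ? s.Sid : "statement[" + i + "]";
        const add = (rule: string, detail: string) => { findings.push({ sid, rule, detail }); };
        if (kind === "identity") {
            if (s.Principal !== undefined || s.NotPrincipal !== undefined) {
                add("principal-in-identity-policy", "the principal is implied by the attachment");
            }
            return;
        }
        if (s.Principal === undefined) {
            if (s.NotPrincipal === undefined) { add("missing-principal", "no principal named"); }
            return;
        }
        const ids = flatten(s.Principal);
        const open = ids.some(p => p.id === "*" && (p.kind === "*" || p.kind === "AWS"));
        if (open && s.Effect === "Allow" && s.Condition === undefined) {
            add("open-trust", "Principal \"*\" with no Condition: everyone can assume the role");
        }
        ids.forEach(p => {
            if (p.kind === "AWS" && p.id !== "*" && !ACCOUNT_ID.test(p.id) && !IAM_ARN.test(p.id)) {
                add("bad-aws-principal", p.id + " is not a 12-digit account ID or an IAM/STS ARN");
            }
        });
    });
    return findings;
}

// Account IDs that Allow statements trust, for reviewing cross-account access.
function trustedAccounts(doc: PolicyDocument): string[] {
    const seen: { [id: string]: true } = {};
    doc.Statement.forEach(s => {
        if (s.Effect !== "Allow" || s.Principal === undefined) { return; }
        flatten(s.Principal).forEach(p => {
            const m = p.kind === "AWS" ? IAM_ARN.exec(p.id) : null;
            const acct = p.kind === "AWS" && ACCOUNT_ID.test(p.id) ? p.id : (m ? m[2] : undefined);
            if (acct) { seen[acct] = true; }
        });
    });
    return Object.keys(seen).sort();
}

// Constructed sample policies; the account IDs and the CIDR are placeholders.
const policyOf = (stmt: PolicyStatement): PolicyDocument => ({ Version: "2012-10-17", Statement: [stmt] });
const openTrust = policyOf({ Sid: "AnyoneCanAssume", Effect: "Allow", Principal: { AWS: "*" }, Action: "sts:AssumeRole" });
const guardedTrust = policyOf({ Sid: "OfficeOnly", Effect: "Allow", Principal: { AWS: "*" }, Action: "sts:AssumeRole",
    Condition: { IpAddress: { "aws:SourceIp": "203.0.113.0/24" } } });
const crossAccount = policyOf({ Effect: "Allow", Action: "sts:AssumeRole",
    Principal: { AWS: ["111122223333", "arn:aws:iam::444455556666:root", "1234"] } });
const userPolicy = policyOf({ Sid: "ReadSelf", Effect: "Allow", Principal: "*", Action: "iam:GetUser", Resource: "*" });

console.log(JSON.stringify(auditPolicy(openTrust, "trust")));
```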

interface RoleArgs

interface RoleArgs

The set of arguments for constructing a Role resource.

property assumeRolePolicy

assumeRolePolicy: pulumi.Input<string | PolicyDocument>;

The policy that grants an entity permission to assume the role.

property description

description?: pulumi.Input<string>;

The description of the role.

property forceDetachPolicies

forceDetachPolicies?: pulumi.Input<boolean>;

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

property maxSessionDuration

maxSessionDuration?: pulumi.Input<number>;

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

property name

name?: pulumi.Input<string>;

The name of the role. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

The path to the role. See IAM Identifiers for more information.

property permissionsBoundary

permissionsBoundary?: pulumi.Input<string>;

The ARN of the policy that is used to set the permissions boundary for the role.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

Key-value map of tags for the IAM role

interface RolePolicyArgs

interface RolePolicyArgs

The set of arguments for constructing a RolePolicy resource.

property name

name?: pulumi.Input<string>;

The name of the role policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

property role

role: pulumi.Input<string | Role>;

The IAM role to attach the policy to.

interface RolePolicyAttachmentArgs

interface RolePolicyAttachmentArgs

The set of arguments for constructing a RolePolicyAttachment resource.

property policyArn

policyArn: pulumi.Input<ARN>;

The ARN of the policy you want to apply

property role

role: pulumi.Input<string | Role>;

The role the policy should be applied to

interface RolePolicyAttachmentState

interface RolePolicyAttachmentState

Input properties used for looking up and filtering RolePolicyAttachment resources.

property policyArn

policyArn?: pulumi.Input<ARN>;

The ARN of the policy you want to apply

property role

role?: pulumi.Input<string | Role>;

The role the policy should be applied to

interface RolePolicyState

interface RolePolicyState

Input properties used for looking up and filtering RolePolicy resources.

property name

name?: pulumi.Input<string>;

The name of the role policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy?: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

property role

role?: pulumi.Input<string | Role>;

The IAM role to attach the policy to.

interface RoleState

interface RoleState

Input properties used for looking up and filtering Role resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) specifying the role.

property assumeRolePolicy

assumeRolePolicy?: pulumi.Input<string | PolicyDocument>;

The policy that grants an entity permission to assume the role.

property createDate

createDate?: pulumi.Input<string>;

The creation date of the IAM role.

property description

description?: pulumi.Input<string>;

The description of the role.

property forceDetachPolicies

forceDetachPolicies?: pulumi.Input<boolean>;

Specifies to force detaching any policies the role has before destroying it. Defaults to false.

property maxSessionDuration

maxSessionDuration?: pulumi.Input<number>;

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

property name

name?: pulumi.Input<string>;

The name of the role. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

The path to the role. See IAM Identifiers for more information.

property permissionsBoundary

permissionsBoundary?: pulumi.Input<string>;

The ARN of the policy that is used to set the permissions boundary for the role.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

Key-value map of tags for the IAM role

property uniqueId

uniqueId?: pulumi.Input<string>;

The stable and unique string identifying the role.

interface SamlProviderArgs

interface SamlProviderArgs

The set of arguments for constructing a SamlProvider resource.

property name

name?: pulumi.Input<string>;

The name of the provider to create.

property samlMetadataDocument

samlMetadataDocument: pulumi.Input<string>;

An XML document generated by an identity provider that supports SAML 2.0.

interface SamlProviderState

interface SamlProviderState

Input properties used for looking up and filtering SamlProvider resources.

property arn

arn?: pulumi.Input<string>;

The ARN assigned by AWS for this provider.

property name

name?: pulumi.Input<string>;

The name of the provider to create.

property samlMetadataDocument

samlMetadataDocument?: pulumi.Input<string>;

An XML document generated by an identity provider that supports SAML 2.0.

property validUntil

validUntil?: pulumi.Input<string>;

The expiration date and time for the SAML provider in RFC1123 format, e.g. Mon, 02 Jan 2006 15:04:05 MST.

interface ServerCertificateArgs

interface ServerCertificateArgs

The set of arguments for constructing a ServerCertificate resource.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) specifying the server certificate.

property certificateBody

certificateBody: pulumi.Input<string>;

The contents of the public key certificate in PEM-encoded format.

property certificateChain

certificateChain?: pulumi.Input<string>;

The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.

property name

name?: pulumi.Input<string>;

The name of the Server Certificate. Do not include the path in this value. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

The IAM path for the server certificate. If it is not included, it defaults to a slash (/). If this certificate is for use with AWS CloudFront, the path must be in format /cloudfront/your_path_here. See IAM Identifiers for more details on IAM Paths.

property privateKey

privateKey: pulumi.Input<string>;

The contents of the private key in PEM-encoded format.

interface ServerCertificateState

interface ServerCertificateState

Input properties used for looking up and filtering ServerCertificate resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) specifying the server certificate.

property certificateBody

certificateBody?: pulumi.Input<string>;

The contents of the public key certificate in PEM-encoded format.

property certificateChain

certificateChain?: pulumi.Input<string>;

The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.

property name

name?: pulumi.Input<string>;

The name of the Server Certificate. Do not include the path in this value. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property path

path?: pulumi.Input<string>;

The IAM path for the server certificate. If it is not included, it defaults to a slash (/). If this certificate is for use with AWS CloudFront, the path must be in format /cloudfront/your_path_here. See IAM Identifiers for more details on IAM Paths.

property privateKey

privateKey?: pulumi.Input<string>;

The contents of the private key in PEM-encoded format.

interface ServiceLinkedRoleArgs

interface ServiceLinkedRoleArgs

The set of arguments for constructing a ServiceLinkedRole resource.

property awsServiceName

awsServiceName: pulumi.Input<string>;

The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.

property customSuffix

customSuffix?: pulumi.Input<string>;

Additional string appended to the role name. Not all AWS services support custom suffixes.

property description

description?: pulumi.Input<string>;

The description of the role.

interface ServiceLinkedRoleState

interface ServiceLinkedRoleState

Input properties used for looking up and filtering ServiceLinkedRole resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) specifying the role.

property awsServiceName

awsServiceName?: pulumi.Input<string>;

The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.

property createDate

createDate?: pulumi.Input<string>;

The creation date of the IAM role.

property customSuffix

customSuffix?: pulumi.Input<string>;

Additional string appended to the role name. Not all AWS services support custom suffixes.

property description

description?: pulumi.Input<string>;

The description of the role.

property name

name?: pulumi.Input<string>;

The name of the role.

property path

path?: pulumi.Input<string>;

The path of the role.

property uniqueId

uniqueId?: pulumi.Input<string>;

The stable and unique string identifying the role.

interface ServicePrincipal

interface ServicePrincipal

IAM roles that can be assumed by an AWS service are called service roles. Service roles must include a trust policy. Trust policies are resource-based policies that are attached to a role and define which principals can assume the role. Some service roles have predefined trust policies. However, in some cases, you must specify the service principal in the trust policy. A service principal is an identifier that is used to grant permissions to a service. The identifier includes the long version of a service name, e.g. long_service_name.amazonaws.com. The service principal is defined by the service. To learn the service principal for a service, see the documentation for that service.

property Service

Service: Input<string> | Input<Input<string>[]>;

interface SshKeyArgs

interface SshKeyArgs

The set of arguments for constructing an SshKey resource.

property encoding

encoding: pulumi.Input<string>;

Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.

property publicKey

publicKey: pulumi.Input<string>;

The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.

property status

status?: pulumi.Input<string>;

The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.

property username

username: pulumi.Input<string>;

The name of the IAM user to associate the SSH public key with.

interface SshKeyState

interface SshKeyState

Input properties used for looking up and filtering SshKey resources.

property encoding

encoding?: pulumi.Input<string>;

Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.

property fingerprint

fingerprint?: pulumi.Input<string>;

The MD5 message digest of the SSH public key.

property publicKey

publicKey?: pulumi.Input<string>;

The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.

property sshPublicKeyId

sshPublicKeyId?: pulumi.Input<string>;

The unique identifier for the SSH public key.

property status

status?: pulumi.Input<string>;

The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.

property username

username?: pulumi.Input<string>;

The name of the IAM user to associate the SSH public key with.

interface UserArgs

interface UserArgs

The set of arguments for constructing a User resource.

property forceDestroy

forceDestroy?: pulumi.Input<boolean>;

When destroying this user, destroy even if it has non-provider-managed IAM access keys, login profile or MFA devices. Without forceDestroy a user with non-provider-managed access keys and login profile will fail to be destroyed.

property name

name?: pulumi.Input<string>;

The user’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. User names are not distinguished by case. For example, you cannot create users named both “TESTUSER” and “testuser”.

property path

path?: pulumi.Input<string>;

Path in which to create the user.

property permissionsBoundary

permissionsBoundary?: pulumi.Input<string>;

The ARN of the policy that is used to set the permissions boundary for the user.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

Key-value mapping of tags for the IAM user

interface UserGroupMembershipArgs

interface UserGroupMembershipArgs

The set of arguments for constructing a UserGroupMembership resource.

property groups

groups: pulumi.Input<pulumi.Input<string>[]>;

A list of IAM Groups to add the user to

property user

user: pulumi.Input<string>;

The name of the IAM User to add to groups

interface UserGroupMembershipState

interface UserGroupMembershipState

Input properties used for looking up and filtering UserGroupMembership resources.

property groups

groups?: pulumi.Input<pulumi.Input<string>[]>;

A list of IAM Groups to add the user to

property user

user?: pulumi.Input<string>;

The name of the IAM User to add to groups

interface UserLoginProfileArgs

interface UserLoginProfileArgs

The set of arguments for constructing a UserLoginProfile resource.

property passwordLength

passwordLength?: pulumi.Input<number>;

The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.

property passwordResetRequired

passwordResetRequired?: pulumi.Input<boolean>;

Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.

property pgpKey

pgpKey: pulumi.Input<string>;

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.

property user

user: pulumi.Input<string>;

The IAM user’s name.

interface UserLoginProfileState

interface UserLoginProfileState

Input properties used for looking up and filtering UserLoginProfile resources.

property encryptedPassword

encryptedPassword?: pulumi.Input<string>;

The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.

property keyFingerprint

keyFingerprint?: pulumi.Input<string>;

The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.

property passwordLength

passwordLength?: pulumi.Input<number>;

The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.

property passwordResetRequired

passwordResetRequired?: pulumi.Input<boolean>;

Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.

property pgpKey

pgpKey?: pulumi.Input<string>;

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.

property user

user?: pulumi.Input<string>;

The IAM user’s name.

interface UserPolicyArgs

interface UserPolicyArgs

The set of arguments for constructing a UserPolicy resource.

property name

name?: pulumi.Input<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

property user

user: pulumi.Input<string>;

IAM user to which to attach this policy.

interface UserPolicyAttachmentArgs

interface UserPolicyAttachmentArgs

The set of arguments for constructing a UserPolicyAttachment resource.

property policyArn

policyArn: pulumi.Input<ARN>;

The ARN of the policy you want to apply

property user

user: pulumi.Input<string | User>;

The user the policy should be applied to

interface UserPolicyAttachmentState

interface UserPolicyAttachmentState

Input properties used for looking up and filtering UserPolicyAttachment resources.

property policyArn

policyArn?: pulumi.Input<ARN>;

The ARN of the policy you want to apply

property user

user?: pulumi.Input<string | User>;

The user the policy should be applied to

interface UserPolicyState

interface UserPolicyState

Input properties used for looking up and filtering UserPolicy resources.

property name

name?: pulumi.Input<string>;

The name of the policy. If omitted, this provider will assign a random, unique name.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy?: pulumi.Input<string | PolicyDocument>;

The policy document. This is a JSON formatted string.

property user

user?: pulumi.Input<string>;

IAM user to which to attach this policy.

interface UserState

interface UserState

Input properties used for looking up and filtering User resources.

property arn

arn?: pulumi.Input<string>;

The ARN assigned by AWS for this user.

property forceDestroy

forceDestroy?: pulumi.Input<boolean>;

When destroying this user, destroy even if it has non-provider-managed IAM access keys, login profile or MFA devices. Without forceDestroy a user with non-provider-managed access keys and login profile will fail to be destroyed.

property name

name?: pulumi.Input<string>;

The user’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. User names are not distinguished by case. For example, you cannot create users named both “TESTUSER” and “testuser”.

property path

path?: pulumi.Input<string>;

Path in which to create the user.

property permissionsBoundary

permissionsBoundary?: pulumi.Input<string>;

The ARN of the policy that is used to set the permissions boundary for the user.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

Key-value mapping of tags for the IAM user

property uniqueId

uniqueId?: pulumi.Input<string>;

The unique ID assigned by AWS.