getRole

athenz 1.0.49, Oct 6 25

Viewing docs for athenz 1.0.49
published on Monday, Oct 6, 2025 by athenz

Schema (JSON)

athenz/terraform-provider-athenz

Viewing docs for athenz 1.0.49
published on Monday, Oct 6, 2025 by athenz

Schema (JSON)

athenz/terraform-provider-athenz

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as athenz from "@pulumi/athenz";

const config = new pulumi.Config();
const roleName = config.require("roleName");
const selected = athenz.getRole({
    name: roleName,
    domain: "some_domain",
});

import pulumi
import pulumi_athenz as athenz

config = pulumi.Config()
role_name = config.require("roleName")
selected = athenz.get_role(name=role_name,
    domain="some_domain")

package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/athenz/athenz"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		roleName := cfg.Require("roleName")
		_, err := athenz.LookupRole(ctx, &athenz.LookupRoleArgs{
			Name:   roleName,
			Domain: "some_domain",
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Athenz = Pulumi.Athenz;

return await Deployment.RunAsync(() => 
{
    var config = new Config();
    var roleName = config.Require("roleName");
    var selected = Athenz.GetRole.Invoke(new()
    {
        Name = roleName,
        Domain = "some_domain",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.athenz.AthenzFunctions;
import com.pulumi.athenz.inputs.GetRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var config = ctx.config();
        final var roleName = config.get("roleName");
        final var selected = AthenzFunctions.getRole(GetRoleArgs.builder()
            .name(roleName)
            .domain("some_domain")
            .build());

    }
}

configuration:
  roleName:
    type: string
variables:
  selected:
    fn::invoke:
      function: athenz:getRole
      arguments:
        name: ${roleName}
        domain: some_domain

Using getRole

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getRole(args: GetRoleArgs, opts?: InvokeOptions): Promise<GetRoleResult>
function getRoleOutput(args: GetRoleOutputArgs, opts?: InvokeOptions): Output<GetRoleResult>

def get_role(audit_enabled: Optional[bool] = None,
             delete_protection: Optional[bool] = None,
             description: Optional[str] = None,
             domain: Optional[str] = None,
             id: Optional[str] = None,
             last_reviewed_date: Optional[str] = None,
             members: Optional[Sequence[GetRoleMember]] = None,
             name: Optional[str] = None,
             notify_details: Optional[str] = None,
             notify_roles: Optional[str] = None,
             principal_domain_filter: Optional[str] = None,
             review_enabled: Optional[bool] = None,
             self_renew: Optional[bool] = None,
             self_renew_mins: Optional[float] = None,
             self_serve: Optional[bool] = None,
             settings: Optional[GetRoleSettings] = None,
             sign_algorithm: Optional[str] = None,
             tags: Optional[Mapping[str, str]] = None,
             trust: Optional[str] = None,
             user_authority_expiration: Optional[str] = None,
             user_authority_filter: Optional[str] = None,
             opts: Optional[InvokeOptions] = None) -> GetRoleResult
def get_role_output(audit_enabled: Optional[pulumi.Input[bool]] = None,
             delete_protection: Optional[pulumi.Input[bool]] = None,
             description: Optional[pulumi.Input[str]] = None,
             domain: Optional[pulumi.Input[str]] = None,
             id: Optional[pulumi.Input[str]] = None,
             last_reviewed_date: Optional[pulumi.Input[str]] = None,
             members: Optional[pulumi.Input[Sequence[pulumi.Input[GetRoleMemberArgs]]]] = None,
             name: Optional[pulumi.Input[str]] = None,
             notify_details: Optional[pulumi.Input[str]] = None,
             notify_roles: Optional[pulumi.Input[str]] = None,
             principal_domain_filter: Optional[pulumi.Input[str]] = None,
             review_enabled: Optional[pulumi.Input[bool]] = None,
             self_renew: Optional[pulumi.Input[bool]] = None,
             self_renew_mins: Optional[pulumi.Input[float]] = None,
             self_serve: Optional[pulumi.Input[bool]] = None,
             settings: Optional[pulumi.Input[GetRoleSettingsArgs]] = None,
             sign_algorithm: Optional[pulumi.Input[str]] = None,
             tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             trust: Optional[pulumi.Input[str]] = None,
             user_authority_expiration: Optional[pulumi.Input[str]] = None,
             user_authority_filter: Optional[pulumi.Input[str]] = None,
             opts: Optional[InvokeOptions] = None) -> Output[GetRoleResult]

func LookupRole(ctx *Context, args *LookupRoleArgs, opts ...InvokeOption) (*LookupRoleResult, error)
func LookupRoleOutput(ctx *Context, args *LookupRoleOutputArgs, opts ...InvokeOption) LookupRoleResultOutput

> Note: This function is named LookupRole in the Go SDK.

public static class GetRole 
{
    public static Task<GetRoleResult> InvokeAsync(GetRoleArgs args, InvokeOptions? opts = null)
    public static Output<GetRoleResult> Invoke(GetRoleInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetRoleResult> getRole(GetRoleArgs args, InvokeOptions options)
public static Output<GetRoleResult> getRole(GetRoleArgs args, InvokeOptions options)

fn::invoke:
  function: athenz:index/getRole:getRole
  arguments:
    # arguments dictionary

The following arguments are supported:

Domain string

The Athenz domain name.

Name string

The name of the specific Athenz role.

AuditEnabled bool

audit enabled flag for the role

DeleteProtection bool

If true, ask for delete confirmation in audit and review enabled roles

Description string

description for the role

Id string

The ID of this resource.

LastReviewedDate string

Last reviewed date for the role

Members List<GetRoleMember>

Athenz principal to be added as members

NotifyDetails string

Set of instructions included in notifications for review and audit enabled roles

NotifyRoles string

comma seperated list of roles whose members should be notified for member review/approval

PrincipalDomainFilter string

comma seperated list of domains to enforce principal membership

ReviewEnabled bool

Flag indicates whether role updates require another review and approval

SelfRenew bool

Flag indicates whether to allow expired members to renew their membership

SelfRenewMins double

Number of minutes members can renew their membership if self review option is enabled

SelfServe bool

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

Settings GetRoleSettings

Advanced settings

SignAlgorithm string

sign algorithm to be used for tokens issued for this role: rsa or ec

Tags Dictionary<string, string>

map of role tags

Trust string

The domain, which this role is trusted to

UserAuthorityExpiration string

expiration enforced by a user authority configured attribute

UserAuthorityFilter string

membership filtered based on user authority configured attributes

Domain string

The Athenz domain name.

Name string

The name of the specific Athenz role.

AuditEnabled bool

audit enabled flag for the role

DeleteProtection bool

If true, ask for delete confirmation in audit and review enabled roles

Description string

description for the role

Id string

The ID of this resource.

LastReviewedDate string

Last reviewed date for the role

Members []GetRoleMember

Athenz principal to be added as members

NotifyDetails string

Set of instructions included in notifications for review and audit enabled roles

NotifyRoles string

comma seperated list of roles whose members should be notified for member review/approval

PrincipalDomainFilter string

comma seperated list of domains to enforce principal membership

ReviewEnabled bool

Flag indicates whether role updates require another review and approval

SelfRenew bool

Flag indicates whether to allow expired members to renew their membership

SelfRenewMins float64

Number of minutes members can renew their membership if self review option is enabled

SelfServe bool

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

Settings GetRoleSettings

Advanced settings

SignAlgorithm string

sign algorithm to be used for tokens issued for this role: rsa or ec

Tags map[string]string

map of role tags

Trust string

The domain, which this role is trusted to

UserAuthorityExpiration string

expiration enforced by a user authority configured attribute

UserAuthorityFilter string

membership filtered based on user authority configured attributes

domain String

The Athenz domain name.

name String

The name of the specific Athenz role.

auditEnabled Boolean

audit enabled flag for the role

deleteProtection Boolean

If true, ask for delete confirmation in audit and review enabled roles

description String

description for the role

id String

The ID of this resource.

lastReviewedDate String

Last reviewed date for the role

members List<GetRoleMember>

Athenz principal to be added as members

notifyDetails String

Set of instructions included in notifications for review and audit enabled roles

notifyRoles String

comma seperated list of roles whose members should be notified for member review/approval

principalDomainFilter String

comma seperated list of domains to enforce principal membership

reviewEnabled Boolean

Flag indicates whether role updates require another review and approval

selfRenew Boolean

Flag indicates whether to allow expired members to renew their membership

selfRenewMins Double

Number of minutes members can renew their membership if self review option is enabled

selfServe Boolean

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings GetRoleSettings

Advanced settings

signAlgorithm String

sign algorithm to be used for tokens issued for this role: rsa or ec

tags Map<String,String>

map of role tags

trust String

The domain, which this role is trusted to

userAuthorityExpiration String

expiration enforced by a user authority configured attribute

userAuthorityFilter String

membership filtered based on user authority configured attributes

domain string

The Athenz domain name.

name string

The name of the specific Athenz role.

auditEnabled boolean

audit enabled flag for the role

deleteProtection boolean

If true, ask for delete confirmation in audit and review enabled roles

description string

description for the role

id string

The ID of this resource.

lastReviewedDate string

Last reviewed date for the role

members GetRoleMember[]

Athenz principal to be added as members

notifyDetails string

Set of instructions included in notifications for review and audit enabled roles

notifyRoles string

comma seperated list of roles whose members should be notified for member review/approval

principalDomainFilter string

comma seperated list of domains to enforce principal membership

reviewEnabled boolean

Flag indicates whether role updates require another review and approval

selfRenew boolean

Flag indicates whether to allow expired members to renew their membership

selfRenewMins number

Number of minutes members can renew their membership if self review option is enabled

selfServe boolean

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings GetRoleSettings

Advanced settings

signAlgorithm string

sign algorithm to be used for tokens issued for this role: rsa or ec

tags {[key: string]: string}

map of role tags

trust string

The domain, which this role is trusted to

userAuthorityExpiration string

expiration enforced by a user authority configured attribute

userAuthorityFilter string

membership filtered based on user authority configured attributes

domain str

The Athenz domain name.

name str

The name of the specific Athenz role.

audit_enabled bool

audit enabled flag for the role

delete_protection bool

If true, ask for delete confirmation in audit and review enabled roles

description str

description for the role

id str

The ID of this resource.

last_reviewed_date str

Last reviewed date for the role

members Sequence[GetRoleMember]

Athenz principal to be added as members

notify_details str

Set of instructions included in notifications for review and audit enabled roles

notify_roles str

comma seperated list of roles whose members should be notified for member review/approval

principal_domain_filter str

comma seperated list of domains to enforce principal membership

review_enabled bool

Flag indicates whether role updates require another review and approval

self_renew bool

Flag indicates whether to allow expired members to renew their membership

self_renew_mins float

Number of minutes members can renew their membership if self review option is enabled

self_serve bool

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings GetRoleSettings

Advanced settings

sign_algorithm str

sign algorithm to be used for tokens issued for this role: rsa or ec

tags Mapping[str, str]

map of role tags

trust str

The domain, which this role is trusted to

user_authority_expiration str

expiration enforced by a user authority configured attribute

user_authority_filter str

membership filtered based on user authority configured attributes

domain String

The Athenz domain name.

name String

The name of the specific Athenz role.

auditEnabled Boolean

audit enabled flag for the role

deleteProtection Boolean

If true, ask for delete confirmation in audit and review enabled roles

description String

description for the role

id String

The ID of this resource.

lastReviewedDate String

Last reviewed date for the role

members List<Property Map>

Athenz principal to be added as members

notifyDetails String

Set of instructions included in notifications for review and audit enabled roles

notifyRoles String

comma seperated list of roles whose members should be notified for member review/approval

principalDomainFilter String

comma seperated list of domains to enforce principal membership

reviewEnabled Boolean

Flag indicates whether role updates require another review and approval

selfRenew Boolean

Flag indicates whether to allow expired members to renew their membership

selfRenewMins Number

Number of minutes members can renew their membership if self review option is enabled

selfServe Boolean

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings Property Map

Advanced settings

signAlgorithm String

sign algorithm to be used for tokens issued for this role: rsa or ec

tags Map<String>

map of role tags

trust String

The domain, which this role is trusted to

userAuthorityExpiration String

expiration enforced by a user authority configured attribute

userAuthorityFilter String

membership filtered based on user authority configured attributes

getRole Result

The following output properties are available:

Domain string

The Athenz domain name.

Id string

The ID of this resource.

Name string

The name of the specific Athenz role.

AuditEnabled bool

audit enabled flag for the role

DeleteProtection bool

If true, ask for delete confirmation in audit and review enabled roles

Description string

description for the role

LastReviewedDate string

Last reviewed date for the role

Members List<GetRoleMember>

Athenz principal to be added as members

NotifyDetails string

Set of instructions included in notifications for review and audit enabled roles

NotifyRoles string

comma seperated list of roles whose members should be notified for member review/approval

PrincipalDomainFilter string

comma seperated list of domains to enforce principal membership

ReviewEnabled bool

Flag indicates whether role updates require another review and approval

SelfRenew bool

Flag indicates whether to allow expired members to renew their membership

SelfRenewMins double

Number of minutes members can renew their membership if self review option is enabled

SelfServe bool

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

Settings GetRoleSettings

Advanced settings

SignAlgorithm string

sign algorithm to be used for tokens issued for this role: rsa or ec

Tags Dictionary<string, string>

map of role tags

Trust string

The domain, which this role is trusted to

UserAuthorityExpiration string

expiration enforced by a user authority configured attribute

UserAuthorityFilter string

membership filtered based on user authority configured attributes

Domain string

The Athenz domain name.

Id string

The ID of this resource.

Name string

The name of the specific Athenz role.

AuditEnabled bool

audit enabled flag for the role

DeleteProtection bool

If true, ask for delete confirmation in audit and review enabled roles

Description string

description for the role

LastReviewedDate string

Last reviewed date for the role

Members []GetRoleMember

Athenz principal to be added as members

NotifyDetails string

Set of instructions included in notifications for review and audit enabled roles

NotifyRoles string

comma seperated list of roles whose members should be notified for member review/approval

PrincipalDomainFilter string

comma seperated list of domains to enforce principal membership

ReviewEnabled bool

Flag indicates whether role updates require another review and approval

SelfRenew bool

Flag indicates whether to allow expired members to renew their membership

SelfRenewMins float64

Number of minutes members can renew their membership if self review option is enabled

SelfServe bool

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

Settings GetRoleSettings

Advanced settings

SignAlgorithm string

sign algorithm to be used for tokens issued for this role: rsa or ec

Tags map[string]string

map of role tags

Trust string

The domain, which this role is trusted to

UserAuthorityExpiration string

expiration enforced by a user authority configured attribute

UserAuthorityFilter string

membership filtered based on user authority configured attributes

domain String

The Athenz domain name.

id String

The ID of this resource.

name String

The name of the specific Athenz role.

auditEnabled Boolean

audit enabled flag for the role

deleteProtection Boolean

If true, ask for delete confirmation in audit and review enabled roles

description String

description for the role

lastReviewedDate String

Last reviewed date for the role

members List<GetRoleMember>

Athenz principal to be added as members

notifyDetails String

Set of instructions included in notifications for review and audit enabled roles

notifyRoles String

comma seperated list of roles whose members should be notified for member review/approval

principalDomainFilter String

comma seperated list of domains to enforce principal membership

reviewEnabled Boolean

Flag indicates whether role updates require another review and approval

selfRenew Boolean

Flag indicates whether to allow expired members to renew their membership

selfRenewMins Double

Number of minutes members can renew their membership if self review option is enabled

selfServe Boolean

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings GetRoleSettings

Advanced settings

signAlgorithm String

sign algorithm to be used for tokens issued for this role: rsa or ec

tags Map<String,String>

map of role tags

trust String

The domain, which this role is trusted to

userAuthorityExpiration String

expiration enforced by a user authority configured attribute

userAuthorityFilter String

membership filtered based on user authority configured attributes

domain string

The Athenz domain name.

id string

The ID of this resource.

name string

The name of the specific Athenz role.

auditEnabled boolean

audit enabled flag for the role

deleteProtection boolean

If true, ask for delete confirmation in audit and review enabled roles

description string

description for the role

lastReviewedDate string

Last reviewed date for the role

members GetRoleMember[]

Athenz principal to be added as members

notifyDetails string

Set of instructions included in notifications for review and audit enabled roles

notifyRoles string

comma seperated list of roles whose members should be notified for member review/approval

principalDomainFilter string

comma seperated list of domains to enforce principal membership

reviewEnabled boolean

Flag indicates whether role updates require another review and approval

selfRenew boolean

Flag indicates whether to allow expired members to renew their membership

selfRenewMins number

Number of minutes members can renew their membership if self review option is enabled

selfServe boolean

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings GetRoleSettings

Advanced settings

signAlgorithm string

sign algorithm to be used for tokens issued for this role: rsa or ec

tags {[key: string]: string}

map of role tags

trust string

The domain, which this role is trusted to

userAuthorityExpiration string

expiration enforced by a user authority configured attribute

userAuthorityFilter string

membership filtered based on user authority configured attributes

domain str

The Athenz domain name.

id str

The ID of this resource.

name str

The name of the specific Athenz role.

audit_enabled bool

audit enabled flag for the role

delete_protection bool

If true, ask for delete confirmation in audit and review enabled roles

description str

description for the role

last_reviewed_date str

Last reviewed date for the role

members Sequence[GetRoleMember]

Athenz principal to be added as members

notify_details str

Set of instructions included in notifications for review and audit enabled roles

notify_roles str

comma seperated list of roles whose members should be notified for member review/approval

principal_domain_filter str

comma seperated list of domains to enforce principal membership

review_enabled bool

Flag indicates whether role updates require another review and approval

self_renew bool

Flag indicates whether to allow expired members to renew their membership

self_renew_mins float

Number of minutes members can renew their membership if self review option is enabled

self_serve bool

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings GetRoleSettings

Advanced settings

sign_algorithm str

sign algorithm to be used for tokens issued for this role: rsa or ec

tags Mapping[str, str]

map of role tags

trust str

The domain, which this role is trusted to

user_authority_expiration str

expiration enforced by a user authority configured attribute

user_authority_filter str

membership filtered based on user authority configured attributes

domain String

The Athenz domain name.

id String

The ID of this resource.

name String

The name of the specific Athenz role.

auditEnabled Boolean

audit enabled flag for the role

deleteProtection Boolean

If true, ask for delete confirmation in audit and review enabled roles

description String

description for the role

lastReviewedDate String

Last reviewed date for the role

members List<Property Map>

Athenz principal to be added as members

notifyDetails String

Set of instructions included in notifications for review and audit enabled roles

notifyRoles String

comma seperated list of roles whose members should be notified for member review/approval

principalDomainFilter String

comma seperated list of domains to enforce principal membership

reviewEnabled Boolean

Flag indicates whether role updates require another review and approval

selfRenew Boolean

Flag indicates whether to allow expired members to renew their membership

selfRenewMins Number

Number of minutes members can renew their membership if self review option is enabled

selfServe Boolean

Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.

settings Property Map

Advanced settings

signAlgorithm String

sign algorithm to be used for tokens issued for this role: rsa or ec

tags Map<String>

map of role tags

trust String

The domain, which this role is trusted to

userAuthorityExpiration String

expiration enforced by a user authority configured attribute

userAuthorityFilter String

membership filtered based on user authority configured attributes

Supporting Types

GetRoleMember

Name string
Expiration string
Review string

Name string
Expiration string
Review string

name String
expiration String
review String

name string
expiration string
review string

name str
expiration str
review str

name String
expiration String
review String

GetRoleSettings

CertExpiryMins double: certs issued for this role will have specified max timeout in mins
GroupExpiryDays double: all group members in the role will have specified max expiry days
GroupReviewDays double: all group members in the role will have specified max review reminder days
MaxMembers double: Max number of principals in the role
ServiceExpiryDays double: all services in the role will have specified max expiry days
ServiceReviewDays double: all service members in the role will have specified max review reminder days
TokenExpiryMins double: tokens issued for this role will have specified max timeout in mins
UserExpiryDays double: all user members in the role will have specified max expiry days
UserReviewDays double: all user members in the role will have specified max review reminder days

CertExpiryMins float64: certs issued for this role will have specified max timeout in mins
GroupExpiryDays float64: all group members in the role will have specified max expiry days
GroupReviewDays float64: all group members in the role will have specified max review reminder days
MaxMembers float64: Max number of principals in the role
ServiceExpiryDays float64: all services in the role will have specified max expiry days
ServiceReviewDays float64: all service members in the role will have specified max review reminder days
TokenExpiryMins float64: tokens issued for this role will have specified max timeout in mins
UserExpiryDays float64: all user members in the role will have specified max expiry days
UserReviewDays float64: all user members in the role will have specified max review reminder days

certExpiryMins Double: certs issued for this role will have specified max timeout in mins
groupExpiryDays Double: all group members in the role will have specified max expiry days
groupReviewDays Double: all group members in the role will have specified max review reminder days
maxMembers Double: Max number of principals in the role
serviceExpiryDays Double: all services in the role will have specified max expiry days
serviceReviewDays Double: all service members in the role will have specified max review reminder days
tokenExpiryMins Double: tokens issued for this role will have specified max timeout in mins
userExpiryDays Double: all user members in the role will have specified max expiry days
userReviewDays Double: all user members in the role will have specified max review reminder days

certExpiryMins number: certs issued for this role will have specified max timeout in mins
groupExpiryDays number: all group members in the role will have specified max expiry days
groupReviewDays number: all group members in the role will have specified max review reminder days
maxMembers number: Max number of principals in the role
serviceExpiryDays number: all services in the role will have specified max expiry days
serviceReviewDays number: all service members in the role will have specified max review reminder days
tokenExpiryMins number: tokens issued for this role will have specified max timeout in mins
userExpiryDays number: all user members in the role will have specified max expiry days
userReviewDays number: all user members in the role will have specified max review reminder days

cert_expiry_mins float: certs issued for this role will have specified max timeout in mins
group_expiry_days float: all group members in the role will have specified max expiry days
group_review_days float: all group members in the role will have specified max review reminder days
max_members float: Max number of principals in the role
service_expiry_days float: all services in the role will have specified max expiry days
service_review_days float: all service members in the role will have specified max review reminder days
token_expiry_mins float: tokens issued for this role will have specified max timeout in mins
user_expiry_days float: all user members in the role will have specified max expiry days
user_review_days float: all user members in the role will have specified max review reminder days

certExpiryMins Number: certs issued for this role will have specified max timeout in mins
groupExpiryDays Number: all group members in the role will have specified max expiry days
groupReviewDays Number: all group members in the role will have specified max review reminder days
maxMembers Number: Max number of principals in the role
serviceExpiryDays Number: all services in the role will have specified max expiry days
serviceReviewDays Number: all service members in the role will have specified max review reminder days
tokenExpiryMins Number: tokens issued for this role will have specified max timeout in mins
userExpiryDays Number: all user members in the role will have specified max expiry days
userReviewDays Number: all user members in the role will have specified max review reminder days