Docs
Packagesaws-iam.AssumableRole
Explore with Pulumi AI
This resource helps you create a single IAM Role which can be assumed by trusted resources. Trusted resources can be any IAM ARNs, typically, AWS Accounts and Users.
Example Usage
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
class MyStack : Stack
{
public MyStack()
{
var assumableRole = new AssumableRole("assumable-role", new AssumableRoleArgs
{
TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"},
Role = new RoleWithMFAArgs
{
Name = "custom",
RequiresMfa = true,
PolicyArns = {"arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"},
},
});
this.AssumableRole = Output.Create<AssumableRole>(assumableRole);
}
[Output]
public Output<AssumableRole> AssumableRole { get; set; }
}
package main
import (
iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
assumableRole, err := iam.NewAssumableRole(ctx, "assumable-role", &iam.AssumableRoleArgs{
TrustedRoleArns: pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}),
Role: &iam.RoleWithMFAArgs{
Name: pulumi.String("custom"),
RequiresMfa: pulumi.BoolPtr(true),
PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonCognitoReadOnly", "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"}),
},
})
if err != nil {
return err
}
ctx.Export("assumableRole", assumableRole)
return nil
})
}
Coming soon!
import pulumi
import pulumi_aws_iam as iam
assumable_role = iam.AssumableRole(
'assumable_role',
trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'],
role=iam.RoleWithMFAArgs(
name='custom',
requires_mfa=True,
policy_arns=['arn:aws:iam::aws:policy/AmazonCognitoReadOnly','arn:aws:iam::aws:policy/AlexaForBusinessFullAccess'],
),
)
pulumi.export('assumable_role', assumable_role)
import * as iam from "@pulumi/aws-iam";
export const assumableRole = new iam.AssumableRole("aws-iam-example-assumable-role", {
trustedRoleArns: [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus" ],
role: {
name: "custom",
requiresMfa: true,
policyArns: [ "arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess" ],
},
});
name: awsiam-yaml
runtime: yaml
resources:
assumableRole:
type: "aws-iam:index:AssumableRole"
properties:
trustedRoleArns:
- "arn:aws:iam::307990089504:root"
- "arn:aws:iam::835367859851:user/pulumipus"
role:
name: "custom"
requiresMfa: true
policyArns:
- "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
- "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"
outputs:
assumableRole: ${assumableRole}
Create AssumableRole Resource
new AssumableRole(name: string, args?: AssumableRoleArgs, opts?: CustomResourceOptions);@overload
def AssumableRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
attach_admin_policy: Optional[bool] = None,
attach_poweruser_policy: Optional[bool] = None,
attach_readonly_policy: Optional[bool] = None,
custom_role_trust_policy: Optional[str] = None,
force_detach_policies: Optional[bool] = None,
max_session_duration: Optional[int] = None,
mfa_age: Optional[int] = None,
role: Optional[RoleWithMFAArgs] = None,
role_sts_external_ids: Optional[Sequence[str]] = None,
tags: Optional[Mapping[str, str]] = None,
trusted_role_actions: Optional[Sequence[str]] = None,
trusted_role_arns: Optional[Sequence[str]] = None,
trusted_role_services: Optional[Sequence[str]] = None)
@overload
def AssumableRole(resource_name: str,
args: Optional[AssumableRoleArgs] = None,
opts: Optional[ResourceOptions] = None)func NewAssumableRole(ctx *Context, name string, args *AssumableRoleArgs, opts ...ResourceOption) (*AssumableRole, error)public AssumableRole(string name, AssumableRoleArgs? args = null, CustomResourceOptions? opts = null)
public AssumableRole(String name, AssumableRoleArgs args)
public AssumableRole(String name, AssumableRoleArgs args, CustomResourceOptions options)
type: aws-iam:AssumableRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
AssumableRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AssumableRole resource accepts the following input properties:
- Attach
Admin boolPolicy Whether to attach an admin policy to a role.
- Attach
Poweruser boolPolicy Whether to attach a poweruser policy to a role.
- Attach
Readonly boolPolicy Whether to attach a readonly policy to a role.
- Custom
Role stringTrust Policy A custom role trust policy.
- Force
Detach boolPolicies Whether policies should be detached from this role when destroying.
- Max
Session intDuration Maximum CLI/API session duration in seconds between 3600 and 43200.
- Mfa
Age int Max age of valid MFA (in seconds) for roles which require MFA.
- Role
Pulumi.
Aws Iam. Inputs. Role With MFA An IAM role that requires MFA.
- Role
Sts List<string>External Ids STS ExternalId condition values to use with a role (when MFA is not required).
- Dictionary<string, string>
A map of tags to add.
- Trusted
Role List<string>Actions Actions of STS.
- Trusted
Role List<string>Arns ARNs of AWS entities who can assume these roles.
- Trusted
Role List<string>Services AWS Services that can assume these roles.
- Attach
Admin boolPolicy Whether to attach an admin policy to a role.
- Attach
Poweruser boolPolicy Whether to attach a poweruser policy to a role.
- Attach
Readonly boolPolicy Whether to attach a readonly policy to a role.
- Custom
Role stringTrust Policy A custom role trust policy.
- Force
Detach boolPolicies Whether policies should be detached from this role when destroying.
- Max
Session intDuration Maximum CLI/API session duration in seconds between 3600 and 43200.
- Mfa
Age int Max age of valid MFA (in seconds) for roles which require MFA.
- Role
Role
With MFAArgs An IAM role that requires MFA.
- Role
Sts []stringExternal Ids STS ExternalId condition values to use with a role (when MFA is not required).
- map[string]string
A map of tags to add.
- Trusted
Role []stringActions Actions of STS.
- Trusted
Role []stringArns ARNs of AWS entities who can assume these roles.
- Trusted
Role []stringServices AWS Services that can assume these roles.
- attach
Admin BooleanPolicy Whether to attach an admin policy to a role.
- attach
Poweruser BooleanPolicy Whether to attach a poweruser policy to a role.
- attach
Readonly BooleanPolicy Whether to attach a readonly policy to a role.
- custom
Role StringTrust Policy A custom role trust policy.
- force
Detach BooleanPolicies Whether policies should be detached from this role when destroying.
- max
Session IntegerDuration Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfa
Age Integer Max age of valid MFA (in seconds) for roles which require MFA.
- role
Role
With MFA An IAM role that requires MFA.
- role
Sts List<String>External Ids STS ExternalId condition values to use with a role (when MFA is not required).
- Map<String,String>
A map of tags to add.
- trusted
Role List<String>Actions Actions of STS.
- trusted
Role List<String>Arns ARNs of AWS entities who can assume these roles.
- trusted
Role List<String>Services AWS Services that can assume these roles.
- attach
Admin booleanPolicy Whether to attach an admin policy to a role.
- attach
Poweruser booleanPolicy Whether to attach a poweruser policy to a role.
- attach
Readonly booleanPolicy Whether to attach a readonly policy to a role.
- custom
Role stringTrust Policy A custom role trust policy.
- force
Detach booleanPolicies Whether policies should be detached from this role when destroying.
- max
Session numberDuration Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfa
Age number Max age of valid MFA (in seconds) for roles which require MFA.
- role
Role
With MFA An IAM role that requires MFA.
- role
Sts string[]External Ids STS ExternalId condition values to use with a role (when MFA is not required).
- {[key: string]: string}
A map of tags to add.
- trusted
Role string[]Actions Actions of STS.
- trusted
Role string[]Arns ARNs of AWS entities who can assume these roles.
- trusted
Role string[]Services AWS Services that can assume these roles.
- attach_
admin_ boolpolicy Whether to attach an admin policy to a role.
- attach_
poweruser_ boolpolicy Whether to attach a poweruser policy to a role.
- attach_
readonly_ boolpolicy Whether to attach a readonly policy to a role.
- custom_
role_ strtrust_ policy A custom role trust policy.
- force_
detach_ boolpolicies Whether policies should be detached from this role when destroying.
- max_
session_ intduration Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfa_
age int Max age of valid MFA (in seconds) for roles which require MFA.
- role
Role
With MFAArgs An IAM role that requires MFA.
- role_
sts_ Sequence[str]external_ ids STS ExternalId condition values to use with a role (when MFA is not required).
- Mapping[str, str]
A map of tags to add.
- trusted_
role_ Sequence[str]actions Actions of STS.
- trusted_
role_ Sequence[str]arns ARNs of AWS entities who can assume these roles.
- trusted_
role_ Sequence[str]services AWS Services that can assume these roles.
- attach
Admin BooleanPolicy Whether to attach an admin policy to a role.
- attach
Poweruser BooleanPolicy Whether to attach a poweruser policy to a role.
- attach
Readonly BooleanPolicy Whether to attach a readonly policy to a role.
- custom
Role StringTrust Policy A custom role trust policy.
- force
Detach BooleanPolicies Whether policies should be detached from this role when destroying.
- max
Session NumberDuration Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfa
Age Number Max age of valid MFA (in seconds) for roles which require MFA.
- role Property Map
An IAM role that requires MFA.
- role
Sts List<String>External Ids STS ExternalId condition values to use with a role (when MFA is not required).
- Map<String>
A map of tags to add.
- trusted
Role List<String>Actions Actions of STS.
- trusted
Role List<String>Arns ARNs of AWS entities who can assume these roles.
- trusted
Role List<String>Services AWS Services that can assume these roles.
Outputs
All input properties are implicitly available as output properties. Additionally, the AssumableRole resource produces the following output properties:
- Instance
Profile Dictionary<string, string>
- Instance
Profile map[string]string
- instance
Profile Map<String,String>
- instance
Profile {[key: string]: string}
- instance_
profile Mapping[str, str]
- instance
Profile Map<String>
Supporting Types
RoleWithMFA, RoleWithMFAArgs
- Name string
IAM role with the access.
- Path string
Path of the IAM role.
- Permissions
Boundary stringArn Permissions boundary ARN to use for the role.
- Policy
Arns List<string> List of policy ARNs to use for the role.
- Requires
Mfa bool Whether the role requires MFA.
- Dictionary<string, string>
A map of tags to add.
- Name string
IAM role with the access.
- Path string
Path of the IAM role.
- Permissions
Boundary stringArn Permissions boundary ARN to use for the role.
- Policy
Arns []string List of policy ARNs to use for the role.
- Requires
Mfa bool Whether the role requires MFA.
- map[string]string
A map of tags to add.
- name String
IAM role with the access.
- path String
Path of the IAM role.
- permissions
Boundary StringArn Permissions boundary ARN to use for the role.
- policy
Arns List<String> List of policy ARNs to use for the role.
- requires
Mfa Boolean Whether the role requires MFA.
- Map<String,String>
A map of tags to add.
- name string
IAM role with the access.
- path string
Path of the IAM role.
- permissions
Boundary stringArn Permissions boundary ARN to use for the role.
- policy
Arns string[] List of policy ARNs to use for the role.
- requires
Mfa boolean Whether the role requires MFA.
- {[key: string]: string}
A map of tags to add.
- name str
IAM role with the access.
- path str
Path of the IAM role.
- permissions_
boundary_ strarn Permissions boundary ARN to use for the role.
- policy_
arns Sequence[str] List of policy ARNs to use for the role.
- requires_
mfa bool Whether the role requires MFA.
- Mapping[str, str]
A map of tags to add.
- name String
IAM role with the access.
- path String
Path of the IAM role.
- permissions
Boundary StringArn Permissions boundary ARN to use for the role.
- policy
Arns List<String> List of policy ARNs to use for the role.
- requires
Mfa Boolean Whether the role requires MFA.
- Map<String>
A map of tags to add.
Package Details
- Repository
- aws-iam
- License