AWS IAM v0.0.3, Jun 1 22

aws-iam.AssumableRole


This resource helps you create a single IAM Role that can be assumed by trusted entities. Trusted entities can be any IAM ARNs — typically AWS accounts and users.

Example Usage

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;

class MyStack : Stack
{
    /// <summary>
    /// Creates one assumable IAM role. The trusted ARNs form the role's trust
    /// policy (who may assume it); RequiresMfa makes the role require MFA;
    /// PolicyArns are the managed policies attached to the role.
    /// </summary>
    public MyStack()
    {
        // Entities allowed to assume the role.
        // NOTE(review): an account ":root" ARN presumably trusts that whole
        // account rather than a single principal — confirm this is intended.
        var trustedPrincipals = new[]
        {
            "arn:aws:iam::307990089504:root",
            "arn:aws:iam::835367859851:user/pulumipus",
        };

        // Managed policies attached to the role.
        var managedPolicies = new[]
        {
            "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
            "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
        };

        var roleArgs = new RoleWithMFAArgs
        {
            Name = "custom",
            RequiresMfa = true,
            PolicyArns = managedPolicies,
        };

        var role = new AssumableRole("assumable-role", new AssumableRoleArgs
        {
            TrustedRoleArns = trustedPrincipals,
            Role = roleArgs,
        });

        this.AssumableRole = Output.Create<AssumableRole>(role);
    }

    /// <summary>The created role, exposed as a stack output.</summary>
    [Output]
    public Output<AssumableRole> AssumableRole { get; set; }
}
package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main creates one assumable IAM role and exports it as a stack output.
// The trusted ARNs define who may assume the role, RequiresMfa makes the
// role require MFA, and PolicyArns are the managed policies attached to it.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Entities allowed to assume the role.
        trusted := []string{
            "arn:aws:iam::307990089504:root",
            "arn:aws:iam::835367859851:user/pulumipus",
        }

        // Managed policies attached to the role.
        policies := []string{
            "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
            "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
        }

        args := &iam.AssumableRoleArgs{
            TrustedRoleArns: pulumi.ToStringArray(trusted),
            Role: &iam.RoleWithMFAArgs{
                Name:        pulumi.String("custom"),
                RequiresMfa: pulumi.BoolPtr(true), // the role requires MFA
                PolicyArns:  pulumi.ToStringArray(policies),
            },
        }

        role, err := iam.NewAssumableRole(ctx, "assumable-role", args)
        if err != nil {
            return err
        }

        ctx.Export("assumableRole", role)
        return nil
    })
}


import pulumi
import pulumi_aws_iam as iam

# Entities allowed to assume the role.
trusted_role_arns = [
    'arn:aws:iam::307990089504:root',
    'arn:aws:iam::835367859851:user/pulumipus',
]

# Managed policies attached to the role.
policy_arns = [
    'arn:aws:iam::aws:policy/AmazonCognitoReadOnly',
    'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess',
]

# The role itself: named "custom", requires MFA, with the policies above.
role_args = iam.RoleWithMFAArgs(
    name='custom',
    requires_mfa=True,
    policy_arns=policy_arns,
)

# One assumable IAM role whose trust policy lists trusted_role_arns.
assumable_role = iam.AssumableRole(
    'assumable_role',
    trusted_role_arns=trusted_role_arns,
    role=role_args,
)

# Expose the created role as a stack output.
pulumi.export('assumable_role', assumable_role)
import * as iam from "@pulumi/aws-iam";

// Entities allowed to assume the role.
const trustedRoleArns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/pulumipus",
];

// Managed policies attached to the role.
const policyArns = [
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
];

/** One assumable IAM role; requiresMfa makes the role require MFA. */
export const assumableRole = new iam.AssumableRole("aws-iam-example-assumable-role", {
    trustedRoleArns,
    role: {
        name: "custom",
        requiresMfa: true,
        policyArns,
    },
});
name: awsiam-yaml
runtime: yaml
resources:
    # One assumable IAM role.
    assumableRole:
        type: "aws-iam:index:AssumableRole"
        properties:
            # Entities allowed to assume the role.
            trustedRoleArns:
                - "arn:aws:iam::307990089504:root"
                - "arn:aws:iam::835367859851:user/pulumipus"
            role:
                name: "custom"
                # The role requires MFA.
                requiresMfa: true
                # Managed policies attached to the role.
                policyArns:
                    - "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
                    - "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"
# Expose the created role as a stack output.
outputs:
    assumableRole: ${assumableRole}

Create AssumableRole Resource

new AssumableRole(name: string, args?: AssumableRoleArgs, opts?: CustomResourceOptions);
@overload
def AssumableRole(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  attach_admin_policy: Optional[bool] = None,
                  attach_poweruser_policy: Optional[bool] = None,
                  attach_readonly_policy: Optional[bool] = None,
                  custom_role_trust_policy: Optional[str] = None,
                  force_detach_policies: Optional[bool] = None,
                  max_session_duration: Optional[int] = None,
                  mfa_age: Optional[int] = None,
                  role: Optional[RoleWithMFAArgs] = None,
                  role_sts_external_ids: Optional[Sequence[str]] = None,
                  tags: Optional[Mapping[str, str]] = None,
                  trusted_role_actions: Optional[Sequence[str]] = None,
                  trusted_role_arns: Optional[Sequence[str]] = None,
                  trusted_role_services: Optional[Sequence[str]] = None)
@overload
def AssumableRole(resource_name: str,
                  args: Optional[AssumableRoleArgs] = None,
                  opts: Optional[ResourceOptions] = None)
func NewAssumableRole(ctx *Context, name string, args *AssumableRoleArgs, opts ...ResourceOption) (*AssumableRole, error)
public AssumableRole(string name, AssumableRoleArgs? args = null, CustomResourceOptions? opts = null)
public AssumableRole(String name, AssumableRoleArgs args)
public AssumableRole(String name, AssumableRoleArgs args, CustomResourceOptions options)
type: aws-iam:AssumableRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AssumableRoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AssumableRoleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AssumableRoleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AssumableRoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AssumableRoleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AssumableRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AssumableRole resource accepts the following input properties:

AttachAdminPolicy bool

Whether to attach an admin policy to a role.

AttachPoweruserPolicy bool

Whether to attach a poweruser policy to a role.

AttachReadonlyPolicy bool

Whether to attach a readonly policy to a role.

CustomRoleTrustPolicy string

A custom role trust policy.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

MfaAge int

Max age of valid MFA (in seconds) for roles which require MFA.

Role Pulumi.AwsIam.Inputs.RoleWithMFAArgs

An IAM role that requires MFA.

RoleStsExternalIds List<string>

STS ExternalId condition values to use with a role (when MFA is not required).

Tags Dictionary<string, string>

A map of tags to add.

TrustedRoleActions List<string>

STS actions permitted in the role's trust policy.

TrustedRoleArns List<string>

ARNs of the AWS entities that can assume this role.

TrustedRoleServices List<string>

AWS Services that can assume these roles.

AttachAdminPolicy bool

Whether to attach an admin policy to a role.

AttachPoweruserPolicy bool

Whether to attach a poweruser policy to a role.

AttachReadonlyPolicy bool

Whether to attach a readonly policy to a role.

CustomRoleTrustPolicy string

A custom role trust policy.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

MfaAge int

Max age of valid MFA (in seconds) for roles which require MFA.

Role RoleWithMFAArgs

An IAM role that requires MFA.

RoleStsExternalIds []string

STS ExternalId condition values to use with a role (when MFA is not required).

Tags map[string]string

A map of tags to add.

TrustedRoleActions []string

STS actions permitted in the role's trust policy.

TrustedRoleArns []string

ARNs of the AWS entities that can assume this role.

TrustedRoleServices []string

AWS Services that can assume these roles.

attachAdminPolicy Boolean

Whether to attach an admin policy to a role.

attachPoweruserPolicy Boolean

Whether to attach a poweruser policy to a role.

attachReadonlyPolicy Boolean

Whether to attach a readonly policy to a role.

customRoleTrustPolicy String

A custom role trust policy.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Integer

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfaAge Integer

Max age of valid MFA (in seconds) for roles which require MFA.

role RoleWithMFAArgs

An IAM role that requires MFA.

roleStsExternalIds List<String>

STS ExternalId condition values to use with a role (when MFA is not required).

tags Map<String,String>

A map of tags to add.

trustedRoleActions List<String>

STS actions permitted in the role's trust policy.

trustedRoleArns List<String>

ARNs of the AWS entities that can assume this role.

trustedRoleServices List<String>

AWS Services that can assume these roles.

attachAdminPolicy boolean

Whether to attach an admin policy to a role.

attachPoweruserPolicy boolean

Whether to attach a poweruser policy to a role.

attachReadonlyPolicy boolean

Whether to attach a readonly policy to a role.

customRoleTrustPolicy string

A custom role trust policy.

forceDetachPolicies boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration number

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfaAge number

Max age of valid MFA (in seconds) for roles which require MFA.

role RoleWithMFAArgs

An IAM role that requires MFA.

roleStsExternalIds string[]

STS ExternalId condition values to use with a role (when MFA is not required).

tags {[key: string]: string}

A map of tags to add.

trustedRoleActions string[]

STS actions permitted in the role's trust policy.

trustedRoleArns string[]

ARNs of the AWS entities that can assume this role.

trustedRoleServices string[]

AWS Services that can assume these roles.

attach_admin_policy bool

Whether to attach an admin policy to a role.

attach_poweruser_policy bool

Whether to attach a poweruser policy to a role.

attach_readonly_policy bool

Whether to attach a readonly policy to a role.

custom_role_trust_policy str

A custom role trust policy.

force_detach_policies bool

Whether policies should be detached from this role when destroying.

max_session_duration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfa_age int

Max age of valid MFA (in seconds) for roles which require MFA.

role RoleWithMFAArgs

An IAM role that requires MFA.

role_sts_external_ids Sequence[str]

STS ExternalId condition values to use with a role (when MFA is not required).

tags Mapping[str, str]

A map of tags to add.

trusted_role_actions Sequence[str]

STS actions permitted in the role's trust policy.

trusted_role_arns Sequence[str]

ARNs of the AWS entities that can assume this role.

trusted_role_services Sequence[str]

AWS Services that can assume these roles.

attachAdminPolicy Boolean

Whether to attach an admin policy to a role.

attachPoweruserPolicy Boolean

Whether to attach a poweruser policy to a role.

attachReadonlyPolicy Boolean

Whether to attach a readonly policy to a role.

customRoleTrustPolicy String

A custom role trust policy.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Number

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfaAge Number

Max age of valid MFA (in seconds) for roles which require MFA.

role Property Map

An IAM role that requires MFA.

roleStsExternalIds List<String>

STS ExternalId condition values to use with a role (when MFA is not required).

tags Map<String>

A map of tags to add.

trustedRoleActions List<String>

STS actions permitted in the role's trust policy.

trustedRoleArns List<String>

ARNs of the AWS entities that can assume this role.

trustedRoleServices List<String>

AWS Services that can assume these roles.

Outputs

All input properties are implicitly available as output properties. Additionally, the AssumableRole resource produces the following output properties:

InstanceProfile Dictionary<string, string>
InstanceProfile map[string]string
instanceProfile Map<String,String>
instanceProfile {[key: string]: string}
instance_profile Mapping[str, str]
instanceProfile Map<String>

Supporting Types

RoleWithMFA

Name string

Name of the IAM role.

Path string

Path of the IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns List<string>

List of policy ARNs to use for the role.

RequiresMfa bool

Whether the role requires MFA.

Tags Dictionary<string, string>

A map of tags to add.

Name string

Name of the IAM role.

Path string

Path of the IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns []string

List of policy ARNs to use for the role.

RequiresMfa bool

Whether the role requires MFA.

Tags map[string]string

A map of tags to add.

name String

Name of the IAM role.

path String

Path of the IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.

requiresMfa Boolean

Whether the role requires MFA.

tags Map<String,String>

A map of tags to add.

name string

Name of the IAM role.

path string

Path of the IAM role.

permissionsBoundaryArn string

Permissions boundary ARN to use for the role.

policyArns string[]

List of policy ARNs to use for the role.

requiresMfa boolean

Whether the role requires MFA.

tags {[key: string]: string}

A map of tags to add.

name str

Name of the IAM role.

path str

Path of the IAM role.

permissions_boundary_arn str

Permissions boundary ARN to use for the role.

policy_arns Sequence[str]

List of policy ARNs to use for the role.

requires_mfa bool

Whether the role requires MFA.

tags Mapping[str, str]

A map of tags to add.

name String

Name of the IAM role.

path String

Path of the IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.

requiresMfa Boolean

Whether the role requires MFA.

tags Map<String>

A map of tags to add.

Package Details

Repository
aws-iam
License