AWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi

aws-iam.AssumableRole


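    This resource creates a single IAM role that trusted principals can assume. Trusted principals can be any IAM ARNs, typically AWS accounts and users. Trusting an account's root ARN (arn:aws:iam::ACCOUNT_ID:root) delegates the decision to that account: any principal there whose own IAM policies allow sts:AssumeRole on this role can assume it, so list specific users or roles when only those are meant to have access.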

    Example Usage

    using Pulumi;
    using Pulumi.AwsIam;
    using Pulumi.AwsIam.Inputs;
    
    /// <summary>
    /// Example stack declaring one IAM role that the listed principals may assume,
    /// and exposing the resulting resource as a stack output.
    /// </summary>
    class MyStack : Stack
    {
        public MyStack()
        {
            // Role definition: MFA is required to assume it, and two AWS managed
            // policies are attached. AlexaForBusinessFullAccess is a full-access
            // policy; attach only the policies the role actually needs.
            var mfaRole = new RoleWithMFAArgs
            {
                Name = "custom",
                RequiresMfa = true,
                PolicyArns =
                {
                    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
                    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
                },
            };

            // Trust policy principals: one account root and one IAM user.
            // An account-root principal lets that account decide which of its
            // own identities may assume the role.
            var roleArgs = new AssumableRoleArgs
            {
                TrustedRoleArns =
                {
                    "arn:aws:iam::307990089504:root",
                    "arn:aws:iam::835367859851:user/pulumipus",
                },
                Role = mfaRole,
            };

            var assumableRole = new AssumableRole("assumable-role", roleArgs);

            this.AssumableRole = Output.Create<AssumableRole>(assumableRole);
        }

        /// <summary>The created role component, exported as a stack output.</summary>
        [Output]
        public Output<AssumableRole> AssumableRole { get; set; }
    }
    
    package main
    
    import (
        iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
        "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main runs the Pulumi program: it declares one IAM role that the listed
    // principals may assume and exports the resource as "assumableRole".
    func main() {
        pulumi.Run(func(ctx *pulumi.Context) error {
            // Trust policy principals: one account root and one IAM user.
            // An account-root principal lets that account decide which of its
            // own identities may assume the role.
            trustedPrincipals := pulumi.ToStringArray([]string{
                "arn:aws:iam::307990089504:root",
                "arn:aws:iam::835367859851:user/pulumipus",
            })

            // AWS managed policies attached to the role. AlexaForBusinessFullAccess
            // is a full-access policy; attach only what the role actually needs.
            managedPolicies := pulumi.ToStringArray([]string{
                "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
                "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
            })

            roleArgs := &iam.AssumableRoleArgs{
                TrustedRoleArns: trustedPrincipals,
                Role: &iam.RoleWithMFAArgs{
                    Name:        pulumi.String("custom"),
                    RequiresMfa: pulumi.BoolPtr(true), // callers must have authenticated with MFA
                    PolicyArns:  managedPolicies,
                },
            }

            assumableRole, err := iam.NewAssumableRole(ctx, "assumable-role", roleArgs)
            if err != nil {
                return err
            }

            ctx.Export("assumableRole", assumableRole)

            return nil
        })
    }
    

    Coming soon!

    import pulumi
    import pulumi_aws_iam as iam
    
    # Trust policy principals: one account root and one IAM user.
    # An account-root principal lets that account decide which of its own
    # identities may assume the role.
    trusted_principals = [
        'arn:aws:iam::307990089504:root',
        'arn:aws:iam::835367859851:user/pulumipus',
    ]

    # AWS managed policies attached to the role. AlexaForBusinessFullAccess is a
    # full-access policy; attach only what the role actually needs.
    managed_policy_arns = [
        'arn:aws:iam::aws:policy/AmazonCognitoReadOnly',
        'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess',
    ]

    # Role definition: assuming it requires MFA.
    mfa_role = iam.RoleWithMFAArgs(
        name='custom',
        requires_mfa=True,
        policy_arns=managed_policy_arns,
    )

    assumable_role = iam.AssumableRole(
        'assumable_role',
        trusted_role_arns=trusted_principals,
        role=mfa_role,
    )

    # Expose the created component as a stack output.
    pulumi.export('assumable_role', assumable_role)
    
    import * as iam from "@pulumi/aws-iam";
    
    // Trust policy principals: one account root and one IAM user.
    // An account-root principal lets that account decide which of its own
    // identities may assume the role.
    const trustedPrincipals = [
        "arn:aws:iam::307990089504:root",
        "arn:aws:iam::835367859851:user/pulumipus",
    ];

    // AWS managed policies attached to the role. AlexaForBusinessFullAccess is a
    // full-access policy; attach only what the role actually needs.
    const managedPolicyArns = [
        "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
        "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
    ];

    // The role itself: assuming it requires MFA.
    export const assumableRole = new iam.AssumableRole("aws-iam-example-assumable-role", {
        trustedRoleArns: trustedPrincipals,
        role: {
            name: "custom",
            requiresMfa: true,
            policyArns: managedPolicyArns,
        },
    });
    
    # Pulumi YAML program declaring one IAM role that the listed principals may
    # assume, and exporting the resource as the "assumableRole" stack output.
    name: awsiam-yaml
    runtime: yaml
    resources:
        assumableRole:
            type: "aws-iam:index:AssumableRole"
            properties:
                # Trust policy principals: one account root and one IAM user.
                # An account-root principal lets that account decide which of
                # its own identities may assume the role.
                trustedRoleArns:
                    - "arn:aws:iam::307990089504:root"
                    - "arn:aws:iam::835367859851:user/pulumipus"
                role:
                    name: "custom"
                    # Assuming the role requires MFA.
                    requiresMfa: true
                    # AWS managed policies attached to the role; the second is a
                    # full-access policy, so attach only what the role needs.
                    policyArns:
                        - "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
                        - "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"
    outputs:
        assumableRole: ${assumableRole}
    

    Create AssumableRole Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AssumableRole(name: string, args?: AssumableRoleArgs, opts?: CustomResourceOptions);
    @overload
    def AssumableRole(resource_name: str,
                      args: Optional[AssumableRoleArgs] = None,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def AssumableRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      attach_admin_policy: Optional[bool] = None,
                      attach_poweruser_policy: Optional[bool] = None,
                      attach_readonly_policy: Optional[bool] = None,
                      custom_role_trust_policy: Optional[str] = None,
                      force_detach_policies: Optional[bool] = None,
                      max_session_duration: Optional[int] = None,
                      mfa_age: Optional[int] = None,
                      role: Optional[RoleWithMFAArgs] = None,
                      role_sts_external_ids: Optional[Sequence[str]] = None,
                      tags: Optional[Mapping[str, str]] = None,
                      trusted_role_actions: Optional[Sequence[str]] = None,
                      trusted_role_arns: Optional[Sequence[str]] = None,
                      trusted_role_services: Optional[Sequence[str]] = None)
    func NewAssumableRole(ctx *Context, name string, args *AssumableRoleArgs, opts ...ResourceOption) (*AssumableRole, error)
    public AssumableRole(string name, AssumableRoleArgs? args = null, CustomResourceOptions? opts = null)
    public AssumableRole(String name, AssumableRoleArgs args)
    public AssumableRole(String name, AssumableRoleArgs args, CustomResourceOptions options)
    
    type: aws-iam:AssumableRole
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AssumableRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AssumableRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AssumableRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AssumableRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AssumableRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference template: every value below is a type placeholder ("string", 0,
    // false), not a recommended setting. MaxSessionDuration = 0 is outside the
    // 3600-43200 second range documented for that property, and
    // RoleStsExternalIds is documented as applying when MFA is not required.
    var assumableRoleResource = new AwsIam.AssumableRole("assumableRoleResource", new()
    {
        AttachAdminPolicy = false,
        AttachPoweruserPolicy = false,
        AttachReadonlyPolicy = false,
        CustomRoleTrustPolicy = "string",
        ForceDetachPolicies = false,
        MaxSessionDuration = 0,
        MfaAge = 0,
        Role = new AwsIam.Inputs.RoleWithMFAArgs
        {
            Name = "string",
            Path = "string",
            PermissionsBoundaryArn = "string",
            PolicyArns = new[]
            {
                "string",
            },
            RequiresMfa = false,
            Tags = 
            {
                { "string", "string" },
            },
        },
        RoleStsExternalIds = new[]
        {
            "string",
        },
        Tags = 
        {
            { "string", "string" },
        },
        TrustedRoleActions = new[]
        {
            "string",
        },
        TrustedRoleArns = new[]
        {
            "string",
        },
        TrustedRoleServices = new[]
        {
            "string",
        },
    });
    
    // Reference template: every value below is a type placeholder ("string", 0,
    // false), not a recommended setting. MaxSessionDuration of 0 is outside the
    // 3600-43200 second range documented for that property, and
    // RoleStsExternalIds is documented as applying when MFA is not required.
    example, err := awsiam.NewAssumableRole(ctx, "assumableRoleResource", &awsiam.AssumableRoleArgs{
    	AttachAdminPolicy:     pulumi.Bool(false),
    	AttachPoweruserPolicy: pulumi.Bool(false),
    	AttachReadonlyPolicy:  pulumi.Bool(false),
    	CustomRoleTrustPolicy: pulumi.String("string"),
    	ForceDetachPolicies:   pulumi.Bool(false),
    	MaxSessionDuration:    pulumi.Int(0),
    	MfaAge:                pulumi.Int(0),
    	Role: &awsiam.RoleWithMFAArgs{
    		Name:                   pulumi.String("string"),
    		Path:                   pulumi.String("string"),
    		PermissionsBoundaryArn: pulumi.String("string"),
    		PolicyArns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		RequiresMfa: pulumi.Bool(false),
    		Tags: pulumi.StringMap{
    			"string": pulumi.String("string"),
    		},
    	},
    	RoleStsExternalIds: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	TrustedRoleActions: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TrustedRoleArns: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TrustedRoleServices: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    })
    
    // Reference template: every value below is a type placeholder ("string", 0,
    // false), not a recommended setting. maxSessionDuration(0) is outside the
    // 3600-43200 second range documented for that property, and
    // roleStsExternalIds is documented as applying when MFA is not required.
    var assumableRoleResource = new AssumableRole("assumableRoleResource", AssumableRoleArgs.builder()
        .attachAdminPolicy(false)
        .attachPoweruserPolicy(false)
        .attachReadonlyPolicy(false)
        .customRoleTrustPolicy("string")
        .forceDetachPolicies(false)
        .maxSessionDuration(0)
        .mfaAge(0)
        .role(RoleWithMFAArgs.builder()
            .name("string")
            .path("string")
            .permissionsBoundaryArn("string")
            .policyArns("string")
            .requiresMfa(false)
            .tags(Map.of("string", "string"))
            .build())
        .roleStsExternalIds("string")
        .tags(Map.of("string", "string"))
        .trustedRoleActions("string")
        .trustedRoleArns("string")
        .trustedRoleServices("string")
        .build());
    
    # Reference template: every value below is a type placeholder ("string", 0,
    # False), not a recommended setting. max_session_duration=0 is outside the
    # 3600-43200 second range documented for that property, and
    # role_sts_external_ids is documented as applying when MFA is not required.
    assumable_role_resource = aws_iam.AssumableRole("assumableRoleResource",
        attach_admin_policy=False,
        attach_poweruser_policy=False,
        attach_readonly_policy=False,
        custom_role_trust_policy="string",
        force_detach_policies=False,
        max_session_duration=0,
        mfa_age=0,
        role=aws_iam.RoleWithMFAArgs(
            name="string",
            path="string",
            permissions_boundary_arn="string",
            policy_arns=["string"],
            requires_mfa=False,
            tags={
                "string": "string",
            },
        ),
        role_sts_external_ids=["string"],
        tags={
            "string": "string",
        },
        trusted_role_actions=["string"],
        trusted_role_arns=["string"],
        trusted_role_services=["string"])
    
    // Reference template: every value below is a type placeholder ("string", 0,
    // false), not a recommended setting. maxSessionDuration: 0 is outside the
    // 3600-43200 second range documented for that property, and
    // roleStsExternalIds is documented as applying when MFA is not required.
    const assumableRoleResource = new aws_iam.AssumableRole("assumableRoleResource", {
        attachAdminPolicy: false,
        attachPoweruserPolicy: false,
        attachReadonlyPolicy: false,
        customRoleTrustPolicy: "string",
        forceDetachPolicies: false,
        maxSessionDuration: 0,
        mfaAge: 0,
        role: {
            name: "string",
            path: "string",
            permissionsBoundaryArn: "string",
            policyArns: ["string"],
            requiresMfa: false,
            tags: {
                string: "string",
            },
        },
        roleStsExternalIds: ["string"],
        tags: {
            string: "string",
        },
        trustedRoleActions: ["string"],
        trustedRoleArns: ["string"],
        trustedRoleServices: ["string"],
    });
    
    # Reference template: every value below is a type placeholder (string, 0,
    # false), not a recommended setting. maxSessionDuration: 0 is outside the
    # 3600-43200 second range documented for that property, and
    # roleStsExternalIds is documented as applying when MFA is not required.
    type: aws-iam:AssumableRole
    properties:
        attachAdminPolicy: false
        attachPoweruserPolicy: false
        attachReadonlyPolicy: false
        customRoleTrustPolicy: string
        forceDetachPolicies: false
        maxSessionDuration: 0
        mfaAge: 0
        role:
            name: string
            path: string
            permissionsBoundaryArn: string
            policyArns:
                - string
            requiresMfa: false
            tags:
                string: string
        roleStsExternalIds:
            - string
        tags:
            string: string
        trustedRoleActions:
            - string
        trustedRoleArns:
            - string
        trustedRoleServices:
            - string
    

    AssumableRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The AssumableRole resource accepts the following input properties:

    AttachAdminPolicy bool
    Whether to attach an admin policy to a role.
    AttachPoweruserPolicy bool
    Whether to attach a poweruser policy to a role.
    AttachReadonlyPolicy bool
    Whether to attach a readonly policy to a role.
    CustomRoleTrustPolicy string
    A custom role trust policy.
    ForceDetachPolicies bool
    Whether policies should be detached from this role when destroying.
    MaxSessionDuration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    MfaAge int
    Max age of valid MFA (in seconds) for roles which require MFA.
    Role Pulumi.AwsIam.Inputs.RoleWithMFA
    An IAM role that requires MFA.
    RoleStsExternalIds List<string>
    STS ExternalId condition values to use with a role (when MFA is not required).
    Tags Dictionary<string, string>
    A map of tags to add.
    TrustedRoleActions List<string>
    Actions of STS.
    TrustedRoleArns List<string>
    ARNs of AWS entities who can assume these roles.
    TrustedRoleServices List<string>
    AWS Services that can assume these roles.
    AttachAdminPolicy bool
    Whether to attach an admin policy to a role.
    AttachPoweruserPolicy bool
    Whether to attach a poweruser policy to a role.
    AttachReadonlyPolicy bool
    Whether to attach a readonly policy to a role.
    CustomRoleTrustPolicy string
    A custom role trust policy.
    ForceDetachPolicies bool
    Whether policies should be detached from this role when destroying.
    MaxSessionDuration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    MfaAge int
    Max age of valid MFA (in seconds) for roles which require MFA.
    Role RoleWithMFAArgs
    An IAM role that requires MFA.
    RoleStsExternalIds []string
    STS ExternalId condition values to use with a role (when MFA is not required).
    Tags map[string]string
    A map of tags to add.
    TrustedRoleActions []string
    Actions of STS.
    TrustedRoleArns []string
    ARNs of AWS entities who can assume these roles.
    TrustedRoleServices []string
    AWS Services that can assume these roles.
    attachAdminPolicy Boolean
    Whether to attach an admin policy to a role.
    attachPoweruserPolicy Boolean
    Whether to attach a poweruser policy to a role.
    attachReadonlyPolicy Boolean
    Whether to attach a readonly policy to a role.
    customRoleTrustPolicy String
    A custom role trust policy.
    forceDetachPolicies Boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration Integer
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    mfaAge Integer
    Max age of valid MFA (in seconds) for roles which require MFA.
    role RoleWithMFA
    An IAM role that requires MFA.
    roleStsExternalIds List<String>
    STS ExternalId condition values to use with a role (when MFA is not required).
    tags Map<String,String>
    A map of tags to add.
    trustedRoleActions List<String>
    Actions of STS.
    trustedRoleArns List<String>
    ARNs of AWS entities who can assume these roles.
    trustedRoleServices List<String>
    AWS Services that can assume these roles.
    attachAdminPolicy boolean
    Whether to attach an admin policy to a role.
    attachPoweruserPolicy boolean
    Whether to attach a poweruser policy to a role.
    attachReadonlyPolicy boolean
    Whether to attach a readonly policy to a role.
    customRoleTrustPolicy string
    A custom role trust policy.
    forceDetachPolicies boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration number
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    mfaAge number
    Max age of valid MFA (in seconds) for roles which require MFA.
    role RoleWithMFA
    An IAM role that requires MFA.
    roleStsExternalIds string[]
    STS ExternalId condition values to use with a role (when MFA is not required).
    tags {[key: string]: string}
    A map of tags to add.
    trustedRoleActions string[]
    Actions of STS.
    trustedRoleArns string[]
    ARNs of AWS entities who can assume these roles.
    trustedRoleServices string[]
    AWS Services that can assume these roles.
    attach_admin_policy bool
    Whether to attach an admin policy to a role.
    attach_poweruser_policy bool
    Whether to attach a poweruser policy to a role.
    attach_readonly_policy bool
    Whether to attach a readonly policy to a role.
    custom_role_trust_policy str
    A custom role trust policy.
    force_detach_policies bool
    Whether policies should be detached from this role when destroying.
    max_session_duration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    mfa_age int
    Max age of valid MFA (in seconds) for roles which require MFA.
    role RoleWithMFAArgs
    An IAM role that requires MFA.
    role_sts_external_ids Sequence[str]
    STS ExternalId condition values to use with a role (when MFA is not required).
    tags Mapping[str, str]
    A map of tags to add.
    trusted_role_actions Sequence[str]
    Actions of STS.
    trusted_role_arns Sequence[str]
    ARNs of AWS entities who can assume these roles.
    trusted_role_services Sequence[str]
    AWS Services that can assume these roles.
    attachAdminPolicy Boolean
    Whether to attach an admin policy to a role.
    attachPoweruserPolicy Boolean
    Whether to attach a poweruser policy to a role.
    attachReadonlyPolicy Boolean
    Whether to attach a readonly policy to a role.
    customRoleTrustPolicy String
    A custom role trust policy.
    forceDetachPolicies Boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration Number
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    mfaAge Number
    Max age of valid MFA (in seconds) for roles which require MFA.
    role Property Map
    An IAM role that requires MFA.
    roleStsExternalIds List<String>
    STS ExternalId condition values to use with a role (when MFA is not required).
    tags Map<String>
    A map of tags to add.
    trustedRoleActions List<String>
    Actions of STS.
    trustedRoleArns List<String>
    ARNs of AWS entities who can assume these roles.
    trustedRoleServices List<String>
    AWS Services that can assume these roles.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AssumableRole resource produces the following output properties:

    InstanceProfile Dictionary<string, string>
    InstanceProfile map[string]string
    instanceProfile Map<String,String>
    instanceProfile {[key: string]: string}
    instance_profile Mapping[str, str]
    instanceProfile Map<String>

    Supporting Types

    RoleWithMFA, RoleWithMFAArgs

    Name string
    Name of the IAM role.
    Path string
    Path of the IAM role.
    PermissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    PolicyArns List<string>
    List of policy ARNs to use for the role.
    RequiresMfa bool
    Whether the role requires MFA.
    Tags Dictionary<string, string>
    A map of tags to add.
    Name string
    Name of the IAM role.
    Path string
    Path of the IAM role.
    PermissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    PolicyArns []string
    List of policy ARNs to use for the role.
    RequiresMfa bool
    Whether the role requires MFA.
    Tags map[string]string
    A map of tags to add.
    name String
    Name of the IAM role.
    path String
    Path of the IAM role.
    permissionsBoundaryArn String
    Permissions boundary ARN to use for the role.
    policyArns List<String>
    List of policy ARNs to use for the role.
    requiresMfa Boolean
    Whether the role requires MFA.
    tags Map<String,String>
    A map of tags to add.
    name string
    Name of the IAM role.
    path string
    Path of the IAM role.
    permissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    policyArns string[]
    List of policy ARNs to use for the role.
    requiresMfa boolean
    Whether the role requires MFA.
    tags {[key: string]: string}
    A map of tags to add.
    name str
    Name of the IAM role.
    path str
    Path of the IAM role.
    permissions_boundary_arn str
    Permissions boundary ARN to use for the role.
    policy_arns Sequence[str]
    List of policy ARNs to use for the role.
    requires_mfa bool
    Whether the role requires MFA.
    tags Mapping[str, str]
    A map of tags to add.
    name String
    Name of the IAM role.
    path String
    Path of the IAM role.
    permissionsBoundaryArn String
    Permissions boundary ARN to use for the role.
    policyArns List<String>
    List of policy ARNs to use for the role.
    requiresMfa Boolean
    Whether the role requires MFA.
    tags Map<String>
    A map of tags to add.

    Package Details

    Repository
    aws-iam
    License