AWS IAM v0.0.3, Jun 1 22

aws-iam.AssumableRoles


This resource creates predefined IAM roles (admin, poweruser, and readonly) that can be assumed by trusted principals. Trusted principals are given as IAM ARNs, typically AWS accounts and users. Note that trusting an account's `:root` ARN delegates the decision to that account's own IAM policies: any principal in that account that is granted `sts:AssumeRole` on the role can assume it.

Example Usage

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;

/// <summary>
/// Example stack: provisions the predefined admin, poweruser and readonly
/// roles and exposes the resulting resource as a stack output.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var args = new AssumableRolesArgs
        {
            // Principals allowed to assume the roles: an account root and one IAM user.
            TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"},
            // Admin role with all defaults.
            Admin = new AdminRoleWithMFAArgs(),
            // Poweruser role under a custom name.
            Poweruser = new PoweruserRoleWithMFAArgs { Name = "developer" },
            // Readonly role that requires MFA to be assumed.
            Readonly = new ReadonlyRoleWithMFAArgs { RequiresMfa = true },
        };
        var roles = new AssumableRoles("assumable-roles", args);

        this.AssumableRoles = Output.Create(roles);
    }

    /// <summary>The created roles resource, exported as a stack output.</summary>
    [Output]
    public Output<AssumableRoles> AssumableRoles { get; set; }
}
package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main runs the example Pulumi program: it creates the three predefined
// roles and exports the resulting resource as a stack output.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Principals allowed to assume the roles: an account root and one IAM user.
        trusted := []string{
            "arn:aws:iam::307990089504:root",
            "arn:aws:iam::835367859851:user/pulumipus",
        }
        args := &iam.AssumableRolesArgs{
            TrustedRoleArns: pulumi.ToStringArray(trusted),
            // Admin role with all defaults.
            Admin: iam.AdminRoleWithMFAArgs{},
            // Poweruser role under a custom name.
            Poweruser: iam.PoweruserRoleWithMFAArgs{Name: pulumi.String("developer")},
            // Readonly role that requires MFA to be assumed.
            Readonly: iam.ReadonlyRoleWithMFAArgs{RequiresMfa: pulumi.BoolPtr(true)},
        }
        roles, err := iam.NewAssumableRoles(ctx, "assumable-roles", args)
        if err != nil {
            return err
        }

        // Expose the whole resource as a stack output.
        ctx.Export("assumableRoles", roles)

        return nil
    })
}

Coming soon!

import pulumi
import pulumi_aws_iam as iam

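# Principals allowed to assume the roles: an AWS account root and one IAM user.
# Trusting an account's ':root' ARN delegates the decision to that account's own
# IAM policies -- any principal there granted sts:AssumeRole on the role can use it.
trusted_role_arns = [
    'arn:aws:iam::307990089504:root',
    'arn:aws:iam::835367859851:user/pulumipus',
]

# The admin/poweruser/readonly inputs use the *WithMFAArgs types, matching the
# resource signature (the previous example named AdminRoleArgs/PoweruserRoleArgs,
# which do not match the documented input types).
assumable_roles = iam.AssumableRoles(
    'assumable_roles',
    trusted_role_arns=trusted_role_arns,
    # Admin role with all defaults.
    admin=iam.AdminRoleWithMFAArgs(),
    # Poweruser role under a custom name.
    poweruser=iam.PoweruserRoleWithMFAArgs(
        name='developer',
    ),
    # Readonly role that requires MFA to be assumed.
    readonly=iam.ReadonlyRoleWithMFAArgs(
        requires_mfa=True,
    ),
)

# Expose the whole resource as a stack output.
pulumi.export('assumable_roles', assumable_roles)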
import * as iam from "@pulumi/aws-iam";

// Principals allowed to assume the roles: an account root and one IAM user.
const trustedRoleArns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/pulumipus",
];

// Creates the predefined admin, poweruser and readonly roles; exported so the
// resource is available as a stack output.
export const assumableRoles = new iam.AssumableRoles("aws-iam-example-assumable-roles", {
    trustedRoleArns,
    // Admin role with all defaults.
    admin: {},
    // Poweruser role under a custom name.
    poweruser: { name: "developer" },
    // Readonly role that requires MFA to be assumed.
    readonly: { requiresMfa: true },
});
name: awsiam-yaml
runtime: yaml
resources:
    # Predefined roles; no admin block is given here (the other language
    # examples pass an empty one) -- confirm the intended result before use.
    assumableRoles:
        type: "aws-iam:index:AssumableRoles"
        properties:
            # Principals allowed to assume the roles: an account root and one IAM user.
            trustedRoleArns:
                - "arn:aws:iam::307990089504:root"
                - "arn:aws:iam::835367859851:user/pulumipus"
            # Poweruser role under a custom name.
            poweruser:
                name: "developer"
            # Readonly role that requires MFA to be assumed.
            readonly:
                requiresMfa: true
outputs:
    # Expose the whole resource as a stack output.
    assumableRoles: ${assumableRoles}

Create AssumableRoles Resource

new AssumableRoles(name: string, args: AssumableRolesArgs, opts?: CustomResourceOptions);
@overload
def AssumableRoles(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   admin: Optional[AdminRoleWithMFAArgs] = None,
                   force_detach_policies: Optional[bool] = None,
                   max_session_duration: Optional[int] = None,
                   mfa_age: Optional[int] = None,
                   poweruser: Optional[PoweruserRoleWithMFAArgs] = None,
                   readonly: Optional[ReadonlyRoleWithMFAArgs] = None,
                   trusted_role_arns: Optional[Sequence[str]] = None,
                   trusted_role_services: Optional[Sequence[str]] = None)
@overload
def AssumableRoles(resource_name: str,
                   args: AssumableRolesArgs,
                   opts: Optional[ResourceOptions] = None)
func NewAssumableRoles(ctx *Context, name string, args AssumableRolesArgs, opts ...ResourceOption) (*AssumableRoles, error)
public AssumableRoles(string name, AssumableRolesArgs args, CustomResourceOptions? opts = null)
public AssumableRoles(String name, AssumableRolesArgs args)
public AssumableRoles(String name, AssumableRolesArgs args, CustomResourceOptions options)
type: aws-iam:AssumableRoles
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AssumableRolesArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AssumableRolesArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AssumableRolesArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AssumableRolesArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AssumableRolesArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AssumableRoles Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AssumableRoles resource accepts the following input properties:

Admin Pulumi.AwsIam.Inputs.AdminRoleWithMFAArgs
ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

MfaAge int

Max age of valid MFA (in seconds) for roles which require MFA.

Poweruser Pulumi.AwsIam.Inputs.PoweruserRoleWithMFAArgs
Readonly Pulumi.AwsIam.Inputs.ReadonlyRoleWithMFAArgs
TrustedRoleArns List<string>

ARNs of the AWS principals that can assume these roles.

TrustedRoleServices List<string>

AWS Services that can assume these roles.

Admin AdminRoleWithMFAArgs
ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

MfaAge int

Max age of valid MFA (in seconds) for roles which require MFA.

Poweruser PoweruserRoleWithMFAArgs
Readonly ReadonlyRoleWithMFAArgs
TrustedRoleArns []string

ARNs of the AWS principals that can assume these roles.

TrustedRoleServices []string

AWS Services that can assume these roles.

admin AdminRoleWithMFAArgs
forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Integer

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfaAge Integer

Max age of valid MFA (in seconds) for roles which require MFA.

poweruser PoweruserRoleWithMFAArgs
readonly ReadonlyRoleWithMFAArgs
trustedRoleArns List<String>

ARNs of the AWS principals that can assume these roles.

trustedRoleServices List<String>

AWS Services that can assume these roles.

admin AdminRoleWithMFAArgs
forceDetachPolicies boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration number

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfaAge number

Max age of valid MFA (in seconds) for roles which require MFA.

poweruser PoweruserRoleWithMFAArgs
readonly ReadonlyRoleWithMFAArgs
trustedRoleArns string[]

ARNs of the AWS principals that can assume these roles.

trustedRoleServices string[]

AWS Services that can assume these roles.

admin AdminRoleWithMFAArgs
force_detach_policies bool

Whether policies should be detached from this role when destroying.

max_session_duration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfa_age int

Max age of valid MFA (in seconds) for roles which require MFA.

poweruser PoweruserRoleWithMFAArgs
readonly ReadonlyRoleWithMFAArgs
trusted_role_arns Sequence[str]

ARNs of the AWS principals that can assume these roles.

trusted_role_services Sequence[str]

AWS Services that can assume these roles.

admin Property Map
forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Number

Maximum CLI/API session duration in seconds between 3600 and 43200.

mfaAge Number

Max age of valid MFA (in seconds) for roles which require MFA.

poweruser Property Map
readonly Property Map
trustedRoleArns List<String>

ARNs of the AWS principals that can assume these roles.

trustedRoleServices List<String>

AWS Services that can assume these roles.

Outputs

All input properties are implicitly available as output properties. Additionally, the AssumableRoles resource produces the following output properties:

Supporting Types

AdminRoleWithMFA

Name string

IAM role with admin access.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for admin role.

PolicyArns List<string>

List of policy ARNs to use for admin role.

RequiresMfa bool

Whether admin role requires MFA.

Tags Dictionary<string, string>

A map of tags to add.

Name string

IAM role with admin access.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for admin role.

PolicyArns []string

List of policy ARNs to use for admin role.

RequiresMfa bool

Whether admin role requires MFA.

Tags map[string]string

A map of tags to add.

name String

IAM role with admin access.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for admin role.

policyArns List<String>

List of policy ARNs to use for admin role.

requiresMfa Boolean

Whether admin role requires MFA.

tags Map<String,String>

A map of tags to add.

name string

IAM role with admin access.

path string

Path of admin IAM role.

permissionsBoundaryArn string

Permissions boundary ARN to use for admin role.

policyArns string[]

List of policy ARNs to use for admin role.

requiresMfa boolean

Whether admin role requires MFA.

tags {[key: string]: string}

A map of tags to add.

name str

IAM role with admin access.

path str

Path of admin IAM role.

permissions_boundary_arn str

Permissions boundary ARN to use for admin role.

policy_arns Sequence[str]

List of policy ARNs to use for admin role.

requires_mfa bool

Whether admin role requires MFA.

tags Mapping[str, str]

A map of tags to add.

name String

IAM role with admin access.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for admin role.

policyArns List<String>

List of policy ARNs to use for admin role.

requiresMfa Boolean

Whether admin role requires MFA.

tags Map<String>

A map of tags to add.

PoweruserRoleWithMFA

Name string

IAM role with poweruser access.

Path string

Path of poweruser IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for poweruser role.

PolicyArns List<string>

List of policy ARNs to use for poweruser role.

RequiresMfa bool

Whether the poweruser role requires MFA.

Tags Dictionary<string, string>

A map of tags to add.

Name string

IAM role with poweruser access.

Path string

Path of poweruser IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for poweruser role.

PolicyArns []string

List of policy ARNs to use for poweruser role.

RequiresMfa bool

Whether the poweruser role requires MFA.

Tags map[string]string

A map of tags to add.

name String

IAM role with poweruser access.

path String

Path of poweruser IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for poweruser role.

policyArns List<String>

List of policy ARNs to use for poweruser role.

requiresMfa Boolean

Whether the poweruser role requires MFA.

tags Map<String,String>

A map of tags to add.

name string

IAM role with poweruser access.

path string

Path of poweruser IAM role.

permissionsBoundaryArn string

Permissions boundary ARN to use for poweruser role.

policyArns string[]

List of policy ARNs to use for poweruser role.

requiresMfa boolean

Whether the poweruser role requires MFA.

tags {[key: string]: string}

A map of tags to add.

name str

IAM role with poweruser access.

path str

Path of poweruser IAM role.

permissions_boundary_arn str

Permissions boundary ARN to use for poweruser role.

policy_arns Sequence[str]

List of policy ARNs to use for poweruser role.

requires_mfa bool

Whether the poweruser role requires MFA.

tags Mapping[str, str]

A map of tags to add.

name String

IAM role with poweruser access.

path String

Path of poweruser IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for poweruser role.

policyArns List<String>

List of policy ARNs to use for poweruser role.

requiresMfa Boolean

Whether the poweruser role requires MFA.

tags Map<String>

A map of tags to add.

ReadonlyRoleWithMFA

Name string

IAM role with readonly access.

Path string

Path of readonly IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for readonly role.

PolicyArns List<string>

List of policy ARNs to use for readonly role.

RequiresMfa bool

Whether the readonly role requires MFA.

Tags Dictionary<string, string>

A map of tags to add.

Name string

IAM role with readonly access.

Path string

Path of readonly IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for readonly role.

PolicyArns []string

List of policy ARNs to use for readonly role.

RequiresMfa bool

Whether the readonly role requires MFA.

Tags map[string]string

A map of tags to add.

name String

IAM role with readonly access.

path String

Path of readonly IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for readonly role.

policyArns List<String>

List of policy ARNs to use for readonly role.

requiresMfa Boolean

Whether the readonly role requires MFA.

tags Map<String,String>

A map of tags to add.

name string

IAM role with readonly access.

path string

Path of readonly IAM role.

permissionsBoundaryArn string

Permissions boundary ARN to use for readonly role.

policyArns string[]

List of policy ARNs to use for readonly role.

requiresMfa boolean

Whether the readonly role requires MFA.

tags {[key: string]: string}

A map of tags to add.

name str

IAM role with readonly access.

path str

Path of readonly IAM role.

permissions_boundary_arn str

Permissions boundary ARN to use for readonly role.

policy_arns Sequence[str]

List of policy ARNs to use for readonly role.

requires_mfa bool

Whether the readonly role requires MFA.

tags Mapping[str, str]

A map of tags to add.

name String

IAM role with readonly access.

path String

Path of readonly IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for readonly role.

policyArns List<String>

List of policy ARNs to use for readonly role.

requiresMfa Boolean

Whether the readonly role requires MFA.

tags Map<String>

A map of tags to add.

Package Details

Repository
aws-iam
License