AWS IAM

v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi

AssumableRoleWithOIDC

This resource helps you create a single IAM role which can be assumed by trusted resources using OpenID Connect Federated Users.

Example Usage

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;

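class MyStack : Stack
{
    /// <summary>
    /// Creates one IAM role whose trust is federated to the OIDC provider listed in
    /// <c>ProviderUrls</c>, and exposes the role as a stack output.
    /// </summary>
    public MyStack()
    {
        var assumableRoleWithOidc = new AssumableRoleWithOIDC("assumable-role-with-oidc", new AssumableRoleWithOIDCArgs
        {
            Role = new RoleArgs
            {
                Name = "oidc-role",
                // Managed policy attached to the role; keep this scoped to what the
                // workload actually needs.
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
            },
            Tags = new InputMap<string>
            {
                // Tag value matches the role name and the other language examples
                // (the original example carried the typo "odic-role").
                {"Role", "oidc-role"},
            },
            // Issuer URL of the cluster's OIDC provider. No OidcFullyQualifiedSubjects /
            // OidcSubjectsWithWildcards are set here, so the trust policy is presumably
            // bounded only by the issuer — confirm the generated trust policy and pin the
            // subject(s) that should be allowed to assume the role.
            ProviderUrls = {"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"},
        });

        this.AssumableRoleWithOidc = Output.Create<AssumableRoleWithOIDC>(assumableRoleWithOidc);
    }

    /// <summary>The created role, exported as a stack output.</summary>
    [Output]
    public Output<AssumableRoleWithOIDC> AssumableRoleWithOidc { get; set; }
}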
package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Role definition: the IAM role name plus the managed policies attached to it.
        roleSpec := iam.RoleArgs{
            Name:       pulumi.String("oidc-role"),
            PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
        }

        // Issuer URL of the cluster's OIDC provider. No OidcFullyQualifiedSubjects /
        // OidcSubjectsWithWildcards are given, so the trust policy is presumably bounded
        // only by the issuer — confirm the generated trust policy and pin the intended
        // subject(s).
        issuerUrls := pulumi.ToStringArray([]string{"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"})

        args := &iam.AssumableRoleWithOIDCArgs{
            Role:         roleSpec,
            Tags:         pulumi.ToStringMap(map[string]string{"Role": "oidc-role"}),
            ProviderUrls: issuerUrls,
        }

        role, err := iam.NewAssumableRoleWithOIDC(ctx, "assumable-role-with-oidc", args)
        if err != nil {
            return err
        }

        // Expose the created role as a stack output.
        ctx.Export("assumableRoleWithOIDC", role)
        return nil
    })
}

Coming soon!

import pulumi
import pulumi_aws_iam as iam

# Role definition: the IAM role name plus the managed policies attached to it.
role_spec = iam.RoleArgs(
    name='oidc-role',
    policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],
)

# Issuer URL of the cluster's OIDC provider. No oidc_fully_qualified_subjects /
# oidc_subjects_with_wildcards are given, so the trust policy is presumably bounded
# only by the issuer — confirm the generated trust policy and pin the intended
# subject(s).
provider_urls = ['oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8']

assumable_role_with_oidc = iam.AssumableRoleWithOIDC(
    'assumable_role_with_oidc',
    role=role_spec,
    tags={'Role': 'oidc-role'},
    provider_urls=provider_urls,
)

# Expose the created role as a stack output.
pulumi.export('assumable_role_with_oidc', assumable_role_with_oidc)
import * as iam from "@pulumi/aws-iam";

// Issuer URL of the cluster's OIDC provider. No oidcFullyQualifiedSubjects /
// oidcSubjectsWithWildcards are given, so the trust policy is presumably bounded
// only by the issuer — confirm the generated trust policy and pin the intended
// subject(s).
const providerUrls = ["oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"];

const roleArgs: iam.AssumableRoleWithOIDCArgs = {
    providerUrls,
    // Role definition: the IAM role name plus the managed policies attached to it.
    role: {
        name: "oidc-role",
        policyArns: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
    },
    tags: { Role: "oidc-role" },
};

/** The IAM role trusted by the OIDC provider above, exported as a stack output. */
export const assumableRoleWithOidc = new iam.AssumableRoleWithOIDC("aws-iam-example-assumable-role-with-oidc", roleArgs);
name: awsiam-yaml
runtime: yaml
resources:
    assumableRoleWithOidc:
        type: "aws-iam:index:AssumableRoleWithOIDC"
        properties:
            # Role definition: the IAM role name plus the managed policies attached to it.
            role:
                name: "oidc-role"
                policyArns:
                    - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
            tags:
                Role: "oidc-role"
            # Issuer URL of the cluster's OIDC provider. No oidcFullyQualifiedSubjects /
            # oidcSubjectsWithWildcards are given, so the trust policy is presumably
            # bounded only by the issuer — confirm the generated trust policy and pin
            # the intended subject(s).
            providerUrls:
                - "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
outputs:
    # Expose the created role as a stack output.
    assumableRoleWithOidc: ${assumableRoleWithOidc}

Create an AssumableRoleWithOIDC Resource

new AssumableRoleWithOIDC(name: string, args?: AssumableRoleWithOIDCArgs, opts?: CustomResourceOptions);
@overload
def AssumableRoleWithOIDC(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          aws_account_id: Optional[str] = None,
                          force_detach_policies: Optional[bool] = None,
                          max_session_duration: Optional[int] = None,
                          oidc_fully_qualified_audiences: Optional[Sequence[str]] = None,
                          oidc_fully_qualified_subjects: Optional[Sequence[str]] = None,
                          oidc_subjects_with_wildcards: Optional[Sequence[str]] = None,
                          provider_urls: Optional[Sequence[str]] = None,
                          role: Optional[RoleArgs] = None,
                          tags: Optional[Mapping[str, str]] = None)
@overload
def AssumableRoleWithOIDC(resource_name: str,
                          args: Optional[AssumableRoleWithOIDCArgs] = None,
                          opts: Optional[ResourceOptions] = None)
func NewAssumableRoleWithOIDC(ctx *Context, name string, args *AssumableRoleWithOIDCArgs, opts ...ResourceOption) (*AssumableRoleWithOIDC, error)
public AssumableRoleWithOIDC(string name, AssumableRoleWithOIDCArgs? args = null, CustomResourceOptions? opts = null)
public AssumableRoleWithOIDC(String name, AssumableRoleWithOIDCArgs args)
public AssumableRoleWithOIDC(String name, AssumableRoleWithOIDCArgs args, CustomResourceOptions options)
type: aws-iam:AssumableRoleWithOIDC
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AssumableRoleWithOIDCArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AssumableRoleWithOIDCArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AssumableRoleWithOIDCArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AssumableRoleWithOIDCArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AssumableRoleWithOIDCArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AssumableRoleWithOIDC Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AssumableRoleWithOIDC resource accepts the following input properties:

AwsAccountId string

The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

OidcFullyQualifiedAudiences List<string>

The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.

OidcFullyQualifiedSubjects List<string>

The fully qualified OIDC subjects to be added to the role policy.

OidcSubjectsWithWildcards List<string>

The OIDC subject using wildcards to be added to the role policy.

ProviderUrls List<string>

List of URLs of the OIDC Providers.

Role Pulumi.AwsIam.Inputs.RoleArgs

The IAM role.

Tags Dictionary<string, string>

A map of tags to add.

AwsAccountId string

The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

OidcFullyQualifiedAudiences []string

The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.

OidcFullyQualifiedSubjects []string

The fully qualified OIDC subjects to be added to the role policy.

OidcSubjectsWithWildcards []string

The OIDC subject using wildcards to be added to the role policy.

ProviderUrls []string

List of URLs of the OIDC Providers.

Role RoleArgs

The IAM role.

Tags map[string]string

A map of tags to add.

awsAccountId String

The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Integer

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidcFullyQualifiedAudiences List<String>

The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.

oidcFullyQualifiedSubjects List<String>

The fully qualified OIDC subjects to be added to the role policy.

oidcSubjectsWithWildcards List<String>

The OIDC subject using wildcards to be added to the role policy.

providerUrls List<String>

List of URLs of the OIDC Providers.

role RoleArgs

The IAM role.

tags Map<String,String>

A map of tags to add.

awsAccountId string

The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.

forceDetachPolicies boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration number

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidcFullyQualifiedAudiences string[]

The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.

oidcFullyQualifiedSubjects string[]

The fully qualified OIDC subjects to be added to the role policy.

oidcSubjectsWithWildcards string[]

The OIDC subject using wildcards to be added to the role policy.

providerUrls string[]

List of URLs of the OIDC Providers.

role RoleArgs

The IAM role.

tags {[key: string]: string}

A map of tags to add.

aws_account_id str

The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.

force_detach_policies bool

Whether policies should be detached from this role when destroying.

max_session_duration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidc_fully_qualified_audiences Sequence[str]

The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.

oidc_fully_qualified_subjects Sequence[str]

The fully qualified OIDC subjects to be added to the role policy.

oidc_subjects_with_wildcards Sequence[str]

The OIDC subject using wildcards to be added to the role policy.

provider_urls Sequence[str]

List of URLs of the OIDC Providers.

role RoleArgs

The IAM role.

tags Mapping[str, str]

A map of tags to add.

awsAccountId String

The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Number

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidcFullyQualifiedAudiences List<String>

The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.

oidcFullyQualifiedSubjects List<String>

The fully qualified OIDC subjects to be added to the role policy.

oidcSubjectsWithWildcards List<String>

The OIDC subject using wildcards to be added to the role policy.

providerUrls List<String>

List of URLs of the OIDC Providers.

role Property Map

The IAM role.

tags Map<String>

A map of tags to add.

Outputs

All input properties are implicitly available as output properties. Additionally, the AssumableRoleWithOIDC resource produces the following output properties:

Arn string

ARN of IAM role.

Id string

The provider-assigned unique ID for this managed resource.

Name string

Name of IAM role.

Path string

Path of IAM role.

UniqueId string

Unique ID of IAM role.

Arn string

ARN of IAM role.

Id string

The provider-assigned unique ID for this managed resource.

Name string

Name of IAM role.

Path string

Path of IAM role.

UniqueId string

Unique ID of IAM role.

arn String

ARN of IAM role.

id String

The provider-assigned unique ID for this managed resource.

name String

Name of IAM role.

path String

Path of IAM role.

uniqueId String

Unique ID of IAM role.

arn string

ARN of IAM role.

id string

The provider-assigned unique ID for this managed resource.

name string

Name of IAM role.

path string

Path of IAM role.

uniqueId string

Unique ID of IAM role.

arn str

ARN of IAM role.

id str

The provider-assigned unique ID for this managed resource.

name str

Name of IAM role.

path str

Path of IAM role.

unique_id str

Unique ID of IAM role.

arn String

ARN of IAM role.

id String

The provider-assigned unique ID for this managed resource.

name String

Name of IAM role.

path String

Path of IAM role.

uniqueId String

Unique ID of IAM role.

Supporting Types

Role

Name string

IAM role name.

NamePrefix string

IAM role name prefix.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns List<string>

List of policy ARNs to use for the role.

Name string

IAM role name.

NamePrefix string

IAM role name prefix.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns []string

List of policy ARNs to use for the role.

name String

IAM role name.

namePrefix String

IAM role name prefix.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.

name string

IAM role name.

namePrefix string

IAM role name prefix.

path string

Path of admin IAM role.

permissionsBoundaryArn string

Permissions boundary ARN to use for the role.

policyArns string[]

List of policy ARNs to use for the role.

name str

IAM role name.

name_prefix str

IAM role name prefix.

path str

Path of admin IAM role.

permissions_boundary_arn str

Permissions boundary ARN to use for the role.

policy_arns Sequence[str]

List of policy ARNs to use for the role.

name String

IAM role name.

namePrefix String

IAM role name prefix.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.
