1. Packages
  2. AWS IAM
  3. API Docs
  4. EKSRole
AWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi

aws-iam.EKSRole

Explore with Pulumi AI

aws-iam logo
AWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi

    This resource helps you create an IAM role that can be assumed by one or more EKS ServiceAccounts, in one or more EKS Clusters. With this resource:

    • You do not need any knowledge of cluster OIDC information.
    • You can assume the role from multiple EKS clusters, for example used in DR or when a workload is spread across clusters.
    • You can support multiple ServiceAccount in the same cluster, for example when a workload runs in multiple namespaces.

    Notes:

    • The EKS cluster needs to exist first, in the current AWS account and region
    • The key in the Cluster Service Accounts is the exact name of the EKS cluster.

    Example Usage

    With this resource you can provision an IAM Role named

    using Pulumi;
    using Pulumi.AwsIam;
    using Pulumi.AwsIam.Inputs;
    using System.Collections.Immutable;
    
    class MyStack : Stack
    {
        public MyStack()
        {
            var eksRole = new EKSRole("eks-role", new EKSRoleArgs
            {
                Role = new RoleArgs
                {
                    Name = "eks-role",
                    PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
                },
                Tags = new InputMap<string>
                {
                    {"Name", "eks-role"},
                },
                Uncomment the below and replace actual cluster values.
                ClusterServiceAccounts = {
                    {"staging-main-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})},
                    {"staging-backup-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})}
                },
            });
    
            this.EksRole = Output.Create<EKSRole>(eksRole);
        }
    
        [Output]
        public Output<EKSRole> EksRole { get; set; }
    }
    
    package main
    
    import (
        iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
        "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
        pulumi.Run(func(ctx *pulumi.Context) error {
            eksRole, err := iam.NewEKSRole(ctx, "eks-role", &iam.EKSRoleArgs{
                Role: iam.RoleArgs{
                    Name:       pulumi.String("eks-role"),
                    PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
                },
                Tags: pulumi.ToStringMap(map[string]string{
                    "Role": "eks-role",
                }),
                Uncomment the below and replace actual cluster values.
                ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{
                    "staging-main-1": {"default:my-app-staging"},
                    "staging-backup-1": {"default:my-app-staging"},
                }),
            })
            if err != nil {
                return err
            }
    
            ctx.Export("eksRole", eksRole)
    
            return nil
        })
    }
    

    Coming soon!

    import pulumi
    import pulumi_aws_iam as iam
    
    eks_role = iam.EKSRole(
        'eks_role',
        role=iam.RoleArgs(
            name='eks-role',
            policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],
        ),
        tags={
            'Name': 'eks-role',
        },
        cluster_service_acccounts={
            'staging-main-1': [ 'default:my-app-staging' ],
            'staging-backup-1': [ 'default:my-app-staging' ],
        },
    )
    
    import * as iam from "@pulumi/aws-iam";
    
    export const eksRole = new iam.EKSRole("aws-iam-example-eks-role", {
        role: {
            name: "eks-role",
            policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ],
        },
        tags: {
            Name: "eks-role",
        },
        clusterServiceAccounts: {
            "staging-main-1": [ "default:my-app-staging" ],
            "staging-backup-1": [ "default:my-app-staging" ],
        },
    });
    
    name: awsiam-yaml
    runtime: yaml
    resources:
        eksRole:
            type: "aws-iam:index:EKSRole"
            properties:
                role:
                    name: "eks-role"
                    policyArns:
                        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
                tags:
                    Name: "eks-role"
                clusterServiceAccounts:
                    "staging-main-1":
                        - "default:my-app-staging"
                    "staging-backup-1":
                        - "default:my-app-staging"
    outputs:
        eksRole: ${eksRole}
    

    Create EKSRole Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new EKSRole(name: string, args?: EKSRoleArgs, opts?: CustomResourceOptions);
    @overload
    def EKSRole(resource_name: str,
                args: Optional[EKSRoleArgs] = None,
                opts: Optional[ResourceOptions] = None)
    
    @overload
    def EKSRole(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                cluster_service_accounts: Optional[Mapping[str, Sequence[str]]] = None,
                force_detach_policies: Optional[bool] = None,
                max_session_duration: Optional[int] = None,
                provider_url_sa_pairs: Optional[Mapping[str, Sequence[str]]] = None,
                role: Optional[RoleArgs] = None,
                role_policy_arns: Optional[Sequence[str]] = None,
                tags: Optional[Mapping[str, str]] = None)
    func NewEKSRole(ctx *Context, name string, args *EKSRoleArgs, opts ...ResourceOption) (*EKSRole, error)
    public EKSRole(string name, EKSRoleArgs? args = null, CustomResourceOptions? opts = null)
    public EKSRole(String name, EKSRoleArgs args)
    public EKSRole(String name, EKSRoleArgs args, CustomResourceOptions options)
    
    type: aws-iam:EKSRole
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args EKSRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args EKSRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args EKSRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args EKSRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args EKSRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var eksroleResource = new AwsIam.EKSRole("eksroleResource", new()
    {
        ClusterServiceAccounts = 
        {
            { "string", new[]
            {
                "string",
            } },
        },
        ForceDetachPolicies = false,
        MaxSessionDuration = 0,
        ProviderUrlSaPairs = 
        {
            { "string", new[]
            {
                "string",
            } },
        },
        Role = new AwsIam.Inputs.RoleArgs
        {
            Name = "string",
            NamePrefix = "string",
            Path = "string",
            PermissionsBoundaryArn = "string",
            PolicyArns = new[]
            {
                "string",
            },
        },
        RolePolicyArns = new[]
        {
            "string",
        },
        Tags = 
        {
            { "string", "string" },
        },
    });
    
    example, err := awsiam.NewEKSRole(ctx, "eksroleResource", &awsiam.EKSRoleArgs{
    	ClusterServiceAccounts: pulumi.StringArrayMap{
    		"string": pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	ForceDetachPolicies: pulumi.Bool(false),
    	MaxSessionDuration:  pulumi.Int(0),
    	ProviderUrlSaPairs: pulumi.StringArrayMap{
    		"string": pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	Role: &awsiam.RoleArgs{
    		Name:                   pulumi.String("string"),
    		NamePrefix:             pulumi.String("string"),
    		Path:                   pulumi.String("string"),
    		PermissionsBoundaryArn: pulumi.String("string"),
    		PolicyArns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	RolePolicyArns: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    })
    
    var eksroleResource = new EKSRole("eksroleResource", EKSRoleArgs.builder()
        .clusterServiceAccounts(Map.of("string", "string"))
        .forceDetachPolicies(false)
        .maxSessionDuration(0)
        .providerUrlSaPairs(Map.of("string", "string"))
        .role(RoleArgs.builder()
            .name("string")
            .namePrefix("string")
            .path("string")
            .permissionsBoundaryArn("string")
            .policyArns("string")
            .build())
        .rolePolicyArns("string")
        .tags(Map.of("string", "string"))
        .build());
    
    eksrole_resource = aws_iam.EKSRole("eksroleResource",
        cluster_service_accounts={
            "string": ["string"],
        },
        force_detach_policies=False,
        max_session_duration=0,
        provider_url_sa_pairs={
            "string": ["string"],
        },
        role=aws_iam.RoleArgs(
            name="string",
            name_prefix="string",
            path="string",
            permissions_boundary_arn="string",
            policy_arns=["string"],
        ),
        role_policy_arns=["string"],
        tags={
            "string": "string",
        })
    
    const eksroleResource = new aws_iam.EKSRole("eksroleResource", {
        clusterServiceAccounts: {
            string: ["string"],
        },
        forceDetachPolicies: false,
        maxSessionDuration: 0,
        providerUrlSaPairs: {
            string: ["string"],
        },
        role: {
            name: "string",
            namePrefix: "string",
            path: "string",
            permissionsBoundaryArn: "string",
            policyArns: ["string"],
        },
        rolePolicyArns: ["string"],
        tags: {
            string: "string",
        },
    });
    
    type: aws-iam:EKSRole
    properties:
        clusterServiceAccounts:
            string:
                - string
        forceDetachPolicies: false
        maxSessionDuration: 0
        providerUrlSaPairs:
            string:
                - string
        role:
            name: string
            namePrefix: string
            path: string
            permissionsBoundaryArn: string
            policyArns:
                - string
        rolePolicyArns:
            - string
        tags:
            string: string
    

    EKSRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The EKSRole resource accepts the following input properties:

    ClusterServiceAccounts Dictionary<string, ImmutableArray<string>>
    EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
    ForceDetachPolicies bool
    Whether policies should be detached from this role when destroying.
    MaxSessionDuration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    ProviderUrlSaPairs Dictionary<string, ImmutableArray<string>>
    OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
    Role Pulumi.AwsIam.Inputs.Role
    RolePolicyArns List<string>
    ARNs of any policies to attach to the IAM role.
    Tags Dictionary<string, string>
    A map of tags to add.
    ClusterServiceAccounts map[string][]string
    EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
    ForceDetachPolicies bool
    Whether policies should be detached from this role when destroying.
    MaxSessionDuration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    ProviderUrlSaPairs map[string][]string
    OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
    Role RoleArgs
    RolePolicyArns []string
    ARNs of any policies to attach to the IAM role.
    Tags map[string]string
    A map of tags to add.
    clusterServiceAccounts Map<String,List<String>>
    EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
    forceDetachPolicies Boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration Integer
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    providerUrlSaPairs Map<String,List<String>>
    OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
    role Role
    rolePolicyArns List<String>
    ARNs of any policies to attach to the IAM role.
    tags Map<String,String>
    A map of tags to add.
    clusterServiceAccounts {[key: string]: string[]}
    EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
    forceDetachPolicies boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration number
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    providerUrlSaPairs {[key: string]: string[]}
    OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
    role Role
    rolePolicyArns string[]
    ARNs of any policies to attach to the IAM role.
    tags {[key: string]: string}
    A map of tags to add.
    cluster_service_accounts Mapping[str, Sequence[str]]
    EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
    force_detach_policies bool
    Whether policies should be detached from this role when destroying.
    max_session_duration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    provider_url_sa_pairs Mapping[str, Sequence[str]]
    OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
    role RoleArgs
    role_policy_arns Sequence[str]
    ARNs of any policies to attach to the IAM role.
    tags Mapping[str, str]
    A map of tags to add.
    clusterServiceAccounts Map<List<String>>
    EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
    forceDetachPolicies Boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration Number
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    providerUrlSaPairs Map<List<String>>
    OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
    role Property Map
    rolePolicyArns List<String>
    ARNs of any policies to attach to the IAM role.
    tags Map<String>
    A map of tags to add.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the EKSRole resource produces the following output properties:

    Arn string
    ARN of IAM role.
    Name string
    Name of IAM role.
    Path string
    Path of IAM role.
    UniqueId string
    Unique ID of IAM role.
    Arn string
    ARN of IAM role.
    Name string
    Name of IAM role.
    Path string
    Path of IAM role.
    UniqueId string
    Unique ID of IAM role.
    arn String
    ARN of IAM role.
    name String
    Name of IAM role.
    path String
    Path of IAM role.
    uniqueId String
    Unique ID of IAM role.
    arn string
    ARN of IAM role.
    name string
    Name of IAM role.
    path string
    Path of IAM role.
    uniqueId string
    Unique ID of IAM role.
    arn str
    ARN of IAM role.
    name str
    Name of IAM role.
    path str
    Path of IAM role.
    unique_id str
    Unique ID of IAM role.
    arn String
    ARN of IAM role.
    name String
    Name of IAM role.
    path String
    Path of IAM role.
    uniqueId String
    Unique ID of IAM role.

    Supporting Types

    Role, RoleArgs

    Name string
    IAM role name.
    NamePrefix string
    IAM role name prefix.
    Path string
    Path of admin IAM role.
    PermissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    PolicyArns List<string>
    List of policy ARNs to use for the role.
    Name string
    IAM role name.
    NamePrefix string
    IAM role name prefix.
    Path string
    Path of admin IAM role.
    PermissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    PolicyArns []string
    List of policy ARNs to use for the role.
    name String
    IAM role name.
    namePrefix String
    IAM role name prefix.
    path String
    Path of admin IAM role.
    permissionsBoundaryArn String
    Permissions boundary ARN to use for the role.
    policyArns List<String>
    List of policy ARNs to use for the role.
    name string
    IAM role name.
    namePrefix string
    IAM role name prefix.
    path string
    Path of admin IAM role.
    permissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    policyArns string[]
    List of policy ARNs to use for the role.
    name str
    IAM role name.
    name_prefix str
    IAM role name prefix.
    path str
    Path of admin IAM role.
    permissions_boundary_arn str
    Permissions boundary ARN to use for the role.
    policy_arns Sequence[str]
    List of policy ARNs to use for the role.
    name String
    IAM role name.
    namePrefix String
    IAM role name prefix.
    path String
    Path of admin IAM role.
    permissionsBoundaryArn String
    Permissions boundary ARN to use for the role.
    policyArns List<String>
    List of policy ARNs to use for the role.

    Package Details

    Repository
    aws-iam
    License
    aws-iam logo
    AWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi