AWS IAM

v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi

EKSRole

This resource helps you create an IAM role that can be assumed by one or more EKS ServiceAccounts, in one or more EKS Clusters. With this resource:

  • You do not need any knowledge of cluster OIDC information.
  • You can assume the role from multiple EKS clusters, for example used in DR or when a workload is spread across clusters.
  • You can support multiple ServiceAccounts in the same cluster, for example when a workload runs in multiple namespaces.

Notes:

  • The EKS cluster needs to exist first, in the current AWS account and region
  • The key in the Cluster Service Accounts is the exact name of the EKS cluster.

Example Usage

With this resource you can provision an IAM Role named `eks-role` that only the listed EKS ServiceAccounts can assume, as in the examples below:

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
using System.Collections.Immutable;

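class MyStack : Stack
{
    // Provisions an IAM role that only the listed EKS ServiceAccounts may assume
    // and exposes it as a stack output.
    public MyStack()
    {
        var eksRole = new EKSRole("eks-role", new EKSRoleArgs
        {
            Role = new RoleArgs
            {
                Name = "eks-role",
                // Managed policies attached to the role; keep this list to what
                // the workload actually needs.
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
            },
            Tags = new InputMap<string>
            {
                {"Name", "eks-role"},
            },
            // Replace the cluster names and values such as "default:my-app-staging"
            // below with your own. Keys must be the exact names of EKS clusters
            // that already exist in the current account and region.
            // (The original snippet had this note as a bare line of text, which
            // does not compile.)
            ClusterServiceAccounts = {
                {"staging-main-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})},
                {"staging-backup-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})}
            },
        });

        this.EksRole = Output.Create<EKSRole>(eksRole);
    }

    [Output]
    public Output<EKSRole> EksRole { get; set; }
}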
package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

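func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Provision an IAM role that only the listed EKS ServiceAccounts may
        // assume, then export it as a stack output.
        eksRole, err := iam.NewEKSRole(ctx, "eks-role", &iam.EKSRoleArgs{
            Role: iam.RoleArgs{
                Name: pulumi.String("eks-role"),
                // Managed policies attached to the role; keep this list to what
                // the workload actually needs.
                PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
            },
            Tags: pulumi.ToStringMap(map[string]string{
                "Role": "eks-role",
            }),
            // Replace the cluster names and values such as "default:my-app-staging"
            // below with your own. Keys must be the exact names of EKS clusters
            // that already exist in the current account and region.
            // (The original snippet had this note as a bare line of text, which
            // does not compile.)
            ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{
                "staging-main-1":   {"default:my-app-staging"},
                "staging-backup-1": {"default:my-app-staging"},
            }),
        })
        if err != nil {
            return err
        }

        ctx.Export("eksRole", eksRole)

        return nil
    })
}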

Coming soon!

import pulumi
import pulumi_aws_iam as iam

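# Provision an IAM role that only the listed EKS ServiceAccounts may assume.
eks_role = iam.EKSRole(
    'eks_role',
    role=iam.RoleArgs(
        name='eks-role',
        # Managed policies attached to the role; keep this list to what the
        # workload actually needs.
        policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],
    ),
    tags={
        'Name': 'eks-role',
    },
    # Keyword fixed: the constructor parameter is `cluster_service_accounts`
    # (see the resource signature); the misspelt `cluster_service_acccounts`
    # would be rejected as an unexpected keyword argument.
    # Keys must be the exact names of EKS clusters that already exist in the
    # current account and region; replace the sample values (for example
    # 'default:my-app-staging') with your own.
    cluster_service_accounts={
        'staging-main-1': ['default:my-app-staging'],
        'staging-backup-1': ['default:my-app-staging'],
    },
)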
import * as iam from "@pulumi/aws-iam";

// Cluster name -> ServiceAccounts allowed to assume the role. Keys must be the
// exact names of EKS clusters that already exist in the current account and
// region; replace these sample values with your own.
const clusterServiceAccounts: { [cluster: string]: string[] } = {
    "staging-main-1": ["default:my-app-staging"],
    "staging-backup-1": ["default:my-app-staging"],
};

// Managed policies attached to the role; keep this list to what the workload
// actually needs.
const policyArns = ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"];

// Provision an IAM role that only the ServiceAccounts above may assume.
export const eksRole = new iam.EKSRole("aws-iam-example-eks-role", {
    role: {
        name: "eks-role",
        policyArns,
    },
    tags: { Name: "eks-role" },
    clusterServiceAccounts,
});
name: awsiam-yaml
runtime: yaml
resources:
    # IAM role that only the listed EKS ServiceAccounts may assume.
    eksRole:
        type: "aws-iam:index:EKSRole"
        properties:
            role:
                name: "eks-role"
                # Managed policies attached to the role; keep this list to what
                # the workload actually needs.
                policyArns:
                    - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
            tags:
                Name: "eks-role"
            # Cluster name -> ServiceAccounts allowed to assume the role. Keys
            # must be the exact names of EKS clusters that already exist in the
            # current account and region; replace these sample values with
            # your own.
            clusterServiceAccounts:
                "staging-main-1":
                    - "default:my-app-staging"
                "staging-backup-1":
                    - "default:my-app-staging"
outputs:
    eksRole: ${eksRole}

Create EKSRole Resource

new EKSRole(name: string, args?: EKSRoleArgs, opts?: CustomResourceOptions);
@overload
def EKSRole(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            cluster_service_accounts: Optional[Mapping[str, Sequence[str]]] = None,
            force_detach_policies: Optional[bool] = None,
            max_session_duration: Optional[int] = None,
            provider_url_sa_pairs: Optional[Mapping[str, Sequence[str]]] = None,
            role: Optional[RoleArgs] = None,
            role_policy_arns: Optional[Sequence[str]] = None,
            tags: Optional[Mapping[str, str]] = None)
@overload
def EKSRole(resource_name: str,
            args: Optional[EKSRoleArgs] = None,
            opts: Optional[ResourceOptions] = None)
func NewEKSRole(ctx *Context, name string, args *EKSRoleArgs, opts ...ResourceOption) (*EKSRole, error)
public EKSRole(string name, EKSRoleArgs? args = null, CustomResourceOptions? opts = null)
public EKSRole(String name, EKSRoleArgs args)
public EKSRole(String name, EKSRoleArgs args, CustomResourceOptions options)
type: aws-iam:EKSRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args EKSRoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args EKSRoleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args EKSRoleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args EKSRoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args EKSRoleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

EKSRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The EKSRole resource accepts the following input properties:

ClusterServiceAccounts Dictionary<string, ImmutableArray<string>>

EKS cluster and k8s ServiceAccount pairs: each key is the exact name of an EKS cluster and each value lists the ServiceAccounts (for example `default:my-app-staging`, as in the Example Usage above) that may assume the role. Each EKS cluster can have multiple k8s ServiceAccounts. See the README for details.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

ProviderUrlSaPairs Dictionary<string, ImmutableArray<string>>

OIDC provider URL and k8s ServiceAccount pairs. Use this when the assume-role policy must trust a mix of EKS clusters and other OIDC providers.

Role Pulumi.AwsIam.Inputs.RoleArgs
RolePolicyArns List<string>

ARNs of any policies to attach to the IAM role.

Tags Dictionary<string, string>

A map of tags to add.

ClusterServiceAccounts map[string][]string

EKS cluster and k8s ServiceAccount pairs: each key is the exact name of an EKS cluster and each value lists the ServiceAccounts (for example `default:my-app-staging`, as in the Example Usage above) that may assume the role. Each EKS cluster can have multiple k8s ServiceAccounts. See the README for details.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

ProviderUrlSaPairs map[string][]string

OIDC provider URL and k8s ServiceAccount pairs. Use this when the assume-role policy must trust a mix of EKS clusters and other OIDC providers.

Role RoleArgs
RolePolicyArns []string

ARNs of any policies to attach to the IAM role.

Tags map[string]string

A map of tags to add.

clusterServiceAccounts Map<String,List<String>>

EKS cluster and k8s ServiceAccount pairs: each key is the exact name of an EKS cluster and each value lists the ServiceAccounts (for example `default:my-app-staging`, as in the Example Usage above) that may assume the role. Each EKS cluster can have multiple k8s ServiceAccounts. See the README for details.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Integer

Maximum CLI/API session duration in seconds between 3600 and 43200.

providerUrlSaPairs Map<String,List<String>>

OIDC provider URL and k8s ServiceAccount pairs. Use this when the assume-role policy must trust a mix of EKS clusters and other OIDC providers.

role RoleArgs
rolePolicyArns List<String>

ARNs of any policies to attach to the IAM role.

tags Map<String,String>

A map of tags to add.

clusterServiceAccounts {[key: string]: string[]}

EKS cluster and k8s ServiceAccount pairs: each key is the exact name of an EKS cluster and each value lists the ServiceAccounts (for example `default:my-app-staging`, as in the Example Usage above) that may assume the role. Each EKS cluster can have multiple k8s ServiceAccounts. See the README for details.

forceDetachPolicies boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration number

Maximum CLI/API session duration in seconds between 3600 and 43200.

providerUrlSaPairs {[key: string]: string[]}

OIDC provider URL and k8s ServiceAccount pairs. Use this when the assume-role policy must trust a mix of EKS clusters and other OIDC providers.

role RoleArgs
rolePolicyArns string[]

ARNs of any policies to attach to the IAM role.

tags {[key: string]: string}

A map of tags to add.

cluster_service_accounts Mapping[str, Sequence[str]]

EKS cluster and k8s ServiceAccount pairs: each key is the exact name of an EKS cluster and each value lists the ServiceAccounts (for example `default:my-app-staging`, as in the Example Usage above) that may assume the role. Each EKS cluster can have multiple k8s ServiceAccounts. See the README for details.

force_detach_policies bool

Whether policies should be detached from this role when destroying.

max_session_duration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

provider_url_sa_pairs Mapping[str, Sequence[str]]

OIDC provider URL and k8s ServiceAccount pairs. Use this when the assume-role policy must trust a mix of EKS clusters and other OIDC providers.

role RoleArgs
role_policy_arns Sequence[str]

ARNs of any policies to attach to the IAM role.

tags Mapping[str, str]

A map of tags to add.

clusterServiceAccounts Map<List<String>>

EKS cluster and k8s ServiceAccount pairs: each key is the exact name of an EKS cluster and each value lists the ServiceAccounts (for example `default:my-app-staging`, as in the Example Usage above) that may assume the role. Each EKS cluster can have multiple k8s ServiceAccounts. See the README for details.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Number

Maximum CLI/API session duration in seconds between 3600 and 43200.

providerUrlSaPairs Map<List<String>>

OIDC provider URL and k8s ServiceAccount pairs. Use this when the assume-role policy must trust a mix of EKS clusters and other OIDC providers.

role Property Map
rolePolicyArns List<String>

ARNs of any policies to attach to the IAM role.

tags Map<String>

A map of tags to add.

Outputs

All input properties are implicitly available as output properties. Additionally, the EKSRole resource produces the following output properties:

Arn string

ARN of IAM role.

Id string

The provider-assigned unique ID for this managed resource.

Name string

Name of IAM role.

Path string

Path of IAM role.

UniqueId string

Unique ID of IAM role.

Arn string

ARN of IAM role.

Id string

The provider-assigned unique ID for this managed resource.

Name string

Name of IAM role.

Path string

Path of IAM role.

UniqueId string

Unique ID of IAM role.

arn String

ARN of IAM role.

id String

The provider-assigned unique ID for this managed resource.

name String

Name of IAM role.

path String

Path of IAM role.

uniqueId String

Unique ID of IAM role.

arn string

ARN of IAM role.

id string

The provider-assigned unique ID for this managed resource.

name string

Name of IAM role.

path string

Path of IAM role.

uniqueId string

Unique ID of IAM role.

arn str

ARN of IAM role.

id str

The provider-assigned unique ID for this managed resource.

name str

Name of IAM role.

path str

Path of IAM role.

unique_id str

Unique ID of IAM role.

arn String

ARN of IAM role.

id String

The provider-assigned unique ID for this managed resource.

name String

Name of IAM role.

path String

Path of IAM role.

uniqueId String

Unique ID of IAM role.

Supporting Types

Role

Name string

IAM role name.

NamePrefix string

IAM role name prefix.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns List<string>

List of policy ARNs to use for the role.

Name string

IAM role name.

NamePrefix string

IAM role name prefix.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns []string

List of policy ARNs to use for the role.

name String

IAM role name.

namePrefix String

IAM role name prefix.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.

name string

IAM role name.

namePrefix string

IAM role name prefix.

path string

Path of admin IAM role.

permissionsBoundaryArn string

Permissions boundary ARN to use for the role.

policyArns string[]

List of policy ARNs to use for the role.

name str

IAM role name.

name_prefix str

IAM role name prefix.

path str

Path of admin IAM role.

permissions_boundary_arn str

Permissions boundary ARN to use for the role.

policy_arns Sequence[str]

List of policy ARNs to use for the role.

name String

IAM role name.

namePrefix String

IAM role name prefix.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.

Package Details

Repository
License