Docs
PackagesAWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi
aws-iam.EKSRole
Explore with Pulumi AI
This resource helps you create an IAM role that can be assumed by one or more EKS ServiceAccounts, in one or more EKS Clusters. With this resource:
- You do not need any knowledge of cluster OIDC information.
- You can assume the role from multiple EKS clusters, for example used in DR or when a workload is spread across clusters.
- You can support multiple ServiceAccount in the same cluster, for example when a workload runs in multiple namespaces.
Notes:
- The EKS cluster needs to exist first, in the current AWS account and region
- The key in the
Cluster Service Accountsis the exact name of the EKS cluster.
Example Usage
With this resource you can provision an IAM Role named
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
using System.Collections.Immutable;
class MyStack : Stack
{
public MyStack()
{
var eksRole = new EKSRole("eks-role", new EKSRoleArgs
{
Role = new RoleArgs
{
Name = "eks-role",
PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
},
Tags = new InputMap<string>
{
{"Name", "eks-role"},
},
Uncomment the below and replace actual cluster values.
ClusterServiceAccounts = {
{"staging-main-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})},
{"staging-backup-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})}
},
});
this.EksRole = Output.Create<EKSRole>(eksRole);
}
[Output]
public Output<EKSRole> EksRole { get; set; }
}
package main
import (
iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
eksRole, err := iam.NewEKSRole(ctx, "eks-role", &iam.EKSRoleArgs{
Role: iam.RoleArgs{
Name: pulumi.String("eks-role"),
PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
},
Tags: pulumi.ToStringMap(map[string]string{
"Role": "eks-role",
}),
Uncomment the below and replace actual cluster values.
ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{
"staging-main-1": {"default:my-app-staging"},
"staging-backup-1": {"default:my-app-staging"},
}),
})
if err != nil {
return err
}
ctx.Export("eksRole", eksRole)
return nil
})
}
Coming soon!
import pulumi
import pulumi_aws_iam as iam
eks_role = iam.EKSRole(
'eks_role',
role=iam.RoleArgs(
name='eks-role',
policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],
),
tags={
'Name': 'eks-role',
},
cluster_service_acccounts={
'staging-main-1': [ 'default:my-app-staging' ],
'staging-backup-1': [ 'default:my-app-staging' ],
},
)
import * as iam from "@pulumi/aws-iam";
export const eksRole = new iam.EKSRole("aws-iam-example-eks-role", {
role: {
name: "eks-role",
policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ],
},
tags: {
Name: "eks-role",
},
clusterServiceAccounts: {
"staging-main-1": [ "default:my-app-staging" ],
"staging-backup-1": [ "default:my-app-staging" ],
},
});
name: awsiam-yaml
runtime: yaml
resources:
eksRole:
type: "aws-iam:index:EKSRole"
properties:
role:
name: "eks-role"
policyArns:
- "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
tags:
Name: "eks-role"
clusterServiceAccounts:
"staging-main-1":
- "default:my-app-staging"
"staging-backup-1":
- "default:my-app-staging"
outputs:
eksRole: ${eksRole}
Create EKSRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new EKSRole(name: string, args?: EKSRoleArgs, opts?: CustomResourceOptions);@overload
def EKSRole(resource_name: str,
args: Optional[EKSRoleArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def EKSRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
cluster_service_accounts: Optional[Mapping[str, Sequence[str]]] = None,
force_detach_policies: Optional[bool] = None,
max_session_duration: Optional[int] = None,
provider_url_sa_pairs: Optional[Mapping[str, Sequence[str]]] = None,
role: Optional[RoleArgs] = None,
role_policy_arns: Optional[Sequence[str]] = None,
tags: Optional[Mapping[str, str]] = None)func NewEKSRole(ctx *Context, name string, args *EKSRoleArgs, opts ...ResourceOption) (*EKSRole, error)public EKSRole(string name, EKSRoleArgs? args = null, CustomResourceOptions? opts = null)
public EKSRole(String name, EKSRoleArgs args)
public EKSRole(String name, EKSRoleArgs args, CustomResourceOptions options)
type: aws-iam:EKSRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var eksroleResource = new AwsIam.EKSRole("eksroleResource", new()
{
ClusterServiceAccounts =
{
{ "string", new[]
{
"string",
} },
},
ForceDetachPolicies = false,
MaxSessionDuration = 0,
ProviderUrlSaPairs =
{
{ "string", new[]
{
"string",
} },
},
Role = new AwsIam.Inputs.RoleArgs
{
Name = "string",
NamePrefix = "string",
Path = "string",
PermissionsBoundaryArn = "string",
PolicyArns = new[]
{
"string",
},
},
RolePolicyArns = new[]
{
"string",
},
Tags =
{
{ "string", "string" },
},
});
example, err := awsiam.NewEKSRole(ctx, "eksroleResource", &awsiam.EKSRoleArgs{
ClusterServiceAccounts: pulumi.StringArrayMap{
"string": pulumi.StringArray{
pulumi.String("string"),
},
},
ForceDetachPolicies: pulumi.Bool(false),
MaxSessionDuration: pulumi.Int(0),
ProviderUrlSaPairs: pulumi.StringArrayMap{
"string": pulumi.StringArray{
pulumi.String("string"),
},
},
Role: &awsiam.RoleArgs{
Name: pulumi.String("string"),
NamePrefix: pulumi.String("string"),
Path: pulumi.String("string"),
PermissionsBoundaryArn: pulumi.String("string"),
PolicyArns: pulumi.StringArray{
pulumi.String("string"),
},
},
RolePolicyArns: pulumi.StringArray{
pulumi.String("string"),
},
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var eksroleResource = new EKSRole("eksroleResource", EKSRoleArgs.builder()
.clusterServiceAccounts(Map.of("string", "string"))
.forceDetachPolicies(false)
.maxSessionDuration(0)
.providerUrlSaPairs(Map.of("string", "string"))
.role(RoleArgs.builder()
.name("string")
.namePrefix("string")
.path("string")
.permissionsBoundaryArn("string")
.policyArns("string")
.build())
.rolePolicyArns("string")
.tags(Map.of("string", "string"))
.build());
eksrole_resource = aws_iam.EKSRole("eksroleResource",
cluster_service_accounts={
"string": ["string"],
},
force_detach_policies=False,
max_session_duration=0,
provider_url_sa_pairs={
"string": ["string"],
},
role=aws_iam.RoleArgs(
name="string",
name_prefix="string",
path="string",
permissions_boundary_arn="string",
policy_arns=["string"],
),
role_policy_arns=["string"],
tags={
"string": "string",
})
const eksroleResource = new aws_iam.EKSRole("eksroleResource", {
clusterServiceAccounts: {
string: ["string"],
},
forceDetachPolicies: false,
maxSessionDuration: 0,
providerUrlSaPairs: {
string: ["string"],
},
role: {
name: "string",
namePrefix: "string",
path: "string",
permissionsBoundaryArn: "string",
policyArns: ["string"],
},
rolePolicyArns: ["string"],
tags: {
string: "string",
},
});
type: aws-iam:EKSRole
properties:
clusterServiceAccounts:
string:
- string
forceDetachPolicies: false
maxSessionDuration: 0
providerUrlSaPairs:
string:
- string
role:
name: string
namePrefix: string
path: string
permissionsBoundaryArn: string
policyArns:
- string
rolePolicyArns:
- string
tags:
string: string
EKSRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The EKSRole resource accepts the following input properties:
- Cluster
Service Dictionary<string, ImmutableAccounts Array<string>> - EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
- Force
Detach boolPolicies - Whether policies should be detached from this role when destroying.
- Max
Session intDuration - Maximum CLI/API session duration in seconds between 3600 and 43200.
- Provider
Url Dictionary<string, ImmutableSa Pairs Array<string>> - OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
- Role
Pulumi.
Aws Iam. Inputs. Role - Role
Policy List<string>Arns - ARNs of any policies to attach to the IAM role.
- Dictionary<string, string>
- A map of tags to add.
- Cluster
Service map[string][]stringAccounts - EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
- Force
Detach boolPolicies - Whether policies should be detached from this role when destroying.
- Max
Session intDuration - Maximum CLI/API session duration in seconds between 3600 and 43200.
- Provider
Url map[string][]stringSa Pairs - OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
- Role
Role
Args - Role
Policy []stringArns - ARNs of any policies to attach to the IAM role.
- map[string]string
- A map of tags to add.
- cluster
Service Map<String,List<String>>Accounts - EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
- force
Detach BooleanPolicies - Whether policies should be detached from this role when destroying.
- max
Session IntegerDuration - Maximum CLI/API session duration in seconds between 3600 and 43200.
- provider
Url Map<String,List<String>>Sa Pairs - OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
- role Role
- role
Policy List<String>Arns - ARNs of any policies to attach to the IAM role.
- Map<String,String>
- A map of tags to add.
- cluster
Service {[key: string]: string[]}Accounts - EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
- force
Detach booleanPolicies - Whether policies should be detached from this role when destroying.
- max
Session numberDuration - Maximum CLI/API session duration in seconds between 3600 and 43200.
- provider
Url {[key: string]: string[]}Sa Pairs - OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
- role Role
- role
Policy string[]Arns - ARNs of any policies to attach to the IAM role.
- {[key: string]: string}
- A map of tags to add.
- cluster_
service_ Mapping[str, Sequence[str]]accounts - EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
- force_
detach_ boolpolicies - Whether policies should be detached from this role when destroying.
- max_
session_ intduration - Maximum CLI/API session duration in seconds between 3600 and 43200.
- provider_
url_ Mapping[str, Sequence[str]]sa_ pairs - OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
- role
Role
Args - role_
policy_ Sequence[str]arns - ARNs of any policies to attach to the IAM role.
- Mapping[str, str]
- A map of tags to add.
- cluster
Service Map<List<String>>Accounts - EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details
- force
Detach BooleanPolicies - Whether policies should be detached from this role when destroying.
- max
Session NumberDuration - Maximum CLI/API session duration in seconds between 3600 and 43200.
- provider
Url Map<List<String>>Sa Pairs - OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used
- role Property Map
- role
Policy List<String>Arns - ARNs of any policies to attach to the IAM role.
- Map<String>
- A map of tags to add.
Outputs
All input properties are implicitly available as output properties. Additionally, the EKSRole resource produces the following output properties:
Supporting Types
Role, RoleArgs
- Name string
- IAM role name.
- Name
Prefix string - IAM role name prefix.
- Path string
- Path of admin IAM role.
- Permissions
Boundary stringArn - Permissions boundary ARN to use for the role.
- Policy
Arns List<string> - List of policy ARNs to use for the role.
- Name string
- IAM role name.
- Name
Prefix string - IAM role name prefix.
- Path string
- Path of admin IAM role.
- Permissions
Boundary stringArn - Permissions boundary ARN to use for the role.
- Policy
Arns []string - List of policy ARNs to use for the role.
- name String
- IAM role name.
- name
Prefix String - IAM role name prefix.
- path String
- Path of admin IAM role.
- permissions
Boundary StringArn - Permissions boundary ARN to use for the role.
- policy
Arns List<String> - List of policy ARNs to use for the role.
- name string
- IAM role name.
- name
Prefix string - IAM role name prefix.
- path string
- Path of admin IAM role.
- permissions
Boundary stringArn - Permissions boundary ARN to use for the role.
- policy
Arns string[] - List of policy ARNs to use for the role.
- name str
- IAM role name.
- name_
prefix str - IAM role name prefix.
- path str
- Path of admin IAM role.
- permissions_
boundary_ strarn - Permissions boundary ARN to use for the role.
- policy_
arns Sequence[str] - List of policy ARNs to use for the role.
- name String
- IAM role name.
- name
Prefix String - IAM role name prefix.
- path String
- Path of admin IAM role.
- permissions
Boundary StringArn - Permissions boundary ARN to use for the role.
- policy
Arns List<String> - List of policy ARNs to use for the role.
Package Details
- Repository
- aws-iam
- License