aws-iam.EKSRole
This resource helps you create an IAM role that can be assumed by one or more EKS ServiceAccounts, in one or more EKS Clusters. With this resource:
- You do not need any knowledge of cluster OIDC information.
- You can assume the role from multiple EKS clusters, for example used in DR or when a workload is spread across clusters.
- You can support multiple ServiceAccounts in the same cluster, for example when a workload runs in multiple namespaces.
Notes:
- The EKS cluster needs to exist first, in the current AWS account and region
- The key in the Cluster Service Accounts map is the exact name of the EKS cluster.
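What the resource builds for you from the inputs above is an IAM assume-role (trust) policy: one `sts:AssumeRoleWithWebIdentity` statement per cluster OIDC provider, with a `StringEquals` condition on the provider's `:sub` claim that pins the role to the listed `namespace:name` ServiceAccounts. The Python below is an added illustration of that construction, not code from the Pulumi aws-iam package; it hard-codes made-up cluster names, OIDC issuer URLs and an account id as constructed sample data, and the exact shape of the policy the real resource emits (for example whether it adds an `:aud` condition) is an assumption. It goes slightly beyond the page's example by also accepting the `ProviderUrlSaPairs`-style input (issuer URL → ServiceAccounts) for non-EKS OIDC providers, and it includes a small audit helper that flags trust statements not pinned to specific ServiceAccounts, which is the least-privilege property this resource exists to give you.

```python
import json
from typing import Dict, List, Mapping, Optional, Sequence

# Constructed sample data: EKS cluster name -> OIDC issuer URL. The EKSRole
# resource resolves these from the existing clusters for you; the values here
# are made-up placeholders so the example runs offline.
CLUSTER_OIDC_ISSUERS: Dict[str, str] = {
    "staging-main-1": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1111111111111111111111111",
    "staging-backup-1": "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE2222222222222222222222222",
}


def issuer_host_path(issuer_url: str) -> str:
    """Strip the scheme: IAM names OIDC providers and condition keys by host/path."""
    return issuer_url[len("https://"):] if issuer_url.startswith("https://") else issuer_url


def oidc_provider_arn(account_id: str, issuer_url: str) -> str:
    """ARN of the IAM OIDC identity provider registered for this issuer."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host_path(issuer_url)}"


def build_trust_policy(
    account_id: str,
    cluster_service_accounts: Mapping[str, Sequence[str]],
    cluster_issuers: Mapping[str, str],
    provider_url_sa_pairs: Optional[Mapping[str, Sequence[str]]] = None,
) -> dict:
    """Assume-role policy with one statement per OIDC provider, scoped to the listed SAs.

    cluster_service_accounts keys are exact EKS cluster names, resolved to an
    issuer via cluster_issuers (an unknown cluster is an error, matching the
    note that the cluster must already exist). provider_url_sa_pairs keys are
    issuer URLs used as-is, for non-EKS providers. Values are "namespace:name".
    """
    providers: Dict[str, List[str]] = {}
    for cluster, sas in cluster_service_accounts.items():
        if cluster not in cluster_issuers:
            raise KeyError(f"EKS cluster {cluster!r} does not exist in this account/region")
        providers.setdefault(cluster_issuers[cluster], []).extend(sas)
    for url, sas in (provider_url_sa_pairs or {}).items():
        providers.setdefault(url, []).extend(sas)

    statements = []
    for issuer, sas in providers.items():
        host = issuer_host_path(issuer)
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn(account_id, issuer)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    # Only tokens issued to exactly these ServiceAccounts may assume the role.
                    f"{host}:sub": [f"system:serviceaccount:{sa}" for sa in sas],
                    # Assumed here: the token must be minted for STS, not some other audience.
                    f"{host}:aud": "sts.amazonaws.com",
                }
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_trust_policy(policy: dict) -> List[str]:
    """Flag web-identity statements that are not pinned to specific ServiceAccounts."""
    findings: List[str] = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        subjects: List[str] = []
        for _op, keys in st.get("Condition", {}).items():
            for key, value in keys.items():
                if key.endswith(":sub"):
                    subjects.extend(value if isinstance(value, list) else [value])
        if not subjects:
            findings.append(f"statement {i}: no :sub condition, any pod behind this provider can assume the role")
        for s in subjects:
            if "*" in s:
                findings.append(f"statement {i}: wildcard subject {s!r}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(
        "123456789012",  # constructed account id
        {"staging-main-1": ["default:my-app-staging"], "staging-backup-1": ["default:my-app-staging"]},
        CLUSTER_OIDC_ISSUERS,
    )
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
```

Running the module prints a two-statement trust policy, one per cluster, each federated to that cluster's OIDC provider and limited to `system:serviceaccount:default:my-app-staging`; `audit_trust_policy` returns an empty list for it and a finding for any statement that drops the `:sub` condition or uses a wildcard subject.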
Example Usage
With this resource you can provision an IAM Role named
```csharp
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
using System.Collections.Immutable;

class MyStack : Stack
{
    public MyStack()
    {
        var eksRole = new EKSRole("eks-role", new EKSRoleArgs
        {
            Role = new RoleArgs
            {
                Name = "eks-role",
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
            },
            Tags = new InputMap<string>
            {
                {"Name", "eks-role"},
            },
            // Replace the cluster names and service accounts below with your actual values.
            ClusterServiceAccounts = {
                {"staging-main-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})},
                {"staging-backup-1", ImmutableArray.Create<string>(new string[] {"default:my-app-staging"})}
            },
        });

        this.EksRole = Output.Create<EKSRole>(eksRole);
    }

    [Output]
    public Output<EKSRole> EksRole { get; set; }
}
```
```go
package main

import (
	iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		eksRole, err := iam.NewEKSRole(ctx, "eks-role", &iam.EKSRoleArgs{
			Role: iam.RoleArgs{
				Name:       pulumi.String("eks-role"),
				PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
			},
			Tags: pulumi.ToStringMap(map[string]string{
				"Role": "eks-role",
			}),
			// Replace the cluster names and service accounts below with your actual values.
			ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{
				"staging-main-1":   {"default:my-app-staging"},
				"staging-backup-1": {"default:my-app-staging"},
			}),
		})
		if err != nil {
			return err
		}

		ctx.Export("eksRole", eksRole)

		return nil
	})
}
```
Java example: Coming soon!
```python
import pulumi
import pulumi_aws_iam as iam

eks_role = iam.EKSRole(
    'eks_role',
    role=iam.RoleArgs(
        name='eks-role',
        policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],
    ),
    tags={
        'Name': 'eks-role',
    },
    # Replace the cluster names and service accounts below with your actual values.
    cluster_service_accounts={
        'staging-main-1': [ 'default:my-app-staging' ],
        'staging-backup-1': [ 'default:my-app-staging' ],
    },
)
```
```typescript
import * as iam from "@pulumi/aws-iam";

export const eksRole = new iam.EKSRole("aws-iam-example-eks-role", {
    role: {
        name: "eks-role",
        policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ],
    },
    tags: {
        Name: "eks-role",
    },
    clusterServiceAccounts: {
        "staging-main-1": [ "default:my-app-staging" ],
        "staging-backup-1": [ "default:my-app-staging" ],
    },
});
```
```yaml
name: awsiam-yaml
runtime: yaml
resources:
  eksRole:
    type: "aws-iam:index:EKSRole"
    properties:
      role:
        name: "eks-role"
        policyArns:
          - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
      tags:
        Name: "eks-role"
      clusterServiceAccounts:
        "staging-main-1":
          - "default:my-app-staging"
        "staging-backup-1":
          - "default:my-app-staging"
outputs:
  eksRole: ${eksRole}
```
Create EKSRole Resource
new EKSRole(name: string, args?: EKSRoleArgs, opts?: CustomResourceOptions);
@overload
def EKSRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
cluster_service_accounts: Optional[Mapping[str, Sequence[str]]] = None,
force_detach_policies: Optional[bool] = None,
max_session_duration: Optional[int] = None,
provider_url_sa_pairs: Optional[Mapping[str, Sequence[str]]] = None,
role: Optional[RoleArgs] = None,
role_policy_arns: Optional[Sequence[str]] = None,
tags: Optional[Mapping[str, str]] = None)
@overload
def EKSRole(resource_name: str,
args: Optional[EKSRoleArgs] = None,
opts: Optional[ResourceOptions] = None)
func NewEKSRole(ctx *Context, name string, args *EKSRoleArgs, opts ...ResourceOption) (*EKSRole, error)
public EKSRole(string name, EKSRoleArgs? args = null, CustomResourceOptions? opts = null)
public EKSRole(String name, EKSRoleArgs args)
public EKSRole(String name, EKSRoleArgs args, CustomResourceOptions options)
type: aws-iam:EKSRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args EKSRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
EKSRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The EKSRole resource accepts the following input properties:
C#:
- ClusterServiceAccounts Dictionary<string, ImmutableArray<string>>
EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details.
- ForceDetachPolicies bool
Whether policies should be detached from this role when destroying.
- MaxSessionDuration int
Maximum CLI/API session duration in seconds between 3600 and 43200.
- ProviderUrlSaPairs Dictionary<string, ImmutableArray<string>>
OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used.
- Role Pulumi.AwsIam.Inputs.RoleArgs
- RolePolicyArns List<string>
ARNs of any policies to attach to the IAM role.
- Tags Dictionary<string, string>
A map of tags to add.

Go:
- ClusterServiceAccounts map[string][]string
EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details.
- ForceDetachPolicies bool
Whether policies should be detached from this role when destroying.
- MaxSessionDuration int
Maximum CLI/API session duration in seconds between 3600 and 43200.
- ProviderUrlSaPairs map[string][]string
OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used.
- Role RoleArgs
- RolePolicyArns []string
ARNs of any policies to attach to the IAM role.
- Tags map[string]string
A map of tags to add.

Java:
- clusterServiceAccounts Map<String,List<String>>
EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details.
- forceDetachPolicies Boolean
Whether policies should be detached from this role when destroying.
- maxSessionDuration Integer
Maximum CLI/API session duration in seconds between 3600 and 43200.
- providerUrlSaPairs Map<String,List<String>>
OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used.
- role RoleArgs
- rolePolicyArns List<String>
ARNs of any policies to attach to the IAM role.
- tags Map<String,String>
A map of tags to add.

TypeScript:
- clusterServiceAccounts {[key: string]: string[]}
EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details.
- forceDetachPolicies boolean
Whether policies should be detached from this role when destroying.
- maxSessionDuration number
Maximum CLI/API session duration in seconds between 3600 and 43200.
- providerUrlSaPairs {[key: string]: string[]}
OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used.
- role RoleArgs
- rolePolicyArns string[]
ARNs of any policies to attach to the IAM role.
- tags {[key: string]: string}
A map of tags to add.

Python:
- cluster_service_accounts Mapping[str, Sequence[str]]
EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details.
- force_detach_policies bool
Whether policies should be detached from this role when destroying.
- max_session_duration int
Maximum CLI/API session duration in seconds between 3600 and 43200.
- provider_url_sa_pairs Mapping[str, Sequence[str]]
OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used.
- role RoleArgs
- role_policy_arns Sequence[str]
ARNs of any policies to attach to the IAM role.
- tags Mapping[str, str]
A map of tags to add.

YAML:
- clusterServiceAccounts Map<List<String>>
EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details.
- forceDetachPolicies Boolean
Whether policies should be detached from this role when destroying.
- maxSessionDuration Number
Maximum CLI/API session duration in seconds between 3600 and 43200.
- providerUrlSaPairs Map<List<String>>
OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used.
- role Property Map
- rolePolicyArns List<String>
ARNs of any policies to attach to the IAM role.
- tags Map<String>
A map of tags to add.
Outputs
All input properties are implicitly available as output properties. Additionally, the EKSRole resource produces the following output properties:
Supporting Types
Role
C#:
- Name string
IAM role name.
- NamePrefix string
IAM role name prefix.
- Path string
Path of admin IAM role.
- PermissionsBoundaryArn string
Permissions boundary ARN to use for the role.
- PolicyArns List<string>
List of policy ARNs to use for the role.

Go:
- Name string
IAM role name.
- NamePrefix string
IAM role name prefix.
- Path string
Path of admin IAM role.
- PermissionsBoundaryArn string
Permissions boundary ARN to use for the role.
- PolicyArns []string
List of policy ARNs to use for the role.

Java:
- name String
IAM role name.
- namePrefix String
IAM role name prefix.
- path String
Path of admin IAM role.
- permissionsBoundaryArn String
Permissions boundary ARN to use for the role.
- policyArns List<String>
List of policy ARNs to use for the role.

TypeScript:
- name string
IAM role name.
- namePrefix string
IAM role name prefix.
- path string
Path of admin IAM role.
- permissionsBoundaryArn string
Permissions boundary ARN to use for the role.
- policyArns string[]
List of policy ARNs to use for the role.

Python:
- name str
IAM role name.
- name_prefix str
IAM role name prefix.
- path str
Path of admin IAM role.
- permissions_boundary_arn str
Permissions boundary ARN to use for the role.
- policy_arns Sequence[str]
List of policy ARNs to use for the role.

YAML:
- name String
IAM role name.
- namePrefix String
IAM role name prefix.
- path String
Path of admin IAM role.
- permissionsBoundaryArn String
Permissions boundary ARN to use for the role.
- policyArns List<String>
List of policy ARNs to use for the role.
Package Details
- Repository
- aws-iam
- License