AWS IAM v0.0.3, Jun 1 22

aws-iam.RoleForServiceAccountsEks

Explore with Pulumi AI

This resources helps you create an IAM role which can be assumed by AWS EKS ServiceAccounts with optional policies for commonly used controllers/custom resources within EKS. The optional policies you can specify are:

Cert-Manager
Cluster Autoscaler
EBS CSI Driver
EFS CSI Driver
External DNS
External Secrets
FSx for Lustre CSI Driver
Karpenter
Load Balancer Controller
Load Balancer Controller Target Group Binding Only
App Mesh Controller
App Mesh Envoy Proxy
Managed Service for Prometheus
Node Termination Handler
Velero
VPC CNI

Example Usage

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;

class MyStack : Stack
{
    public MyStack()
    {
        var roleForServiceAccountEks = new RoleForServiceAccountsEks("role-for-service-account-eks", new RoleForServiceAccountsEksArgs
        {
            Role = new EKSServiceAccountRoleArgs
            {
                Name = "vpn-cni",
            },
            Tags = {
                {"Name", "vpc-cni-irsa"},
            },
            OidcProviders = {
                {"main", new OIDCProviderArgs
                {
                    ProviderArn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
                    NamespaceServiceAccounts = {"default:my-app", "canary:my-app"},
                }},
            },
            Policies = new EKSRolePoliciesArgs
            {
                VpnCni = new EKSVPNCNIPolicyArgs
                {
                    Attach = true,
                    EnableIpv4 = true,
                },
            },
        });

        this.RoleForServiceAccountEks = Output.Create<RoleForServiceAccountsEks>(roleForServiceAccountEks);
    }

    [Output]
    public Output<RoleForServiceAccountsEks> RoleForServiceAccountEks { get; set; }
}

package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        roleForServiceAccountsEKS, err := iam.NewRoleForServiceAccountsEks(ctx, "role-for-service-accounts-eks", &iam.RoleForServiceAccountsEksArgs{
            Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{
                Name: pulumi.String("vpc-cni"),
            }),
            Tags: pulumi.ToStringMap(map[string]string{
                "Name": "vpc-cni-irsa",
            }),
            OidcProviders: iam.OIDCProviderMap{
                "main": iam.OIDCProviderArgs{
                    ProviderArn:              pulumi.String("arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"),
                    NamespaceServiceAccounts: pulumi.ToStringArray([]string{"default:my-app", "canary:my-app"}),
                },
            },
            Policies: iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{
                VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{
                    Attach:     pulumi.Bool(true),
                    EnableIpv4: pulumi.BoolPtr(true),
                }),
            }),
        })
        if err != nil {
            return err
        }

        ctx.Export("roleForServiceAccountsEKS", roleForServiceAccountsEKS)

        return nil
    })
}

Coming soon!

import pulumi
import pulumi_aws_iam as iam

role_for_service_account_eks = iam.RoleForServiceAccountsEks(
    'role_for_service_account_eks',
    role=iam.RoleArgs(
        name='vpc-cni'
    ),
    tags={
        'Name': 'vpc-cni-irsa',
    },
    oidc_providers={
        'main': iam.OIDCProviderArgs(
            provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D',
            namespace_service_accounts=['default:my-app', 'canary:my-app'],
        ),
    },
    policies=iam.EKSRolePoliciesArgs(
        vpn_cni=iam.EKSVPNCNIPolicyArgs(
            attach=True,
            enable_ipv4=True,
        ),
    ),
)

pulumi.export('role_for_service_account_eks', role_for_service_account_eks)

import * as iam from "@pulumi/aws-iam";

export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks("aws-iam-example-role-for-service-accounts-eks", {
    role: {
        name: "vpc-cni"
    },
    tags: {
        Name: "vpc-cni-irsa",
    },
    oidcProviders: {
        main: {
            providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
            namespaceServiceAccounts: ["default:my-app", "canary:my-app"],
        }
    },
    policies: {
        vpnCni: {
            attach: true,
            enableIpv4: true,
        },
    },
});

name: awsiam-yaml
runtime: yaml
resources:
    roleForServiceAccountsEks:
        type: "aws-iam:index:RoleForServiceAccountsEks"
        properties:
            role:
                name: "vpc-cni"
            tags:
                Name: "vpc-cni-irsa"
            oidcProviders:
                main:
                    providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
                    namespaceServiceAccounts:
                        - "default:my-app"
                        - "canary:my-app"
            policies:
                vpnCni:
                    attach: true
                    enableIpv4: true
outputs:
    roleForServiceAccountsEks: ${roleForServiceAccountsEks}

Create RoleForServiceAccountsEks Resource

new RoleForServiceAccountsEks(name: string, args?: RoleForServiceAccountsEksArgs, opts?: CustomResourceOptions);

@overload
def RoleForServiceAccountsEks(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              assume_role_condition_test: Optional[str] = None,
                              force_detach_policies: Optional[bool] = None,
                              max_session_duration: Optional[int] = None,
                              oidc_providers: Optional[Mapping[str, OIDCProviderArgs]] = None,
                              policies: Optional[EKSRolePoliciesArgs] = None,
                              policy_name_prefix: Optional[str] = None,
                              role: Optional[EKSServiceAccountRoleArgs] = None,
                              tags: Optional[Mapping[str, str]] = None)
@overload
def RoleForServiceAccountsEks(resource_name: str,
                              args: Optional[RoleForServiceAccountsEksArgs] = None,
                              opts: Optional[ResourceOptions] = None)

func NewRoleForServiceAccountsEks(ctx *Context, name string, args *RoleForServiceAccountsEksArgs, opts ...ResourceOption) (*RoleForServiceAccountsEks, error)

public RoleForServiceAccountsEks(string name, RoleForServiceAccountsEksArgs? args = null, CustomResourceOptions? opts = null)

public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args)
public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args, CustomResourceOptions options)

type: aws-iam:RoleForServiceAccountsEks
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RoleForServiceAccountsEksArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args RoleForServiceAccountsEksArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args RoleForServiceAccountsEksArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RoleForServiceAccountsEksArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args RoleForServiceAccountsEksArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

RoleForServiceAccountsEks Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The RoleForServiceAccountsEks resource accepts the following input properties:

AssumeRoleConditionTest string: Name of the IAM condition operator to evaluate when assuming the role.
ForceDetachPolicies bool: Whether policies should be detached from this role when destroying.
MaxSessionDuration int: Maximum CLI/API session duration in seconds between 3600 and 43200.
OidcProviders Dictionary<string, Pulumi.AwsIam.Inputs.OIDCProviderArgs>: Map of OIDC providers.
Policies Pulumi.AwsIam.Inputs.EKSRolePoliciesArgs
PolicyNamePrefix string: IAM policy name prefix.
Role Pulumi.AwsIam.Inputs.EKSServiceAccountRoleArgs
Tags Dictionary<string, string>: A map of tags to add.

AssumeRoleConditionTest string: Name of the IAM condition operator to evaluate when assuming the role.
ForceDetachPolicies bool: Whether policies should be detached from this role when destroying.
MaxSessionDuration int: Maximum CLI/API session duration in seconds between 3600 and 43200.
OidcProviders map[string]OIDCProviderArgs: Map of OIDC providers.
Policies EKSRolePoliciesArgs
PolicyNamePrefix string: IAM policy name prefix.
Role EKSServiceAccountRoleArgs
Tags map[string]string: A map of tags to add.

assumeRoleConditionTest String: Name of the IAM condition operator to evaluate when assuming the role.
forceDetachPolicies Boolean: Whether policies should be detached from this role when destroying.
maxSessionDuration Integer: Maximum CLI/API session duration in seconds between 3600 and 43200.
oidcProviders Map<String,OIDCProviderArgs>: Map of OIDC providers.
policies EKSRolePoliciesArgs
policyNamePrefix String: IAM policy name prefix.
role EKSServiceAccountRoleArgs
tags Map<String,String>: A map of tags to add.

assumeRoleConditionTest string: Name of the IAM condition operator to evaluate when assuming the role.
forceDetachPolicies boolean: Whether policies should be detached from this role when destroying.
maxSessionDuration number: Maximum CLI/API session duration in seconds between 3600 and 43200.
oidcProviders {[key: string]: OIDCProviderArgs}: Map of OIDC providers.
policies EKSRolePoliciesArgs
policyNamePrefix string: IAM policy name prefix.
role EKSServiceAccountRoleArgs
tags {[key: string]: string}: A map of tags to add.

assume_role_condition_test str: Name of the IAM condition operator to evaluate when assuming the role.
force_detach_policies bool: Whether policies should be detached from this role when destroying.
max_session_duration int: Maximum CLI/API session duration in seconds between 3600 and 43200.
oidc_providers Mapping[str, OIDCProviderArgs]: Map of OIDC providers.
policies EKSRolePoliciesArgs
policy_name_prefix str: IAM policy name prefix.
role EKSServiceAccountRoleArgs
tags Mapping[str, str]: A map of tags to add.

assumeRoleConditionTest String: Name of the IAM condition operator to evaluate when assuming the role.
forceDetachPolicies Boolean: Whether policies should be detached from this role when destroying.
maxSessionDuration Number: Maximum CLI/API session duration in seconds between 3600 and 43200.
oidcProviders Map<Property Map>: Map of OIDC providers.
policies Property Map
policyNamePrefix String: IAM policy name prefix.
role Property Map
tags Map<String>: A map of tags to add.

Outputs

All input properties are implicitly available as output properties. Additionally, the RoleForServiceAccountsEks resource produces the following output properties:

Supporting Types

EKSAmazonManagedServicePrometheusPolicy

Attach bool: Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
WorkspaceArns List<string>: List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

Attach bool: Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
WorkspaceArns []string: List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach Boolean: Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
workspaceArns List<String>: List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach boolean: Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
workspaceArns string[]: List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach bool: Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
workspace_arns Sequence[str]: List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach Boolean: Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
workspaceArns List<String>: List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

EKSAppmeshPolicy

Controller bool: Determines whether to attach the Appmesh Controller policy to the role.
EnvoyProxy bool: Determines whether to attach the Appmesh envoy proxy policy to the role.

Controller bool: Determines whether to attach the Appmesh Controller policy to the role.
EnvoyProxy bool: Determines whether to attach the Appmesh envoy proxy policy to the role.

controller Boolean: Determines whether to attach the Appmesh Controller policy to the role.
envoyProxy Boolean: Determines whether to attach the Appmesh envoy proxy policy to the role.

controller boolean: Determines whether to attach the Appmesh Controller policy to the role.
envoyProxy boolean: Determines whether to attach the Appmesh envoy proxy policy to the role.

controller bool: Determines whether to attach the Appmesh Controller policy to the role.
envoy_proxy bool: Determines whether to attach the Appmesh envoy proxy policy to the role.

controller Boolean: Determines whether to attach the Appmesh Controller policy to the role.
envoyProxy Boolean: Determines whether to attach the Appmesh envoy proxy policy to the role.

EKSCertManagerPolicy

Attach bool: Determines whether to attach the Cert Manager IAM policy to the role.
HostedZoneArns List<string>: Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

Attach bool: Determines whether to attach the Cert Manager IAM policy to the role.
HostedZoneArns []string: Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean: Determines whether to attach the Cert Manager IAM policy to the role.
hostedZoneArns List<String>: Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach boolean: Determines whether to attach the Cert Manager IAM policy to the role.
hostedZoneArns string[]: Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach bool: Determines whether to attach the Cert Manager IAM policy to the role.
hosted_zone_arns Sequence[str]: Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean: Determines whether to attach the Cert Manager IAM policy to the role.
hostedZoneArns List<String>: Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

EKSClusterAutoscalerPolicy

Attach bool: Determines whether to attach the Cluster Autoscaler IAM policy to the role.
ClusterIds List<string>: List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

Attach bool: Determines whether to attach the Cluster Autoscaler IAM policy to the role.
ClusterIds []string: List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach Boolean: Determines whether to attach the Cluster Autoscaler IAM policy to the role.
clusterIds List<String>: List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach boolean: Determines whether to attach the Cluster Autoscaler IAM policy to the role.
clusterIds string[]: List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach bool: Determines whether to attach the Cluster Autoscaler IAM policy to the role.
cluster_ids Sequence[str]: List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach Boolean: Determines whether to attach the Cluster Autoscaler IAM policy to the role.
clusterIds List<String>: List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

EKSEBSCSIPolicy

Attach bool: Determines whether to attach the EBS CSI IAM policy to the role.
KmsCmkIds List<string>: KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

Attach bool: Determines whether to attach the EBS CSI IAM policy to the role.
KmsCmkIds []string: KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach Boolean: Determines whether to attach the EBS CSI IAM policy to the role.
kmsCmkIds List<String>: KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach boolean: Determines whether to attach the EBS CSI IAM policy to the role.
kmsCmkIds string[]: KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach bool: Determines whether to attach the EBS CSI IAM policy to the role.
kms_cmk_ids Sequence[str]: KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach Boolean: Determines whether to attach the EBS CSI IAM policy to the role.
kmsCmkIds List<String>: KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

EKSEFSCSIPolicy

Attach bool: Determines whether to attach the EFS CSI IAM policy to the role.

Attach bool: Determines whether to attach the EFS CSI IAM policy to the role.

attach Boolean: Determines whether to attach the EFS CSI IAM policy to the role.

attach boolean: Determines whether to attach the EFS CSI IAM policy to the role.

attach bool: Determines whether to attach the EFS CSI IAM policy to the role.

attach Boolean: Determines whether to attach the EFS CSI IAM policy to the role.

EKSExternalDNSPolicy

Attach bool: Determines whether to attach the External DNS IAM policy to the role.
HostedZoneArns List<string>: Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

Attach bool: Determines whether to attach the External DNS IAM policy to the role.
HostedZoneArns []string: Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean: Determines whether to attach the External DNS IAM policy to the role.
hostedZoneArns List<String>: Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach boolean: Determines whether to attach the External DNS IAM policy to the role.
hostedZoneArns string[]: Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach bool: Determines whether to attach the External DNS IAM policy to the role.
hosted_zone_arns Sequence[str]: Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean: Determines whether to attach the External DNS IAM policy to the role.
hostedZoneArns List<String>: Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

EKSExternalSecretsPolicy

Attach bool: Determines whether to attach the External Secrets policy to the role.
SecretsManagerArns List<string>: List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
SsmParameterArns List<string>: List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

Attach bool: Determines whether to attach the External Secrets policy to the role.
SecretsManagerArns []string: List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
SsmParameterArns []string: List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach Boolean: Determines whether to attach the External Secrets policy to the role.
secretsManagerArns List<String>: List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
ssmParameterArns List<String>: List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach boolean: Determines whether to attach the External Secrets policy to the role.
secretsManagerArns string[]: List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
ssmParameterArns string[]: List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach bool: Determines whether to attach the External Secrets policy to the role.
secrets_manager_arns Sequence[str]: List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
ssm_parameter_arns Sequence[str]: List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach Boolean: Determines whether to attach the External Secrets policy to the role.
secretsManagerArns List<String>: List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
ssmParameterArns List<String>: List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

EKSKarpenterControllerPolicy

Attach bool: Determines whether to attach the Karpenter Controller policy to the role.
ClusterId string: Cluster ID where the Karpenter controller is provisioned/managing.
NodeIamRoleArns List<string>: List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
SsmParameterArns List<string>: List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
SubnetAccountId string: Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
TagKey string: Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

Attach bool: Determines whether to attach the Karpenter Controller policy to the role.
ClusterId string: Cluster ID where the Karpenter controller is provisioned/managing.
NodeIamRoleArns []string: List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
SsmParameterArns []string: List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
SubnetAccountId string: Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
TagKey string: Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach Boolean: Determines whether to attach the Karpenter Controller policy to the role.
clusterId String: Cluster ID where the Karpenter controller is provisioned/managing.
nodeIamRoleArns List<String>: List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
ssmParameterArns List<String>: List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
subnetAccountId String: Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
tagKey String: Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach boolean: Determines whether to attach the Karpenter Controller policy to the role.
clusterId string: Cluster ID where the Karpenter controller is provisioned/managing.
nodeIamRoleArns string[]: List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
ssmParameterArns string[]: List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
subnetAccountId string: Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
tagKey string: Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach bool: Determines whether to attach the Karpenter Controller policy to the role.
cluster_id str: Cluster ID where the Karpenter controller is provisioned/managing.
node_iam_role_arns Sequence[str]: List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
ssm_parameter_arns Sequence[str]: List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
subnet_account_id str: Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
tag_key str: Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach Boolean: Determines whether to attach the Karpenter Controller policy to the role.
clusterId String: Cluster ID where the Karpenter controller is provisioned/managing.
nodeIamRoleArns List<String>: List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
ssmParameterArns List<String>: List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
subnetAccountId String: Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
tagKey String: Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

EKSLoadBalancerPolicy

Controller bool: Determines whether to attach the Load Balancer Controller policy to the role.
TargetGroupBindingOnly bool: Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

Controller bool: Determines whether to attach the Load Balancer Controller policy to the role.
TargetGroupBindingOnly bool: Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller Boolean: Determines whether to attach the Load Balancer Controller policy to the role.
targetGroupBindingOnly Boolean: Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller boolean: Determines whether to attach the Load Balancer Controller policy to the role.
targetGroupBindingOnly boolean: Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller bool: Determines whether to attach the Load Balancer Controller policy to the role.
target_group_binding_only bool: Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller Boolean: Determines whether to attach the Load Balancer Controller policy to the role.
targetGroupBindingOnly Boolean: Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

EKSNodeTerminationHandlerPolicy

Attach bool: Determines whether to attach the Node Termination Handler policy to the role.
SqsQueueArns List<string>: List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

Attach bool: Determines whether to attach the Node Termination Handler policy to the role.
SqsQueueArns []string: List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach Boolean: Determines whether to attach the Node Termination Handler policy to the role.
sqsQueueArns List<String>: List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach boolean: Determines whether to attach the Node Termination Handler policy to the role.
sqsQueueArns string[]: List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach bool: Determines whether to attach the Node Termination Handler policy to the role.
sqs_queue_arns Sequence[str]: List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach Boolean: Determines whether to attach the Node Termination Handler policy to the role.
sqsQueueArns List<String>: List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

EKSRolePolicies

AmazonManagedServicePrometheus Pulumi.AwsIam.Inputs.EKSAmazonManagedServicePrometheusPolicy: The Amazon Managed Service for Prometheus IAM policy.
Appmesh Pulumi.AwsIam.Inputs.EKSAppmeshPolicy: The Appmesh policies.
CertManager Pulumi.AwsIam.Inputs.EKSCertManagerPolicy: The Cert Manager IAM policy.
ClusterAutoScaling Pulumi.AwsIam.Inputs.EKSClusterAutoscalerPolicy: The Cluster Autoscaler IAM policy.
EbsCsi Pulumi.AwsIam.Inputs.EKSEBSCSIPolicy: The EBS CSI IAM policy.
EfsCsi Pulumi.AwsIam.Inputs.EKSEFSCSIPolicy: The EFS CSI IAM policy.
ExternalDns Pulumi.AwsIam.Inputs.EKSExternalDNSPolicy: The External DNS IAM policy.
ExternalSecrets Pulumi.AwsIam.Inputs.EKSExternalSecretsPolicy: The External Secrets policy.
FsxLustreCsi Pulumi.AwsIam.Inputs.FSxLustreCSIPolicy: The FSx for Lustre CSI Driver IAM policy.
KarpenterController Pulumi.AwsIam.Inputs.EKSKarpenterControllerPolicy: The Karpenter Controller policy.
LoadBalancer Pulumi.AwsIam.Inputs.EKSLoadBalancerPolicy: The Load Balancer policy.
NodeTerminationHandler Pulumi.AwsIam.Inputs.EKSNodeTerminationHandlerPolicy: The Node Termination Handler policy to the role.
Velero Pulumi.AwsIam.Inputs.EKSVeleroPolicy: The Velero IAM policy.
VpnCni Pulumi.AwsIam.Inputs.EKSVPNCNIPolicy: The VPC CNI IAM policy to the role.

AmazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy: The Amazon Managed Service for Prometheus IAM policy.
Appmesh EKSAppmeshPolicy: The Appmesh policies.
CertManager EKSCertManagerPolicy: The Cert Manager IAM policy.
ClusterAutoScaling EKSClusterAutoscalerPolicy: The Cluster Autoscaler IAM policy.
EbsCsi EKSEBSCSIPolicy: The EBS CSI IAM policy.
EfsCsi EKSEFSCSIPolicy: The EFS CSI IAM policy.
ExternalDns EKSExternalDNSPolicy: The External DNS IAM policy.
ExternalSecrets EKSExternalSecretsPolicy: The External Secrets policy.
FsxLustreCsi FSxLustreCSIPolicy: The FSx for Lustre CSI Driver IAM policy.
KarpenterController EKSKarpenterControllerPolicy: The Karpenter Controller policy.
LoadBalancer EKSLoadBalancerPolicy: The Load Balancer policy.
NodeTerminationHandler EKSNodeTerminationHandlerPolicy: The Node Termination Handler policy to the role.
Velero EKSVeleroPolicy: The Velero IAM policy.
VpnCni EKSVPNCNIPolicy: The VPC CNI IAM policy to the role.

amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy: The Amazon Managed Service for Prometheus IAM policy.
appmesh EKSAppmeshPolicy: The Appmesh policies.
certManager EKSCertManagerPolicy: The Cert Manager IAM policy.
clusterAutoScaling EKSClusterAutoscalerPolicy: The Cluster Autoscaler IAM policy.
ebsCsi EKSEBSCSIPolicy: The EBS CSI IAM policy.
efsCsi EKSEFSCSIPolicy: The EFS CSI IAM policy.
externalDns EKSExternalDNSPolicy: The External DNS IAM policy.
externalSecrets EKSExternalSecretsPolicy: The External Secrets policy.
fsxLustreCsi FSxLustreCSIPolicy: The FSx for Lustre CSI Driver IAM policy.
karpenterController EKSKarpenterControllerPolicy: The Karpenter Controller policy.
loadBalancer EKSLoadBalancerPolicy: The Load Balancer policy.
nodeTerminationHandler EKSNodeTerminationHandlerPolicy: The Node Termination Handler policy to the role.
velero EKSVeleroPolicy: The Velero IAM policy.
vpnCni EKSVPNCNIPolicy: The VPC CNI IAM policy to the role.

amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy: The Amazon Managed Service for Prometheus IAM policy.
appmesh EKSAppmeshPolicy: The Appmesh policies.
certManager EKSCertManagerPolicy: The Cert Manager IAM policy.
clusterAutoScaling EKSClusterAutoscalerPolicy: The Cluster Autoscaler IAM policy.
ebsCsi EKSEBSCSIPolicy: The EBS CSI IAM policy.
efsCsi EKSEFSCSIPolicy: The EFS CSI IAM policy.
externalDns EKSExternalDNSPolicy: The External DNS IAM policy.
externalSecrets EKSExternalSecretsPolicy: The External Secrets policy.
fsxLustreCsi FSxLustreCSIPolicy: The FSx for Lustre CSI Driver IAM policy.
karpenterController EKSKarpenterControllerPolicy: The Karpenter Controller policy.
loadBalancer EKSLoadBalancerPolicy: The Load Balancer policy.
nodeTerminationHandler EKSNodeTerminationHandlerPolicy: The Node Termination Handler policy to the role.
velero EKSVeleroPolicy: The Velero IAM policy.
vpnCni EKSVPNCNIPolicy: The VPC CNI IAM policy to the role.

amazon_managed_service_prometheus EKSAmazonManagedServicePrometheusPolicy: The Amazon Managed Service for Prometheus IAM policy.
appmesh EKSAppmeshPolicy: The Appmesh policies.
cert_manager EKSCertManagerPolicy: The Cert Manager IAM policy.
cluster_auto_scaling EKSClusterAutoscalerPolicy: The Cluster Autoscaler IAM policy.
ebs_csi EKSEBSCSIPolicy: The EBS CSI IAM policy.
efs_csi EKSEFSCSIPolicy: The EFS CSI IAM policy.
external_dns EKSExternalDNSPolicy: The External DNS IAM policy.
external_secrets EKSExternalSecretsPolicy: The External Secrets policy.
fsx_lustre_csi FSxLustreCSIPolicy: The FSx for Lustre CSI Driver IAM policy.
karpenter_controller EKSKarpenterControllerPolicy: The Karpenter Controller policy.
load_balancer EKSLoadBalancerPolicy: The Load Balancer policy.
node_termination_handler EKSNodeTerminationHandlerPolicy: The Node Termination Handler policy to the role.
velero EKSVeleroPolicy: The Velero IAM policy.
vpn_cni EKSVPNCNIPolicy: The VPC CNI IAM policy to the role.

amazonManagedServicePrometheus Property Map: The Amazon Managed Service for Prometheus IAM policy.
appmesh Property Map: The Appmesh policies.
certManager Property Map: The Cert Manager IAM policy.
clusterAutoScaling Property Map: The Cluster Autoscaler IAM policy.
ebsCsi Property Map: The EBS CSI IAM policy.
efsCsi Property Map: The EFS CSI IAM policy.
externalDns Property Map: The External DNS IAM policy.
externalSecrets Property Map: The External Secrets policy.
fsxLustreCsi Property Map: The FSx for Lustre CSI Driver IAM policy.
karpenterController Property Map: The Karpenter Controller policy.
loadBalancer Property Map: The Load Balancer policy.
nodeTerminationHandler Property Map: The Node Termination Handler policy to the role.
velero Property Map: The Velero IAM policy.
vpnCni Property Map: The VPC CNI IAM policy to the role.

EKSServiceAccountRole

Description string: IAM Role description.
Name string: IAM role name.
NamePrefix string: IAM role name prefix.
Path string: Path of admin IAM role.
PermissionsBoundaryArn string: Permissions boundary ARN to use for the role.
PolicyArns List<string>: List of policy ARNs to use for the role.

Description string: IAM Role description.
Name string: IAM role name.
NamePrefix string: IAM role name prefix.
Path string: Path of admin IAM role.
PermissionsBoundaryArn string: Permissions boundary ARN to use for the role.
PolicyArns []string: List of policy ARNs to use for the role.

description String: IAM Role description.
name String: IAM role name.
namePrefix String: IAM role name prefix.
path String: Path of admin IAM role.
permissionsBoundaryArn String: Permissions boundary ARN to use for the role.
policyArns List<String>: List of policy ARNs to use for the role.

description string: IAM Role description.
name string: IAM role name.
namePrefix string: IAM role name prefix.
path string: Path of admin IAM role.
permissionsBoundaryArn string: Permissions boundary ARN to use for the role.
policyArns string[]: List of policy ARNs to use for the role.

description str: IAM Role description.
name str: IAM role name.
name_prefix str: IAM role name prefix.
path str: Path of admin IAM role.
permissions_boundary_arn str: Permissions boundary ARN to use for the role.
policy_arns Sequence[str]: List of policy ARNs to use for the role.

description String: IAM Role description.
name String: IAM role name.
namePrefix String: IAM role name prefix.
path String: Path of admin IAM role.
permissionsBoundaryArn String: Permissions boundary ARN to use for the role.
policyArns List<String>: List of policy ARNs to use for the role.

EKSVPNCNIPolicy

Attach bool: Determines whether to attach the VPC CNI IAM policy to the role.
EnableIpv4 bool: Determines whether to enable IPv4 permissions for VPC CNI policy.
EnableIpv6 bool: Determines whether to enable IPv6 permissions for VPC CNI policy.

Attach bool: Determines whether to attach the VPC CNI IAM policy to the role.
EnableIpv4 bool: Determines whether to enable IPv4 permissions for VPC CNI policy.
EnableIpv6 bool: Determines whether to enable IPv6 permissions for VPC CNI policy.

attach Boolean: Determines whether to attach the VPC CNI IAM policy to the role.
enableIpv4 Boolean: Determines whether to enable IPv4 permissions for VPC CNI policy.
enableIpv6 Boolean: Determines whether to enable IPv6 permissions for VPC CNI policy.

attach boolean: Determines whether to attach the VPC CNI IAM policy to the role.
enableIpv4 boolean: Determines whether to enable IPv4 permissions for VPC CNI policy.
enableIpv6 boolean: Determines whether to enable IPv6 permissions for VPC CNI policy.

attach bool: Determines whether to attach the VPC CNI IAM policy to the role.
enable_ipv4 bool: Determines whether to enable IPv4 permissions for VPC CNI policy.
enable_ipv6 bool: Determines whether to enable IPv6 permissions for VPC CNI policy.

attach Boolean: Determines whether to attach the VPC CNI IAM policy to the role.
enableIpv4 Boolean: Determines whether to enable IPv4 permissions for VPC CNI policy.
enableIpv6 Boolean: Determines whether to enable IPv6 permissions for VPC CNI policy.

EKSVeleroPolicy

Attach bool: Determines whether to attach the Velero IAM policy to the role.
S3BucketArns List<string>: List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

Attach bool: Determines whether to attach the Velero IAM policy to the role.
S3BucketArns []string: List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach Boolean: Determines whether to attach the Velero IAM policy to the role.
s3BucketArns List<String>: List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach boolean: Determines whether to attach the Velero IAM policy to the role.
s3BucketArns string[]: List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach bool: Determines whether to attach the Velero IAM policy to the role.
s3_bucket_arns Sequence[str]: List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach Boolean: Determines whether to attach the Velero IAM policy to the role.
s3BucketArns List<String>: List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

FSxLustreCSIPolicy

Attach bool: Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
ServiceRoleArns List<string>: Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

Attach bool: Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
ServiceRoleArns []string: Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach Boolean: Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
serviceRoleArns List<String>: Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach boolean: Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
serviceRoleArns string[]: Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach bool: Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
service_role_arns Sequence[str]: Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach Boolean: Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
serviceRoleArns List<String>: Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.