1. Packages
  2. AWS IAM
  3. API Docs
  4. RoleForServiceAccountsEks
AWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi

aws-iam.RoleForServiceAccountsEks

Explore with Pulumi AI

aws-iam logo
AWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi

    This resources helps you create an IAM role which can be assumed by AWS EKS ServiceAccounts with optional policies for commonly used controllers/custom resources within EKS. The optional policies you can specify are:

    • Cert-Manager
    • Cluster Autoscaler
    • EBS CSI Driver
    • EFS CSI Driver
    • External DNS
    • External Secrets
    • FSx for Lustre CSI Driver
    • Karpenter
    • Load Balancer Controller
    • Load Balancer Controller Target Group Binding Only
    • App Mesh Controller
    • App Mesh Envoy Proxy
    • Managed Service for Prometheus
    • Node Termination Handler
    • Velero
    • VPC CNI

    Example Usage

    using Pulumi;
    using Pulumi.AwsIam;
    using Pulumi.AwsIam.Inputs;
    
    class MyStack : Stack
    {
        public MyStack()
        {
            var roleForServiceAccountEks = new RoleForServiceAccountsEks("role-for-service-account-eks", new RoleForServiceAccountsEksArgs
            {
                Role = new EKSServiceAccountRoleArgs
                {
                    Name = "vpn-cni",
                },
                Tags = {
                    {"Name", "vpc-cni-irsa"},
                },
                OidcProviders = {
                    {"main", new OIDCProviderArgs
                    {
                        ProviderArn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
                        NamespaceServiceAccounts = {"default:my-app", "canary:my-app"},
                    }},
                },
                Policies = new EKSRolePoliciesArgs
                {
                    VpnCni = new EKSVPNCNIPolicyArgs
                    {
                        Attach = true,
                        EnableIpv4 = true,
                    },
                },
            });
    
            this.RoleForServiceAccountEks = Output.Create<RoleForServiceAccountsEks>(roleForServiceAccountEks);
        }
    
        [Output]
        public Output<RoleForServiceAccountsEks> RoleForServiceAccountEks { get; set; }
    }
    
    package main
    
    import (
        iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
        "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
        pulumi.Run(func(ctx *pulumi.Context) error {
            roleForServiceAccountsEKS, err := iam.NewRoleForServiceAccountsEks(ctx, "role-for-service-accounts-eks", &iam.RoleForServiceAccountsEksArgs{
                Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{
                    Name: pulumi.String("vpc-cni"),
                }),
                Tags: pulumi.ToStringMap(map[string]string{
                    "Name": "vpc-cni-irsa",
                }),
                OidcProviders: iam.OIDCProviderMap{
                    "main": iam.OIDCProviderArgs{
                        ProviderArn:              pulumi.String("arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"),
                        NamespaceServiceAccounts: pulumi.ToStringArray([]string{"default:my-app", "canary:my-app"}),
                    },
                },
                Policies: iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{
                    VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{
                        Attach:     pulumi.Bool(true),
                        EnableIpv4: pulumi.BoolPtr(true),
                    }),
                }),
            })
            if err != nil {
                return err
            }
    
            ctx.Export("roleForServiceAccountsEKS", roleForServiceAccountsEKS)
    
            return nil
        })
    }
    

    Coming soon!

    import pulumi
    import pulumi_aws_iam as iam
    
    role_for_service_account_eks = iam.RoleForServiceAccountsEks(
        'role_for_service_account_eks',
        role=iam.RoleArgs(
            name='vpc-cni'
        ),
        tags={
            'Name': 'vpc-cni-irsa',
        },
        oidc_providers={
            'main': iam.OIDCProviderArgs(
                provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D',
                namespace_service_accounts=['default:my-app', 'canary:my-app'],
            ),
        },
        policies=iam.EKSRolePoliciesArgs(
            vpn_cni=iam.EKSVPNCNIPolicyArgs(
                attach=True,
                enable_ipv4=True,
            ),
        ),
    )
    
    pulumi.export('role_for_service_account_eks', role_for_service_account_eks)
    
    import * as iam from "@pulumi/aws-iam";
    
    export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks("aws-iam-example-role-for-service-accounts-eks", {
        role: {
            name: "vpc-cni"
        },
        tags: {
            Name: "vpc-cni-irsa",
        },
        oidcProviders: {
            main: {
                providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
                namespaceServiceAccounts: ["default:my-app", "canary:my-app"],
            }
        },
        policies: {
            vpnCni: {
                attach: true,
                enableIpv4: true,
            },
        },
    });
    
    name: awsiam-yaml
    runtime: yaml
    resources:
        roleForServiceAccountsEks:
            type: "aws-iam:index:RoleForServiceAccountsEks"
            properties:
                role:
                    name: "vpc-cni"
                tags:
                    Name: "vpc-cni-irsa"
                oidcProviders:
                    main:
                        providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
                        namespaceServiceAccounts:
                            - "default:my-app"
                            - "canary:my-app"
                policies:
                    vpnCni:
                        attach: true
                        enableIpv4: true
    outputs:
        roleForServiceAccountsEks: ${roleForServiceAccountsEks}
    

    Create RoleForServiceAccountsEks Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new RoleForServiceAccountsEks(name: string, args?: RoleForServiceAccountsEksArgs, opts?: CustomResourceOptions);
    @overload
    def RoleForServiceAccountsEks(resource_name: str,
                                  args: Optional[RoleForServiceAccountsEksArgs] = None,
                                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def RoleForServiceAccountsEks(resource_name: str,
                                  opts: Optional[ResourceOptions] = None,
                                  assume_role_condition_test: Optional[str] = None,
                                  force_detach_policies: Optional[bool] = None,
                                  max_session_duration: Optional[int] = None,
                                  oidc_providers: Optional[Mapping[str, OIDCProviderArgs]] = None,
                                  policies: Optional[EKSRolePoliciesArgs] = None,
                                  policy_name_prefix: Optional[str] = None,
                                  role: Optional[EKSServiceAccountRoleArgs] = None,
                                  tags: Optional[Mapping[str, str]] = None)
    func NewRoleForServiceAccountsEks(ctx *Context, name string, args *RoleForServiceAccountsEksArgs, opts ...ResourceOption) (*RoleForServiceAccountsEks, error)
    public RoleForServiceAccountsEks(string name, RoleForServiceAccountsEksArgs? args = null, CustomResourceOptions? opts = null)
    public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args)
    public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args, CustomResourceOptions options)
    
    type: aws-iam:RoleForServiceAccountsEks
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args RoleForServiceAccountsEksArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RoleForServiceAccountsEksArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RoleForServiceAccountsEksArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RoleForServiceAccountsEksArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RoleForServiceAccountsEksArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var roleForServiceAccountsEksResource = new AwsIam.RoleForServiceAccountsEks("roleForServiceAccountsEksResource", new()
    {
        AssumeRoleConditionTest = "string",
        ForceDetachPolicies = false,
        MaxSessionDuration = 0,
        OidcProviders = 
        {
            { "string", new AwsIam.Inputs.OIDCProviderArgs
            {
                NamespaceServiceAccounts = new[]
                {
                    "string",
                },
                ProviderArn = "string",
            } },
        },
        Policies = new AwsIam.Inputs.EKSRolePoliciesArgs
        {
            AmazonManagedServicePrometheus = new AwsIam.Inputs.EKSAmazonManagedServicePrometheusPolicyArgs
            {
                Attach = false,
                WorkspaceArns = new[]
                {
                    "string",
                },
            },
            Appmesh = new AwsIam.Inputs.EKSAppmeshPolicyArgs
            {
                Controller = false,
                EnvoyProxy = false,
            },
            CertManager = new AwsIam.Inputs.EKSCertManagerPolicyArgs
            {
                Attach = false,
                HostedZoneArns = new[]
                {
                    "string",
                },
            },
            ClusterAutoScaling = new AwsIam.Inputs.EKSClusterAutoscalerPolicyArgs
            {
                Attach = false,
                ClusterIds = new[]
                {
                    "string",
                },
            },
            EbsCsi = new AwsIam.Inputs.EKSEBSCSIPolicyArgs
            {
                Attach = false,
                KmsCmkIds = new[]
                {
                    "string",
                },
            },
            EfsCsi = new AwsIam.Inputs.EKSEFSCSIPolicyArgs
            {
                Attach = false,
            },
            ExternalDns = new AwsIam.Inputs.EKSExternalDNSPolicyArgs
            {
                Attach = false,
                HostedZoneArns = new[]
                {
                    "string",
                },
            },
            ExternalSecrets = new AwsIam.Inputs.EKSExternalSecretsPolicyArgs
            {
                Attach = false,
                SecretsManagerArns = new[]
                {
                    "string",
                },
                SsmParameterArns = new[]
                {
                    "string",
                },
            },
            FsxLustreCsi = new AwsIam.Inputs.FSxLustreCSIPolicyArgs
            {
                Attach = false,
                ServiceRoleArns = new[]
                {
                    "string",
                },
            },
            KarpenterController = new AwsIam.Inputs.EKSKarpenterControllerPolicyArgs
            {
                Attach = false,
                ClusterId = "string",
                NodeIamRoleArns = new[]
                {
                    "string",
                },
                SsmParameterArns = new[]
                {
                    "string",
                },
                SubnetAccountId = "string",
                TagKey = "string",
            },
            LoadBalancer = new AwsIam.Inputs.EKSLoadBalancerPolicyArgs
            {
                Controller = false,
                TargetGroupBindingOnly = false,
            },
            NodeTerminationHandler = new AwsIam.Inputs.EKSNodeTerminationHandlerPolicyArgs
            {
                Attach = false,
                SqsQueueArns = new[]
                {
                    "string",
                },
            },
            Velero = new AwsIam.Inputs.EKSVeleroPolicyArgs
            {
                Attach = false,
                S3BucketArns = new[]
                {
                    "string",
                },
            },
            VpnCni = new AwsIam.Inputs.EKSVPNCNIPolicyArgs
            {
                Attach = false,
                EnableIpv4 = false,
                EnableIpv6 = false,
            },
        },
        PolicyNamePrefix = "string",
        Role = new AwsIam.Inputs.EKSServiceAccountRoleArgs
        {
            Description = "string",
            Name = "string",
            NamePrefix = "string",
            Path = "string",
            PermissionsBoundaryArn = "string",
            PolicyArns = new[]
            {
                "string",
            },
        },
        Tags = 
        {
            { "string", "string" },
        },
    });
    
    example, err := awsiam.NewRoleForServiceAccountsEks(ctx, "roleForServiceAccountsEksResource", &awsiam.RoleForServiceAccountsEksArgs{
    	AssumeRoleConditionTest: pulumi.String("string"),
    	ForceDetachPolicies:     pulumi.Bool(false),
    	MaxSessionDuration:      pulumi.Int(0),
    	OidcProviders: awsiam.OIDCProviderMap{
    		"string": &awsiam.OIDCProviderArgs{
    			NamespaceServiceAccounts: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			ProviderArn: pulumi.String("string"),
    		},
    	},
    	Policies: &awsiam.EKSRolePoliciesArgs{
    		AmazonManagedServicePrometheus: &awsiam.EKSAmazonManagedServicePrometheusPolicyArgs{
    			Attach: pulumi.Bool(false),
    			WorkspaceArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		Appmesh: &awsiam.EKSAppmeshPolicyArgs{
    			Controller: pulumi.Bool(false),
    			EnvoyProxy: pulumi.Bool(false),
    		},
    		CertManager: &awsiam.EKSCertManagerPolicyArgs{
    			Attach: pulumi.Bool(false),
    			HostedZoneArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		ClusterAutoScaling: &awsiam.EKSClusterAutoscalerPolicyArgs{
    			Attach: pulumi.Bool(false),
    			ClusterIds: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		EbsCsi: &awsiam.EKSEBSCSIPolicyArgs{
    			Attach: pulumi.Bool(false),
    			KmsCmkIds: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		EfsCsi: &awsiam.EKSEFSCSIPolicyArgs{
    			Attach: pulumi.Bool(false),
    		},
    		ExternalDns: &awsiam.EKSExternalDNSPolicyArgs{
    			Attach: pulumi.Bool(false),
    			HostedZoneArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		ExternalSecrets: &awsiam.EKSExternalSecretsPolicyArgs{
    			Attach: pulumi.Bool(false),
    			SecretsManagerArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			SsmParameterArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		FsxLustreCsi: &awsiam.FSxLustreCSIPolicyArgs{
    			Attach: pulumi.Bool(false),
    			ServiceRoleArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		KarpenterController: &awsiam.EKSKarpenterControllerPolicyArgs{
    			Attach:    pulumi.Bool(false),
    			ClusterId: pulumi.String("string"),
    			NodeIamRoleArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			SsmParameterArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			SubnetAccountId: pulumi.String("string"),
    			TagKey:          pulumi.String("string"),
    		},
    		LoadBalancer: &awsiam.EKSLoadBalancerPolicyArgs{
    			Controller:             pulumi.Bool(false),
    			TargetGroupBindingOnly: pulumi.Bool(false),
    		},
    		NodeTerminationHandler: &awsiam.EKSNodeTerminationHandlerPolicyArgs{
    			Attach: pulumi.Bool(false),
    			SqsQueueArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		Velero: &awsiam.EKSVeleroPolicyArgs{
    			Attach: pulumi.Bool(false),
    			S3BucketArns: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    		VpnCni: &awsiam.EKSVPNCNIPolicyArgs{
    			Attach:     pulumi.Bool(false),
    			EnableIpv4: pulumi.Bool(false),
    			EnableIpv6: pulumi.Bool(false),
    		},
    	},
    	PolicyNamePrefix: pulumi.String("string"),
    	Role: &awsiam.EKSServiceAccountRoleArgs{
    		Description:            pulumi.String("string"),
    		Name:                   pulumi.String("string"),
    		NamePrefix:             pulumi.String("string"),
    		Path:                   pulumi.String("string"),
    		PermissionsBoundaryArn: pulumi.String("string"),
    		PolicyArns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    })
    
    var roleForServiceAccountsEksResource = new RoleForServiceAccountsEks("roleForServiceAccountsEksResource", RoleForServiceAccountsEksArgs.builder()
        .assumeRoleConditionTest("string")
        .forceDetachPolicies(false)
        .maxSessionDuration(0)
        .oidcProviders(Map.of("string", Map.ofEntries(
            Map.entry("namespaceServiceAccounts", "string"),
            Map.entry("providerArn", "string")
        )))
        .policies(EKSRolePoliciesArgs.builder()
            .amazonManagedServicePrometheus(EKSAmazonManagedServicePrometheusPolicyArgs.builder()
                .attach(false)
                .workspaceArns("string")
                .build())
            .appmesh(EKSAppmeshPolicyArgs.builder()
                .controller(false)
                .envoyProxy(false)
                .build())
            .certManager(EKSCertManagerPolicyArgs.builder()
                .attach(false)
                .hostedZoneArns("string")
                .build())
            .clusterAutoScaling(EKSClusterAutoscalerPolicyArgs.builder()
                .attach(false)
                .clusterIds("string")
                .build())
            .ebsCsi(EKSEBSCSIPolicyArgs.builder()
                .attach(false)
                .kmsCmkIds("string")
                .build())
            .efsCsi(EKSEFSCSIPolicyArgs.builder()
                .attach(false)
                .build())
            .externalDns(EKSExternalDNSPolicyArgs.builder()
                .attach(false)
                .hostedZoneArns("string")
                .build())
            .externalSecrets(EKSExternalSecretsPolicyArgs.builder()
                .attach(false)
                .secretsManagerArns("string")
                .ssmParameterArns("string")
                .build())
            .fsxLustreCsi(FSxLustreCSIPolicyArgs.builder()
                .attach(false)
                .serviceRoleArns("string")
                .build())
            .karpenterController(EKSKarpenterControllerPolicyArgs.builder()
                .attach(false)
                .clusterId("string")
                .nodeIamRoleArns("string")
                .ssmParameterArns("string")
                .subnetAccountId("string")
                .tagKey("string")
                .build())
            .loadBalancer(EKSLoadBalancerPolicyArgs.builder()
                .controller(false)
                .targetGroupBindingOnly(false)
                .build())
            .nodeTerminationHandler(EKSNodeTerminationHandlerPolicyArgs.builder()
                .attach(false)
                .sqsQueueArns("string")
                .build())
            .velero(EKSVeleroPolicyArgs.builder()
                .attach(false)
                .s3BucketArns("string")
                .build())
            .vpnCni(EKSVPNCNIPolicyArgs.builder()
                .attach(false)
                .enableIpv4(false)
                .enableIpv6(false)
                .build())
            .build())
        .policyNamePrefix("string")
        .role(EKSServiceAccountRoleArgs.builder()
            .description("string")
            .name("string")
            .namePrefix("string")
            .path("string")
            .permissionsBoundaryArn("string")
            .policyArns("string")
            .build())
        .tags(Map.of("string", "string"))
        .build());
    
    role_for_service_accounts_eks_resource = aws_iam.RoleForServiceAccountsEks("roleForServiceAccountsEksResource",
        assume_role_condition_test="string",
        force_detach_policies=False,
        max_session_duration=0,
        oidc_providers={
            "string": aws_iam.OIDCProviderArgs(
                namespace_service_accounts=["string"],
                provider_arn="string",
            ),
        },
        policies=aws_iam.EKSRolePoliciesArgs(
            amazon_managed_service_prometheus=aws_iam.EKSAmazonManagedServicePrometheusPolicyArgs(
                attach=False,
                workspace_arns=["string"],
            ),
            appmesh=aws_iam.EKSAppmeshPolicyArgs(
                controller=False,
                envoy_proxy=False,
            ),
            cert_manager=aws_iam.EKSCertManagerPolicyArgs(
                attach=False,
                hosted_zone_arns=["string"],
            ),
            cluster_auto_scaling=aws_iam.EKSClusterAutoscalerPolicyArgs(
                attach=False,
                cluster_ids=["string"],
            ),
            ebs_csi=aws_iam.EKSEBSCSIPolicyArgs(
                attach=False,
                kms_cmk_ids=["string"],
            ),
            efs_csi=aws_iam.EKSEFSCSIPolicyArgs(
                attach=False,
            ),
            external_dns=aws_iam.EKSExternalDNSPolicyArgs(
                attach=False,
                hosted_zone_arns=["string"],
            ),
            external_secrets=aws_iam.EKSExternalSecretsPolicyArgs(
                attach=False,
                secrets_manager_arns=["string"],
                ssm_parameter_arns=["string"],
            ),
            fsx_lustre_csi=aws_iam.FSxLustreCSIPolicyArgs(
                attach=False,
                service_role_arns=["string"],
            ),
            karpenter_controller=aws_iam.EKSKarpenterControllerPolicyArgs(
                attach=False,
                cluster_id="string",
                node_iam_role_arns=["string"],
                ssm_parameter_arns=["string"],
                subnet_account_id="string",
                tag_key="string",
            ),
            load_balancer=aws_iam.EKSLoadBalancerPolicyArgs(
                controller=False,
                target_group_binding_only=False,
            ),
            node_termination_handler=aws_iam.EKSNodeTerminationHandlerPolicyArgs(
                attach=False,
                sqs_queue_arns=["string"],
            ),
            velero=aws_iam.EKSVeleroPolicyArgs(
                attach=False,
                s3_bucket_arns=["string"],
            ),
            vpn_cni=aws_iam.EKSVPNCNIPolicyArgs(
                attach=False,
                enable_ipv4=False,
                enable_ipv6=False,
            ),
        ),
        policy_name_prefix="string",
        role=aws_iam.EKSServiceAccountRoleArgs(
            description="string",
            name="string",
            name_prefix="string",
            path="string",
            permissions_boundary_arn="string",
            policy_arns=["string"],
        ),
        tags={
            "string": "string",
        })
    
    const roleForServiceAccountsEksResource = new aws_iam.RoleForServiceAccountsEks("roleForServiceAccountsEksResource", {
        assumeRoleConditionTest: "string",
        forceDetachPolicies: false,
        maxSessionDuration: 0,
        oidcProviders: {
            string: {
                namespaceServiceAccounts: ["string"],
                providerArn: "string",
            },
        },
        policies: {
            amazonManagedServicePrometheus: {
                attach: false,
                workspaceArns: ["string"],
            },
            appmesh: {
                controller: false,
                envoyProxy: false,
            },
            certManager: {
                attach: false,
                hostedZoneArns: ["string"],
            },
            clusterAutoScaling: {
                attach: false,
                clusterIds: ["string"],
            },
            ebsCsi: {
                attach: false,
                kmsCmkIds: ["string"],
            },
            efsCsi: {
                attach: false,
            },
            externalDns: {
                attach: false,
                hostedZoneArns: ["string"],
            },
            externalSecrets: {
                attach: false,
                secretsManagerArns: ["string"],
                ssmParameterArns: ["string"],
            },
            fsxLustreCsi: {
                attach: false,
                serviceRoleArns: ["string"],
            },
            karpenterController: {
                attach: false,
                clusterId: "string",
                nodeIamRoleArns: ["string"],
                ssmParameterArns: ["string"],
                subnetAccountId: "string",
                tagKey: "string",
            },
            loadBalancer: {
                controller: false,
                targetGroupBindingOnly: false,
            },
            nodeTerminationHandler: {
                attach: false,
                sqsQueueArns: ["string"],
            },
            velero: {
                attach: false,
                s3BucketArns: ["string"],
            },
            vpnCni: {
                attach: false,
                enableIpv4: false,
                enableIpv6: false,
            },
        },
        policyNamePrefix: "string",
        role: {
            description: "string",
            name: "string",
            namePrefix: "string",
            path: "string",
            permissionsBoundaryArn: "string",
            policyArns: ["string"],
        },
        tags: {
            string: "string",
        },
    });
    
    type: aws-iam:RoleForServiceAccountsEks
    properties:
        assumeRoleConditionTest: string
        forceDetachPolicies: false
        maxSessionDuration: 0
        oidcProviders:
            string:
                namespaceServiceAccounts:
                    - string
                providerArn: string
        policies:
            amazonManagedServicePrometheus:
                attach: false
                workspaceArns:
                    - string
            appmesh:
                controller: false
                envoyProxy: false
            certManager:
                attach: false
                hostedZoneArns:
                    - string
            clusterAutoScaling:
                attach: false
                clusterIds:
                    - string
            ebsCsi:
                attach: false
                kmsCmkIds:
                    - string
            efsCsi:
                attach: false
            externalDns:
                attach: false
                hostedZoneArns:
                    - string
            externalSecrets:
                attach: false
                secretsManagerArns:
                    - string
                ssmParameterArns:
                    - string
            fsxLustreCsi:
                attach: false
                serviceRoleArns:
                    - string
            karpenterController:
                attach: false
                clusterId: string
                nodeIamRoleArns:
                    - string
                ssmParameterArns:
                    - string
                subnetAccountId: string
                tagKey: string
            loadBalancer:
                controller: false
                targetGroupBindingOnly: false
            nodeTerminationHandler:
                attach: false
                sqsQueueArns:
                    - string
            velero:
                attach: false
                s3BucketArns:
                    - string
            vpnCni:
                attach: false
                enableIpv4: false
                enableIpv6: false
        policyNamePrefix: string
        role:
            description: string
            name: string
            namePrefix: string
            path: string
            permissionsBoundaryArn: string
            policyArns:
                - string
        tags:
            string: string
    

    RoleForServiceAccountsEks Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The RoleForServiceAccountsEks resource accepts the following input properties:

    AssumeRoleConditionTest string
    Name of the IAM condition operator to evaluate when assuming the role.
    ForceDetachPolicies bool
    Whether policies should be detached from this role when destroying.
    MaxSessionDuration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    OidcProviders Dictionary<string, Pulumi.AwsIam.Inputs.OIDCProviderArgs>
    Map of OIDC providers.
    Policies Pulumi.AwsIam.Inputs.EKSRolePolicies
    PolicyNamePrefix string
    IAM policy name prefix.
    Role Pulumi.AwsIam.Inputs.EKSServiceAccountRole
    Tags Dictionary<string, string>
    A map of tags to add.
    AssumeRoleConditionTest string
    Name of the IAM condition operator to evaluate when assuming the role.
    ForceDetachPolicies bool
    Whether policies should be detached from this role when destroying.
    MaxSessionDuration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    OidcProviders map[string]OIDCProviderArgs
    Map of OIDC providers.
    Policies EKSRolePoliciesArgs
    PolicyNamePrefix string
    IAM policy name prefix.
    Role EKSServiceAccountRoleArgs
    Tags map[string]string
    A map of tags to add.
    assumeRoleConditionTest String
    Name of the IAM condition operator to evaluate when assuming the role.
    forceDetachPolicies Boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration Integer
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    oidcProviders Map<String,OIDCProviderArgs>
    Map of OIDC providers.
    policies EKSRolePolicies
    policyNamePrefix String
    IAM policy name prefix.
    role EKSServiceAccountRole
    tags Map<String,String>
    A map of tags to add.
    assumeRoleConditionTest string
    Name of the IAM condition operator to evaluate when assuming the role.
    forceDetachPolicies boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration number
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    oidcProviders {[key: string]: OIDCProviderArgs}
    Map of OIDC providers.
    policies EKSRolePolicies
    policyNamePrefix string
    IAM policy name prefix.
    role EKSServiceAccountRole
    tags {[key: string]: string}
    A map of tags to add.
    assume_role_condition_test str
    Name of the IAM condition operator to evaluate when assuming the role.
    force_detach_policies bool
    Whether policies should be detached from this role when destroying.
    max_session_duration int
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    oidc_providers Mapping[str, OIDCProviderArgs]
    Map of OIDC providers.
    policies EKSRolePoliciesArgs
    policy_name_prefix str
    IAM policy name prefix.
    role EKSServiceAccountRoleArgs
    tags Mapping[str, str]
    A map of tags to add.
    assumeRoleConditionTest String
    Name of the IAM condition operator to evaluate when assuming the role.
    forceDetachPolicies Boolean
    Whether policies should be detached from this role when destroying.
    maxSessionDuration Number
    Maximum CLI/API session duration in seconds between 3600 and 43200.
    oidcProviders Map<Property Map>
    Map of OIDC providers.
    policies Property Map
    policyNamePrefix String
    IAM policy name prefix.
    role Property Map
    tags Map<String>
    A map of tags to add.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the RoleForServiceAccountsEks resource produces the following output properties:

    Supporting Types

    EKSAmazonManagedServicePrometheusPolicy, EKSAmazonManagedServicePrometheusPolicyArgs

    Attach bool
    Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
    WorkspaceArns List<string>
    List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
    Attach bool
    Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
    WorkspaceArns []string
    List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
    attach Boolean
    Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
    workspaceArns List<String>
    List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
    attach boolean
    Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
    workspaceArns string[]
    List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
    attach bool
    Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
    workspace_arns Sequence[str]
    List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
    attach Boolean
    Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
    workspaceArns List<String>
    List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

    EKSAppmeshPolicy, EKSAppmeshPolicyArgs

    Controller bool
    Determines whether to attach the Appmesh Controller policy to the role.
    EnvoyProxy bool
    Determines whether to attach the Appmesh envoy proxy policy to the role.
    Controller bool
    Determines whether to attach the Appmesh Controller policy to the role.
    EnvoyProxy bool
    Determines whether to attach the Appmesh envoy proxy policy to the role.
    controller Boolean
    Determines whether to attach the Appmesh Controller policy to the role.
    envoyProxy Boolean
    Determines whether to attach the Appmesh envoy proxy policy to the role.
    controller boolean
    Determines whether to attach the Appmesh Controller policy to the role.
    envoyProxy boolean
    Determines whether to attach the Appmesh envoy proxy policy to the role.
    controller bool
    Determines whether to attach the Appmesh Controller policy to the role.
    envoy_proxy bool
    Determines whether to attach the Appmesh envoy proxy policy to the role.
    controller Boolean
    Determines whether to attach the Appmesh Controller policy to the role.
    envoyProxy Boolean
    Determines whether to attach the Appmesh envoy proxy policy to the role.

    EKSCertManagerPolicy, EKSCertManagerPolicyArgs

    Attach bool
    Determines whether to attach the Cert Manager IAM policy to the role.
    HostedZoneArns List<string>
    Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    Attach bool
    Determines whether to attach the Cert Manager IAM policy to the role.
    HostedZoneArns []string
    Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach Boolean
    Determines whether to attach the Cert Manager IAM policy to the role.
    hostedZoneArns List<String>
    Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach boolean
    Determines whether to attach the Cert Manager IAM policy to the role.
    hostedZoneArns string[]
    Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach bool
    Determines whether to attach the Cert Manager IAM policy to the role.
    hosted_zone_arns Sequence[str]
    Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach Boolean
    Determines whether to attach the Cert Manager IAM policy to the role.
    hostedZoneArns List<String>
    Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

    EKSClusterAutoscalerPolicy, EKSClusterAutoscalerPolicyArgs

    Attach bool
    Determines whether to attach the Cluster Autoscaler IAM policy to the role.
    ClusterIds List<string>
    List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
    Attach bool
    Determines whether to attach the Cluster Autoscaler IAM policy to the role.
    ClusterIds []string
    List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
    attach Boolean
    Determines whether to attach the Cluster Autoscaler IAM policy to the role.
    clusterIds List<String>
    List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
    attach boolean
    Determines whether to attach the Cluster Autoscaler IAM policy to the role.
    clusterIds string[]
    List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
    attach bool
    Determines whether to attach the Cluster Autoscaler IAM policy to the role.
    cluster_ids Sequence[str]
    List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
    attach Boolean
    Determines whether to attach the Cluster Autoscaler IAM policy to the role.
    clusterIds List<String>
    List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

    EKSEBSCSIPolicy, EKSEBSCSIPolicyArgs

    Attach bool
    Determines whether to attach the EBS CSI IAM policy to the role.
    KmsCmkIds List<string>
    KMS CMK IDs to allow EBS CSI to manage encrypted volumes.
    Attach bool
    Determines whether to attach the EBS CSI IAM policy to the role.
    KmsCmkIds []string
    KMS CMK IDs to allow EBS CSI to manage encrypted volumes.
    attach Boolean
    Determines whether to attach the EBS CSI IAM policy to the role.
    kmsCmkIds List<String>
    KMS CMK IDs to allow EBS CSI to manage encrypted volumes.
    attach boolean
    Determines whether to attach the EBS CSI IAM policy to the role.
    kmsCmkIds string[]
    KMS CMK IDs to allow EBS CSI to manage encrypted volumes.
    attach bool
    Determines whether to attach the EBS CSI IAM policy to the role.
    kms_cmk_ids Sequence[str]
    KMS CMK IDs to allow EBS CSI to manage encrypted volumes.
    attach Boolean
    Determines whether to attach the EBS CSI IAM policy to the role.
    kmsCmkIds List<String>
    KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

    EKSEFSCSIPolicy, EKSEFSCSIPolicyArgs

    Attach bool
    Determines whether to attach the EFS CSI IAM policy to the role.
    Attach bool
    Determines whether to attach the EFS CSI IAM policy to the role.
    attach Boolean
    Determines whether to attach the EFS CSI IAM policy to the role.
    attach boolean
    Determines whether to attach the EFS CSI IAM policy to the role.
    attach bool
    Determines whether to attach the EFS CSI IAM policy to the role.
    attach Boolean
    Determines whether to attach the EFS CSI IAM policy to the role.

    EKSExternalDNSPolicy, EKSExternalDNSPolicyArgs

    Attach bool
    Determines whether to attach the External DNS IAM policy to the role.
    HostedZoneArns List<string>
    Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    Attach bool
    Determines whether to attach the External DNS IAM policy to the role.
    HostedZoneArns []string
    Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach Boolean
    Determines whether to attach the External DNS IAM policy to the role.
    hostedZoneArns List<String>
    Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach boolean
    Determines whether to attach the External DNS IAM policy to the role.
    hostedZoneArns string[]
    Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach bool
    Determines whether to attach the External DNS IAM policy to the role.
    hosted_zone_arns Sequence[str]
    Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
    attach Boolean
    Determines whether to attach the External DNS IAM policy to the role.
    hostedZoneArns List<String>
    Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

    EKSExternalSecretsPolicy, EKSExternalSecretsPolicyArgs

    Attach bool
    Determines whether to attach the External Secrets policy to the role.
    SecretsManagerArns List<string>
    List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
    SsmParameterArns List<string>
    List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
    Attach bool
    Determines whether to attach the External Secrets policy to the role.
    SecretsManagerArns []string
    List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
    SsmParameterArns []string
    List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
    attach Boolean
    Determines whether to attach the External Secrets policy to the role.
    secretsManagerArns List<String>
    List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
    ssmParameterArns List<String>
    List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
    attach boolean
    Determines whether to attach the External Secrets policy to the role.
    secretsManagerArns string[]
    List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
    ssmParameterArns string[]
    List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
    attach bool
    Determines whether to attach the External Secrets policy to the role.
    secrets_manager_arns Sequence[str]
    List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
    ssm_parameter_arns Sequence[str]
    List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
    attach Boolean
    Determines whether to attach the External Secrets policy to the role.
    secretsManagerArns List<String>
    List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
    ssmParameterArns List<String>
    List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

    EKSKarpenterControllerPolicy, EKSKarpenterControllerPolicyArgs

    Attach bool
    Determines whether to attach the Karpenter Controller policy to the role.
    ClusterId string
    Cluster ID where the Karpenter controller is provisioned/managing.
    NodeIamRoleArns List<string>
    List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
    SsmParameterArns List<string>
    List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
    SubnetAccountId string
    Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
    TagKey string
    Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
    Attach bool
    Determines whether to attach the Karpenter Controller policy to the role.
    ClusterId string
    Cluster ID where the Karpenter controller is provisioned/managing.
    NodeIamRoleArns []string
    List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
    SsmParameterArns []string
    List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
    SubnetAccountId string
    Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
    TagKey string
    Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
    attach Boolean
    Determines whether to attach the Karpenter Controller policy to the role.
    clusterId String
    Cluster ID where the Karpenter controller is provisioned/managing.
    nodeIamRoleArns List<String>
    List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
    ssmParameterArns List<String>
    List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
    subnetAccountId String
    Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
    tagKey String
    Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
    attach boolean
    Determines whether to attach the Karpenter Controller policy to the role.
    clusterId string
    Cluster ID where the Karpenter controller is provisioned/managing.
    nodeIamRoleArns string[]
    List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
    ssmParameterArns string[]
    List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
    subnetAccountId string
    Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
    tagKey string
    Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
    attach bool
    Determines whether to attach the Karpenter Controller policy to the role.
    cluster_id str
    Cluster ID where the Karpenter controller is provisioned/managing.
    node_iam_role_arns Sequence[str]
    List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
    ssm_parameter_arns Sequence[str]
    List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
    subnet_account_id str
    Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
    tag_key str
    Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
    attach Boolean
    Determines whether to attach the Karpenter Controller policy to the role.
    clusterId String
    Cluster ID where the Karpenter controller is provisioned/managing.
    nodeIamRoleArns List<String>
    List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
    ssmParameterArns List<String>
    List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
    subnetAccountId String
    Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
    tagKey String
    Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

    EKSLoadBalancerPolicy, EKSLoadBalancerPolicyArgs

    Controller bool
    Determines whether to attach the Load Balancer Controller policy to the role.
    TargetGroupBindingOnly bool
    Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
    Controller bool
    Determines whether to attach the Load Balancer Controller policy to the role.
    TargetGroupBindingOnly bool
    Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
    controller Boolean
    Determines whether to attach the Load Balancer Controller policy to the role.
    targetGroupBindingOnly Boolean
    Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
    controller boolean
    Determines whether to attach the Load Balancer Controller policy to the role.
    targetGroupBindingOnly boolean
    Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
    controller bool
    Determines whether to attach the Load Balancer Controller policy to the role.
    target_group_binding_only bool
    Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
    controller Boolean
    Determines whether to attach the Load Balancer Controller policy to the role.
    targetGroupBindingOnly Boolean
    Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

    EKSNodeTerminationHandlerPolicy, EKSNodeTerminationHandlerPolicyArgs

    Attach bool
    Determines whether to attach the Node Termination Handler policy to the role.
    SqsQueueArns List<string>
    List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
    Attach bool
    Determines whether to attach the Node Termination Handler policy to the role.
    SqsQueueArns []string
    List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
    attach Boolean
    Determines whether to attach the Node Termination Handler policy to the role.
    sqsQueueArns List<String>
    List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
    attach boolean
    Determines whether to attach the Node Termination Handler policy to the role.
    sqsQueueArns string[]
    List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
    attach bool
    Determines whether to attach the Node Termination Handler policy to the role.
    sqs_queue_arns Sequence[str]
    List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
    attach Boolean
    Determines whether to attach the Node Termination Handler policy to the role.
    sqsQueueArns List<String>
    List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

    EKSRolePolicies, EKSRolePoliciesArgs

    AmazonManagedServicePrometheus Pulumi.AwsIam.Inputs.EKSAmazonManagedServicePrometheusPolicy
    The Amazon Managed Service for Prometheus IAM policy.
    Appmesh Pulumi.AwsIam.Inputs.EKSAppmeshPolicy
    The Appmesh policies.
    CertManager Pulumi.AwsIam.Inputs.EKSCertManagerPolicy
    The Cert Manager IAM policy.
    ClusterAutoScaling Pulumi.AwsIam.Inputs.EKSClusterAutoscalerPolicy
    The Cluster Autoscaler IAM policy.
    EbsCsi Pulumi.AwsIam.Inputs.EKSEBSCSIPolicy
    The EBS CSI IAM policy.
    EfsCsi Pulumi.AwsIam.Inputs.EKSEFSCSIPolicy
    The EFS CSI IAM policy.
    ExternalDns Pulumi.AwsIam.Inputs.EKSExternalDNSPolicy
    The External DNS IAM policy.
    ExternalSecrets Pulumi.AwsIam.Inputs.EKSExternalSecretsPolicy
    The External Secrets policy.
    FsxLustreCsi Pulumi.AwsIam.Inputs.FSxLustreCSIPolicy
    The FSx for Lustre CSI Driver IAM policy.
    KarpenterController Pulumi.AwsIam.Inputs.EKSKarpenterControllerPolicy
    The Karpenter Controller policy.
    LoadBalancer Pulumi.AwsIam.Inputs.EKSLoadBalancerPolicy
    The Load Balancer policy.
    NodeTerminationHandler Pulumi.AwsIam.Inputs.EKSNodeTerminationHandlerPolicy
    The Node Termination Handler policy to the role.
    Velero Pulumi.AwsIam.Inputs.EKSVeleroPolicy
    The Velero IAM policy.
    VpnCni Pulumi.AwsIam.Inputs.EKSVPNCNIPolicy
    The VPC CNI IAM policy to the role.
    AmazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy
    The Amazon Managed Service for Prometheus IAM policy.
    Appmesh EKSAppmeshPolicy
    The Appmesh policies.
    CertManager EKSCertManagerPolicy
    The Cert Manager IAM policy.
    ClusterAutoScaling EKSClusterAutoscalerPolicy
    The Cluster Autoscaler IAM policy.
    EbsCsi EKSEBSCSIPolicy
    The EBS CSI IAM policy.
    EfsCsi EKSEFSCSIPolicy
    The EFS CSI IAM policy.
    ExternalDns EKSExternalDNSPolicy
    The External DNS IAM policy.
    ExternalSecrets EKSExternalSecretsPolicy
    The External Secrets policy.
    FsxLustreCsi FSxLustreCSIPolicy
    The FSx for Lustre CSI Driver IAM policy.
    KarpenterController EKSKarpenterControllerPolicy
    The Karpenter Controller policy.
    LoadBalancer EKSLoadBalancerPolicy
    The Load Balancer policy.
    NodeTerminationHandler EKSNodeTerminationHandlerPolicy
    The Node Termination Handler policy to the role.
    Velero EKSVeleroPolicy
    The Velero IAM policy.
    VpnCni EKSVPNCNIPolicy
    The VPC CNI IAM policy to the role.
    amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy
    The Amazon Managed Service for Prometheus IAM policy.
    appmesh EKSAppmeshPolicy
    The Appmesh policies.
    certManager EKSCertManagerPolicy
    The Cert Manager IAM policy.
    clusterAutoScaling EKSClusterAutoscalerPolicy
    The Cluster Autoscaler IAM policy.
    ebsCsi EKSEBSCSIPolicy
    The EBS CSI IAM policy.
    efsCsi EKSEFSCSIPolicy
    The EFS CSI IAM policy.
    externalDns EKSExternalDNSPolicy
    The External DNS IAM policy.
    externalSecrets EKSExternalSecretsPolicy
    The External Secrets policy.
    fsxLustreCsi FSxLustreCSIPolicy
    The FSx for Lustre CSI Driver IAM policy.
    karpenterController EKSKarpenterControllerPolicy
    The Karpenter Controller policy.
    loadBalancer EKSLoadBalancerPolicy
    The Load Balancer policy.
    nodeTerminationHandler EKSNodeTerminationHandlerPolicy
    The Node Termination Handler policy to the role.
    velero EKSVeleroPolicy
    The Velero IAM policy.
    vpnCni EKSVPNCNIPolicy
    The VPC CNI IAM policy to the role.
    amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy
    The Amazon Managed Service for Prometheus IAM policy.
    appmesh EKSAppmeshPolicy
    The Appmesh policies.
    certManager EKSCertManagerPolicy
    The Cert Manager IAM policy.
    clusterAutoScaling EKSClusterAutoscalerPolicy
    The Cluster Autoscaler IAM policy.
    ebsCsi EKSEBSCSIPolicy
    The EBS CSI IAM policy.
    efsCsi EKSEFSCSIPolicy
    The EFS CSI IAM policy.
    externalDns EKSExternalDNSPolicy
    The External DNS IAM policy.
    externalSecrets EKSExternalSecretsPolicy
    The External Secrets policy.
    fsxLustreCsi FSxLustreCSIPolicy
    The FSx for Lustre CSI Driver IAM policy.
    karpenterController EKSKarpenterControllerPolicy
    The Karpenter Controller policy.
    loadBalancer EKSLoadBalancerPolicy
    The Load Balancer policy.
    nodeTerminationHandler EKSNodeTerminationHandlerPolicy
    The Node Termination Handler policy to the role.
    velero EKSVeleroPolicy
    The Velero IAM policy.
    vpnCni EKSVPNCNIPolicy
    The VPC CNI IAM policy to the role.
    amazon_managed_service_prometheus EKSAmazonManagedServicePrometheusPolicy
    The Amazon Managed Service for Prometheus IAM policy.
    appmesh EKSAppmeshPolicy
    The Appmesh policies.
    cert_manager EKSCertManagerPolicy
    The Cert Manager IAM policy.
    cluster_auto_scaling EKSClusterAutoscalerPolicy
    The Cluster Autoscaler IAM policy.
    ebs_csi EKSEBSCSIPolicy
    The EBS CSI IAM policy.
    efs_csi EKSEFSCSIPolicy
    The EFS CSI IAM policy.
    external_dns EKSExternalDNSPolicy
    The External DNS IAM policy.
    external_secrets EKSExternalSecretsPolicy
    The External Secrets policy.
    fsx_lustre_csi FSxLustreCSIPolicy
    The FSx for Lustre CSI Driver IAM policy.
    karpenter_controller EKSKarpenterControllerPolicy
    The Karpenter Controller policy.
    load_balancer EKSLoadBalancerPolicy
    The Load Balancer policy.
    node_termination_handler EKSNodeTerminationHandlerPolicy
    The Node Termination Handler policy to the role.
    velero EKSVeleroPolicy
    The Velero IAM policy.
    vpn_cni EKSVPNCNIPolicy
    The VPC CNI IAM policy to the role.
    amazonManagedServicePrometheus Property Map
    The Amazon Managed Service for Prometheus IAM policy.
    appmesh Property Map
    The Appmesh policies.
    certManager Property Map
    The Cert Manager IAM policy.
    clusterAutoScaling Property Map
    The Cluster Autoscaler IAM policy.
    ebsCsi Property Map
    The EBS CSI IAM policy.
    efsCsi Property Map
    The EFS CSI IAM policy.
    externalDns Property Map
    The External DNS IAM policy.
    externalSecrets Property Map
    The External Secrets policy.
    fsxLustreCsi Property Map
    The FSx for Lustre CSI Driver IAM policy.
    karpenterController Property Map
    The Karpenter Controller policy.
    loadBalancer Property Map
    The Load Balancer policy.
    nodeTerminationHandler Property Map
    The Node Termination Handler policy to the role.
    velero Property Map
    The Velero IAM policy.
    vpnCni Property Map
    The VPC CNI IAM policy to the role.

    EKSServiceAccountRole, EKSServiceAccountRoleArgs

    Description string
    IAM Role description.
    Name string
    IAM role name.
    NamePrefix string
    IAM role name prefix.
    Path string
    Path of admin IAM role.
    PermissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    PolicyArns List<string>
    List of policy ARNs to use for the role.
    Description string
    IAM Role description.
    Name string
    IAM role name.
    NamePrefix string
    IAM role name prefix.
    Path string
    Path of admin IAM role.
    PermissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    PolicyArns []string
    List of policy ARNs to use for the role.
    description String
    IAM Role description.
    name String
    IAM role name.
    namePrefix String
    IAM role name prefix.
    path String
    Path of admin IAM role.
    permissionsBoundaryArn String
    Permissions boundary ARN to use for the role.
    policyArns List<String>
    List of policy ARNs to use for the role.
    description string
    IAM Role description.
    name string
    IAM role name.
    namePrefix string
    IAM role name prefix.
    path string
    Path of admin IAM role.
    permissionsBoundaryArn string
    Permissions boundary ARN to use for the role.
    policyArns string[]
    List of policy ARNs to use for the role.
    description str
    IAM Role description.
    name str
    IAM role name.
    name_prefix str
    IAM role name prefix.
    path str
    Path of admin IAM role.
    permissions_boundary_arn str
    Permissions boundary ARN to use for the role.
    policy_arns Sequence[str]
    List of policy ARNs to use for the role.
    description String
    IAM Role description.
    name String
    IAM role name.
    namePrefix String
    IAM role name prefix.
    path String
    Path of admin IAM role.
    permissionsBoundaryArn String
    Permissions boundary ARN to use for the role.
    policyArns List<String>
    List of policy ARNs to use for the role.

    EKSVPNCNIPolicy, EKSVPNCNIPolicyArgs

    Attach bool
    Determines whether to attach the VPC CNI IAM policy to the role.
    EnableIpv4 bool
    Determines whether to enable IPv4 permissions for VPC CNI policy.
    EnableIpv6 bool
    Determines whether to enable IPv6 permissions for VPC CNI policy.
    Attach bool
    Determines whether to attach the VPC CNI IAM policy to the role.
    EnableIpv4 bool
    Determines whether to enable IPv4 permissions for VPC CNI policy.
    EnableIpv6 bool
    Determines whether to enable IPv6 permissions for VPC CNI policy.
    attach Boolean
    Determines whether to attach the VPC CNI IAM policy to the role.
    enableIpv4 Boolean
    Determines whether to enable IPv4 permissions for VPC CNI policy.
    enableIpv6 Boolean
    Determines whether to enable IPv6 permissions for VPC CNI policy.
    attach boolean
    Determines whether to attach the VPC CNI IAM policy to the role.
    enableIpv4 boolean
    Determines whether to enable IPv4 permissions for VPC CNI policy.
    enableIpv6 boolean
    Determines whether to enable IPv6 permissions for VPC CNI policy.
    attach bool
    Determines whether to attach the VPC CNI IAM policy to the role.
    enable_ipv4 bool
    Determines whether to enable IPv4 permissions for VPC CNI policy.
    enable_ipv6 bool
    Determines whether to enable IPv6 permissions for VPC CNI policy.
    attach Boolean
    Determines whether to attach the VPC CNI IAM policy to the role.
    enableIpv4 Boolean
    Determines whether to enable IPv4 permissions for VPC CNI policy.
    enableIpv6 Boolean
    Determines whether to enable IPv6 permissions for VPC CNI policy.

    EKSVeleroPolicy, EKSVeleroPolicyArgs

    Attach bool
    Determines whether to attach the Velero IAM policy to the role.
    S3BucketArns List<string>
    List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
    Attach bool
    Determines whether to attach the Velero IAM policy to the role.
    S3BucketArns []string
    List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
    attach Boolean
    Determines whether to attach the Velero IAM policy to the role.
    s3BucketArns List<String>
    List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
    attach boolean
    Determines whether to attach the Velero IAM policy to the role.
    s3BucketArns string[]
    List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
    attach bool
    Determines whether to attach the Velero IAM policy to the role.
    s3_bucket_arns Sequence[str]
    List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
    attach Boolean
    Determines whether to attach the Velero IAM policy to the role.
    s3BucketArns List<String>
    List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

    FSxLustreCSIPolicy, FSxLustreCSIPolicyArgs

    Attach bool
    Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
    ServiceRoleArns List<string>
    Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
    Attach bool
    Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
    ServiceRoleArns []string
    Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
    attach Boolean
    Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
    serviceRoleArns List<String>
    Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
    attach boolean
    Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
    serviceRoleArns string[]
    Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
    attach bool
    Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
    service_role_arns Sequence[str]
    Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
    attach Boolean
    Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
    serviceRoleArns List<String>
    Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

    OIDCProvider, OIDCProviderArgs

    Package Details

    Repository
    aws-iam
    License
    aws-iam logo
    AWS IAM v0.0.3 published on Wednesday, Jun 1, 2022 by Pulumi