aws-iam.RoleForServiceAccountsEks

This resources helps you create an IAM role which can be assumed by AWS EKS ServiceAccounts with optional policies for commonly used controllers/custom resources within EKS. The optional policies you can specify are:

  • Cert-Manager
  • Cluster Autoscaler
  • EBS CSI Driver
  • EFS CSI Driver
  • External DNS
  • External Secrets
  • FSx for Lustre CSI Driver
  • Karpenter
  • Load Balancer Controller
  • Load Balancer Controller Target Group Binding Only
  • App Mesh Controller
  • App Mesh Envoy Proxy
  • Managed Service for Prometheus
  • Node Termination Handler
  • Velero
  • VPC CNI

Example Usage

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;

class MyStack : Stack
{
    public MyStack()
    {
        var roleForServiceAccountEks = new RoleForServiceAccountsEks("role-for-service-account-eks", new RoleForServiceAccountsEksArgs
        {
            Role = new EKSServiceAccountRoleArgs
            {
                Name = "vpn-cni",
            },
            Tags = {
                {"Name", "vpc-cni-irsa"},
            },
            OidcProviders = {
                {"main", new OIDCProviderArgs
                {
                    ProviderArn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
                    NamespaceServiceAccounts = {"default:my-app", "canary:my-app"},
                }},
            },
            Policies = new EKSRolePoliciesArgs
            {
                VpnCni = new EKSVPNCNIPolicyArgs
                {
                    Attach = true,
                    EnableIpv4 = true,
                },
            },
        });

        this.RoleForServiceAccountEks = Output.Create<RoleForServiceAccountsEks>(roleForServiceAccountEks);
    }

    [Output]
    public Output<RoleForServiceAccountsEks> RoleForServiceAccountEks { get; set; }
}
package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        roleForServiceAccountsEKS, err := iam.NewRoleForServiceAccountsEks(ctx, "role-for-service-accounts-eks", &iam.RoleForServiceAccountsEksArgs{
            Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{
                Name: pulumi.String("vpc-cni"),
            }),
            Tags: pulumi.ToStringMap(map[string]string{
                "Name": "vpc-cni-irsa",
            }),
            OidcProviders: iam.OIDCProviderMap{
                "main": iam.OIDCProviderArgs{
                    ProviderArn:              pulumi.String("arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"),
                    NamespaceServiceAccounts: pulumi.ToStringArray([]string{"default:my-app", "canary:my-app"}),
                },
            },
            Policies: iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{
                VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{
                    Attach:     pulumi.Bool(true),
                    EnableIpv4: pulumi.BoolPtr(true),
                }),
            }),
        })
        if err != nil {
            return err
        }

        ctx.Export("roleForServiceAccountsEKS", roleForServiceAccountsEKS)

        return nil
    })
}

Coming soon!

import pulumi
import pulumi_aws_iam as iam

role_for_service_account_eks = iam.RoleForServiceAccountsEks(
    'role_for_service_account_eks',
    role=iam.RoleArgs(
        name='vpc-cni'
    ),
    tags={
        'Name': 'vpc-cni-irsa',
    },
    oidc_providers={
        'main': iam.OIDCProviderArgs(
            provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D',
            namespace_service_accounts=['default:my-app', 'canary:my-app'],
        ),
    },
    policies=iam.EKSRolePoliciesArgs(
        vpn_cni=iam.EKSVPNCNIPolicyArgs(
            attach=True,
            enable_ipv4=True,
        ),
    ),
)

pulumi.export('role_for_service_account_eks', role_for_service_account_eks)
import * as iam from "@pulumi/aws-iam";

export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks("aws-iam-example-role-for-service-accounts-eks", {
    role: {
        name: "vpc-cni"
    },
    tags: {
        Name: "vpc-cni-irsa",
    },
    oidcProviders: {
        main: {
            providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
            namespaceServiceAccounts: ["default:my-app", "canary:my-app"],
        }
    },
    policies: {
        vpnCni: {
            attach: true,
            enableIpv4: true,
        },
    },
});
name: awsiam-yaml
runtime: yaml
resources:
    roleForServiceAccountsEks:
        type: "aws-iam:index:RoleForServiceAccountsEks"
        properties:
            role:
                name: "vpc-cni"
            tags:
                Name: "vpc-cni-irsa"
            oidcProviders:
                main:
                    providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
                    namespaceServiceAccounts:
                        - "default:my-app"
                        - "canary:my-app"
            policies:
                vpnCni:
                    attach: true
                    enableIpv4: true
outputs:
    roleForServiceAccountsEks: ${roleForServiceAccountsEks}

Create RoleForServiceAccountsEks Resource

new RoleForServiceAccountsEks(name: string, args?: RoleForServiceAccountsEksArgs, opts?: CustomResourceOptions);
@overload
def RoleForServiceAccountsEks(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              assume_role_condition_test: Optional[str] = None,
                              force_detach_policies: Optional[bool] = None,
                              max_session_duration: Optional[int] = None,
                              oidc_providers: Optional[Mapping[str, OIDCProviderArgs]] = None,
                              policies: Optional[EKSRolePoliciesArgs] = None,
                              policy_name_prefix: Optional[str] = None,
                              role: Optional[EKSServiceAccountRoleArgs] = None,
                              tags: Optional[Mapping[str, str]] = None)
@overload
def RoleForServiceAccountsEks(resource_name: str,
                              args: Optional[RoleForServiceAccountsEksArgs] = None,
                              opts: Optional[ResourceOptions] = None)
func NewRoleForServiceAccountsEks(ctx *Context, name string, args *RoleForServiceAccountsEksArgs, opts ...ResourceOption) (*RoleForServiceAccountsEks, error)
public RoleForServiceAccountsEks(string name, RoleForServiceAccountsEksArgs? args = null, CustomResourceOptions? opts = null)
public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args)
public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args, CustomResourceOptions options)
type: aws-iam:RoleForServiceAccountsEks
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args RoleForServiceAccountsEksArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args RoleForServiceAccountsEksArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RoleForServiceAccountsEksArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RoleForServiceAccountsEksArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args RoleForServiceAccountsEksArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

RoleForServiceAccountsEks Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The RoleForServiceAccountsEks resource accepts the following input properties:

AssumeRoleConditionTest string

Name of the IAM condition operator to evaluate when assuming the role.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

OidcProviders Dictionary<string, Pulumi.AwsIam.Inputs.OIDCProviderArgs>

Map of OIDC providers.

Policies Pulumi.AwsIam.Inputs.EKSRolePoliciesArgs
PolicyNamePrefix string

IAM policy name prefix.

Role Pulumi.AwsIam.Inputs.EKSServiceAccountRoleArgs
Tags Dictionary<string, string>

A map of tags to add.

AssumeRoleConditionTest string

Name of the IAM condition operator to evaluate when assuming the role.

ForceDetachPolicies bool

Whether policies should be detached from this role when destroying.

MaxSessionDuration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

OidcProviders map[string]OIDCProviderArgs

Map of OIDC providers.

Policies EKSRolePoliciesArgs
PolicyNamePrefix string

IAM policy name prefix.

Role EKSServiceAccountRoleArgs
Tags map[string]string

A map of tags to add.

assumeRoleConditionTest String

Name of the IAM condition operator to evaluate when assuming the role.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Integer

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidcProviders Map<String,OIDCProviderArgs>

Map of OIDC providers.

policies EKSRolePoliciesArgs
policyNamePrefix String

IAM policy name prefix.

role EKSServiceAccountRoleArgs
tags Map<String,String>

A map of tags to add.

assumeRoleConditionTest string

Name of the IAM condition operator to evaluate when assuming the role.

forceDetachPolicies boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration number

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidcProviders {[key: string]: OIDCProviderArgs}

Map of OIDC providers.

policies EKSRolePoliciesArgs
policyNamePrefix string

IAM policy name prefix.

role EKSServiceAccountRoleArgs
tags {[key: string]: string}

A map of tags to add.

assume_role_condition_test str

Name of the IAM condition operator to evaluate when assuming the role.

force_detach_policies bool

Whether policies should be detached from this role when destroying.

max_session_duration int

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidc_providers Mapping[str, OIDCProviderArgs]

Map of OIDC providers.

policies EKSRolePoliciesArgs
policy_name_prefix str

IAM policy name prefix.

role EKSServiceAccountRoleArgs
tags Mapping[str, str]

A map of tags to add.

assumeRoleConditionTest String

Name of the IAM condition operator to evaluate when assuming the role.

forceDetachPolicies Boolean

Whether policies should be detached from this role when destroying.

maxSessionDuration Number

Maximum CLI/API session duration in seconds between 3600 and 43200.

oidcProviders Map<Property Map>

Map of OIDC providers.

policies Property Map
policyNamePrefix String

IAM policy name prefix.

role Property Map
tags Map<String>

A map of tags to add.

Outputs

All input properties are implicitly available as output properties. Additionally, the RoleForServiceAccountsEks resource produces the following output properties:

Supporting Types

EKSAmazonManagedServicePrometheusPolicy

Attach bool

Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.

WorkspaceArns List<string>

List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

Attach bool

Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.

WorkspaceArns []string

List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach Boolean

Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.

workspaceArns List<String>

List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach boolean

Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.

workspaceArns string[]

List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach bool

Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.

workspace_arns Sequence[str]

List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

attach Boolean

Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.

workspaceArns List<String>

List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.

EKSAppmeshPolicy

Controller bool

Determines whether to attach the Appmesh Controller policy to the role.

EnvoyProxy bool

Determines whether to attach the Appmesh envoy proxy policy to the role.

Controller bool

Determines whether to attach the Appmesh Controller policy to the role.

EnvoyProxy bool

Determines whether to attach the Appmesh envoy proxy policy to the role.

controller Boolean

Determines whether to attach the Appmesh Controller policy to the role.

envoyProxy Boolean

Determines whether to attach the Appmesh envoy proxy policy to the role.

controller boolean

Determines whether to attach the Appmesh Controller policy to the role.

envoyProxy boolean

Determines whether to attach the Appmesh envoy proxy policy to the role.

controller bool

Determines whether to attach the Appmesh Controller policy to the role.

envoy_proxy bool

Determines whether to attach the Appmesh envoy proxy policy to the role.

controller Boolean

Determines whether to attach the Appmesh Controller policy to the role.

envoyProxy Boolean

Determines whether to attach the Appmesh envoy proxy policy to the role.

EKSCertManagerPolicy

Attach bool

Determines whether to attach the Cert Manager IAM policy to the role.

HostedZoneArns List<string>

Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

Attach bool

Determines whether to attach the Cert Manager IAM policy to the role.

HostedZoneArns []string

Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean

Determines whether to attach the Cert Manager IAM policy to the role.

hostedZoneArns List<String>

Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach boolean

Determines whether to attach the Cert Manager IAM policy to the role.

hostedZoneArns string[]

Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach bool

Determines whether to attach the Cert Manager IAM policy to the role.

hosted_zone_arns Sequence[str]

Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean

Determines whether to attach the Cert Manager IAM policy to the role.

hostedZoneArns List<String>

Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

EKSClusterAutoscalerPolicy

Attach bool

Determines whether to attach the Cluster Autoscaler IAM policy to the role.

ClusterIds List<string>

List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

Attach bool

Determines whether to attach the Cluster Autoscaler IAM policy to the role.

ClusterIds []string

List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach Boolean

Determines whether to attach the Cluster Autoscaler IAM policy to the role.

clusterIds List<String>

List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach boolean

Determines whether to attach the Cluster Autoscaler IAM policy to the role.

clusterIds string[]

List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach bool

Determines whether to attach the Cluster Autoscaler IAM policy to the role.

cluster_ids Sequence[str]

List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

attach Boolean

Determines whether to attach the Cluster Autoscaler IAM policy to the role.

clusterIds List<String>

List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.

EKSEBSCSIPolicy

Attach bool

Determines whether to attach the EBS CSI IAM policy to the role.

KmsCmkIds List<string>

KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

Attach bool

Determines whether to attach the EBS CSI IAM policy to the role.

KmsCmkIds []string

KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach Boolean

Determines whether to attach the EBS CSI IAM policy to the role.

kmsCmkIds List<String>

KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach boolean

Determines whether to attach the EBS CSI IAM policy to the role.

kmsCmkIds string[]

KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach bool

Determines whether to attach the EBS CSI IAM policy to the role.

kms_cmk_ids Sequence[str]

KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

attach Boolean

Determines whether to attach the EBS CSI IAM policy to the role.

kmsCmkIds List<String>

KMS CMK IDs to allow EBS CSI to manage encrypted volumes.

EKSEFSCSIPolicy

Attach bool

Determines whether to attach the EFS CSI IAM policy to the role.

Attach bool

Determines whether to attach the EFS CSI IAM policy to the role.

attach Boolean

Determines whether to attach the EFS CSI IAM policy to the role.

attach boolean

Determines whether to attach the EFS CSI IAM policy to the role.

attach bool

Determines whether to attach the EFS CSI IAM policy to the role.

attach Boolean

Determines whether to attach the EFS CSI IAM policy to the role.

EKSExternalDNSPolicy

Attach bool

Determines whether to attach the External DNS IAM policy to the role.

HostedZoneArns List<string>

Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

Attach bool

Determines whether to attach the External DNS IAM policy to the role.

HostedZoneArns []string

Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean

Determines whether to attach the External DNS IAM policy to the role.

hostedZoneArns List<String>

Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach boolean

Determines whether to attach the External DNS IAM policy to the role.

hostedZoneArns string[]

Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach bool

Determines whether to attach the External DNS IAM policy to the role.

hosted_zone_arns Sequence[str]

Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

attach Boolean

Determines whether to attach the External DNS IAM policy to the role.

hostedZoneArns List<String>

Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.

EKSExternalSecretsPolicy

Attach bool

Determines whether to attach the External Secrets policy to the role.

SecretsManagerArns List<string>

List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.

SsmParameterArns List<string>

List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

Attach bool

Determines whether to attach the External Secrets policy to the role.

SecretsManagerArns []string

List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.

SsmParameterArns []string

List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach Boolean

Determines whether to attach the External Secrets policy to the role.

secretsManagerArns List<String>

List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.

ssmParameterArns List<String>

List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach boolean

Determines whether to attach the External Secrets policy to the role.

secretsManagerArns string[]

List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.

ssmParameterArns string[]

List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach bool

Determines whether to attach the External Secrets policy to the role.

secrets_manager_arns Sequence[str]

List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.

ssm_parameter_arns Sequence[str]

List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

attach Boolean

Determines whether to attach the External Secrets policy to the role.

secretsManagerArns List<String>

List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.

ssmParameterArns List<String>

List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.

EKSKarpenterControllerPolicy

Attach bool

Determines whether to attach the Karpenter Controller policy to the role.

ClusterId string

Cluster ID where the Karpenter controller is provisioned/managing.

NodeIamRoleArns List<string>

List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.

SsmParameterArns List<string>

List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.

SubnetAccountId string

Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.

TagKey string

Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

Attach bool

Determines whether to attach the Karpenter Controller policy to the role.

ClusterId string

Cluster ID where the Karpenter controller is provisioned/managing.

NodeIamRoleArns []string

List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.

SsmParameterArns []string

List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.

SubnetAccountId string

Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.

TagKey string

Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach Boolean

Determines whether to attach the Karpenter Controller policy to the role.

clusterId String

Cluster ID where the Karpenter controller is provisioned/managing.

nodeIamRoleArns List<String>

List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.

ssmParameterArns List<String>

List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.

subnetAccountId String

Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.

tagKey String

Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach boolean

Determines whether to attach the Karpenter Controller policy to the role.

clusterId string

Cluster ID where the Karpenter controller is provisioned/managing.

nodeIamRoleArns string[]

List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.

ssmParameterArns string[]

List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.

subnetAccountId string

Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.

tagKey string

Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach bool

Determines whether to attach the Karpenter Controller policy to the role.

cluster_id str

Cluster ID where the Karpenter controller is provisioned/managing.

node_iam_role_arns Sequence[str]

List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.

ssm_parameter_arns Sequence[str]

List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.

subnet_account_id str

Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.

tag_key str

Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

attach Boolean

Determines whether to attach the Karpenter Controller policy to the role.

clusterId String

Cluster ID where the Karpenter controller is provisioned/managing.

nodeIamRoleArns List<String>

List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.

ssmParameterArns List<String>

List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.

subnetAccountId String

Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.

tagKey String

Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.

EKSLoadBalancerPolicy

Controller bool

Determines whether to attach the Load Balancer Controller policy to the role.

TargetGroupBindingOnly bool

Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

Controller bool

Determines whether to attach the Load Balancer Controller policy to the role.

TargetGroupBindingOnly bool

Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller Boolean

Determines whether to attach the Load Balancer Controller policy to the role.

targetGroupBindingOnly Boolean

Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller boolean

Determines whether to attach the Load Balancer Controller policy to the role.

targetGroupBindingOnly boolean

Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller bool

Determines whether to attach the Load Balancer Controller policy to the role.

target_group_binding_only bool

Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

controller Boolean

Determines whether to attach the Load Balancer Controller policy to the role.

targetGroupBindingOnly Boolean

Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.

EKSNodeTerminationHandlerPolicy

Attach bool

Determines whether to attach the Node Termination Handler policy to the role.

SqsQueueArns List<string>

List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

Attach bool

Determines whether to attach the Node Termination Handler policy to the role.

SqsQueueArns []string

List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach Boolean

Determines whether to attach the Node Termination Handler policy to the role.

sqsQueueArns List<String>

List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach boolean

Determines whether to attach the Node Termination Handler policy to the role.

sqsQueueArns string[]

List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach bool

Determines whether to attach the Node Termination Handler policy to the role.

sqs_queue_arns Sequence[str]

List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

attach Boolean

Determines whether to attach the Node Termination Handler policy to the role.

sqsQueueArns List<String>

List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.

EKSRolePolicies

AmazonManagedServicePrometheus Pulumi.AwsIam.Inputs.EKSAmazonManagedServicePrometheusPolicy

The Amazon Managed Service for Prometheus IAM policy.

Appmesh Pulumi.AwsIam.Inputs.EKSAppmeshPolicy

The Appmesh policies.

CertManager Pulumi.AwsIam.Inputs.EKSCertManagerPolicy

The Cert Manager IAM policy.

ClusterAutoScaling Pulumi.AwsIam.Inputs.EKSClusterAutoscalerPolicy

The Cluster Autoscaler IAM policy.

EbsCsi Pulumi.AwsIam.Inputs.EKSEBSCSIPolicy

The EBS CSI IAM policy.

EfsCsi Pulumi.AwsIam.Inputs.EKSEFSCSIPolicy

The EFS CSI IAM policy.

ExternalDns Pulumi.AwsIam.Inputs.EKSExternalDNSPolicy

The External DNS IAM policy.

ExternalSecrets Pulumi.AwsIam.Inputs.EKSExternalSecretsPolicy

The External Secrets policy.

FsxLustreCsi Pulumi.AwsIam.Inputs.FSxLustreCSIPolicy

The FSx for Lustre CSI Driver IAM policy.

KarpenterController Pulumi.AwsIam.Inputs.EKSKarpenterControllerPolicy

The Karpenter Controller policy.

LoadBalancer Pulumi.AwsIam.Inputs.EKSLoadBalancerPolicy

The Load Balancer policy.

NodeTerminationHandler Pulumi.AwsIam.Inputs.EKSNodeTerminationHandlerPolicy

The Node Termination Handler policy to the role.

Velero Pulumi.AwsIam.Inputs.EKSVeleroPolicy

The Velero IAM policy.

VpnCni Pulumi.AwsIam.Inputs.EKSVPNCNIPolicy

The VPC CNI IAM policy to the role.

AmazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy

The Amazon Managed Service for Prometheus IAM policy.

Appmesh EKSAppmeshPolicy

The Appmesh policies.

CertManager EKSCertManagerPolicy

The Cert Manager IAM policy.

ClusterAutoScaling EKSClusterAutoscalerPolicy

The Cluster Autoscaler IAM policy.

EbsCsi EKSEBSCSIPolicy

The EBS CSI IAM policy.

EfsCsi EKSEFSCSIPolicy

The EFS CSI IAM policy.

ExternalDns EKSExternalDNSPolicy

The External DNS IAM policy.

ExternalSecrets EKSExternalSecretsPolicy

The External Secrets policy.

FsxLustreCsi FSxLustreCSIPolicy

The FSx for Lustre CSI Driver IAM policy.

KarpenterController EKSKarpenterControllerPolicy

The Karpenter Controller policy.

LoadBalancer EKSLoadBalancerPolicy

The Load Balancer policy.

NodeTerminationHandler EKSNodeTerminationHandlerPolicy

The Node Termination Handler policy to the role.

Velero EKSVeleroPolicy

The Velero IAM policy.

VpnCni EKSVPNCNIPolicy

The VPC CNI IAM policy to the role.

amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy

The Amazon Managed Service for Prometheus IAM policy.

appmesh EKSAppmeshPolicy

The Appmesh policies.

certManager EKSCertManagerPolicy

The Cert Manager IAM policy.

clusterAutoScaling EKSClusterAutoscalerPolicy

The Cluster Autoscaler IAM policy.

ebsCsi EKSEBSCSIPolicy

The EBS CSI IAM policy.

efsCsi EKSEFSCSIPolicy

The EFS CSI IAM policy.

externalDns EKSExternalDNSPolicy

The External DNS IAM policy.

externalSecrets EKSExternalSecretsPolicy

The External Secrets policy.

fsxLustreCsi FSxLustreCSIPolicy

The FSx for Lustre CSI Driver IAM policy.

karpenterController EKSKarpenterControllerPolicy

The Karpenter Controller policy.

loadBalancer EKSLoadBalancerPolicy

The Load Balancer policy.

nodeTerminationHandler EKSNodeTerminationHandlerPolicy

The Node Termination Handler policy to the role.

velero EKSVeleroPolicy

The Velero IAM policy.

vpnCni EKSVPNCNIPolicy

The VPC CNI IAM policy to the role.

amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy

The Amazon Managed Service for Prometheus IAM policy.

appmesh EKSAppmeshPolicy

The Appmesh policies.

certManager EKSCertManagerPolicy

The Cert Manager IAM policy.

clusterAutoScaling EKSClusterAutoscalerPolicy

The Cluster Autoscaler IAM policy.

ebsCsi EKSEBSCSIPolicy

The EBS CSI IAM policy.

efsCsi EKSEFSCSIPolicy

The EFS CSI IAM policy.

externalDns EKSExternalDNSPolicy

The External DNS IAM policy.

externalSecrets EKSExternalSecretsPolicy

The External Secrets policy.

fsxLustreCsi FSxLustreCSIPolicy

The FSx for Lustre CSI Driver IAM policy.

karpenterController EKSKarpenterControllerPolicy

The Karpenter Controller policy.

loadBalancer EKSLoadBalancerPolicy

The Load Balancer policy.

nodeTerminationHandler EKSNodeTerminationHandlerPolicy

The Node Termination Handler policy to the role.

velero EKSVeleroPolicy

The Velero IAM policy.

vpnCni EKSVPNCNIPolicy

The VPC CNI IAM policy to the role.

amazon_managed_service_prometheus EKSAmazonManagedServicePrometheusPolicy

The Amazon Managed Service for Prometheus IAM policy.

appmesh EKSAppmeshPolicy

The Appmesh policies.

cert_manager EKSCertManagerPolicy

The Cert Manager IAM policy.

cluster_auto_scaling EKSClusterAutoscalerPolicy

The Cluster Autoscaler IAM policy.

ebs_csi EKSEBSCSIPolicy

The EBS CSI IAM policy.

efs_csi EKSEFSCSIPolicy

The EFS CSI IAM policy.

external_dns EKSExternalDNSPolicy

The External DNS IAM policy.

external_secrets EKSExternalSecretsPolicy

The External Secrets policy.

fsx_lustre_csi FSxLustreCSIPolicy

The FSx for Lustre CSI Driver IAM policy.

karpenter_controller EKSKarpenterControllerPolicy

The Karpenter Controller policy.

load_balancer EKSLoadBalancerPolicy

The Load Balancer policy.

node_termination_handler EKSNodeTerminationHandlerPolicy

The Node Termination Handler policy to the role.

velero EKSVeleroPolicy

The Velero IAM policy.

vpn_cni EKSVPNCNIPolicy

The VPC CNI IAM policy to the role.

amazonManagedServicePrometheus Property Map

The Amazon Managed Service for Prometheus IAM policy.

appmesh Property Map

The Appmesh policies.

certManager Property Map

The Cert Manager IAM policy.

clusterAutoScaling Property Map

The Cluster Autoscaler IAM policy.

ebsCsi Property Map

The EBS CSI IAM policy.

efsCsi Property Map

The EFS CSI IAM policy.

externalDns Property Map

The External DNS IAM policy.

externalSecrets Property Map

The External Secrets policy.

fsxLustreCsi Property Map

The FSx for Lustre CSI Driver IAM policy.

karpenterController Property Map

The Karpenter Controller policy.

loadBalancer Property Map

The Load Balancer policy.

nodeTerminationHandler Property Map

The Node Termination Handler policy to the role.

velero Property Map

The Velero IAM policy.

vpnCni Property Map

The VPC CNI IAM policy to the role.

EKSServiceAccountRole

Description string

IAM Role description.

Name string

IAM role name.

NamePrefix string

IAM role name prefix.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns List<string>

List of policy ARNs to use for the role.

Description string

IAM Role description.

Name string

IAM role name.

NamePrefix string

IAM role name prefix.

Path string

Path of admin IAM role.

PermissionsBoundaryArn string

Permissions boundary ARN to use for the role.

PolicyArns []string

List of policy ARNs to use for the role.

description String

IAM Role description.

name String

IAM role name.

namePrefix String

IAM role name prefix.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.

description string

IAM Role description.

name string

IAM role name.

namePrefix string

IAM role name prefix.

path string

Path of admin IAM role.

permissionsBoundaryArn string

Permissions boundary ARN to use for the role.

policyArns string[]

List of policy ARNs to use for the role.

description str

IAM Role description.

name str

IAM role name.

name_prefix str

IAM role name prefix.

path str

Path of admin IAM role.

permissions_boundary_arn str

Permissions boundary ARN to use for the role.

policy_arns Sequence[str]

List of policy ARNs to use for the role.

description String

IAM Role description.

name String

IAM role name.

namePrefix String

IAM role name prefix.

path String

Path of admin IAM role.

permissionsBoundaryArn String

Permissions boundary ARN to use for the role.

policyArns List<String>

List of policy ARNs to use for the role.

EKSVPNCNIPolicy

Attach bool

Determines whether to attach the VPC CNI IAM policy to the role.

EnableIpv4 bool

Determines whether to enable IPv4 permissions for VPC CNI policy.

EnableIpv6 bool

Determines whether to enable IPv6 permissions for VPC CNI policy.

Attach bool

Determines whether to attach the VPC CNI IAM policy to the role.

EnableIpv4 bool

Determines whether to enable IPv4 permissions for VPC CNI policy.

EnableIpv6 bool

Determines whether to enable IPv6 permissions for VPC CNI policy.

attach Boolean

Determines whether to attach the VPC CNI IAM policy to the role.

enableIpv4 Boolean

Determines whether to enable IPv4 permissions for VPC CNI policy.

enableIpv6 Boolean

Determines whether to enable IPv6 permissions for VPC CNI policy.

attach boolean

Determines whether to attach the VPC CNI IAM policy to the role.

enableIpv4 boolean

Determines whether to enable IPv4 permissions for VPC CNI policy.

enableIpv6 boolean

Determines whether to enable IPv6 permissions for VPC CNI policy.

attach bool

Determines whether to attach the VPC CNI IAM policy to the role.

enable_ipv4 bool

Determines whether to enable IPv4 permissions for VPC CNI policy.

enable_ipv6 bool

Determines whether to enable IPv6 permissions for VPC CNI policy.

attach Boolean

Determines whether to attach the VPC CNI IAM policy to the role.

enableIpv4 Boolean

Determines whether to enable IPv4 permissions for VPC CNI policy.

enableIpv6 Boolean

Determines whether to enable IPv6 permissions for VPC CNI policy.

EKSVeleroPolicy

Attach bool

Determines whether to attach the Velero IAM policy to the role.

S3BucketArns List<string>

List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

Attach bool

Determines whether to attach the Velero IAM policy to the role.

S3BucketArns []string

List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach Boolean

Determines whether to attach the Velero IAM policy to the role.

s3BucketArns List<String>

List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach boolean

Determines whether to attach the Velero IAM policy to the role.

s3BucketArns string[]

List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach bool

Determines whether to attach the Velero IAM policy to the role.

s3_bucket_arns Sequence[str]

List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

attach Boolean

Determines whether to attach the Velero IAM policy to the role.

s3BucketArns List<String>

List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.

FSxLustreCSIPolicy

Attach bool

Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.

ServiceRoleArns List<string>

Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

Attach bool

Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.

ServiceRoleArns []string

Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach Boolean

Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.

serviceRoleArns List<String>

Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach boolean

Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.

serviceRoleArns string[]

Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach bool

Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.

service_role_arns Sequence[str]

Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

attach Boolean

Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.

serviceRoleArns List<String>

Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.

OIDCProvider

Package Details

Repository
aws-iam
License