aws logo
AWS Classic v5.34.0, Mar 30 23

aws.iam.Role

Provides an IAM role.

NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.

NOTE: If you use this resource’s managed_policy_arns argument or inline_policy configuration blocks, this resource will take over exclusive management of the role’s respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role’s policies, such as aws.iam.PolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.RolePolicy. If you attempt to manage a role’s policies by multiple means, you will get resource cycling and/or errors.

Example Usage

Basic Example

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var testRole = new Aws.Iam.Role("testRole", new()
    {
        AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = "sts:AssumeRole",
                    ["Effect"] = "Allow",
                    ["Sid"] = "",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["Service"] = "ec2.amazonaws.com",
                    },
                },
            },
        }),
        Tags = 
        {
            { "tag-key", "tag-value" },
        },
    });

});
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Sid":    "",
					"Principal": map[string]interface{}{
						"Service": "ec2.amazonaws.com",
					},
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = iam.NewRole(ctx, "testRole", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(json0),
			Tags: pulumi.StringMap{
				"tag-key": pulumi.String("tag-value"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var testRole = new Role("testRole", RoleArgs.builder()        
            .assumeRolePolicy(serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Action", "sts:AssumeRole"),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Sid", ""),
                        jsonProperty("Principal", jsonObject(
                            jsonProperty("Service", "ec2.amazonaws.com")
                        ))
                    )))
                )))
            .tags(Map.of("tag-key", "tag-value"))
            .build());

    }
}
import pulumi
import json
import pulumi_aws as aws

test_role = aws.iam.Role("testRole",
    assume_role_policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Sid": "",
            "Principal": {
                "Service": "ec2.amazonaws.com",
            },
        }],
    }),
    tags={
        "tag-key": "tag-value",
    })
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testRole = new aws.iam.Role("testRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Sid: "",
            Principal: {
                Service: "ec2.amazonaws.com",
            },
        }],
    }),
    tags: {
        "tag-key": "tag-value",
    },
});
resources:
  testRole:
    type: aws:iam:Role
    properties:
      assumeRolePolicy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action: sts:AssumeRole
              Effect: Allow
              Sid:
              Principal:
                Service: ec2.amazonaws.com
      tags:
        tag-key: tag-value

Example of Using Data Source for Assume Role Policy

using System.Collections.Generic;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var instanceAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "ec2.amazonaws.com",
                        },
                    },
                },
            },
        },
    });

    var instance = new Aws.Iam.Role("instance", new()
    {
        Path = "/system/",
        AssumeRolePolicy = instanceAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

});
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		instanceAssumeRolePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"sts:AssumeRole",
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Service",
							Identifiers: []string{
								"ec2.amazonaws.com",
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
			Path:             pulumi.String("/system/"),
			AssumeRolePolicy: *pulumi.String(instanceAssumeRolePolicy.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var instanceAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions("sts:AssumeRole")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("ec2.amazonaws.com")
                    .build())
                .build())
            .build());

        var instance = new Role("instance", RoleArgs.builder()        
            .path("/system/")
            .assumeRolePolicy(instanceAssumeRolePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

    }
}
import pulumi
import pulumi_aws as aws

instance_assume_role_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    actions=["sts:AssumeRole"],
    principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
        type="Service",
        identifiers=["ec2.amazonaws.com"],
    )],
)])
instance = aws.iam.Role("instance",
    path="/system/",
    assume_role_policy=instance_assume_role_policy.json)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const instanceAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["ec2.amazonaws.com"],
        }],
    }],
});
const instance = new aws.iam.Role("instance", {
    path: "/system/",
    assumeRolePolicy: instanceAssumeRolePolicy.then(instanceAssumeRolePolicy => instanceAssumeRolePolicy.json),
});
resources:
  instance:
    type: aws:iam:Role
    properties:
      path: /system/
      assumeRolePolicy: ${instanceAssumeRolePolicy.json}
variables:
  instanceAssumeRolePolicy:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - sts:AssumeRole
            principals:
              - type: Service
                identifiers:
                  - ec2.amazonaws.com

Example of Exclusive Inline Policies

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var inlinePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "ec2:DescribeAccountAttributes",
                },
                Resources = new[]
                {
                    "*",
                },
            },
        },
    });

    var example = new Aws.Iam.Role("example", new()
    {
        AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
        InlinePolicies = new[]
        {
            new Aws.Iam.Inputs.RoleInlinePolicyArgs
            {
                Name = "my_inline_policy",
                Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
                {
                    ["Version"] = "2012-10-17",
                    ["Statement"] = new[]
                    {
                        new Dictionary<string, object?>
                        {
                            ["Action"] = new[]
                            {
                                "ec2:Describe*",
                            },
                            ["Effect"] = "Allow",
                            ["Resource"] = "*",
                        },
                    },
                }),
            },
            new Aws.Iam.Inputs.RoleInlinePolicyArgs
            {
                Name = "policy-8675309",
                Policy = inlinePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            },
        },
    });

});
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		inlinePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"ec2:DescribeAccountAttributes",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"ec2:Describe*",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
			InlinePolicies: iam.RoleInlinePolicyArray{
				&iam.RoleInlinePolicyArgs{
					Name:   pulumi.String("my_inline_policy"),
					Policy: pulumi.String(json0),
				},
				&iam.RoleInlinePolicyArgs{
					Name:   pulumi.String("policy-8675309"),
					Policy: *pulumi.String(inlinePolicy.Json),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var inlinePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions("ec2:DescribeAccountAttributes")
                .resources("*")
                .build())
            .build());

        var example = new Role("example", RoleArgs.builder()        
            .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
            .inlinePolicies(            
                RoleInlinePolicyArgs.builder()
                    .name("my_inline_policy")
                    .policy(serializeJson(
                        jsonObject(
                            jsonProperty("Version", "2012-10-17"),
                            jsonProperty("Statement", jsonArray(jsonObject(
                                jsonProperty("Action", jsonArray("ec2:Describe*")),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Resource", "*")
                            )))
                        )))
                    .build(),
                RoleInlinePolicyArgs.builder()
                    .name("policy-8675309")
                    .policy(inlinePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                    .build())
            .build());

    }
}
import pulumi
import json
import pulumi_aws as aws

inline_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    actions=["ec2:DescribeAccountAttributes"],
    resources=["*"],
)])
example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    inline_policies=[
        aws.iam.RoleInlinePolicyArgs(
            name="my_inline_policy",
            policy=json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Action": ["ec2:Describe*"],
                    "Effect": "Allow",
                    "Resource": "*",
                }],
            }),
        ),
        aws.iam.RoleInlinePolicyArgs(
            name="policy-8675309",
            policy=inline_policy.json,
        ),
    ])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const inlinePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["ec2:DescribeAccountAttributes"],
        resources: ["*"],
    }],
});
const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    inlinePolicies: [
        {
            name: "my_inline_policy",
            policy: JSON.stringify({
                Version: "2012-10-17",
                Statement: [{
                    Action: ["ec2:Describe*"],
                    Effect: "Allow",
                    Resource: "*",
                }],
            }),
        },
        {
            name: "policy-8675309",
            policy: inlinePolicy.then(inlinePolicy => inlinePolicy.json),
        },
    ],
});
resources:
  example:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json} # (not shown)
      inlinePolicies:
        - name: my_inline_policy
          policy:
            fn::toJSON:
              Version: 2012-10-17
              Statement:
                - Action:
                    - ec2:Describe*
                  Effect: Allow
                  Resource: '*'
        - name: policy-8675309
          policy: ${inlinePolicy.json}
variables:
  inlinePolicy:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - ec2:DescribeAccountAttributes
            resources:
              - '*'

Example of Removing Inline Policies

using System.Collections.Generic;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Iam.Role("example", new()
    {
        AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
        InlinePolicies = new[]
        {
            null,
        },
    });

});
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
			InlinePolicies: iam.RoleInlinePolicyArray{
				nil,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Role("example", RoleArgs.builder()        
            .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
            .inlinePolicies()
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    inline_policies=[aws.iam.RoleInlinePolicyArgs()])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    inlinePolicies: [{}],
});
resources:
  example:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json} # (not shown)
      inlinePolicies:
        - {}

Example of Exclusive Managed Policies

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var policyOne = new Aws.Iam.Policy("policyOne", new()
    {
        PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = new[]
                    {
                        "ec2:Describe*",
                    },
                    ["Effect"] = "Allow",
                    ["Resource"] = "*",
                },
            },
        }),
    });

    var policyTwo = new Aws.Iam.Policy("policyTwo", new()
    {
        PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = new[]
                    {
                        "s3:ListAllMyBuckets",
                        "s3:ListBucket",
                        "s3:HeadBucket",
                    },
                    ["Effect"] = "Allow",
                    ["Resource"] = "*",
                },
            },
        }),
    });

    var example = new Aws.Iam.Role("example", new()
    {
        AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
        ManagedPolicyArns = new[]
        {
            policyOne.Arn,
            policyTwo.Arn,
        },
    });

});
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"ec2:Describe*",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		policyOne, err := iam.NewPolicy(ctx, "policyOne", &iam.PolicyArgs{
			Policy: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		tmpJSON1, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"s3:ListAllMyBuckets",
						"s3:ListBucket",
						"s3:HeadBucket",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json1 := string(tmpJSON1)
		policyTwo, err := iam.NewPolicy(ctx, "policyTwo", &iam.PolicyArgs{
			Policy: pulumi.String(json1),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
			ManagedPolicyArns: pulumi.StringArray{
				policyOne.Arn,
				policyTwo.Arn,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var policyOne = new Policy("policyOne", PolicyArgs.builder()        
            .policy(serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Action", jsonArray("ec2:Describe*")),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Resource", "*")
                    )))
                )))
            .build());

        var policyTwo = new Policy("policyTwo", PolicyArgs.builder()        
            .policy(serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Action", jsonArray(
                            "s3:ListAllMyBuckets", 
                            "s3:ListBucket", 
                            "s3:HeadBucket"
                        )),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Resource", "*")
                    )))
                )))
            .build());

        var example = new Role("example", RoleArgs.builder()        
            .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
            .managedPolicyArns(            
                policyOne.arn(),
                policyTwo.arn())
            .build());

    }
}
import pulumi
import json
import pulumi_aws as aws

policy_one = aws.iam.Policy("policyOne", policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}))
policy_two = aws.iam.Policy("policyTwo", policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:HeadBucket",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}))
example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    managed_policy_arns=[
        policy_one.arn,
        policy_two.arn,
    ])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const policyOne = new aws.iam.Policy("policyOne", {policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Action: ["ec2:Describe*"],
        Effect: "Allow",
        Resource: "*",
    }],
})});
const policyTwo = new aws.iam.Policy("policyTwo", {policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Action: [
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:HeadBucket",
        ],
        Effect: "Allow",
        Resource: "*",
    }],
})});
const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    managedPolicyArns: [
        policyOne.arn,
        policyTwo.arn,
    ],
});
resources:
  example:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json}
      # (not shown)
      managedPolicyArns:
        - ${policyOne.arn}
        - ${policyTwo.arn}
  policyOne:
    type: aws:iam:Policy
    properties:
      policy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action:
                - ec2:Describe*
              Effect: Allow
              Resource: '*'
  policyTwo:
    type: aws:iam:Policy
    properties:
      policy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action:
                - s3:ListAllMyBuckets
                - s3:ListBucket
                - s3:HeadBucket
              Effect: Allow
              Resource: '*'

Example of Removing Managed Policies

using System.Collections.Generic;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Iam.Role("example", new()
    {
        AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
        ManagedPolicyArns = new[] {},
    });

});
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy:  pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
			ManagedPolicyArns: pulumi.StringArray{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Role("example", RoleArgs.builder()        
            .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
            .managedPolicyArns()
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.iam.Role("example",
    assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
    managed_policy_arns=[])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.Role("example", {
    assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
    managedPolicyArns: [],
});
resources:
  example:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json}
      # (not shown)
      managedPolicyArns: []

Create Role Resource

new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);
@overload
def Role(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         assume_role_policy: Optional[str] = None,
         description: Optional[str] = None,
         force_detach_policies: Optional[bool] = None,
         inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
         managed_policy_arns: Optional[Sequence[str]] = None,
         max_session_duration: Optional[int] = None,
         name: Optional[str] = None,
         name_prefix: Optional[str] = None,
         path: Optional[str] = None,
         permissions_boundary: Optional[str] = None,
         tags: Optional[Mapping[str, str]] = None)
@overload
def Role(resource_name: str,
         args: RoleArgs,
         opts: Optional[ResourceOptions] = None)
func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)
public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)
public Role(String name, RoleArgs args)
public Role(String name, RoleArgs args, CustomResourceOptions options)
type: aws:iam:Role
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args RoleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Role Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Role resource accepts the following input properties:

AssumeRolePolicy string | string

Policy that grants an entity permission to assume the role.

Description string

Description of the role.

ForceDetachPolicies bool

Whether to force detaching any policies the role has before destroying it. Defaults to false.

InlinePolicies List<Pulumi.Aws.Iam.Inputs.RoleInlinePolicyArgs>

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

ManagedPolicyArns List<string>
MaxSessionDuration int

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

NamePrefix string

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

Path string

Path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

ARN of the policy that is used to set the permissions boundary for the role.

Tags Dictionary<string, string>

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

AssumeRolePolicy string | string

Policy that grants an entity permission to assume the role.

Description string

Description of the role.

ForceDetachPolicies bool

Whether to force detaching any policies the role has before destroying it. Defaults to false.

InlinePolicies []RoleInlinePolicyArgs

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

ManagedPolicyArns []string
MaxSessionDuration int

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

NamePrefix string

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

Path string

Path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

ARN of the policy that is used to set the permissions boundary for the role.

Tags map[string]string

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

assumeRolePolicy String | String

Policy that grants an entity permission to assume the role.

description String

Description of the role.

forceDetachPolicies Boolean

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inlinePolicies List<RoleInlinePolicyArgs>

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managedPolicyArns List<String>
maxSessionDuration Integer

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name String

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

namePrefix String

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path String

Path to the role. See IAM Identifiers for more information.

permissionsBoundary String

ARN of the policy that is used to set the permissions boundary for the role.

tags Map<String,String>

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

assumeRolePolicy string | PolicyDocument

Policy that grants an entity permission to assume the role.

description string

Description of the role.

forceDetachPolicies boolean

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inlinePolicies RoleInlinePolicyArgs[]

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managedPolicyArns string[]
maxSessionDuration number

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name string

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

namePrefix string

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path string

Path to the role. See IAM Identifiers for more information.

permissionsBoundary string

ARN of the policy that is used to set the permissions boundary for the role.

tags {[key: string]: string}

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

assume_role_policy str | str

Policy that grants an entity permission to assume the role.

description str

Description of the role.

force_detach_policies bool

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inline_policies Sequence[RoleInlinePolicyArgs]

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managed_policy_arns Sequence[str]
max_session_duration int

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name str

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

name_prefix str

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path str

Path to the role. See IAM Identifiers for more information.

permissions_boundary str

ARN of the policy that is used to set the permissions boundary for the role.

tags Mapping[str, str]

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

assumeRolePolicy String |

Policy that grants an entity permission to assume the role.

description String

Description of the role.

forceDetachPolicies Boolean

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inlinePolicies List<Property Map>

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managedPolicyArns List<String>
maxSessionDuration Number

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name String

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

namePrefix String

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path String

Path to the role. See IAM Identifiers for more information.

permissionsBoundary String

ARN of the policy that is used to set the permissions boundary for the role.

tags Map<String>

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Outputs

All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

Arn string

Amazon Resource Name (ARN) specifying the role.

CreateDate string

Creation date of the IAM role.

Id string

The provider-assigned unique ID for this managed resource.

TagsAll Dictionary<string, string>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

UniqueId string

Stable and unique string identifying the role.

Arn string

Amazon Resource Name (ARN) specifying the role.

CreateDate string

Creation date of the IAM role.

Id string

The provider-assigned unique ID for this managed resource.

TagsAll map[string]string

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

UniqueId string

Stable and unique string identifying the role.

arn String

Amazon Resource Name (ARN) specifying the role.

createDate String

Creation date of the IAM role.

id String

The provider-assigned unique ID for this managed resource.

tagsAll Map<String,String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

uniqueId String

Stable and unique string identifying the role.

arn string

Amazon Resource Name (ARN) specifying the role.

createDate string

Creation date of the IAM role.

id string

The provider-assigned unique ID for this managed resource.

tagsAll {[key: string]: string}

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

uniqueId string

Stable and unique string identifying the role.

arn str

Amazon Resource Name (ARN) specifying the role.

create_date str

Creation date of the IAM role.

id str

The provider-assigned unique ID for this managed resource.

tags_all Mapping[str, str]

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

unique_id str

Stable and unique string identifying the role.

arn String

Amazon Resource Name (ARN) specifying the role.

createDate String

Creation date of the IAM role.

id String

The provider-assigned unique ID for this managed resource.

tagsAll Map<String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

uniqueId String

Stable and unique string identifying the role.

Look up Existing Role Resource

Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        assume_role_policy: Optional[str] = None,
        create_date: Optional[str] = None,
        description: Optional[str] = None,
        force_detach_policies: Optional[bool] = None,
        inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
        managed_policy_arns: Optional[Sequence[str]] = None,
        max_session_duration: Optional[int] = None,
        name: Optional[str] = None,
        name_prefix: Optional[str] = None,
        path: Optional[str] = None,
        permissions_boundary: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        unique_id: Optional[str] = None) -> Role
func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)
public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)
public static Role get(String name, Output<String> id, RoleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Arn string

Amazon Resource Name (ARN) specifying the role.

AssumeRolePolicy string | string

Policy that grants an entity permission to assume the role.

CreateDate string

Creation date of the IAM role.

Description string

Description of the role.

ForceDetachPolicies bool

Whether to force detaching any policies the role has before destroying it. Defaults to false.

InlinePolicies List<Pulumi.Aws.Iam.Inputs.RoleInlinePolicyArgs>

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

ManagedPolicyArns List<string>
MaxSessionDuration int

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

NamePrefix string

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

Path string

Path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

ARN of the policy that is used to set the permissions boundary for the role.

Tags Dictionary<string, string>

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll Dictionary<string, string>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

UniqueId string

Stable and unique string identifying the role.

Arn string

Amazon Resource Name (ARN) specifying the role.

AssumeRolePolicy string | string

Policy that grants an entity permission to assume the role.

CreateDate string

Creation date of the IAM role.

Description string

Description of the role.

ForceDetachPolicies bool

Whether to force detaching any policies the role has before destroying it. Defaults to false.

InlinePolicies []RoleInlinePolicyArgs

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

ManagedPolicyArns []string
MaxSessionDuration int

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

Name string

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

NamePrefix string

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

Path string

Path to the role. See IAM Identifiers for more information.

PermissionsBoundary string

ARN of the policy that is used to set the permissions boundary for the role.

Tags map[string]string

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll map[string]string

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

UniqueId string

Stable and unique string identifying the role.

arn String

Amazon Resource Name (ARN) specifying the role.

assumeRolePolicy String | String

Policy that grants an entity permission to assume the role.

createDate String

Creation date of the IAM role.

description String

Description of the role.

forceDetachPolicies Boolean

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inlinePolicies List<RoleInlinePolicyArgs>

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managedPolicyArns List<String>
maxSessionDuration Integer

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name String

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

namePrefix String

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path String

Path to the role. See IAM Identifiers for more information.

permissionsBoundary String

ARN of the policy that is used to set the permissions boundary for the role.

tags Map<String,String>

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String,String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

uniqueId String

Stable and unique string identifying the role.

arn string

Amazon Resource Name (ARN) specifying the role.

assumeRolePolicy string | PolicyDocument

Policy that grants an entity permission to assume the role.

createDate string

Creation date of the IAM role.

description string

Description of the role.

forceDetachPolicies boolean

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inlinePolicies RoleInlinePolicyArgs[]

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managedPolicyArns string[]
maxSessionDuration number

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name string

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

namePrefix string

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path string

Path to the role. See IAM Identifiers for more information.

permissionsBoundary string

ARN of the policy that is used to set the permissions boundary for the role.

tags {[key: string]: string}

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll {[key: string]: string}

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

uniqueId string

Stable and unique string identifying the role.

arn str

Amazon Resource Name (ARN) specifying the role.

assume_role_policy str | str

Policy that grants an entity permission to assume the role.

create_date str

Creation date of the IAM role.

description str

Description of the role.

force_detach_policies bool

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inline_policies Sequence[RoleInlinePolicyArgs]

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managed_policy_arns Sequence[str]
max_session_duration int

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name str

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

name_prefix str

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path str

Path to the role. See IAM Identifiers for more information.

permissions_boundary str

ARN of the policy that is used to set the permissions boundary for the role.

tags Mapping[str, str]

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tags_all Mapping[str, str]

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

unique_id str

Stable and unique string identifying the role.

arn String

Amazon Resource Name (ARN) specifying the role.

assumeRolePolicy String |

Policy that grants an entity permission to assume the role.

createDate String

Creation date of the IAM role.

description String

Description of the role.

forceDetachPolicies Boolean

Whether to force detaching any policies the role has before destroying it. Defaults to false.

inlinePolicies List<Property Map>

Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

managedPolicyArns List<String>
maxSessionDuration Number

Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

name String

Friendly name of the role. If omitted, this provider will assign a random, unique name. See IAM Identifiers for more information.

namePrefix String

Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

path String

Path to the role. See IAM Identifiers for more information.

permissionsBoundary String

ARN of the policy that is used to set the permissions boundary for the role.

tags Map<String>

Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

uniqueId String

Stable and unique string identifying the role.

Supporting Types

RoleInlinePolicy

Name string

Name of the role policy.

Policy string

Policy document as a JSON formatted string.

Name string

Name of the role policy.

Policy string

Policy document as a JSON formatted string.

name String

Name of the role policy.

policy String

Policy document as a JSON formatted string.

name string

Name of the role policy.

policy string

Policy document as a JSON formatted string.

name str

Name of the role policy.

policy str

Policy document as a JSON formatted string.

name String

Name of the role policy.

policy String

Policy document as a JSON formatted string.

Import

IAM Roles can be imported using the name, e.g.,

 $ pulumi import aws:iam/role:Role developer developer_name

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes

This Pulumi package is based on the aws Terraform Provider.