1. Packages
  2. AWS Classic
  3. API Docs
  4. iam
  5. Role

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.2.1 published on Friday, Sep 22, 2023 by Pulumi

aws.iam.Role

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.2.1 published on Friday, Sep 22, 2023 by Pulumi

    Provides an IAM role.

    NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.

    NOTE: If you use this resource’s managed_policy_arns argument or inline_policy configuration blocks, this resource will take over exclusive management of the role’s respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role’s policies, such as aws.iam.PolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.RolePolicy. If you attempt to manage a role’s policies by multiple means, you will get resource cycling and/or errors.

    Example Usage

    Basic Example

    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var testRole = new Aws.Iam.Role("testRole", new()
        {
            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["Action"] = "sts:AssumeRole",
                        ["Effect"] = "Allow",
                        ["Sid"] = "",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["Service"] = "ec2.amazonaws.com",
                        },
                    },
                },
            }),
            Tags = 
            {
                { "tag-key", "tag-value" },
            },
        });
    
    });
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"Version": "2012-10-17",
    			"Statement": []map[string]interface{}{
    				map[string]interface{}{
    					"Action": "sts:AssumeRole",
    					"Effect": "Allow",
    					"Sid":    "",
    					"Principal": map[string]interface{}{
    						"Service": "ec2.amazonaws.com",
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		_, err = iam.NewRole(ctx, "testRole", &iam.RoleArgs{
    			AssumeRolePolicy: pulumi.String(json0),
    			Tags: pulumi.StringMap{
    				"tag-key": pulumi.String("tag-value"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var testRole = new Role("testRole", RoleArgs.builder()        
                .assumeRolePolicy(serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2012-10-17"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Action", "sts:AssumeRole"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Sid", ""),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("Service", "ec2.amazonaws.com")
                            ))
                        )))
                    )))
                .tags(Map.of("tag-key", "tag-value"))
                .build());
    
        }
    }
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    test_role = aws.iam.Role("testRole",
        assume_role_policy=json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Sid": "",
                "Principal": {
                    "Service": "ec2.amazonaws.com",
                },
            }],
        }),
        tags={
            "tag-key": "tag-value",
        })
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const testRole = new aws.iam.Role("testRole", {
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Action: "sts:AssumeRole",
                Effect: "Allow",
                Sid: "",
                Principal: {
                    Service: "ec2.amazonaws.com",
                },
            }],
        }),
        tags: {
            "tag-key": "tag-value",
        },
    });
    
    resources:
      testRole:
        type: aws:iam:Role
        properties:
          assumeRolePolicy:
            fn::toJSON:
              Version: 2012-10-17
              Statement:
                - Action: sts:AssumeRole
                  Effect: Allow
                  Sid:
                  Principal:
                    Service: ec2.amazonaws.com
          tags:
            tag-key: tag-value
    

    Example of Using Data Source for Assume Role Policy

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var instanceAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "ec2.amazonaws.com",
                            },
                        },
                    },
                },
            },
        });
    
        var instance = new Aws.Iam.Role("instance", new()
        {
            Path = "/system/",
            AssumeRolePolicy = instanceAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		instanceAssumeRolePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"ec2.amazonaws.com",
    							},
    						},
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
    			Path:             pulumi.String("/system/"),
    			AssumeRolePolicy: *pulumi.String(instanceAssumeRolePolicy.Json),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var instanceAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .actions("sts:AssumeRole")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("ec2.amazonaws.com")
                        .build())
                    .build())
                .build());
    
            var instance = new Role("instance", RoleArgs.builder()        
                .path("/system/")
                .assumeRolePolicy(instanceAssumeRolePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    instance_assume_role_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        actions=["sts:AssumeRole"],
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["ec2.amazonaws.com"],
        )],
    )])
    instance = aws.iam.Role("instance",
        path="/system/",
        assume_role_policy=instance_assume_role_policy.json)
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const instanceAssumeRolePolicy = aws.iam.getPolicyDocument({
        statements: [{
            actions: ["sts:AssumeRole"],
            principals: [{
                type: "Service",
                identifiers: ["ec2.amazonaws.com"],
            }],
        }],
    });
    const instance = new aws.iam.Role("instance", {
        path: "/system/",
        assumeRolePolicy: instanceAssumeRolePolicy.then(instanceAssumeRolePolicy => instanceAssumeRolePolicy.json),
    });
    
    resources:
      instance:
        type: aws:iam:Role
        properties:
          path: /system/
          assumeRolePolicy: ${instanceAssumeRolePolicy.json}
    variables:
      instanceAssumeRolePolicy:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - sts:AssumeRole
                principals:
                  - type: Service
                    identifiers:
                      - ec2.amazonaws.com
    

    Example of Exclusive Inline Policies

    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var inlinePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "ec2:DescribeAccountAttributes",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        var example = new Aws.Iam.Role("example", new()
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            InlinePolicies = new[]
            {
                new Aws.Iam.Inputs.RoleInlinePolicyArgs
                {
                    Name = "my_inline_policy",
                    Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
                    {
                        ["Version"] = "2012-10-17",
                        ["Statement"] = new[]
                        {
                            new Dictionary<string, object?>
                            {
                                ["Action"] = new[]
                                {
                                    "ec2:Describe*",
                                },
                                ["Effect"] = "Allow",
                                ["Resource"] = "*",
                            },
                        },
                    }),
                },
                new Aws.Iam.Inputs.RoleInlinePolicyArgs
                {
                    Name = "policy-8675309",
                    Policy = inlinePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		inlinePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"ec2:DescribeAccountAttributes",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"Version": "2012-10-17",
    			"Statement": []map[string]interface{}{
    				map[string]interface{}{
    					"Action": []string{
    						"ec2:Describe*",
    					},
    					"Effect":   "Allow",
    					"Resource": "*",
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
    			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
    			InlinePolicies: iam.RoleInlinePolicyArray{
    				&iam.RoleInlinePolicyArgs{
    					Name:   pulumi.String("my_inline_policy"),
    					Policy: pulumi.String(json0),
    				},
    				&iam.RoleInlinePolicyArgs{
    					Name:   pulumi.String("policy-8675309"),
    					Policy: *pulumi.String(inlinePolicy.Json),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var inlinePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:DescribeAccountAttributes")
                    .resources("*")
                    .build())
                .build());
    
            var example = new Role("example", RoleArgs.builder()        
                .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
                .inlinePolicies(            
                    RoleInlinePolicyArgs.builder()
                        .name("my_inline_policy")
                        .policy(serializeJson(
                            jsonObject(
                                jsonProperty("Version", "2012-10-17"),
                                jsonProperty("Statement", jsonArray(jsonObject(
                                    jsonProperty("Action", jsonArray("ec2:Describe*")),
                                    jsonProperty("Effect", "Allow"),
                                    jsonProperty("Resource", "*")
                                )))
                            )))
                        .build(),
                    RoleInlinePolicyArgs.builder()
                        .name("policy-8675309")
                        .policy(inlinePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                        .build())
                .build());
    
        }
    }
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    inline_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        actions=["ec2:DescribeAccountAttributes"],
        resources=["*"],
    )])
    example = aws.iam.Role("example",
        assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
        inline_policies=[
            aws.iam.RoleInlinePolicyArgs(
                name="my_inline_policy",
                policy=json.dumps({
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Action": ["ec2:Describe*"],
                        "Effect": "Allow",
                        "Resource": "*",
                    }],
                }),
            ),
            aws.iam.RoleInlinePolicyArgs(
                name="policy-8675309",
                policy=inline_policy.json,
            ),
        ])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const inlinePolicy = aws.iam.getPolicyDocument({
        statements: [{
            actions: ["ec2:DescribeAccountAttributes"],
            resources: ["*"],
        }],
    });
    const example = new aws.iam.Role("example", {
        assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
        inlinePolicies: [
            {
                name: "my_inline_policy",
                policy: JSON.stringify({
                    Version: "2012-10-17",
                    Statement: [{
                        Action: ["ec2:Describe*"],
                        Effect: "Allow",
                        Resource: "*",
                    }],
                }),
            },
            {
                name: "policy-8675309",
                policy: inlinePolicy.then(inlinePolicy => inlinePolicy.json),
            },
        ],
    });
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json} # (not shown)
          inlinePolicies:
            - name: my_inline_policy
              policy:
                fn::toJSON:
                  Version: 2012-10-17
                  Statement:
                    - Action:
                        - ec2:Describe*
                      Effect: Allow
                      Resource: '*'
            - name: policy-8675309
              policy: ${inlinePolicy.json}
    variables:
      inlinePolicy:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - ec2:DescribeAccountAttributes
                resources:
                  - '*'
    

    Example of Removing Inline Policies

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Iam.Role("example", new()
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            InlinePolicies = new[]
            {
                null,
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
    			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
    			InlinePolicies: iam.RoleInlinePolicyArray{
    				nil,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Role("example", RoleArgs.builder()        
                .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
                .inlinePolicies()
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.iam.Role("example",
        assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
        inline_policies=[aws.iam.RoleInlinePolicyArgs()])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.iam.Role("example", {
        assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
        inlinePolicies: [{}],
    });
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json} # (not shown)
          inlinePolicies:
            - {}
    

    Example of Exclusive Managed Policies

    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var policyOne = new Aws.Iam.Policy("policyOne", new()
        {
            PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["Action"] = new[]
                        {
                            "ec2:Describe*",
                        },
                        ["Effect"] = "Allow",
                        ["Resource"] = "*",
                    },
                },
            }),
        });
    
        var policyTwo = new Aws.Iam.Policy("policyTwo", new()
        {
            PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["Action"] = new[]
                        {
                            "s3:ListAllMyBuckets",
                            "s3:ListBucket",
                            "s3:HeadBucket",
                        },
                        ["Effect"] = "Allow",
                        ["Resource"] = "*",
                    },
                },
            }),
        });
    
        var example = new Aws.Iam.Role("example", new()
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            ManagedPolicyArns = new[]
            {
                policyOne.Arn,
                policyTwo.Arn,
            },
        });
    
    });
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"Version": "2012-10-17",
    			"Statement": []map[string]interface{}{
    				map[string]interface{}{
    					"Action": []string{
    						"ec2:Describe*",
    					},
    					"Effect":   "Allow",
    					"Resource": "*",
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		policyOne, err := iam.NewPolicy(ctx, "policyOne", &iam.PolicyArgs{
    			Policy: pulumi.String(json0),
    		})
    		if err != nil {
    			return err
    		}
    		tmpJSON1, err := json.Marshal(map[string]interface{}{
    			"Version": "2012-10-17",
    			"Statement": []map[string]interface{}{
    				map[string]interface{}{
    					"Action": []string{
    						"s3:ListAllMyBuckets",
    						"s3:ListBucket",
    						"s3:HeadBucket",
    					},
    					"Effect":   "Allow",
    					"Resource": "*",
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json1 := string(tmpJSON1)
    		policyTwo, err := iam.NewPolicy(ctx, "policyTwo", &iam.PolicyArgs{
    			Policy: pulumi.String(json1),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
    			AssumeRolePolicy: pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
    			ManagedPolicyArns: pulumi.StringArray{
    				policyOne.Arn,
    				policyTwo.Arn,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Policy;
    import com.pulumi.aws.iam.PolicyArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var policyOne = new Policy("policyOne", PolicyArgs.builder()        
                .policy(serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2012-10-17"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Action", jsonArray("ec2:Describe*")),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Resource", "*")
                        )))
                    )))
                .build());
    
            var policyTwo = new Policy("policyTwo", PolicyArgs.builder()        
                .policy(serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2012-10-17"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Action", jsonArray(
                                "s3:ListAllMyBuckets", 
                                "s3:ListBucket", 
                                "s3:HeadBucket"
                            )),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Resource", "*")
                        )))
                    )))
                .build());
    
            var example = new Role("example", RoleArgs.builder()        
                .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
                .managedPolicyArns(            
                    policyOne.arn(),
                    policyTwo.arn())
                .build());
    
        }
    }
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    policy_one = aws.iam.Policy("policyOne", policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["ec2:Describe*"],
            "Effect": "Allow",
            "Resource": "*",
        }],
    }))
    policy_two = aws.iam.Policy("policyTwo", policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:HeadBucket",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }],
    }))
    example = aws.iam.Role("example",
        assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
        managed_policy_arns=[
            policy_one.arn,
            policy_two.arn,
        ])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const policyOne = new aws.iam.Policy("policyOne", {policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: ["ec2:Describe*"],
            Effect: "Allow",
            Resource: "*",
        }],
    })});
    const policyTwo = new aws.iam.Policy("policyTwo", {policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:HeadBucket",
            ],
            Effect: "Allow",
            Resource: "*",
        }],
    })});
    const example = new aws.iam.Role("example", {
        assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
        managedPolicyArns: [
            policyOne.arn,
            policyTwo.arn,
        ],
    });
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json}
          # (not shown)
          managedPolicyArns:
            - ${policyOne.arn}
            - ${policyTwo.arn}
      policyOne:
        type: aws:iam:Policy
        properties:
          policy:
            fn::toJSON:
              Version: 2012-10-17
              Statement:
                - Action:
                    - ec2:Describe*
                  Effect: Allow
                  Resource: '*'
      policyTwo:
        type: aws:iam:Policy
        properties:
          policy:
            fn::toJSON:
              Version: 2012-10-17
              Statement:
                - Action:
                    - s3:ListAllMyBuckets
                    - s3:ListBucket
                    - s3:HeadBucket
                  Effect: Allow
                  Resource: '*'
    

    Example of Removing Managed Policies

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Iam.Role("example", new()
        {
            AssumeRolePolicy = data.Aws_iam_policy_document.Instance_assume_role_policy.Json,
            ManagedPolicyArns = new[] {},
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
    			AssumeRolePolicy:  pulumi.Any(data.Aws_iam_policy_document.Instance_assume_role_policy.Json),
    			ManagedPolicyArns: pulumi.StringArray{},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Role("example", RoleArgs.builder()        
                .assumeRolePolicy(data.aws_iam_policy_document().instance_assume_role_policy().json())
                .managedPolicyArns()
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.iam.Role("example",
        assume_role_policy=data["aws_iam_policy_document"]["instance_assume_role_policy"]["json"],
        managed_policy_arns=[])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.iam.Role("example", {
        assumeRolePolicy: data.aws_iam_policy_document.instance_assume_role_policy.json,
        managedPolicyArns: [],
    });
    
    resources:
      example:
        type: aws:iam:Role
        properties:
          assumeRolePolicy: ${data.aws_iam_policy_document.instance_assume_role_policy.json}
          # (not shown)
          managedPolicyArns: []
    

    Create Role Resource

    new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);
    @overload
    def Role(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             assume_role_policy: Optional[str] = None,
             description: Optional[str] = None,
             force_detach_policies: Optional[bool] = None,
             inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
             managed_policy_arns: Optional[Sequence[str]] = None,
             max_session_duration: Optional[int] = None,
             name: Optional[str] = None,
             name_prefix: Optional[str] = None,
             path: Optional[str] = None,
             permissions_boundary: Optional[str] = None,
             tags: Optional[Mapping[str, str]] = None)
    @overload
    def Role(resource_name: str,
             args: RoleArgs,
             opts: Optional[ResourceOptions] = None)
    func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)
    public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)
    public Role(String name, RoleArgs args)
    public Role(String name, RoleArgs args, CustomResourceOptions options)
    
    type: aws:iam:Role
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Role Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Role resource accepts the following input properties:

    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    Description string

    Description of the role.

    ForceDetachPolicies bool

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    InlinePolicies List<RoleInlinePolicy>

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    ManagedPolicyArns List<string>
    MaxSessionDuration int

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    Name string

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    NamePrefix string

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    Path string

    Path to the role. See IAM Identifiers for more information.

    PermissionsBoundary string

    ARN of the policy that is used to set the permissions boundary for the role.

    Tags Dictionary<string, string>

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    Description string

    Description of the role.

    ForceDetachPolicies bool

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    InlinePolicies []RoleInlinePolicyArgs

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    ManagedPolicyArns []string
    MaxSessionDuration int

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    Name string

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    NamePrefix string

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    Path string

    Path to the role. See IAM Identifiers for more information.

    PermissionsBoundary string

    ARN of the policy that is used to set the permissions boundary for the role.

    Tags map[string]string

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    assumeRolePolicy String | String

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description String

    Description of the role.

    forceDetachPolicies Boolean

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inlinePolicies List<RoleInlinePolicy>

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managedPolicyArns List<String>
    maxSessionDuration Integer

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name String

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    namePrefix String

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path String

    Path to the role. See IAM Identifiers for more information.

    permissionsBoundary String

    ARN of the policy that is used to set the permissions boundary for the role.

    tags Map<String,String>

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    assumeRolePolicy string | PolicyDocument

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description string

    Description of the role.

    forceDetachPolicies boolean

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inlinePolicies RoleInlinePolicy[]

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managedPolicyArns string[]
    maxSessionDuration number

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name string

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    namePrefix string

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path string

    Path to the role. See IAM Identifiers for more information.

    permissionsBoundary string

    ARN of the policy that is used to set the permissions boundary for the role.

    tags {[key: string]: string}

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    assume_role_policy str | str

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description str

    Description of the role.

    force_detach_policies bool

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inline_policies Sequence[RoleInlinePolicyArgs]

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managed_policy_arns Sequence[str]
    max_session_duration int

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name str

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    name_prefix str

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path str

    Path to the role. See IAM Identifiers for more information.

    permissions_boundary str

    ARN of the policy that is used to set the permissions boundary for the role.

    tags Mapping[str, str]

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    assumeRolePolicy String |

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    description String

    Description of the role.

    forceDetachPolicies Boolean

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inlinePolicies List<Property Map>

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managedPolicyArns List<String>
    maxSessionDuration Number

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name String

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    namePrefix String

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path String

    Path to the role. See IAM Identifiers for more information.

    permissionsBoundary String

    ARN of the policy that is used to set the permissions boundary for the role.

    tags Map<String>

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

    Arn string

    Amazon Resource Name (ARN) specifying the role.

    CreateDate string

    Creation date of the IAM role.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll Dictionary<string, string>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    UniqueId string

    Stable and unique string identifying the role.

    Arn string

    Amazon Resource Name (ARN) specifying the role.

    CreateDate string

    Creation date of the IAM role.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll map[string]string

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    UniqueId string

    Stable and unique string identifying the role.

    arn String

    Amazon Resource Name (ARN) specifying the role.

    createDate String

    Creation date of the IAM role.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String,String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    uniqueId String

    Stable and unique string identifying the role.

    arn string

    Amazon Resource Name (ARN) specifying the role.

    createDate string

    Creation date of the IAM role.

    id string

    The provider-assigned unique ID for this managed resource.

    tagsAll {[key: string]: string}

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    uniqueId string

    Stable and unique string identifying the role.

    arn str

    Amazon Resource Name (ARN) specifying the role.

    create_date str

    Creation date of the IAM role.

    id str

    The provider-assigned unique ID for this managed resource.

    tags_all Mapping[str, str]

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    unique_id str

    Stable and unique string identifying the role.

    arn String

    Amazon Resource Name (ARN) specifying the role.

    createDate String

    Creation date of the IAM role.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    uniqueId String

    Stable and unique string identifying the role.

    Look up Existing Role Resource

    Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            assume_role_policy: Optional[str] = None,
            create_date: Optional[str] = None,
            description: Optional[str] = None,
            force_detach_policies: Optional[bool] = None,
            inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
            managed_policy_arns: Optional[Sequence[str]] = None,
            max_session_duration: Optional[int] = None,
            name: Optional[str] = None,
            name_prefix: Optional[str] = None,
            path: Optional[str] = None,
            permissions_boundary: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            unique_id: Optional[str] = None) -> Role
    func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)
    public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)
    public static Role get(String name, Output<String> id, RoleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string

    Amazon Resource Name (ARN) specifying the role.

    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    CreateDate string

    Creation date of the IAM role.

    Description string

    Description of the role.

    ForceDetachPolicies bool

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    InlinePolicies List<RoleInlinePolicy>

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    ManagedPolicyArns List<string>
    MaxSessionDuration int

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    Name string

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    NamePrefix string

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    Path string

    Path to the role. See IAM Identifiers for more information.

    PermissionsBoundary string

    ARN of the policy that is used to set the permissions boundary for the role.

    Tags Dictionary<string, string>

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll Dictionary<string, string>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    UniqueId string

    Stable and unique string identifying the role.

    Arn string

    Amazon Resource Name (ARN) specifying the role.

    AssumeRolePolicy string | string

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    CreateDate string

    Creation date of the IAM role.

    Description string

    Description of the role.

    ForceDetachPolicies bool

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    InlinePolicies []RoleInlinePolicyArgs

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    ManagedPolicyArns []string
    MaxSessionDuration int

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    Name string

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    NamePrefix string

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    Path string

    Path to the role. See IAM Identifiers for more information.

    PermissionsBoundary string

    ARN of the policy that is used to set the permissions boundary for the role.

    Tags map[string]string

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll map[string]string

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    UniqueId string

    Stable and unique string identifying the role.

    arn String

    Amazon Resource Name (ARN) specifying the role.

    assumeRolePolicy String | String

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    createDate String

    Creation date of the IAM role.

    description String

    Description of the role.

    forceDetachPolicies Boolean

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inlinePolicies List<RoleInlinePolicy>

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managedPolicyArns List<String>
    maxSessionDuration Integer

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name String

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    namePrefix String

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path String

    Path to the role. See IAM Identifiers for more information.

    permissionsBoundary String

    ARN of the policy that is used to set the permissions boundary for the role.

    tags Map<String,String>

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String,String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    uniqueId String

    Stable and unique string identifying the role.

    arn string

    Amazon Resource Name (ARN) specifying the role.

    assumeRolePolicy string | PolicyDocument

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    createDate string

    Creation date of the IAM role.

    description string

    Description of the role.

    forceDetachPolicies boolean

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inlinePolicies RoleInlinePolicy[]

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managedPolicyArns string[]
    maxSessionDuration number

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name string

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    namePrefix string

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path string

    Path to the role. See IAM Identifiers for more information.

    permissionsBoundary string

    ARN of the policy that is used to set the permissions boundary for the role.

    tags {[key: string]: string}

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll {[key: string]: string}

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    uniqueId string

    Stable and unique string identifying the role.

    arn str

    Amazon Resource Name (ARN) specifying the role.

    assume_role_policy str | str

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    create_date str

    Creation date of the IAM role.

    description str

    Description of the role.

    force_detach_policies bool

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inline_policies Sequence[RoleInlinePolicyArgs]

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managed_policy_arns Sequence[str]
    max_session_duration int

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name str

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    name_prefix str

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path str

    Path to the role. See IAM Identifiers for more information.

    permissions_boundary str

    ARN of the policy that is used to set the permissions boundary for the role.

    tags Mapping[str, str]

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tags_all Mapping[str, str]

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    unique_id str

    Stable and unique string identifying the role.

    arn String

    Amazon Resource Name (ARN) specifying the role.

    assumeRolePolicy String |

    Policy that grants an entity permission to assume the role.

    NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

    The following arguments are optional:

    createDate String

    Creation date of the IAM role.

    description String

    Description of the role.

    forceDetachPolicies Boolean

    Whether to force detaching any policies the role has before destroying it. Defaults to false.

    inlinePolicies List<Property Map>

    Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, the provider will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause the provider to remove all inline policies added out of band on apply.

    managedPolicyArns List<String>
    maxSessionDuration Number

    Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

    name String

    Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.

    namePrefix String

    Creates a unique friendly name beginning with the specified prefix. Conflicts with name.

    path String

    Path to the role. See IAM Identifiers for more information.

    permissionsBoundary String

    ARN of the policy that is used to set the permissions boundary for the role.

    tags Map<String>

    Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    uniqueId String

    Stable and unique string identifying the role.

    Supporting Types

    RoleInlinePolicy, RoleInlinePolicyArgs

    Name string

    Name of the role policy.

    Policy string

    Policy document as a JSON formatted string.

    Name string

    Name of the role policy.

    Policy string

    Policy document as a JSON formatted string.

    name String

    Name of the role policy.

    policy String

    Policy document as a JSON formatted string.

    name string

    Name of the role policy.

    policy string

    Policy document as a JSON formatted string.

    name str

    Name of the role policy.

    policy str

    Policy document as a JSON formatted string.

    name String

    Name of the role policy.

    policy String

    Policy document as a JSON formatted string.

    Import

    Using pulumi import, import IAM Roles using the name. For example:

     $ pulumi import aws:iam/role:Role developer developer_name
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the aws Terraform Provider.

    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.2.1 published on Friday, Sep 22, 2023 by Pulumi