Docs Home
redpanda 1.2.1 published on Wednesday, Sep 10, 2025 by redpanda-data
redpanda.RoleAssignment
Explore with Pulumi AI
redpanda 1.2.1 published on Wednesday, Sep 10, 2025 by redpanda-data
Assigns an existing Redpanda role to a principal. Resource ID format: {role_name}:{principal}
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as redpanda from "@pulumi/redpanda";
const testResourceGroup = new redpanda.ResourceGroup("testResourceGroup", {});
const config = new pulumi.Config();
const region = config.get("region") || "us-east-2";
const cloudProvider = config.get("cloudProvider") || "aws";
const testNetwork = new redpanda.Network("testNetwork", {
resourceGroupId: testResourceGroup.id,
cloudProvider: cloudProvider,
region: region,
clusterType: "dedicated",
cidrBlock: "10.0.0.0/20",
});
const zones = config.getObject("zones") || [
"use2-az1",
"use2-az2",
"use2-az3",
];
const throughputTier = config.get("throughputTier") || "tier-1-aws-v2-arm";
const testCluster = new redpanda.Cluster("testCluster", {
networkId: testNetwork.id,
cloudProvider: cloudProvider,
region: region,
clusterType: "dedicated",
connectionType: "public",
throughputTier: throughputTier,
zones: zones,
allowDeletion: true,
tags: {
key: "value",
},
});
// Create a user
const testUser = new redpanda.User("testUser", {
password: "test-password",
mechanism: "scram-sha-256",
clusterApiUrl: testCluster.clusterApiUrl,
});
// Create a role (note: this would need to be created via rpk CLI separately)
// rpk security role create test-role
// Assign the role to the user
const testRoleAssignment = new redpanda.RoleAssignment("testRoleAssignment", {
roleName: "test-role",
principal: testUser.id,
clusterApiUrl: testCluster.clusterApiUrl,
});
const resourceGroupName = config.get("resourceGroupName") || "testname";
const networkName = config.get("networkName") || "testname";
const clusterName = config.get("clusterName") || "testname";
import pulumi
import pulumi_redpanda as redpanda
test_resource_group = redpanda.ResourceGroup("testResourceGroup")
config = pulumi.Config()
region = config.get("region")
if region is None:
region = "us-east-2"
cloud_provider = config.get("cloudProvider")
if cloud_provider is None:
cloud_provider = "aws"
test_network = redpanda.Network("testNetwork",
resource_group_id=test_resource_group.id,
cloud_provider=cloud_provider,
region=region,
cluster_type="dedicated",
cidr_block="10.0.0.0/20")
zones = config.get_object("zones")
if zones is None:
zones = [
"use2-az1",
"use2-az2",
"use2-az3",
]
throughput_tier = config.get("throughputTier")
if throughput_tier is None:
throughput_tier = "tier-1-aws-v2-arm"
test_cluster = redpanda.Cluster("testCluster",
network_id=test_network.id,
cloud_provider=cloud_provider,
region=region,
cluster_type="dedicated",
connection_type="public",
throughput_tier=throughput_tier,
zones=zones,
allow_deletion=True,
tags={
"key": "value",
})
# Create a user
test_user = redpanda.User("testUser",
password="test-password",
mechanism="scram-sha-256",
cluster_api_url=test_cluster.cluster_api_url)
# Create a role (note: this would need to be created via rpk CLI separately)
# rpk security role create test-role
# Assign the role to the user
test_role_assignment = redpanda.RoleAssignment("testRoleAssignment",
role_name="test-role",
principal=test_user.id,
cluster_api_url=test_cluster.cluster_api_url)
resource_group_name = config.get("resourceGroupName")
if resource_group_name is None:
resource_group_name = "testname"
network_name = config.get("networkName")
if network_name is None:
network_name = "testname"
cluster_name = config.get("clusterName")
if cluster_name is None:
cluster_name = "testname"
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/redpanda/redpanda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
testResourceGroup, err := redpanda.NewResourceGroup(ctx, "testResourceGroup", nil)
if err != nil {
return err
}
cfg := config.New(ctx, "")
region := "us-east-2"
if param := cfg.Get("region"); param != "" {
region = param
}
cloudProvider := "aws"
if param := cfg.Get("cloudProvider"); param != "" {
cloudProvider = param
}
testNetwork, err := redpanda.NewNetwork(ctx, "testNetwork", &redpanda.NetworkArgs{
ResourceGroupId: testResourceGroup.ID(),
CloudProvider: pulumi.String(cloudProvider),
Region: pulumi.String(region),
ClusterType: pulumi.String("dedicated"),
CidrBlock: pulumi.String("10.0.0.0/20"),
})
if err != nil {
return err
}
zones := []string{
"use2-az1",
"use2-az2",
"use2-az3",
}
if param := cfg.GetObject("zones"); param != nil {
zones = param
}
throughputTier := "tier-1-aws-v2-arm"
if param := cfg.Get("throughputTier"); param != "" {
throughputTier = param
}
testCluster, err := redpanda.NewCluster(ctx, "testCluster", &redpanda.ClusterArgs{
NetworkId: testNetwork.ID(),
CloudProvider: pulumi.String(cloudProvider),
Region: pulumi.String(region),
ClusterType: pulumi.String("dedicated"),
ConnectionType: pulumi.String("public"),
ThroughputTier: pulumi.String(throughputTier),
Zones: pulumi.Any(zones),
AllowDeletion: pulumi.Bool(true),
Tags: pulumi.StringMap{
"key": pulumi.String("value"),
},
})
if err != nil {
return err
}
// Create a user
testUser, err := redpanda.NewUser(ctx, "testUser", &redpanda.UserArgs{
Password: pulumi.String("test-password"),
Mechanism: pulumi.String("scram-sha-256"),
ClusterApiUrl: testCluster.ClusterApiUrl,
})
if err != nil {
return err
}
// Assign the role to the user
_, err = redpanda.NewRoleAssignment(ctx, "testRoleAssignment", &redpanda.RoleAssignmentArgs{
RoleName: pulumi.String("test-role"),
Principal: testUser.ID(),
ClusterApiUrl: testCluster.ClusterApiUrl,
})
if err != nil {
return err
}
resourceGroupName := "testname"
if param := cfg.Get("resourceGroupName"); param != "" {
resourceGroupName = param
}
networkName := "testname"
if param := cfg.Get("networkName"); param != "" {
networkName = param
}
clusterName := "testname"
if param := cfg.Get("clusterName"); param != "" {
clusterName = param
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Redpanda = Pulumi.Redpanda;
return await Deployment.RunAsync(() =>
{
var testResourceGroup = new Redpanda.ResourceGroup("testResourceGroup");
var config = new Config();
var region = config.Get("region") ?? "us-east-2";
var cloudProvider = config.Get("cloudProvider") ?? "aws";
var testNetwork = new Redpanda.Network("testNetwork", new()
{
ResourceGroupId = testResourceGroup.Id,
CloudProvider = cloudProvider,
Region = region,
ClusterType = "dedicated",
CidrBlock = "10.0.0.0/20",
});
var zones = config.GetObject<dynamic>("zones") ?? new[]
{
"use2-az1",
"use2-az2",
"use2-az3",
};
var throughputTier = config.Get("throughputTier") ?? "tier-1-aws-v2-arm";
var testCluster = new Redpanda.Cluster("testCluster", new()
{
NetworkId = testNetwork.Id,
CloudProvider = cloudProvider,
Region = region,
ClusterType = "dedicated",
ConnectionType = "public",
ThroughputTier = throughputTier,
Zones = zones,
AllowDeletion = true,
Tags =
{
{ "key", "value" },
},
});
// Create a user
var testUser = new Redpanda.User("testUser", new()
{
Password = "test-password",
Mechanism = "scram-sha-256",
ClusterApiUrl = testCluster.ClusterApiUrl,
});
// Create a role (note: this would need to be created via rpk CLI separately)
// rpk security role create test-role
// Assign the role to the user
var testRoleAssignment = new Redpanda.RoleAssignment("testRoleAssignment", new()
{
RoleName = "test-role",
Principal = testUser.Id,
ClusterApiUrl = testCluster.ClusterApiUrl,
});
var resourceGroupName = config.Get("resourceGroupName") ?? "testname";
var networkName = config.Get("networkName") ?? "testname";
var clusterName = config.Get("clusterName") ?? "testname";
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.redpanda.ResourceGroup;
import com.pulumi.redpanda.Network;
import com.pulumi.redpanda.NetworkArgs;
import com.pulumi.redpanda.Cluster;
import com.pulumi.redpanda.ClusterArgs;
import com.pulumi.redpanda.User;
import com.pulumi.redpanda.UserArgs;
import com.pulumi.redpanda.RoleAssignment;
import com.pulumi.redpanda.RoleAssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
var testResourceGroup = new ResourceGroup("testResourceGroup");
final var region = config.get("region").orElse("us-east-2");
final var cloudProvider = config.get("cloudProvider").orElse("aws");
var testNetwork = new Network("testNetwork", NetworkArgs.builder()
.resourceGroupId(testResourceGroup.id())
.cloudProvider(cloudProvider)
.region(region)
.clusterType("dedicated")
.cidrBlock("10.0.0.0/20")
.build());
final var zones = config.get("zones").orElse(
"use2-az1",
"use2-az2",
"use2-az3");
final var throughputTier = config.get("throughputTier").orElse("tier-1-aws-v2-arm");
var testCluster = new Cluster("testCluster", ClusterArgs.builder()
.networkId(testNetwork.id())
.cloudProvider(cloudProvider)
.region(region)
.clusterType("dedicated")
.connectionType("public")
.throughputTier(throughputTier)
.zones(zones)
.allowDeletion(true)
.tags(Map.of("key", "value"))
.build());
// Create a user
var testUser = new User("testUser", UserArgs.builder()
.password("test-password")
.mechanism("scram-sha-256")
.clusterApiUrl(testCluster.clusterApiUrl())
.build());
// Create a role (note: this would need to be created via rpk CLI separately)
// rpk security role create test-role
// Assign the role to the user
var testRoleAssignment = new RoleAssignment("testRoleAssignment", RoleAssignmentArgs.builder()
.roleName("test-role")
.principal(testUser.id())
.clusterApiUrl(testCluster.clusterApiUrl())
.build());
final var resourceGroupName = config.get("resourceGroupName").orElse("testname");
final var networkName = config.get("networkName").orElse("testname");
final var clusterName = config.get("clusterName").orElse("testname");
}
}
configuration:
resourceGroupName:
type: string
default: testname
networkName:
type: string
default: testname
clusterName:
type: string
default: testname
region:
type: string
default: us-east-2
zones:
type: dynamic
default:
- use2-az1
- use2-az2
- use2-az3
cloudProvider:
type: string
default: aws
throughputTier:
type: string
default: tier-1-aws-v2-arm
resources:
testResourceGroup:
type: redpanda:ResourceGroup
testNetwork:
type: redpanda:Network
properties:
resourceGroupId: ${testResourceGroup.id}
cloudProvider: ${cloudProvider}
region: ${region}
clusterType: dedicated
cidrBlock: 10.0.0.0/20
testCluster:
type: redpanda:Cluster
properties:
networkId: ${testNetwork.id}
cloudProvider: ${cloudProvider}
region: ${region}
clusterType: dedicated
connectionType: public
throughputTier: ${throughputTier}
zones: ${zones}
allowDeletion: true
tags:
key: value
# Create a user
testUser: # Create a role (note: this would need to be created via rpk CLI separately)
# rpk security role create test-role
type: redpanda:User
properties:
password: test-password
mechanism: scram-sha-256
clusterApiUrl: ${testCluster.clusterApiUrl}
# Assign the role to the user
testRoleAssignment:
type: redpanda:RoleAssignment
properties:
roleName: test-role
principal: ${testUser.id}
clusterApiUrl: ${testCluster.clusterApiUrl}
Notes
- The role must already exist before it can be assigned. Roles are typically created using
rpk security role createor through the Redpanda Console. - The principal should be specified as just the username (e.g.,
"john.doe"). TheUser:prefix is not needed and will be automatically stripped if provided. - Role assignments are atomic operations - you cannot update an existing assignment. To change a role assignment, delete and recreate the resource.
- The resource uses the Redpanda gRPC SecurityService (via console endpoint) for role management operations.
Create RoleAssignment Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RoleAssignment(name: string, args: RoleAssignmentArgs, opts?: CustomResourceOptions);@overload
def RoleAssignment(resource_name: str,
args: RoleAssignmentArgs,
opts: Optional[ResourceOptions] = None)
@overload
def RoleAssignment(resource_name: str,
opts: Optional[ResourceOptions] = None,
cluster_api_url: Optional[str] = None,
principal: Optional[str] = None,
role_name: Optional[str] = None)func NewRoleAssignment(ctx *Context, name string, args RoleAssignmentArgs, opts ...ResourceOption) (*RoleAssignment, error)public RoleAssignment(string name, RoleAssignmentArgs args, CustomResourceOptions? opts = null)
public RoleAssignment(String name, RoleAssignmentArgs args)
public RoleAssignment(String name, RoleAssignmentArgs args, CustomResourceOptions options)
type: redpanda:RoleAssignment
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RoleAssignmentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RoleAssignmentArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RoleAssignmentArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RoleAssignmentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RoleAssignmentArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var roleAssignmentResource = new Redpanda.RoleAssignment("roleAssignmentResource", new()
{
ClusterApiUrl = "string",
Principal = "string",
RoleName = "string",
});
example, err := redpanda.NewRoleAssignment(ctx, "roleAssignmentResource", &redpanda.RoleAssignmentArgs{
ClusterApiUrl: pulumi.String("string"),
Principal: pulumi.String("string"),
RoleName: pulumi.String("string"),
})
var roleAssignmentResource = new RoleAssignment("roleAssignmentResource", RoleAssignmentArgs.builder()
.clusterApiUrl("string")
.principal("string")
.roleName("string")
.build());
role_assignment_resource = redpanda.RoleAssignment("roleAssignmentResource",
cluster_api_url="string",
principal="string",
role_name="string")
const roleAssignmentResource = new redpanda.RoleAssignment("roleAssignmentResource", {
clusterApiUrl: "string",
principal: "string",
roleName: "string",
});
type: redpanda:RoleAssignment
properties:
clusterApiUrl: string
principal: string
roleName: string
RoleAssignment Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RoleAssignment resource accepts the following input properties:
- Cluster
Api stringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- Principal string
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - Role
Name string - The name of the role to assign
- Cluster
Api stringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- Principal string
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - Role
Name string - The name of the role to assign
- cluster
Api StringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal String
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role
Name String - The name of the role to assign
- cluster
Api stringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal string
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role
Name string - The name of the role to assign
- cluster_
api_ strurl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal str
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role_
name str - The name of the role to assign
- cluster
Api StringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal String
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role
Name String - The name of the role to assign
Outputs
All input properties are implicitly available as output properties. Additionally, the RoleAssignment resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing RoleAssignment Resource
Get an existing RoleAssignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RoleAssignmentState, opts?: CustomResourceOptions): RoleAssignment@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
cluster_api_url: Optional[str] = None,
principal: Optional[str] = None,
role_name: Optional[str] = None) -> RoleAssignmentfunc GetRoleAssignment(ctx *Context, name string, id IDInput, state *RoleAssignmentState, opts ...ResourceOption) (*RoleAssignment, error)public static RoleAssignment Get(string name, Input<string> id, RoleAssignmentState? state, CustomResourceOptions? opts = null)public static RoleAssignment get(String name, Output<String> id, RoleAssignmentState state, CustomResourceOptions options)resources: _: type: redpanda:RoleAssignment get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Cluster
Api stringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- Principal string
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - Role
Name string - The name of the role to assign
- Cluster
Api stringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- Principal string
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - Role
Name string - The name of the role to assign
- cluster
Api StringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal String
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role
Name String - The name of the role to assign
- cluster
Api stringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal string
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role
Name string - The name of the role to assign
- cluster_
api_ strurl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal str
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role_
name str - The name of the role to assign
- cluster
Api StringUrl - The cluster API URL. Changing this will prevent deletion of the resource on the existing cluster
- principal String
- The principal to assign the role to. Specify just the username (e.g.,
"john.doe") - role
Name String - The name of the role to assign
Import
Role assignments can be imported using the format role_name:principal:
$ pulumi import redpanda:index/roleAssignment:RoleAssignment test "test-role:test-user"
Note: The cluster_api_url must be specified in your Terraform configuration. The import will validate the role assignment exists during the next pulumi preview or pulumi up.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- redpanda redpanda-data/terraform-provider-redpanda
- License
- Notes
- This Pulumi package is based on the
redpandaTerraform Provider.
redpanda 1.2.1 published on Wednesday, Sep 10, 2025 by redpanda-data