aws-iam.AssumableRole
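This resource creates a single IAM role that trusted principals can assume. A trusted principal can be any IAM ARN, typically an AWS account or an IAM user. Naming an account's `root` ARN trusts the account as a whole: which of its principals can then assume the role is decided by that account's own IAM policies.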
Example Usage
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
/// <summary>
/// Stack that provisions one IAM role named "custom" which the listed
/// trusted principals may assume, and exposes the component as a stack output.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The arguments are built first so the trust relationship and the
        // attached permissions can be reviewed separately from the resource call.
        var roleArgs = new AssumableRoleArgs
        {
            // Principals allowed to assume the role.
            // NOTE(review): the ":root" ARN names the whole account 307990089504,
            // not its root user; which principals there can actually assume the
            // role is then decided by that account's own IAM policies.
            TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"},
            Role = new RoleWithMFAArgs
            {
                Name = "custom",
                // The role requires MFA. MfaAge (not set here) is the input that
                // bounds how old the MFA authentication may be.
                RequiresMfa = true,
                // NOTE(review): AlexaForBusinessFullAccess is a full-access managed
                // policy; confirm the trusted principals need that much.
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"},
            },
        };

        var assumableRole = new AssumableRole("assumable-role", roleArgs);

        // Publish the component so other stacks and the CLI can read it.
        this.AssumableRole = Output.Create<AssumableRole>(assumableRole);
    }

    /// <summary>The assumable role component created by this stack.</summary>
    [Output]
    public Output<AssumableRole> AssumableRole { get; set; }
}
package main
import (
iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions one IAM role named "custom" that the listed trusted
// principals may assume, and exports the component as "assumableRole".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Principals allowed to assume the role.
		// NOTE(review): the ":root" ARN names the whole account 307990089504,
		// not its root user; which principals there can actually assume the
		// role is then decided by that account's own IAM policies.
		trustedPrincipals := pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"})

		// Managed policies attached to the role.
		// NOTE(review): AlexaForBusinessFullAccess is a full-access managed
		// policy; confirm the trusted principals need that much.
		managedPolicies := pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonCognitoReadOnly", "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"})

		roleArgs := &iam.AssumableRoleArgs{
			TrustedRoleArns: trustedPrincipals,
			Role: &iam.RoleWithMFAArgs{
				Name: pulumi.String("custom"),
				// The role requires MFA. MfaAge (not set here) is the input
				// that bounds how old the MFA authentication may be.
				RequiresMfa: pulumi.BoolPtr(true),
				PolicyArns:  managedPolicies,
			},
		}

		assumableRole, err := iam.NewAssumableRole(ctx, "assumable-role", roleArgs)
		if err != nil {
			return err
		}

		ctx.Export("assumableRole", assumableRole)
		return nil
	})
}
Coming soon!
import pulumi
import pulumi_aws_iam as iam
# Principals allowed to assume the role.
# NOTE(review): the ":root" ARN names the whole account 307990089504, not its
# root user; which principals there can actually assume the role is then
# decided by that account's own IAM policies.
trusted_principals = [
    'arn:aws:iam::307990089504:root',
    'arn:aws:iam::835367859851:user/pulumipus',
]

# Managed policies attached to the role.
# NOTE(review): AlexaForBusinessFullAccess is a full-access managed policy;
# confirm the trusted principals need that much.
managed_policies = [
    'arn:aws:iam::aws:policy/AmazonCognitoReadOnly',
    'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess',
]

# The role requires MFA. mfa_age (not set here) is the input that bounds how
# old the MFA authentication may be.
role_settings = iam.RoleWithMFAArgs(
    name='custom',
    requires_mfa=True,
    policy_arns=managed_policies,
)

assumable_role = iam.AssumableRole(
    'assumable_role',
    trusted_role_arns=trusted_principals,
    role=role_settings,
)

# Expose the component as a stack output.
pulumi.export('assumable_role', assumable_role)
import * as iam from "@pulumi/aws-iam";
// Principals allowed to assume the role.
// NOTE(review): the ":root" ARN names the whole account 307990089504, not its
// root user; which principals there can actually assume the role is then
// decided by that account's own IAM policies.
const trustedPrincipals = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/pulumipus",
];

// Managed policies attached to the role.
// NOTE(review): AlexaForBusinessFullAccess is a full-access managed policy;
// confirm the trusted principals need that much.
const managedPolicies = [
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
];

/** IAM role "custom", assumable by the trusted principals above. */
export const assumableRole = new iam.AssumableRole("aws-iam-example-assumable-role", {
    trustedRoleArns: trustedPrincipals,
    role: {
        name: "custom",
        // The role requires MFA. mfaAge (not set here) is the input that
        // bounds how old the MFA authentication may be.
        requiresMfa: true,
        policyArns: managedPolicies,
    },
});
# Pulumi YAML program: one IAM role named "custom" that the listed trusted
# principals may assume, exported as the stack output "assumableRole".
name: awsiam-yaml
runtime: yaml

resources:
  assumableRole:
    type: "aws-iam:index:AssumableRole"
    properties:
      # Principals allowed to assume the role.
      # NOTE(review): the ":root" ARN names the whole account 307990089504,
      # not its root user; which principals there can actually assume the
      # role is then decided by that account's own IAM policies.
      trustedRoleArns:
        - "arn:aws:iam::307990089504:root"
        - "arn:aws:iam::835367859851:user/pulumipus"
      role:
        name: "custom"
        # The role requires MFA. mfaAge (not set here) is the input that
        # bounds how old the MFA authentication may be.
        requiresMfa: true
        # NOTE(review): AlexaForBusinessFullAccess is a full-access managed
        # policy; confirm the trusted principals need that much.
        policyArns:
          - "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
          - "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"

outputs:
  assumableRole: ${assumableRole}
Create AssumableRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AssumableRole(name: string, args?: AssumableRoleArgs, opts?: ComponentResourceOptions);
@overload
def AssumableRole(resource_name: str,
args: Optional[AssumableRoleArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def AssumableRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
attach_admin_policy: Optional[bool] = None,
attach_poweruser_policy: Optional[bool] = None,
attach_readonly_policy: Optional[bool] = None,
custom_role_trust_policy: Optional[str] = None,
force_detach_policies: Optional[bool] = None,
max_session_duration: Optional[int] = None,
mfa_age: Optional[int] = None,
role: Optional[RoleWithMFAArgs] = None,
role_sts_external_ids: Optional[Sequence[str]] = None,
tags: Optional[Mapping[str, str]] = None,
trusted_role_actions: Optional[Sequence[str]] = None,
trusted_role_arns: Optional[Sequence[str]] = None,
trusted_role_services: Optional[Sequence[str]] = None)
func NewAssumableRole(ctx *Context, name string, args *AssumableRoleArgs, opts ...ResourceOption) (*AssumableRole, error)
public AssumableRole(string name, AssumableRoleArgs? args = null, ComponentResourceOptions? opts = null)
public AssumableRole(String name, AssumableRoleArgs args)
public AssumableRole(String name, AssumableRoleArgs args, ComponentResourceOptions options)
type: aws-iam:AssumableRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AssumableRoleArgs
- The arguments to resource properties.
- options ComponentResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference shape only: every value below is a placeholder, not a recommended setting.
var roleSettings = new AwsIam.Inputs.RoleWithMFAArgs
{
    Name = "string",
    Path = "string",
    // Permissions boundary ARN to use for the role.
    PermissionsBoundaryArn = "string",
    PolicyArns = new[]
    {
        "string",
    },
    // Whether the role requires MFA.
    RequiresMfa = false,
    Tags =
    {
        { "string", "string" },
    },
};

var assumableRoleResource = new AwsIam.AssumableRole("assumableRoleResource", new()
{
    // Each Attach*Policy flag controls whether the corresponding policy is attached to the role.
    AttachAdminPolicy = false,
    AttachPoweruserPolicy = false,
    AttachReadonlyPolicy = false,
    CustomRoleTrustPolicy = "string",
    ForceDetachPolicies = false,
    // Placeholder; the documented range is 3600 to 43200 seconds.
    MaxSessionDuration = 0,
    // Max age of valid MFA in seconds, for roles which require MFA.
    MfaAge = 0,
    Role = roleSettings,
    // STS ExternalId condition values, used when MFA is not required.
    RoleStsExternalIds = new[]
    {
        "string",
    },
    Tags =
    {
        { "string", "string" },
    },
    TrustedRoleActions = new[]
    {
        "string",
    },
    // ARNs of the AWS entities that can assume the role.
    TrustedRoleArns = new[]
    {
        "string",
    },
    // AWS services that can assume the role.
    TrustedRoleServices = new[]
    {
        "string",
    },
});
// Reference shape only: every value below is a placeholder, not a recommended setting.
roleSettings := &awsiam.RoleWithMFAArgs{
	Name: pulumi.String("string"),
	Path: pulumi.String("string"),
	// Permissions boundary ARN to use for the role.
	PermissionsBoundaryArn: pulumi.String("string"),
	PolicyArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Whether the role requires MFA.
	RequiresMfa: pulumi.Bool(false),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
}

example, err := awsiam.NewAssumableRole(ctx, "assumableRoleResource", &awsiam.AssumableRoleArgs{
	// Each Attach*Policy flag controls whether the corresponding policy is attached to the role.
	AttachAdminPolicy:     pulumi.Bool(false),
	AttachPoweruserPolicy: pulumi.Bool(false),
	AttachReadonlyPolicy:  pulumi.Bool(false),
	CustomRoleTrustPolicy: pulumi.String("string"),
	ForceDetachPolicies:   pulumi.Bool(false),
	// Placeholder; the documented range is 3600 to 43200 seconds.
	MaxSessionDuration: pulumi.Int(0),
	// Max age of valid MFA in seconds, for roles which require MFA.
	MfaAge: pulumi.Int(0),
	Role:   roleSettings,
	// STS ExternalId condition values, used when MFA is not required.
	RoleStsExternalIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	TrustedRoleActions: pulumi.StringArray{
		pulumi.String("string"),
	},
	// ARNs of the AWS entities that can assume the role.
	TrustedRoleArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	// AWS services that can assume the role.
	TrustedRoleServices: pulumi.StringArray{
		pulumi.String("string"),
	},
})
// Reference shape only: every value below is a placeholder, not a recommended setting.
var roleSettings = RoleWithMFAArgs.builder()
    .name("string")
    .path("string")
    // Permissions boundary ARN to use for the role.
    .permissionsBoundaryArn("string")
    .policyArns("string")
    // Whether the role requires MFA.
    .requiresMfa(false)
    .tags(Map.of("string", "string"))
    .build();

var assumableRoleResource = new AssumableRole("assumableRoleResource", AssumableRoleArgs.builder()
    // Each attach*Policy flag controls whether the corresponding policy is attached to the role.
    .attachAdminPolicy(false)
    .attachPoweruserPolicy(false)
    .attachReadonlyPolicy(false)
    .customRoleTrustPolicy("string")
    .forceDetachPolicies(false)
    // Placeholder; the documented range is 3600 to 43200 seconds.
    .maxSessionDuration(0)
    // Max age of valid MFA in seconds, for roles which require MFA.
    .mfaAge(0)
    .role(roleSettings)
    // STS ExternalId condition values, used when MFA is not required.
    .roleStsExternalIds("string")
    .tags(Map.of("string", "string"))
    .trustedRoleActions("string")
    // ARNs of the AWS entities that can assume the role.
    .trustedRoleArns("string")
    // AWS services that can assume the role.
    .trustedRoleServices("string")
    .build());
# Reference shape only: every value below is a placeholder, not a recommended setting.
role_settings = {
    "name": "string",
    "path": "string",
    # Permissions boundary ARN to use for the role.
    "permissions_boundary_arn": "string",
    "policy_arns": ["string"],
    # Whether the role requires MFA.
    "requires_mfa": False,
    "tags": {
        "string": "string",
    },
}

assumable_role_resource = aws_iam.AssumableRole(
    "assumableRoleResource",
    # Each attach_*_policy flag controls whether the corresponding policy is attached to the role.
    attach_admin_policy=False,
    attach_poweruser_policy=False,
    attach_readonly_policy=False,
    custom_role_trust_policy="string",
    force_detach_policies=False,
    # Placeholder; the documented range is 3600 to 43200 seconds.
    max_session_duration=0,
    # Max age of valid MFA in seconds, for roles which require MFA.
    mfa_age=0,
    role=role_settings,
    # STS ExternalId condition values, used when MFA is not required.
    role_sts_external_ids=["string"],
    tags={
        "string": "string",
    },
    trusted_role_actions=["string"],
    # ARNs of the AWS entities that can assume the role.
    trusted_role_arns=["string"],
    # AWS services that can assume the role.
    trusted_role_services=["string"],
)
// Reference shape only: every value below is a placeholder, not a recommended setting.
const roleSettings = {
    name: "string",
    path: "string",
    // Permissions boundary ARN to use for the role.
    permissionsBoundaryArn: "string",
    policyArns: ["string"],
    // Whether the role requires MFA.
    requiresMfa: false,
    tags: {
        string: "string",
    },
};

const assumableRoleResource = new aws_iam.AssumableRole("assumableRoleResource", {
    // Each attach*Policy flag controls whether the corresponding policy is attached to the role.
    attachAdminPolicy: false,
    attachPoweruserPolicy: false,
    attachReadonlyPolicy: false,
    customRoleTrustPolicy: "string",
    forceDetachPolicies: false,
    // Placeholder; the documented range is 3600 to 43200 seconds.
    maxSessionDuration: 0,
    // Max age of valid MFA in seconds, for roles which require MFA.
    mfaAge: 0,
    role: roleSettings,
    // STS ExternalId condition values, used when MFA is not required.
    roleStsExternalIds: ["string"],
    tags: {
        string: "string",
    },
    trustedRoleActions: ["string"],
    // ARNs of the AWS entities that can assume the role.
    trustedRoleArns: ["string"],
    // AWS services that can assume the role.
    trustedRoleServices: ["string"],
});
# Reference shape only: every value below is a placeholder, not a recommended setting.
type: aws-iam:AssumableRole
properties:
  # Each attach*Policy flag controls whether the corresponding policy is attached to the role.
  attachAdminPolicy: false
  attachPoweruserPolicy: false
  attachReadonlyPolicy: false
  customRoleTrustPolicy: string
  forceDetachPolicies: false
  # Placeholder; the documented range is 3600 to 43200 seconds.
  maxSessionDuration: 0
  # Max age of valid MFA in seconds, for roles which require MFA.
  mfaAge: 0
  role:
    name: string
    path: string
    # Permissions boundary ARN to use for the role.
    permissionsBoundaryArn: string
    policyArns:
      - string
    # Whether the role requires MFA.
    requiresMfa: false
    tags:
      string: string
  # STS ExternalId condition values, used when MFA is not required.
  roleStsExternalIds:
    - string
  tags:
    string: string
  trustedRoleActions:
    - string
  # ARNs of the AWS entities that can assume the role.
  trustedRoleArns:
    - string
  # AWS services that can assume the role.
  trustedRoleServices:
    - string
AssumableRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AssumableRole resource accepts the following input properties:
- AttachAdminPolicy bool - Whether to attach an admin policy to a role.
- AttachPoweruserPolicy bool - Whether to attach a poweruser policy to a role.
- AttachReadonlyPolicy bool - Whether to attach a readonly policy to a role.
- CustomRoleTrustPolicy string - A custom role trust policy.
- ForceDetachPolicies bool - Whether policies should be detached from this role when destroying.
- MaxSessionDuration int - Maximum CLI/API session duration in seconds between 3600 and 43200.
- MfaAge int - Max age of valid MFA (in seconds) for roles which require MFA.
- Role Pulumi.AwsIam.Inputs.RoleWithMFA - An IAM role that requires MFA.
- RoleStsExternalIds List<string> - STS ExternalId condition values to use with a role (when MFA is not required).
- Tags Dictionary<string, string> - A map of tags to add.
- TrustedRoleActions List<string> - Actions of STS.
- TrustedRoleArns List<string> - ARNs of AWS entities who can assume these roles.
- TrustedRoleServices List<string> - AWS Services that can assume these roles.
- AttachAdminPolicy bool - Whether to attach an admin policy to a role.
- AttachPoweruserPolicy bool - Whether to attach a poweruser policy to a role.
- AttachReadonlyPolicy bool - Whether to attach a readonly policy to a role.
- CustomRoleTrustPolicy string - A custom role trust policy.
- ForceDetachPolicies bool - Whether policies should be detached from this role when destroying.
- MaxSessionDuration int - Maximum CLI/API session duration in seconds between 3600 and 43200.
- MfaAge int - Max age of valid MFA (in seconds) for roles which require MFA.
- Role RoleWithMFAArgs - An IAM role that requires MFA.
- RoleStsExternalIds []string - STS ExternalId condition values to use with a role (when MFA is not required).
- Tags map[string]string - A map of tags to add.
- TrustedRoleActions []string - Actions of STS.
- TrustedRoleArns []string - ARNs of AWS entities who can assume these roles.
- TrustedRoleServices []string - AWS Services that can assume these roles.
- attachAdminPolicy Boolean - Whether to attach an admin policy to a role.
- attachPoweruserPolicy Boolean - Whether to attach a poweruser policy to a role.
- attachReadonlyPolicy Boolean - Whether to attach a readonly policy to a role.
- customRoleTrustPolicy String - A custom role trust policy.
- forceDetachPolicies Boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration Integer - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfaAge Integer - Max age of valid MFA (in seconds) for roles which require MFA.
- role RoleWithMFA - An IAM role that requires MFA.
- roleStsExternalIds List<String> - STS ExternalId condition values to use with a role (when MFA is not required).
- tags Map<String,String> - A map of tags to add.
- trustedRoleActions List<String> - Actions of STS.
- trustedRoleArns List<String> - ARNs of AWS entities who can assume these roles.
- trustedRoleServices List<String> - AWS Services that can assume these roles.
- attachAdminPolicy boolean - Whether to attach an admin policy to a role.
- attachPoweruserPolicy boolean - Whether to attach a poweruser policy to a role.
- attachReadonlyPolicy boolean - Whether to attach a readonly policy to a role.
- customRoleTrustPolicy string - A custom role trust policy.
- forceDetachPolicies boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration number - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfaAge number - Max age of valid MFA (in seconds) for roles which require MFA.
- role RoleWithMFA - An IAM role that requires MFA.
- roleStsExternalIds string[] - STS ExternalId condition values to use with a role (when MFA is not required).
- tags {[key: string]: string} - A map of tags to add.
- trustedRoleActions string[] - Actions of STS.
- trustedRoleArns string[] - ARNs of AWS entities who can assume these roles.
- trustedRoleServices string[] - AWS Services that can assume these roles.
- attach_admin_policy bool - Whether to attach an admin policy to a role.
- attach_poweruser_policy bool - Whether to attach a poweruser policy to a role.
- attach_readonly_policy bool - Whether to attach a readonly policy to a role.
- custom_role_trust_policy str - A custom role trust policy.
- force_detach_policies bool - Whether policies should be detached from this role when destroying.
- max_session_duration int - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfa_age int - Max age of valid MFA (in seconds) for roles which require MFA.
- role RoleWithMFAArgs - An IAM role that requires MFA.
- role_sts_external_ids Sequence[str] - STS ExternalId condition values to use with a role (when MFA is not required).
- tags Mapping[str, str] - A map of tags to add.
- trusted_role_actions Sequence[str] - Actions of STS.
- trusted_role_arns Sequence[str] - ARNs of AWS entities who can assume these roles.
- trusted_role_services Sequence[str] - AWS Services that can assume these roles.
- attachAdminPolicy Boolean - Whether to attach an admin policy to a role.
- attachPoweruserPolicy Boolean - Whether to attach a poweruser policy to a role.
- attachReadonlyPolicy Boolean - Whether to attach a readonly policy to a role.
- customRoleTrustPolicy String - A custom role trust policy.
- forceDetachPolicies Boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration Number - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfaAge Number - Max age of valid MFA (in seconds) for roles which require MFA.
- role Property Map - An IAM role that requires MFA.
- roleStsExternalIds List<String> - STS ExternalId condition values to use with a role (when MFA is not required).
- tags Map<String> - A map of tags to add.
- trustedRoleActions List<String> - Actions of STS.
- trustedRoleArns List<String> - ARNs of AWS entities who can assume these roles.
- trustedRoleServices List<String> - AWS Services that can assume these roles.
Outputs
All input properties are implicitly available as output properties. Additionally, the AssumableRole resource produces the following output properties:
- InstanceProfile Dictionary<string, string>
- InstanceProfile map[string]string
- instanceProfile Map<String,String>
- instanceProfile {[key: string]: string}
- instance_profile Mapping[str, str]
- instanceProfile Map<String>
Supporting Types
RoleWithMFA, RoleWithMFAArgs
- Name string - IAM role with the access.
- Path string - Path of the IAM role.
- PermissionsBoundaryArn string - Permissions boundary ARN to use for the role.
- PolicyArns List<string> - List of policy ARNs to use for the role.
- RequiresMfa bool - Whether the role requires MFA.
- Tags Dictionary<string, string> - A map of tags to add.
- Name string - IAM role with the access.
- Path string - Path of the IAM role.
- PermissionsBoundaryArn string - Permissions boundary ARN to use for the role.
- PolicyArns []string - List of policy ARNs to use for the role.
- RequiresMfa bool - Whether the role requires MFA.
- Tags map[string]string - A map of tags to add.
- name String - IAM role with the access.
- path String - Path of the IAM role.
- permissionsBoundaryArn String - Permissions boundary ARN to use for the role.
- policyArns List<String> - List of policy ARNs to use for the role.
- requiresMfa Boolean - Whether the role requires MFA.
- tags Map<String,String> - A map of tags to add.
- name string - IAM role with the access.
- path string - Path of the IAM role.
- permissionsBoundaryArn string - Permissions boundary ARN to use for the role.
- policyArns string[] - List of policy ARNs to use for the role.
- requiresMfa boolean - Whether the role requires MFA.
- tags {[key: string]: string} - A map of tags to add.
- name str - IAM role with the access.
- path str - Path of the IAM role.
- permissions_boundary_arn str - Permissions boundary ARN to use for the role.
- policy_arns Sequence[str] - List of policy ARNs to use for the role.
- requires_mfa bool - Whether the role requires MFA.
- tags Mapping[str, str] - A map of tags to add.
- name String - IAM role with the access.
- path String - Path of the IAM role.
- permissionsBoundaryArn String - Permissions boundary ARN to use for the role.
- policyArns List<String> - List of policy ARNs to use for the role.
- requiresMfa Boolean - Whether the role requires MFA.
- tags Map<String> - A map of tags to add.
Package Details
- Repository
- aws-iam
- License