aws-iam.AssumableRoles
This resource helps you create predefined IAM roles (admin, poweruser, and readonly) which can be assumed by trusted resources. Trusted resources can be any IAM ARNs, typically AWS accounts and users.
Example Usage
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
/// <summary>
/// Example stack: creates the predefined admin, poweruser and readonly IAM roles
/// for a fixed list of trusted principals and exposes the component as a stack output.
/// </summary>
class MyStack : Stack
{
    /// <summary>The AssumableRoles component provisioned by the constructor.</summary>
    [Output]
    public Output<AssumableRoles> AssumableRoles { get; set; }

    public MyStack()
    {
        var roleArgs = new AssumableRolesArgs
        {
            // Sample principals. An account-root ARN trusts that account as a whole; which of its
            // identities may assume these roles is then decided by that account's own IAM policies.
            TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"},
            // Default arguments. NOTE(review): the default of RequiresMfa is not visible here;
            // set it explicitly where MFA must be enforced on the admin role.
            Admin = new AdminRoleWithMFAArgs(),
            // The poweruser role is created under the name "developer".
            Poweruser = new PoweruserRoleWithMFAArgs { Name = "developer" },
            // MFA is required explicitly for the readonly role.
            Readonly = new ReadonlyRoleWithMFAArgs { RequiresMfa = true },
        };

        var roles = new AssumableRoles("assumable-roles", roleArgs);
        this.AssumableRoles = Output.Create<AssumableRoles>(roles);
    }
}
package main
import (
iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates the predefined admin, poweruser and readonly IAM roles for a
// fixed list of trusted principals and exports the component as "assumableRoles".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Sample principals. An account-root ARN trusts that account as a whole;
		// which of its identities may assume these roles is then decided by that
		// account's own IAM policies.
		trusted := pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"})

		roleArgs := &iam.AssumableRolesArgs{
			TrustedRoleArns: trusted,
			// Default arguments. NOTE(review): the default of RequiresMfa is not
			// visible here; set it explicitly where MFA must be enforced.
			Admin: iam.AdminRoleWithMFAArgs{},
			// The poweruser role is created under the name "developer".
			Poweruser: iam.PoweruserRoleWithMFAArgs{Name: pulumi.String("developer")},
			// MFA is required explicitly for the readonly role.
			Readonly: iam.ReadonlyRoleWithMFAArgs{RequiresMfa: pulumi.BoolPtr(true)},
		}

		roles, err := iam.NewAssumableRoles(ctx, "assumable-roles", roleArgs)
		if err != nil {
			return err
		}

		ctx.Export("assumableRoles", roles)
		return nil
	})
}
Coming soon!
import pulumi
import pulumi_aws_iam as iam
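# Creates the predefined admin, poweruser and readonly IAM roles and exports
# the component as 'assumable_roles'.
assumable_roles = iam.AssumableRoles(
    'assumable_roles',
    # Sample principals. An account-root ARN trusts that account as a whole;
    # which of its identities may assume these roles is then decided by that
    # account's own IAM policies.
    trusted_role_arns=[
        'arn:aws:iam::307990089504:root',
        'arn:aws:iam::835367859851:user/pulumipus',
    ],
    # The AssumableRoles constructor documents the *WithMFAArgs classes for
    # admin and poweruser; they carry the requires_mfa field, matching the
    # readonly argument below.
    # NOTE(review): the default of requires_mfa is not visible here; set it
    # explicitly where MFA must be enforced on the admin role.
    admin=iam.AdminRoleWithMFAArgs(),
    poweruser=iam.PoweruserRoleWithMFAArgs(
        name='developer',
    ),
    # MFA is required explicitly for the readonly role.
    readonly=iam.ReadonlyRoleWithMFAArgs(
        requires_mfa=True,
    ),
)
pulumi.export('assumable_roles', assumable_roles)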
import * as iam from "@pulumi/aws-iam";
// Sample principals. An account-root ARN trusts that account as a whole; which
// of its identities may assume these roles is then decided by that account's
// own IAM policies.
const trustedRoleArns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/pulumipus",
];

/** Predefined admin, poweruser and readonly roles assumable by the principals above. */
export const assumableRoles = new iam.AssumableRoles("aws-iam-example-assumable-roles", {
    trustedRoleArns,
    // Default arguments. NOTE(review): the default of requiresMfa is not
    // visible here; set it explicitly where MFA must be enforced.
    admin: {},
    // The poweruser role is created under the name "developer".
    poweruser: { name: "developer" },
    // MFA is required explicitly for the readonly role.
    readonly: { requiresMfa: true },
});
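# Pulumi YAML program: creates the predefined IAM roles and exports the component.
name: awsiam-yaml
runtime: yaml
resources:
  assumableRoles:
    type: "aws-iam:index:AssumableRoles"
    properties:
      # Sample principals. An account-root ARN trusts that account as a whole;
      # which of its identities may assume these roles is then decided by that
      # account's own IAM policies.
      trustedRoleArns:
        - "arn:aws:iam::307990089504:root"
        - "arn:aws:iam::835367859851:user/pulumipus"
      # Unlike the other language examples, no `admin` block is set here.
      poweruser:
        name: "developer"
      # MFA is required explicitly for the readonly role.
      readonly:
        requiresMfa: true
outputs:
  assumableRoles: ${assumableRoles}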
Create AssumableRoles Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AssumableRoles(name: string, args: AssumableRolesArgs, opts?: ComponentResourceOptions);
@overload
def AssumableRoles(resource_name: str,
args: AssumableRolesArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AssumableRoles(resource_name: str,
opts: Optional[ResourceOptions] = None,
admin: Optional[AdminRoleWithMFAArgs] = None,
force_detach_policies: Optional[bool] = None,
max_session_duration: Optional[int] = None,
mfa_age: Optional[int] = None,
poweruser: Optional[PoweruserRoleWithMFAArgs] = None,
readonly: Optional[ReadonlyRoleWithMFAArgs] = None,
trusted_role_arns: Optional[Sequence[str]] = None,
trusted_role_services: Optional[Sequence[str]] = None)
func NewAssumableRoles(ctx *Context, name string, args AssumableRolesArgs, opts ...ResourceOption) (*AssumableRoles, error)
public AssumableRoles(string name, AssumableRolesArgs args, ComponentResourceOptions? opts = null)
public AssumableRoles(String name, AssumableRolesArgs args)
public AssumableRoles(String name, AssumableRolesArgs args, ComponentResourceOptions options)
type: aws-iam:AssumableRoles
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AssumableRolesArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AssumableRolesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AssumableRolesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AssumableRolesArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AssumableRolesArgs
- The arguments to resource properties.
- options ComponentResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every value below is a placeholder, not a recommended setting.
// RequiresMfa = false leaves a role assumable without MFA, and MaxSessionDuration = 0
// is outside the documented 3600-43200 second range.
var adminRole = new AwsIam.Inputs.AdminRoleWithMFAArgs
{
    Name = "string",
    Path = "string",
    PermissionsBoundaryArn = "string",
    PolicyArns = new[] { "string" },
    RequiresMfa = false,
    Tags = { { "string", "string" } },
};

var poweruserRole = new AwsIam.Inputs.PoweruserRoleWithMFAArgs
{
    Name = "string",
    Path = "string",
    PermissionsBoundaryArn = "string",
    PolicyArns = new[] { "string" },
    RequiresMfa = false,
    Tags = { { "string", "string" } },
};

var readonlyRole = new AwsIam.Inputs.ReadonlyRoleWithMFAArgs
{
    Name = "string",
    Path = "string",
    PermissionsBoundaryArn = "string",
    PolicyArns = new[] { "string" },
    RequiresMfa = false,
    Tags = { { "string", "string" } },
};

var assumableRolesResource = new AwsIam.AssumableRoles("assumableRolesResource", new()
{
    Admin = adminRole,
    ForceDetachPolicies = false,
    MaxSessionDuration = 0,
    // Max age of valid MFA, in seconds, for the roles that require MFA.
    MfaAge = 0,
    Poweruser = poweruserRole,
    Readonly = readonlyRole,
    // Every ARN and service listed in the next two properties can assume all of the roles.
    TrustedRoleArns = new[] { "string" },
    TrustedRoleServices = new[] { "string" },
});
// Reference example: every value below is a placeholder, not a recommended setting.
// RequiresMfa false leaves a role assumable without MFA, and MaxSessionDuration 0
// is outside the documented 3600-43200 second range.
adminRole := &awsiam.AdminRoleWithMFAArgs{
	Name:                   pulumi.String("string"),
	Path:                   pulumi.String("string"),
	PermissionsBoundaryArn: pulumi.String("string"),
	PolicyArns:             pulumi.StringArray{pulumi.String("string")},
	RequiresMfa:            pulumi.Bool(false),
	Tags:                   pulumi.StringMap{"string": pulumi.String("string")},
}

poweruserRole := &awsiam.PoweruserRoleWithMFAArgs{
	Name:                   pulumi.String("string"),
	Path:                   pulumi.String("string"),
	PermissionsBoundaryArn: pulumi.String("string"),
	PolicyArns:             pulumi.StringArray{pulumi.String("string")},
	RequiresMfa:            pulumi.Bool(false),
	Tags:                   pulumi.StringMap{"string": pulumi.String("string")},
}

readonlyRole := &awsiam.ReadonlyRoleWithMFAArgs{
	Name:                   pulumi.String("string"),
	Path:                   pulumi.String("string"),
	PermissionsBoundaryArn: pulumi.String("string"),
	PolicyArns:             pulumi.StringArray{pulumi.String("string")},
	RequiresMfa:            pulumi.Bool(false),
	Tags:                   pulumi.StringMap{"string": pulumi.String("string")},
}

example, err := awsiam.NewAssumableRoles(ctx, "assumableRolesResource", &awsiam.AssumableRolesArgs{
	Admin:               adminRole,
	ForceDetachPolicies: pulumi.Bool(false),
	MaxSessionDuration:  pulumi.Int(0),
	// Max age of valid MFA, in seconds, for the roles that require MFA.
	MfaAge:    pulumi.Int(0),
	Poweruser: poweruserRole,
	Readonly:  readonlyRole,
	// Every ARN and service listed in the next two fields can assume all of the roles.
	TrustedRoleArns:     pulumi.StringArray{pulumi.String("string")},
	TrustedRoleServices: pulumi.StringArray{pulumi.String("string")},
})
// Reference example: every value below is a placeholder, not a recommended setting.
// requiresMfa(false) leaves a role assumable without MFA, and maxSessionDuration(0)
// is outside the documented 3600-43200 second range.
var adminRole = AdminRoleWithMFAArgs.builder()
    .name("string")
    .path("string")
    .permissionsBoundaryArn("string")
    .policyArns("string")
    .requiresMfa(false)
    .tags(Map.of("string", "string"))
    .build();

var poweruserRole = PoweruserRoleWithMFAArgs.builder()
    .name("string")
    .path("string")
    .permissionsBoundaryArn("string")
    .policyArns("string")
    .requiresMfa(false)
    .tags(Map.of("string", "string"))
    .build();

var readonlyRole = ReadonlyRoleWithMFAArgs.builder()
    .name("string")
    .path("string")
    .permissionsBoundaryArn("string")
    .policyArns("string")
    .requiresMfa(false)
    .tags(Map.of("string", "string"))
    .build();

var assumableRolesResource = new AssumableRoles("assumableRolesResource", AssumableRolesArgs.builder()
    .admin(adminRole)
    .forceDetachPolicies(false)
    .maxSessionDuration(0)
    // Max age of valid MFA, in seconds, for the roles that require MFA.
    .mfaAge(0)
    .poweruser(poweruserRole)
    .readonly(readonlyRole)
    // Every ARN and service listed in the next two calls can assume all of the roles.
    .trustedRoleArns("string")
    .trustedRoleServices("string")
    .build());
# Reference example: every value below is a placeholder, not a recommended setting.
# "requires_mfa": False leaves a role assumable without MFA, and
# max_session_duration=0 is outside the documented 3600-43200 second range.
admin_role = {
    "name": "string",
    "path": "string",
    "permissions_boundary_arn": "string",
    "policy_arns": ["string"],
    "requires_mfa": False,
    "tags": {"string": "string"},
}

poweruser_role = {
    "name": "string",
    "path": "string",
    "permissions_boundary_arn": "string",
    "policy_arns": ["string"],
    "requires_mfa": False,
    "tags": {"string": "string"},
}

readonly_role = {
    "name": "string",
    "path": "string",
    "permissions_boundary_arn": "string",
    "policy_arns": ["string"],
    "requires_mfa": False,
    "tags": {"string": "string"},
}

assumable_roles_resource = aws_iam.AssumableRoles(
    "assumableRolesResource",
    admin=admin_role,
    force_detach_policies=False,
    max_session_duration=0,
    # Max age of valid MFA, in seconds, for the roles that require MFA.
    mfa_age=0,
    poweruser=poweruser_role,
    readonly=readonly_role,
    # Every ARN and service listed in the next two arguments can assume all of the roles.
    trusted_role_arns=["string"],
    trusted_role_services=["string"],
)
// Reference example: every value below is a placeholder, not a recommended setting.
// requiresMfa: false leaves a role assumable without MFA, and maxSessionDuration: 0
// is outside the documented 3600-43200 second range.
const adminRole = {
    name: "string",
    path: "string",
    permissionsBoundaryArn: "string",
    policyArns: ["string"],
    requiresMfa: false,
    tags: { string: "string" },
};

const poweruserRole = {
    name: "string",
    path: "string",
    permissionsBoundaryArn: "string",
    policyArns: ["string"],
    requiresMfa: false,
    tags: { string: "string" },
};

const readonlyRole = {
    name: "string",
    path: "string",
    permissionsBoundaryArn: "string",
    policyArns: ["string"],
    requiresMfa: false,
    tags: { string: "string" },
};

const assumableRolesResource = new aws_iam.AssumableRoles("assumableRolesResource", {
    admin: adminRole,
    forceDetachPolicies: false,
    maxSessionDuration: 0,
    // Max age of valid MFA, in seconds, for the roles that require MFA.
    mfaAge: 0,
    poweruser: poweruserRole,
    readonly: readonlyRole,
    // Every ARN and service listed in the next two properties can assume all of the roles.
    trustedRoleArns: ["string"],
    trustedRoleServices: ["string"],
});
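# Reference example: every value below is a placeholder, not a recommended setting.
# requiresMfa: false leaves a role assumable without MFA, and maxSessionDuration: 0
# is outside the documented 3600-43200 second range.
type: aws-iam:AssumableRoles
properties:
  admin:
    name: string
    path: string
    permissionsBoundaryArn: string
    policyArns:
      - string
    requiresMfa: false
    tags:
      string: string
  forceDetachPolicies: false
  maxSessionDuration: 0
  # Max age of valid MFA, in seconds, for the roles that require MFA.
  mfaAge: 0
  poweruser:
    name: string
    path: string
    permissionsBoundaryArn: string
    policyArns:
      - string
    requiresMfa: false
    tags:
      string: string
  readonly:
    name: string
    path: string
    permissionsBoundaryArn: string
    policyArns:
      - string
    requiresMfa: false
    tags:
      string: string
  # Every ARN and service listed in the next two properties can assume all of the roles.
  trustedRoleArns:
    - string
  trustedRoleServices:
    - string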
AssumableRoles Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AssumableRoles resource accepts the following input properties:
- Admin Pulumi.AwsIam.Inputs.AdminRoleWithMFA
- ForceDetachPolicies bool - Whether policies should be detached from this role when destroying.
- MaxSessionDuration int - Maximum CLI/API session duration in seconds between 3600 and 43200.
- MfaAge int - Max age of valid MFA (in seconds) for roles which require MFA.
- Poweruser Pulumi.AwsIam.Inputs.PoweruserRoleWithMFA
- Readonly Pulumi.AwsIam.Inputs.ReadonlyRoleWithMFA
- TrustedRoleArns List<string> - ARNs of AWS entities who can assume these roles.
- TrustedRoleServices List<string> - AWS Services that can assume these roles.
- Admin AdminRoleWithMFAArgs
- ForceDetachPolicies bool - Whether policies should be detached from this role when destroying.
- MaxSessionDuration int - Maximum CLI/API session duration in seconds between 3600 and 43200.
- MfaAge int - Max age of valid MFA (in seconds) for roles which require MFA.
- Poweruser PoweruserRoleWithMFAArgs
- Readonly ReadonlyRoleWithMFAArgs
- TrustedRoleArns []string - ARNs of AWS entities who can assume these roles.
- TrustedRoleServices []string - AWS Services that can assume these roles.
- admin AdminRoleWithMFA
- forceDetachPolicies Boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration Integer - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfaAge Integer - Max age of valid MFA (in seconds) for roles which require MFA.
- poweruser PoweruserRoleWithMFA
- readonly ReadonlyRoleWithMFA
- trustedRoleArns List<String> - ARNs of AWS entities who can assume these roles.
- trustedRoleServices List<String> - AWS Services that can assume these roles.
- admin AdminRoleWithMFA
- forceDetachPolicies boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration number - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfaAge number - Max age of valid MFA (in seconds) for roles which require MFA.
- poweruser PoweruserRoleWithMFA
- readonly ReadonlyRoleWithMFA
- trustedRoleArns string[] - ARNs of AWS entities who can assume these roles.
- trustedRoleServices string[] - AWS Services that can assume these roles.
- admin AdminRoleWithMFAArgs
- force_detach_policies bool - Whether policies should be detached from this role when destroying.
- max_session_duration int - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfa_age int - Max age of valid MFA (in seconds) for roles which require MFA.
- poweruser PoweruserRoleWithMFAArgs
- readonly ReadonlyRoleWithMFAArgs
- trusted_role_arns Sequence[str] - ARNs of AWS entities who can assume these roles.
- trusted_role_services Sequence[str] - AWS Services that can assume these roles.
- admin Property Map
- forceDetachPolicies Boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration Number - Maximum CLI/API session duration in seconds between 3600 and 43200.
- mfaAge Number - Max age of valid MFA (in seconds) for roles which require MFA.
- poweruser Property Map
- readonly Property Map
- trustedRoleArns List<String> - ARNs of AWS entities who can assume these roles.
- trustedRoleServices List<String> - AWS Services that can assume these roles.
Outputs
All input properties are implicitly available as output properties. Additionally, the AssumableRoles resource produces the following output properties:
Supporting Types
AdminRoleWithMFA, AdminRoleWithMFAArgs
- Name string
- IAM role with admin access.
- Path string
- Path of admin IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for admin role.
- PolicyArns List<string>
- List of policy ARNs to use for admin role.
- RequiresMfa bool
- Whether admin role requires MFA.
- Tags Dictionary<string, string>
- A map of tags to add.
- Name string
- IAM role with admin access.
- Path string
- Path of admin IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for admin role.
- PolicyArns []string
- List of policy ARNs to use for admin role.
- RequiresMfa bool
- Whether admin role requires MFA.
- Tags map[string]string
- A map of tags to add.
- name String
- IAM role with admin access.
- path String
- Path of admin IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for admin role.
- policyArns List<String>
- List of policy ARNs to use for admin role.
- requiresMfa Boolean
- Whether admin role requires MFA.
- tags Map<String,String>
- A map of tags to add.
- name string
- IAM role with admin access.
- path string
- Path of admin IAM role.
- permissionsBoundaryArn string
- Permissions boundary ARN to use for admin role.
- policyArns string[]
- List of policy ARNs to use for admin role.
- requiresMfa boolean
- Whether admin role requires MFA.
- tags {[key: string]: string}
- A map of tags to add.
- name str
- IAM role with admin access.
- path str
- Path of admin IAM role.
- permissions_boundary_arn str
- Permissions boundary ARN to use for admin role.
- policy_arns Sequence[str]
- List of policy ARNs to use for admin role.
- requires_mfa bool
- Whether admin role requires MFA.
- tags Mapping[str, str]
- A map of tags to add.
- name String
- IAM role with admin access.
- path String
- Path of admin IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for admin role.
- policyArns List<String>
- List of policy ARNs to use for admin role.
- requiresMfa Boolean
- Whether admin role requires MFA.
- tags Map<String>
- A map of tags to add.
PoweruserRoleWithMFA, PoweruserRoleWithMFAArgs
- Name string
- IAM role with poweruser access.
- Path string
- Path of poweruser IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for poweruser role.
- PolicyArns List<string>
- List of policy ARNs to use for poweruser role.
- RequiresMfa bool
- Whether poweruser role requires MFA.
- Tags Dictionary<string, string>
- A map of tags to add.
- Name string
- IAM role with poweruser access.
- Path string
- Path of poweruser IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for poweruser role.
- PolicyArns []string
- List of policy ARNs to use for poweruser role.
- RequiresMfa bool
- Whether poweruser role requires MFA.
- Tags map[string]string
- A map of tags to add.
- name String
- IAM role with poweruser access.
- path String
- Path of poweruser IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for poweruser role.
- policyArns List<String>
- List of policy ARNs to use for poweruser role.
- requiresMfa Boolean
- Whether poweruser role requires MFA.
- tags Map<String,String>
- A map of tags to add.
- name string
- IAM role with poweruser access.
- path string
- Path of poweruser IAM role.
- permissionsBoundaryArn string
- Permissions boundary ARN to use for poweruser role.
- policyArns string[]
- List of policy ARNs to use for poweruser role.
- requiresMfa boolean
- Whether poweruser role requires MFA.
- tags {[key: string]: string}
- A map of tags to add.
- name str
- IAM role with poweruser access.
- path str
- Path of poweruser IAM role.
- permissions_boundary_arn str
- Permissions boundary ARN to use for poweruser role.
- policy_arns Sequence[str]
- List of policy ARNs to use for poweruser role.
- requires_mfa bool
- Whether poweruser role requires MFA.
- tags Mapping[str, str]
- A map of tags to add.
- name String
- IAM role with poweruser access.
- path String
- Path of poweruser IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for poweruser role.
- policyArns List<String>
- List of policy ARNs to use for poweruser role.
- requiresMfa Boolean
- Whether poweruser role requires MFA.
- tags Map<String>
- A map of tags to add.
ReadonlyRoleWithMFA, ReadonlyRoleWithMFAArgs
- Name string
- IAM role with readonly access.
- Path string
- Path of readonly IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for readonly role.
- PolicyArns List<string>
- List of policy ARNs to use for readonly role.
- RequiresMfa bool
- Whether readonly role requires MFA.
- Tags Dictionary<string, string>
- A map of tags to add.
- Name string
- IAM role with readonly access.
- Path string
- Path of readonly IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for readonly role.
- PolicyArns []string
- List of policy ARNs to use for readonly role.
- RequiresMfa bool
- Whether readonly role requires MFA.
- Tags map[string]string
- A map of tags to add.
- name String
- IAM role with readonly access.
- path String
- Path of readonly IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for readonly role.
- policyArns List<String>
- List of policy ARNs to use for readonly role.
- requiresMfa Boolean
- Whether readonly role requires MFA.
- tags Map<String,String>
- A map of tags to add.
- name string
- IAM role with readonly access.
- path string
- Path of readonly IAM role.
- permissionsBoundaryArn string
- Permissions boundary ARN to use for readonly role.
- policyArns string[]
- List of policy ARNs to use for readonly role.
- requiresMfa boolean
- Whether readonly role requires MFA.
- tags {[key: string]: string}
- A map of tags to add.
- name str
- IAM role with readonly access.
- path str
- Path of readonly IAM role.
- permissions_boundary_arn str
- Permissions boundary ARN to use for readonly role.
- policy_arns Sequence[str]
- List of policy ARNs to use for readonly role.
- requires_mfa bool
- Whether readonly role requires MFA.
- tags Mapping[str, str]
- A map of tags to add.
- name String
- IAM role with readonly access.
- path String
- Path of readonly IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for readonly role.
- policyArns List<String>
- List of policy ARNs to use for readonly role.
- requiresMfa Boolean
- Whether readonly role requires MFA.
- tags Map<String>
- A map of tags to add.
Package Details
- Repository
- aws-iam
- License