aws-iam.AssumableRoleWithOIDC
This resource helps you create a single IAM role which can be assumed by trusted resources using OpenID Connect federated users.
Example Usage
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
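class MyStack : Stack
{
    /// <summary>
    /// Creates one IAM role that trusted workloads can assume through an OIDC identity provider
    /// and publishes the component as a stack output.
    /// </summary>
    public MyStack()
    {
        var assumableRoleWithOidc = new AssumableRoleWithOIDC("assumable-role-with-oidc", new AssumableRoleWithOIDCArgs
        {
            // The IAM role itself: its name and the managed policies attached to it.
            Role = new RoleArgs
            {
                Name = "oidc-role",
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
            },
            Tags = new InputMap<string>
            {
                // Tag value now matches the role name and the other language examples (was the typo "odic-role").
                {"Role", "oidc-role"},
            },
            // Example issuer URL of the trusted OIDC provider; replace with your own provider's URL.
            ProviderUrls = {"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"},
            // NOTE(review): neither OidcFullyQualifiedSubjects nor OidcSubjectsWithWildcards is set here;
            // confirm the resulting trust policy limits which subjects of this provider may assume the role.
        });
        this.AssumableRoleWithOidc = Output.Create<AssumableRoleWithOIDC>(assumableRoleWithOidc);
    }

    /// <summary>The created role component, exported as a stack output.</summary>
    [Output]
    public Output<AssumableRoleWithOIDC> AssumableRoleWithOidc { get; set; }
}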
package main
import (
iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares one IAM role that trusted workloads can assume through an OIDC
// identity provider and exports the component from the stack.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The IAM role itself: its name and the managed policies attached to it.
		roleSpec := iam.RoleArgs{
			Name:       pulumi.String("oidc-role"),
			PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
		}

		args := &iam.AssumableRoleWithOIDCArgs{
			Role: roleSpec,
			Tags: pulumi.ToStringMap(map[string]string{"Role": "oidc-role"}),
			// Example issuer URL of the trusted OIDC provider; replace with your own provider's URL.
			ProviderUrls: pulumi.ToStringArray([]string{"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"}),
			// NOTE(review): neither OidcFullyQualifiedSubjects nor OidcSubjectsWithWildcards is set here;
			// confirm the resulting trust policy limits which subjects of this provider may assume the role.
		}

		role, err := iam.NewAssumableRoleWithOIDC(ctx, "assumable-role-with-oidc", args)
		if err != nil {
			return err
		}

		ctx.Export("assumableRoleWithOIDC", role)
		return nil
	})
}
import pulumi
import pulumi_aws_iam as iam
# The IAM role itself: its name and the managed policies attached to it.
role_args = iam.RoleArgs(
    name='oidc-role',
    policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],
)

# NOTE(review): neither oidc_fully_qualified_subjects nor oidc_subjects_with_wildcards is set here;
# confirm the resulting trust policy limits which subjects of this provider may assume the role.
assumable_role_with_oidc = iam.AssumableRoleWithOIDC(
    'assumable_role_with_oidc',
    role=role_args,
    # Example issuer URL of the trusted OIDC provider; replace with your own provider's URL.
    provider_urls=['oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8'],
    tags={'Role': 'oidc-role'},
)

# Publish the component as a stack output.
pulumi.export('assumable_role_with_oidc', assumable_role_with_oidc)
import * as iam from "@pulumi/aws-iam";
// The IAM role itself: its name and the managed policies attached to it.
const roleSpec = {
    name: "oidc-role",
    policyArns: ["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"],
};

// One IAM role that trusted workloads can assume through an OIDC identity provider,
// exported as a stack output.
// NOTE(review): neither oidcFullyQualifiedSubjects nor oidcSubjectsWithWildcards is set here;
// confirm the resulting trust policy limits which subjects of this provider may assume the role.
export const assumableRoleWithOidc = new iam.AssumableRoleWithOIDC("aws-iam-example-assumable-role-with-oidc", {
    role: roleSpec,
    // Example issuer URL of the trusted OIDC provider; replace with your own provider's URL.
    providerUrls: ["oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"],
    tags: { Role: "oidc-role" },
});
name: awsiam-yaml
runtime: yaml
resources:
  # One IAM role that trusted workloads can assume through an OIDC identity provider.
  assumableRoleWithOidc:
    type: "aws-iam:index:AssumableRoleWithOIDC"
    properties:
      # The IAM role itself: its name and the managed policies attached to it.
      role:
        name: "oidc-role"
        policyArns:
          - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
      tags:
        Role: "oidc-role"
      # Example issuer URL of the trusted OIDC provider; replace with your own provider's URL.
      providerUrls:
        - "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
      # NOTE(review): neither oidcFullyQualifiedSubjects nor oidcSubjectsWithWildcards is set here;
      # confirm the resulting trust policy limits which subjects of this provider may assume the role.
outputs:
  # Publish the component as a stack output.
  assumableRoleWithOidc: ${assumableRoleWithOidc}
Create AssumableRoleWithOIDC Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AssumableRoleWithOIDC(name: string, args?: AssumableRoleWithOIDCArgs, opts?: ComponentResourceOptions);
@overload
def AssumableRoleWithOIDC(resource_name: str,
args: Optional[AssumableRoleWithOIDCArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def AssumableRoleWithOIDC(resource_name: str,
opts: Optional[ResourceOptions] = None,
aws_account_id: Optional[str] = None,
force_detach_policies: Optional[bool] = None,
max_session_duration: Optional[int] = None,
oidc_fully_qualified_audiences: Optional[Sequence[str]] = None,
oidc_fully_qualified_subjects: Optional[Sequence[str]] = None,
oidc_subjects_with_wildcards: Optional[Sequence[str]] = None,
provider_urls: Optional[Sequence[str]] = None,
role: Optional[RoleArgs] = None,
tags: Optional[Mapping[str, str]] = None)
func NewAssumableRoleWithOIDC(ctx *Context, name string, args *AssumableRoleWithOIDCArgs, opts ...ResourceOption) (*AssumableRoleWithOIDC, error)
public AssumableRoleWithOIDC(string name, AssumableRoleWithOIDCArgs? args = null, ComponentResourceOptions? opts = null)
public AssumableRoleWithOIDC(String name, AssumableRoleWithOIDCArgs args)
public AssumableRoleWithOIDC(String name, AssumableRoleWithOIDCArgs args, ComponentResourceOptions options)
type: aws-iam:AssumableRoleWithOIDC
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AssumableRoleWithOIDCArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AssumableRoleWithOIDCArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AssumableRoleWithOIDCArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AssumableRoleWithOIDCArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AssumableRoleWithOIDCArgs
- The arguments to resource properties.
- options ComponentResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example with placeholder values: every "string" must be replaced with a real value.
// NOTE(review): MaxSessionDuration = 0 lies outside the 3600-43200 range documented under Inputs.
var assumableRoleWithOIDCResource = new AwsIam.AssumableRoleWithOIDC("assumableRoleWithOIDCResource", new()
{
    AwsAccountId = "string",
    ForceDetachPolicies = false,
    MaxSessionDuration = 0,
    OidcFullyQualifiedAudiences = new[]
    {
        "string",
    },
    OidcFullyQualifiedSubjects = new[]
    {
        "string",
    },
    OidcSubjectsWithWildcards = new[]
    {
        "string",
    },
    ProviderUrls = new[]
    {
        "string",
    },
    Role = new AwsIam.Inputs.RoleArgs
    {
        Name = "string",
        NamePrefix = "string",
        Path = "string",
        PermissionsBoundaryArn = "string",
        PolicyArns = new[]
        {
            "string",
        },
    },
    Tags =
    {
        { "string", "string" },
    },
});
// Reference example with placeholder values: every "string" must be replaced with a real value.
// NOTE(review): MaxSessionDuration of 0 lies outside the 3600-43200 range documented under Inputs.
example, err := awsiam.NewAssumableRoleWithOIDC(ctx, "assumableRoleWithOIDCResource", &awsiam.AssumableRoleWithOIDCArgs{
	AwsAccountId:        pulumi.String("string"),
	ForceDetachPolicies: pulumi.Bool(false),
	MaxSessionDuration:  pulumi.Int(0),
	OidcFullyQualifiedAudiences: pulumi.StringArray{
		pulumi.String("string"),
	},
	OidcFullyQualifiedSubjects: pulumi.StringArray{
		pulumi.String("string"),
	},
	OidcSubjectsWithWildcards: pulumi.StringArray{
		pulumi.String("string"),
	},
	ProviderUrls: pulumi.StringArray{
		pulumi.String("string"),
	},
	Role: &awsiam.RoleArgs{
		Name:                   pulumi.String("string"),
		NamePrefix:             pulumi.String("string"),
		Path:                   pulumi.String("string"),
		PermissionsBoundaryArn: pulumi.String("string"),
		PolicyArns: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})
// Reference example with placeholder values: every "string" must be replaced with a real value.
// NOTE(review): maxSessionDuration(0) lies outside the 3600-43200 range documented under Inputs.
var assumableRoleWithOIDCResource = new AssumableRoleWithOIDC("assumableRoleWithOIDCResource", AssumableRoleWithOIDCArgs.builder()
    .awsAccountId("string")
    .forceDetachPolicies(false)
    .maxSessionDuration(0)
    .oidcFullyQualifiedAudiences("string")
    .oidcFullyQualifiedSubjects("string")
    .oidcSubjectsWithWildcards("string")
    .providerUrls("string")
    .role(RoleArgs.builder()
        .name("string")
        .namePrefix("string")
        .path("string")
        .permissionsBoundaryArn("string")
        .policyArns("string")
        .build())
    .tags(Map.of("string", "string"))
    .build());
# Reference example with placeholder values: every "string" must be replaced with a real value.
# NOTE(review): max_session_duration=0 lies outside the 3600-43200 range documented under Inputs.
assumable_role_with_oidc_resource = aws_iam.AssumableRoleWithOIDC("assumableRoleWithOIDCResource",
    aws_account_id="string",
    force_detach_policies=False,
    max_session_duration=0,
    oidc_fully_qualified_audiences=["string"],
    oidc_fully_qualified_subjects=["string"],
    oidc_subjects_with_wildcards=["string"],
    provider_urls=["string"],
    # The role object may be passed as a dictionary literal instead of RoleArgs.
    role={
        "name": "string",
        "name_prefix": "string",
        "path": "string",
        "permissions_boundary_arn": "string",
        "policy_arns": ["string"],
    },
    tags={
        "string": "string",
    })
// Reference example with placeholder values: every "string" must be replaced with a real value.
// NOTE(review): maxSessionDuration: 0 lies outside the 3600-43200 range documented under Inputs.
const assumableRoleWithOIDCResource = new aws_iam.AssumableRoleWithOIDC("assumableRoleWithOIDCResource", {
    awsAccountId: "string",
    forceDetachPolicies: false,
    maxSessionDuration: 0,
    oidcFullyQualifiedAudiences: ["string"],
    oidcFullyQualifiedSubjects: ["string"],
    oidcSubjectsWithWildcards: ["string"],
    providerUrls: ["string"],
    role: {
        name: "string",
        namePrefix: "string",
        path: "string",
        permissionsBoundaryArn: "string",
        policyArns: ["string"],
    },
    tags: {
        string: "string",
    },
});
# Reference example with placeholder values: every "string" must be replaced with a real value.
# NOTE(review): maxSessionDuration: 0 lies outside the 3600-43200 range documented under Inputs.
type: aws-iam:AssumableRoleWithOIDC
properties:
  awsAccountId: string
  forceDetachPolicies: false
  maxSessionDuration: 0
  oidcFullyQualifiedAudiences:
    - string
  oidcFullyQualifiedSubjects:
    - string
  oidcSubjectsWithWildcards:
    - string
  providerUrls:
    - string
  role:
    name: string
    namePrefix: string
    path: string
    permissionsBoundaryArn: string
    policyArns:
      - string
  tags:
    string: string
AssumableRoleWithOIDC Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AssumableRoleWithOIDC resource accepts the following input properties:
- AwsAccountId string - The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.
- ForceDetachPolicies bool - Whether policies should be detached from this role when destroying.
- MaxSessionDuration int - Maximum CLI/API session duration in seconds, between 3600 and 43200.
- OidcFullyQualifiedAudiences List<string> - The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.
- OidcFullyQualifiedSubjects List<string> - The fully qualified OIDC subjects to be added to the role policy.
- OidcSubjectsWithWildcards List<string> - The OIDC subjects, using wildcards, to be added to the role policy.
- ProviderUrls List<string> - List of URLs of the OIDC providers.
- Role Pulumi.AwsIam.Inputs.Role - The IAM role.
- Tags Dictionary<string, string> - A map of tags to add.
- AwsAccountId string - The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.
- ForceDetachPolicies bool - Whether policies should be detached from this role when destroying.
- MaxSessionDuration int - Maximum CLI/API session duration in seconds, between 3600 and 43200.
- OidcFullyQualifiedAudiences []string - The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.
- OidcFullyQualifiedSubjects []string - The fully qualified OIDC subjects to be added to the role policy.
- OidcSubjectsWithWildcards []string - The OIDC subjects, using wildcards, to be added to the role policy.
- ProviderUrls []string - List of URLs of the OIDC providers.
- Role RoleArgs - The IAM role.
- Tags map[string]string - A map of tags to add.
- awsAccountId String - The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.
- forceDetachPolicies Boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration Integer - Maximum CLI/API session duration in seconds, between 3600 and 43200.
- oidcFullyQualifiedAudiences List<String> - The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.
- oidcFullyQualifiedSubjects List<String> - The fully qualified OIDC subjects to be added to the role policy.
- oidcSubjectsWithWildcards List<String> - The OIDC subjects, using wildcards, to be added to the role policy.
- providerUrls List<String> - List of URLs of the OIDC providers.
- role Role - The IAM role.
- tags Map<String,String> - A map of tags to add.
- awsAccountId string - The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.
- forceDetachPolicies boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration number - Maximum CLI/API session duration in seconds, between 3600 and 43200.
- oidcFullyQualifiedAudiences string[] - The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.
- oidcFullyQualifiedSubjects string[] - The fully qualified OIDC subjects to be added to the role policy.
- oidcSubjectsWithWildcards string[] - The OIDC subjects, using wildcards, to be added to the role policy.
- providerUrls string[] - List of URLs of the OIDC providers.
- role Role - The IAM role.
- tags {[key: string]: string} - A map of tags to add.
- aws_account_id str - The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.
- force_detach_policies bool - Whether policies should be detached from this role when destroying.
- max_session_duration int - Maximum CLI/API session duration in seconds, between 3600 and 43200.
- oidc_fully_qualified_audiences Sequence[str] - The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.
- oidc_fully_qualified_subjects Sequence[str] - The fully qualified OIDC subjects to be added to the role policy.
- oidc_subjects_with_wildcards Sequence[str] - The OIDC subjects, using wildcards, to be added to the role policy.
- provider_urls Sequence[str] - List of URLs of the OIDC providers.
- role RoleArgs - The IAM role.
- tags Mapping[str, str] - A map of tags to add.
- awsAccountId String - The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider.
- forceDetachPolicies Boolean - Whether policies should be detached from this role when destroying.
- maxSessionDuration Number - Maximum CLI/API session duration in seconds, between 3600 and 43200.
- oidcFullyQualifiedAudiences List<String> - The audience to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise.
- oidcFullyQualifiedSubjects List<String> - The fully qualified OIDC subjects to be added to the role policy.
- oidcSubjectsWithWildcards List<String> - The OIDC subjects, using wildcards, to be added to the role policy.
- providerUrls List<String> - List of URLs of the OIDC providers.
- role Property Map - The IAM role.
- tags Map<String> - A map of tags to add.
Outputs
All input properties are implicitly available as output properties. Additionally, the AssumableRoleWithOIDC resource produces the following output properties:
Supporting Types
Role, RoleArgs
- Name string - IAM role name.
- NamePrefix string - IAM role name prefix.
- Path string - Path of admin IAM role.
- PermissionsBoundaryArn string - Permissions boundary ARN to use for the role.
- PolicyArns List<string> - List of policy ARNs to use for the role.
- Name string - IAM role name.
- NamePrefix string - IAM role name prefix.
- Path string - Path of admin IAM role.
- PermissionsBoundaryArn string - Permissions boundary ARN to use for the role.
- PolicyArns []string - List of policy ARNs to use for the role.
- name String - IAM role name.
- namePrefix String - IAM role name prefix.
- path String - Path of admin IAM role.
- permissionsBoundaryArn String - Permissions boundary ARN to use for the role.
- policyArns List<String> - List of policy ARNs to use for the role.
- name string - IAM role name.
- namePrefix string - IAM role name prefix.
- path string - Path of admin IAM role.
- permissionsBoundaryArn string - Permissions boundary ARN to use for the role.
- policyArns string[] - List of policy ARNs to use for the role.
- name str - IAM role name.
- name_prefix str - IAM role name prefix.
- path str - Path of admin IAM role.
- permissions_boundary_arn str - Permissions boundary ARN to use for the role.
- policy_arns Sequence[str] - List of policy ARNs to use for the role.
- name String - IAM role name.
- namePrefix String - IAM role name prefix.
- path String - Path of admin IAM role.
- permissionsBoundaryArn String - Permissions boundary ARN to use for the role.
- policyArns List<String> - List of policy ARNs to use for the role.
Package Details
- Repository
- aws-iam
- License