{
  "name": "aws-iam",
  "version": "0.0.3",
  "meta": {
    "moduleFormat": "(.*)"
  },
  "language": {
    "csharp": {
      "namespaces": {
        "aws-iam": "AwsIam"
      },
      "packageReferences": {
        "Pulumi": "3.*",
        "Pulumi.Aws": "5.*"
      }
    },
    "go": {
      "generateResourceContainerTypes": true,
      "importBasePath": "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    },
    "java": {
      "artifactId": "awsiam",
      "buildFiles": "gradle"
    },
    "nodejs": {
      "dependencies": {
        "@pulumi/aws": "^5.0.0"
      },
      "devDependencies": {
        "typescript": "^3.7.0"
      }
    },
    "python": {
      "requires": {
        "pulumi": ">=3.0.0,<4.0.0",
        "pulumi-aws": ">=5.0.0,<6.0.0"
      }
    }
  },
  "config": {},
  "types": {
    "aws-iam:index:AccessKeyOutput": {
      "description": "The IAM access key.",
      "properties": {
        "encryptedSecret": {
          "type": "string",
          "description": "The encrypted secret, base64 encoded."
        },
        "id": {
          "type": "string",
          "description": "The access key ID."
        },
        "keyFingerprint": {
          "type": "string",
          "description": "The fingerprint of the PGP key used to encrypt the secret."
        },
        "secret": {
          "type": "string",
          "description": "The access key secret."
        },
        "sesSmtpPasswordV4": {
          "type": "string",
          "description": "The secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm."
        },
        "status": {
          "type": "string",
          "description": "Active or Inactive. Keys are initially active, but can be made inactive by other means."
        }
      },
      "type": "object"
    },
    "aws-iam:index:AccountPasswordPolicy": {
      "description": "Options to specify complexity requirements and mandatory rotation periods for your IAM users' passwords.",
      "properties": {
        "allowUsersToChange": {
          "type": "boolean",
          "description": "Whether to allow users to change their own password.\n"
        },
        "hardExpiry": {
          "type": "boolean",
          "description": "Whether users are prevented from setting a new password after their password has\nexpired (i.e. require administrator reset).\n"
        },
        "maxAge": {
          "type": "integer",
          "description": "The number of days that an user password is valid. If not set or a value of `0` is provided, then\npasswords will not expire.\n"
        },
        "minimumLength": {
          "type": "integer",
          "description": "Minimum length to require for user passwords. Defaults to `8` if not set or\nthe provided value is invalid. Valid values are between 6 and 128.\n"
        },
        "requireLowercaseCharacters": {
          "type": "boolean",
          "description": "Whether to require lowercase characters for user passwords.\n"
        },
        "requireNumbers": {
          "type": "boolean",
          "description": "Whether to require numbers for user passwords.\n"
        },
        "requireSymbols": {
          "type": "boolean",
          "description": "Whether to require symbols for user passwords.\n"
        },
        "requireUppercaseCharacters": {
          "type": "boolean",
          "description": "Whether to require uppercase characters for user passwords.\n"
        },
        "reusePrevention": {
          "type": "integer",
          "description": "The number of previous passwords that users are prevented from reusing. If not set or a\nvalue of `0` is provided, no reuse prevention policy will be used.\n"
        }
      },
      "type": "object",
      "required": [
        "allowUsersToChange",
        "hardExpiry",
        "requireLowercaseCharacters",
        "requireNumbers",
        "requireSymbols",
        "requireUppercaseCharacters"
      ]
    },
    "aws-iam:index:AdminRole": {
      "description": "The admin role.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role with admin access.",
          "default": "admin"
        },
        "path": {
          "type": "string",
          "description": "Path of admin IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for admin role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for admin role."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "type": "object"
    },
    "aws-iam:index:AdminRoleWithMFA": {
      "description": "The admin role.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role with admin access."
        },
        "path": {
          "type": "string",
          "description": "Path of admin IAM role."
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for admin role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for admin role."
        },
        "requiresMfa": {
          "type": "boolean",
          "description": "Whether admin role requires MFA."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "type": "object"
    },
    "aws-iam:index:EKSAmazonManagedServicePrometheusPolicy": {
      "description": "The Amazon Managed Service for Prometheus IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role."
        },
        "workspaceArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of \"*\"\nwill be provided.\n"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSAppmeshPolicy": {
      "description": "The Appmesh policies.",
      "properties": {
        "controller": {
          "type": "boolean",
          "description": "Determines whether to attach the Appmesh Controller policy to the role."
        },
        "envoyProxy": {
          "type": "boolean",
          "description": "Determines whether to attach the Appmesh envoy proxy policy to the role."
        }
      },
      "type": "object"
    },
    "aws-iam:index:EKSCertManagerPolicy": {
      "description": "The Cert Manager IAM policy to attach to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the Cert Manager IAM policy to the role."
        },
        "hostedZoneArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided,\nthe default ARN \"arn:aws:route53:::hostedzone/*\" will be applied.\n"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSClusterAutoscalerPolicy": {
      "description": "The Cluster Autoscaler IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the Cluster Autoscaler IAM policy to the role."
        },
        "clusterIds": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy."
        }
      },
      "type": "object",
      "required": [
        "attach",
        "clusterIds"
      ]
    },
    "aws-iam:index:EKSEBSCSIPolicy": {
      "description": "The EBS CSI IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the EBS CSI IAM policy to the role."
        },
        "kmsCmkIds": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "KMS CMK IDs to allow EBS CSI to manage encrypted volumes."
        }
      },
      "type": "object",
      "required": [
        "attach",
        "kmsCmkIds"
      ]
    },
    "aws-iam:index:EKSEFSCSIPolicy": {
      "description": "The EFS CSI IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the EFS CSI IAM policy to the role."
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSExternalDNSPolicy": {
      "description": "The External DNS IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the External DNS IAM policy to the role."
        },
        "hostedZoneArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Route53 hosted zone ARNs to allow External DNS to manage records. If not provided,\nthe default ARN \"arn:aws:route53:::hostedzone/*\" will be applied.\n"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSExternalSecretsPolicy": {
      "description": "The External Secrets policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the External Secrets policy to the role."
        },
        "secretsManagerArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN \"arn:aws:secretsmanager:*:*:secret:*\" will be applied."
        },
        "ssmParameterArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided,\nthe default ARN \"arn:aws:ssm:*:*:parameter/*\" will be applied.\n"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSKarpenterControllerPolicy": {
      "description": "The Karpenter Controller policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the Karpenter Controller policy to the role."
        },
        "clusterId": {
          "type": "string",
          "description": "Cluster ID where the Karpenter controller is provisioned/managing.",
          "default": "*"
        },
        "nodeIamRoleArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of node IAM role ARNs Karpenter can use to launch nodes. If not provided,\nthe default ARN \"*\" will be applied.\n"
        },
        "ssmParameterArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided,\nthe default ARN \"arn:aws:ssm:*:*:parameter/aws/service/*\" will be applied.\n"
        },
        "subnetAccountId": {
          "type": "string",
          "description": "Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account."
        },
        "tagKey": {
          "type": "string",
          "description": "Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner.",
          "default": "karpenter.sh/discovery"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSLoadBalancerPolicy": {
      "description": "The Load Balancer policy.",
      "properties": {
        "controller": {
          "type": "boolean",
          "description": "Determines whether to attach the Load Balancer Controller policy to the role."
        },
        "targetGroupBindingOnly": {
          "type": "boolean",
          "description": "Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only."
        }
      },
      "type": "object"
    },
    "aws-iam:index:EKSNodeTerminationHandlerPolicy": {
      "description": "The Node Termination Handler policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the Node Termination Handler policy to the role."
        },
        "sqsQueueArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of SQS ARNs that contain node termination events. If not provided, then a default\nARN of \"*\" will be provided.\n"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSRolePolicies": {
      "description": "The different policies to attach to the role.",
      "properties": {
        "amazonManagedServicePrometheus": {
          "$ref": "#/types/aws-iam:index:EKSAmazonManagedServicePrometheusPolicy",
          "description": "The Amazon Managed Service for Prometheus IAM policy."
        },
        "appmesh": {
          "$ref": "#/types/aws-iam:index:EKSAppmeshPolicy",
          "description": "The Appmesh policies."
        },
        "certManager": {
          "$ref": "#/types/aws-iam:index:EKSCertManagerPolicy",
          "description": "The Cert Manager IAM policy."
        },
        "clusterAutoScaling": {
          "$ref": "#/types/aws-iam:index:EKSClusterAutoscalerPolicy",
          "description": "The Cluster Autoscaler IAM policy."
        },
        "ebsCsi": {
          "$ref": "#/types/aws-iam:index:EKSEBSCSIPolicy",
          "description": "The EBS CSI IAM policy."
        },
        "efsCsi": {
          "$ref": "#/types/aws-iam:index:EKSEFSCSIPolicy",
          "description": "The EFS CSI IAM policy."
        },
        "externalDns": {
          "$ref": "#/types/aws-iam:index:EKSExternalDNSPolicy",
          "description": "The External DNS IAM policy."
        },
        "externalSecrets": {
          "$ref": "#/types/aws-iam:index:EKSExternalSecretsPolicy",
          "description": "The External Secrets policy."
        },
        "fsxLustreCsi": {
          "$ref": "#/types/aws-iam:index:FSxLustreCSIPolicy",
          "description": "The FSx for Lustre CSI Driver IAM policy."
        },
        "karpenterController": {
          "$ref": "#/types/aws-iam:index:EKSKarpenterControllerPolicy",
          "description": "The Karpenter Controller policy."
        },
        "loadBalancer": {
          "$ref": "#/types/aws-iam:index:EKSLoadBalancerPolicy",
          "description": "The Load Balancer policy."
        },
        "nodeTerminationHandler": {
          "$ref": "#/types/aws-iam:index:EKSNodeTerminationHandlerPolicy",
          "description": "The Node Termination Handler policy to the role."
        },
        "velero": {
          "$ref": "#/types/aws-iam:index:EKSVeleroPolicy",
          "description": "The Velero IAM policy."
        },
        "vpnCni": {
          "$ref": "#/types/aws-iam:index:EKSVPNCNIPolicy",
          "description": "The VPC CNI IAM policy to the role."
        }
      },
      "type": "object"
    },
    "aws-iam:index:EKSServiceAccountRole": {
      "properties": {
        "description": {
          "type": "string",
          "description": "IAM Role description."
        },
        "name": {
          "type": "string",
          "description": "IAM role name.",
          "default": ""
        },
        "namePrefix": {
          "type": "string",
          "description": "IAM role name prefix.",
          "default": ""
        },
        "path": {
          "type": "string",
          "description": "Path of admin IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for the role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for the role."
        }
      },
      "type": "object"
    },
    "aws-iam:index:EKSVPNCNIPolicy": {
      "description": "The VPC CNI IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the VPC CNI IAM policy to the role."
        },
        "enableIpv4": {
          "type": "boolean",
          "description": "Determines whether to enable IPv4 permissions for VPC CNI policy."
        },
        "enableIpv6": {
          "type": "boolean",
          "description": "Determines whether to enable IPv6 permissions for VPC CNI policy."
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:EKSVeleroPolicy": {
      "description": "The Velero IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the Velero IAM policy to the role."
        },
        "s3BucketArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources.\nIf not provided, a default ARN of \"*\" will be provided.\n"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:FSxLustreCSIPolicy": {
      "description": "The FSx for Lustre CSI Driver IAM policy to the role.",
      "properties": {
        "attach": {
          "type": "boolean",
          "description": "Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role."
        },
        "serviceRoleArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided,\nthe default ARN \"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*\" will be applied.\n"
        }
      },
      "type": "object",
      "required": [
        "attach"
      ]
    },
    "aws-iam:index:KeybaseOutput": {
      "properties": {
        "passwordDecryptCommand": {
          "type": "string",
          "description": "Decrypt user password command."
        },
        "passwordPgpMessage": {
          "type": "string",
          "description": "Encrypted password"
        },
        "secretKeyDecryptCommand": {
          "type": "string",
          "description": "Decrypt access secret key command."
        },
        "secretKeyPgpMessage": {
          "type": "string",
          "description": "Encrypted access secret key."
        }
      },
      "type": "object"
    },
    "aws-iam:index:OIDCProvider": {
      "properties": {
        "namespaceServiceAccounts": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "providerArn": {
          "type": "string"
        }
      },
      "type": "object"
    },
    "aws-iam:index:PoweruserRole": {
      "description": "The poweruser role.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role with poweruser access.",
          "default": "poweruser"
        },
        "path": {
          "type": "string",
          "description": "Path of poweruser IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for poweruser role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for poweruser role."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "type": "object"
    },
    "aws-iam:index:PoweruserRoleWithMFA": {
      "description": "The poweruser role.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role with poweruser access.",
          "default": "poweruser"
        },
        "path": {
          "type": "string",
          "description": "Path of poweruser IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for poweruser role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for poweruser role."
        },
        "requiresMfa": {
          "type": "boolean",
          "description": "Whether admin role requires MFA.",
          "default": true
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "type": "object"
    },
    "aws-iam:index:ReadonlyRole": {
      "description": "The readonly role.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role with readonly access.",
          "default": "readonly"
        },
        "path": {
          "type": "string",
          "description": "Path of readonly IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for readonly role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for readonly role."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "type": "object"
    },
    "aws-iam:index:ReadonlyRoleWithMFA": {
      "description": "The readonly role.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role with readonly access.",
          "default": "readonly"
        },
        "path": {
          "type": "string",
          "description": "Path of readonly IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for readonly role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for readonly role."
        },
        "requiresMfa": {
          "type": "boolean",
          "description": "Whether admin role requires MFA.",
          "default": true
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "type": "object"
    },
    "aws-iam:index:Role": {
      "description": "An IAM role.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role name.",
          "default": ""
        },
        "namePrefix": {
          "type": "string",
          "description": "IAM role name prefix.",
          "default": ""
        },
        "path": {
          "type": "string",
          "description": "Path of admin IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for the role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for the role."
        }
      },
      "type": "object"
    },
    "aws-iam:index:RoleWithMFA": {
      "description": "An IAM role that requires MFA.",
      "properties": {
        "name": {
          "type": "string",
          "description": "IAM role with the access.",
          "default": "admin"
        },
        "path": {
          "type": "string",
          "description": "Path of the IAM role.",
          "default": "/"
        },
        "permissionsBoundaryArn": {
          "type": "string",
          "description": "Permissions boundary ARN to use for the role.",
          "default": ""
        },
        "policyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of policy ARNs to use for the role."
        },
        "requiresMfa": {
          "type": "boolean",
          "description": "Whether the role requires MFA.",
          "default": true
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "type": "object"
    },
    "aws-iam:index:UserOutput": {
      "description": "The IAM user.",
      "properties": {
        "arn": {
          "type": "string",
          "description": "The ARN assigned by AWS for this user."
        },
        "loginProfileEncryptedPassword": {
          "type": "string",
          "description": "The encrypted password, base64 encoded."
        },
        "loginProfileKeyFingerprint": {
          "type": "string",
          "description": "The fingerprint of the PGP key used to encrypt the password."
        },
        "loginProfilePassword": {
          "type": "string",
          "description": "The user password."
        },
        "name": {
          "type": "string",
          "description": "The user's name."
        },
        "sshKeyFingerprint": {
          "type": "string",
          "description": "The unique identifier for the SSH public key."
        },
        "sshKeySshPublicKeyId": {
          "type": "string",
          "description": "The unique identifier for the SSH public key"
        },
        "uniqueId": {
          "type": "string",
          "description": "The unique ID assigned by AWS."
        }
      },
      "type": "object",
      "required": [
        "arn",
        "name",
        "uniqueId"
      ]
    }
  },
  "provider": {
    "type": "object"
  },
  "resources": {
    "aws-iam:index:Account": {
      "description": "This resource helps you manage an Iam Account's Alias and Password Policy. If your IAM Account Alias was previously\nset (either via the AWS console or when AWS created your Account) you will see an error like the below:\n\n```\n    * Aws_iam_account_alias.this: Error creating account alias with name my-account-alias\n```\n\nIf you want to manage you Alias using Pulumi you will need to import this resource.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Account\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const account = new iam.Account(\"account\", {\n    accountAlias: \"cool-alias\",\n    passwordPolicy: {\n        minimumLength: 37,\n        requireNumbers: false,\n        allowUsersToChange: true,\n        hardExpiry: true,\n        requireSymbols: true,\n        requireLowercaseCharacters: true,\n        requireUppercaseCharacters: true,\n    },\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\naccount = iam.Account(\n    'account',\n    account_alias='cool-alias',\n    password_policy=iam.AccountPasswordPolicyArgs(\n        minimum_length=37,\n        require_numbers=False,\n        allow_users_to_change=True,\n        hard_expiry=True,\n        require_symbols=True,\n        require_lowercase_characters=True,\n        require_uppercase_characters=True,\n    )\n)\n\npulumi.export('account', account)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        account, err := iam.NewAccount(ctx, \"account\", &iam.AccountArgs{\n            AccountAlias: pulumi.String(\"cool-alias\"),\n            PasswordPolicy: iam.AccountPasswordPolicyArgs{\n                MinimumLength:              pulumi.IntPtr(37),\n                RequireNumbers:             pulumi.Bool(false),\n                AllowUsersToChange:         
pulumi.Bool(true),\n                HardExpiry:                 pulumi.Bool(true),\n                RequireSymbols:             pulumi.Bool(true),\n                RequireLowercaseCharacters: pulumi.Bool(true),\n                RequireUppercaseCharacters: pulumi.Bool(true),\n            },\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"account\", account)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var account = new Account(\"account\", new AccountArgs\n        {\n            AccountAlias = \"cool-alias\",\n            PasswordPolicy=new AccountPasswordPolicyArgs\n            {\n                MinimumLength = 37,\n                RequireNumbers = false,\n                AllowUsersToChange = true,\n                HardExpiry = true,\n                RequireSymbols = true,\n                RequireLowercaseCharacters = true,\n                RequireUppercaseCharacters = true,\n            }\n\n        });\n\n        this.Account = Output.Create<Account>(account);\n    }\n\n    [Output]\n    public Output<Account> Account { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    account:\n        type: \"aws-iam:index:Account\"\n        properties:\n            accountAlias: \"cool-alias\"\n            passwordPolicy:\n                minimumLength: 37\n                requireNumbers: false\n                allowUsersToChange: true\n                hardExpiry: true\n                requireSymbols: true\n                requireLowercaseCharacters: true\n                requireUppercaseCharacters: true\noutputs:\n    account: ${account}\n```\n{{% /example %}}\n\n{{% /examples %}}\n",
      "properties": {
        "arn": {
          "type": "string",
          "description": "The AWS ARN associated with the calling entity.\n"
        },
        "id": {
          "type": "string",
          "description": "The AWS Account ID number of the account that owns or contains the calling entity.\n"
        },
        "passwordPolicyExpirePasswords": {
          "type": "boolean",
          "description": "Indicates whether passwords in the account expire. Returns true if max password\nage contains a value greater than 0. Returns false if it is 0 or not present.\n"
        },
        "userId": {
          "type": "string",
          "description": "The unique identifier of the calling entity.\n"
        }
      },
      "type": "object",
      "required": [
        "arn",
        "id",
        "passwordPolicyExpirePasswords",
        "userId"
      ],
      "inputProperties": {
        "accountAlias": {
          "type": "string",
          "description": "AWS IAM account alias for this account."
        },
        "passwordPolicy": {
          "$ref": "#/types/aws-iam:index:AccountPasswordPolicy",
          "description": "Options to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. If\nleft empty the default AWS password policy will be applied.\n"
        }
      },
      "requiredInputs": [
        "accountAlias",
        "passwordPolicy"
      ],
      "isComponent": true
    },
    "aws-iam:index:AssumableRole": {
      "description": "This resource helps you create a single IAM Role which can be assumed by trusted resources.\nTrusted resources can be any IAM ARNs, typically, AWS Accounts and Users.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Assumable Role\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const assumableRole = new iam.AssumableRole(\"aws-iam-example-assumable-role\", {\n    trustedRoleArns: [ \"arn:aws:iam::307990089504:root\", \"arn:aws:iam::835367859851:user/pulumipus\" ],\n    role: {\n        name: \"custom\",\n        requiresMfa: true,\n        policyArns: [ \"arn:aws:iam::aws:policy/AmazonCognitoReadOnly\",\"arn:aws:iam::aws:policy/AlexaForBusinessFullAccess\" ],\n    },\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nassumable_role = iam.AssumableRole(\n    'assumable_role',\n    trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'],\n    role=iam.RoleWithMFAArgs(\n        name='custom',\n        requires_mfa=True,\n        policy_arns=['arn:aws:iam::aws:policy/AmazonCognitoReadOnly','arn:aws:iam::aws:policy/AlexaForBusinessFullAccess'],\n    ),\n)\n\npulumi.export('assumable_role', assumable_role)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        assumableRole, err := iam.NewAssumableRole(ctx, \"assumable-role\", &iam.AssumableRoleArgs{\n            TrustedRoleArns: pulumi.ToStringArray([]string{\"arn:aws:iam::307990089504:root\", \"arn:aws:iam::835367859851:user/pulumipus\"}),\n            Role: &iam.RoleWithMFAArgs{\n                Name:        pulumi.String(\"custom\"),\n                RequiresMfa: pulumi.BoolPtr(true),\n                PolicyArns:  pulumi.ToStringArray([]string{\"arn:aws:iam::aws:policy/AmazonCognitoReadOnly\", 
\"arn:aws:iam::aws:policy/AlexaForBusinessFullAccess\"}),\n            },\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"assumableRole\", assumableRole)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var assumableRole = new AssumableRole(\"assumable-role\", new AssumableRoleArgs\n        {\n            TrustedRoleArns = {\"arn:aws:iam::307990089504:root\", \"arn:aws:iam::835367859851:user/pulumipus\"},\n            Role = new RoleWithMFAArgs\n            {\n                Name = \"custom\",\n                RequiresMfa = true,\n                PolicyArns = {\"arn:aws:iam::aws:policy/AmazonCognitoReadOnly\",\"arn:aws:iam::aws:policy/AlexaForBusinessFullAccess\"},\n            },\n        });\n\n        this.AssumableRole = Output.Create<AssumableRole>(assumableRole);\n    }\n\n    [Output]\n    public Output<AssumableRole> AssumableRole { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    assumableRole:\n        type: \"aws-iam:index:AssumableRole\"\n        properties:\n            trustedRoleArns:\n                - \"arn:aws:iam::307990089504:root\"\n                - \"arn:aws:iam::835367859851:user/pulumipus\"\n            role:\n                name: \"custom\"\n                requiresMfa: true\n                policyArns:\n                    - \"arn:aws:iam::aws:policy/AmazonCognitoReadOnly\"\n                    - \"arn:aws:iam::aws:policy/AlexaForBusinessFullAccess\"\noutputs:\n    assumableRole: ${assumableRole}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "instanceProfile": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        },
        "role": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "required": [
        "instanceProfile",
        "role"
      ],
      "inputProperties": {
        "attachAdminPolicy": {
          "type": "boolean",
          "description": "Whether to attach an admin policy to a role.",
          "default": false
        },
        "attachPoweruserPolicy": {
          "type": "boolean",
          "description": "Whether to attach a poweruser policy to a role.",
          "default": false
        },
        "attachReadonlyPolicy": {
          "type": "boolean",
          "description": "Whether to attach a readonly policy to a role.",
          "default": false
        },
        "customRoleTrustPolicy": {
          "type": "string",
          "description": "A custom role trust policy.",
          "default": ""
        },
        "forceDetachPolicies": {
          "type": "boolean",
          "description": "Whether policies should be detached from this role when destroying.",
          "default": false
        },
        "maxSessionDuration": {
          "type": "integer",
          "description": "Maximum CLI/API session duration in seconds between 3600 and 43200.",
          "default": 3600
        },
        "mfaAge": {
          "type": "integer",
          "description": "Max age of valid MFA (in seconds) for roles which require MFA.",
          "default": 86400
        },
        "role": {
          "$ref": "#/types/aws-iam:index:RoleWithMFA",
          "description": "An IAM role that requires MFA."
        },
        "roleStsExternalIds": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "STS ExternalId condition values to use with a role (when MFA is not required)."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        },
        "trustedRoleActions": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "STS actions that the trusted entities are allowed to perform on the role, for example `sts:AssumeRole`."
        },
        "trustedRoleArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
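          "description": "ARNs of AWS entities who can assume this role. An account root ARN (`arn:aws:iam::<account-id>:root`) delegates trust to the whole account, so prefer specific user or role ARNs where possible."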
        },
        "trustedRoleServices": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "AWS Services that can assume these roles."
        }
      },
      "isComponent": true
    },
    "aws-iam:index:AssumableRoleWithOIDC": {
      "description": "This resources helps you create a single IAM role which can be assume by trusted\nresources using OpenID Connect Federated Users.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Assumable Role With OIDC\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const assumableRoleWithOidc = new iam.AssumableRoleWithOIDC(\"aws-iam-example-assumable-role-with-oidc\", {\n    providerUrls: [\"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8\"],\n    role: {\n        name: \"oidc-role\",\n        policyArns: [ \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\" ],\n    },\n    tags: {\n        Role: \"oidc-role\",\n    },\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nassumable_role_with_oidc = iam.AssumableRoleWithOIDC(\n    'assumable_role_with_oidc',\n    role=iam.RoleArgs(\n        name='oidc-role',\n        policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy']\n    ),\n    tags={\n        'Role': 'oidc-role',\n    },\n    provider_urls=['oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8']\n)\n\npulumi.export('assumable_role_with_oidc', assumable_role_with_oidc)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        assumableRoleWithOIDC, err := iam.NewAssumableRoleWithOIDC(ctx, \"assumable-role-with-oidc\", &iam.AssumableRoleWithOIDCArgs{\n            Role: iam.RoleArgs{\n                Name:       pulumi.String(\"oidc-role\"),\n                PolicyArns: pulumi.ToStringArray([]string{\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"}),\n            },\n            Tags: pulumi.ToStringMap(map[string]string{\n                \"Role\": \"oidc-role\",\n            }),\n            ProviderUrls: 
pulumi.ToStringArray([]string{\"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8\"}),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"assumableRoleWithOIDC\", assumableRoleWithOIDC)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var assumableRoleWithOidc = new AssumableRoleWithOIDC(\"assumable-role-with-oidc\", new AssumableRoleWithOIDCArgs\n        {\n            Role = new RoleArgs\n            {\n                Name = \"oidc-role\",\n                PolicyArns = {\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"},\n            },\n            Tags = new InputMap<string>\n            {\n                {\"Role\", \"odic-role\"},\n            },\n            ProviderUrls = {\"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8\"},\n        });\n\n        this.AssumableRoleWithOidc = Output.Create<AssumableRoleWithOIDC>(assumableRoleWithOidc);\n    }\n\n    [Output]\n    public Output<AssumableRoleWithOIDC> AssumableRoleWithOidc { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    assumableRoleWithOidc:\n        type: \"aws-iam:index:AssumableRoleWithOIDC\"\n        properties:\n            role:\n                name: \"oidc-role\"\n                policyArns:\n                    - \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"\n            tags:\n                Role: \"oidc-role\"\n            providerUrls:\n                - \"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8\"\noutputs:\n    assumableRoleWithOidc: ${assumableRoleWithOidc}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "arn": {
          "type": "string",
          "description": "ARN of IAM role."
        },
        "name": {
          "type": "string",
          "description": "Name of IAM role."
        },
        "path": {
          "type": "string",
          "description": "Path of IAM role."
        },
        "uniqueId": {
          "type": "string",
          "description": "Unique ID of IAM role."
        }
      },
      "type": "object",
      "required": [
        "arn",
        "name",
        "path",
        "uniqueId"
      ],
      "inputProperties": {
        "awsAccountId": {
          "type": "string",
          "description": "The AWS account ID where the OIDC provider lives. Leave empty to use the account of the AWS provider.",
          "default": ""
        },
        "forceDetachPolicies": {
          "type": "boolean",
          "description": "Whether policies should be detached from this role when destroying.",
          "default": false
        },
        "maxSessionDuration": {
          "type": "integer",
          "description": "Maximum CLI/API session duration in seconds between 3600 and 43200.",
          "default": 3600
        },
        "oidcFullyQualifiedAudiences": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "The audiences to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role. Leave empty otherwise."
        },
        "oidcFullyQualifiedSubjects": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "The fully qualified OIDC subjects to be added to the role policy."
        },
        "oidcSubjectsWithWildcards": {
          "type": "array",
          "items": {
            "type": "string"
          },
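          "description": "The OIDC subjects containing wildcards to be added to the role policy. A wildcard pattern can match more identities than intended, so keep each pattern as narrow as possible."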
        },
        "providerUrls": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of URLs of the OIDC Providers."
        },
        "role": {
          "$ref": "#/types/aws-iam:index:Role",
          "description": "The IAM role."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "isComponent": true
    },
    "aws-iam:index:AssumableRoleWithSAML": {
      "description": "This resource helps you create a single IAM Role which can be assumed by trusted\nresources using SAML Federated Users.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Assumable Role With SAML\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const assumableRoleWithSaml = new iam.AssumableRoleWithSAML(\"aws-iam-example-assumable-role-with-saml\", {\n    providerIds: [ \"arn:aws:iam::235367859851:saml-provider/idp_saml\" ],\n    role: {\n        name: \"saml-role\",\n        policyArns: [ \"arn:aws:iam::aws:policy/ReadOnlyAccess\" ],\n    },\n    tags: {\n        Role: \"saml-role\",\n    },\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nassumable_role_with_saml = iam.AssumableRoleWithSAML(\n    'assumable_role_with_saml',\n    role=iam.RoleArgs(\n        name='saml-role',\n        policy_arns=['arn:aws:iam::aws:policy/ReadOnlyAccess'],\n    ),\n    tags={\n        'Role': 'saml-role',\n    },\n    provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml']\n)\n\npulumi.export('assumable_role_with_saml', assumable_role_with_saml)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        assumableRoleWithSAML, err := iam.NewAssumableRoleWithSAML(ctx, \"assumable-role-with-saml\", &iam.AssumableRoleWithSAMLArgs{\n            Role: iam.RoleArgs{\n                Name:       pulumi.String(\"saml-role\"),\n                PolicyArns: pulumi.ToStringArray([]string{\"arn:aws:iam::aws:policy/ReadOnlyAccess\"}),\n            },\n            Tags: pulumi.ToStringMap(map[string]string{\n                \"Role\": \"saml-role\",\n            }),\n            ProviderIds: pulumi.ToStringArray([]string{\"arn:aws:iam::235367859851:saml-provider/idp_saml\"}),\n        })\n        if err != nil {\n            return err\n        
}\n\n        ctx.Export(\"assumableRoleWithSAML\", assumableRoleWithSAML)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var assumableRoleWithSaml = new AssumableRoleWithSAML(\"assumable-role-with-saml\", new AssumableRoleWithSAMLArgs\n        {\n            Role = new RoleArgs\n            {\n                Name = \"saml-role\",\n                PolicyArns = {\"arn:aws:iam::aws:policy/ReadOnlyAccess\"},\n            },\n            Tags = new InputMap<string>\n            {\n                {\"Role\", \"saml-role\"},\n            },\n            ProviderIds = {\"arn:aws:iam::235367859851:saml-provider/idp_saml\"},\n        });\n\n        this.AssumableRoleWithSaml = Output.Create<AssumableRoleWithSAML>(assumableRoleWithSaml);\n    }\n\n    [Output]\n    public Output<AssumableRoleWithSAML> AssumableRoleWithSaml { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    assumableRoleWithSaml:\n        type: \"aws-iam:index:AssumableRoleWithSAML\"\n        properties:\n            role:\n                name: \"saml-role\"\n                policyArns:\n                    - \"arn:aws:iam::aws:policy/ReadOnlyAccess\"\n            tags:\n                Role: \"saml-role\"\n            providerIds:\n                - \"arn:aws:iam::235367859851:saml-provider/idp_saml\"\noutputs:\n    assumableRoleWithSaml: ${assumableRoleWithSaml}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "roleArn": {
          "type": "string",
          "description": "ARN of IAM role."
        },
        "roleName": {
          "type": "string",
          "description": "Name of IAM role."
        },
        "rolePath": {
          "type": "string",
          "description": "Path of IAM role."
        },
        "roleUniqueId": {
          "type": "string",
          "description": "Unique ID of IAM role."
        }
      },
      "type": "object",
      "required": [
        "roleArn",
        "roleName",
        "rolePath",
        "roleUniqueId"
      ],
      "inputProperties": {
        "awsSamlEndpoint": {
          "type": "string",
          "description": "AWS SAML Endpoint.",
          "default": "https://signin.aws.amazon.com/saml"
        },
        "forceDetachPolicies": {
          "type": "boolean",
          "description": "Whether policies should be detached from this role when destroying.",
          "default": false
        },
        "maxSessionDuration": {
          "type": "integer",
          "description": "Maximum CLI/API session duration in seconds between 3600 and 43200.",
          "default": 3600
        },
        "providerIds": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of SAML Provider IDs."
        },
        "role": {
          "$ref": "#/types/aws-iam:index:Role"
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "isComponent": true
    },
    "aws-iam:index:AssumableRoles": {
      "description": "This resource helps you create predefined IAM roles (`admin`, `poweruser`, and `readonly`) which\ncan be assumed by trusted resources. Trusted resources can be any IAM ARNs, typically, AWS Accounts\nand Users.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Assumable Roles\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const assumableRoles = new iam.AssumableRoles(\"aws-iam-example-assumable-roles\", {\n    trustedRoleArns: [ \"arn:aws:iam::307990089504:root\", \"arn:aws:iam::835367859851:user/pulumipus\" ],\n    admin: {},\n    poweruser: {\n        name: \"developer\",\n    },\n    readonly: {\n        requiresMfa: true,\n    },\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nassumable_roles = iam.AssumableRoles(\n    'assumable_roles',\n    trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'],\n    admin=iam.AdminRoleArgs(),\n    poweruser=iam.PoweruserRoleArgs(\n        name='developer',\n    ),\n    readonly=iam.ReadonlyRoleWithMFAArgs(\n        requires_mfa=True,\n    ),\n)\n\npulumi.export('assumable_roles', assumable_roles)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        assumableRoles, err := iam.NewAssumableRoles(ctx, \"assumable-roles\", &iam.AssumableRolesArgs{\n            TrustedRoleArns: pulumi.ToStringArray([]string{\"arn:aws:iam::307990089504:root\", \"arn:aws:iam::835367859851:user/pulumipus\"}),\n            Admin:           iam.AdminRoleWithMFAArgs{},\n            Poweruser: iam.PoweruserRoleWithMFAArgs{\n                Name: pulumi.String(\"developer\"),\n            },\n            Readonly: iam.ReadonlyRoleWithMFAArgs{\n                RequiresMfa: pulumi.BoolPtr(true),\n            },\n        })\n        if err != nil {\n            
return err\n        }\n\n        ctx.Export(\"assumableRoles\", assumableRoles)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var assumableRoles = new AssumableRoles(\"assumable-roles\", new AssumableRolesArgs\n        {\n            TrustedRoleArns = {\"arn:aws:iam::307990089504:root\", \"arn:aws:iam::835367859851:user/pulumipus\"},\n            Admin = new AdminRoleWithMFAArgs(),\n            Poweruser = new PoweruserRoleWithMFAArgs\n            {\n                Name = \"developer\",\n            },\n            Readonly = new ReadonlyRoleWithMFAArgs\n            {\n                RequiresMfa = true,\n            },\n        });\n\n        this.AssumableRoles = Output.Create<AssumableRoles>(assumableRoles);\n    }\n\n    [Output]\n    public Output<AssumableRoles> AssumableRoles { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    assumableRoles:\n        type: \"aws-iam:index:AssumableRoles\"\n        properties:\n            trustedRoleArns:\n                - \"arn:aws:iam::307990089504:root\"\n                - \"arn:aws:iam::835367859851:user/pulumipus\"\n            poweruser:\n                name: \"developer\"\n            readonly:\n                requiresMfa: true\noutputs:\n    assumableRoles: ${assumableRoles}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "admin": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        },
        "poweruser": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        },
        "readonly": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "required": [
        "admin"
      ],
      "inputProperties": {
        "admin": {
          "$ref": "#/types/aws-iam:index:AdminRoleWithMFA"
        },
        "forceDetachPolicies": {
          "type": "boolean",
          "description": "Whether policies should be detached from this role when destroying.",
          "default": false
        },
        "maxSessionDuration": {
          "type": "integer",
          "description": "Maximum CLI/API session duration in seconds between 3600 and 43200.",
          "default": 3600
        },
        "mfaAge": {
          "type": "integer",
          "description": "Max age of valid MFA (in seconds) for roles which require MFA.",
          "default": 86400
        },
        "poweruser": {
          "$ref": "#/types/aws-iam:index:PoweruserRoleWithMFA"
        },
        "readonly": {
          "$ref": "#/types/aws-iam:index:ReadonlyRoleWithMFA"
        },
        "trustedRoleArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
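          "description": "ARNs of AWS entities who can assume these roles. An account root ARN (`arn:aws:iam::<account-id>:root`) delegates trust to the whole account, so prefer specific user or role ARNs where possible, especially for the `admin` role."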
        },
        "trustedRoleServices": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "AWS Services that can assume these roles."
        }
      },
      "requiredInputs": [
        "admin"
      ],
      "isComponent": true
    },
    "aws-iam:index:AssumableRolesWithSAML": {
      "description": "This resource helps you create predefined IAM roles (`admin`, `poweruser`, and `readonly`) which can be assumed\nby trusted resources using SAML Federated Users.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n### Assumable Roles With SAML\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const assumableRolesWithSaml = new iam.AssumableRolesWithSAML(\"aws-iam-example-assumable-role-with-saml\", {\n    providerIds: [ \"arn:aws:iam::235367859851:saml-provider/idp_saml\" ],\n    admin: {},\n    poweruser: {\n        name: \"developer\",\n    },\n    readonly: {},\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nassumable_roles_with_saml = iam.AssumableRolesWithSAML(\n    'assumable_roles_with_saml',\n    provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml'],\n    admin=iam.AdminRoleArgs(),\n    readonly=iam.ReadonlyRoleArgs(),\n    poweruser=iam.PoweruserRoleArgs(\n        name='developer',\n    ),\n)\n\npulumi.export('assumable_roles_with_saml', assumable_roles_with_saml)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        assumableRolesWithSAML, err := iam.NewAssumableRolesWithSAML(ctx, \"assumable-roles-with-saml\", &iam.AssumableRolesWithSAMLArgs{\n            ProviderIds: pulumi.ToStringArray([]string{\"arn:aws:iam::235367859851:saml-provider/idp_saml\"}),\n            Admin:       iam.AdminRoleArgs{},\n            Readonly:    iam.ReadonlyRoleArgs{},\n            Poweruser: iam.PoweruserRoleArgs{\n                Name: pulumi.String(\"developer\"),\n            },\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"assumableRolesWithSAML\", assumableRolesWithSAML)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing 
Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var assumableRolesWithSaml = new AssumableRolesWithSAML(\"assumable-roles-with-saml\", new AssumableRolesWithSAMLArgs\n        {\n            ProviderIds = {\"arn:aws:iam::235367859851:saml-provider/idp_saml\"},\n            Admin = new AdminRoleArgs(),\n            Readonly = new ReadonlyRoleArgs(),\n            Poweruser = new PoweruserRoleArgs\n            {\n                Name = \"developer\",\n            },\n        });\n\n        this.AssumableRolesWithSaml = Output.Create<AssumableRolesWithSAML>(assumableRolesWithSaml);\n    }\n\n    [Output]\n    public Output<AssumableRolesWithSAML> AssumableRolesWithSaml { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    assumableRolesWithSaml:\n        type: \"aws-iam:index:AssumableRolesWithSAML\"\n        properties:\n            providerIds:\n                - \"arn:aws:iam::235367859851:saml-provider/idp_saml\"\n            poweruser:\n                name: \"developer\"\noutputs:\n    assumableRolesWithSaml: ${assumableRolesWithSaml}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "admin": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        },
        "poweruser": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        },
        "readonly": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "required": [
        "admin"
      ],
      "inputProperties": {
        "admin": {
          "$ref": "#/types/aws-iam:index:AdminRole"
        },
        "awsSamlEndpoint": {
          "type": "string",
          "description": "AWS SAML Endpoint.",
          "default": "https://signin.aws.amazon.com/saml"
        },
        "forceDetachPolicies": {
          "type": "boolean",
          "description": "Whether policies should be detached from this role when destroying.",
          "default": false
        },
        "maxSessionDuration": {
          "type": "integer",
          "description": "Maximum CLI/API session duration in seconds between 3600 and 43200.",
          "default": 3600
        },
        "poweruser": {
          "$ref": "#/types/aws-iam:index:PoweruserRole"
        },
        "providerIds": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of SAML Provider IDs."
        },
        "readonly": {
          "$ref": "#/types/aws-iam:index:ReadonlyRole"
        }
      },
      "isComponent": true
    },
    "aws-iam:index:EKSRole": {
      "description": "This resource helps you create an IAM role that can be assumed by one or more EKS ServiceAccounts,\nin one or more EKS Clusters. With this resource:\n\n- You do not need any knowledge of cluster OIDC information.\n- You can assume the role from multiple EKS clusters, for example used in DR or when a workload is spread across clusters.\n- You can support multiple ServiceAccount in the same cluster, for example when a workload runs in multiple namespaces.\n\nNotes:\n\n- The EKS cluster needs to exist first, in the current AWS account and region\n- The key in the `Cluster Service Accounts` is the exact name of the EKS cluster.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Multi Cluster\n\nWith this resource you can provision an IAM Role named `my-app` that can be assumed from:\n\n- EKS cluster `staging-main-1`, namespace `default`, ServiceAccount called `my-app-staging`.\n- EKS cluster `staging-backup-1`, namespace `default`, ServiceAccount called `my-app-staging`.\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const eksRole = new iam.EKSRole(\"aws-iam-example-eks-role\", {\n    role: {\n        name: \"eks-role\",\n        policyArns: [ \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\" ],\n    },\n    tags: {\n        Name: \"eks-role\",\n    },\n    clusterServiceAccounts: {\n        \"staging-main-1\": [ \"default:my-app-staging\" ],\n        \"staging-backup-1\": [ \"default:my-app-staging\" ],\n    },\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\neks_role = iam.EKSRole(\n    'eks_role',\n    role=iam.RoleArgs(\n        name='eks-role',\n        policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],\n    ),\n    tags={\n        'Name': 'eks-role',\n    },\n    cluster_service_acccounts={\n        'staging-main-1': [ 'default:my-app-staging' ],\n        'staging-backup-1': [ 'default:my-app-staging' ],\n    },\n)\n```\n\n```go\npackage main\n\nimport (\n    iam 
\"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        eksRole, err := iam.NewEKSRole(ctx, \"eks-role\", &iam.EKSRoleArgs{\n            Role: iam.RoleArgs{\n                Name:       pulumi.String(\"eks-role\"),\n                PolicyArns: pulumi.ToStringArray([]string{\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"}),\n            },\n            Tags: pulumi.ToStringMap(map[string]string{\n                \"Role\": \"eks-role\",\n            }),\n            Uncomment the below and replace actual cluster values.\n            ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{\n                \"staging-main-1\": {\"default:my-app-staging\"},\n                \"staging-backup-1\": {\"default:my-app-staging\"},\n            }),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"eksRole\", eksRole)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\nusing System.Collections.Immutable;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var eksRole = new EKSRole(\"eks-role\", new EKSRoleArgs\n        {\n            Role = new RoleArgs\n            {\n                Name = \"eks-role\",\n                PolicyArns = {\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"},\n            },\n            Tags = new InputMap<string>\n            {\n                {\"Name\", \"eks-role\"},\n            },\n            Uncomment the below and replace actual cluster values.\n            ClusterServiceAccounts = {\n                {\"staging-main-1\", ImmutableArray.Create<string>(new string[] {\"default:my-app-staging\"})},\n                {\"staging-backup-1\", ImmutableArray.Create<string>(new string[] {\"default:my-app-staging\"})}\n            },\n        });\n\n        this.EksRole = 
Output.Create<EKSRole>(eksRole);\n    }\n\n    [Output]\n    public Output<EKSRole> EksRole { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    eksRole:\n        type: \"aws-iam:index:EKSRole\"\n        properties:\n            role:\n                name: \"eks-role\"\n                policyArns:\n                    - \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"\n            tags:\n                Name: \"eks-role\"\n            clusterServiceAccounts:\n                \"staging-main-1\":\n                    - \"default:my-app-staging\"\n                \"staging-backup-1\":\n                    - \"default:my-app-staging\"\noutputs:\n    eksRole: ${eksRole}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "arn": {
          "type": "string",
          "description": "ARN of IAM role."
        },
        "name": {
          "type": "string",
          "description": "Name of IAM role."
        },
        "path": {
          "type": "string",
          "description": "Path of IAM role."
        },
        "uniqueId": {
          "type": "string",
          "description": "Unique ID of IAM role."
        }
      },
      "type": "object",
      "required": [
        "arn",
        "name",
        "path",
        "uniqueId"
      ],
      "inputProperties": {
        "clusterServiceAccounts": {
          "type": "object",
          "additionalProperties": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
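          "description": "EKS cluster and k8s ServiceAccount pairs: each key is the exact EKS cluster name and each value lists the ServiceAccounts, written as `namespace:name`, that may assume the role. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details."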
        },
        "forceDetachPolicies": {
          "type": "boolean",
          "description": "Whether policies should be detached from this role when destroying.",
          "default": false
        },
        "maxSessionDuration": {
          "type": "integer",
          "description": "Maximum CLI/API session duration in seconds between 3600 and 43200.",
          "default": 3600
        },
        "providerUrlSaPairs": {
          "type": "object",
          "additionalProperties": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "description": "OIDC provider URL and k8s ServiceAccount pairs. Use this when the assume role policy requires a mix of EKS clusters and other OIDC providers."
        },
        "role": {
          "$ref": "#/types/aws-iam:index:Role"
        },
        "rolePolicyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "ARNs of any policies to attach to the IAM role."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "isComponent": true
    },
    "aws-iam:index:GroupWithAssumableRolesPolicy": {
      "description": "This resource helps you create an IAM Group with Users who are allowed to assume specified\nIAM roles.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Group With Assumable Roles Policy\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const groupWithAssumableRolesPolicy = new iam.GroupWithAssumableRolesPolicy(\"aws-iam-example-group-with-assumable-roles-policy\", {\n    name: \"production-readonly\",\n    assumableRoles: [ \"arn:aws:iam::835367859855:role/readonly\" ],\n    groupUsers: [ \"user1\" ],\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\ngroup_with_assume_roles_policy = iam.GroupWithAssumableRolesPolicy(\n    'group_with_assume_roles_policy',\n    name='production-readonly',\n    assumable_roles=['arn:aws:iam::835367859855:role/readonly'],\n    group_users=['user1','user2'],\n)\n\npulumi.export('group_with_assume_roles_policy', group_with_assume_roles_policy)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        groupWithAssumableRolesPolicy, err := iam.NewGroupWithAssumableRolesPolicy(ctx, \"group-with-assumable-roles-policy\", &iam.GroupWithAssumableRolesPolicyArgs{\n            Name:           pulumi.String(\"production-readonly\"),\n            AssumableRoles: pulumi.ToStringArray([]string{\"arn:aws:iam::835367859855:role/readonly\"}),\n            GroupUsers:     pulumi.ToStringArray([]string{\"user1\", \"user2\"}),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"groupWithAssumableRolesPolicy\", groupWithAssumableRolesPolicy)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var groupWithAssumableRolePolicy = new 
GroupWithAssumableRolesPolicy(\"group-with-assumable-roles-policy\", new GroupWithAssumableRolesPolicyArgs\n        {\n            Name = \"production-readonly\",\n            AssumableRoles = {\"arn:aws:iam::835367859855:role/readonly\"},\n            GroupUsers = {\"user1\", \"user2\"},\n        });\n\n        this.GroupWithAssumableRolesPolicy = Output.Create<GroupWithAssumableRolesPolicy>(groupWithAssumableRolePolicy);\n    }\n\n    [Output]\n    public Output<GroupWithAssumableRolesPolicy> GroupWithAssumableRolesPolicy { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    groupWithAssumableRolesPolicy:\n        type: \"aws-iam:index:GroupWithAssumableRolesPolicy\"\n        properties:\n            name: \"production-readonly\"\n            assumableRoles:\n                - \"arn:aws:iam::835367859855:role/readonly\"\n            groupUsers:\n                - \"user1\"\n                - \"user2\"\noutputs:\n    groupWithAssumableRolesPolicy: ${groupWithAssumableRolesPolicy}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "assumableRoles": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of IAM role ARNs which can be assumed by the group."
        },
        "groupArn": {
          "type": "string",
          "description": "IAM group arn."
        },
        "groupName": {
          "type": "string",
          "description": "IAM group name."
        },
        "groupUsers": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of IAM users in IAM group"
        },
        "policyArn": {
          "type": "string",
          "description": "Assume role policy ARN of IAM group"
        }
      },
      "type": "object",
      "required": [
        "assumableRoles",
        "groupArn",
        "groupName",
        "groupUsers",
        "policyArn"
      ],
      "inputProperties": {
        "assumableRoles": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of IAM role ARNs which can be assumed by the group."
        },
        "groupUsers": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of IAM users to have in an IAM group which can assume the role"
        },
        "name": {
          "type": "string",
          "description": "Name of IAM policy and IAM group."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "requiredInputs": [
        "assumableRoles",
        "groupUsers",
        "name"
      ],
      "isComponent": true
    },
    "aws-iam:index:GroupWithPolicies": {
      "description": "This resources allows you to create an IAM group with specified IAM policies,\nand then add specified users into your created group.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Group With Policies\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const groupWithPolicies = new iam.GroupWithPolicies(\"aws-iam-example-group-with-policies\", {\n    name: \"superadmins\",\n    groupUsers: [ \"user1\", \"user2\" ],\n    attachIamSelfManagementPolicy: true,\n    customGroupPolicyArns: [ \"arn:aws:iam::aws:policy/AdministratorAccess\" ],\n    customGroupPolicies: [{\n        \"name\": \"AllowS3Listing\",\n        \"policy\": \"{}\",\n    }],\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\ngroup_with_policies = iam.GroupWithPolicies(\n    'group_with_policies',\n    name='superadmins',\n    group_users=['user1','user2'],\n    attach_iam_self_management_policy=True,\n    custom_group_policy_arns=['arn:aws:iam::aws:policy/AdministratorAccess'],\n    custom_group_policies=[{\n        'name': 'AllowS3Listing',\n        'policy': '{}',\n    }],\n)\n\npulumi.export('group_with_policies', group_with_policies)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        groupWithPolicies, err := iam.NewGroupWithPolicies(ctx, \"group-with-policies\", &iam.GroupWithPoliciesArgs{\n            Name:                          pulumi.String(\"superadmins\"),\n            GroupUsers:                    pulumi.ToStringArray([]string{\"user1\", \"user2\"}),\n            AttachIamSelfManagementPolicy: pulumi.BoolPtr(true),\n            CustomGroupPolicyArns:         pulumi.ToStringArray([]string{\"arn:aws:iam::aws:policy/AdministratorAccess\"}),\n            CustomGroupPolicies: pulumi.ToStringMapArray([]map[string]string{\n                {\n   
                 \"name\":   \"AllowS3Listing\",\n                    \"policy\": \"{}\",\n                },\n            }),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"groupWithPolicies\", groupWithPolicies)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var groupWithPolicies = new GroupWithPolicies(\"group-with-policies\", new GroupWithPoliciesArgs\n        {\n            Name = \"superadmins\",\n            GroupUsers = {\"user1\", \"user2\"},\n            AttachIamSelfManagementPolicy = true,\n            CustomGroupPolicyArns = {\"arn:aws:iam::aws:policy/AdministratorAccess\"},\n            CustomGroupPolicies = new InputList<ImmutableDictionary<string, string>>\n            {\n                ImmutableDictionary.Create<string, string>()\n                    .Add(\"name\", \"AllowS3Listing\")\n                    .Add(\"policy\", \"{}\"),\n            },\n        });\n\n        this.GroupWithPolicies = Output.Create<GroupWithPolicies>(groupWithPolicies);\n    }\n\n    [Output]\n    public Output<GroupWithPolicies> GroupWithPolicies { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    groupWithPolicies:\n        type: \"aws-iam:index:GroupWithPolicies\"\n        properties:\n            name: \"superadmins\"\n            groupUsers:\n                - \"user1\"\n                - \"user2\"\n            attachIamSelfManagementPolicy: true\n            customGroupPolicyArns:\n                - \"arn:aws:iam::aws:policy/AdministratorAccess\"\n            customGroupPolicies:\n                - name: \"AllowS3Listing\"\n                policy: \"{}\"\n            outputs:\n                groupWithPolicies: ${groupWithPolicies}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "awsAccountId": {
          "type": "string",
          "description": "IAM AWS account id."
        },
        "groupArn": {
          "type": "string",
          "description": "IAM group arn."
        },
        "groupName": {
          "type": "string",
          "description": "IAM group name."
        },
        "groupUsers": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of IAM users in IAM group"
        }
      },
      "type": "object",
      "required": [
        "awsAccountId",
        "groupArn",
        "groupName",
        "groupUsers"
      ],
      "inputProperties": {
        "attachIamSelfManagementPolicy": {
          "type": "boolean",
          "description": "Whether to attach IAM policy which allows IAM users to manage their credentials and MFA.",
          "default": true
        },
        "awsAccountId": {
          "type": "string",
          "description": "AWS account id to use inside IAM policies. If empty, current AWS account ID will be used.",
          "default": ""
        },
        "customGroupPolicies": {
          "type": "array",
          "items": {
            "type": "object",
            "additionalProperties": {
              "type": "string"
            }
          },
          "description": "List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element."
        },
        "customGroupPolicyArns": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of IAM policy ARNs to attach to the IAM group."
        },
        "groupUsers": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of IAM users to add to the IAM group."
        },
        "iamSelfManagementPolicyNamePrefix": {
          "type": "string",
          "description": "Name prefix for IAM policy to create with IAM self-management permissions.",
          "default": "IAMSelfManagement-"
        },
        "name": {
          "type": "string",
          "description": "Name of IAM group.",
          "default": ""
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "requiredInputs": [
        "groupUsers",
        "name"
      ],
      "isComponent": true
    },
    "aws-iam:index:Policy": {
      "description": "This resource helps you create an IAM policy.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## Policy\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const policy = new iam.Policy(\"aws-iam-example-policy\", {\n    name: \"aws-iam-example-policy\",\n    path: \"/\",\n    description: \"My example policy\",\n    policyDocument: `{\n        \"Version\": \"2012-10-17\",\n        \"Statement\": [\n        {\n            \"Action\": [\n            \"ec2:Describe*\"\n            ],\n            \"Effect\": \"Allow\",\n            \"Resource\": \"*\"\n        }\n        ]\n    }`,\n});\n```\n\n```python\nimport json\nimport pulumi\nimport pulumi_aws_iam as iam\n\npolicy = iam.Policy(\n    'policy',\n    name='example',\n    path='/',\n    description='My example policy',\n    policy_document=json.dumps({\n        \"Version\": \"2012-10-17\",\n        \"Statement\": [\n        {\n            \"Action\": [\n            \"ec2:Describe*\"\n            ],\n            \"Effect\": \"Allow\",\n            \"Resource\": \"*\"\n        }\n        ]\n    })\n)\n```\n\n```go\npackage main\n\nimport (\n    \"encoding/json\"\n\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        policyJSON, err := json.Marshal(map[string]interface{}{\n            \"Version\": \"2012-10-17\",\n            \"Statement\": []interface{}{\n                map[string]interface{}{\n                    \"Effect\":   \"Allow\",\n                    \"Action\":   []string{\"ec2:Describe\"},\n                    \"Resource\": []string{\"*\"},\n                },\n            },\n        })\n        if err != nil {\n            return err\n        }\n\n        policy, err := iam.NewPolicy(ctx, \"policy\", &iam.PolicyArgs{\n            Name:           pulumi.String(\"example\"),\n            Path:           
pulumi.String(\"/\"),\n            Description:    pulumi.String(\"My example policy\"),\n            PolicyDocument: pulumi.String(string(policyJSON)),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"policy\", policy)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var policy = new Policy(\"policy\", new PolicyArgs\n        {\n            Name = \"example\",\n            Path = \"/\",\n            Description = \"My example policy\",\n            PolicyDocument =\n                @\"{\n                \"\"Version\"\": \"\"2012-10-17\"\",\n                \"\"Statement\"\": [\n                {\n                    \"\"Action\"\": [\n                    \"\"ec2:Describe*\"\"\n                    ],\n                    \"\"Effect\"\": \"\"Allow\"\",\n                    \"\"Resource\"\": \"\"*\"\"\n                }\n                ]\n            }\"\n        });\n    }\n\n    [Output]\n    public Output<Policy> Policy { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    policy:\n        type: \"aws-iam:index:Policy\"\n        properties:\n            name: \"example\"\n            path: \"/\"\n            description: \"My example policy\"\n            policyDocument: |\n                {\n                    \"Version\": \"2012-10-17\",\n                    \"Statement\": [\n                        {\n                            \"Action\": [\n                                \"ec2:Describe*\"\n                            ],\n                            \"Effect\": \"Allow\",\n                            \"Resource\": \"*\"\n                        }\n                    ]\n                }\noutputs:\n    policy: ${policy}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "arn": {
          "type": "string",
          "description": "The ARN assigned by AWS to this policy."
        },
        "description": {
          "type": "string",
          "description": "The description of the policy."
        },
        "id": {
          "type": "string",
          "description": "The policy's ID."
        },
        "name": {
          "type": "string",
          "description": "The name of the policy."
        },
        "path": {
          "type": "string",
          "description": "The path of the policy in IAM."
        },
        "policyDocument": {
          "type": "string",
          "description": "The policy document."
        }
      },
      "type": "object",
      "required": [
        "arn",
        "description",
        "id",
        "name",
        "path",
        "policyDocument"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "The description of the policy.",
          "default": "IAM Policy"
        },
        "name": {
          "type": "string",
          "description": "The name of the policy."
        },
        "path": {
          "type": "string",
          "description": "The path of the policy in IAM.",
          "default": "/"
        },
        "policyDocument": {
          "type": "string",
          "description": "The policy document."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "requiredInputs": [
        "name",
        "policyDocument"
      ],
      "isComponent": true
    },
    "aws-iam:index:ReadOnlyPolicy": {
      "description": "This resource helps you create an IAM read-only policy for the services you specify. The default AWS\nread-only policies may not include services you need or may contain services you do not need access to.\nThis resource helps ensure your read-only policy has permissions to exactly what you specify.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## RDS and Dynamo Read Only Policy\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const readOnlyPolicy = new iam.ReadOnlyPolicy(\"aws-iam-example-read-only-policy\", {\n    name: \"aws-iam-example-read-only\",\n    path: \"/\",\n    description: \"My example read only policy\",\n    allowedServices: [ \"rds\", \"dynamodb\" ],\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nread_only_policy = iam.ReadOnlyPolicy(\n    'read_only_policy',\n    name='example',\n    path='/',\n    description='My example read only policy',\n    allowed_services=['rds','dynamodb'],\n)\n\npulumi.export('read_only_policy', read_only_policy)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        readOnlyPolicy, err := iam.NewReadOnlyPolicy(ctx, \"read-only-policy\", &iam.ReadOnlyPolicyArgs{\n            Name:            pulumi.String(\"example\"),\n            Path:            pulumi.String(\"/\"),\n            Description:     pulumi.String(\"My example policy\"),\n            AllowedServices: pulumi.ToStringArray([]string{\"rds\", \"dynamodb\"}),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"readOnlyPolicy\", readOnlyPolicy)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var readOnlyPolicy = new 
ReadOnlyPolicy(\"read-only-policy\", new ReadOnlyPolicyArgs\n        {\n            Name = \"example\",\n            Path = \"/\",\n            Description = \"My example read only policy\",\n            AllowedServices = {\"rds\", \"dynamodb\"},\n        });\n\n        this.ReadOnlyPolicy = Output.Create<ReadOnlyPolicy>(readOnlyPolicy);\n    }\n\n    [Output]\n    public Output<ReadOnlyPolicy> ReadOnlyPolicy { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    readOnlyPolicy:\n        type: \"aws-iam:index:ReadOnlyPolicy\"\n        properties:\n            name: \"example\"\n            path: \"/\"\n            description: \"My example read only policy\"\n            allowedServices:\n                - \"rds\"\n                - \"dynamodb\"\noutputs:\n    readOnlyPolicy: ${readOnlyPolicy}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "arn": {
          "type": "string",
          "description": "The ARN assigned by AWS to this policy."
        },
        "description": {
          "type": "string",
          "description": "The description of the policy."
        },
        "id": {
          "type": "string",
          "description": "The policy's ID."
        },
        "name": {
          "type": "string",
          "description": "The name of the policy."
        },
        "path": {
          "type": "string",
          "description": "The path of the policy in IAM."
        },
        "policy": {
          "type": "string",
          "description": "The policy document."
        },
        "policyJson": {
          "type": "string",
          "description": "Policy document as JSON. Useful if you need the document but do not want to create the IAM policy itself, for example for SSO Permission Set inline policies."
        }
      },
      "type": "object",
      "required": [
        "arn",
        "description",
        "id",
        "name",
        "path",
        "policy",
        "policyJson"
      ],
      "inputProperties": {
        "additionalPolicyJson": {
          "type": "string",
          "description": "JSON policy document if you want to add custom actions.",
          "default": "{}"
        },
        "allowCloudwatchLogsQuery": {
          "type": "boolean",
          "description": "Allows the StartQuery/StopQuery/FilterLogEvents CloudWatch Logs actions.",
          "default": true
        },
        "allowPredefinedStsActions": {
          "type": "boolean",
          "description": "Allows the GetCallerIdentity/GetSessionToken/GetAccessKeyInfo STS actions.",
          "default": true
        },
        "allowWebConsoleServices": {
          "type": "boolean",
          "description": "Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).",
          "default": true
        },
        "allowedServices": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of services to allow Get/List/Describe/View actions for. Service name should be the same as the corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html."
        },
        "description": {
          "type": "string",
          "description": "The description of the policy.",
          "default": "IAM Policy"
        },
        "name": {
          "type": "string",
          "description": "The name of the policy."
        },
        "path": {
          "type": "string",
          "description": "The path of the policy in IAM.",
          "default": "/"
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        },
        "webConsoleServices": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of web console services to allow."
        }
      },
      "requiredInputs": [
        "name"
      ],
      "isComponent": true
    },
    "aws-iam:index:RoleForServiceAccountsEks": {
      "description": "This resources helps you create an IAM role which can be assumed by AWS EKS ServiceAccounts with optional policies for\ncommonly used controllers/custom resources within EKS. The optional policies you can specify are:\n\n- Cert-Manager\n- Cluster Autoscaler\n- EBS CSI Driver\n- EFS CSI Driver\n- External DNS\n- External Secrets\n- FSx for Lustre CSI Driver\n- Karpenter\n- Load Balancer Controller\n- Load Balancer Controller Target Group Binding Only\n- App Mesh Controller\n- App Mesh Envoy Proxy\n- Managed Service for Prometheus\n- Node Termination Handler\n- Velero\n- VPC CNI\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n## VPC CNI\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks(\"aws-iam-example-role-for-service-accounts-eks\", {\n    role: {\n        name: \"vpc-cni\"\n    },\n    tags: {\n        Name: \"vpc-cni-irsa\",\n    },\n    oidcProviders: {\n        main: {\n            providerArn: \"arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D\",\n            namespaceServiceAccounts: [\"default:my-app\", \"canary:my-app\"],\n        }\n    },\n    policies: {\n        vpnCni: {\n            attach: true,\n            enableIpv4: true,\n        },\n    },\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nrole_for_service_account_eks = iam.RoleForServiceAccountsEks(\n    'role_for_service_account_eks',\n    role=iam.RoleArgs(\n        name='vpc-cni'\n    ),\n    tags={\n        'Name': 'vpc-cni-irsa',\n    },\n    oidc_providers={\n        'main': iam.OIDCProviderArgs(\n            provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D',\n            namespace_service_accounts=['default:my-app', 'canary:my-app'],\n        ),\n    },\n    policies=iam.EKSRolePoliciesArgs(\n        
vpn_cni=iam.EKSVPNCNIPolicyArgs(\n            attach=True,\n            enable_ipv4=True,\n        ),\n    ),\n)\n\npulumi.export('role_for_service_account_eks', role_for_service_account_eks)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        roleForServiceAccountsEKS, err := iam.NewRoleForServiceAccountsEks(ctx, \"role-for-service-accounts-eks\", &iam.RoleForServiceAccountsEksArgs{\n            Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{\n                Name: pulumi.String(\"vpc-cni\"),\n            }),\n            Tags: pulumi.ToStringMap(map[string]string{\n                \"Name\": \"vpc-cni-irsa\",\n            }),\n            OidcProviders: iam.OIDCProviderMap{\n                \"main\": iam.OIDCProviderArgs{\n                    ProviderArn:              pulumi.String(\"arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D\"),\n                    NamespaceServiceAccounts: pulumi.ToStringArray([]string{\"default:my-app\", \"canary:my-app\"}),\n                },\n            },\n            Policies: iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{\n                VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{\n                    Attach:     pulumi.Bool(true),\n                    EnableIpv4: pulumi.BoolPtr(true),\n                }),\n            }),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"roleForServiceAccountsEKS\", roleForServiceAccountsEKS)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var roleForServiceAccountEks = new RoleForServiceAccountsEks(\"role-for-service-account-eks\", new 
RoleForServiceAccountsEksArgs\n        {\n            Role = new EKSServiceAccountRoleArgs\n            {\n                Name = \"vpn-cni\",\n            },\n            Tags = {\n                {\"Name\", \"vpc-cni-irsa\"},\n            },\n            OidcProviders = {\n                {\"main\", new OIDCProviderArgs\n                {\n                    ProviderArn = \"arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D\",\n                    NamespaceServiceAccounts = {\"default:my-app\", \"canary:my-app\"},\n                }},\n            },\n            Policies = new EKSRolePoliciesArgs\n            {\n                VpnCni = new EKSVPNCNIPolicyArgs\n                {\n                    Attach = true,\n                    EnableIpv4 = true,\n                },\n            },\n        });\n\n        this.RoleForServiceAccountEks = Output.Create<RoleForServiceAccountsEks>(roleForServiceAccountEks);\n    }\n\n    [Output]\n    public Output<RoleForServiceAccountsEks> RoleForServiceAccountEks { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    roleForServiceAccountsEks:\n        type: \"aws-iam:index:RoleForServiceAccountsEks\"\n        properties:\n            role:\n                name: \"vpc-cni\"\n            tags:\n                Name: \"vpc-cni-irsa\"\n            oidcProviders:\n                main:\n                    providerArn: \"arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D\"\n                    namespaceServiceAccounts:\n                        - \"default:my-app\"\n                        - \"canary:my-app\"\n            policies:\n                vpnCni:\n                    attach: true\n                    enableIpv4: true\noutputs:\n    roleForServiceAccountsEks: ${roleForServiceAccountsEks}\n```\n{{ /example }}\n\n{{% examples %}}\n",
      "properties": {
        "role": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "required": [
        "role"
      ],
      "inputProperties": {
        "assumeRoleConditionTest": {
          "type": "string",
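          "description": "Name of the IAM condition operator to evaluate when assuming the role. The default `StringEquals` requires an exact match; wildcard-capable operators such as `StringLike` match more broadly and widen who can assume the role.",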
          "default": "StringEquals"
        },
        "forceDetachPolicies": {
          "type": "boolean",
          "description": "Whether policies should be detached from this role when destroying.",
          "default": false
        },
        "maxSessionDuration": {
          "type": "integer",
          "description": "Maximum CLI/API session duration in seconds, between 3600 and 43200 (1 to 12 hours).",
          "default": 3600
        },
        "oidcProviders": {
          "type": "object",
          "additionalProperties": {
            "$ref": "#/types/aws-iam:index:OIDCProvider"
          },
          "description": "Map of OIDC providers."
        },
        "policies": {
          "$ref": "#/types/aws-iam:index:EKSRolePolicies"
        },
        "policyNamePrefix": {
          "type": "string",
          "description": "IAM policy name prefix.",
          "default": "AmazonEKS_"
        },
        "role": {
          "$ref": "#/types/aws-iam:index:EKSServiceAccountRole"
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        }
      },
      "isComponent": true
    },
    "aws-iam:index:User": {
      "description": "This resource helps you create an IAM User, Login Profile, and Access Key. Additionally you\ncan optionally upload an IAM SSH User Public Key.\n\n{{% examples %}}\n## Example Usage\n\n{{% example %}}\n### User\n\n```typescript\nimport * as iam from \"@pulumi/aws-iam\";\n\nexport const user = new iam.User(\"aws-iam-example-user\", {\n    name: \"pulumipus\",\n    forceDestroy: true,\n    pgpKey: \"keybase:test\",\n    passwordResetRequired: false,\n});\n```\n\n```python\nimport pulumi\nimport pulumi_aws_iam as iam\n\nuser = iam.User(\n    'user',\n    name='pulumipus',\n    force_destroy=True,\n    pgp_key='keybase:test',\n    password_reset_required=False,\n)\n\npulumi.export('user', user)\n```\n\n```go\npackage main\n\nimport (\n    iam \"github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam\"\n    \"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n    pulumi.Run(func(ctx *pulumi.Context) error {\n        user, err := iam.NewUser(ctx, \"user\", &iam.UserArgs{\n            Name:                  pulumi.String(\"pulumipus\"),\n            ForceDestroy:          pulumi.BoolPtr(true),\n            PgpKey:                pulumi.String(\"keybase:test\"),\n            PasswordResetRequired: pulumi.BoolPtr(false),\n        })\n        if err != nil {\n            return err\n        }\n\n        ctx.Export(\"user\", user)\n\n        return nil\n    })\n}\n```\n\n```csharp\nusing Pulumi;\nusing Pulumi.AwsIam;\nusing Pulumi.AwsIam.Inputs;\n\nclass MyStack : Stack\n{\n    public MyStack()\n    {\n        var user = new User(\"user\", new UserArgs\n        {\n            Name = \"pulumipus\",\n            ForceDestroy = true,\n            PgpKey = \"keybase:test\",\n            PasswordResetRequired = false,\n        });\n\n        this.User = Output.Create<User>(user);\n    }\n\n    [Output]\n    public Output<User> User { get; set; }\n}\n```\n\n```yaml\nname: awsiam-yaml\nruntime: yaml\nresources:\n    user:\n        type: \"aws-iam:index:User\"\n        properties:\n            name: \"pulumipus\"\n            forceDestroy: true\n            pgpKey: \"keybase:test\"\n            passwordResetRequired: false\noutputs:\n    user: ${user}\n```\n{{% /example %}}\n\n{{% /examples %}}\n",
      "properties": {
        "accessKey": {
          "$ref": "#/types/aws-iam:index:AccessKeyOutput",
          "description": "The IAM access key."
        },
        "keybase": {
          "$ref": "#/types/aws-iam:index:KeybaseOutput"
        },
        "pgpKey": {
          "type": "string",
          "description": "PGP key used to encrypt sensitive data for this user. If empty, secrets are not encrypted."
        },
        "userInfo": {
          "$ref": "#/types/aws-iam:index:UserOutput",
          "description": "The IAM user."
        }
      },
      "type": "object",
      "required": [
        "accessKey",
        "keybase",
        "pgpKey",
        "userInfo"
      ],
      "inputProperties": {
        "forceDestroy": {
          "type": "boolean",
          "description": "When destroying this user, destroy it even if it has non-Pulumi-managed IAM access keys, a login profile or MFA devices. Without forceDestroy, a user with non-Pulumi-managed access keys and a login profile will fail to be destroyed."
        },
        "name": {
          "type": "string",
          "description": "Desired name for the IAM user."
        },
        "passwordLength": {
          "type": "integer",
          "description": "The length of the generated password."
        },
        "passwordResetRequired": {
          "type": "boolean",
          "description": "Whether the user should be forced to reset the generated password on first login."
        },
        "path": {
          "type": "string",
          "description": "Desired path for the IAM user.",
          "default": "/"
        },
        "permissionsBoundary": {
          "type": "string",
          "description": "The ARN of the policy that is used to set the permissions boundary for the user."
        },
        "pgpKey": {
          "type": "string",
          "description": "Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt the password and the access key secret; if empty, these secrets are not encrypted."
        },
        "sshKeyEncoding": {
          "type": "string",
          "description": "Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.",
          "default": "SSH"
        },
        "sshPublicKey": {
          "type": "string",
          "description": "The SSH public key. The public key must be encoded in ssh-rsa format or PEM format."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A map of tags to add."
        },
        "uploadIamUserSshKey": {
          "type": "boolean",
          "description": "Whether to upload a public SSH key to the IAM user."
        }
      },
      "requiredInputs": [
        "name"
      ],
      "isComponent": true
    }
  }
}
