# Provider Configuration

The AWS Provider class configures authentication, regional settings, and global behavior for all AWS resources in a Pulumi program.

## Capabilities

### Provider Class

Central configuration resource that manages AWS connection settings and global defaults.

```typescript { .api }
/**
 * AWS Provider resource for configuring authentication and global settings
 */
class Provider extends pulumi.ProviderResource {
  constructor(name: string, args?: ProviderArgs, opts?: pulumi.ResourceOptions);

  // Authentication properties
  readonly accessKey?: pulumi.Output<string>;
  readonly secretKey?: pulumi.Output<string>;
  readonly token?: pulumi.Output<string>;
  readonly profile?: pulumi.Output<string>;

  // Regional configuration
  readonly region?: pulumi.Output<string>;
  readonly stsRegion?: pulumi.Output<string>;

  // Advanced configuration
  readonly defaultTags?: pulumi.Output<ProviderDefaultTags>;
  readonly customEndpoints?: pulumi.Output<ProviderCustomEndpoints>;
  readonly maxRetries?: pulumi.Output<number>;
  readonly httpProxy?: pulumi.Output<string>;
  readonly httpsProxy?: pulumi.Output<string>;
}

interface ProviderArgs {
  // Authentication
  accessKey?: pulumi.Input<string>;
  secretKey?: pulumi.Input<string>;
  token?: pulumi.Input<string>;
  profile?: pulumi.Input<string>;

  // Regional settings
  region?: pulumi.Input<string>;
  stsRegion?: pulumi.Input<string>;

  // Role assumption
  assumeRole?: pulumi.Input<ProviderAssumeRole>;
  assumeRoleWithWebIdentity?: pulumi.Input<ProviderAssumeRoleWithWebIdentity>;

  // Security settings
  allowedAccountIds?: pulumi.Input<pulumi.Input<string>[]>;
  forbiddenAccountIds?: pulumi.Input<pulumi.Input<string>[]>;

  // Global tags and configuration
  defaultTags?: pulumi.Input<ProviderDefaultTags>;
  ignoreTags?: pulumi.Input<ProviderIgnoreTags>;

  // Networking and endpoints
  customEndpoints?: pulumi.Input<ProviderCustomEndpoints>;
  httpProxy?: pulumi.Input<string>;
  httpsProxy?: pulumi.Input<string>;
  noProxy?: pulumi.Input<string>;

  // Performance and behavior
  maxRetries?: pulumi.Input<number>;
  retryMode?: pulumi.Input<string>;
  skipCredentialsValidation?: pulumi.Input<boolean>;
  skipMetadataApiCheck?: pulumi.Input<boolean>;
  insecure?: pulumi.Input<boolean>;
}
```

**Usage Examples:**

```typescript
import * as aws from "@pulumi/aws";

// Each provider gets its own variable so the examples can live in one program.

// Basic provider with region
const basicProvider = new aws.Provider("aws-provider", {
  region: "us-west-2"
});

// Provider with profile authentication
const profileProvider = new aws.Provider("aws-profile", {
  region: "us-east-1",
  profile: "production"
});

// Provider with role assumption
const assumeRoleProvider = new aws.Provider("aws-assume-role", {
  region: "eu-west-1",
  assumeRole: {
    roleArn: "arn:aws:iam::123456789012:role/CrossAccountRole",
    sessionName: "pulumi-session"
  }
});

// Provider with default tags
const taggedProvider = new aws.Provider("aws-tagged", {
  region: "us-west-2",
  defaultTags: {
    tags: {
      Environment: "production",
      ManagedBy: "pulumi"
    }
  }
});
```
109
110
### Role Assumption
111
112
Configuration for assuming IAM roles, including cross-account access and web identity federation.
113
114
```typescript { .api }
115
interface ProviderAssumeRole {
116
/** ARN of the role to assume */
117
roleArn?: pulumi.Input<string>;
118
/** Session name for the assumed role session */
119
sessionName?: pulumi.Input<string>;
120
/** External ID for role assumption */
121
externalId?: pulumi.Input<string>;
122
/** IAM policy to apply to the assumed role session */
123
policy?: pulumi.Input<string>;
124
/** Session tags for the assumed role */
125
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
126
/** Session duration in seconds (900-43200) */
127
duration?: pulumi.Input<string>;
128
}
129
130
interface ProviderAssumeRoleWithWebIdentity {
131
/** ARN of the role to assume */
132
roleArn?: pulumi.Input<string>;
133
/** Session name for the assumed role session */
134
sessionName?: pulumi.Input<string>;
135
/** Path to the web identity token file */
136
webIdentityTokenFile?: pulumi.Input<string>;
137
/** IAM policy to apply to the assumed role session */
138
policy?: pulumi.Input<string>;
139
/** Session duration in seconds (900-43200) */
140
duration?: pulumi.Input<string>;
141
}
142
```

### Default Tags

Global tagging configuration applied to all resources created by the provider.

```typescript { .api }
interface ProviderDefaultTags {
  /** Map of tags to apply to all resources */
  tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

interface ProviderIgnoreTags {
  /** Tag keys to ignore during resource updates */
  keys?: pulumi.Input<pulumi.Input<string>[]>;
  /** Tag key prefixes to ignore during resource updates */
  keyPrefixes?: pulumi.Input<pulumi.Input<string>[]>;
}
```

### Custom Endpoints

Override default AWS service endpoints for testing or private deployments.

```typescript { .api }
interface ProviderCustomEndpoints {
  /** EC2 service endpoint URL */
  ec2?: pulumi.Input<string>;
  /** S3 service endpoint URL */
  s3?: pulumi.Input<string>;
  /** Lambda service endpoint URL */
  lambda?: pulumi.Input<string>;
  /** IAM service endpoint URL */
  iam?: pulumi.Input<string>;
  /** RDS service endpoint URL */
  rds?: pulumi.Input<string>;
  /** DynamoDB service endpoint URL */
  dynamodb?: pulumi.Input<string>;
  // ... endpoints for all 225+ AWS services
}
```

**Usage Examples:**

```typescript
import * as aws from "@pulumi/aws";

// Custom endpoints for LocalStack testing
const localstackProvider = new aws.Provider("localstack", {
  region: "us-east-1",
  accessKey: "test",
  secretKey: "test",
  customEndpoints: {
    s3: "http://localhost:4566",
    lambda: "http://localhost:4566",
    dynamodb: "http://localhost:4566"
  },
  skipCredentialsValidation: true,
  skipMetadataApiCheck: true
});

// Private cloud or VPC endpoints
const privateCloudProvider = new aws.Provider("private-cloud", {
  region: "us-west-2",
  customEndpoints: {
    s3: "https://s3.private.example.com",
    ec2: "https://ec2.private.example.com"
  }
});
```

### Authentication Methods

The provider supports multiple authentication methods in order of precedence:

1. **Explicit credentials** - `accessKey`, `secretKey`, `token` parameters
2. **Profile-based** - `profile` parameter referencing AWS CLI profiles
3. **Role assumption** - `assumeRole` configuration
4. **Environment variables** - `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, etc.
5. **Instance metadata** - EC2 instance profiles and ECS task roles
6. **Web Identity Federation** - `assumeRoleWithWebIdentity` for OIDC providers
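
A pre-deployment check over the settings documented on this page, added here as an example and not part of `@pulumi/aws`: it flags hard-coded credentials, plaintext or unparseable custom endpoints, `insecure`, skipped credential validation, and a missing `allowedAccountIds` list. `ProviderLike`, `parseEndpoint` and `auditProvider` are hypothetical names, and treating a configuration whose overridden endpoints are all loopback as a local test setup (the LocalStack case) is an assumption of this example.

```typescript
// Added example. `ProviderLike`, `parseEndpoint` and `auditProvider` are
// hypothetical names; the fields mirror ProviderArgs with plain values.
interface ProviderLike {
    region?: string;
    accessKey?: string;
    secretKey?: string;
    token?: string;
    insecure?: boolean;
    skipCredentialsValidation?: boolean;
    allowedAccountIds?: string[];
    customEndpoints?: { [service: string]: string };
}

const LOOPBACK = ["localhost", "127.0.0.1", "[::1]"];

// Split an endpoint into scheme and host. Returns null for anything that is
// not plain http(s)://host[:port], including URLs carrying userinfo ("@").
function parseEndpoint(url: string): { scheme: string; host: string } | null {
    const m = /^(https?):\/\/(\[[^\]]+\]|[^\/:?#@]+)(?::\d+)?(?:[\/?#]|$)/i.exec(url);
    return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() } : null;
}

function auditProvider(args: ProviderLike): string[] {
    const findings: string[] = [];
    const endpoints = args.customEndpoints ?? {};
    const services = Object.keys(endpoints);
    // LocalStack-style config: every overridden service points at loopback.
    let localOnly = services.length > 0;
    for (const service of services) {
        const ep = parseEndpoint(endpoints[service]);
        const loopback = ep !== null && LOOPBACK.indexOf(ep.host) !== -1;
        if (!loopback) localOnly = false;
        if (ep === null) findings.push(`unparseable-endpoint:${service}`);
        else if (ep.scheme !== "https" && !loopback) findings.push(`plaintext-endpoint:${service}`);
    }
    if (!localOnly) {
        // Keys written into the program end up in version control.
        if (args.accessKey || args.secretKey || args.token) findings.push("static-credentials");
        if (args.skipCredentialsValidation) findings.push("credentials-validation-skipped");
        // `insecure` lets the provider make requests without TLS verification.
        if (args.insecure) findings.push("tls-verification-disabled");
        // An allow-list stops a wrong profile or role from touching another account.
        if (!args.allowedAccountIds || args.allowedAccountIds.length === 0) {
            findings.push("no-account-allow-list");
        }
    }
    return findings;
}
```

Run it in CI against the same object literal that is passed to `new aws.Provider(...)` and fail the build when the returned list is not empty.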

### Global Configuration Functions

Utility functions for retrieving provider and account information.

```typescript { .api }
/**
 * Get information about the AWS provider configuration
 */
function getDefaultTags(args?: GetDefaultTagsArgs): Promise<GetDefaultTagsResult>;

interface GetDefaultTagsResult {
  /** Tags configured at the provider level */
  readonly tags: {[key: string]: string};
}

/**
 * Get current AWS caller identity information
 */
function getCallerIdentity(args?: GetCallerIdentityArgs): Promise<GetCallerIdentityResult>;

interface GetCallerIdentityResult {
  /** AWS account ID */
  readonly accountId: string;
  /** ARN of the calling identity */
  readonly arn: string;
  /** Unique ID of the calling identity */
  readonly userId: string;
}
```