tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7

A Pulumi provider SDK for creating and managing Amazon Web Services (AWS) cloud resources in Go, providing strongly-typed resource classes and data sources for all major AWS services.


docs/reference/iam-security/iam.md

IAM Package

Package import path: github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam

import "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"

Overview

The IAM package provides resources and data sources to manage AWS Identity and Access Management (IAM). IAM enables you to manage access to AWS services and resources securely via roles, policies, users, and groups.

Resource and Data Source Index

Resources (New*)

  • NewAccessKey - IAM access key for a user
  • NewAccountAlias - Account alias
  • NewAccountPasswordPolicy - Account password policy
  • NewGroup - IAM group
  • NewGroupMembership - Exclusive group membership (all users in group)
  • NewGroupPoliciesExclusive - Exclusively manage group inline policies
  • NewGroupPolicy - Inline policy attached to a group
  • NewGroupPolicyAttachment - Managed policy attached to a group
  • NewGroupPolicyAttachmentsExclusive - Exclusively manage group managed policy attachments
  • NewInstanceProfile - EC2 instance profile
  • NewOpenIdConnectProvider - OIDC identity provider
  • NewOrganizationsFeatures - IAM Organizations features
  • NewOutboundWebIdentityFederation - Outbound web identity federation
  • NewPolicy - IAM managed policy
  • NewPolicyAttachment - Exclusive policy attachment to users/roles/groups
  • NewRole - IAM role
  • NewRolePoliciesExclusive - Exclusively manage role inline policies
  • NewRolePolicy - Inline policy attached to a role
  • NewRolePolicyAttachment - Managed policy attached to a role
  • NewRolePolicyAttachmentsExclusive - Exclusively manage role managed policy attachments
  • NewSamlProvider - SAML identity provider
  • NewSecurityTokenServicePreferences - STS global endpoint preference
  • NewServerCertificate - Server certificate
  • NewServiceLinkedRole - AWS service-linked role
  • NewServiceSpecificCredential - Service-specific credential
  • NewSigningCertificate - Signing certificate
  • NewSshKey - SSH public key
  • NewUser - IAM user
  • NewUserGroupMembership - Non-exclusive user group membership
  • NewUserLoginProfile - User console login profile
  • NewUserPoliciesExclusive - Exclusively manage user inline policies
  • NewUserPolicy - Inline policy attached to a user
  • NewUserPolicyAttachment - Managed policy attached to a user
  • NewUserPolicyAttachmentsExclusive - Exclusively manage user managed policy attachments
  • NewVirtualMfaDevice - Virtual MFA device

Data Sources (Get*/Lookup*)

  • GetPolicyDocument - Generate IAM policy JSON (critical utility)
  • GetAccessKey - Look up access key metadata
  • GetAccessKeys - List access keys for a user
  • GetAccountAlias - Get account alias
  • GetAccountPasswordPolicy - Get account password policy
  • GetGroup - Look up a group
  • GetGroupMembership - Get group membership
  • GetGroupPolicy - Get an inline group policy
  • GetGroupPolicyAttachment - Get a managed policy attachment on a group
  • GetInstanceProfile - Look up an instance profile
  • GetInstanceProfiles - List instance profiles
  • GetOpenIdConnectProvider - Look up an OIDC provider
  • GetOrganizationsFeatures - Get Organizations IAM features
  • GetPolicy - Look up a managed policy by ARN
  • GetPolicyAttachment - Get policy attachment info
  • GetRole - Look up a role by name
  • GetRolePoliciesExclusive - Get exclusive role inline policies
  • GetRolePolicy - Get an inline role policy
  • GetRolePolicyAttachment - Get a managed policy attachment on a role
  • GetRolePolicyAttachmentsExclusive - Get exclusive role managed policy attachments
  • GetRoles - List roles
  • GetSamlProvider - Look up a SAML provider
  • GetServerCertificate - Look up a server certificate
  • GetServiceLinkedRole - Look up a service-linked role
  • GetSessionContext - Get caller identity session context
  • GetUser - Look up a user
  • GetUserGroupMembership - Get user group memberships
  • GetUserLoginProfile - Get user login profile
  • GetUserPolicy - Get an inline user policy
  • GetUserPolicyAttachment - Get a managed policy attachment on a user
  • GetUsers - List users
  • GetVirtualMfaDevice - Look up a virtual MFA device

Data Source: GetPolicyDocument (Critical)

GetPolicyDocument generates IAM policy JSON. This is the primary way to construct policy documents in Pulumi Go. It returns a *GetPolicyDocumentResult containing the .Json field used in policy resources.

func GetPolicyDocument(ctx *pulumi.Context, args *GetPolicyDocumentArgs, opts ...pulumi.InvokeOption) (*GetPolicyDocumentResult, error)

GetPolicyDocumentArgs

type GetPolicyDocumentArgs struct {
    // List of IAM policy documents merged into the exported document.
    // Statements with non-blank sids override statements with same sid from source docs.
    OverridePolicyDocuments []string `pulumi:"overridePolicyDocuments"`

    // ID for the policy document.
    PolicyId *string `pulumi:"policyId"`

    // List of IAM policy documents merged into the exported document.
    // All statements must have unique sids.
    SourcePolicyDocuments []string `pulumi:"sourcePolicyDocuments"`

    // Configuration blocks for policy statements.
    Statements []GetPolicyDocumentStatement `pulumi:"statements"`

    // IAM policy document version. Valid values: "2008-10-17", "2012-10-17".
    // Defaults to "2012-10-17".
    Version *string `pulumi:"version"`
}

GetPolicyDocumentResult

type GetPolicyDocumentResult struct {
    // Provider-assigned unique ID.
    Id string `pulumi:"id"`

    // Standard JSON policy document rendered based on the arguments.
    Json string `pulumi:"json"`

    // Minified JSON policy document.
    MinifiedJson string `pulumi:"minifiedJson"`

    OverridePolicyDocuments []string                     `pulumi:"overridePolicyDocuments"`
    PolicyId                *string                      `pulumi:"policyId"`
    SourcePolicyDocuments   []string                     `pulumi:"sourcePolicyDocuments"`
    Statements              []GetPolicyDocumentStatement `pulumi:"statements"`
    Version                 *string                      `pulumi:"version"`
}

GetPolicyDocumentStatement

type GetPolicyDocumentStatement struct {
    // List of actions this statement allows or denies. E.g. ["ec2:RunInstances", "s3:*"].
    Actions []string `pulumi:"actions"`

    // Configuration blocks for conditions.
    Conditions []GetPolicyDocumentStatementCondition `pulumi:"conditions"`

    // Whether this statement allows or denies. Valid values: "Allow", "Deny". Defaults to "Allow".
    Effect *string `pulumi:"effect"`

    // List of actions this statement does NOT apply to.
    NotActions []string `pulumi:"notActions"`

    // Principals this statement does NOT apply to.
    NotPrincipals []GetPolicyDocumentStatementNotPrincipal `pulumi:"notPrincipals"`

    // List of resource ARNs this statement does NOT apply to. Conflicts with Resources.
    NotResources []string `pulumi:"notResources"`

    // Configuration blocks for principals.
    Principals []GetPolicyDocumentStatementPrincipal `pulumi:"principals"`

    // List of resource ARNs this statement applies to. Required by AWS for IAM policies.
    // Conflicts with NotResources.
    Resources []string `pulumi:"resources"`

    // Statement ID, an identifier for the policy statement.
    Sid *string `pulumi:"sid"`
}

GetPolicyDocumentStatementPrincipal

type GetPolicyDocumentStatementPrincipal struct {
    // Type of principal: "AWS", "Service", "Federated", "CanonicalUser", or "*"
    // (anonymous; use together with Identifiers ["*"]).
    Type string `pulumi:"type"`

    // List of ARNs or service identifiers for the principal.
    Identifiers []string `pulumi:"identifiers"`
}

GetPolicyDocumentStatementCondition

type GetPolicyDocumentStatementCondition struct {
    // IAM condition operator. E.g. "StringEquals", "ArnLike", "Bool".
    Test string `pulumi:"test"`

    // IAM condition key. E.g. "aws:RequestedRegion", "s3:prefix".
    Variable string `pulumi:"variable"`

    // Values for the condition.
    Values []string `pulumi:"values"`
}

Usage Examples

Assume-role policy for EC2:

assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {
            Effect: pulumi.StringRef("Allow"),
            Principals: []iam.GetPolicyDocumentStatementPrincipal{
                {
                    Type:        "Service",
                    Identifiers: []string{"ec2.amazonaws.com"},
                },
            },
            Actions: []string{"sts:AssumeRole"},
        },
    },
}, nil)
if err != nil {
    return err
}
// Use assumeRole.Json as AssumeRolePolicy in iam.NewRole

S3 access policy with conditions:

// s3Doc is a rendered document (*GetPolicyDocumentResult), not a managed policy;
// pass s3Doc.Json to iam.NewPolicy or iam.NewRolePolicy.
s3Doc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {
            Sid:     pulumi.StringRef("AllowS3Read"),
            Effect:  pulumi.StringRef("Allow"),
            Actions: []string{"s3:GetObject", "s3:ListBucket"},
            // ListBucket is evaluated against the bucket ARN, GetObject against the object ARN.
            Resources: []string{
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*",
            },
            Conditions: []iam.GetPolicyDocumentStatementCondition{
                {
                    Test:     "StringEquals",
                    Variable: "aws:RequestedRegion",
                    Values:   []string{"us-east-1"},
                },
            },
        },
    },
}, nil)
if err != nil {
    return err
}

Merging policy documents:

base, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {Actions: []string{"ec2:Describe*"}, Resources: []string{"*"}},
    },
}, nil)
if err != nil {
    return err
}

// Statements from SourcePolicyDocuments and Statements are combined; a statement in
// OverridePolicyDocuments with the same non-blank Sid replaces the earlier one.
merged, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    SourcePolicyDocuments: []string{base.Json},
    Statements: []iam.GetPolicyDocumentStatement{
        {Actions: []string{"s3:GetObject"}, Resources: []string{"arn:aws:s3:::my-bucket/*"}},
    },
}, nil)
if err != nil {
    return err
}

Resource: Role

Provides an IAM role.

func NewRole(ctx *pulumi.Context,
    name string, args *RoleArgs, opts ...pulumi.ResourceOption) (*Role, error)

func GetRole(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *RoleState, opts ...pulumi.ResourceOption) (*Role, error)

RoleArgs

type RoleArgs struct {
    // Policy that grants an entity permission to assume the role. Required.
    // NOTE: Cannot use iam.Policy resource here; use iam.GetPolicyDocument instead.
    AssumeRolePolicy pulumi.Input

    // Description of the role.
    Description pulumi.StringPtrInput

    // Whether to force detaching policies before destroying. Defaults to false.
    ForceDetachPolicies pulumi.BoolPtrInput

    // Configuration blocks defining exclusive inline policies.
    // DEPRECATED: Use iam.NewRolePolicy + iam.NewRolePoliciesExclusive instead.
    InlinePolicies RoleInlinePolicyArrayInput

    // Exclusive set of managed policy ARNs to attach.
    // DEPRECATED: Use iam.NewRolePolicyAttachment + iam.NewRolePolicyAttachmentsExclusive instead.
    ManagedPolicyArns pulumi.StringArrayInput

    // Maximum session duration in seconds (3600-43200). Defaults to 3600 (1 hour).
    // Sessions obtained by role chaining (assuming this role with credentials of
    // another role) are capped at 1 hour regardless of this value.
    MaxSessionDuration pulumi.IntPtrInput

    // Friendly name of the role. Conflicts with NamePrefix.
    Name pulumi.StringPtrInput

    // Unique name prefix. Conflicts with Name.
    NamePrefix pulumi.StringPtrInput

    // Path to the role. Defaults to "/".
    Path pulumi.StringPtrInput

    // ARN of the permissions boundary policy.
    PermissionsBoundary pulumi.StringPtrInput

    // Key-value map of tags.
    Tags pulumi.StringMapInput
}

Role (Output Fields)

type Role struct {
    pulumi.CustomResourceState

    // ARN of the role.
    Arn pulumi.StringOutput `pulumi:"arn"`

    // Policy that grants permission to assume the role.
    AssumeRolePolicy pulumi.StringOutput `pulumi:"assumeRolePolicy"`

    // Creation date.
    CreateDate pulumi.StringOutput `pulumi:"createDate"`

    Description         pulumi.StringPtrOutput      `pulumi:"description"`
    ForceDetachPolicies pulumi.BoolPtrOutput         `pulumi:"forceDetachPolicies"`
    InlinePolicies      RoleInlinePolicyArrayOutput  `pulumi:"inlinePolicies"`
    ManagedPolicyArns   pulumi.StringArrayOutput     `pulumi:"managedPolicyArns"`
    MaxSessionDuration  pulumi.IntPtrOutput          `pulumi:"maxSessionDuration"`
    Name                pulumi.StringOutput          `pulumi:"name"`
    NamePrefix          pulumi.StringOutput          `pulumi:"namePrefix"`
    Path                pulumi.StringPtrOutput       `pulumi:"path"`
    PermissionsBoundary pulumi.StringPtrOutput       `pulumi:"permissionsBoundary"`
    Tags                pulumi.StringMapOutput       `pulumi:"tags"`
    TagsAll             pulumi.StringMapOutput       `pulumi:"tagsAll"`

    // Stable unique string identifying the role.
    UniqueId pulumi.StringOutput `pulumi:"uniqueId"`
}

Usage Example

assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {
            Effect: pulumi.StringRef("Allow"),
            Principals: []iam.GetPolicyDocumentStatementPrincipal{
                {Type: "Service", Identifiers: []string{"ec2.amazonaws.com"}},
            },
            Actions: []string{"sts:AssumeRole"},
        },
    },
}, nil)
if err != nil {
    return err
}

role, err := iam.NewRole(ctx, "myRole", &iam.RoleArgs{
    Name:               pulumi.String("my-role"),
    AssumeRolePolicy:   pulumi.String(assumeRole.Json),
    Description:        pulumi.String("Role for EC2 instances"),
    MaxSessionDuration: pulumi.Int(7200),
    Tags: pulumi.StringMap{
        "Environment": pulumi.String("prod"),
    },
})
if err != nil {
    return err
}
ctx.Export("roleArn", role.Arn)
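GetPolicyDocument renders exactly what it is given; it does not check that the result follows least privilege, and neither does NewRole when it accepts the AssumeRolePolicy. The following Go program is an added example written for this page, not part of the pulumi-aws SDK: it parses a rendered policy document of the shape GetPolicyDocument returns in .Json (whether it is headed for NewPolicy, NewRolePolicy or a role's AssumeRolePolicy) and reports the patterns a reviewer would question: wildcard actions, non-read-only actions on Resource "*" without a Condition, NotAction or NotResource inside an Allow, an anonymous principal without a Condition, and a Federated trust statement that does not pin both the aud and sub claims (an OIDC trust policy that pins only aud lets any workflow at that issuer assume the role). It uses only the standard library, so it runs without AWS credentials; the three sample documents, the account ID and the bucket name are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringList accepts a JSON string or an array: IAM renders a one-element list as a bare string.
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

type statement struct {
	Sid, Effect           string
	Action, NotAction     stringList
	Resource, NotResource stringList
	Principal             json.RawMessage // bare "*" or an object such as {"Service": "ec2.amazonaws.com"}
	Condition             map[string]map[string]stringList
}

// pinsClaims reports whether a Condition constrains both the aud and sub claims of a federated token.
func pinsClaims(cond map[string]map[string]stringList) bool {
	aud, sub := false, false
	for _, keys := range cond {
		for k := range keys { // e.g. token.actions.githubusercontent.com:sub
			aud = aud || strings.HasSuffix(k, ":aud")
			sub = sub || strings.HasSuffix(k, ":sub")
		}
	}
	return aud && sub
}

// Lint parses a rendered policy (the .Json of GetPolicyDocument) and returns findings for its Allow statements.
func Lint(doc string) ([]string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("policy is not valid JSON: %w", err)
	}
	var out []string
	for i, s := range p.Statement {
		name := fmt.Sprintf("statement[%d] %q", i, s.Sid)
		if s.Effect != "Allow" {
			continue // Deny statements only narrow access
		}
		if len(s.NotAction)+len(s.NotResource) > 0 {
			out = append(out, name+": NotAction/NotResource in an Allow grants everything not listed")
		}
		for _, a := range s.Action {
			if a == "*" || strings.HasSuffix(a, ":*") {
				out = append(out, fmt.Sprintf("%s: wildcard action %q", name, a))
			}
			// Describe/Get/List often have no resource-level permissions, so "*" is expected there.
			_, verb, _ := strings.Cut(a, ":")
			readOnly := strings.HasPrefix(verb, "Describe") || strings.HasPrefix(verb, "Get") || strings.HasPrefix(verb, "List")
			for _, r := range s.Resource {
				if r == "*" && !readOnly && len(s.Condition) == 0 {
					out = append(out, fmt.Sprintf("%s: %q on Resource \"*\" with no Condition", name, a))
				}
			}
		}
		var byType map[string]stringList
		_ = json.Unmarshal(s.Principal, &byType) // absent principal or bare "*": byType stays nil
		anon := string(s.Principal) == `"*"`
		for _, id := range byType["AWS"] {
			anon = anon || id == "*"
		}
		if anon && len(s.Condition) == 0 {
			out = append(out, name+": anonymous principal with no Condition")
		}
		if len(byType["Federated"]) > 0 && !pinsClaims(s.Condition) {
			out = append(out, name+": Federated principal does not pin the token's aud and sub claims")
		}
	}
	return out, nil
}

// Constructed sample documents in the shape GetPolicyDocument renders (placeholder account and bucket).
const (
	scopedS3      = `{"Version":"2012-10-17","Statement":[{"Sid":"AllowS3Read","Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::my-bucket","arn:aws:s3:::my-bucket/*"],"Condition":{"StringEquals":{"aws:RequestedRegion":"us-east-1"}}}]}`
	overBroad     = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}`
	unpinnedTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRoleWithWebIdentity","Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},"Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"}}}]}` // aud pinned, sub not: any GitHub workflow could assume the role
)

func main() {
	for _, doc := range []string{scopedS3, overBroad, unpinnedTrust} {
		fmt.Println(Lint(doc))
	}
}
```

Lint reports nothing for the scoped S3 document, two findings for the over-broad one (the wildcard action and the non-read-only action on Resource "*"), and one for the trust policy that pins aud but not sub. The read-only exemption is a heuristic: Describe, Get and List calls that do support resource-level permissions still deserve a narrower Resource, so treat the output as a review list rather than a verdict.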

Resource: RolePolicy (Inline)

Provides an IAM role inline policy.

func NewRolePolicy(ctx *pulumi.Context,
    name string, args *RolePolicyArgs, opts ...pulumi.ResourceOption) (*RolePolicy, error)

func GetRolePolicy(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *RolePolicyState, opts ...pulumi.ResourceOption) (*RolePolicy, error)

RolePolicyArgs

type RolePolicyArgs struct {
    // Name of the policy. If omitted, provider assigns random unique name.
    Name pulumi.StringPtrInput

    // Unique name prefix. Conflicts with Name.
    NamePrefix pulumi.StringPtrInput

    // Inline policy document as JSON string.
    Policy pulumi.StringInput

    // Name of the IAM role to attach the policy to.
    Role pulumi.StringInput
}

RolePolicy (Output Fields)

type RolePolicy struct {
    pulumi.CustomResourceState

    Name       pulumi.StringOutput `pulumi:"name"`
    NamePrefix pulumi.StringOutput `pulumi:"namePrefix"`
    Policy     pulumi.StringOutput `pulumi:"policy"`
    Role       pulumi.StringOutput `pulumi:"role"`
}

Resource: RolePolicyAttachment

Attaches a managed IAM policy to a role. Recommended over PolicyAttachment for role-specific attachments.

func NewRolePolicyAttachment(ctx *pulumi.Context,
    name string, args *RolePolicyAttachmentArgs, opts ...pulumi.ResourceOption) (*RolePolicyAttachment, error)

func GetRolePolicyAttachment(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *RolePolicyAttachmentState, opts ...pulumi.ResourceOption) (*RolePolicyAttachment, error)

RolePolicyAttachmentArgs

type RolePolicyAttachmentArgs struct {
    // ARN of the policy to attach.
    PolicyArn pulumi.StringInput

    // Name of the IAM role.
    Role pulumi.StringInput
}

RolePolicyAttachment (Output Fields)

type RolePolicyAttachment struct {
    pulumi.CustomResourceState

    PolicyArn pulumi.StringOutput `pulumi:"policyArn"`
    Role      pulumi.StringOutput `pulumi:"role"`
}

Usage Example

_, err = iam.NewRolePolicyAttachment(ctx, "attach", &iam.RolePolicyAttachmentArgs{
    Role:      role.Name,  // *iam.Role from the Role example
    PolicyArn: policy.Arn, // *iam.Policy from the Policy example below
})
if err != nil {
    return err
}

Resource: Policy

Provides an IAM managed policy.

func NewPolicy(ctx *pulumi.Context,
    name string, args *PolicyArgs, opts ...pulumi.ResourceOption) (*Policy, error)

func GetPolicy(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *PolicyState, opts ...pulumi.ResourceOption) (*Policy, error)

PolicyArgs

type PolicyArgs struct {
    // Number of ms to wait between creating the policy and setting its version as default.
    DelayAfterPolicyCreationInMs pulumi.IntPtrInput

    // Description of the IAM policy.
    Description pulumi.StringPtrInput

    // Name of the policy. Conflicts with NamePrefix.
    Name pulumi.StringPtrInput

    // Unique name prefix. Conflicts with Name.
    NamePrefix pulumi.StringPtrInput

    // Path in which to create the policy. Defaults to "/".
    Path pulumi.StringPtrInput

    // Policy document as JSON string. Use GetPolicyDocument to generate.
    Policy pulumi.StringInput

    // Key-value map of tags.
    Tags pulumi.StringMapInput
}

Policy (Output Fields)

type Policy struct {
    pulumi.CustomResourceState

    // ARN assigned by AWS.
    Arn pulumi.StringOutput `pulumi:"arn"`

    // Number of entities the policy is attached to.
    AttachmentCount              pulumi.IntOutput       `pulumi:"attachmentCount"`
    DelayAfterPolicyCreationInMs pulumi.IntPtrOutput    `pulumi:"delayAfterPolicyCreationInMs"`
    Description                  pulumi.StringPtrOutput `pulumi:"description"`
    Name                         pulumi.StringOutput    `pulumi:"name"`
    NamePrefix                   pulumi.StringOutput    `pulumi:"namePrefix"`
    Path                         pulumi.StringPtrOutput `pulumi:"path"`
    Policy                       pulumi.StringOutput    `pulumi:"policy"`

    // Policy's ID.
    PolicyId pulumi.StringOutput    `pulumi:"policyId"`
    Tags     pulumi.StringMapOutput `pulumi:"tags"`
    TagsAll  pulumi.StringMapOutput `pulumi:"tagsAll"`
}

Usage Example

policyDoc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {
            Effect:    pulumi.StringRef("Allow"),
            Actions:   []string{"s3:GetObject", "s3:PutObject"},
            Resources: []string{"arn:aws:s3:::my-bucket/*"},
        },
    },
}, nil)
if err != nil {
    return err
}

policy, err := iam.NewPolicy(ctx, "myPolicy", &iam.PolicyArgs{
    Name:        pulumi.String("my-s3-policy"),
    Description: pulumi.String("S3 read/write access"),
    Policy:      pulumi.String(policyDoc.Json),
})
if err != nil {
    return err
}

Resource: PolicyAttachment

Attaches a managed IAM policy to users, roles, and/or groups exclusively (all attachments for the policy must be declared in a single resource).

WARNING: PolicyAttachment creates exclusive attachments. All users/roles/groups with this policy across the entire account must be declared in one PolicyAttachment. Use RolePolicyAttachment, UserPolicyAttachment, or GroupPolicyAttachment for non-exclusive attachments.

func NewPolicyAttachment(ctx *pulumi.Context,
    name string, args *PolicyAttachmentArgs, opts ...pulumi.ResourceOption) (*PolicyAttachment, error)

func GetPolicyAttachment(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *PolicyAttachmentState, opts ...pulumi.ResourceOption) (*PolicyAttachment, error)

PolicyAttachmentArgs

type PolicyAttachmentArgs struct {
    // Group names the policy should be applied to.
    Groups pulumi.StringArrayInput

    // Name of the attachment. Cannot be empty.
    Name pulumi.StringInput

    // ARN of the policy to apply.
    PolicyArn pulumi.StringInput

    // Role names the policy should be applied to.
    Roles pulumi.StringArrayInput

    // User names the policy should be applied to.
    Users pulumi.StringArrayInput
}

PolicyAttachment (Output Fields)

type PolicyAttachment struct {
    pulumi.CustomResourceState

    Groups    pulumi.StringArrayOutput `pulumi:"groups"`
    Name      pulumi.StringOutput      `pulumi:"name"`
    PolicyArn pulumi.StringOutput      `pulumi:"policyArn"`
    Roles     pulumi.StringArrayOutput `pulumi:"roles"`
    Users     pulumi.StringArrayOutput `pulumi:"users"`
}

Resource: User

Provides an IAM user.

func NewUser(ctx *pulumi.Context,
    name string, args *UserArgs, opts ...pulumi.ResourceOption) (*User, error)

func GetUser(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *UserState, opts ...pulumi.ResourceOption) (*User, error)

UserArgs

type UserArgs struct {
    // When destroying, destroy even if user has non-provider-managed access keys, login
    // profile, or MFA devices.
    ForceDestroy pulumi.BoolPtrInput

    // User's name. Alphanumeric + =,.@-_. Case insensitive.
    Name pulumi.StringPtrInput

    // Path in which to create the user.
    Path pulumi.StringPtrInput

    // ARN of the permissions boundary policy.
    PermissionsBoundary pulumi.StringPtrInput

    // Key-value map of tags.
    Tags pulumi.StringMapInput
}

User (Output Fields)

type User struct {
    pulumi.CustomResourceState

    // ARN assigned by AWS.
    Arn                 pulumi.StringOutput    `pulumi:"arn"`
    ForceDestroy        pulumi.BoolPtrOutput   `pulumi:"forceDestroy"`
    Name                pulumi.StringOutput    `pulumi:"name"`
    Path                pulumi.StringPtrOutput `pulumi:"path"`
    PermissionsBoundary pulumi.StringPtrOutput `pulumi:"permissionsBoundary"`
    Tags                pulumi.StringMapOutput `pulumi:"tags"`
    TagsAll             pulumi.StringMapOutput `pulumi:"tagsAll"`

    // Unique ID assigned by AWS.
    UniqueId pulumi.StringOutput `pulumi:"uniqueId"`
}

Resource: UserPolicy (Inline)

Provides an IAM policy attached directly to a user.

func NewUserPolicy(ctx *pulumi.Context,
    name string, args *UserPolicyArgs, opts ...pulumi.ResourceOption) (*UserPolicy, error)

func GetUserPolicy(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *UserPolicyState, opts ...pulumi.ResourceOption) (*UserPolicy, error)

UserPolicyArgs

type UserPolicyArgs struct {
    // Name of the policy. If omitted, provider assigns random unique name.
    Name pulumi.StringPtrInput

    // Unique name prefix. Conflicts with Name.
    NamePrefix pulumi.StringPtrInput

    // Policy document as JSON string.
    Policy pulumi.StringInput

    // IAM user to attach this policy to.
    User pulumi.StringInput
}

UserPolicy (Output Fields)

type UserPolicy struct {
    pulumi.CustomResourceState

    Name       pulumi.StringOutput `pulumi:"name"`
    NamePrefix pulumi.StringOutput `pulumi:"namePrefix"`
    Policy     pulumi.StringOutput `pulumi:"policy"`
    User       pulumi.StringOutput `pulumi:"user"`
}

Resource: UserPolicyAttachment

Attaches a managed IAM policy to a user (non-exclusive).

func NewUserPolicyAttachment(ctx *pulumi.Context,
    name string, args *UserPolicyAttachmentArgs, opts ...pulumi.ResourceOption) (*UserPolicyAttachment, error)

func GetUserPolicyAttachment(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *UserPolicyAttachmentState, opts ...pulumi.ResourceOption) (*UserPolicyAttachment, error)

UserPolicyAttachmentArgs

type UserPolicyAttachmentArgs struct {
    // ARN of the policy to attach.
    PolicyArn pulumi.StringInput

    // IAM user the policy should be applied to.
    User pulumi.StringInput
}

UserPolicyAttachment (Output Fields)

type UserPolicyAttachment struct {
    pulumi.CustomResourceState

    PolicyArn pulumi.StringOutput `pulumi:"policyArn"`
    User      pulumi.StringOutput `pulumi:"user"`
}

Resource: UserLoginProfile

Manages an IAM User login profile (console access with password).

func NewUserLoginProfile(ctx *pulumi.Context,
    name string, args *UserLoginProfileArgs, opts ...pulumi.ResourceOption) (*UserLoginProfile, error)

func GetUserLoginProfile(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *UserLoginProfileState, opts ...pulumi.ResourceOption) (*UserLoginProfile, error)

UserLoginProfileArgs

type UserLoginProfileArgs struct {
    // Length of generated password. Default 20.
    PasswordLength pulumi.IntPtrInput

    // Whether user must reset password on first login.
    PasswordResetRequired pulumi.BoolPtrInput

    // Base-64 encoded PGP public key or keybase username (keybase:username).
    PgpKey pulumi.StringPtrInput

    // IAM user's name.
    User pulumi.StringInput
}

UserLoginProfile (Output Fields)

type UserLoginProfile struct {
    pulumi.CustomResourceState

    // Encrypted password (base64 encoded) if pgpKey was specified.
    EncryptedPassword     pulumi.StringOutput    `pulumi:"encryptedPassword"`
    KeyFingerprint        pulumi.StringOutput    `pulumi:"keyFingerprint"`

    // Plain text password when PgpKey is not provided. It is recorded in the stack
    // state; supply PgpKey so only EncryptedPassword is stored.
    Password              pulumi.StringOutput    `pulumi:"password"`
    PasswordLength        pulumi.IntPtrOutput    `pulumi:"passwordLength"`
    PasswordResetRequired pulumi.BoolOutput      `pulumi:"passwordResetRequired"`
    PgpKey                pulumi.StringPtrOutput `pulumi:"pgpKey"`
    User                  pulumi.StringOutput    `pulumi:"user"`
}

Resource: Group

Provides an IAM group.

func NewGroup(ctx *pulumi.Context,
    name string, args *GroupArgs, opts ...pulumi.ResourceOption) (*Group, error)

func GetGroup(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *GroupState, opts ...pulumi.ResourceOption) (*Group, error)

GroupArgs

type GroupArgs struct {
    // Group name. Alphanumeric + =,.@-_. Case insensitive.
    Name pulumi.StringPtrInput

    // Path in which to create the group.
    Path pulumi.StringPtrInput
}

Group (Output Fields)

type Group struct {
    pulumi.CustomResourceState

    // ARN assigned by AWS.
    Arn      pulumi.StringOutput    `pulumi:"arn"`
    Name     pulumi.StringOutput    `pulumi:"name"`
    Path     pulumi.StringPtrOutput `pulumi:"path"`

    // Unique ID assigned by AWS.
    UniqueId pulumi.StringOutput    `pulumi:"uniqueId"`
}

Resource: GroupMembership

Provides exclusive management of IAM group membership. All users in the group must be declared in a single resource.

NOTE: Use UserGroupMembership for non-exclusive membership management.

func NewGroupMembership(ctx *pulumi.Context,
    name string, args *GroupMembershipArgs, opts ...pulumi.ResourceOption) (*GroupMembership, error)

func GetGroupMembership(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *GroupMembershipState, opts ...pulumi.ResourceOption) (*GroupMembership, error)

GroupMembershipArgs

type GroupMembershipArgs struct {
    // IAM group name to attach users to.
    Group pulumi.StringInput

    // Name to identify the group membership resource.
    Name pulumi.StringInput

    // List of IAM user names to associate with the group.
    Users pulumi.StringArrayInput
}

GroupMembership (Output Fields)

type GroupMembership struct {
    pulumi.CustomResourceState

    Group pulumi.StringOutput      `pulumi:"group"`
    Name  pulumi.StringOutput      `pulumi:"name"`
    Users pulumi.StringArrayOutput `pulumi:"users"`
}

Resource: GroupPolicy (Inline)

Provides an IAM inline policy attached to a group.

func NewGroupPolicy(ctx *pulumi.Context,
    name string, args *GroupPolicyArgs, opts ...pulumi.ResourceOption) (*GroupPolicy, error)

func GetGroupPolicy(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *GroupPolicyState, opts ...pulumi.ResourceOption) (*GroupPolicy, error)

GroupPolicyArgs

type GroupPolicyArgs struct {
    // IAM group to attach the policy to.
    Group pulumi.StringInput

    // Name of the policy. If omitted, provider assigns random name.
    Name pulumi.StringPtrInput

    // Unique name prefix. Conflicts with Name.
    NamePrefix pulumi.StringPtrInput

    // Policy document as JSON string.
    Policy pulumi.StringInput
}

GroupPolicy (Output Fields)

type GroupPolicy struct {
    pulumi.CustomResourceState

    Group      pulumi.StringOutput `pulumi:"group"`
    Name       pulumi.StringOutput `pulumi:"name"`
    NamePrefix pulumi.StringOutput `pulumi:"namePrefix"`
    Policy     pulumi.StringOutput `pulumi:"policy"`
}

Resource: GroupPolicyAttachment

Attaches a managed IAM policy to a group (non-exclusive).

func NewGroupPolicyAttachment(ctx *pulumi.Context,
    name string, args *GroupPolicyAttachmentArgs, opts ...pulumi.ResourceOption) (*GroupPolicyAttachment, error)

func GetGroupPolicyAttachment(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *GroupPolicyAttachmentState, opts ...pulumi.ResourceOption) (*GroupPolicyAttachment, error)

GroupPolicyAttachmentArgs

type GroupPolicyAttachmentArgs struct {
    // IAM group the policy should be applied to.
    Group pulumi.StringInput

    // ARN of the policy to attach.
    PolicyArn pulumi.StringInput
}

GroupPolicyAttachment (Output Fields)

type GroupPolicyAttachment struct {
    pulumi.CustomResourceState

    Group     pulumi.StringOutput `pulumi:"group"`
    PolicyArn pulumi.StringOutput `pulumi:"policyArn"`
}

Resource: InstanceProfile

Provides an IAM instance profile for EC2 instances.

func NewInstanceProfile(ctx *pulumi.Context,
    name string, args *InstanceProfileArgs, opts ...pulumi.ResourceOption) (*InstanceProfile, error)

func GetInstanceProfile(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *InstanceProfileState, opts ...pulumi.ResourceOption) (*InstanceProfile, error)

InstanceProfileArgs

type InstanceProfileArgs struct {
    // Name of the instance profile. Conflicts with NamePrefix.
    // Must be unique regardless of path or role.
    Name pulumi.StringPtrInput

    // Unique name prefix. Conflicts with Name.
    NamePrefix pulumi.StringPtrInput

    // Path to the instance profile.
    Path pulumi.StringPtrInput

    // Name of the role to add to the profile.
    Role pulumi.StringPtrInput

    // Key-value map of tags.
    Tags pulumi.StringMapInput
}

InstanceProfile (Output Fields)

type InstanceProfile struct {
    pulumi.CustomResourceState

    // ARN assigned by AWS.
    Arn        pulumi.StringOutput    `pulumi:"arn"`
    CreateDate pulumi.StringOutput    `pulumi:"createDate"`
    Name       pulumi.StringOutput    `pulumi:"name"`
    NamePrefix pulumi.StringOutput    `pulumi:"namePrefix"`
    Path       pulumi.StringPtrOutput `pulumi:"path"`
    Role       pulumi.StringPtrOutput `pulumi:"role"`
    Tags       pulumi.StringMapOutput `pulumi:"tags"`
    TagsAll    pulumi.StringMapOutput `pulumi:"tagsAll"`

    // Unique ID assigned by AWS.
    UniqueId pulumi.StringOutput `pulumi:"uniqueId"`
}

Usage Example

role, err := iam.NewRole(ctx, "ec2Role", &iam.RoleArgs{
    Name:             pulumi.String("ec2-role"),
    AssumeRolePolicy: pulumi.String(assumeRole.Json), // trust policy from the GetPolicyDocument example
})
if err != nil {
    return err
}

profile, err := iam.NewInstanceProfile(ctx, "ec2Profile", &iam.InstanceProfileArgs{
    Name: pulumi.String("ec2-profile"),
    Role: role.Name,
})
if err != nil {
    return err
}
// Use profile.Arn with the EC2 instance iamInstanceProfile argument

Resource: AccessKey

Provides an IAM access key for a user (programmatic access credentials).

func NewAccessKey(ctx *pulumi.Context,
    name string, args *AccessKeyArgs, opts ...pulumi.ResourceOption) (*AccessKey, error)

func GetAccessKey(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *AccessKeyState, opts ...pulumi.ResourceOption) (*AccessKey, error)

AccessKeyArgs

type AccessKeyArgs struct {
    // Base-64 encoded PGP public key or keybase username (keybase:username).
    // Encrypts the secret to prevent plaintext in state.
    PgpKey pulumi.StringPtrInput

    // Access key status. Valid: "Active", "Inactive". Defaults to "Active".
    Status pulumi.StringPtrInput

    // IAM user to associate with this access key.
    User pulumi.StringInput
}

AccessKey (Output Fields)

type AccessKey struct {
    pulumi.CustomResourceState

    CreateDate pulumi.StringOutput    `pulumi:"createDate"`

    // Encrypted secret (base64) if pgpKey was specified. Not available for imported resources.
    EncryptedSecret pulumi.StringOutput `pulumi:"encryptedSecret"`

    // Encrypted SES SMTP password (base64) if pgpKey was specified.
    EncryptedSesSmtpPasswordV4 pulumi.StringOutput `pulumi:"encryptedSesSmtpPasswordV4"`

    KeyFingerprint pulumi.StringOutput    `pulumi:"keyFingerprint"`
    PgpKey         pulumi.StringPtrOutput `pulumi:"pgpKey"`

    // Plain-text secret. Not available for imported resources. Stored in state (Pulumi treats it as a
    // secret output and encrypts it there, but the plaintext still exists in state and in stack outputs);
    // set PgpKey so that only the PGP-encrypted form is ever recorded.
    Secret pulumi.StringOutput `pulumi:"secret"`

    // SES SMTP password converted via AWS SigV4 algorithm.
    SesSmtpPasswordV4 pulumi.StringOutput    `pulumi:"sesSmtpPasswordV4"`
    Status            pulumi.StringPtrOutput `pulumi:"status"`
    User              pulumi.StringOutput    `pulumi:"user"`
}

Resource: OpenIdConnectProvider

Provides an IAM OpenID Connect (OIDC) provider for federation with external identity providers (GitHub Actions, EKS IRSA, etc.).

func NewOpenIdConnectProvider(ctx *pulumi.Context,
    name string, args *OpenIdConnectProviderArgs, opts ...pulumi.ResourceOption) (*OpenIdConnectProvider, error)

func GetOpenIdConnectProvider(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *OpenIdConnectProviderState, opts ...pulumi.ResourceOption) (*OpenIdConnectProvider, error)

OpenIdConnectProviderArgs

type OpenIdConnectProviderArgs struct {
    // List of client IDs (audiences). The value sent as clientId in OAuth requests.
    ClientIdLists pulumi.StringArrayInput

    // Key-value map of tags.
    Tags pulumi.StringMapInput

    // List of server certificate thumbprints. Optional for providers using a root CA trusted by AWS.
    ThumbprintLists pulumi.StringArrayInput

    // URL of the identity provider (corresponds to the iss claim).
    Url pulumi.StringInput
}

OpenIdConnectProvider (Output Fields)

type OpenIdConnectProvider struct {
    pulumi.CustomResourceState

    // ARN assigned by AWS.
    Arn             pulumi.StringOutput      `pulumi:"arn"`
    ClientIdLists   pulumi.StringArrayOutput `pulumi:"clientIdLists"`
    Tags            pulumi.StringMapOutput   `pulumi:"tags"`
    TagsAll         pulumi.StringMapOutput   `pulumi:"tagsAll"`
    ThumbprintLists pulumi.StringArrayOutput `pulumi:"thumbprintLists"`
    Url             pulumi.StringOutput      `pulumi:"url"`
}

Usage Example (EKS IRSA)

// eksCluster is an *eks.Cluster; import "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/eks".
oidcProvider, err := iam.NewOpenIdConnectProvider(ctx, "eks", &iam.OpenIdConnectProviderArgs{
    // The cluster's OIDC issuer URL is the iss claim of projected service account tokens.
    Url: eksCluster.Identities.ApplyT(func(ids []eks.ClusterIdentity) string {
        return ids[0].Oidcs[0].Issuer
    }).(pulumi.StringOutput),
    // Audience the tokens are issued for and that STS accepts.
    ClientIdLists: pulumi.StringArray{pulumi.String("sts.amazonaws.com")},
    // CA thumbprint commonly used for EKS OIDC issuers. Optional in current provider
    // versions, because AWS trusts that root CA directly (see ThumbprintLists above).
    ThumbprintLists: pulumi.StringArray{pulumi.String("9e99a48a9960b14926bb7f3b02e22da2b0ab7280")},
})
if err != nil {
    return err
}
// IRSA roles then trust oidcProvider.Arn for sts:AssumeRoleWithWebIdentity, conditioned
// on the "<issuer host>:sub" claim, which has the form system:serviceaccount:<namespace>:<name>.
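
The IRSA example pins the provider's certificate thumbprint, which AWS documents as the SHA-1 digest of the DER encoding of the top intermediate CA certificate in the chain the issuer's HTTPS endpoint presents. The following Go program is an added example (not part of the Pulumi SDK or of this page's original code) that computes that value from PEM input and hashes every certificate in a captured chain so you can pick the right one. The function names are the example's own, and the certificate it hashes is a self-signed stand-in generated at runtime, so the printed value is not any real provider's thumbprint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ThumbprintFromPEM returns the value AWS expects in ThumbprintLists: the
// lowercase hex SHA-1 digest of the DER-encoded certificate. AWS documents this
// as the digest of the top intermediate CA certificate in the chain the
// provider's HTTPS endpoint presents, not of the leaf certificate.
func ThumbprintFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("input is not a PEM CERTIFICATE block")
	}
	// Parse before hashing so a corrupted file fails instead of yielding a
	// plausible-looking digest of garbage.
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse certificate: %w", err)
	}
	sum := sha1.Sum(cert.Raw)
	return hex.EncodeToString(sum[:]), nil
}

// ThumbprintsFromChain hashes every certificate in a PEM bundle, in order, so
// the caller can pick the top intermediate. In `openssl s_client -showcerts`
// output the leaf comes first and its issuers follow.
func ThumbprintsFromChain(bundle []byte) ([]string, error) {
	var out []string
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			tp, err := ThumbprintFromPEM(pem.EncodeToMemory(block))
			if err != nil {
				return nil, err
			}
			out = append(out, tp)
		}
		bundle = rest
	}
	if len(out) == 0 {
		return nil, errors.New("no CERTIFICATE blocks in bundle")
	}
	return out, nil
}

// NewTestCertPEM generates a throwaway self-signed CA certificate so the
// example runs offline. It stands in for an identity provider's CA and is
// not a real one; its thumbprint changes on every run.
func NewTestCertPEM(cn string) (pemBytes, der []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), der, nil
}

func main() {
	pemBytes, _, err := NewTestCertPEM("example-idp-ca")
	if err != nil {
		panic(err)
	}
	tp, err := ThumbprintFromPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Println("ThumbprintLists value:", tp)
}
```

To use it against a real provider, capture the chain with `openssl s_client -showcerts -connect <issuer host>:443 </dev/null`, feed the PEM output to ThumbprintsFromChain, and take the entry for the certificate directly below the root. SHA-1 here is a fingerprint chosen by AWS for identification, not a security primitive you get to pick; where the provider's CA is one AWS already trusts, omitting ThumbprintLists avoids having to re-pin when the IdP rotates its chain.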

Resource: SamlProvider

Provides an IAM SAML 2.0 identity provider.

func NewSamlProvider(ctx *pulumi.Context,
    name string, args *SamlProviderArgs, opts ...pulumi.ResourceOption) (*SamlProvider, error)

func GetSamlProvider(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *SamlProviderState, opts ...pulumi.ResourceOption) (*SamlProvider, error)

SamlProviderArgs

type SamlProviderArgs struct {
    // Name of the provider.
    Name pulumi.StringPtrInput

    // XML document from an identity provider that supports SAML 2.0.
    SamlMetadataDocument pulumi.StringInput

    // Key-value map of tags.
    Tags pulumi.StringMapInput
}

SamlProvider (Output Fields)

type SamlProvider struct {
    pulumi.CustomResourceState

    // ARN assigned by AWS.
    Arn                  pulumi.StringOutput    `pulumi:"arn"`
    Name                 pulumi.StringOutput    `pulumi:"name"`
    SamlMetadataDocument pulumi.StringOutput    `pulumi:"samlMetadataDocument"`
    SamlProviderUuid     pulumi.StringOutput    `pulumi:"samlProviderUuid"`
    Tags                 pulumi.StringMapOutput `pulumi:"tags"`
    TagsAll              pulumi.StringMapOutput `pulumi:"tagsAll"`

    // Expiration date and time in RFC1123 format.
    ValidUntil pulumi.StringOutput `pulumi:"validUntil"`
}

Resource: ServiceLinkedRole

Provides an IAM service-linked role (managed by AWS for specific services).

func NewServiceLinkedRole(ctx *pulumi.Context,
    name string, args *ServiceLinkedRoleArgs, opts ...pulumi.ResourceOption) (*ServiceLinkedRole, error)

func GetServiceLinkedRole(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *ServiceLinkedRoleState, opts ...pulumi.ResourceOption) (*ServiceLinkedRole, error)

ServiceLinkedRoleArgs

type ServiceLinkedRoleArgs struct {
    // AWS service DNS name. E.g. "elasticbeanstalk.amazonaws.com".
    AwsServiceName pulumi.StringInput

    // Optional suffix appended to the role name. Not all services support this.
    CustomSuffix pulumi.StringPtrInput

    // Description of the role.
    Description pulumi.StringPtrInput

    // Key-value map of tags.
    Tags pulumi.StringMapInput
}

ServiceLinkedRole (Output Fields)

type ServiceLinkedRole struct {
    pulumi.CustomResourceState

    // ARN of the role.
    Arn            pulumi.StringOutput    `pulumi:"arn"`
    AwsServiceName pulumi.StringOutput    `pulumi:"awsServiceName"`
    CreateDate     pulumi.StringOutput    `pulumi:"createDate"`
    CustomSuffix   pulumi.StringPtrOutput `pulumi:"customSuffix"`
    Description    pulumi.StringPtrOutput `pulumi:"description"`
    Name           pulumi.StringOutput    `pulumi:"name"`
    Path           pulumi.StringOutput    `pulumi:"path"`
    Tags           pulumi.StringMapOutput `pulumi:"tags"`
    TagsAll        pulumi.StringMapOutput `pulumi:"tagsAll"`

    // Stable unique string identifying the role.
    UniqueId pulumi.StringOutput `pulumi:"uniqueId"`
}

Usage Example

_, err := iam.NewServiceLinkedRole(ctx, "elasticbeanstalk", &iam.ServiceLinkedRoleArgs{
    AwsServiceName: pulumi.String("elasticbeanstalk.amazonaws.com"),
})

Resource: AccountPasswordPolicy

Manages the AWS account IAM password policy. Only one policy is allowed per account.

func NewAccountPasswordPolicy(ctx *pulumi.Context,
    name string, args *AccountPasswordPolicyArgs, opts ...pulumi.ResourceOption) (*AccountPasswordPolicy, error)

func GetAccountPasswordPolicy(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *AccountPasswordPolicyState, opts ...pulumi.ResourceOption) (*AccountPasswordPolicy, error)

AccountPasswordPolicyArgs

type AccountPasswordPolicyArgs struct {
    // Whether users can change their own password.
    AllowUsersToChangePassword pulumi.BoolPtrInput

    // Whether administrator reset is required after password expiry.
    HardExpiry pulumi.BoolPtrInput

    // Number of days a password is valid.
    MaxPasswordAge pulumi.IntPtrInput

    // Minimum password length.
    MinimumPasswordLength pulumi.IntPtrInput

    // Number of previous passwords users cannot reuse.
    PasswordReusePrevention pulumi.IntPtrInput

    // Require lowercase characters.
    RequireLowercaseCharacters pulumi.BoolPtrInput

    // Require numbers.
    RequireNumbers pulumi.BoolPtrInput

    // Require symbols.
    RequireSymbols pulumi.BoolPtrInput

    // Require uppercase characters.
    RequireUppercaseCharacters pulumi.BoolPtrInput
}

AccountPasswordPolicy (Output Fields)

type AccountPasswordPolicy struct {
    pulumi.CustomResourceState

    AllowUsersToChangePassword pulumi.BoolPtrOutput `pulumi:"allowUsersToChangePassword"`

    // True if MaxPasswordAge > 0.
    ExpirePasswords            pulumi.BoolOutput    `pulumi:"expirePasswords"`
    HardExpiry                 pulumi.BoolOutput    `pulumi:"hardExpiry"`
    MaxPasswordAge             pulumi.IntOutput     `pulumi:"maxPasswordAge"`
    MinimumPasswordLength      pulumi.IntPtrOutput  `pulumi:"minimumPasswordLength"`
    PasswordReusePrevention    pulumi.IntOutput     `pulumi:"passwordReusePrevention"`
    RequireLowercaseCharacters pulumi.BoolOutput    `pulumi:"requireLowercaseCharacters"`
    RequireNumbers             pulumi.BoolOutput    `pulumi:"requireNumbers"`
    RequireSymbols             pulumi.BoolOutput    `pulumi:"requireSymbols"`
    RequireUppercaseCharacters pulumi.BoolOutput    `pulumi:"requireUppercaseCharacters"`
}

Common Patterns

Pattern 1: Role with Managed Policy

import (
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// 1. Trust policy: only the Lambda service principal may assume the role.
assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {
            Effect: pulumi.StringRef("Allow"),
            Principals: []iam.GetPolicyDocumentStatementPrincipal{
                {Type: "Service", Identifiers: []string{"lambda.amazonaws.com"}},
            },
            Actions: []string{"sts:AssumeRole"},
        },
    },
}, nil)
if err != nil {
    return err
}

// 2. Create role
role, err := iam.NewRole(ctx, "lambdaRole", &iam.RoleArgs{
    Name:             pulumi.String("lambda-execution-role"),
    AssumeRolePolicy: pulumi.String(assumeRole.Json),
})
if err != nil {
    return err
}

// 3. Attach the AWS managed policy (CloudWatch Logs write permissions only;
//    add further policies per function rather than broadening this one).
_, err = iam.NewRolePolicyAttachment(ctx, "basicExecution", &iam.RolePolicyAttachmentArgs{
    Role:      role.Name,
    PolicyArn: pulumi.String("arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"),
})
if err != nil {
    return err
}

Pattern 2: EC2 Instance Profile

assumeRole, _ := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {
            Effect: pulumi.StringRef("Allow"),
            Principals: []iam.GetPolicyDocumentStatementPrincipal{
                {Type: "Service", Identifiers: []string{"ec2.amazonaws.com"}},
            },
            Actions: []string{"sts:AssumeRole"},
        },
    },
}, nil)

role, _ := iam.NewRole(ctx, "ec2Role", &iam.RoleArgs{
    Name:             pulumi.String("ec2-role"),
    AssumeRolePolicy: pulumi.String(assumeRole.Json),
})

profile, _ := iam.NewInstanceProfile(ctx, "ec2Profile", &iam.InstanceProfileArgs{
    Name: pulumi.String("ec2-profile"),
    Role: role.Name,
})
// ec2.Instance's IamInstanceProfile argument takes the profile name; the instance
// then receives short-lived role credentials from the instance metadata service.
ctx.Export("instanceProfileName", profile.Name)

Pattern 3: User with Programmatic Access

// Long-lived user access keys are the fallback for workloads that cannot use a
// role (Patterns 1, 2 and 4). Scope their policy tightly and rotate them.
user, _ := iam.NewUser(ctx, "svcUser", &iam.UserArgs{
    Name: pulumi.String("my-service-user"),
    Path: pulumi.String("/services/"),
})

// With PgpKey set, only the PGP-encrypted secret is recorded in state; decrypt
// it with the matching private key (base64-decode, then PGP-decrypt).
accessKey, _ := iam.NewAccessKey(ctx, "svcUserKey", &iam.AccessKeyArgs{
    User:   user.Name,
    PgpKey: pulumi.String("keybase:my_keybase_username"),
})
ctx.Export("accessKeyId", accessKey.ID())
ctx.Export("encryptedSecret", accessKey.EncryptedSecret)

policyDoc, _ := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
        {
            Effect:    pulumi.StringRef("Allow"),
            Actions:   []string{"s3:GetObject"},
            Resources: []string{"arn:aws:s3:::my-bucket/*"},
        },
    },
}, nil)

policy, _ := iam.NewPolicy(ctx, "svcPolicy", &iam.PolicyArgs{
    Name:   pulumi.String("svc-s3-policy"),
    Policy: pulumi.String(policyDoc.Json),
})

_, _ = iam.NewUserPolicyAttachment(ctx, "svcAttach", &iam.UserPolicyAttachmentArgs{
    User:      user.Name,
    PolicyArn: policy.Arn,
})

Pattern 4: OIDC Provider for GitHub Actions

oidcProvider, err := iam.NewOpenIdConnectProvider(ctx, "github", &iam.OpenIdConnectProviderArgs{
    Url:             pulumi.String("https://token.actions.githubusercontent.com"),
    ClientIdLists:   pulumi.StringArray{pulumi.String("sts.amazonaws.com")},
    ThumbprintLists: pulumi.StringArray{pulumi.String("6938fd4d98bab03faadb97b34396831e3780aea1")},
})
if err != nil {
    return err
}

// The provider ARN is an Output, so the trust policy must be built with the Output
// form of the invoke (GetPolicyDocumentOutput); the plain GetPolicyDocument takes
// only []string for Identifiers and cannot consume oidcProvider.Arn.
trustPolicy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
    Statements: iam.GetPolicyDocumentStatementArray{
        &iam.GetPolicyDocumentStatementArgs{
            Effect: pulumi.String("Allow"),
            Principals: iam.GetPolicyDocumentStatementPrincipalArray{
                &iam.GetPolicyDocumentStatementPrincipalArgs{
                    Type:        pulumi.String("Federated"),
                    Identifiers: pulumi.StringArray{oidcProvider.Arn},
                },
            },
            Actions: pulumi.StringArray{pulumi.String("sts:AssumeRoleWithWebIdentity")},
            Conditions: iam.GetPolicyDocumentStatementConditionArray{
                // Pin the audience the token was minted for.
                &iam.GetPolicyDocumentStatementConditionArgs{
                    Test:     pulumi.String("StringEquals"),
                    Variable: pulumi.String("token.actions.githubusercontent.com:aud"),
                    Values:   pulumi.StringArray{pulumi.String("sts.amazonaws.com")},
                },
                // Pin the subject. The provider URL is shared by every GitHub repository,
                // so without this condition any repository could assume the role.
                // "repo:my-org/my-repo:*" admits every branch, tag, PR and environment of
                // the repository; for a deploy role prefer one ref, e.g.
                // "repo:my-org/my-repo:ref:refs/heads/main".
                &iam.GetPolicyDocumentStatementConditionArgs{
                    Test:     pulumi.String("StringLike"),
                    Variable: pulumi.String("token.actions.githubusercontent.com:sub"),
                    Values:   pulumi.StringArray{pulumi.String("repo:my-org/my-repo:*")},
                },
            },
        },
    },
})

_, err = iam.NewRole(ctx, "githubActionsRole", &iam.RoleArgs{
    Name:             pulumi.String("github-actions-deploy"),
    AssumeRolePolicy: trustPolicy.Json(),
})
if err != nil {
    return err
}
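
Patterns 3 and 4 both come down to the JSON that GetPolicyDocument emits: a permissions policy scoped to one S3 prefix, and a trust policy whose aud and sub conditions decide who may assume the role. The following Go program is an added example (not part of the Pulumi SDK or of this page's original code) that parses such documents and reports the two classic over-grants: an Allow of Action "*" on Resource "*", and an sts:AssumeRoleWithWebIdentity statement with no :sub condition or a wildcard one. The function names are the example's own, and the sample documents, account ID and repository are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringSet accepts the two shapes IAM allows: a single string or an array.
type stringSet []string

func (s *stringSet) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringSet{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

func (s stringSet) has(want string) bool {
	for _, v := range s {
		if v == want {
			return true
		}
	}
	return false
}

// statement models only the fields the linter inspects; Statement is assumed
// to be an array, which is what GetPolicyDocument always emits.
type statement struct {
	Effect    string                          `json:"Effect"`
	Action    stringSet                       `json:"Action"`
	Resource  stringSet                       `json:"Resource"`
	Condition map[string]map[string]stringSet `json:"Condition"`
}

// LintPolicy returns one finding per over-broad grant: an Allow of Action "*" on
// Resource "*", and a web-identity trust statement that does not pin both the token
// audience (:aud) and subject (:sub). AWS checks :aud against the provider's
// ClientIdLists anyway, but without :sub every identity the provider issues tokens
// for (for GitHub, every repository) can assume the role.
func LintPolicy(doc string) ([]string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("policy is not valid JSON: %w", err)
	}
	var out []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		if st.Action.has("*") && st.Resource.has("*") {
			out = append(out, fmt.Sprintf("statement %d: Action \"*\" on Resource \"*\" is full administrative access", i))
		}
		if !st.Action.has("sts:AssumeRoleWithWebIdentity") {
			continue
		}
		var aud, sub bool
		for op, vars := range st.Condition {
			for name, vals := range vars {
				if strings.HasSuffix(name, ":aud") {
					aud = true
				}
				if strings.HasSuffix(name, ":sub") {
					sub = true
					if vals.has("*") || vals.has("repo:*") {
						out = append(out, fmt.Sprintf("statement %d: %s on %s matches every repository", i, op, name))
					}
				}
			}
		}
		if !aud {
			out = append(out, fmt.Sprintf("statement %d: no :aud condition pinning the token audience", i))
		}
		if !sub {
			out = append(out, fmt.Sprintf("statement %d: no :sub condition; any identity from this provider can assume the role", i))
		}
	}
	return out, nil
}

// Constructed sample documents; the account ID and repository are placeholders.
const (
	GoodTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRoleWithWebIdentity",
	 "Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
	 "Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com","token.actions.githubusercontent.com:sub":"repo:my-org/my-repo:ref:refs/heads/main"}}}]}`
	WeakTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRoleWithWebIdentity",
	 "Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},"Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"}}}]}`
	AdminPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`
)

func main() {
	for _, s := range []struct{ name, doc string }{{"good-trust", GoodTrust}, {"weak-trust", WeakTrust}, {"admin", AdminPolicy}} {
		findings, err := LintPolicy(s.doc)
		fmt.Printf("%s: %d finding(s) %v (err=%v)\n", s.name, len(findings), findings, err)
	}
}
```

In a Pulumi program the natural place to run this is a unit test over the JSON returned by GetPolicyDocument, or an ApplyT on trustPolicy.Json() that fails the deployment when findings are non-empty; it also works on the AssumeRolePolicyDocument returned by `aws iam get-role` for auditing roles already in the account.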

Import

Most IAM resources support import:

# Role
pulumi import aws:iam/role:Role example role_name

# Policy
pulumi import aws:iam/policy:Policy example arn:aws:iam::123456789012:policy/PolicyName

# RolePolicyAttachment
pulumi import aws:iam/rolePolicyAttachment:RolePolicyAttachment example role_name/arn:aws:iam::xxxx:policy/PolicyName

# User
pulumi import aws:iam/user:User example username

# Group
pulumi import aws:iam/group:Group example groupname

# InstanceProfile
pulumi import aws:iam/instanceProfile:InstanceProfile example profile_name

Install with Tessl CLI

npx tessl i tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7@7.16.1
