A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.
AWS IAM controls access to AWS services and resources. Manage users, roles, policies, and permissions.
Create Lambda execution role with S3 access
// Trust policy: only the Lambda service principal may assume this role.
// A Condition on aws:SourceAccount would further narrow it to functions in this account.
const lambdaTrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Action: "sts:AssumeRole", Effect: "Allow",
    Principal: { Service: "lambda.amazonaws.com" } }],
};
const role = new aws.iam.Role("lambda-role", {
  assumeRolePolicy: JSON.stringify(lambdaTrustPolicy),
});
// AWS managed policy granting only the CloudWatch Logs permissions a function needs to write logs.
new aws.iam.RolePolicyAttachment("lambda-exec", {
  role: role.name,
  policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
});
Create custom policy and attach to role
// Least-privilege S3 policy: object-level read/write in a single bucket, no wildcard actions.
const s3ObjectAccess = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"],
    Resource: "arn:aws:s3:::my-bucket/*" }],
};
const policy = new aws.iam.Policy("s3-access", {
  policy: JSON.stringify(s3ObjectAccess),
});
// Attach the customer-managed policy to the role created above.
new aws.iam.RolePolicyAttachment("attach", {
  role: role.name,
  policyArn: policy.arn,
});
Create IAM user with programmatic access
// An IAM user with a long-lived access key. Prefer role assumption or federation where
// possible; a user key that must exist should be tightly scoped and rotated.
const developer = new aws.iam.User("developer", { name: "developer" });
const developerKey = new aws.iam.AccessKey("dev-key", { user: developer.name });
export const accessKeyId = developerKey.id;
// NOTE(review): confirm the provider marks `secret` as a secret output; if not, wrap it in
// pulumi.secret() so it is encrypted in state and masked in stack outputs.
export const secretAccessKey = developerKey.secret;
IAM roles for AWS services and applications.
/**
 * An IAM role: an identity that the principals named in its trust policy
 * (`assumeRolePolicy`) can assume to obtain temporary credentials.
 */
class Role extends pulumi.CustomResource {
/** @param args see RoleArgs; `assumeRolePolicy` is required. */
constructor(name: string, args: RoleArgs, opts?: pulumi.CustomResourceOptions);
/** ARN of the role, for use in policies and trust relationships that reference it. */
readonly arn: pulumi.Output<string>;
/** Name of the role as created in IAM. */
readonly name: pulumi.Output<string>;
/** Unique ID assigned by IAM (distinct from `name`). */
readonly uniqueId: pulumi.Output<string>;
}
/** Inputs for {@link Role}. */
interface RoleArgs {
/**
 * Trust policy controlling who may assume the role, as a JSON string or a PolicyDocument.
 * Keep the Principal as narrow as possible (a specific service or account, never "*").
 */
assumeRolePolicy: pulumi.Input<string | PolicyDocument>;
/** Human-readable description of the role. */
description?: pulumi.Input<string>;
/** Maximum session duration in seconds; shorter sessions limit the lifetime of leaked credentials. */
maxSessionDuration?: pulumi.Input<number>;
/** IAM path prefix for the role. */
path?: pulumi.Input<string>;
/** ARN of a managed policy used as a permissions boundary — caps the role's effective permissions regardless of attached policies. */
permissionsBoundary?: pulumi.Input<string>;
/** Tags applied to the role. */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}Example: Create role for Lambda
// Trust policy: only the Lambda service principal may assume this role.
// A Condition on aws:SourceAccount would further narrow it to functions in this account.
const lambdaTrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Action: "sts:AssumeRole",
    Effect: "Allow",
    Principal: {
      Service: "lambda.amazonaws.com",
    },
  }],
};
const lambdaRole = new aws.iam.Role("lambda-role", {
  assumeRolePolicy: JSON.stringify(lambdaTrustPolicy),
  tags: { Application: "my-app" },
});
Create custom IAM policies.
/**
 * A customer-managed IAM policy. Attach it to roles, users or groups rather than
 * duplicating inline policy documents.
 */
class Policy extends pulumi.CustomResource {
/** @param args see PolicyArgs; `policy` (the document) is required. */
constructor(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions);
/** ARN of the policy — the value passed as `policyArn` to attachments. */
readonly arn: pulumi.Output<string>;
/** Provider-assigned resource ID. */
readonly id: pulumi.Output<string>;
}
/** Inputs for {@link Policy}. */
interface PolicyArgs {
/**
 * The policy document, as a JSON string or a PolicyDocument. Scope Action and Resource
 * to what is needed; avoid "*" on either.
 */
policy: pulumi.Input<string | PolicyDocument>;
/** Human-readable description of the policy. */
description?: pulumi.Input<string>;
/** IAM path prefix for the policy. */
path?: pulumi.Input<string>;
/** Tags applied to the policy. */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}Example: Create custom policy
// Least privilege: object-level read/write on one bucket only — no bucket-level
// or wildcard actions.
const s3ObjectAccessDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: [
      "s3:GetObject",
      "s3:PutObject",
    ],
    Resource: "arn:aws:s3:::my-bucket/*",
  }],
};
const customPolicy = new aws.iam.Policy("custom-policy", {
  description: "Custom policy for S3 access",
  policy: JSON.stringify(s3ObjectAccessDocument),
});
Attach policies to roles.
/**
 * Attaches a managed policy (AWS- or customer-managed) to a role.
 * One resource per role/policy pair; deleting the resource detaches the policy.
 */
class RolePolicyAttachment extends pulumi.CustomResource {
/** @param args the role name and policy ARN; see RolePolicyAttachmentArgs. */
constructor(name: string, args: RolePolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions);
}
/** Inputs for {@link RolePolicyAttachment}. */
interface RolePolicyAttachmentArgs {
/** Name of the role to attach to (typically `someRole.name`). */
role: pulumi.Input<string>;
/** ARN of the managed policy to attach; review AWS managed policies for over-broad grants before using them. */
policyArn: pulumi.Input<string>;
}Example: Attach policy to role
// AWSLambdaBasicExecutionRole grants only CloudWatch Logs write access; the custom
// policy adds the scoped S3 permissions. Attachments are created in list order.
const lambdaBasicExecutionArn =
  "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole";
const attachments = [
  ["lambda-basic", lambdaBasicExecutionArn],
  ["custom-attachment", customPolicy.arn],
] as const;
for (const [attachmentName, policyArn] of attachments) {
  new aws.iam.RolePolicyAttachment(attachmentName, {
    role: lambdaRole.name,
    policyArn,
  });
}
IAM users for AWS console and API access.
/**
 * An IAM user — a long-lived identity with its own credentials. Prefer roles and
 * federation for workloads and people; reserve users for cases that require them.
 */
class User extends pulumi.CustomResource {
/** @param args optional; see UserArgs. */
constructor(name: string, args?: UserArgs, opts?: pulumi.CustomResourceOptions);
/** ARN of the user. */
readonly arn: pulumi.Output<string>;
/** Name of the user as created in IAM; pass to AccessKey, group membership, etc. */
readonly name: pulumi.Output<string>;
}
/** Inputs for {@link User}. */
interface UserArgs {
/** Explicit user name; optional. */
name?: pulumi.Input<string>;
/** IAM path prefix for the user. */
path?: pulumi.Input<string>;
/** ARN of a managed policy used as a permissions boundary — caps the user's effective permissions regardless of attached policies. */
permissionsBoundary?: pulumi.Input<string>;
/** Tags applied to the user. */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}IAM groups for organizing users.
/**
 * An IAM group: a collection of users that share attached policies.
 * Granting permissions via groups keeps per-user policy sprawl down.
 */
class Group extends pulumi.CustomResource {
/** @param args optional; see GroupArgs. */
constructor(name: string, args?: GroupArgs, opts?: pulumi.CustomResourceOptions);
}
/** Inputs for {@link Group}. */
interface GroupArgs {
/** Explicit group name; optional. */
name?: pulumi.Input<string>;
/** IAM path prefix for the group. */
path?: pulumi.Input<string>;
}Access keys for programmatic access.
/**
 * A long-lived access key pair for an IAM user. Treat `secret` as a credential:
 * keep it out of logs and plaintext outputs, and rotate keys on a schedule.
 */
class AccessKey extends pulumi.CustomResource {
/** @param args the owning user; see AccessKeyArgs. */
constructor(name: string, args: AccessKeyArgs, opts?: pulumi.CustomResourceOptions);
/** The access key ID — the non-secret half of the pair. */
readonly id: pulumi.Output<string>;
/** The secret access key. Export via pulumi.secret() unless the provider already marks it as a secret output. */
readonly secret: pulumi.Output<string>;
}
/** Inputs for {@link AccessKey}. */
interface AccessKeyArgs {
/** Name of the IAM user the key belongs to (typically `someUser.name`). */
user: pulumi.Input<string>;
}Example: Create access key for user
// An IAM user plus a long-lived access key. Long-lived user keys are the credential type
// most often leaked; prefer role assumption or federation, and rotate keys that must exist.
const developer = new aws.iam.User("developer", {
  name: "developer",
  path: "/users/",
});
const developerKey = new aws.iam.AccessKey("dev-key", {
  user: developer.name,
});
export const accessKeyId = developerKey.id;
// NOTE(review): confirm the provider marks `secret` as a secret output; if not, wrap it in
// pulumi.secret() so it is encrypted in state and masked in stack outputs.
export const secretAccessKey = developerKey.secret;
Instance profiles for EC2 instances.
/**
 * An instance profile: the container that lets an EC2 instance assume a role
 * and receive its credentials via the instance metadata service.
 */
class InstanceProfile extends pulumi.CustomResource {
/** @param args optional; see InstanceProfileArgs. */
constructor(name: string, args?: InstanceProfileArgs, opts?: pulumi.CustomResourceOptions);
/** ARN of the instance profile, referenced when launching instances. */
readonly arn: pulumi.Output<string>;
}
/** Inputs for {@link InstanceProfile}. */
interface InstanceProfileArgs {
/** Name of the role the profile carries; instances launched with the profile act with this role's permissions. */
role?: pulumi.Input<string>;
/** Explicit profile name; optional. */
name?: pulumi.Input<string>;
}function getRole(args: GetRoleArgs): Promise<GetRoleResult>;
// Read-only lookups of existing IAM entities (getRole above and the two below):
// they query the account at deploy time and create nothing.
function getUser(args: GetUserArgs): Promise<GetUserResult>;
function getPolicy(args: GetPolicyArgs): Promise<GetPolicyResult>;
// Renders a policy document from structured arguments; prefer it to hand-assembled
// JSON strings once documents grow beyond a statement or two.
function getPolicyDocument(args: GetPolicyDocumentArgs): Promise<GetPolicyDocumentResult>;import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";
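// Create role for Lambda
// Trust policy: only the Lambda service principal may assume this role. A Condition on
// aws:SourceAccount (and aws:SourceArn) would further narrow it to this account's functions.
const lambdaRole = new aws.iam.Role("lambda-role", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Action: "sts:AssumeRole",
      Effect: "Allow",
      Principal: {
        Service: "lambda.amazonaws.com",
      },
    }],
  }),
  tags: { Application: "my-app" },
});
// Attach AWS managed policy (CloudWatch Logs write access only)
new aws.iam.RolePolicyAttachment("lambda-basic", {
  role: lambdaRole.name,
  policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
});
// Create custom policy — object-level read/write on a single bucket, no wildcard actions
const customPolicy = new aws.iam.Policy("custom-policy", {
  description: "Custom policy for S3 access",
  policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: [
        "s3:GetObject",
        "s3:PutObject",
      ],
      Resource: "arn:aws:s3:::my-bucket/*",
    }],
  }),
});
// Attach custom policy
new aws.iam.RolePolicyAttachment("custom-attachment", {
  role: lambdaRole.name,
  policyArn: customPolicy.arn,
});
// Create user
// Long-lived user credentials are the most frequently leaked kind; prefer role
// assumption or federation where the workload allows it, and rotate keys that must exist.
const user = new aws.iam.User("developer", {
  name: "developer",
  path: "/users/",
});
// Create access key
const accessKey = new aws.iam.AccessKey("dev-key", {
  user: user.name,
});
export const roleArn = lambdaRole.arn;
export const accessKeyId = accessKey.id;
// The secret access key is a credential: mark it secret explicitly so it is encrypted in
// state and masked in `pulumi stack output` (visible only with --show-secrets).
export const secretAccessKey = pulumi.secret(accessKey.secret);
IAM module includes 35 resources. See All Services for complete list.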
Install with Tessl CLI
npx tessl i tessl/npm-pulumi--aws@7.16.0