Namespace Pulumi.Aws.Iam
Classes
AccessKey
Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: an IAM user under /system/ with an access key whose secret is
/// PGP-encrypted, plus an inline policy limited to EC2 Describe* calls.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Inline policy document: EC2 Describe* actions only, on every resource.
        // Describe* is read-only, but it still reveals inventory to whoever holds the key.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var lbUser = new Aws.Iam.User("lbUser", new Aws.Iam.UserArgs
        {
            Path = "/system/",
        });

        // PgpKey names the recipient whose public key encrypts the generated secret.
        // "keybase:some_person_that_exists" is a placeholder: whoever owns that key can
        // decrypt the credential, so replace it with the intended recipient.
        var accessKeyArgs = new Aws.Iam.AccessKeyArgs
        {
            PgpKey = "keybase:some_person_that_exists",
            User = lbUser.Name,
        };
        var lbAccessKey = new Aws.Iam.AccessKey("lbAccessKey", accessKeyArgs);

        var userPolicyArgs = new Aws.Iam.UserPolicyArgs
        {
            Policy = describeOnlyPolicy,
            User = lbUser.Name,
        };
        var lbRo = new Aws.Iam.UserPolicy("lbRo", userPolicyArgs);

        // Only the encrypted form is exported as a stack output.
        // NOTE(review): presumably the plaintext secret is not kept in state when PgpKey
        // is set; confirm against the provider documentation for the version in use.
        this.Secret = lbAccessKey.EncryptedSecret;
    }

    [Output("secret")]
    public Output<string> Secret { get; set; }
}
AccessKeyArgs
AccessKeyState
AccountAlias
Note: There is only a single account alias per AWS account.
Manages the account alias for the AWS Account.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: sets the alias of the AWS account.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var aliasArgs = new Aws.Iam.AccountAliasArgs
        {
            AccountAlias = "my-account-alias",
        };

        // An account has a single alias, so this resource owns that one value.
        // The alias is used in the console sign-in URL; treat it as public information.
        var @alias = new Aws.Iam.AccountAlias("alias", aliasArgs);
    }
}
AccountAliasArgs
AccountAliasState
AccountPasswordPolicy
Note: Only a single password policy is allowed per AWS account. Because of this limitation, any existing policy will be lost (overwritten) when this resource is used.
Manages Password Policy for the AWS Account. See more about Account Password Policy in the official AWS docs.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: sets the account-wide IAM password policy.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // There is one password policy per account: applying this replaces whatever
        // policy was configured before.
        var policyArgs = new Aws.Iam.AccountPasswordPolicyArgs
        {
            AllowUsersToChangePassword = true,
            // NOTE(review): 8 characters is short by current baselines (the CIS AWS
            // Foundations Benchmark asks for 14 or more); raise it to match your standard.
            MinimumPasswordLength = 8,
            RequireLowercaseCharacters = true,
            RequireNumbers = true,
            RequireSymbols = true,
            RequireUppercaseCharacters = true,
            // NOTE(review): this example sets neither PasswordReusePrevention nor
            // MaxPasswordAge; decide explicitly whether your policy needs them.
        };

        var strict = new Aws.Iam.AccountPasswordPolicy("strict", policyArgs);
    }
}
AccountPasswordPolicyArgs
AccountPasswordPolicyState
GetAccountAlias
GetAccountAliasResult
GetGroup
GetGroupArgs
GetGroupResult
GetInstanceProfile
GetInstanceProfileArgs
GetInstanceProfileResult
GetPolicy
GetPolicyArgs
GetPolicyDocument
GetPolicyDocumentArgs
GetPolicyDocumentResult
GetPolicyResult
GetRole
GetRoleArgs
GetRoleResult
GetServerCertificate
GetServerCertificateArgs
GetServerCertificateResult
GetUser
GetUserArgs
GetUserResult
Group
Provides an IAM group.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: creates an IAM group under the /users/ path.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The group carries no permissions until a policy is attached to it.
        var groupArgs = new Aws.Iam.GroupArgs
        {
            Path = "/users/",
        };

        var developers = new Aws.Iam.Group("developers", groupArgs);
    }
}
GroupArgs
GroupMembership
WARNING: Multiple aws.iam.GroupMembership resources with the same group name will produce inconsistent behavior!
Provides a top level resource to manage IAM Group membership for IAM Users. For more information on managing IAM Groups or IAM Users, see IAM Groups or IAM Users
Note: aws.iam.GroupMembership will conflict with itself if used more than once with the same group. To non-exclusively manage the users in a group, see the [aws.iam.UserGroupMembership resource][3].
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: one IAM group, two IAM users, and a single GroupMembership
/// resource that lists both users as members of the group.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var @group = new Aws.Iam.Group("group", new Aws.Iam.GroupArgs());
        var userOne = new Aws.Iam.User("userOne", new Aws.Iam.UserArgs());
        var userTwo = new Aws.Iam.User("userTwo", new Aws.Iam.UserArgs());

        // Declare exactly one GroupMembership per group: a second one for the same
        // group conflicts with this one and produces inconsistent membership.
        var membershipArgs = new Aws.Iam.GroupMembershipArgs
        {
            Group = @group.Name,
            Users = { userOne.Name, userTwo.Name },
        };
        var team = new Aws.Iam.GroupMembership("team", membershipArgs);
    }
}
GroupMembershipArgs
GroupMembershipState
GroupPolicy
Provides an IAM policy attached to a group.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: an IAM group with an inline policy limited to EC2 Describe* calls.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Inline policy document: EC2 Describe* actions only, on every resource.
        // Every member of the group inherits this access.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var myDevelopers = new Aws.Iam.Group("myDevelopers", new Aws.Iam.GroupArgs
        {
            Path = "/users/",
        });

        var groupPolicyArgs = new Aws.Iam.GroupPolicyArgs
        {
            Group = myDevelopers.Id,
            Policy = describeOnlyPolicy,
        };
        var myDeveloperPolicy = new Aws.Iam.GroupPolicy("myDeveloperPolicy", groupPolicyArgs);
    }
}
GroupPolicyArgs
GroupPolicyAttachment
Attaches a Managed IAM Policy to an IAM group
NOTE: The usage of this resource conflicts with the aws.iam.PolicyAttachment resource and will permanently show a difference if both are defined.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: attaches a managed IAM policy to a group.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var @group = new Aws.Iam.Group("group", new Aws.Iam.GroupArgs());

        // The policy document is left empty in this example: insert the policy JSON here.
        // Whatever the document grants is inherited by every member of the group, so
        // keep it to the actions and resources the group actually needs.
        var policyArgs = new Aws.Iam.PolicyArgs
        {
            Description = "A test policy",
            Policy = "",
        };
        var policy = new Aws.Iam.Policy("policy", policyArgs);

        // Non-exclusive attachment: it conflicts with aws.iam.PolicyAttachment if
        // both manage the same policy.
        var attachmentArgs = new Aws.Iam.GroupPolicyAttachmentArgs
        {
            Group = @group.Name,
            PolicyArn = policy.Arn,
        };
        var test_attach = new Aws.Iam.GroupPolicyAttachment("test-attach", attachmentArgs);
    }
}
GroupPolicyAttachmentArgs
GroupPolicyAttachmentState
GroupPolicyState
GroupState
InstanceProfile
Provides an IAM instance profile.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: an IAM role assumable by the EC2 service and an instance
/// profile that carries that role.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy: only the EC2 service principal may call sts:AssumeRole.
        const string ec2TrustPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": ""sts:AssumeRole"",
""Principal"": {
""Service"": ""ec2.amazonaws.com""
},
""Effect"": ""Allow"",
""Sid"": """"
}
]
}
";

        var roleArgs = new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = ec2TrustPolicy,
            Path = "/",
        };
        var role = new Aws.Iam.Role("role", roleArgs);

        // Any workload on an instance launched with this profile can use the role's
        // permissions, so scope the role's policies to what the instance needs.
        var testProfile = new Aws.Iam.InstanceProfile("testProfile", new Aws.Iam.InstanceProfileArgs
        {
            Role = role.Name,
        });
    }
}
InstanceProfileArgs
InstanceProfileState
OpenIdConnectProvider
Provides an IAM OpenID Connect provider.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: registers Google as an IAM OpenID Connect identity provider.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var providerArgs = new Aws.Iam.OpenIdConnectProviderArgs
        {
            // Client IDs (audiences) accepted from this provider. The value below is
            // the example's sample ID; list only the applications you operate.
            ClientIdLists =
            {
                "266362248691-342342xasdasdasda-apps.googleusercontent.com",
            },
            // NOTE(review): left empty in this example. The thumbprint list pins the
            // provider's server certificate; supply the real value(s) and confirm how
            // your provider version treats an empty list.
            ThumbprintLists = {},
            Url = "https://accounts.google.com",
        };

        var @default = new Aws.Iam.OpenIdConnectProvider("default", providerArgs);
    }
}
OpenIdConnectProviderArgs
OpenIdConnectProviderState
Policy
Provides an IAM policy.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: a managed IAM policy limited to EC2 Describe* calls.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Policy document: EC2 Describe* actions only, on every resource.
        // A managed policy grants nothing until it is attached to a user, group or role.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var policyArgs = new Aws.Iam.PolicyArgs
        {
            Description = "My test policy",
            Path = "/",
            Policy = describeOnlyPolicy,
        };
        var policy = new Aws.Iam.Policy("policy", policyArgs);
    }
}
PolicyArgs
PolicyAttachment
Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
WARNING: The aws.iam.PolicyAttachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws.iam.PolicyAttachment resource. This means that any users/roles/groups that have the policy attached via any other mechanism (including other resources managed by this provider) will have that attachment revoked by this resource. Consider aws.iam.RolePolicyAttachment, aws.iam.UserPolicyAttachment, or aws.iam.GroupPolicyAttachment instead. These resources do not enforce exclusive attachment of an IAM policy.
NOTE: The usage of this resource conflicts with the aws.iam.GroupPolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.UserPolicyAttachment resources and will permanently show a difference if both are defined.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: one managed policy attached to a user, a role and a group
/// through a single exclusive PolicyAttachment resource.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy: only the EC2 service principal may call sts:AssumeRole.
        const string ec2TrustPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": ""sts:AssumeRole"",
""Principal"": {
""Service"": ""ec2.amazonaws.com""
},
""Effect"": ""Allow"",
""Sid"": """"
}
]
}
";

        // Permission policy: EC2 Describe* actions only, on every resource.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var user = new Aws.Iam.User("user", new Aws.Iam.UserArgs());

        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = ec2TrustPolicy,
        });

        var @group = new Aws.Iam.Group("group", new Aws.Iam.GroupArgs());

        var policy = new Aws.Iam.Policy("policy", new Aws.Iam.PolicyArgs
        {
            Description = "A test policy",
            Policy = describeOnlyPolicy,
        });

        // Exclusive attachment: this resource claims every attachment of the policy in
        // the account. Principals that hold the policy through any other mechanism lose
        // it when this is applied, so review existing attachments first.
        var attachmentArgs = new Aws.Iam.PolicyAttachmentArgs
        {
            Groups = { @group.Name },
            PolicyArn = policy.Arn,
            Roles = { role.Name },
            Users = { user.Name },
        };
        var test_attach = new Aws.Iam.PolicyAttachment("test-attach", attachmentArgs);
    }
}
PolicyAttachmentArgs
PolicyAttachmentState
PolicyState
Role
Provides an IAM role.
NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation; otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: a tagged IAM role that the EC2 service is allowed to assume.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy: only the EC2 service principal may call sts:AssumeRole.
        // The trust policy decides who can use the role; keep the principal narrow.
        const string ec2TrustPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": ""sts:AssumeRole"",
""Principal"": {
""Service"": ""ec2.amazonaws.com""
},
""Effect"": ""Allow"",
""Sid"": """"
}
]
}
";

        var roleArgs = new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = ec2TrustPolicy,
            Tags =
            {
                { "tag-key", "tag-value" },
            },
        };
        var testRole = new Aws.Iam.Role("testRole", roleArgs);
    }
}
Example of Using Data Source for Assume Role Policy
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: builds the role's trust policy with the GetPolicyDocument data
/// source instead of a hand-written JSON string.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Single statement: the EC2 service principal may call sts:AssumeRole.
        var trustStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "sts:AssumeRole" },
            Principals =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                {
                    Identifiers = { "ec2.amazonaws.com" },
                    Type = "Service",
                },
            },
        };

        // The data source renders the statement to JSON, which avoids quoting
        // mistakes in a hand-edited policy string.
        var assumeRolePolicyDocument = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = { trustStatement },
        }));

        var instance = new Aws.Iam.Role("instance", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = assumeRolePolicyDocument.Apply(document => document.Json),
            Path = "/system/",
        });
    }
}
RoleArgs
RolePolicy
Provides an IAM role inline policy.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: an IAM role assumable by the EC2 service, with an inline
/// policy limited to EC2 Describe* calls.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy: only the EC2 service principal may call sts:AssumeRole.
        const string ec2TrustPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": ""sts:AssumeRole"",
""Principal"": {
""Service"": ""ec2.amazonaws.com""
},
""Effect"": ""Allow"",
""Sid"": """"
}
]
}
";

        // Permission policy: EC2 Describe* actions only, on every resource.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var testRole = new Aws.Iam.Role("testRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = ec2TrustPolicy,
        });

        // The trust policy says who may assume the role; this inline policy says
        // what the role may do once assumed. Review both when changing either.
        var inlinePolicyArgs = new Aws.Iam.RolePolicyArgs
        {
            Role = testRole.Id,
            Policy = describeOnlyPolicy,
        };
        var testPolicy = new Aws.Iam.RolePolicy("testPolicy", inlinePolicyArgs);
    }
}
RolePolicyArgs
RolePolicyAttachment
Attaches a Managed IAM Policy to an IAM role
NOTE: The usage of this resource conflicts with the aws.iam.PolicyAttachment resource and will permanently show a difference if both are defined.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: attaches a managed policy (EC2 Describe* only) to an IAM role
/// that the EC2 service may assume.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy: only the EC2 service principal may call sts:AssumeRole.
        const string ec2TrustPolicy = @" {
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": ""sts:AssumeRole"",
""Principal"": {
""Service"": ""ec2.amazonaws.com""
},
""Effect"": ""Allow"",
""Sid"": """"
}
]
}
";

        // Permission policy: EC2 Describe* actions only, on every resource.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = ec2TrustPolicy,
        });

        var policy = new Aws.Iam.Policy("policy", new Aws.Iam.PolicyArgs
        {
            Description = "A test policy",
            Policy = describeOnlyPolicy,
        });

        // Non-exclusive attachment: other attachments of the same policy are left
        // alone. It conflicts with aws.iam.PolicyAttachment for the same policy.
        var attachmentArgs = new Aws.Iam.RolePolicyAttachmentArgs
        {
            PolicyArn = policy.Arn,
            Role = role.Name,
        };
        var test_attach = new Aws.Iam.RolePolicyAttachment("test-attach", attachmentArgs);
    }
}
RolePolicyAttachmentArgs
RolePolicyAttachmentState
RolePolicyState
RoleState
SamlProvider
Provides an IAM SAML provider.
Example Usage
using System.IO;
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: registers an IAM SAML provider from a local metadata file.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The metadata document is read from the working directory at deployment time.
        // NOTE(review): the metadata presumably carries the identity provider's signing
        // certificate, so obtain the file from the provider over a trusted channel and
        // review changes to it like any other trust configuration.
        string metadataXml = File.ReadAllText("saml-metadata.xml");

        var @default = new Aws.Iam.SamlProvider("default", new Aws.Iam.SamlProviderArgs
        {
            SamlMetadataDocument = metadataXml,
        });
    }
}
SamlProviderArgs
SamlProviderState
ServerCertificate
Provides an IAM Server Certificate resource to upload Server Certificates. Certs uploaded to IAM can easily work with other AWS services such as:
- AWS Elastic Beanstalk
- Elastic Load Balancing
- CloudFront
- AWS OpsWorks
For information about server certificates in IAM, see [Managing Server Certificates][2] in AWS Documentation.
Note: All arguments including the private key will be stored in the raw state as plain-text. Read more about sensitive data in state.
Example Usage
using System.IO;
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: uploads a server certificate and its private key to IAM from
/// local PEM files.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        string certificatePem = File.ReadAllText("self-ca-cert.pem");

        // The private key is passed as a plain argument and ends up in the raw stack
        // state as plain text. Keep the key file out of version control and restrict
        // access to wherever the state is stored.
        string privateKeyPem = File.ReadAllText("test-key.pem");

        var certificateArgs = new Aws.Iam.ServerCertificateArgs
        {
            CertificateBody = certificatePem,
            PrivateKey = privateKeyPem,
        };
        var testCert = new Aws.Iam.ServerCertificate("testCert", certificateArgs);
    }
}
ServerCertificateArgs
ServerCertificateState
ServiceLinkedRole
Provides an IAM service-linked role.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: creates the service-linked role for Elastic Beanstalk.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The service name selects which AWS service the role is linked to.
        var linkedRoleArgs = new Aws.Iam.ServiceLinkedRoleArgs
        {
            AwsServiceName = "elasticbeanstalk.amazonaws.com",
        };

        var elasticbeanstalk = new Aws.Iam.ServiceLinkedRole("elasticbeanstalk", linkedRoleArgs);
    }
}
ServiceLinkedRoleArgs
ServiceLinkedRoleState
SshKey
Uploads an SSH public key and associates it with the specified IAM user.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: creates an IAM user and uploads an SSH public key for it.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Sample public key from the example. Only the public half is ever uploaded;
        // replace it with the key of the person who should have access.
        const string samplePublicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 mytest@mydomain.com";

        var userUser = new Aws.Iam.User("userUser", new Aws.Iam.UserArgs
        {
            Path = "/",
        });

        var sshKeyArgs = new Aws.Iam.SshKeyArgs
        {
            Encoding = "SSH",
            PublicKey = samplePublicKey,
            Username = userUser.Name,
        };
        var userSshKey = new Aws.Iam.SshKey("userSshKey", sshKeyArgs);
    }
}
SshKeyArgs
SshKeyState
User
Provides an IAM user.
NOTE: If policies are attached to the user via the aws.iam.PolicyAttachment resource and you are modifying the user name or path, the force_destroy argument must be set to true and applied before attempting the operation; otherwise you will encounter a DeleteConflict error. The aws.iam.UserPolicyAttachment resource (recommended) does not have this requirement.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: a tagged IAM user under /system/ with an access key and an
/// inline policy limited to EC2 Describe* calls.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Inline policy document: EC2 Describe* actions only, on every resource.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var userArgs = new Aws.Iam.UserArgs
        {
            Path = "/system/",
            Tags =
            {
                { "tag-key", "tag-value" },
            },
        };
        var lbUser = new Aws.Iam.User("lbUser", userArgs);

        // NOTE(review): no PgpKey is set here, so the generated secret is presumably
        // written to the stack state unencrypted; confirm for your provider version.
        // Set PgpKey, as the AccessKey example on this page does, or protect the state
        // backend accordingly.
        var lbAccessKey = new Aws.Iam.AccessKey("lbAccessKey", new Aws.Iam.AccessKeyArgs
        {
            User = lbUser.Name,
        });

        var userPolicyArgs = new Aws.Iam.UserPolicyArgs
        {
            Policy = describeOnlyPolicy,
            User = lbUser.Name,
        };
        var lbRo = new Aws.Iam.UserPolicy("lbRo", userPolicyArgs);
    }
}
UserArgs
UserGroupMembership
Provides a resource for adding an IAM User to IAM Groups. This resource can be used multiple times with the same user for non-overlapping groups.
To exclusively manage the users in a group, see the
[aws.iam.GroupMembership resource][3].
Example usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: adds one IAM user to three groups through two
/// UserGroupMembership resources with non-overlapping group lists.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var user1 = new Aws.Iam.User("user1", new Aws.Iam.UserArgs());
        var group1 = new Aws.Iam.Group("group1", new Aws.Iam.GroupArgs());
        var group2 = new Aws.Iam.Group("group2", new Aws.Iam.GroupArgs());

        // First membership resource: group1 and group2.
        var firstMembershipArgs = new Aws.Iam.UserGroupMembershipArgs
        {
            Groups = { group1.Name, group2.Name },
            User = user1.Name,
        };
        var example1 = new Aws.Iam.UserGroupMembership("example1", firstMembershipArgs);

        var group3 = new Aws.Iam.Group("group3", new Aws.Iam.GroupArgs());

        // Second membership resource for the same user. Its group list must not
        // overlap with the first one.
        var secondMembershipArgs = new Aws.Iam.UserGroupMembershipArgs
        {
            Groups = { group3.Name },
            User = user1.Name,
        };
        var example2 = new Aws.Iam.UserGroupMembership("example2", secondMembershipArgs);
    }
}
UserGroupMembershipArgs
UserGroupMembershipState
UserLoginProfile
Manages an IAM User Login Profile with limited support for password creation during this provider resource creation. Uses PGP to encrypt the password for safe transport to the user. PGP keys can be obtained from Keybase.
To reset an IAM User login password via this provider, you can delete and recreate this resource or change any of its arguments.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: an IAM user with a console login profile whose generated
/// password is PGP-encrypted for the recipient.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var userArgs = new Aws.Iam.UserArgs
        {
            // NOTE(review): ForceDestroy presumably lets the user be deleted even when
            // it still holds credentials created outside this program; confirm that
            // this is what you want before enabling it.
            ForceDestroy = true,
            Path = "/",
        };
        var exampleUser = new Aws.Iam.User("exampleUser", userArgs);

        // PgpKey names the recipient whose public key encrypts the generated password.
        // "keybase:some_person_that_exists" is a placeholder: whoever owns that key can
        // decrypt the password, so replace it with the intended user's key.
        var loginProfileArgs = new Aws.Iam.UserLoginProfileArgs
        {
            PgpKey = "keybase:some_person_that_exists",
            User = exampleUser.Name,
        };
        var exampleUserLoginProfile = new Aws.Iam.UserLoginProfile("exampleUserLoginProfile", loginProfileArgs);

        // Only the encrypted password is exported as a stack output.
        this.Password = exampleUserLoginProfile.EncryptedPassword;
    }

    [Output("password")]
    public Output<string> Password { get; set; }
}
UserLoginProfileArgs
UserLoginProfileState
UserPolicy
Provides an IAM policy attached to a user.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: an IAM user under /system/ with an inline policy limited to
/// EC2 Describe* calls, plus an access key for that user.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Inline policy document: EC2 Describe* actions only, on every resource.
        const string describeOnlyPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Action"": [
""ec2:Describe*""
],
""Effect"": ""Allow"",
""Resource"": ""*""
}
]
}
";

        var lbUser = new Aws.Iam.User("lbUser", new Aws.Iam.UserArgs
        {
            Path = "/system/",
        });

        var userPolicyArgs = new Aws.Iam.UserPolicyArgs
        {
            Policy = describeOnlyPolicy,
            User = lbUser.Name,
        };
        var lbRo = new Aws.Iam.UserPolicy("lbRo", userPolicyArgs);

        // NOTE(review): no PgpKey is set here, so the generated secret is presumably
        // written to the stack state unencrypted; confirm for your provider version.
        // Set PgpKey or protect the state backend accordingly.
        var lbAccessKey = new Aws.Iam.AccessKey("lbAccessKey", new Aws.Iam.AccessKeyArgs
        {
            User = lbUser.Name,
        });
    }
}
UserPolicyArgs
UserPolicyAttachment
Attaches a Managed IAM Policy to an IAM user
NOTE: The usage of this resource conflicts with the aws.iam.PolicyAttachment resource and will permanently show a difference if both are defined.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Example stack: attaches a managed IAM policy to a user.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var user = new Aws.Iam.User("user", new Aws.Iam.UserArgs());

        // The policy document is left empty in this example: insert the policy JSON here.
        // Keep it to the actions and resources this user actually needs.
        var policyArgs = new Aws.Iam.PolicyArgs
        {
            Description = "A test policy",
            Policy = "",
        };
        var policy = new Aws.Iam.Policy("policy", policyArgs);

        // Non-exclusive attachment: it conflicts with aws.iam.PolicyAttachment if
        // both manage the same policy.
        var attachmentArgs = new Aws.Iam.UserPolicyAttachmentArgs
        {
            PolicyArn = policy.Arn,
            User = user.Name,
        };
        var test_attach = new Aws.Iam.UserPolicyAttachment("test-attach", attachmentArgs);
    }
}