This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.
iam
This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.
- class
pulumi_aws.iam.AccessKey(resource_name, opts=None, pgp_key=None, status=None, user=None, __props__=None, __name__=None, __opts__=None)
Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.
```python
import pulumi
import pulumi_aws as aws

lb_user = aws.iam.User("lbUser", path="/system/")
lb_access_key = aws.iam.AccessKey("lbAccessKey",
    pgp_key="keybase:some_person_that_exists",
    user=lb_user.name)
lb_ro = aws.iam.UserPolicy("lbRo",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""",
    user=lb_user.name)
pulumi.export("secret", lb_access_key.encrypted_secret)
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
pgp_key (pulumi.Input[str]) – Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.
status (pulumi.Input[str]) – The access key status to apply. Defaults to Active. Valid values are Active and Inactive.
user (pulumi.Input[str]) – The IAM user to associate with this access key.
encrypted_secret: pulumi.Output[str] = None – The encrypted secret, base64 encoded, if pgp_key was specified. NOTE: The encrypted secret may be decrypted using the command line,
key_fingerprint: pulumi.Output[str] = None – The fingerprint of the PGP key used to encrypt the secret
pgp_key: pulumi.Output[str] = None – Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.
secret: pulumi.Output[str] = None – The secret access key. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
ses_smtp_password: pulumi.Output[str] = None – DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion
ses_smtp_password_v4: pulumi.Output[str] = None – The secret access key converted into an SES SMTP password by applying AWS’s documented Sigv4 conversion algorithm. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions
status: pulumi.Output[str] = None – The access key status to apply. Defaults to Active. Valid values are Active and Inactive.
user: pulumi.Output[str] = None – The IAM user to associate with this access key.
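The SigV4 conversion behind ses_smtp_password_v4, written out as an added example (not code from this page or from the provider) following AWS's published SES SMTP credential procedure. It shows that the value is a deterministic, region-bound function of the secret access key, so it needs the same protection as the key itself; the secret below is constructed and the helper names are this example's own.

```python
import base64
import hashlib
import hmac

# Fixed inputs of AWS's published SES SMTP credential conversion (SigV4 variant).
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = b"\x04"

# Regions this page lists as valid for ses_smtp_password_v4.
PAGE_REGIONS = ("ap-south-1", "ap-southeast-2", "eu-central-1",
                "eu-west-1", "us-east-1", "us-west-2")

# Constructed placeholder, not a real credential.
CONSTRUCTED_SECRET = "CONSTRUCTED/NOT+A+REAL+SECRET+ACCESS+KEY"


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def ses_smtp_password_v4(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password for one region from a secret access key."""
    if not secret_access_key or not region:
        raise ValueError("secret_access_key and region are both required")
    # Same key-derivation chain as a SigV4 signing key, with fixed date/message.
    sig = hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    sig = hmac_sha256(sig, region)      # the region enters here, so the
    sig = hmac_sha256(sig, SERVICE)     # result only works in that region
    sig = hmac_sha256(sig, TERMINAL)
    sig = hmac_sha256(sig, MESSAGE)
    # A version byte is prepended before base64 encoding.
    return base64.b64encode(VERSION + sig).decode("ascii")


def split_smtp_password(password: str):
    """Return (version, signature_bytes) of a derived SMTP password."""
    raw = base64.b64decode(password, validate=True)
    return raw[0], raw[1:]


def passwords_by_region(secret_access_key: str, regions=PAGE_REGIONS) -> dict:
    """One password per region: rotating the key invalidates all of them."""
    return {r: ses_smtp_password_v4(secret_access_key, r) for r in regions}


if __name__ == "__main__":
    for region, pw in passwords_by_region(CONSTRUCTED_SECRET).items():
        version, sig = split_smtp_password(pw)
        # Print only metadata, never the derived credential itself.
        print(f"{region}: version={version} signature_bytes={len(sig)}")
```
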
- static
get(resource_name, id, opts=None, encrypted_secret=None, key_fingerprint=None, pgp_key=None, secret=None, ses_smtp_password=None, ses_smtp_password_v4=None, status=None, user=None)
Get an existing AccessKey resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
encrypted_secret (pulumi.Input[str]) – The encrypted secret, base64 encoded, if pgp_key was specified. NOTE: The encrypted secret may be decrypted using the command line,
key_fingerprint (pulumi.Input[str]) – The fingerprint of the PGP key used to encrypt the secret
pgp_key (pulumi.Input[str]) – Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.
secret (pulumi.Input[str]) – The secret access key. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
ses_smtp_password (pulumi.Input[str]) – DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion
ses_smtp_password_v4 (pulumi.Input[str]) – The secret access key converted into an SES SMTP password by applying AWS’s documented Sigv4 conversion algorithm. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions
status (pulumi.Input[str]) – The access key status to apply. Defaults to Active. Valid values are Active and Inactive.
user (pulumi.Input[str]) – The IAM user to associate with this access key.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
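A check for the state-file caveat on AccessKey's secret attribute, as an added example that is not part of the provider or its documentation: it scans a stack export for access keys whose secret material is stored as plaintext. The export layout (deployment.resources[] with camelCase outputs), the type token and the sample state are assumptions and constructed data.

```python
import json

# Assumed layout of a `pulumi stack export`: deployment.resources[], each with
# "urn", "type" and camelCase "outputs". These names are assumptions of this
# example, not identifiers taken from the page.
ACCESS_KEY_TYPE = "aws:iam/accessKey:AccessKey"
# The SMTP passwords are derived from the secret, so treat them the same way.
SENSITIVE_OUTPUTS = ("secret", "sesSmtpPassword", "sesSmtpPasswordV4")

# Constructed sample state; no value here is a real credential.
SAMPLE_STATE = json.dumps({
    "version": 3,
    "deployment": {"resources": [
        {   # no pgp_key: secret and derived password stored as plain strings
            "urn": "urn:pulumi:dev::demo::aws:iam/accessKey:AccessKey::plainKey",
            "type": ACCESS_KEY_TYPE,
            "outputs": {"user": "lbUser", "status": "Active",
                        "secret": "CONSTRUCTED-NOT-A-REAL-SECRET",
                        "sesSmtpPasswordV4": "CONSTRUCTED-NOT-A-REAL-PASSWORD"},
        },
        {   # pgp_key supplied: only the PGP-encrypted secret is present
            "urn": "urn:pulumi:dev::demo::aws:iam/accessKey:AccessKey::pgpKey",
            "type": ACCESS_KEY_TYPE,
            "outputs": {"user": "lbUser", "status": "Active", "secret": "",
                        "pgpKey": "keybase:some_person_that_exists",
                        "keyFingerprint": "CONSTRUCTED-FINGERPRINT",
                        "encryptedSecret": "CONSTRUCTED-BASE64"},
        },
        {   # value wrapped by the state backend: an object, not a string
            "urn": "urn:pulumi:dev::demo::aws:iam/accessKey:AccessKey::wrapped",
            "type": ACCESS_KEY_TYPE,
            "outputs": {"user": "lbUser", "secret": {"ciphertext": "CONSTRUCTED"}},
        },
        {   # unrelated (hypothetical) resource type: ignored by the scan
            "urn": "urn:pulumi:dev::demo::example:index:Thing::other",
            "type": "example:index:Thing",
            "outputs": {"secret": "CONSTRUCTED"},
        },
    ]},
})


def find_plaintext_key_material(state_json: str) -> list:
    """Return one finding per sensitive AccessKey output stored as a string."""
    state = json.loads(state_json)
    resources = (state.get("deployment") or {}).get("resources") or []
    findings = []
    for res in resources:
        if res.get("type") != ACCESS_KEY_TYPE:
            continue
        outputs = res.get("outputs") or {}
        for field in SENSITIVE_OUTPUTS:
            value = outputs.get(field)
            # Non-string values are assumed to be backend-encrypted wrappers;
            # empty strings mean the provider did not store the value.
            if isinstance(value, str) and value:
                findings.append({
                    "urn": res.get("urn", "<no urn>"),
                    "field": field,
                    "pgp_key_set": bool(outputs.get("pgpKey")),
                })
    return findings


def report(findings: list) -> list:
    """Render findings without ever echoing the secret values."""
    return [f"{f['urn']}: '{f['field']}' is plaintext in state "
            f"(pgp_key set: {f['pgp_key_set']})" for f in findings]


if __name__ == "__main__":
    for line in report(find_plaintext_key_material(SAMPLE_STATE)):
        print(line)
```
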
- class
pulumi_aws.iam.AccountAlias(resource_name, opts=None, account_alias=None, __props__=None, __name__=None, __opts__=None)
Note: There is only a single account alias per AWS account.
Manages the account alias for the AWS Account.
```python
import pulumi
import pulumi_aws as aws

alias = aws.iam.AccountAlias("alias", account_alias="my-account-alias")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
account_alias (pulumi.Input[str]) – The account alias
account_alias: pulumi.Output[str] = None – The account alias
- static
get(resource_name, id, opts=None, account_alias=None)
Get an existing AccountAlias resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
account_alias (pulumi.Input[str]) – The account alias
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.AccountPasswordPolicy(resource_name, opts=None, allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, __props__=None, __name__=None, __opts__=None)
Note: There is only a single policy allowed per AWS account. An existing policy will be lost when using this resource as an effect of this limitation.
Manages Password Policy for the AWS Account. See more about Account Password Policy in the official AWS docs.
```python
import pulumi
import pulumi_aws as aws

strict = aws.iam.AccountPasswordPolicy("strict",
    allow_users_to_change_password=True,
    minimum_password_length=8,
    require_lowercase_characters=True,
    require_numbers=True,
    require_symbols=True,
    require_uppercase_characters=True)
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
allow_users_to_change_password (pulumi.Input[bool]) – Whether to allow users to change their own password
hard_expiry (pulumi.Input[bool]) – Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)
max_password_age (pulumi.Input[float]) – The number of days that a user password is valid.
minimum_password_length (pulumi.Input[float]) – Minimum length to require for user passwords.
password_reuse_prevention (pulumi.Input[float]) – The number of previous passwords that users are prevented from reusing.
require_lowercase_characters (pulumi.Input[bool]) – Whether to require lowercase characters for user passwords.
require_numbers (pulumi.Input[bool]) – Whether to require numbers for user passwords.
require_symbols (pulumi.Input[bool]) – Whether to require symbols for user passwords.
require_uppercase_characters (pulumi.Input[bool]) – Whether to require uppercase characters for user passwords.
allow_users_to_change_password: pulumi.Output[bool] = None – Whether to allow users to change their own password
expire_passwords: pulumi.Output[bool] = None – Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present.
hard_expiry: pulumi.Output[bool] = None – Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)
max_password_age: pulumi.Output[float] = None – The number of days that a user password is valid.
minimum_password_length: pulumi.Output[float] = None – Minimum length to require for user passwords.
password_reuse_prevention: pulumi.Output[float] = None – The number of previous passwords that users are prevented from reusing.
require_lowercase_characters: pulumi.Output[bool] = None – Whether to require lowercase characters for user passwords.
require_numbers: pulumi.Output[bool] = None – Whether to require numbers for user passwords.
require_symbols: pulumi.Output[bool] = None – Whether to require symbols for user passwords.
require_uppercase_characters: pulumi.Output[bool] = None – Whether to require uppercase characters for user passwords.
- static
get(resource_name, id, opts=None, allow_users_to_change_password=None, expire_passwords=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None)
Get an existing AccountPasswordPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
allow_users_to_change_password (pulumi.Input[bool]) – Whether to allow users to change their own password
expire_passwords (pulumi.Input[bool]) – Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present.
hard_expiry (pulumi.Input[bool]) – Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)
max_password_age (pulumi.Input[float]) – The number of days that a user password is valid.
minimum_password_length (pulumi.Input[float]) – Minimum length to require for user passwords.
password_reuse_prevention (pulumi.Input[float]) – The number of previous passwords that users are prevented from reusing.
require_lowercase_characters (pulumi.Input[bool]) – Whether to require lowercase characters for user passwords.
require_numbers (pulumi.Input[bool]) – Whether to require numbers for user passwords.
require_symbols (pulumi.Input[bool]) – Whether to require symbols for user passwords.
require_uppercase_characters (pulumi.Input[bool]) – Whether to require uppercase characters for user passwords.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.AwaitableGetAccountAliasResult(account_alias=None, id=None)
- class
pulumi_aws.iam.AwaitableGetGroupResult(arn=None, group_id=None, group_name=None, id=None, path=None, users=None)
- class
pulumi_aws.iam.AwaitableGetInstanceProfileResult(arn=None, create_date=None, id=None, name=None, path=None, role_arn=None, role_id=None, role_name=None)
- class
pulumi_aws.iam.AwaitableGetPolicyDocumentResult(id=None, json=None, override_json=None, policy_id=None, source_json=None, statements=None, version=None)
- class
pulumi_aws.iam.AwaitableGetPolicyResult(arn=None, description=None, id=None, name=None, path=None, policy=None)
- class
pulumi_aws.iam.AwaitableGetRoleResult(arn=None, assume_role_policy=None, create_date=None, description=None, id=None, max_session_duration=None, name=None, path=None, permissions_boundary=None, tags=None, unique_id=None)
- class
pulumi_aws.iam.AwaitableGetServerCertificateResult(arn=None, certificate_body=None, certificate_chain=None, expiration_date=None, id=None, latest=None, name=None, name_prefix=None, path=None, path_prefix=None, upload_date=None)
- class
pulumi_aws.iam.AwaitableGetUserResult(arn=None, id=None, path=None, permissions_boundary=None, user_id=None, user_name=None)
- class
pulumi_aws.iam.GetAccountAliasResult(account_alias=None, id=None)
A collection of values returned by getAccountAlias.
account_alias = None – The alias associated with the AWS account.
id = None – The provider-assigned unique ID for this managed resource.
- class
pulumi_aws.iam.GetGroupResult(arn=None, group_id=None, group_name=None, id=None, path=None, users=None)
A collection of values returned by getGroup.
arn = None – The Amazon Resource Name (ARN) specifying the iam user.
group_id = None – The stable and unique string identifying the group.
id = None – The provider-assigned unique ID for this managed resource.
path = None – The path to the iam user.
users = None – List of objects containing group member information. See supported fields below.
- class
pulumi_aws.iam.GetInstanceProfileResult(arn=None, create_date=None, id=None, name=None, path=None, role_arn=None, role_id=None, role_name=None)
A collection of values returned by getInstanceProfile.
arn = None – The Amazon Resource Name (ARN) specifying the instance profile.
create_date = None – The string representation of the date the instance profile was created.
id = None – The provider-assigned unique ID for this managed resource.
path = None – The path to the instance profile.
role_arn = None – The role arn associated with this instance profile.
role_id = None – The role id associated with this instance profile.
role_name = None – The role name associated with this instance profile.
- class
pulumi_aws.iam.GetPolicyDocumentResult(id=None, json=None, override_json=None, policy_id=None, source_json=None, statements=None, version=None)
A collection of values returned by getPolicyDocument.
id = None – The provider-assigned unique ID for this managed resource.
json = None – The above arguments serialized as a standard JSON policy document.
- class
pulumi_aws.iam.GetPolicyResult(arn=None, description=None, id=None, name=None, path=None, policy=None)
A collection of values returned by getPolicy.
arn = None – The Amazon Resource Name (ARN) specifying the policy.
description = None – The description of the policy.
id = None – The provider-assigned unique ID for this managed resource.
name = None – The name of the IAM policy.
path = None – The path to the policy.
policy = None – The policy document of the policy.
- class
pulumi_aws.iam.GetRoleResult(arn=None, assume_role_policy=None, create_date=None, description=None, id=None, max_session_duration=None, name=None, path=None, permissions_boundary=None, tags=None, unique_id=None)
A collection of values returned by getRole.
arn = None – The Amazon Resource Name (ARN) specifying the role.
assume_role_policy = None – The policy document associated with the role.
create_date = None – Creation date of the role in RFC 3339 format.
description = None – Description for the role.
id = None – The provider-assigned unique ID for this managed resource.
max_session_duration = None – Maximum session duration.
path = None – The path to the role.
permissions_boundary = None – The ARN of the policy that is used to set the permissions boundary for the role.
The tags attached to the role.
unique_id = None – The stable and unique string identifying the role.
- class
pulumi_aws.iam.GetServerCertificateResult(arn=None, certificate_body=None, certificate_chain=None, expiration_date=None, id=None, latest=None, name=None, name_prefix=None, path=None, path_prefix=None, upload_date=None)
A collection of values returned by getServerCertificate.
id = None – The provider-assigned unique ID for this managed resource.
- class
pulumi_aws.iam.GetUserResult(arn=None, id=None, path=None, permissions_boundary=None, user_id=None, user_name=None)
A collection of values returned by getUser.
arn = None – The Amazon Resource Name (ARN) assigned by AWS for this user.
id = None – The provider-assigned unique ID for this managed resource.
path = None – Path in which this user was created.
permissions_boundary = None – The ARN of the policy that is used to set the permissions boundary for the user.
user_id = None – The unique ID assigned by AWS for this user.
user_name = None – The name associated to this User
- class
pulumi_aws.iam.Group(resource_name, opts=None, name=None, path=None, __props__=None, __name__=None, __opts__=None)
Provides an IAM group.
```python
import pulumi
import pulumi_aws as aws

developers = aws.iam.Group("developers", path="/users/")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
name (pulumi.Input[str]) – The group’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. Group names are not distinguished by case. For example, you cannot create groups named both “ADMINS” and “admins”.
path (pulumi.Input[str]) – Path in which to create the group.
arn: pulumi.Output[str] = None – The ARN assigned by AWS for this group.
name: pulumi.Output[str] = None – The group’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. Group names are not distinguished by case. For example, you cannot create groups named both “ADMINS” and “admins”.
path: pulumi.Output[str] = None – Path in which to create the group.
unique_id: pulumi.Output[str] = None – The unique ID assigned by AWS.
- static
get(resource_name, id, opts=None, arn=None, name=None, path=None, unique_id=None)
Get an existing Group resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The ARN assigned by AWS for this group.
name (pulumi.Input[str]) – The group’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. Group names are not distinguished by case. For example, you cannot create groups named both “ADMINS” and “admins”.
path (pulumi.Input[str]) – Path in which to create the group.
unique_id (pulumi.Input[str]) – The unique ID assigned by AWS.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.GroupMembership(resource_name, opts=None, group=None, name=None, users=None, __props__=None, __name__=None, __opts__=None)
WARNING: Multiple iam.GroupMembership resources with the same group name will produce inconsistent behavior!
Provides a top level resource to manage IAM Group membership for IAM Users. For more information on managing IAM Groups or IAM Users, see IAM Groups or IAM Users.
Note: iam.GroupMembership will conflict with itself if used more than once with the same group. To non-exclusively manage the users in a group, see the iam.UserGroupMembership resource.
```python
import pulumi
import pulumi_aws as aws

group = aws.iam.Group("group")
user_one = aws.iam.User("userOne")
user_two = aws.iam.User("userTwo")
team = aws.iam.GroupMembership("team",
    group=group.name,
    users=[
        user_one.name,
        user_two.name,
    ])
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
group (pulumi.Input[str]) – The IAM Group name to attach the list of users to
name (pulumi.Input[str]) – The name to identify the Group Membership
users (pulumi.Input[list]) – A list of IAM User names to associate with the Group
group: pulumi.Output[str] = None – The IAM Group name to attach the list of users to
name: pulumi.Output[str] = None – The name to identify the Group Membership
users: pulumi.Output[list] = None – A list of IAM User names to associate with the Group
- static
get(resource_name, id, opts=None, group=None, name=None, users=None)
Get an existing GroupMembership resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
group (pulumi.Input[str]) – The IAM Group name to attach the list of users to
name (pulumi.Input[str]) – The name to identify the Group Membership
users (pulumi.Input[list]) – A list of IAM User names to associate with the Group
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.GroupPolicy(resource_name, opts=None, group=None, name=None, name_prefix=None, policy=None, __props__=None, __name__=None, __opts__=None)
Provides an IAM policy attached to a group.
```python
import pulumi
import pulumi_aws as aws

my_developers = aws.iam.Group("myDevelopers", path="/users/")
my_developer_policy = aws.iam.GroupPolicy("myDeveloperPolicy",
    group=my_developers.id,
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
group (pulumi.Input[str]) – The IAM group to attach to the policy.
name (pulumi.Input[str]) – The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
group: pulumi.Output[str] = None – The IAM group to attach to the policy.
name: pulumi.Output[str] = None – The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix: pulumi.Output[str] = None – Creates a unique name beginning with the specified prefix. Conflicts with name.
policy: pulumi.Output[str] = None – The policy document. This is a JSON formatted string.
- static
get(resource_name, id, opts=None, group=None, name=None, name_prefix=None, policy=None)
Get an existing GroupPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
group (pulumi.Input[str]) – The IAM group to attach to the policy.
name (pulumi.Input[str]) – The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.GroupPolicyAttachment(resource_name, opts=None, group=None, policy_arn=None, __props__=None, __name__=None, __opts__=None)
Attaches a Managed IAM Policy to an IAM group
NOTE: The usage of this resource conflicts with the iam.PolicyAttachment resource and will permanently show a difference if both are defined.
```python
import pulumi
import pulumi_aws as aws

group = aws.iam.Group("group")
policy = aws.iam.Policy("policy",
    description="A test policy",
    policy="")  # insert policy here
test_attach = aws.iam.GroupPolicyAttachment("test-attach",
    group=group.name,
    policy_arn=policy.arn)
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
group (pulumi.Input[dict]) – The group the policy should be applied to
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
group: pulumi.Output[str] = None – The group the policy should be applied to
policy_arn: pulumi.Output[str] = None – The ARN of the policy you want to apply
- static
get(resource_name, id, opts=None, group=None, policy_arn=None)
Get an existing GroupPolicyAttachment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
group (pulumi.Input[dict]) – The group the policy should be applied to
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.InstanceProfile(resource_name, opts=None, name=None, name_prefix=None, path=None, role=None, roles=None, __props__=None, __name__=None, __opts__=None)
Provides an IAM instance profile.
```python
import pulumi
import pulumi_aws as aws

role = aws.iam.Role("role",
    assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
""",
    path="/")
test_profile = aws.iam.InstanceProfile("testProfile", role=role.name)
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
name (pulumi.Input[str]) – The profile’s name. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – Path in which to create the profile.
role (pulumi.Input[dict]) – The role name to include in the profile.
roles (pulumi.Input[list]) – A list of role names to include in the profile. The current default is 1. If you see an error message similar to Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1, then you must contact AWS support and ask for a limit increase.
arn: pulumi.Output[str] = None – The ARN assigned by AWS to the instance profile.
create_date: pulumi.Output[str] = None – The creation timestamp of the instance profile.
name: pulumi.Output[str] = None – The profile’s name. If omitted, this provider will assign a random, unique name.
name_prefix: pulumi.Output[str] = None – Creates a unique name beginning with the specified prefix. Conflicts with name.
path: pulumi.Output[str] = None – Path in which to create the profile.
role: pulumi.Output[str] = None – The role name to include in the profile.
roles: pulumi.Output[list] = None – A list of role names to include in the profile. The current default is 1. If you see an error message similar to Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1, then you must contact AWS support and ask for a limit increase.
unique_id: pulumi.Output[str] = None – The unique ID assigned by AWS.
- static
get(resource_name, id, opts=None, arn=None, create_date=None, name=None, name_prefix=None, path=None, role=None, roles=None, unique_id=None)¶ Get an existing InstanceProfile resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The ARN assigned by AWS to the instance profile.
create_date (pulumi.Input[str]) – The creation timestamp of the instance profile.
name (pulumi.Input[str]) – The profile’s name. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – Path in which to create the profile.
role (pulumi.Input[dict]) – The role name to include in the profile.
roles (pulumi.Input[list]) – A list of role names to include in the profile. The current default is 1. If you see an error message similar to Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1, then you must contact AWS support and ask for a limit increase.
unique_id (pulumi.Input[str]) – The unique ID assigned by AWS.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.OpenIdConnectProvider(resource_name, opts=None, client_id_lists=None, thumbprint_lists=None, url=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM OpenID Connect provider.
```python
import pulumi
import pulumi_aws as aws

default = aws.iam.OpenIdConnectProvider("default",
    client_id_lists=["266362248691-342342xasdasdasda-apps.googleusercontent.com"],
    thumbprint_lists=[],
    url="https://accounts.google.com")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
client_id_lists (pulumi.Input[list]) – A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the client_id parameter on OAuth requests.)
thumbprint_lists (pulumi.Input[list]) – A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificate(s).
url (pulumi.Input[str]) – The URL of the identity provider. Corresponds to the iss claim.
arn: pulumi.Output[str] = None¶The ARN assigned by AWS for this provider.
client_id_lists: pulumi.Output[list] = None¶A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the client_id parameter on OAuth requests.)
thumbprint_lists: pulumi.Output[list] = None¶A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificate(s).
url: pulumi.Output[str] = None¶The URL of the identity provider. Corresponds to the iss claim.
- static
get(resource_name, id, opts=None, arn=None, client_id_lists=None, thumbprint_lists=None, url=None)¶ Get an existing OpenIdConnectProvider resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The ARN assigned by AWS for this provider.
client_id_lists (pulumi.Input[list]) – A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that’s sent as the client_id parameter on OAuth requests.)
thumbprint_lists (pulumi.Input[list]) – A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider’s server certificate(s).
url (pulumi.Input[str]) – The URL of the identity provider. Corresponds to the iss claim.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.Policy(resource_name, opts=None, description=None, name=None, name_prefix=None, path=None, policy=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM policy.
```python
import pulumi
import pulumi_aws as aws

policy = aws.iam.Policy("policy",
    description="My test policy",
    path="/",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
description (pulumi.Input[str]) – Description of the IAM policy.
name (pulumi.Input[str]) – The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – Path in which to create the policy. See IAM Identifiers for more information.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
arn: pulumi.Output[str] = None¶The ARN assigned by AWS to this policy.
description: pulumi.Output[str] = None¶Description of the IAM policy.
name: pulumi.Output[str] = None¶The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix: pulumi.Output[str] = None¶Creates a unique name beginning with the specified prefix. Conflicts with name.
path: pulumi.Output[str] = None¶Path in which to create the policy. See IAM Identifiers for more information.
policy: pulumi.Output[str] = None¶The policy document. This is a JSON formatted string.
- static
get(resource_name, id, opts=None, arn=None, description=None, name=None, name_prefix=None, path=None, policy=None)¶ Get an existing Policy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The ARN assigned by AWS to this policy.
description (pulumi.Input[str]) – Description of the IAM policy.
name (pulumi.Input[str]) – The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – Path in which to create the policy. See IAM Identifiers for more information.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.PolicyAttachment(resource_name, opts=None, groups=None, name=None, policy_arn=None, roles=None, users=None, __props__=None, __name__=None, __opts__=None)¶ Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
WARNING: The iam.PolicyAttachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single iam.PolicyAttachment resource. This means that any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider iam.RolePolicyAttachment, iam.UserPolicyAttachment, or iam.GroupPolicyAttachment instead. These resources do not enforce exclusive attachment of an IAM policy.

NOTE: The usage of this resource conflicts with the iam.GroupPolicyAttachment, iam.RolePolicyAttachment, and iam.UserPolicyAttachment resources and will permanently show a difference if both are defined.

```python
import pulumi
import pulumi_aws as aws

user = aws.iam.User("user")
role = aws.iam.Role("role", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
""")
group = aws.iam.Group("group")
policy = aws.iam.Policy("policy",
    description="A test policy",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
# Exclusive: any other user, role or group holding this policy is detached.
test_attach = aws.iam.PolicyAttachment("test-attach",
    groups=[group.name],
    policy_arn=policy.arn,
    roles=[role.name],
    users=[user.name])
```
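The exclusivity described in the warning above can be checked before deployment. The following is an added example, not code from the provider or its documentation: it compares one declared iam.PolicyAttachment against the entities that currently hold the policy and reports which of them would be detached, and it flags policies managed by both attachment styles. The ExclusiveAttachment class, the function names, the ARNs and the entity names are hypothetical and constructed; in practice the live data would come from IAM's ListEntitiesForPolicy API.

```python
from dataclasses import dataclass

KINDS = ("users", "roles", "groups")

# Per-entity resources that the page says conflict with iam.PolicyAttachment.
PER_ENTITY_TYPES = {
    "iam.UserPolicyAttachment": "users",
    "iam.RolePolicyAttachment": "roles",
    "iam.GroupPolicyAttachment": "groups",
}


@dataclass(frozen=True)
class ExclusiveAttachment:
    """Hypothetical stand-in for the arguments of one iam.PolicyAttachment."""
    name: str
    policy_arn: str
    users: tuple = ()
    roles: tuple = ()
    groups: tuple = ()


def would_be_revoked(declared, live_entities):
    """Entities that hold declared.policy_arn today but are not declared.

    live_entities maps policy ARN -> {"users": [...], "roles": [...],
    "groups": [...]}. Returns {kind: sorted names}; empty dict means the
    exclusive attachment detaches nobody.
    """
    current = live_entities.get(declared.policy_arn, {})
    revoked = {}
    for kind in KINDS:
        lost = set(current.get(kind, ())) - set(getattr(declared, kind))
        if lost:
            revoked[kind] = sorted(lost)
    return revoked


def find_conflicts(exclusive, per_entity):
    """Flag policies declared in ways that fight each other.

    exclusive: list of ExclusiveAttachment.
    per_entity: list of (resource_type, policy_arn, entity_name) tuples.
    """
    findings = []
    by_arn = {}
    for att in exclusive:
        by_arn.setdefault(att.policy_arn, []).append(att.name)
    # Two exclusive attachments for one policy each revoke the other's set.
    for arn, names in sorted(by_arn.items()):
        if len(names) > 1:
            findings.append(("multiple-exclusive", arn, tuple(sorted(names))))
    # A per-entity attachment on the same policy shows a permanent difference.
    for rtype, arn, entity in per_entity:
        if rtype in PER_ENTITY_TYPES and arn in by_arn:
            findings.append(("mixed-with-exclusive", arn, (rtype, entity)))
    return findings


# Constructed sample data (placeholder account id and names).
READONLY = "arn:aws:iam::123456789012:policy/example-readonly"
AUDIT = "arn:aws:iam::123456789012:policy/example-audit"

LIVE = {
    READONLY: {
        "users": ["alice", "lb-user"],
        "roles": ["ci-deployer", "web"],
        "groups": ["ops"],
    },
}
DECLARED = ExclusiveAttachment(
    "test-attach", READONLY, users=("lb-user",), roles=("web",), groups=("ops",)
)
PER_ENTITY = [
    ("iam.RolePolicyAttachment", READONLY, "batch"),
    ("iam.RolePolicyAttachment", AUDIT, "auditor"),
]

if __name__ == "__main__":
    print("would be detached:", would_be_revoked(DECLARED, LIVE))
    for finding in find_conflicts([DECLARED], PER_ENTITY):
        print("conflict:", finding)
```

A non-empty result from would_be_revoked is the list of principals that lose the policy on the next update, which is the review signal to switch to the per-entity attachment resources.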
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
groups (pulumi.Input[list]) – The group(s) the policy should be applied to
name (pulumi.Input[str]) – The name of the attachment. This cannot be an empty string.
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
roles (pulumi.Input[list]) – The role(s) the policy should be applied to
users (pulumi.Input[list]) – The user(s) the policy should be applied to
groups: pulumi.Output[list] = None¶The group(s) the policy should be applied to
name: pulumi.Output[str] = None¶The name of the attachment. This cannot be an empty string.
policy_arn: pulumi.Output[str] = None¶The ARN of the policy you want to apply
roles: pulumi.Output[list] = None¶The role(s) the policy should be applied to
users: pulumi.Output[list] = None¶The user(s) the policy should be applied to
- static
get(resource_name, id, opts=None, groups=None, name=None, policy_arn=None, roles=None, users=None)¶ Get an existing PolicyAttachment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
groups (pulumi.Input[list]) – The group(s) the policy should be applied to
name (pulumi.Input[str]) – The name of the attachment. This cannot be an empty string.
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
roles (pulumi.Input[list]) – The role(s) the policy should be applied to
users (pulumi.Input[list]) – The user(s) the policy should be applied to
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.Role(resource_name, opts=None, assume_role_policy=None, description=None, force_detach_policies=None, max_session_duration=None, name=None, name_prefix=None, path=None, permissions_boundary=None, tags=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM role.
NOTE: If policies are attached to the role via the iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The iam.RolePolicyAttachment resource (recommended) does not have this requirement.

```python
import pulumi
import pulumi_aws as aws

test_role = aws.iam.Role("testRole",
    assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
""",
    tags={
        "tag-key": "tag-value",
    })
```

```python
import pulumi
import pulumi_aws as aws

instance_assume_role_policy = aws.iam.get_policy_document(statements=[{
    "actions": ["sts:AssumeRole"],
    "principals": [{
        "identifiers": ["ec2.amazonaws.com"],
        "type": "Service",
    }],
}])
instance = aws.iam.Role("instance",
    assume_role_policy=instance_assume_role_policy.json,
    path="/system/")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
assume_role_policy (pulumi.Input[dict]) – The policy that grants an entity permission to assume the role.
description (pulumi.Input[str]) – The description of the role.
force_detach_policies (pulumi.Input[bool]) – Specifies to force detaching any policies the role has before destroying it. Defaults to false.
max_session_duration (pulumi.Input[float]) – The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name (pulumi.Input[str]) – The name of the role. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – The path to the role. See IAM Identifiers for more information.
permissions_boundary (pulumi.Input[str]) – The ARN of the policy that is used to set the permissions boundary for the role.
tags (pulumi.Input[dict]) – Key-value map of tags for the IAM role
arn: pulumi.Output[str] = None¶The Amazon Resource Name (ARN) specifying the role.
assume_role_policy: pulumi.Output[str] = None¶The policy that grants an entity permission to assume the role.
create_date: pulumi.Output[str] = None¶The creation date of the IAM role.
description: pulumi.Output[str] = None¶The description of the role.
force_detach_policies: pulumi.Output[bool] = None¶Specifies to force detaching any policies the role has before destroying it. Defaults to false.
max_session_duration: pulumi.Output[float] = None¶The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name: pulumi.Output[str] = None¶The name of the role. If omitted, this provider will assign a random, unique name.
name_prefix: pulumi.Output[str] = None¶Creates a unique name beginning with the specified prefix. Conflicts with name.
path: pulumi.Output[str] = None¶The path to the role. See IAM Identifiers for more information.
permissions_boundary: pulumi.Output[str] = None¶The ARN of the policy that is used to set the permissions boundary for the role.
tags: pulumi.Output[dict] = None¶Key-value map of tags for the IAM role
unique_id: pulumi.Output[str] = None¶The stable and unique string identifying the role.
- static
get(resource_name, id, opts=None, arn=None, assume_role_policy=None, create_date=None, description=None, force_detach_policies=None, max_session_duration=None, name=None, name_prefix=None, path=None, permissions_boundary=None, tags=None, unique_id=None)¶ Get an existing Role resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) specifying the role.
assume_role_policy (pulumi.Input[dict]) – The policy that grants an entity permission to assume the role.
create_date (pulumi.Input[str]) – The creation date of the IAM role.
description (pulumi.Input[str]) – The description of the role.
force_detach_policies (pulumi.Input[bool]) – Specifies to force detaching any policies the role has before destroying it. Defaults to false.
max_session_duration (pulumi.Input[float]) – The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name (pulumi.Input[str]) – The name of the role. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – The path to the role. See IAM Identifiers for more information.
permissions_boundary (pulumi.Input[str]) – The ARN of the policy that is used to set the permissions boundary for the role.
tags (pulumi.Input[dict]) – Key-value map of tags for the IAM role
unique_id (pulumi.Input[str]) – The stable and unique string identifying the role.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.RolePolicy(resource_name, opts=None, name=None, name_prefix=None, policy=None, role=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM role inline policy.
```python
import pulumi
import pulumi_aws as aws

test_role = aws.iam.Role("testRole", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
""")
test_policy = aws.iam.RolePolicy("testPolicy",
    role=test_role.id,
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
name (pulumi.Input[str]) – The name of the role policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
role (pulumi.Input[dict]) – The IAM role to attach to the policy.
name: pulumi.Output[str] = None¶The name of the role policy. If omitted, this provider will assign a random, unique name.
name_prefix: pulumi.Output[str] = None¶Creates a unique name beginning with the specified prefix. Conflicts with name.
policy: pulumi.Output[str] = None¶The policy document. This is a JSON formatted string.
role: pulumi.Output[str] = None¶The IAM role to attach to the policy.
- static
get(resource_name, id, opts=None, name=None, name_prefix=None, policy=None, role=None)¶ Get an existing RolePolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
name (pulumi.Input[str]) – The name of the role policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
role (pulumi.Input[dict]) – The IAM role to attach to the policy.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.RolePolicyAttachment(resource_name, opts=None, policy_arn=None, role=None, __props__=None, __name__=None, __opts__=None)¶ Attaches a Managed IAM Policy to an IAM role
NOTE: The usage of this resource conflicts with the iam.PolicyAttachment resource and will permanently show a difference if both are defined.

```python
import pulumi
import pulumi_aws as aws

role = aws.iam.Role("role", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
""")
policy = aws.iam.Policy("policy",
    description="A test policy",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
test_attach = aws.iam.RolePolicyAttachment("test-attach",
    policy_arn=policy.arn,
    role=role.name)
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
role (pulumi.Input[dict]) – The role the policy should be applied to
policy_arn: pulumi.Output[str] = None¶The ARN of the policy you want to apply
role: pulumi.Output[str] = None¶The role the policy should be applied to
- static
get(resource_name, id, opts=None, policy_arn=None, role=None)¶ Get an existing RolePolicyAttachment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
role (pulumi.Input[dict]) – The role the policy should be applied to
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.SamlProvider(resource_name, opts=None, name=None, saml_metadata_document=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM SAML provider.
```python
import pulumi
import pulumi_aws as aws

default = aws.iam.SamlProvider("default",
    saml_metadata_document=(lambda path: open(path).read())("saml-metadata.xml"))
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
name (pulumi.Input[str]) – The name of the provider to create.
saml_metadata_document (pulumi.Input[str]) – An XML document generated by an identity provider that supports SAML 2.0.
arn: pulumi.Output[str] = None¶The ARN assigned by AWS for this provider.
name: pulumi.Output[str] = None¶The name of the provider to create.
saml_metadata_document: pulumi.Output[str] = None¶An XML document generated by an identity provider that supports SAML 2.0.
valid_until: pulumi.Output[str] = None¶The expiration date and time for the SAML provider in RFC1123 format, e.g. Mon, 02 Jan 2006 15:04:05 MST.
- static
get(resource_name, id, opts=None, arn=None, name=None, saml_metadata_document=None, valid_until=None)¶ Get an existing SamlProvider resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The ARN assigned by AWS for this provider.
name (pulumi.Input[str]) – The name of the provider to create.
saml_metadata_document (pulumi.Input[str]) – An XML document generated by an identity provider that supports SAML 2.0.
valid_until (pulumi.Input[str]) – The expiration date and time for the SAML provider in RFC1123 format, e.g. Mon, 02 Jan 2006 15:04:05 MST.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.ServerCertificate(resource_name, opts=None, arn=None, certificate_body=None, certificate_chain=None, name=None, name_prefix=None, path=None, private_key=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM Server Certificate resource to upload Server Certificates. Certs uploaded to IAM can easily work with other AWS services such as:
AWS Elastic Beanstalk
Elastic Load Balancing
CloudFront
AWS OpsWorks
For information about server certificates in IAM, see Managing Server Certificates in AWS Documentation.
Note: All arguments including the private key will be stored in the raw state as plain-text.
```python
import pulumi
import pulumi_aws as aws

test_cert = aws.iam.ServerCertificate("testCert",
    certificate_body=(lambda path: open(path).read())("self-ca-cert.pem"),
    private_key=(lambda path: open(path).read())("test-key.pem"))
```
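Because the private key is stored in the state as plain text, an exported state can be audited for PEM private keys. This added example (not part of the provider's documentation) walks a state document and reports every string value holding a PEM private-key header; the deployment.resources[].inputs/outputs layout, the URNs and the property names in the sample are constructed assumptions.

```python
import json
import re

# Matches "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "BEGIN EC PRIVATE KEY",
# "BEGIN ENCRYPTED PRIVATE KEY", and similar PEM headers.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def walk_strings(node, path=""):
    """Yield (dotted_path, value) for every string nested inside node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def plaintext_private_keys(state_json):
    """Return [(urn, property_path)] for PEM private keys readable in the state.

    Assumes (not taken from the page) that resources are listed under
    deployment.resources, each with a urn and inputs/outputs property bags.
    """
    state = json.loads(state_json)
    findings = []
    for resource in state.get("deployment", {}).get("resources", []):
        urn = resource.get("urn", "<no urn>")
        for section in ("inputs", "outputs"):
            for path, value in walk_strings(resource.get(section, {})):
                if PEM_PRIVATE_KEY.search(value):
                    findings.append((urn, f"{section}.{path}"))
    return findings


# Constructed sample state: no real key material, placeholder names throughout.
CERT_URN = "urn:pulumi:dev::demo::aws:iam/serverCertificate:ServerCertificate::testCert"
FAKE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "CONSTRUCTED-NOT-A-REAL-KEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"

SAMPLE_STATE = json.dumps({
    "deployment": {
        "resources": [
            {
                "urn": CERT_URN,
                "inputs": {"certificateBody": FAKE_CERT, "privateKey": FAKE_KEY},
                "outputs": {
                    "arn": "arn:aws:iam::123456789012:server-certificate/testCert",
                    "certificateBody": FAKE_CERT,
                    "privateKey": FAKE_KEY,
                },
            },
            {
                # A value that is not readable PEM is not reported.
                "urn": "urn:pulumi:dev::demo::example:index:Other::opaque",
                "outputs": {"blob": "constructed-opaque-value"},
            },
        ]
    }
})

if __name__ == "__main__":
    for urn, prop in plaintext_private_keys(SAMPLE_STATE):
        print(f"plaintext private key: {urn} -> {prop}")
```

Any finding means whoever can read the state file or its backend can read the key, so access to the state needs the same controls as the key itself.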
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) specifying the server certificate.
certificate_body (pulumi.Input[str]) – The contents of the public key certificate in PEM-encoded format.
certificate_chain (pulumi.Input[str]) – The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.
name (pulumi.Input[str]) – The name of the Server Certificate. Do not include the path in this value. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – The IAM path for the server certificate. If it is not included, it defaults to a slash (/). If this certificate is for use with AWS CloudFront, the path must be in format /cloudfront/your_path_here. See IAM Identifiers for more details on IAM Paths.
private_key (pulumi.Input[str]) – The contents of the private key in PEM-encoded format.
arn: pulumi.Output[str] = None¶The Amazon Resource Name (ARN) specifying the server certificate.
certificate_body: pulumi.Output[str] = None¶The contents of the public key certificate in PEM-encoded format.
certificate_chain: pulumi.Output[str] = None¶The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.
name: pulumi.Output[str] = None¶The name of the Server Certificate. Do not include the path in this value. If omitted, this provider will assign a random, unique name.
name_prefix: pulumi.Output[str] = None¶Creates a unique name beginning with the specified prefix. Conflicts with name.
path: pulumi.Output[str] = None¶The IAM path for the server certificate. If it is not included, it defaults to a slash (/). If this certificate is for use with AWS CloudFront, the path must be in format /cloudfront/your_path_here. See IAM Identifiers for more details on IAM Paths.
private_key: pulumi.Output[str] = None¶The contents of the private key in PEM-encoded format.
- static
get(resource_name, id, opts=None, arn=None, certificate_body=None, certificate_chain=None, name=None, name_prefix=None, path=None, private_key=None)¶ Get an existing ServerCertificate resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) specifying the server certificate.
certificate_body (pulumi.Input[str]) – The contents of the public key certificate in PEM-encoded format.
certificate_chain (pulumi.Input[str]) – The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.
name (pulumi.Input[str]) – The name of the Server Certificate. Do not include the path in this value. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
path (pulumi.Input[str]) – The IAM path for the server certificate. If it is not included, it defaults to a slash (/). If this certificate is for use with AWS CloudFront, the path must be in format /cloudfront/your_path_here. See IAM Identifiers for more details on IAM Paths.
private_key (pulumi.Input[str]) – The contents of the private key in PEM-encoded format.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.ServiceLinkedRole(resource_name, opts=None, aws_service_name=None, custom_suffix=None, description=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM service-linked role.
```python
import pulumi
import pulumi_aws as aws

elasticbeanstalk = aws.iam.ServiceLinkedRole("elasticbeanstalk",
    aws_service_name="elasticbeanstalk.amazonaws.com")
```
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
aws_service_name (pulumi.Input[str]) – The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.
custom_suffix (pulumi.Input[str]) – Additional string appended to the role name. Not all AWS services support custom suffixes.
description (pulumi.Input[str]) – The description of the role.
arn: pulumi.Output[str] = None¶The Amazon Resource Name (ARN) specifying the role.
aws_service_name: pulumi.Output[str] = None¶The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.
create_date: pulumi.Output[str] = None¶The creation date of the IAM role.
custom_suffix: pulumi.Output[str] = None¶Additional string appended to the role name. Not all AWS services support custom suffixes.
description: pulumi.Output[str] = None¶The description of the role.
name: pulumi.Output[str] = None¶The name of the role.
path: pulumi.Output[str] = None¶The path of the role.
unique_id: pulumi.Output[str] = None¶The stable and unique string identifying the role.
- static
get(resource_name, id, opts=None, arn=None, aws_service_name=None, create_date=None, custom_suffix=None, description=None, name=None, path=None, unique_id=None)¶ Get an existing ServiceLinkedRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) specifying the role.
aws_service_name (pulumi.Input[str]) – The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.
create_date (pulumi.Input[str]) – The creation date of the IAM role.
custom_suffix (pulumi.Input[str]) – Additional string appended to the role name. Not all AWS services support custom suffixes.
description (pulumi.Input[str]) – The description of the role.
name (pulumi.Input[str]) – The name of the role.
path (pulumi.Input[str]) – The path of the role.
unique_id (pulumi.Input[str]) – The stable and unique string identifying the role.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.SshKey(resource_name, opts=None, encoding=None, public_key=None, status=None, username=None, __props__=None, __name__=None, __opts__=None)¶ Uploads an SSH public key and associates it with the specified IAM user.
    import pulumi
    import pulumi_aws as aws

    user_user = aws.iam.User("userUser", path="/")
    user_ssh_key = aws.iam.SshKey("userSshKey",
        encoding="SSH",
        public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 mytest@mydomain.com",
        username=user_user.name)
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
encoding (pulumi.Input[str]) – Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.
public_key (pulumi.Input[str]) – The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.
status (pulumi.Input[str]) – The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.
username (pulumi.Input[str]) – The name of the IAM user to associate the SSH public key with.
encoding: pulumi.Output[str] = None¶Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.
fingerprint: pulumi.Output[str] = None¶The MD5 message digest of the SSH public key.
public_key: pulumi.Output[str] = None¶The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.
ssh_public_key_id: pulumi.Output[str] = None¶The unique identifier for the SSH public key.
status: pulumi.Output[str] = None¶The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.
username: pulumi.Output[str] = None¶The name of the IAM user to associate the SSH public key with.
- static
get(resource_name, id, opts=None, encoding=None, fingerprint=None, public_key=None, ssh_public_key_id=None, status=None, username=None)¶ Get an existing SshKey resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
encoding (pulumi.Input[str]) – Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.
fingerprint (pulumi.Input[str]) – The MD5 message digest of the SSH public key.
public_key (pulumi.Input[str]) – The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.
ssh_public_key_id (pulumi.Input[str]) – The unique identifier for the SSH public key.
status (pulumi.Input[str]) – The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.
username (pulumi.Input[str]) – The name of the IAM user to associate the SSH public key with.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.User(resource_name, opts=None, force_destroy=None, name=None, path=None, permissions_boundary=None, tags=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM user.
NOTE: If policies are attached to the user via the iam.PolicyAttachment resource and you are modifying the user name or path, the force_destroy argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The iam.UserPolicyAttachment resource (recommended) does not have this requirement.

    import pulumi
    import pulumi_aws as aws

    lb_user = aws.iam.User("lbUser",
        path="/system/",
        tags={
            "tag-key": "tag-value",
        })
    lb_access_key = aws.iam.AccessKey("lbAccessKey", user=lb_user.name)
    lb_ro = aws.iam.UserPolicy("lbRo",
        policy="""{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    """,
        user=lb_user.name)
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
force_destroy (pulumi.Input[bool]) – When destroying this user, destroy even if it has non-provider-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-provider-managed access keys and login profile will fail to be destroyed.
name (pulumi.Input[str]) – The user’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. User names are not distinguished by case. For example, you cannot create users named both “TESTUSER” and “testuser”.
path (pulumi.Input[str]) – Path in which to create the user.
permissions_boundary (pulumi.Input[str]) – The ARN of the policy that is used to set the permissions boundary for the user.
tags (pulumi.Input[dict]) – Key-value mapping of tags for the IAM user
arn: pulumi.Output[str] = None¶The ARN assigned by AWS for this user.
force_destroy: pulumi.Output[bool] = None¶When destroying this user, destroy even if it has non-provider-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-provider-managed access keys and login profile will fail to be destroyed.
name: pulumi.Output[str] = None¶The user’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. User names are not distinguished by case. For example, you cannot create users named both “TESTUSER” and “testuser”.
path: pulumi.Output[str] = None¶Path in which to create the user.
permissions_boundary: pulumi.Output[str] = None¶The ARN of the policy that is used to set the permissions boundary for the user.
tags: pulumi.Output[dict] = None¶Key-value mapping of tags for the IAM user
unique_id: pulumi.Output[str] = None¶The unique ID assigned by AWS.
- static
get(resource_name, id, opts=None, arn=None, force_destroy=None, name=None, path=None, permissions_boundary=None, tags=None, unique_id=None)¶ Get an existing User resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The ARN assigned by AWS for this user.
force_destroy (pulumi.Input[bool]) – When destroying this user, destroy even if it has non-provider-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-provider-managed access keys and login profile will fail to be destroyed.
name (pulumi.Input[str]) – The user’s name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_.. User names are not distinguished by case. For example, you cannot create users named both “TESTUSER” and “testuser”.
path (pulumi.Input[str]) – Path in which to create the user.
permissions_boundary (pulumi.Input[str]) – The ARN of the policy that is used to set the permissions boundary for the user.
tags (pulumi.Input[dict]) – Key-value mapping of tags for the IAM user
unique_id (pulumi.Input[str]) – The unique ID assigned by AWS.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.UserGroupMembership(resource_name, opts=None, groups=None, user=None, __props__=None, __name__=None, __opts__=None)¶ Provides a resource for adding an IAM User to IAM Groups. This resource can be used multiple times with the same user for non-overlapping groups.
To exclusively manage the users in a group, see the iam.GroupMembership resource.

    import pulumi
    import pulumi_aws as aws

    user1 = aws.iam.User("user1")
    group1 = aws.iam.Group("group1")
    group2 = aws.iam.Group("group2")
    example1 = aws.iam.UserGroupMembership("example1",
        groups=[
            group1.name,
            group2.name,
        ],
        user=user1.name)
    group3 = aws.iam.Group("group3")
    example2 = aws.iam.UserGroupMembership("example2",
        groups=[group3.name],
        user=user1.name)
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
groups (pulumi.Input[list]) – A list of IAM Groups to add the user to
user (pulumi.Input[str]) – The name of the IAM User to add to groups
groups: pulumi.Output[list] = None¶A list of IAM Groups to add the user to
- static
get(resource_name, id, opts=None, groups=None, user=None)¶ Get an existing UserGroupMembership resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
groups (pulumi.Input[list]) – A list of IAM Groups to add the user to
user (pulumi.Input[str]) – The name of the IAM User to add to groups
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.UserLoginProfile(resource_name, opts=None, password_length=None, password_reset_required=None, pgp_key=None, user=None, __props__=None, __name__=None, __opts__=None)¶ Manages an IAM User Login Profile with limited support for password creation during this provider resource creation. Uses PGP to encrypt the password for safe transport to the user. PGP keys can be obtained from Keybase.
To reset an IAM User login password via this provider, you can delete and recreate this resource or change any of the arguments.

    import pulumi
    import pulumi_aws as aws

    example_user = aws.iam.User("exampleUser",
        force_destroy=True,
        path="/")
    example_user_login_profile = aws.iam.UserLoginProfile("exampleUserLoginProfile",
        pgp_key="keybase:some_person_that_exists",
        user=example_user.name)
    pulumi.export("password", example_user_login_profile.encrypted_password)
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
password_length (pulumi.Input[float]) – The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
password_reset_required (pulumi.Input[bool]) – Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
pgp_key (pulumi.Input[str]) – Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
user (pulumi.Input[str]) – The IAM user’s name.
encrypted_password: pulumi.Output[str] = None¶The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
key_fingerprint: pulumi.Output[str] = None¶The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
password_length: pulumi.Output[float] = None¶The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
password_reset_required: pulumi.Output[bool] = None¶Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
pgp_key: pulumi.Output[str] = None¶Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
user: pulumi.Output[str] = None¶The IAM user’s name.
- static
get(resource_name, id, opts=None, encrypted_password=None, key_fingerprint=None, password_length=None, password_reset_required=None, pgp_key=None, user=None)¶ Get an existing UserLoginProfile resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
encrypted_password (pulumi.Input[str]) – The encrypted password, base64 encoded. Only available if password was handled on this provider resource creation, not import.
key_fingerprint (pulumi.Input[str]) – The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on this provider resource creation, not import.
password_length (pulumi.Input[float]) – The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
password_reset_required (pulumi.Input[bool]) – Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument.
pgp_key (pulumi.Input[str]) – Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
user (pulumi.Input[str]) – The IAM user’s name.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.UserPolicy(resource_name, opts=None, name=None, name_prefix=None, policy=None, user=None, __props__=None, __name__=None, __opts__=None)¶ Provides an IAM policy attached to a user.
    import pulumi
    import pulumi_aws as aws

    lb_user = aws.iam.User("lbUser", path="/system/")
    lb_ro = aws.iam.UserPolicy("lbRo",
        policy="""{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    """,
        user=lb_user.name)
    lb_access_key = aws.iam.AccessKey("lbAccessKey", user=lb_user.name)
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
name (pulumi.Input[str]) – The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
user (pulumi.Input[str]) – IAM user to which to attach this policy.
name: pulumi.Output[str] = None¶The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix: pulumi.Output[str] = None¶Creates a unique name beginning with the specified prefix. Conflicts with name.
policy: pulumi.Output[str] = None¶The policy document. This is a JSON formatted string.
user: pulumi.Output[str] = None¶IAM user to which to attach this policy.
- static
get(resource_name, id, opts=None, name=None, name_prefix=None, policy=None, user=None)¶ Get an existing UserPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
name (pulumi.Input[str]) – The name of the policy. If omitted, this provider will assign a random, unique name.
name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with name.
policy (pulumi.Input[dict]) – The policy document. This is a JSON formatted string.
user (pulumi.Input[str]) – IAM user to which to attach this policy.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_aws.iam.UserPolicyAttachment(resource_name, opts=None, policy_arn=None, user=None, __props__=None, __name__=None, __opts__=None)¶ Attaches a Managed IAM Policy to an IAM user
NOTE: The usage of this resource conflicts with the iam.PolicyAttachment resource and will permanently show a difference if both are defined.

    import pulumi
    import pulumi_aws as aws

    user = aws.iam.User("user")
    policy = aws.iam.Policy("policy",
        description="A test policy",
        policy="")  # insert policy here
    test_attach = aws.iam.UserPolicyAttachment("test-attach",
        policy_arn=policy.arn,
        user=user.name)
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
user (pulumi.Input[dict]) – The user the policy should be applied to
policy_arn: pulumi.Output[str] = None¶The ARN of the policy you want to apply
user: pulumi.Output[str] = None¶The user the policy should be applied to
- static
get(resource_name, id, opts=None, policy_arn=None, user=None)¶ Get an existing UserPolicyAttachment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
policy_arn (pulumi.Input[str]) – The ARN of the policy you want to apply
user (pulumi.Input[dict]) – The user the policy should be applied to
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
pulumi_aws.iam.get_account_alias(opts=None)¶The IAM Account Alias data source allows access to the account alias for the effective account in which this provider is working.
    import pulumi
    import pulumi_aws as aws

    current = aws.iam.get_account_alias()
    pulumi.export("accountId", current.account_alias)
pulumi_aws.iam.get_group(group_name=None, opts=None)¶This data source can be used to fetch information about a specific IAM group. By using this data source, you can reference IAM group properties without having to hard code ARNs as input.
    import pulumi
    import pulumi_aws as aws

    example = aws.iam.get_group(group_name="an_example_group_name")
- Parameters
group_name (str) – The friendly IAM group name to match.
pulumi_aws.iam.get_instance_profile(name=None, opts=None)¶This data source can be used to fetch information about a specific IAM instance profile. By using this data source, you can reference IAM instance profile properties without having to hard code ARNs as input.
    import pulumi
    import pulumi_aws as aws

    example = aws.iam.get_instance_profile(name="an_example_instance_profile_name")
- Parameters
name (str) – The friendly IAM instance profile name to match.
pulumi_aws.iam.get_policy(arn=None, opts=None)¶This data source can be used to fetch information about a specific IAM policy.
    import pulumi
    import pulumi_aws as aws

    example = aws.iam.get_policy(arn="arn:aws:iam::123456789012:policy/UsersManageOwnCredentials")
- Parameters
arn (str) – ARN of the IAM policy.
pulumi_aws.iam.get_policy_document(override_json=None, policy_id=None, source_json=None, statements=None, version=None, opts=None)¶Generates an IAM policy document in JSON format.
This is a data source which can be used to construct a JSON representation of an IAM policy document, for use with resources which expect policy documents, such as the iam.Policy resource.

    import pulumi
    import pulumi_aws as aws

    # The bucket name is read from stack configuration.
    config = pulumi.Config()
    s3_bucket_name = config.require("s3_bucket_name")

    example_policy_document = aws.iam.get_policy_document(statements=[
        {
            "actions": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
            ],
            "resources": ["arn:aws:s3:::*"],
            "sid": "1",
        },
        {
            "actions": ["s3:ListBucket"],
            "conditions": [{
                "test": "StringLike",
                "values": [
                    "",
                    "home/",
                    "home/&{aws:username}/",
                ],
                "variable": "s3:prefix",
            }],
            "resources": [f"arn:aws:s3:::{s3_bucket_name}"],
        },
        {
            "actions": ["s3:*"],
            "resources": [
                f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}",
                f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}/*",
            ],
        },
    ])
    example_policy = aws.iam.Policy("examplePolicy",
        path="/",
        policy=example_policy_document.json)
Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings within your configuration, or to use the file interpolation function to read a raw JSON policy document from a file.

The IAM policy document format allows context variables to be interpolated into various strings within a statement. The native IAM policy document format uses ${...}-style syntax that is in conflict with interpolation syntax, so this data source instead uses &{...} syntax for interpolations that should be processed by AWS rather than by this provider.

In order to define a wildcard principal (a.k.a. anonymous user), use type = "*" and identifiers = ["*"]. In that case the rendered JSON will contain "Principal": "*". Note that even though the IAM Documentation states that "Principal": "*" and "Principal": {"AWS": "*"} are equivalent, those principals have different behavior for IAM Role Trust Policy. Therefore this provider will normalize the principal field only in the above-mentioned case, and principals like type = "AWS" and identifiers = ["*"] will be rendered as "Principal": {"AWS": "*"}.

The following example shows how you can use this as an assume role policy, as well as how you can specify multiple principal blocks with different types:
    import pulumi
    import pulumi_aws as aws

    # Account-specific values are read from stack configuration.
    config = pulumi.Config()
    trusted_role_arn = config.require("trusted_role_arn")
    account_id = config.require("account_id")
    provider_name = config.require("provider_name")

    event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(statements=[{
        "actions": ["sts:AssumeRole"],
        "principals": [
            {
                "identifiers": ["firehose.amazonaws.com"],
                "type": "Service",
            },
            {
                "identifiers": [trusted_role_arn],
                "type": "AWS",
            },
            {
                "identifiers": [
                    f"arn:aws:iam::{account_id}:saml-provider/{provider_name}",
                    "cognito-identity.amazonaws.com",
                ],
                "type": "Federated",
            },
        ],
    }])
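The rendering rules described above (the &{...} placeholder, the wildcard-principal normalization and the grouping of principal blocks by type) can be modelled locally to review a statement list before it is deployed. This is an added example, not the provider's code: the function names and the sample statements are assumptions made for illustration, and keeping Action and Resource as lists is this sketch's choice.

```python
import json


def to_aws_vars(value):
    """Turn the data source's &{...} placeholders into IAM's native ${...}."""
    return value.replace("&{", "${")


def render_principals(blocks):
    """Render principals blocks ({"type", "identifiers"}) as a Principal value."""
    # Only the exact pair type="*", identifiers=["*"] is normalized to "*".
    if len(blocks) == 1 and blocks[0]["type"] == "*" and blocks[0]["identifiers"] == ["*"]:
        return "*"
    grouped = {}
    for block in blocks:
        grouped.setdefault(block["type"], []).extend(block["identifiers"])
    # A single identifier is written as a string, several as a list.
    return {t: ids[0] if len(ids) == 1 else ids for t, ids in grouped.items()}


def render_conditions(conditions):
    """Group condition blocks as {operator: {variable: [values]}}."""
    out = {}
    for cond in conditions:
        values = [to_aws_vars(v) for v in cond["values"]]
        out.setdefault(cond["test"], {})[cond["variable"]] = values
    return out


def render_document(statements, version="2012-10-17"):
    """Render a list of statement dicts as an IAM policy document (a dict)."""
    rendered = []
    for s in statements:
        stmt = {"Effect": s.get("effect", "Allow"), "Action": list(s["actions"])}
        if s.get("sid"):
            stmt["Sid"] = s["sid"]
        if s.get("resources"):
            stmt["Resource"] = [to_aws_vars(r) for r in s["resources"]]
        if s.get("principals"):
            stmt["Principal"] = render_principals(s["principals"])
        if s.get("conditions"):
            stmt["Condition"] = render_conditions(s["conditions"])
        rendered.append(stmt)
    return {"Version": version, "Statement": rendered}


def wildcard_principals(document):
    """Return (statement index, form) for principals that name every caller."""
    hits = []
    for index, stmt in enumerate(document["Statement"]):
        principal = stmt.get("Principal")
        if principal == "*":
            hits.append((index, "*"))
        elif isinstance(principal, dict):
            aws_ids = principal.get("AWS", [])
            if "*" in ([aws_ids] if isinstance(aws_ids, str) else aws_ids):
                hits.append((index, "AWS"))
    return hits


# Constructed sample input: bucket name, account id and provider name are made up.
STATEMENTS = [
    {"actions": ["s3:ListBucket"],
     "resources": ["arn:aws:s3:::example-bucket"],
     "conditions": [{"test": "StringLike", "variable": "s3:prefix",
                     "values": ["", "home/", "home/&{aws:username}/"]}]},
    {"actions": ["sts:AssumeRole"],
     "principals": [{"type": "*", "identifiers": ["*"]}]},
    {"actions": ["sts:AssumeRole"],
     "principals": [{"type": "AWS", "identifiers": ["*"]}]},
    {"actions": ["sts:AssumeRole"],
     "principals": [
         {"type": "Service", "identifiers": ["firehose.amazonaws.com"]},
         {"type": "Federated", "identifiers": [
             "arn:aws:iam::123456789012:saml-provider/example",
             "cognito-identity.amazonaws.com"]}]},
]
DOCUMENT = render_document(STATEMENTS)

if __name__ == "__main__":
    print(json.dumps(DOCUMENT, indent=2))
    for index, form in wildcard_principals(DOCUMENT):
        print(f"statement {index}: wildcard principal ({form} form), review its conditions")
```

Both wildcard forms are reported separately because, as noted above, they do not behave the same in a role trust policy.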
Showing how you can use source_json and override_json:

    import pulumi
    import pulumi_aws as aws

    source = aws.iam.get_policy_document(statements=[
        {
            "actions": ["ec2:*"],
            "resources": ["*"],
        },
        {
            "actions": ["s3:*"],
            "resources": ["*"],
            "sid": "SidToOverwrite",
        },
    ])
    source_json_example = aws.iam.get_policy_document(source_json=source.json,
        statements=[{
            "actions": ["s3:*"],
            "resources": [
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*",
            ],
            "sid": "SidToOverwrite",
        }])
    override = aws.iam.get_policy_document(statements=[{
        "actions": ["s3:*"],
        "resources": ["*"],
        "sid": "SidToOverwrite",
    }])
    override_json_example = aws.iam.get_policy_document(override_json=override.json,
        statements=[
            {
                "actions": ["ec2:*"],
                "resources": ["*"],
            },
            {
                "actions": ["s3:*"],
                "resources": [
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*",
                ],
                "sid": "SidToOverwrite",
            },
        ])
data.aws_iam_policy_document.source_json_example.json will evaluate to:

data.aws_iam_policy_document.override_json_example.json will evaluate to:
You can also combine source_json and override_json in the same document.

Use without a statement:

    import pulumi
    import pulumi_aws as aws

    source = aws.iam.get_policy_document(statements=[{
        "actions": ["ec2:DescribeAccountAttributes"],
        "resources": ["*"],
        "sid": "OverridePlaceholder",
    }])
    override = aws.iam.get_policy_document(statements=[{
        "actions": ["s3:GetObject"],
        "resources": ["*"],
        "sid": "OverridePlaceholder",
    }])
    politik = aws.iam.get_policy_document(override_json=override.json,
        source_json=source.json)
data.aws_iam_policy_document.politik.json will evaluate to:
- Parameters
override_json (str) – An IAM policy document to import and override the current policy document. Statements with non-blank sids in the override document will overwrite statements with the same sid in the current document. Statements without an sid cannot be overwritten.
policy_id (str) – An ID for the policy document.
source_json (str) – An IAM policy document to import as a base for the current policy document. Statements with non-blank sids in the current policy document will overwrite statements with the same sid in the source json. Statements without an sid cannot be overwritten.
statements (list) – A nested configuration block (described below) configuring one statement to be included in the policy document.
version (str) – IAM policy document version. Valid values: 2008-10-17, 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
The statements object supports the following:
actions (list) - A list of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
conditions (list) - A nested configuration block (described below) that defines a further, possibly-service-specific condition that constrains whether this statement applies.
  test (str) - The name of the IAM condition operator to evaluate.
  values (list) - The values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. (That is, the tests are combined with the “OR” boolean operation.)
  variable (str) - The name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws:, or service-specific variables prefixed with the service name.
effect (str) - Either “Allow” or “Deny”, to specify whether this statement allows or denies the given actions. The default is “Allow”.
notActions (list) - A list of actions that this statement does not apply to. Used to apply a policy statement to all actions except those listed.
notPrincipals (list) - Like principals except gives resources that the statement does not apply to.
  identifiers (list) - List of identifiers for principals. When type is “AWS”, these are IAM user or role ARNs. When type is “Service”, these are AWS Service roles e.g. lambda.amazonaws.com. When type is “Federated”, these are web identity users or SAML provider ARNs.
  type (str) - The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
notResources (list) - A list of resource ARNs that this statement does not apply to. Used to apply a policy statement to all resources except those listed.
principals (list) - A nested configuration block (described below) specifying a resource (or resource pattern) to which this statement applies.
  identifiers (list) - List of identifiers for principals. When type is “AWS”, these are IAM user or role ARNs. When type is “Service”, these are AWS Service roles e.g. lambda.amazonaws.com. When type is “Federated”, these are web identity users or SAML provider ARNs.
  type (str) - The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
resources (list) - A list of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
sid (str) - An ID for the policy statement.
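How the statements fields above correspond to IAM JSON policy elements, including the same-sid overwrite of source JSON statements, as an added example that is not the provider's own code. The helper names `render_statement` and `render_policy` are hypothetical, the sample ARNs and address ranges are constructed, and appending the current statements after the retained source statements is an assumption about ordering.

```python
import json

# statements field -> IAM JSON element (mapping taken from the IAM policy grammar)
LIST_FIELDS = {"actions": "Action", "notActions": "NotAction",
               "resources": "Resource", "notResources": "NotResource"}
PRINCIPAL_FIELDS = {"principals": "Principal", "notPrincipals": "NotPrincipal"}

def render_statement(stmt):
    """Render one statements entry as an IAM JSON Statement dict."""
    out = {}
    if stmt.get("sid"):
        out["Sid"] = stmt["sid"]
    out["Effect"] = stmt.get("effect", "Allow")  # documented default is Allow
    for field, element in LIST_FIELDS.items():
        if stmt.get(field):
            out[element] = list(stmt[field])
    for field, element in PRINCIPAL_FIELDS.items():
        for p in stmt.get(field, []):
            # {"type": "AWS", "identifiers": [...]} becomes {"AWS": [...]}
            out.setdefault(element, {}).setdefault(p["type"], []).extend(p["identifiers"])
    for c in stmt.get("conditions", []):
        # Values listed under one test/variable pair are ORed by IAM
        by_var = out.setdefault("Condition", {}).setdefault(c["test"], {})
        by_var.setdefault(c["variable"], []).extend(c["values"])
    return out

def render_policy(statements, version="2012-10-17", source_json=None):
    """Statements with a non-blank sid replace same-sid statements from source_json."""
    rendered = [render_statement(s) for s in statements]
    new_sids = {s["Sid"] for s in rendered if "Sid" in s}
    source = json.loads(source_json)["Statement"] if source_json else []
    kept = [s for s in source if s.get("Sid") not in new_sids]
    return {"Version": version, "Statement": kept + rendered}

# Constructed sample input: bucket, role ARN and address ranges are placeholders
SOURCE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Read", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": ["*"]}]})
STATEMENTS = [{
    "sid": "Read", "actions": ["s3:GetObject"],
    "resources": ["arn:aws:s3:::example-bucket/*"],
    "principals": [{"type": "AWS",
                    "identifiers": ["arn:aws:iam::123456789012:role/example-reader"]}],
    "conditions": [{"test": "IpAddress", "variable": "aws:SourceIp",
                    "values": ["192.0.2.0/24", "198.51.100.0/24"]}],
}]

if __name__ == "__main__":
    print(json.dumps(render_policy(STATEMENTS, source_json=SOURCE), indent=2))
```

In the output, the broad `s3:*` source statement with sid `Read` is replaced by the scoped one, while the source Deny statement, which has no sid, is carried over unchanged.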
pulumi_aws.iam.get_role(name=None, tags=None, opts=None)
This data source can be used to fetch information about a specific IAM role. By using this data source, you can reference IAM role properties without having to hard code ARNs as input.

    import pulumi
    import pulumi_aws as aws

    example = aws.iam.get_role(name="an_example_role_name")

- Parameters
name (str) – The friendly IAM role name to match.
tags (dict) – The tags attached to the role.
pulumi_aws.iam.get_server_certificate(latest=None, name=None, name_prefix=None, path_prefix=None, opts=None)
Use this data source to look up information about IAM Server Certificates.

    import pulumi
    import pulumi_aws as aws

    # Look up the matching certificate whose expiration date is furthest in the future
    my_domain = aws.iam.get_server_certificate(latest=True,
        name_prefix="my-domain.org")
    # Use that certificate on the load balancer's HTTPS listener
    elb = aws.elb.LoadBalancer("elb", listeners=[{
        "instance_port": 8000,
        "instanceProtocol": "https",
        "lb_port": 443,
        "lbProtocol": "https",
        "sslCertificateId": my_domain.arn,
    }])

The import function will read in certificate body, certificate chain (if it exists), id, name, path, and arn. It will not retrieve the private key, which is not available through the AWS API.
- Parameters
latest (bool) – Sort results by expiration date. Returns the certificate with the expiration date furthest in the future.
name (str) – Exact name of the cert to look up.
name_prefix (str) – Prefix of cert to filter by.
path_prefix (str) – Prefix of path to filter by.
pulumi_aws.iam.get_user(user_name=None, opts=None)
This data source can be used to fetch information about a specific IAM user. By using this data source, you can reference IAM user properties without having to hard code ARNs or unique IDs as input.

    import pulumi
    import pulumi_aws as aws

    example = aws.iam.get_user(user_name="an_example_user_name")

- Parameters
user_name (str) – The friendly IAM user name to match.