Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi Cloud Packages Tutorials
  1. Packages
  2. AWS
  3. API Docs
  4. iam
  5. Role
AWS v6.76.0 published on Tuesday, Apr 8, 2025 by Pulumi
pulumi/pulumi-aws

aws.iam.Role

Explore with Pulumi AI

AWS v6.76.0 published on Tuesday, Apr 8, 2025 by Pulumi
pulumi/pulumi-aws

Provides an IAM role.

NOTE: If policies are attached to the role via the aws.iam.PolicyAttachment resource and you are modifying the role name or path, the force_detach_policies argument must be set to true and applied before attempting the operation otherwise you will encounter a DeleteConflict error. The aws.iam.RolePolicyAttachment resource (recommended) does not have this requirement.

NOTE: If you use this resource’s managed_policy_arns argument or inline_policy configuration blocks, this resource will take over exclusive management of the role’s respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role’s policies, such as aws.iam.PolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.RolePolicy. If you attempt to manage a role’s policies by multiple means, you will get resource cycling and/or errors.

NOTE: We suggest using explicit JSON encoding or aws.iam.getPolicyDocument when assigning a value to policy. They seamlessly translate configuration to JSON, enabling you to maintain consistency within your configuration without the need for context switches. Also, you can sidestep potential complications arising from formatting discrepancies, whitespace inconsistencies, and other nuances inherent to JSON.

Example Usage

Basic Example

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const testRole = new aws.iam.Role("test_role", {
    name: "test_role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Sid: "",
            Principal: {
                Service: "ec2.amazonaws.com",
            },
        }],
    }),
    tags: {
        "tag-key": "tag-value",
    },
});
Copy
import pulumi
import json
import pulumi_aws as aws

test_role = aws.iam.Role("test_role",
    name="test_role",
    assume_role_policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Sid": "",
            "Principal": {
                "Service": "ec2.amazonaws.com",
            },
        }],
    }),
    tags={
        "tag-key": "tag-value",
    })
Copy
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Sid":    "",
					"Principal": map[string]interface{}{
						"Service": "ec2.amazonaws.com",
					},
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = iam.NewRole(ctx, "test_role", &iam.RoleArgs{
			Name:             pulumi.String("test_role"),
			AssumeRolePolicy: pulumi.String(json0),
			Tags: pulumi.StringMap{
				"tag-key": pulumi.String("tag-value"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var testRole = new Aws.Iam.Role("test_role", new()
    {
        Name = "test_role",
        AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = "sts:AssumeRole",
                    ["Effect"] = "Allow",
                    ["Sid"] = "",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["Service"] = "ec2.amazonaws.com",
                    },
                },
            },
        }),
        Tags = 
        {
            { "tag-key", "tag-value" },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var testRole = new Role("testRole", RoleArgs.builder()
            .name("test_role")
            .assumeRolePolicy(serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Action", "sts:AssumeRole"),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Sid", ""),
                        jsonProperty("Principal", jsonObject(
                            jsonProperty("Service", "ec2.amazonaws.com")
                        ))
                    )))
                )))
            .tags(Map.of("tag-key", "tag-value"))
            .build());

    }
}
Copy
resources:
  testRole:
    type: aws:iam:Role
    name: test_role
    properties:
      name: test_role
      assumeRolePolicy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action: sts:AssumeRole
              Effect: Allow
              Sid: ""
              Principal:
                Service: ec2.amazonaws.com
      tags:
        tag-key: tag-value
Copy

Example of Using Data Source for Assume Role Policy

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const instanceAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["ec2.amazonaws.com"],
        }],
    }],
});
const instance = new aws.iam.Role("instance", {
    name: "instance_role",
    path: "/system/",
    assumeRolePolicy: instanceAssumeRolePolicy.then(instanceAssumeRolePolicy => instanceAssumeRolePolicy.json),
});
Copy
import pulumi
import pulumi_aws as aws

instance_assume_role_policy = aws.iam.get_policy_document(statements=[{
    "actions": ["sts:AssumeRole"],
    "principals": [{
        "type": "Service",
        "identifiers": ["ec2.amazonaws.com"],
    }],
}])
instance = aws.iam.Role("instance",
    name="instance_role",
    path="/system/",
    assume_role_policy=instance_assume_role_policy.json)
Copy
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		instanceAssumeRolePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"sts:AssumeRole",
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Service",
							Identifiers: []string{
								"ec2.amazonaws.com",
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "instance", &iam.RoleArgs{
			Name:             pulumi.String("instance_role"),
			Path:             pulumi.String("/system/"),
			AssumeRolePolicy: pulumi.String(instanceAssumeRolePolicy.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var instanceAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "ec2.amazonaws.com",
                        },
                    },
                },
            },
        },
    });

    var instance = new Aws.Iam.Role("instance", new()
    {
        Name = "instance_role",
        Path = "/system/",
        AssumeRolePolicy = instanceAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var instanceAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions("sts:AssumeRole")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("ec2.amazonaws.com")
                    .build())
                .build())
            .build());

        var instance = new Role("instance", RoleArgs.builder()
            .name("instance_role")
            .path("/system/")
            .assumeRolePolicy(instanceAssumeRolePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

    }
}
Copy
resources:
  instance:
    type: aws:iam:Role
    properties:
      name: instance_role
      path: /system/
      assumeRolePolicy: ${instanceAssumeRolePolicy.json}
variables:
  instanceAssumeRolePolicy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - sts:AssumeRole
            principals:
              - type: Service
                identifiers:
                  - ec2.amazonaws.com
Copy

Example of Exclusive Inline Policies

The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Pulumi should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well.

This example creates an IAM role with two inline IAM policies. If someone adds another inline policy out-of-band, on the next apply, this provider will remove that policy. If someone deletes these policies out-of-band, this provider will recreate them.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const inlinePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["ec2:DescribeAccountAttributes"],
        resources: ["*"],
    }],
});
const example = new aws.iam.Role("example", {
    name: "yak_role",
    assumeRolePolicy: instanceAssumeRolePolicy.json,
    inlinePolicies: [
        {
            name: "my_inline_policy",
            policy: JSON.stringify({
                Version: "2012-10-17",
                Statement: [{
                    Action: ["ec2:Describe*"],
                    Effect: "Allow",
                    Resource: "*",
                }],
            }),
        },
        {
            name: "policy-8675309",
            policy: inlinePolicy.then(inlinePolicy => inlinePolicy.json),
        },
    ],
});
Copy
import pulumi
import json
import pulumi_aws as aws

inline_policy = aws.iam.get_policy_document(statements=[{
    "actions": ["ec2:DescribeAccountAttributes"],
    "resources": ["*"],
}])
example = aws.iam.Role("example",
    name="yak_role",
    assume_role_policy=instance_assume_role_policy["json"],
    inline_policies=[
        {
            "name": "my_inline_policy",
            "policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Action": ["ec2:Describe*"],
                    "Effect": "Allow",
                    "Resource": "*",
                }],
            }),
        },
        {
            "name": "policy-8675309",
            "policy": inline_policy.json,
        },
    ])
Copy
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		inlinePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"ec2:DescribeAccountAttributes",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"ec2:Describe*",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
			Name:             pulumi.String("yak_role"),
			AssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),
			InlinePolicies: iam.RoleInlinePolicyArray{
				&iam.RoleInlinePolicyArgs{
					Name:   pulumi.String("my_inline_policy"),
					Policy: pulumi.String(json0),
				},
				&iam.RoleInlinePolicyArgs{
					Name:   pulumi.String("policy-8675309"),
					Policy: pulumi.String(inlinePolicy.Json),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var inlinePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "ec2:DescribeAccountAttributes",
                },
                Resources = new[]
                {
                    "*",
                },
            },
        },
    });

    var example = new Aws.Iam.Role("example", new()
    {
        Name = "yak_role",
        AssumeRolePolicy = instanceAssumeRolePolicy.Json,
        InlinePolicies = new[]
        {
            new Aws.Iam.Inputs.RoleInlinePolicyArgs
            {
                Name = "my_inline_policy",
                Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
                {
                    ["Version"] = "2012-10-17",
                    ["Statement"] = new[]
                    {
                        new Dictionary<string, object?>
                        {
                            ["Action"] = new[]
                            {
                                "ec2:Describe*",
                            },
                            ["Effect"] = "Allow",
                            ["Resource"] = "*",
                        },
                    },
                }),
            },
            new Aws.Iam.Inputs.RoleInlinePolicyArgs
            {
                Name = "policy-8675309",
                Policy = inlinePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var inlinePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions("ec2:DescribeAccountAttributes")
                .resources("*")
                .build())
            .build());

        var example = new Role("example", RoleArgs.builder()
            .name("yak_role")
            .assumeRolePolicy(instanceAssumeRolePolicy.json())
            .inlinePolicies(            
                RoleInlinePolicyArgs.builder()
                    .name("my_inline_policy")
                    .policy(serializeJson(
                        jsonObject(
                            jsonProperty("Version", "2012-10-17"),
                            jsonProperty("Statement", jsonArray(jsonObject(
                                jsonProperty("Action", jsonArray("ec2:Describe*")),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Resource", "*")
                            )))
                        )))
                    .build(),
                RoleInlinePolicyArgs.builder()
                    .name("policy-8675309")
                    .policy(inlinePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                    .build())
            .build());

    }
}
Copy
resources:
  example:
    type: aws:iam:Role
    properties:
      name: yak_role
      assumeRolePolicy: ${instanceAssumeRolePolicy.json}
      inlinePolicies:
        - name: my_inline_policy
          policy:
            fn::toJSON:
              Version: 2012-10-17
              Statement:
                - Action:
                    - ec2:Describe*
                  Effect: Allow
                  Resource: '*'
        - name: policy-8675309
          policy: ${inlinePolicy.json}
variables:
  inlinePolicy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - ec2:DescribeAccountAttributes
            resources:
              - '*'
Copy

Example of Removing Inline Policies

The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Pulumi should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well.

This example creates an IAM role with what appears to be empty IAM inline_policy argument instead of using inline_policy as a configuration block. The result is that if someone were to add an inline policy out-of-band, on the next apply, this provider will remove that policy.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.Role("example", {
    inlinePolicies: [{}],
    name: "yak_role",
    assumeRolePolicy: instanceAssumeRolePolicy.json,
});
Copy
import pulumi
import pulumi_aws as aws

example = aws.iam.Role("example",
    inline_policies=[{}],
    name="yak_role",
    assume_role_policy=instance_assume_role_policy["json"])
Copy
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			InlinePolicies: iam.RoleInlinePolicyArray{
				&iam.RoleInlinePolicyArgs{},
			},
			Name:             pulumi.String("yak_role"),
			AssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Iam.Role("example", new()
    {
        InlinePolicies = new[]
        {
            null,
        },
        Name = "yak_role",
        AssumeRolePolicy = instanceAssumeRolePolicy.Json,
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Role("example", RoleArgs.builder()
            .inlinePolicies()
            .name("yak_role")
            .assumeRolePolicy(instanceAssumeRolePolicy.json())
            .build());

    }
}
Copy
resources:
  example:
    type: aws:iam:Role
    properties:
      inlinePolicies:
        - {}
      name: yak_role
      assumeRolePolicy: ${instanceAssumeRolePolicy.json}
Copy

Example of Exclusive Managed Policies

The managed_policy_arns argument is deprecated. Use the aws.iam.RolePolicyAttachment resource instead. If Pulumi should exclusively manage all managed policy attachments (the current behavior of this argument), use the aws.iam.RolePolicyAttachmentsExclusive resource as well.

This example creates an IAM role and attaches two managed IAM policies. If someone attaches another managed policy out-of-band, on the next apply, this provider will detach that policy. If someone detaches these policies out-of-band, this provider will attach them again.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const policyOne = new aws.iam.Policy("policy_one", {
    name: "policy-618033",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: ["ec2:Describe*"],
            Effect: "Allow",
            Resource: "*",
        }],
    }),
});
const policyTwo = new aws.iam.Policy("policy_two", {
    name: "policy-381966",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:HeadBucket",
            ],
            Effect: "Allow",
            Resource: "*",
        }],
    }),
});
const example = new aws.iam.Role("example", {
    name: "yak_role",
    assumeRolePolicy: instanceAssumeRolePolicy.json,
    managedPolicyArns: [
        policyOne.arn,
        policyTwo.arn,
    ],
});
Copy
import pulumi
import json
import pulumi_aws as aws

policy_one = aws.iam.Policy("policy_one",
    name="policy-618033",
    policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["ec2:Describe*"],
            "Effect": "Allow",
            "Resource": "*",
        }],
    }))
policy_two = aws.iam.Policy("policy_two",
    name="policy-381966",
    policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:HeadBucket",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }],
    }))
example = aws.iam.Role("example",
    name="yak_role",
    assume_role_policy=instance_assume_role_policy["json"],
    managed_policy_arns=[
        policy_one.arn,
        policy_two.arn,
    ])
Copy
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"ec2:Describe*",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		policyOne, err := iam.NewPolicy(ctx, "policy_one", &iam.PolicyArgs{
			Name:   pulumi.String("policy-618033"),
			Policy: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		tmpJSON1, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": []string{
						"s3:ListAllMyBuckets",
						"s3:ListBucket",
						"s3:HeadBucket",
					},
					"Effect":   "Allow",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json1 := string(tmpJSON1)
		policyTwo, err := iam.NewPolicy(ctx, "policy_two", &iam.PolicyArgs{
			Name:   pulumi.String("policy-381966"),
			Policy: pulumi.String(json1),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
			Name:             pulumi.String("yak_role"),
			AssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),
			ManagedPolicyArns: pulumi.StringArray{
				policyOne.Arn,
				policyTwo.Arn,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var policyOne = new Aws.Iam.Policy("policy_one", new()
    {
        Name = "policy-618033",
        PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = new[]
                    {
                        "ec2:Describe*",
                    },
                    ["Effect"] = "Allow",
                    ["Resource"] = "*",
                },
            },
        }),
    });

    var policyTwo = new Aws.Iam.Policy("policy_two", new()
    {
        Name = "policy-381966",
        PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = new[]
                    {
                        "s3:ListAllMyBuckets",
                        "s3:ListBucket",
                        "s3:HeadBucket",
                    },
                    ["Effect"] = "Allow",
                    ["Resource"] = "*",
                },
            },
        }),
    });

    var example = new Aws.Iam.Role("example", new()
    {
        Name = "yak_role",
        AssumeRolePolicy = instanceAssumeRolePolicy.Json,
        ManagedPolicyArns = new[]
        {
            policyOne.Arn,
            policyTwo.Arn,
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var policyOne = new Policy("policyOne", PolicyArgs.builder()
            .name("policy-618033")
            .policy(serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Action", jsonArray("ec2:Describe*")),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Resource", "*")
                    )))
                )))
            .build());

        var policyTwo = new Policy("policyTwo", PolicyArgs.builder()
            .name("policy-381966")
            .policy(serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Action", jsonArray(
                            "s3:ListAllMyBuckets", 
                            "s3:ListBucket", 
                            "s3:HeadBucket"
                        )),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Resource", "*")
                    )))
                )))
            .build());

        var example = new Role("example", RoleArgs.builder()
            .name("yak_role")
            .assumeRolePolicy(instanceAssumeRolePolicy.json())
            .managedPolicyArns(            
                policyOne.arn(),
                policyTwo.arn())
            .build());

    }
}
Copy
resources:
  example:
    type: aws:iam:Role
    properties:
      name: yak_role
      assumeRolePolicy: ${instanceAssumeRolePolicy.json}
      managedPolicyArns:
        - ${policyOne.arn}
        - ${policyTwo.arn}
  policyOne:
    type: aws:iam:Policy
    name: policy_one
    properties:
      name: policy-618033
      policy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action:
                - ec2:Describe*
              Effect: Allow
              Resource: '*'
  policyTwo:
    type: aws:iam:Policy
    name: policy_two
    properties:
      name: policy-381966
      policy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action:
                - s3:ListAllMyBuckets
                - s3:ListBucket
                - s3:HeadBucket
              Effect: Allow
              Resource: '*'
Copy

Example of Removing Managed Policies

The managed_policy_arns argument is deprecated. Use the aws.iam.RolePolicyAttachment resource instead. If Pulumi should exclusively manage all managed policy attachments (the current behavior of this argument), use the aws.iam.RolePolicyAttachmentsExclusive resource as well.

This example creates an IAM role with an empty managed_policy_arns argument. If someone attaches a policy out-of-band, on the next apply, this provider will detach that policy.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.Role("example", {
    name: "yak_role",
    assumeRolePolicy: instanceAssumeRolePolicy.json,
    managedPolicyArns: [],
});
Copy
import pulumi
import pulumi_aws as aws

example = aws.iam.Role("example",
    name="yak_role",
    assume_role_policy=instance_assume_role_policy["json"],
    managed_policy_arns=[])
Copy
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			Name:              pulumi.String("yak_role"),
			AssumeRolePolicy:  pulumi.Any(instanceAssumeRolePolicy.Json),
			ManagedPolicyArns: pulumi.StringArray{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Iam.Role("example", new()
    {
        Name = "yak_role",
        AssumeRolePolicy = instanceAssumeRolePolicy.Json,
        ManagedPolicyArns = new[] {},
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Role("example", RoleArgs.builder()
            .name("yak_role")
            .assumeRolePolicy(instanceAssumeRolePolicy.json())
            .managedPolicyArns()
            .build());

    }
}
Copy
resources:
  example:
    type: aws:iam:Role
    properties:
      name: yak_role
      assumeRolePolicy: ${instanceAssumeRolePolicy.json}
      managedPolicyArns: []
Copy

Create Role Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);
@overload
def Role(resource_name: str,
         args: RoleArgs,
         opts: Optional[ResourceOptions] = None)

@overload
def Role(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         assume_role_policy: Optional[str] = None,
         description: Optional[str] = None,
         force_detach_policies: Optional[bool] = None,
         inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
         managed_policy_arns: Optional[Sequence[str]] = None,
         max_session_duration: Optional[int] = None,
         name: Optional[str] = None,
         name_prefix: Optional[str] = None,
         path: Optional[str] = None,
         permissions_boundary: Optional[str] = None,
         tags: Optional[Mapping[str, str]] = None)
func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)
public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)
public Role(String name, RoleArgs args)
public Role(String name, RoleArgs args, CustomResourceOptions options)

type: aws:iam:Role
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. RoleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. RoleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. RoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. RoleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var roleResource = new Aws.Iam.Role("roleResource", new()
{
    AssumeRolePolicy = "string",
    Description = "string",
    ForceDetachPolicies = false,
    InlinePolicies = new[]
    {
        new Aws.Iam.Inputs.RoleInlinePolicyArgs
        {
            Name = "string",
            Policy = "string",
        },
    },
    ManagedPolicyArns = new[]
    {
        "string",
    },
    MaxSessionDuration = 0,
    Name = "string",
    NamePrefix = "string",
    Path = "string",
    PermissionsBoundary = "string",
    Tags = 
    {
        { "string", "string" },
    },
});
Copy
example, err := iam.NewRole(ctx, "roleResource", &iam.RoleArgs{
	AssumeRolePolicy:    pulumi.Any("string"),
	Description:         pulumi.String("string"),
	ForceDetachPolicies: pulumi.Bool(false),
	InlinePolicies: iam.RoleInlinePolicyArray{
		&iam.RoleInlinePolicyArgs{
			Name:   pulumi.String("string"),
			Policy: pulumi.String("string"),
		},
	},
	ManagedPolicyArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	MaxSessionDuration:  pulumi.Int(0),
	Name:                pulumi.String("string"),
	NamePrefix:          pulumi.String("string"),
	Path:                pulumi.String("string"),
	PermissionsBoundary: pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})
Copy
var roleResource = new Role("roleResource", RoleArgs.builder()
    .assumeRolePolicy("string")
    .description("string")
    .forceDetachPolicies(false)
    .inlinePolicies(RoleInlinePolicyArgs.builder()
        .name("string")
        .policy("string")
        .build())
    .managedPolicyArns("string")
    .maxSessionDuration(0)
    .name("string")
    .namePrefix("string")
    .path("string")
    .permissionsBoundary("string")
    .tags(Map.of("string", "string"))
    .build());
Copy
role_resource = aws.iam.Role("roleResource",
    assume_role_policy="string",
    description="string",
    force_detach_policies=False,
    inline_policies=[{
        "name": "string",
        "policy": "string",
    }],
    managed_policy_arns=["string"],
    max_session_duration=0,
    name="string",
    name_prefix="string",
    path="string",
    permissions_boundary="string",
    tags={
        "string": "string",
    })
Copy
const roleResource = new aws.iam.Role("roleResource", {
    assumeRolePolicy: "string",
    description: "string",
    forceDetachPolicies: false,
    inlinePolicies: [{
        name: "string",
        policy: "string",
    }],
    managedPolicyArns: ["string"],
    maxSessionDuration: 0,
    name: "string",
    namePrefix: "string",
    path: "string",
    permissionsBoundary: "string",
    tags: {
        string: "string",
    },
});
Copy
type: aws:iam:Role
properties:
    assumeRolePolicy: string
    description: string
    forceDetachPolicies: false
    inlinePolicies:
        - name: string
          policy: string
    managedPolicyArns:
        - string
    maxSessionDuration: 0
    name: string
    namePrefix: string
    path: string
    permissionsBoundary: string
    tags:
        string: string
Copy

Role Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Role resource accepts the following input properties:

AssumeRolePolicy This property is required. string | string

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies List<RoleInlinePolicy>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
ManagedPolicyArns List<string>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name Changes to this property will trigger replacement. string
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
NamePrefix Changes to this property will trigger replacement. string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path Changes to this property will trigger replacement. string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags Dictionary<string, string>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
AssumeRolePolicy This property is required. string | string

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies []RoleInlinePolicyArgs
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
ManagedPolicyArns []string
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name Changes to this property will trigger replacement. string
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
NamePrefix Changes to this property will trigger replacement. string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path Changes to this property will trigger replacement. string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags map[string]string
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
assumeRolePolicy This property is required. String | String

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

description String
Description of the role.
forceDetachPolicies Boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies List<RoleInlinePolicy>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managedPolicyArns List<String>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
maxSessionDuration Integer
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. String
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
namePrefix Changes to this property will trigger replacement. String
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. String
Path to the role. See IAM Identifiers for more information.
permissionsBoundary String
ARN of the policy that is used to set the permissions boundary for the role.
tags Map<String,String>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
assumeRolePolicy This property is required. string | PolicyDocument

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

description string
Description of the role.
forceDetachPolicies boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies RoleInlinePolicy[]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managedPolicyArns string[]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
maxSessionDuration number
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. string
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
namePrefix Changes to this property will trigger replacement. string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. string
Path to the role. See IAM Identifiers for more information.
permissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
tags {[key: string]: string}
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
assume_role_policy This property is required. str | str

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

description str
Description of the role.
force_detach_policies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inline_policies Sequence[RoleInlinePolicyArgs]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managed_policy_arns Sequence[str]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
max_session_duration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. str
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
name_prefix Changes to this property will trigger replacement. str
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. str
Path to the role. See IAM Identifiers for more information.
permissions_boundary str
ARN of the policy that is used to set the permissions boundary for the role.
tags Mapping[str, str]
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
assumeRolePolicy This property is required. String |

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

description String
Description of the role.
forceDetachPolicies Boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies List<Property Map>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managedPolicyArns List<String>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
maxSessionDuration Number
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. String
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
namePrefix Changes to this property will trigger replacement. String
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. String
Path to the role. See IAM Identifiers for more information.
permissionsBoundary String
ARN of the policy that is used to set the permissions boundary for the role.
tags Map<String>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Outputs

All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

Arn string
Amazon Resource Name (ARN) specifying the role.
CreateDate string
Creation date of the IAM role.
Id string
The provider-assigned unique ID for this managed resource.
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

UniqueId string
Stable and unique string identifying the role.
Arn string
Amazon Resource Name (ARN) specifying the role.
CreateDate string
Creation date of the IAM role.
Id string
The provider-assigned unique ID for this managed resource.
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

UniqueId string
Stable and unique string identifying the role.
arn String
Amazon Resource Name (ARN) specifying the role.
createDate String
Creation date of the IAM role.
id String
The provider-assigned unique ID for this managed resource.
tagsAll Map<String,String>
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

uniqueId String
Stable and unique string identifying the role.
arn string
Amazon Resource Name (ARN) specifying the role.
createDate string
Creation date of the IAM role.
id string
The provider-assigned unique ID for this managed resource.
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

uniqueId string
Stable and unique string identifying the role.
arn str
Amazon Resource Name (ARN) specifying the role.
create_date str
Creation date of the IAM role.
id str
The provider-assigned unique ID for this managed resource.
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

unique_id str
Stable and unique string identifying the role.
arn String
Amazon Resource Name (ARN) specifying the role.
createDate String
Creation date of the IAM role.
id String
The provider-assigned unique ID for this managed resource.
tagsAll Map<String>
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

uniqueId String
Stable and unique string identifying the role.

Look up Existing Role Resource

Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        assume_role_policy: Optional[str] = None,
        create_date: Optional[str] = None,
        description: Optional[str] = None,
        force_detach_policies: Optional[bool] = None,
        inline_policies: Optional[Sequence[RoleInlinePolicyArgs]] = None,
        managed_policy_arns: Optional[Sequence[str]] = None,
        max_session_duration: Optional[int] = None,
        name: Optional[str] = None,
        name_prefix: Optional[str] = None,
        path: Optional[str] = None,
        permissions_boundary: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        unique_id: Optional[str] = None) -> Role
func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)
public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)
public static Role get(String name, Output<String> id, RoleState state, CustomResourceOptions options)
resources:  _:    type: aws:iam:Role    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Arn string
Amazon Resource Name (ARN) specifying the role.
AssumeRolePolicy string | string

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

CreateDate string
Creation date of the IAM role.
Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies List<RoleInlinePolicy>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
ManagedPolicyArns List<string>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name Changes to this property will trigger replacement. string
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
NamePrefix Changes to this property will trigger replacement. string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path Changes to this property will trigger replacement. string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags Dictionary<string, string>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

UniqueId string
Stable and unique string identifying the role.
Arn string
Amazon Resource Name (ARN) specifying the role.
AssumeRolePolicy string | string

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

CreateDate string
Creation date of the IAM role.
Description string
Description of the role.
ForceDetachPolicies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
InlinePolicies []RoleInlinePolicyArgs
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
ManagedPolicyArns []string
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
MaxSessionDuration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Name Changes to this property will trigger replacement. string
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
NamePrefix Changes to this property will trigger replacement. string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
Path Changes to this property will trigger replacement. string
Path to the role. See IAM Identifiers for more information.
PermissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
Tags map[string]string
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

UniqueId string
Stable and unique string identifying the role.
arn String
Amazon Resource Name (ARN) specifying the role.
assumeRolePolicy String | String

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

createDate String
Creation date of the IAM role.
description String
Description of the role.
forceDetachPolicies Boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies List<RoleInlinePolicy>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managedPolicyArns List<String>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
maxSessionDuration Integer
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. String
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
namePrefix Changes to this property will trigger replacement. String
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. String
Path to the role. See IAM Identifiers for more information.
permissionsBoundary String
ARN of the policy that is used to set the permissions boundary for the role.
tags Map<String,String>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String,String>
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

uniqueId String
Stable and unique string identifying the role.
arn string
Amazon Resource Name (ARN) specifying the role.
assumeRolePolicy string | PolicyDocument

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

createDate string
Creation date of the IAM role.
description string
Description of the role.
forceDetachPolicies boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies RoleInlinePolicy[]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managedPolicyArns string[]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
maxSessionDuration number
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. string
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
namePrefix Changes to this property will trigger replacement. string
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. string
Path to the role. See IAM Identifiers for more information.
permissionsBoundary string
ARN of the policy that is used to set the permissions boundary for the role.
tags {[key: string]: string}
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

uniqueId string
Stable and unique string identifying the role.
arn str
Amazon Resource Name (ARN) specifying the role.
assume_role_policy str | str

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

create_date str
Creation date of the IAM role.
description str
Description of the role.
force_detach_policies bool
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inline_policies Sequence[RoleInlinePolicyArgs]
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managed_policy_arns Sequence[str]
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
max_session_duration int
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. str
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
name_prefix Changes to this property will trigger replacement. str
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. str
Path to the role. See IAM Identifiers for more information.
permissions_boundary str
ARN of the policy that is used to set the permissions boundary for the role.
tags Mapping[str, str]
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

unique_id str
Stable and unique string identifying the role.
arn String
Amazon Resource Name (ARN) specifying the role.
assumeRolePolicy String |

Policy that grants an entity permission to assume the role.

NOTE: The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws.iam.Policy resource. However, it can use an aws.iam.getPolicyDocument data source. See the example above of how this works.

The following arguments are optional:

createDate String
Creation date of the IAM role.
description String
Description of the role.
forceDetachPolicies Boolean
Whether to force detaching any policies the role has before destroying it. Defaults to false.
inlinePolicies List<Property Map>
Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Pulumi to remove all inline policies added out of band on apply.
managedPolicyArns List<String>
Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Pulumi will ignore policy attachments to this resource. When configured, Pulumi will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Pulumi to remove all managed policy attachments.
maxSessionDuration Number
Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
name Changes to this property will trigger replacement. String
Friendly name of the role. If omitted, the provider will assign a random, unique name. See IAM Identifiers for more information.
namePrefix Changes to this property will trigger replacement. String
Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
path Changes to this property will trigger replacement. String
Path to the role. See IAM Identifiers for more information.
permissionsBoundary String
ARN of the policy that is used to set the permissions boundary for the role.
tags Map<String>
Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String>
A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Deprecated: Please use tags instead.

uniqueId String
Stable and unique string identifying the role.

Supporting Types

RoleInlinePolicy
, RoleInlinePolicyArgs

Name string
Name of the role policy.
Policy string
Policy document as a JSON formatted string.
Name string
Name of the role policy.
Policy string
Policy document as a JSON formatted string.
name String
Name of the role policy.
policy String
Policy document as a JSON formatted string.
name string
Name of the role policy.
policy string
Policy document as a JSON formatted string.
name str
Name of the role policy.
policy str
Policy document as a JSON formatted string.
name String
Name of the role policy.
policy String
Policy document as a JSON formatted string.

Import

Using pulumi import, import IAM Roles using the name. For example:

$ pulumi import aws:iam/role:Role developer developer_name
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.
AWS v6.76.0 published on Tuesday, Apr 8, 2025 by Pulumi
pulumi/pulumi-aws