aws-iam.RoleForServiceAccountsEks
This resource helps you create an IAM role that can be assumed by AWS EKS ServiceAccounts, with optional policies for commonly used controllers and custom resources within EKS. The optional policies you can specify are:
- Cert-Manager
- Cluster Autoscaler
- EBS CSI Driver
- EFS CSI Driver
- External DNS
- External Secrets
- FSx for Lustre CSI Driver
- Karpenter
- Load Balancer Controller
- Load Balancer Controller Target Group Binding Only
- App Mesh Controller
- App Mesh Envoy Proxy
- Managed Service for Prometheus
- Node Termination Handler
- Velero
- VPC CNI
Example Usage
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
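/// <summary>
/// Example stack that creates an IAM role assumable by EKS service accounts
/// and attaches the VPC CNI policy to it.
/// </summary>
class MyStack : Stack
{
    /// <summary>
    /// Declares the role, its OIDC trust settings and the attached policy,
    /// then exposes the resource as a stack output.
    /// </summary>
    public MyStack()
    {
        var roleForServiceAccountEks = new RoleForServiceAccountsEks("role-for-service-account-eks", new RoleForServiceAccountsEksArgs
        {
            Role = new EKSServiceAccountRoleArgs
            {
                // Spelled "vpc-cni" so the role name agrees with the "vpc-cni-irsa" tag
                // and with the role name used in the other language examples.
                Name = "vpc-cni",
            },
            Tags = {
                {"Name", "vpc-cni-irsa"},
            },
            OidcProviders = {
                {"main", new OIDCProviderArgs
                {
                    // Sample ARN: replace the account ID and provider ID with your cluster's OIDC provider.
                    ProviderArn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
                    // Entries are "namespace:service-account" strings. Keep this list to the exact
                    // workloads that need the role; every entry is an identity the role is set up for.
                    NamespaceServiceAccounts = {"default:my-app", "canary:my-app"},
                }},
            },
            Policies = new EKSRolePoliciesArgs
            {
                // "VpnCni" / "EKSVPNCNIPolicyArgs" are the SDK's own identifiers (see the
                // constructor reference on this page), so they are left as spelled.
                VpnCni = new EKSVPNCNIPolicyArgs
                {
                    Attach = true,
                    EnableIpv4 = true,
                },
            },
        });
        this.RoleForServiceAccountEks = Output.Create<RoleForServiceAccountsEks>(roleForServiceAccountEks);
    }
    [Output]
    public Output<RoleForServiceAccountsEks> RoleForServiceAccountEks { get; set; }
}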
package main
import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that declares an IAM role for EKS service
// accounts with the VPC CNI policy attached, and exports the resource.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Trust settings: the cluster's OIDC provider plus the
        // "namespace:service-account" identities the role is set up for.
        // Keep this list to the exact workloads that need the role.
        oidcProviders := iam.OIDCProviderMap{
            "main": iam.OIDCProviderArgs{
                ProviderArn:              pulumi.String("arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"),
                NamespaceServiceAccounts: pulumi.ToStringArray([]string{"default:my-app", "canary:my-app"}),
            },
        }

        // Permissions: only the VPC CNI policy is attached.
        // "VpnCni" is the SDK's own field name.
        policies := iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{
            VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{
                Attach:     pulumi.Bool(true),
                EnableIpv4: pulumi.BoolPtr(true),
            }),
        })

        args := &iam.RoleForServiceAccountsEksArgs{
            Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{
                Name: pulumi.String("vpc-cni"),
            }),
            Tags: pulumi.ToStringMap(map[string]string{
                "Name": "vpc-cni-irsa",
            }),
            OidcProviders: oidcProviders,
            Policies:      policies,
        }

        irsaRole, err := iam.NewRoleForServiceAccountsEks(ctx, "role-for-service-accounts-eks", args)
        if err != nil {
            return err
        }

        ctx.Export("roleForServiceAccountsEKS", irsaRole)
        return nil
    })
}
Coming soon!
import * as iam from "@pulumi/aws-iam";
// Trust settings for the role: the cluster's OIDC provider and the
// "namespace:service-account" identities the role is set up for.
// Keep the list to the exact workloads that need the role.
const mainOidcProvider = {
    providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
    namespaceServiceAccounts: ["default:my-app", "canary:my-app"],
};

// Only the VPC CNI policy is attached, with enableIpv4 set.
const vpcCniPolicy = {
    attach: true,
    enableIpv4: true,
};

// IAM role for EKS service accounts, exported as a stack output.
// "vpnCni" is the SDK's own property name.
export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks(
    "aws-iam-example-role-for-service-accounts-eks",
    {
        role: { name: "vpc-cni" },
        tags: { Name: "vpc-cni-irsa" },
        oidcProviders: { main: mainOidcProvider },
        policies: { vpnCni: vpcCniPolicy },
    },
);
import pulumi
import pulumi_aws_iam as iam
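# Create an IAM role that EKS service accounts can assume and attach the VPC CNI policy to it.
role_for_service_account_eks = iam.RoleForServiceAccountsEks(
    'role_for_service_account_eks',
    # `role` is typed as EKSServiceAccountRoleArgs in the constructor signature on this page,
    # so that class is used here rather than the generic RoleArgs.
    role=iam.EKSServiceAccountRoleArgs(
        name='vpc-cni'
    ),
    tags={
        'Name': 'vpc-cni-irsa',
    },
    oidc_providers={
        'main': iam.OIDCProviderArgs(
            # Sample ARN: replace the account ID and provider ID with your cluster's OIDC provider.
            provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D',
            # Entries are "namespace:service-account" strings; keep the list to the exact
            # workloads that need the role.
            namespace_service_accounts=['default:my-app', 'canary:my-app'],
        ),
    },
    policies=iam.EKSRolePoliciesArgs(
        # "vpn_cni" / EKSVPNCNIPolicyArgs are the SDK's own identifiers.
        vpn_cni=iam.EKSVPNCNIPolicyArgs(
            attach=True,
            enable_ipv4=True,
        ),
    ),
)
# Expose the resource as a stack output.
pulumi.export('role_for_service_account_eks', role_for_service_account_eks)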
# Pulumi YAML program: declares an IAM role for EKS service accounts with the VPC CNI policy attached.
name: awsiam-yaml
runtime: yaml
resources:
    roleForServiceAccountsEks:
        type: "aws-iam:index:RoleForServiceAccountsEks"
        properties:
            role:
                name: "vpc-cni"
            tags:
                Name: "vpc-cni-irsa"
            oidcProviders:
                main:
                    # Sample ARN: replace the account ID and provider ID with your cluster's OIDC provider.
                    providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
                    # Entries are "namespace:service-account" strings; keep the list to the exact
                    # workloads that need the role.
                    namespaceServiceAccounts:
                        - "default:my-app"
                        - "canary:my-app"
            policies:
                # "vpnCni" is the provider's own property name.
                vpnCni:
                    attach: true
                    enableIpv4: true
# The whole resource is exposed as a stack output.
outputs:
    roleForServiceAccountsEks: ${roleForServiceAccountsEks}
Create RoleForServiceAccountsEks Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RoleForServiceAccountsEks(name: string, args?: RoleForServiceAccountsEksArgs, opts?: ComponentResourceOptions);
@overload
def RoleForServiceAccountsEks(resource_name: str,
                              args: Optional[RoleForServiceAccountsEksArgs] = None,
                              opts: Optional[ResourceOptions] = None)
@overload
def RoleForServiceAccountsEks(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              assume_role_condition_test: Optional[str] = None,
                              force_detach_policies: Optional[bool] = None,
                              max_session_duration: Optional[int] = None,
                              oidc_providers: Optional[Mapping[str, OIDCProviderArgs]] = None,
                              policies: Optional[EKSRolePoliciesArgs] = None,
                              policy_name_prefix: Optional[str] = None,
                              role: Optional[EKSServiceAccountRoleArgs] = None,
                              tags: Optional[Mapping[str, str]] = None)
func NewRoleForServiceAccountsEks(ctx *Context, name string, args *RoleForServiceAccountsEksArgs, opts ...ResourceOption) (*RoleForServiceAccountsEks, error)
public RoleForServiceAccountsEks(string name, RoleForServiceAccountsEksArgs? args = null, ComponentResourceOptions? opts = null)
public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args)
public RoleForServiceAccountsEks(String name, RoleForServiceAccountsEksArgs args, ComponentResourceOptions options)
type: aws-iam:RoleForServiceAccountsEks
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RoleForServiceAccountsEksArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RoleForServiceAccountsEksArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RoleForServiceAccountsEksArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RoleForServiceAccountsEksArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RoleForServiceAccountsEksArgs
- The arguments to resource properties.
- options ComponentResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing of every input on RoleForServiceAccountsEks. All values are placeholders
// ("string", false, 0) and must be replaced before use.
var roleForServiceAccountsEksResource = new AwsIam.RoleForServiceAccountsEks("roleForServiceAccountsEksResource", new()
{
    // Name of the IAM condition operator evaluated when the role is assumed.
    // NOTE(review): an operator that matches wildcards widens which identities can assume the role - confirm your choice.
    AssumeRoleConditionTest = "string",
    ForceDetachPolicies = false,
    // Placeholder only: the documented range is 3600 to 43200 seconds.
    MaxSessionDuration = 0,
    OidcProviders = 
    {
        { "string", new AwsIam.Inputs.OIDCProviderArgs
        {
            // The usage example passes "namespace:service-account" strings here.
            NamespaceServiceAccounts = new[]
            {
                "string",
            },
            ProviderArn = "string",
        } },
    },
    // Each policy is opt-in through its Attach/Controller-style flag. This page documents wildcard
    // fallbacks for WorkspaceArns and CertManager.HostedZoneArns when they are omitted; check the
    // default of every other ARN list before leaving it out.
    Policies = new AwsIam.Inputs.EKSRolePoliciesArgs
    {
        AmazonManagedServicePrometheus = new AwsIam.Inputs.EKSAmazonManagedServicePrometheusPolicyArgs
        {
            Attach = false,
            // If omitted, a default ARN of "*" is used; list the workspace ARNs explicitly.
            WorkspaceArns = new[]
            {
                "string",
            },
        },
        Appmesh = new AwsIam.Inputs.EKSAppmeshPolicyArgs
        {
            Controller = false,
            EnvoyProxy = false,
        },
        CertManager = new AwsIam.Inputs.EKSCertManagerPolicyArgs
        {
            Attach = false,
            // If omitted, defaults to "arn:aws:route53:::hostedzone/*" (every hosted zone).
            HostedZoneArns = new[]
            {
                "string",
            },
        },
        ClusterAutoScaling = new AwsIam.Inputs.EKSClusterAutoscalerPolicyArgs
        {
            Attach = false,
            ClusterIds = new[]
            {
                "string",
            },
        },
        EbsCsi = new AwsIam.Inputs.EKSEBSCSIPolicyArgs
        {
            Attach = false,
            KmsCmkIds = new[]
            {
                "string",
            },
        },
        EfsCsi = new AwsIam.Inputs.EKSEFSCSIPolicyArgs
        {
            Attach = false,
        },
        ExternalDns = new AwsIam.Inputs.EKSExternalDNSPolicyArgs
        {
            Attach = false,
            HostedZoneArns = new[]
            {
                "string",
            },
        },
        ExternalSecrets = new AwsIam.Inputs.EKSExternalSecretsPolicyArgs
        {
            Attach = false,
            SecretsManagerArns = new[]
            {
                "string",
            },
            SsmParameterArns = new[]
            {
                "string",
            },
        },
        FsxLustreCsi = new AwsIam.Inputs.FSxLustreCSIPolicyArgs
        {
            Attach = false,
            ServiceRoleArns = new[]
            {
                "string",
            },
        },
        KarpenterController = new AwsIam.Inputs.EKSKarpenterControllerPolicyArgs
        {
            Attach = false,
            ClusterId = "string",
            NodeIamRoleArns = new[]
            {
                "string",
            },
            SsmParameterArns = new[]
            {
                "string",
            },
            SubnetAccountId = "string",
            TagKey = "string",
        },
        LoadBalancer = new AwsIam.Inputs.EKSLoadBalancerPolicyArgs
        {
            Controller = false,
            TargetGroupBindingOnly = false,
        },
        NodeTerminationHandler = new AwsIam.Inputs.EKSNodeTerminationHandlerPolicyArgs
        {
            Attach = false,
            SqsQueueArns = new[]
            {
                "string",
            },
        },
        Velero = new AwsIam.Inputs.EKSVeleroPolicyArgs
        {
            Attach = false,
            S3BucketArns = new[]
            {
                "string",
            },
        },
        VpnCni = new AwsIam.Inputs.EKSVPNCNIPolicyArgs
        {
            Attach = false,
            EnableIpv4 = false,
            EnableIpv6 = false,
        },
    },
    PolicyNamePrefix = "string",
    Role = new AwsIam.Inputs.EKSServiceAccountRoleArgs
    {
        Description = "string",
        Name = "string",
        NamePrefix = "string",
        Path = "string",
        // NOTE(review): presumably the ARN of a permissions boundary policy applied to the role - confirm.
        PermissionsBoundaryArn = "string",
        PolicyArns = new[]
        {
            "string",
        },
    },
    Tags = 
    {
        { "string", "string" },
    },
});
// Reference listing of every input on RoleForServiceAccountsEks. All values are placeholders
// ("string", false, 0) and must be replaced before use.
example, err := awsiam.NewRoleForServiceAccountsEks(ctx, "roleForServiceAccountsEksResource", &awsiam.RoleForServiceAccountsEksArgs{
	// Name of the IAM condition operator evaluated when the role is assumed.
	// NOTE(review): an operator that matches wildcards widens which identities can assume the role - confirm your choice.
	AssumeRoleConditionTest: pulumi.String("string"),
	ForceDetachPolicies:     pulumi.Bool(false),
	// Placeholder only: the documented range is 3600 to 43200 seconds.
	MaxSessionDuration:      pulumi.Int(0),
	OidcProviders: awsiam.OIDCProviderMap{
		"string": &awsiam.OIDCProviderArgs{
			// The usage example passes "namespace:service-account" strings here.
			NamespaceServiceAccounts: pulumi.StringArray{
				pulumi.String("string"),
			},
			ProviderArn: pulumi.String("string"),
		},
	},
	// Each policy is opt-in through its Attach/Controller-style flag. This page documents wildcard
	// fallbacks for WorkspaceArns and CertManager.HostedZoneArns when they are omitted; check the
	// default of every other ARN list before leaving it out.
	Policies: &awsiam.EKSRolePoliciesArgs{
		AmazonManagedServicePrometheus: &awsiam.EKSAmazonManagedServicePrometheusPolicyArgs{
			Attach: pulumi.Bool(false),
			// If omitted, a default ARN of "*" is used; list the workspace ARNs explicitly.
			WorkspaceArns: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		Appmesh: &awsiam.EKSAppmeshPolicyArgs{
			Controller: pulumi.Bool(false),
			EnvoyProxy: pulumi.Bool(false),
		},
		CertManager: &awsiam.EKSCertManagerPolicyArgs{
			Attach: pulumi.Bool(false),
			// If omitted, defaults to "arn:aws:route53:::hostedzone/*" (every hosted zone).
			HostedZoneArns: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		ClusterAutoScaling: &awsiam.EKSClusterAutoscalerPolicyArgs{
			Attach: pulumi.Bool(false),
			ClusterIds: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		EbsCsi: &awsiam.EKSEBSCSIPolicyArgs{
			Attach: pulumi.Bool(false),
			KmsCmkIds: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		EfsCsi: &awsiam.EKSEFSCSIPolicyArgs{
			Attach: pulumi.Bool(false),
		},
		ExternalDns: &awsiam.EKSExternalDNSPolicyArgs{
			Attach: pulumi.Bool(false),
			HostedZoneArns: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		ExternalSecrets: &awsiam.EKSExternalSecretsPolicyArgs{
			Attach: pulumi.Bool(false),
			SecretsManagerArns: pulumi.StringArray{
				pulumi.String("string"),
			},
			SsmParameterArns: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		FsxLustreCsi: &awsiam.FSxLustreCSIPolicyArgs{
			Attach: pulumi.Bool(false),
			ServiceRoleArns: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		KarpenterController: &awsiam.EKSKarpenterControllerPolicyArgs{
			Attach:    pulumi.Bool(false),
			ClusterId: pulumi.String("string"),
			NodeIamRoleArns: pulumi.StringArray{
				pulumi.String("string"),
			},
			SsmParameterArns: pulumi.StringArray{
				pulumi.String("string"),
			},
			SubnetAccountId: pulumi.String("string"),
			TagKey:          pulumi.String("string"),
		},
		LoadBalancer: &awsiam.EKSLoadBalancerPolicyArgs{
			Controller:             pulumi.Bool(false),
			TargetGroupBindingOnly: pulumi.Bool(false),
		},
		NodeTerminationHandler: &awsiam.EKSNodeTerminationHandlerPolicyArgs{
			Attach: pulumi.Bool(false),
			SqsQueueArns: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		Velero: &awsiam.EKSVeleroPolicyArgs{
			Attach: pulumi.Bool(false),
			S3BucketArns: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		VpnCni: &awsiam.EKSVPNCNIPolicyArgs{
			Attach:     pulumi.Bool(false),
			EnableIpv4: pulumi.Bool(false),
			EnableIpv6: pulumi.Bool(false),
		},
	},
	PolicyNamePrefix: pulumi.String("string"),
	Role: &awsiam.EKSServiceAccountRoleArgs{
		Description:            pulumi.String("string"),
		Name:                   pulumi.String("string"),
		NamePrefix:             pulumi.String("string"),
		Path:                   pulumi.String("string"),
		// NOTE(review): presumably the ARN of a permissions boundary policy applied to the role - confirm.
		PermissionsBoundaryArn: pulumi.String("string"),
		PolicyArns: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})
// Reference listing of every input on RoleForServiceAccountsEks. All values are placeholders
// ("string", false, 0) and must be replaced before use.
var roleForServiceAccountsEksResource = new RoleForServiceAccountsEks("roleForServiceAccountsEksResource", RoleForServiceAccountsEksArgs.builder()
    // Name of the IAM condition operator evaluated when the role is assumed.
    // NOTE(review): an operator that matches wildcards widens which identities can assume the role - confirm your choice.
    .assumeRoleConditionTest("string")
    .forceDetachPolicies(false)
    // Placeholder only: the documented range is 3600 to 43200 seconds.
    .maxSessionDuration(0)
    // The usage example passes "namespace:service-account" strings as namespaceServiceAccounts.
    .oidcProviders(Map.of("string", Map.ofEntries(
        Map.entry("namespaceServiceAccounts", "string"),
        Map.entry("providerArn", "string")
    )))
    // Each policy is opt-in through its attach/controller-style flag. This page documents wildcard
    // fallbacks for workspaceArns and certManager.hostedZoneArns when they are omitted; check the
    // default of every other ARN list before leaving it out.
    .policies(EKSRolePoliciesArgs.builder()
        .amazonManagedServicePrometheus(EKSAmazonManagedServicePrometheusPolicyArgs.builder()
            .attach(false)
            // If omitted, a default ARN of "*" is used; list the workspace ARNs explicitly.
            .workspaceArns("string")
            .build())
        .appmesh(EKSAppmeshPolicyArgs.builder()
            .controller(false)
            .envoyProxy(false)
            .build())
        .certManager(EKSCertManagerPolicyArgs.builder()
            .attach(false)
            // If omitted, defaults to "arn:aws:route53:::hostedzone/*" (every hosted zone).
            .hostedZoneArns("string")
            .build())
        .clusterAutoScaling(EKSClusterAutoscalerPolicyArgs.builder()
            .attach(false)
            .clusterIds("string")
            .build())
        .ebsCsi(EKSEBSCSIPolicyArgs.builder()
            .attach(false)
            .kmsCmkIds("string")
            .build())
        .efsCsi(EKSEFSCSIPolicyArgs.builder()
            .attach(false)
            .build())
        .externalDns(EKSExternalDNSPolicyArgs.builder()
            .attach(false)
            .hostedZoneArns("string")
            .build())
        .externalSecrets(EKSExternalSecretsPolicyArgs.builder()
            .attach(false)
            .secretsManagerArns("string")
            .ssmParameterArns("string")
            .build())
        .fsxLustreCsi(FSxLustreCSIPolicyArgs.builder()
            .attach(false)
            .serviceRoleArns("string")
            .build())
        .karpenterController(EKSKarpenterControllerPolicyArgs.builder()
            .attach(false)
            .clusterId("string")
            .nodeIamRoleArns("string")
            .ssmParameterArns("string")
            .subnetAccountId("string")
            .tagKey("string")
            .build())
        .loadBalancer(EKSLoadBalancerPolicyArgs.builder()
            .controller(false)
            .targetGroupBindingOnly(false)
            .build())
        .nodeTerminationHandler(EKSNodeTerminationHandlerPolicyArgs.builder()
            .attach(false)
            .sqsQueueArns("string")
            .build())
        .velero(EKSVeleroPolicyArgs.builder()
            .attach(false)
            .s3BucketArns("string")
            .build())
        .vpnCni(EKSVPNCNIPolicyArgs.builder()
            .attach(false)
            .enableIpv4(false)
            .enableIpv6(false)
            .build())
        .build())
    .policyNamePrefix("string")
    .role(EKSServiceAccountRoleArgs.builder()
        .description("string")
        .name("string")
        .namePrefix("string")
        .path("string")
        // NOTE(review): presumably the ARN of a permissions boundary policy applied to the role - confirm.
        .permissionsBoundaryArn("string")
        .policyArns("string")
        .build())
    .tags(Map.of("string", "string"))
    .build());
# Reference listing of every input on RoleForServiceAccountsEks. All values are placeholders
# ("string", False, 0) and must be replaced before use.
role_for_service_accounts_eks_resource = aws_iam.RoleForServiceAccountsEks("roleForServiceAccountsEksResource",
    # Name of the IAM condition operator evaluated when the role is assumed.
    # NOTE(review): an operator that matches wildcards widens which identities can assume the role - confirm your choice.
    assume_role_condition_test="string",
    force_detach_policies=False,
    # Placeholder only: the documented range is 3600 to 43200 seconds.
    max_session_duration=0,
    oidc_providers={
        "string": {
            # The usage example passes "namespace:service-account" strings here.
            "namespace_service_accounts": ["string"],
            "provider_arn": "string",
        },
    },
    # Each policy is opt-in through its attach/controller-style flag. This page documents wildcard
    # fallbacks for workspace_arns and cert_manager.hosted_zone_arns when they are omitted; check the
    # default of every other ARN list before leaving it out.
    policies={
        "amazon_managed_service_prometheus": {
            "attach": False,
            # If omitted, a default ARN of "*" is used; list the workspace ARNs explicitly.
            "workspace_arns": ["string"],
        },
        "appmesh": {
            "controller": False,
            "envoy_proxy": False,
        },
        "cert_manager": {
            "attach": False,
            # If omitted, defaults to "arn:aws:route53:::hostedzone/*" (every hosted zone).
            "hosted_zone_arns": ["string"],
        },
        "cluster_auto_scaling": {
            "attach": False,
            "cluster_ids": ["string"],
        },
        "ebs_csi": {
            "attach": False,
            "kms_cmk_ids": ["string"],
        },
        "efs_csi": {
            "attach": False,
        },
        "external_dns": {
            "attach": False,
            "hosted_zone_arns": ["string"],
        },
        "external_secrets": {
            "attach": False,
            "secrets_manager_arns": ["string"],
            "ssm_parameter_arns": ["string"],
        },
        "fsx_lustre_csi": {
            "attach": False,
            "service_role_arns": ["string"],
        },
        "karpenter_controller": {
            "attach": False,
            "cluster_id": "string",
            "node_iam_role_arns": ["string"],
            "ssm_parameter_arns": ["string"],
            "subnet_account_id": "string",
            "tag_key": "string",
        },
        "load_balancer": {
            "controller": False,
            "target_group_binding_only": False,
        },
        "node_termination_handler": {
            "attach": False,
            "sqs_queue_arns": ["string"],
        },
        "velero": {
            "attach": False,
            "s3_bucket_arns": ["string"],
        },
        "vpn_cni": {
            "attach": False,
            "enable_ipv4": False,
            "enable_ipv6": False,
        },
    },
    policy_name_prefix="string",
    role={
        "description": "string",
        "name": "string",
        "name_prefix": "string",
        "path": "string",
        # NOTE(review): presumably the ARN of a permissions boundary policy applied to the role - confirm.
        "permissions_boundary_arn": "string",
        "policy_arns": ["string"],
    },
    tags={
        "string": "string",
    })
// Reference listing of every input on RoleForServiceAccountsEks. All values are placeholders
// ("string", false, 0) and must be replaced before use.
const roleForServiceAccountsEksResource = new aws_iam.RoleForServiceAccountsEks("roleForServiceAccountsEksResource", {
    // Name of the IAM condition operator evaluated when the role is assumed.
    // NOTE(review): an operator that matches wildcards widens which identities can assume the role - confirm your choice.
    assumeRoleConditionTest: "string",
    forceDetachPolicies: false,
    // Placeholder only: the documented range is 3600 to 43200 seconds.
    maxSessionDuration: 0,
    oidcProviders: {
        string: {
            // The usage example passes "namespace:service-account" strings here.
            namespaceServiceAccounts: ["string"],
            providerArn: "string",
        },
    },
    // Each policy is opt-in through its attach/controller-style flag. This page documents wildcard
    // fallbacks for workspaceArns and certManager.hostedZoneArns when they are omitted; check the
    // default of every other ARN list before leaving it out.
    policies: {
        amazonManagedServicePrometheus: {
            attach: false,
            // If omitted, a default ARN of "*" is used; list the workspace ARNs explicitly.
            workspaceArns: ["string"],
        },
        appmesh: {
            controller: false,
            envoyProxy: false,
        },
        certManager: {
            attach: false,
            // If omitted, defaults to "arn:aws:route53:::hostedzone/*" (every hosted zone).
            hostedZoneArns: ["string"],
        },
        clusterAutoScaling: {
            attach: false,
            clusterIds: ["string"],
        },
        ebsCsi: {
            attach: false,
            kmsCmkIds: ["string"],
        },
        efsCsi: {
            attach: false,
        },
        externalDns: {
            attach: false,
            hostedZoneArns: ["string"],
        },
        externalSecrets: {
            attach: false,
            secretsManagerArns: ["string"],
            ssmParameterArns: ["string"],
        },
        fsxLustreCsi: {
            attach: false,
            serviceRoleArns: ["string"],
        },
        karpenterController: {
            attach: false,
            clusterId: "string",
            nodeIamRoleArns: ["string"],
            ssmParameterArns: ["string"],
            subnetAccountId: "string",
            tagKey: "string",
        },
        loadBalancer: {
            controller: false,
            targetGroupBindingOnly: false,
        },
        nodeTerminationHandler: {
            attach: false,
            sqsQueueArns: ["string"],
        },
        velero: {
            attach: false,
            s3BucketArns: ["string"],
        },
        vpnCni: {
            attach: false,
            enableIpv4: false,
            enableIpv6: false,
        },
    },
    policyNamePrefix: "string",
    role: {
        description: "string",
        name: "string",
        namePrefix: "string",
        path: "string",
        // NOTE(review): presumably the ARN of a permissions boundary policy applied to the role - confirm.
        permissionsBoundaryArn: "string",
        policyArns: ["string"],
    },
    tags: {
        string: "string",
    },
});
# Reference listing of every input on RoleForServiceAccountsEks. All values are placeholders
# (string, false, 0) and must be replaced before use.
type: aws-iam:RoleForServiceAccountsEks
properties:
    # Name of the IAM condition operator evaluated when the role is assumed.
    # NOTE(review): an operator that matches wildcards widens which identities can assume the role - confirm your choice.
    assumeRoleConditionTest: string
    forceDetachPolicies: false
    # Placeholder only: the documented range is 3600 to 43200 seconds.
    maxSessionDuration: 0
    oidcProviders:
        string:
            # The usage example passes "namespace:service-account" strings here.
            namespaceServiceAccounts:
                - string
            providerArn: string
    # Each policy is opt-in through its attach/controller-style flag. This page documents wildcard
    # fallbacks for workspaceArns and certManager.hostedZoneArns when they are omitted; check the
    # default of every other ARN list before leaving it out.
    policies:
        amazonManagedServicePrometheus:
            attach: false
            # If omitted, a default ARN of "*" is used; list the workspace ARNs explicitly.
            workspaceArns:
                - string
        appmesh:
            controller: false
            envoyProxy: false
        certManager:
            attach: false
            # If omitted, defaults to "arn:aws:route53:::hostedzone/*" (every hosted zone).
            hostedZoneArns:
                - string
        clusterAutoScaling:
            attach: false
            clusterIds:
                - string
        ebsCsi:
            attach: false
            kmsCmkIds:
                - string
        efsCsi:
            attach: false
        externalDns:
            attach: false
            hostedZoneArns:
                - string
        externalSecrets:
            attach: false
            secretsManagerArns:
                - string
            ssmParameterArns:
                - string
        fsxLustreCsi:
            attach: false
            serviceRoleArns:
                - string
        karpenterController:
            attach: false
            clusterId: string
            nodeIamRoleArns:
                - string
            ssmParameterArns:
                - string
            subnetAccountId: string
            tagKey: string
        loadBalancer:
            controller: false
            targetGroupBindingOnly: false
        nodeTerminationHandler:
            attach: false
            sqsQueueArns:
                - string
        velero:
            attach: false
            s3BucketArns:
                - string
        vpnCni:
            attach: false
            enableIpv4: false
            enableIpv6: false
    policyNamePrefix: string
    role:
        description: string
        name: string
        namePrefix: string
        path: string
        # NOTE(review): presumably the ARN of a permissions boundary policy applied to the role - confirm.
        permissionsBoundaryArn: string
        policyArns:
            - string
    tags:
        string: string
RoleForServiceAccountsEks Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RoleForServiceAccountsEks resource accepts the following input properties:
- AssumeRoleConditionTest string
- Name of the IAM condition operator to evaluate when assuming the role.
- ForceDetachPolicies bool
- Whether policies should be detached from this role when destroying.
- MaxSessionDuration int
- Maximum CLI/API session duration in seconds between 3600 and 43200.
- OidcProviders Dictionary<string, Pulumi.AwsIam.Inputs.OIDCProviderArgs>
- Map of OIDC providers.
- Policies Pulumi.AwsIam.Inputs.EKSRolePolicies
- PolicyNamePrefix string
- IAM policy name prefix.
- Role Pulumi.AwsIam.Inputs.EKSServiceAccountRole
- Tags Dictionary<string, string>
- A map of tags to add.
- AssumeRoleConditionTest string
- Name of the IAM condition operator to evaluate when assuming the role.
- ForceDetachPolicies bool
- Whether policies should be detached from this role when destroying.
- MaxSessionDuration int
- Maximum CLI/API session duration in seconds between 3600 and 43200.
- OidcProviders map[string]OIDCProviderArgs
- Map of OIDC providers.
- Policies EKSRolePoliciesArgs
- PolicyNamePrefix string
- IAM policy name prefix.
- Role EKSServiceAccountRoleArgs
- Tags map[string]string
- A map of tags to add.
- assumeRoleConditionTest String
- Name of the IAM condition operator to evaluate when assuming the role.
- forceDetachPolicies Boolean
- Whether policies should be detached from this role when destroying.
- maxSessionDuration Integer
- Maximum CLI/API session duration in seconds between 3600 and 43200.
- oidcProviders Map<String,OIDCProviderArgs>
- Map of OIDC providers.
- policies EKSRolePolicies
- policyNamePrefix String
- IAM policy name prefix.
- role EKSServiceAccountRole
- tags Map<String,String>
- A map of tags to add.
- assumeRoleConditionTest string
- Name of the IAM condition operator to evaluate when assuming the role.
- forceDetachPolicies boolean
- Whether policies should be detached from this role when destroying.
- maxSessionDuration number
- Maximum CLI/API session duration in seconds between 3600 and 43200.
- oidcProviders {[key: string]: OIDCProviderArgs}
- Map of OIDC providers.
- policies EKSRolePolicies
- policyNamePrefix string
- IAM policy name prefix.
- role EKSServiceAccountRole
- tags {[key: string]: string}
- A map of tags to add.
- assume_role_condition_test str
- Name of the IAM condition operator to evaluate when assuming the role.
- force_detach_policies bool
- Whether policies should be detached from this role when destroying.
- max_session_duration int
- Maximum CLI/API session duration in seconds between 3600 and 43200.
- oidc_providers Mapping[str, OIDCProviderArgs]
- Map of OIDC providers.
- policies EKSRolePoliciesArgs
- policy_name_prefix str
- IAM policy name prefix.
- role EKSServiceAccountRoleArgs
- tags Mapping[str, str]
- A map of tags to add.
- assumeRoleConditionTest String
- Name of the IAM condition operator to evaluate when assuming the role.
- forceDetachPolicies Boolean
- Whether policies should be detached from this role when destroying.
- maxSessionDuration Number
- Maximum CLI/API session duration in seconds between 3600 and 43200.
- oidcProviders Map<Property Map>
- Map of OIDC providers.
- policies Property Map
- policyNamePrefix String
- IAM policy name prefix.
- role Property Map
- tags Map<String>
- A map of tags to add.
Outputs
All input properties are implicitly available as output properties. Additionally, the RoleForServiceAccountsEks resource produces the following output properties:
Supporting Types
EKSAmazonManagedServicePrometheusPolicy, EKSAmazonManagedServicePrometheusPolicyArgs          
- Attach bool
- Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
- WorkspaceArns List<string>
- List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
- Attach bool
- Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
- WorkspaceArns []string
- List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
- attach Boolean
- Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
- workspaceArns List<String>
- List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
- attach boolean
- Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
- workspaceArns string[]
- List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
- attach bool
- Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
- workspace_arns Sequence[str]
- List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
- attach Boolean
- Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role.
- workspaceArns List<String>
- List of AMP Workspace ARNs to read and write metrics. If not provided, a default ARN of "*" will be provided.
EKSAppmeshPolicy, EKSAppmeshPolicyArgs    
- Controller bool
- Determines whether to attach the Appmesh Controller policy to the role.
- EnvoyProxy bool
- Determines whether to attach the Appmesh envoy proxy policy to the role.
- Controller bool
- Determines whether to attach the Appmesh Controller policy to the role.
- EnvoyProxy bool
- Determines whether to attach the Appmesh envoy proxy policy to the role.
- controller Boolean
- Determines whether to attach the Appmesh Controller policy to the role.
- envoyProxy Boolean
- Determines whether to attach the Appmesh envoy proxy policy to the role.
- controller boolean
- Determines whether to attach the Appmesh Controller policy to the role.
- envoyProxy boolean
- Determines whether to attach the Appmesh envoy proxy policy to the role.
- controller bool
- Determines whether to attach the Appmesh Controller policy to the role.
- envoy_proxy bool
- Determines whether to attach the Appmesh envoy proxy policy to the role.
- controller Boolean
- Determines whether to attach the Appmesh Controller policy to the role.
- envoyProxy Boolean
- Determines whether to attach the Appmesh envoy proxy policy to the role.
EKSCertManagerPolicy, EKSCertManagerPolicyArgs      
- Attach bool
- Determines whether to attach the Cert Manager IAM policy to the role.
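- HostedZoneArns List<string>
- Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied, which covers every hosted zone; pass the specific zone ARNs to limit which zones the role can modify.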
- Attach bool
- Determines whether to attach the Cert Manager IAM policy to the role.
- HostedZoneArns []string
- Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach Boolean
- Determines whether to attach the Cert Manager IAM policy to the role.
- hostedZoneArns List<String>
- Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach boolean
- Determines whether to attach the Cert Manager IAM policy to the role.
- hostedZoneArns string[]
- Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach bool
- Determines whether to attach the Cert Manager IAM policy to the role.
- hosted_zone_arns Sequence[str]
- Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach Boolean
- Determines whether to attach the Cert Manager IAM policy to the role.
- hostedZoneArns List<String>
- Route53 hosted zone ARNs to allow Cert manager to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
EKSClusterAutoscalerPolicy, EKSClusterAutoscalerPolicyArgs      
- Attach bool
- Determines whether to attach the Cluster Autoscaler IAM policy to the role.
- ClusterIds List<string>
- List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
- Attach bool
- Determines whether to attach the Cluster Autoscaler IAM policy to the role.
- ClusterIds []string
- List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
- attach Boolean
- Determines whether to attach the Cluster Autoscaler IAM policy to the role.
- clusterIds List<String>
- List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
- attach boolean
- Determines whether to attach the Cluster Autoscaler IAM policy to the role.
- clusterIds string[]
- List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
- attach bool
- Determines whether to attach the Cluster Autoscaler IAM policy to the role.
- cluster_ids Sequence[str]
- List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
- attach Boolean
- Determines whether to attach the Cluster Autoscaler IAM policy to the role.
- clusterIds List<String>
- List of cluster IDs to appropriately scope permissions within the Cluster Autoscaler IAM policy.
EKSEBSCSIPolicy, EKSEBSCSIPolicyArgs  
- attach bool
- Determines whether to attach the EBS CSI IAM policy to the role.
- kms_cmk_ids Sequence[str]
- KMS CMK IDs to allow EBS CSI to manage encrypted volumes.
EKSEFSCSIPolicy, EKSEFSCSIPolicyArgs  
- Attach bool
- Determines whether to attach the EFS CSI IAM policy to the role.
- Attach bool
- Determines whether to attach the EFS CSI IAM policy to the role.
- attach Boolean
- Determines whether to attach the EFS CSI IAM policy to the role.
- attach boolean
- Determines whether to attach the EFS CSI IAM policy to the role.
- attach bool
- Determines whether to attach the EFS CSI IAM policy to the role.
- attach Boolean
- Determines whether to attach the EFS CSI IAM policy to the role.
EKSExternalDNSPolicy, EKSExternalDNSPolicyArgs    
- Attach bool
- Determines whether to attach the External DNS IAM policy to the role.
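- HostedZoneArns List<string>
- Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied, which covers every hosted zone; pass the specific zone ARNs to limit which zones the role can modify.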
- Attach bool
- Determines whether to attach the External DNS IAM policy to the role.
- HostedZoneArns []string
- Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach Boolean
- Determines whether to attach the External DNS IAM policy to the role.
- hostedZoneArns List<String>
- Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach boolean
- Determines whether to attach the External DNS IAM policy to the role.
- hostedZoneArns string[]
- Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach bool
- Determines whether to attach the External DNS IAM policy to the role.
- hosted_zone_arns Sequence[str]
- Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
- attach Boolean
- Determines whether to attach the External DNS IAM policy to the role.
- hostedZoneArns List<String>
- Route53 hosted zone ARNs to allow External DNS to manage records. If not provided, the default ARN "arn:aws:route53:::hostedzone/*" will be applied.
EKSExternalSecretsPolicy, EKSExternalSecretsPolicyArgs      
- Attach bool
- Determines whether to attach the External Secrets policy to the role.
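- SecretsManagerArns List<string>
- List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied. The default ends in a wildcard, so the role can access every secret it matches; pass the ARNs of the specific secrets the workload needs. (The region and account fields print as empty here, which may be wildcard characters lost in rendering; confirm the effective default in the provider schema.)
- SsmParameterArns List<string>
- List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied. The default ends in a wildcard, so the role can access every parameter it matches; pass the ARNs of the specific parameters the workload needs.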
- Attach bool
- Determines whether to attach the External Secrets policy to the role.
- SecretsManagerArns []string
- List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
- SsmParameterArns []string
- List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
- attach Boolean
- Determines whether to attach the External Secrets policy to the role.
- secretsManagerArns List<String>
- List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
- ssmParameterArns List<String>
- List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
- attach boolean
- Determines whether to attach the External Secrets policy to the role.
- secretsManagerArns string[]
- List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
- ssmParameterArns string[]
- List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
- attach bool
- Determines whether to attach the External Secrets policy to the role.
- secrets_manager_arns Sequence[str]
- List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
- ssm_parameter_arns Sequence[str]
- List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
- attach Boolean
- Determines whether to attach the External Secrets policy to the role.
- secretsManagerArns List<String>
- List of Secrets Manager ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:secretsmanager:::secret:*" will be applied.
- ssmParameterArns List<String>
- List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets. If not provided, the default ARN "arn:aws:ssm:::parameter/*" will be applied.
EKSKarpenterControllerPolicy, EKSKarpenterControllerPolicyArgs      
- Attach bool
- Determines whether to attach the Karpenter Controller policy to the role.
- ClusterId string
- Cluster ID where the Karpenter controller is provisioned/managing.
- NodeIamRoleArns List<string>
- List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied, which places no restriction on the IAM roles Karpenter can use for nodes; list the intended node role ARNs explicitly.
- SsmParameterArns List<string>
- List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
- SubnetAccountId string
- Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
- TagKey string
- Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
- Attach bool
- Determines whether to attach the Karpenter Controller policy to the role.
- ClusterId string
- Cluster ID where the Karpenter controller is provisioned/managing.
- NodeIamRoleArns []string
- List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
- SsmParameterArns []string
- List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
- SubnetAccountId string
- Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
- TagKey string
- Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
- attach Boolean
- Determines whether to attach the Karpenter Controller policy to the role.
- clusterId String
- Cluster ID where the Karpenter controller is provisioned/managing.
- nodeIamRoleArns List<String>
- List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
- ssmParameterArns List<String>
- List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
- subnetAccountId String
- Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
- tagKey String
- Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
- attach boolean
- Determines whether to attach the Karpenter Controller policy to the role.
- clusterId string
- Cluster ID where the Karpenter controller is provisioned/managing.
- nodeIamRoleArns string[]
- List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
- ssmParameterArns string[]
- List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
- subnetAccountId string
- Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
- tagKey string
- Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
- attach bool
- Determines whether to attach the Karpenter Controller policy to the role.
- cluster_id str
- Cluster ID where the Karpenter controller is provisioned/managing.
- node_iam_role_arns Sequence[str]
- List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
- ssm_parameter_arns Sequence[str]
- List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
- subnet_account_id str
- Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
- tag_key str
- Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
- attach Boolean
- Determines whether to attach the Karpenter Controller policy to the role.
- clusterId String
- Cluster ID where the Karpenter controller is provisioned/managing.
- nodeIamRoleArns List<String>
- List of node IAM role ARNs Karpenter can use to launch nodes. If not provided, the default ARN "*" will be applied.
- ssmParameterArns List<String>
- List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter. If not provided, the default ARN "arn:aws:ssm:::parameter/aws/service/*" will be applied.
- subnetAccountId String
- Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account.
- tagKey String
- Tag key ({key = value}) applied to resources launched by Karpenter through the Karpenter provisioner.
EKSLoadBalancerPolicy, EKSLoadBalancerPolicyArgs      
- Controller bool
- Determines whether to attach the Load Balancer Controller policy to the role.
- TargetGroupBindingOnly bool
- Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
- Controller bool
- Determines whether to attach the Load Balancer Controller policy to the role.
- TargetGroupBindingOnly bool
- Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
- controller Boolean
- Determines whether to attach the Load Balancer Controller policy to the role.
- targetGroupBindingOnly Boolean
- Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
- controller boolean
- Determines whether to attach the Load Balancer Controller policy to the role.
- targetGroupBindingOnly boolean
- Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
- controller bool
- Determines whether to attach the Load Balancer Controller policy to the role.
- target_group_binding_only bool
- Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
- controller Boolean
- Determines whether to attach the Load Balancer Controller policy to the role.
- targetGroupBindingOnly Boolean
- Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only.
EKSNodeTerminationHandlerPolicy, EKSNodeTerminationHandlerPolicyArgs        
- Attach bool
- Determines whether to attach the Node Termination Handler policy to the role.
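- SqsQueueArns List<string>
- List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided, which matches every queue; pass the specific queue ARNs to keep the policy scoped to the termination-event queues.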
- Attach bool
- Determines whether to attach the Node Termination Handler policy to the role.
- SqsQueueArns []string
- List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
- attach Boolean
- Determines whether to attach the Node Termination Handler policy to the role.
- sqsQueueArns List<String>
- List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
- attach boolean
- Determines whether to attach the Node Termination Handler policy to the role.
- sqsQueueArns string[]
- List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
- attach bool
- Determines whether to attach the Node Termination Handler policy to the role.
- sqs_queue_arns Sequence[str]
- List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
- attach Boolean
- Determines whether to attach the Node Termination Handler policy to the role.
- sqsQueueArns List<String>
- List of SQS ARNs that contain node termination events. If not provided, then a default ARN of "*" will be provided.
EKSRolePolicies, EKSRolePoliciesArgs    
- AmazonManagedServicePrometheus Pulumi.AwsIam.Inputs.EKSAmazonManagedServicePrometheusPolicy
- The Amazon Managed Service for Prometheus IAM policy.
- Appmesh Pulumi.AwsIam.Inputs.EKSAppmeshPolicy
- The Appmesh policies.
- CertManager Pulumi.AwsIam.Inputs.EKSCertManagerPolicy
- The Cert Manager IAM policy.
- ClusterAutoScaling Pulumi.AwsIam.Inputs.EKSClusterAutoscalerPolicy
- The Cluster Autoscaler IAM policy.
- EbsCsi Pulumi.AwsIam.Inputs.EKSEBSCSIPolicy
- The EBS CSI IAM policy.
- EfsCsi Pulumi.AwsIam.Inputs.EKSEFSCSIPolicy
- The EFS CSI IAM policy.
- ExternalDns Pulumi.AwsIam.Inputs.EKSExternalDNSPolicy
- The External DNS IAM policy.
- ExternalSecrets Pulumi.AwsIam.Inputs.EKSExternalSecretsPolicy
- The External Secrets policy.
- FsxLustreCsi Pulumi.AwsIam.Inputs.FSxLustreCSIPolicy
- The FSx for Lustre CSI Driver IAM policy.
- KarpenterController Pulumi.AwsIam.Inputs.EKSKarpenterControllerPolicy
- The Karpenter Controller policy.
- LoadBalancer Pulumi.AwsIam.Inputs.EKSLoadBalancerPolicy
- The Load Balancer policy.
- NodeTerminationHandler Pulumi.AwsIam.Inputs.EKSNodeTerminationHandlerPolicy
- The Node Termination Handler policy to attach to the role.
- Velero Pulumi.AwsIam.Inputs.EKSVeleroPolicy
- The Velero IAM policy.
- VpnCni Pulumi.AwsIam.Inputs.EKSVPNCNIPolicy
- The VPC CNI IAM policy to attach to the role.
- AmazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy
- The Amazon Managed Service for Prometheus IAM policy.
- Appmesh EKSAppmeshPolicy
- The Appmesh policies.
- CertManager EKSCertManagerPolicy
- The Cert Manager IAM policy.
- ClusterAutoScaling EKSClusterAutoscalerPolicy
- The Cluster Autoscaler IAM policy.
- EbsCsi EKSEBSCSIPolicy
- The EBS CSI IAM policy.
- EfsCsi EKSEFSCSIPolicy
- The EFS CSI IAM policy.
- ExternalDns EKSExternalDNSPolicy
- The External DNS IAM policy.
- ExternalSecrets EKSExternalSecretsPolicy
- The External Secrets policy.
- FsxLustreCsi FSxLustreCSIPolicy
- The FSx for Lustre CSI Driver IAM policy.
- KarpenterController EKSKarpenterControllerPolicy
- The Karpenter Controller policy.
- LoadBalancer EKSLoadBalancerPolicy
- The Load Balancer policy.
- NodeTerminationHandler EKSNodeTerminationHandlerPolicy
- The Node Termination Handler policy to attach to the role.
- Velero EKSVeleroPolicy
- The Velero IAM policy.
- VpnCni EKSVPNCNIPolicy
- The VPC CNI IAM policy to attach to the role.
- amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy
- The Amazon Managed Service for Prometheus IAM policy.
- appmesh EKSAppmeshPolicy
- The Appmesh policies.
- certManager EKSCertManagerPolicy
- The Cert Manager IAM policy.
- clusterAutoScaling EKSClusterAutoscalerPolicy
- The Cluster Autoscaler IAM policy.
- ebsCsi EKSEBSCSIPolicy
- The EBS CSI IAM policy.
- efsCsi EKSEFSCSIPolicy
- The EFS CSI IAM policy.
- externalDns EKSExternalDNSPolicy
- The External DNS IAM policy.
- externalSecrets EKSExternalSecretsPolicy
- The External Secrets policy.
- fsxLustreCsi FSxLustreCSIPolicy
- The FSx for Lustre CSI Driver IAM policy.
- karpenterController EKSKarpenterControllerPolicy
- The Karpenter Controller policy.
- loadBalancer EKSLoadBalancerPolicy
- The Load Balancer policy.
- nodeTerminationHandler EKSNodeTerminationHandlerPolicy
- The Node Termination Handler policy to attach to the role.
- velero EKSVeleroPolicy
- The Velero IAM policy.
- vpnCni EKSVPNCNIPolicy
- The VPC CNI IAM policy to attach to the role.
- amazonManagedServicePrometheus EKSAmazonManagedServicePrometheusPolicy
- The Amazon Managed Service for Prometheus IAM policy.
- appmesh EKSAppmeshPolicy
- The Appmesh policies.
- certManager EKSCertManagerPolicy
- The Cert Manager IAM policy.
- clusterAutoScaling EKSClusterAutoscalerPolicy
- The Cluster Autoscaler IAM policy.
- ebsCsi EKSEBSCSIPolicy
- The EBS CSI IAM policy.
- efsCsi EKSEFSCSIPolicy
- The EFS CSI IAM policy.
- externalDns EKSExternalDNSPolicy
- The External DNS IAM policy.
- externalSecrets EKSExternalSecretsPolicy
- The External Secrets policy.
- fsxLustreCsi FSxLustreCSIPolicy
- The FSx for Lustre CSI Driver IAM policy.
- karpenterController EKSKarpenterControllerPolicy
- The Karpenter Controller policy.
- loadBalancer EKSLoadBalancerPolicy
- The Load Balancer policy.
- nodeTerminationHandler EKSNodeTerminationHandlerPolicy
- The Node Termination Handler policy to attach to the role.
- velero EKSVeleroPolicy
- The Velero IAM policy.
- vpnCni EKSVPNCNIPolicy
- The VPC CNI IAM policy to attach to the role.
- amazon_managed_service_prometheus EKSAmazonManagedServicePrometheusPolicy
- The Amazon Managed Service for Prometheus IAM policy.
- appmesh EKSAppmeshPolicy
- The Appmesh policies.
- cert_manager EKSCertManagerPolicy
- The Cert Manager IAM policy.
- cluster_auto_scaling EKSClusterAutoscalerPolicy
- The Cluster Autoscaler IAM policy.
- ebs_csi EKSEBSCSIPolicy
- The EBS CSI IAM policy.
- efs_csi EKSEFSCSIPolicy
- The EFS CSI IAM policy.
- external_dns EKSExternalDNSPolicy
- The External DNS IAM policy.
- external_secrets EKSExternalSecretsPolicy
- The External Secrets policy.
- fsx_lustre_csi FSxLustreCSIPolicy
- The FSx for Lustre CSI Driver IAM policy.
- karpenter_controller EKSKarpenterControllerPolicy
- The Karpenter Controller policy.
- load_balancer EKSLoadBalancerPolicy
- The Load Balancer policy.
- node_termination_handler EKSNodeTerminationHandlerPolicy
- The Node Termination Handler policy to attach to the role.
- velero EKSVeleroPolicy
- The Velero IAM policy.
- vpn_cni EKSVPNCNIPolicy
- The VPC CNI IAM policy to attach to the role.
- amazonManagedServicePrometheus Property Map
- The Amazon Managed Service for Prometheus IAM policy.
- appmesh Property Map
- The Appmesh policies.
- certManager Property Map
- The Cert Manager IAM policy.
- clusterAutoScaling Property Map
- The Cluster Autoscaler IAM policy.
- ebsCsi Property Map
- The EBS CSI IAM policy.
- efsCsi Property Map
- The EFS CSI IAM policy.
- externalDns Property Map
- The External DNS IAM policy.
- externalSecrets Property Map
- The External Secrets policy.
- fsxLustreCsi Property Map
- The FSx for Lustre CSI Driver IAM policy.
- karpenterController Property Map
- The Karpenter Controller policy.
- loadBalancer Property Map
- The Load Balancer policy.
- nodeTerminationHandler Property Map
- The Node Termination Handler policy to attach to the role.
- velero Property Map
- The Velero IAM policy.
- vpnCni Property Map
- The VPC CNI IAM policy to attach to the role.
EKSServiceAccountRole, EKSServiceAccountRoleArgs      
- Description string
- IAM Role description.
- Name string
- IAM role name.
- NamePrefix string
- IAM role name prefix.
- Path string
- Path of admin IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for the role.
- PolicyArns List<string>
- List of policy ARNs to use for the role.
- Description string
- IAM Role description.
- Name string
- IAM role name.
- NamePrefix string
- IAM role name prefix.
- Path string
- Path of admin IAM role.
- PermissionsBoundaryArn string
- Permissions boundary ARN to use for the role.
- PolicyArns []string
- List of policy ARNs to use for the role.
- description String
- IAM Role description.
- name String
- IAM role name.
- namePrefix String
- IAM role name prefix.
- path String
- Path of admin IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for the role.
- policyArns List<String>
- List of policy ARNs to use for the role.
- description string
- IAM Role description.
- name string
- IAM role name.
- namePrefix string
- IAM role name prefix.
- path string
- Path of admin IAM role.
- permissionsBoundaryArn string
- Permissions boundary ARN to use for the role.
- policyArns string[]
- List of policy ARNs to use for the role.
- description str
- IAM Role description.
- name str
- IAM role name.
- name_prefix str
- IAM role name prefix.
- path str
- Path of admin IAM role.
- permissions_boundary_arn str
- Permissions boundary ARN to use for the role.
- policy_arns Sequence[str]
- List of policy ARNs to use for the role.
- description String
- IAM Role description.
- name String
- IAM role name.
- namePrefix String
- IAM role name prefix.
- path String
- Path of admin IAM role.
- permissionsBoundaryArn String
- Permissions boundary ARN to use for the role.
- policyArns List<String>
- List of policy ARNs to use for the role.
EKSVPNCNIPolicy, EKSVPNCNIPolicyArgs  
- Attach bool
- Determines whether to attach the VPC CNI IAM policy to the role.
- EnableIpv4 bool
- Determines whether to enable IPv4 permissions for VPC CNI policy.
- EnableIpv6 bool
- Determines whether to enable IPv6 permissions for VPC CNI policy.
- Attach bool
- Determines whether to attach the VPC CNI IAM policy to the role.
- EnableIpv4 bool
- Determines whether to enable IPv4 permissions for VPC CNI policy.
- EnableIpv6 bool
- Determines whether to enable IPv6 permissions for VPC CNI policy.
- attach Boolean
- Determines whether to attach the VPC CNI IAM policy to the role.
- enableIpv4 Boolean
- Determines whether to enable IPv4 permissions for VPC CNI policy.
- enableIpv6 Boolean
- Determines whether to enable IPv6 permissions for VPC CNI policy.
- attach boolean
- Determines whether to attach the VPC CNI IAM policy to the role.
- enableIpv4 boolean
- Determines whether to enable IPv4 permissions for VPC CNI policy.
- enableIpv6 boolean
- Determines whether to enable IPv6 permissions for VPC CNI policy.
- attach bool
- Determines whether to attach the VPC CNI IAM policy to the role.
- enable_ipv4 bool
- Determines whether to enable IPv4 permissions for VPC CNI policy.
- enable_ipv6 bool
- Determines whether to enable IPv6 permissions for VPC CNI policy.
- attach Boolean
- Determines whether to attach the VPC CNI IAM policy to the role.
- enableIpv4 Boolean
- Determines whether to enable IPv4 permissions for VPC CNI policy.
- enableIpv6 Boolean
- Determines whether to enable IPv6 permissions for VPC CNI policy.
EKSVeleroPolicy, EKSVeleroPolicyArgs    
- Attach bool
- Determines whether to attach the Velero IAM policy to the role.
- S3BucketArns List<string>
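- List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided, which matches every bucket; pass the ARNs of the backup buckets only, so the role cannot reach unrelated data.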
- Attach bool
- Determines whether to attach the Velero IAM policy to the role.
- S3BucketArns []string
- List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
- attach Boolean
- Determines whether to attach the Velero IAM policy to the role.
- s3BucketArns List<String>
- List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
- attach boolean
- Determines whether to attach the Velero IAM policy to the role.
- s3BucketArns string[]
- List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
- attach bool
- Determines whether to attach the Velero IAM policy to the role.
- s3_bucket_arns Sequence[str]
- List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
- attach Boolean
- Determines whether to attach the Velero IAM policy to the role.
- s3BucketArns List<String>
- List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. If not provided, a default ARN of "*" will be provided.
FSxLustreCSIPolicy, FSxLustreCSIPolicyArgs      
- Attach bool
- Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
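- ServiceRoleArns List<string>
- Service role ARNs to allow FSx for Lustre CSI to create and manage FSx for Lustre service-linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied (as printed, the account field and the trailing path segment are empty, which may be wildcard characters lost in rendering; confirm the effective default in the provider schema).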
- Attach bool
- Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
- ServiceRoleArns []string
- Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
- attach Boolean
- Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
- serviceRoleArns List<String>
- Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
- attach boolean
- Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
- serviceRoleArns string[]
- Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
- attach bool
- Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
- service_role_arns Sequence[str]
- Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
- attach Boolean
- Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role.
- serviceRoleArns List<String>
- Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles. If not provided, the default ARN "arn:aws:iam:::role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/" will be applied.
OIDCProvider, OIDCProviderArgs  
- NamespaceServiceAccounts List<string>
- ProviderArn string
- NamespaceServiceAccounts []string
- ProviderArn string
- namespaceServiceAccounts List<String>
- providerArn String
- namespaceServiceAccounts string[]
- providerArn string
- namespace_service_accounts Sequence[str]
- provider_arn str
- namespaceServiceAccounts List<String>
- providerArn String
Package Details
- Repository
- aws-iam
- License