Provides an IAM role.
```terraform
resource "aws_iam_role" "test_role" {
  name = "test_role"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })

  tags = {
    tag-key = "tag-value"
  }
}
```
The same trust policy can be built with the `aws_iam_policy_document` data source instead of `jsonencode`:

```terraform
data "aws_iam_policy_document" "instance_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "instance_role"
  path               = "/system/"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json
}
```
This example creates an IAM role with two inline IAM policies. If someone adds another inline policy out-of-band, on the next apply, Terraform will remove that policy. If someone deletes these policies out-of-band, Terraform will recreate them.
```terraform
resource "aws_iam_role" "example" {
  name               = "yak_role"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)

  inline_policy {
    name = "my_inline_policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action   = ["ec2:Describe*"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }

  inline_policy {
    name   = "policy-8675309"
    policy = data.aws_iam_policy_document.inline_policy.json
  }
}

data "aws_iam_policy_document" "inline_policy" {
  statement {
    actions   = ["ec2:DescribeAccountAttributes"]
    resources = ["*"]
  }
}
```
This example creates an IAM role with an empty `inline_policy` configuration block (`inline_policy {}`) rather than omitting the block entirely. The result is that if someone adds an inline policy out-of-band, on the next apply, Terraform will remove that policy.
```terraform
resource "aws_iam_role" "example" {
  name               = "yak_role"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)

  inline_policy {}
}
```
This example creates an IAM role and attaches two managed IAM policies. If someone attaches another managed policy out-of-band, on the next apply, Terraform will detach that policy. If someone detaches these policies out-of-band, Terraform will attach them again.
```terraform
resource "aws_iam_role" "example" {
  name                = "yak_role"
  assume_role_policy  = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)
  managed_policy_arns = [aws_iam_policy.policy_one.arn, aws_iam_policy.policy_two.arn]
}

resource "aws_iam_policy" "policy_one" {
  name = "policy-618033"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ec2:Describe*"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_policy" "policy_two" {
  name = "policy-381966"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:HeadBucket"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```
This example creates an IAM role with an empty `managed_policy_arns` argument. If someone attaches a policy out-of-band, on the next apply, Terraform will detach that policy.
```terraform
resource "aws_iam_role" "example" {
  name                = "yak_role"
  assume_role_policy  = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)
  managed_policy_arns = []
}
```
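The examples above each show one behaviour in isolation. The following configuration is an added example, not part of the provider documentation, that combines them into a single role whose permissions cannot silently grow: a trust policy restricted to the current account, a permissions boundary that caps whatever is attached later, the shortest allowed session duration, an exclusive `managed_policy_arns` set, and an empty `inline_policy {}` block so that inline policies added out-of-band are removed on the next apply. The `boundary` and `ssm_readonly` policies, the `/app/*` parameter path and the use of `aws:SourceAccount` in the trust policy are assumptions for illustration; confirm in the AWS documentation that the service principal you trust honours that condition key before relying on it.

```terraform
# Added example (not from the provider docs). Assumes an AWS provider is
# configured and that only instances in the caller's own account should be
# able to assume this role.

data "aws_caller_identity" "current" {}

# Trust policy: the EC2 service, limited to instances in this account.
# aws:SourceAccount (assumption: supported by the trusted service) narrows the
# trust so that a role of the same name in another account cannot be used
# by instances outside this one.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Permissions boundary (hypothetical): the upper bound on what any policy
# attached to the role can grant, even if a broader policy is attached later.
data "aws_iam_policy_document" "boundary" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:Describe*", "ssm:GetParameter*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "boundary" {
  name   = "example-boundary"
  policy = data.aws_iam_policy_document.boundary.json
}

# The permission the role is actually meant to have (hypothetical): read
# parameters under one path in this account only.
data "aws_iam_policy_document" "ssm_readonly" {
  statement {
    effect    = "Allow"
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = ["arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:parameter/app/*"]
  }
}

resource "aws_iam_policy" "ssm_readonly" {
  name   = "example-ssm-readonly"
  policy = data.aws_iam_policy_document.ssm_readonly.json
}

resource "aws_iam_role" "hardened" {
  name                 = "hardened_instance_role"
  path                 = "/system/"
  assume_role_policy   = data.aws_iam_policy_document.ec2_trust.json
  permissions_boundary = aws_iam_policy.boundary.arn

  # One hour is both the default and the minimum; the maximum is 12 hours.
  max_session_duration = 3600

  # Exclusive set: a managed policy attached out-of-band is detached on the
  # next apply, and one detached out-of-band is attached again.
  managed_policy_arns = [aws_iam_policy.ssm_readonly.arn]

  # Empty block: any inline policy added out-of-band is removed on the next apply.
  inline_policy {}

  # Lets Terraform destroy the role even if policies were attached out-of-band.
  force_detach_policies = true

  tags = {
    managed-by = "terraform"
  }
}
```

Because both `managed_policy_arns` and `inline_policy` are configured, `terraform plan` will show any out-of-band attachment or inline policy as a diff before it is reverted, which makes the plan output itself a useful drift signal for permission changes made outside the pipeline.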
The following argument is required:

- `assume_role_policy` - (Required) Policy that grants an entity permission to assume the role.

The following arguments are optional:

- `description` - (Optional) Description of the role.
- `force_detach_policies` - (Optional) Whether to force detaching any policies the role has before destroying it. Defaults to `false`.
- `inline_policy` - (Optional) Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Terraform will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Terraform to remove _all_ inline policies added out of band on apply.
- `managed_policy_arns` - (Optional) Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., `managed_policy_arns = []`) will cause Terraform to remove _all_ managed policy attachments.
- `max_session_duration` - (Optional) Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
- `name` - (Optional, Forces new resource) Friendly name of the role. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.
- `name_prefix` - (Optional, Forces new resource) Creates a unique friendly name beginning with the specified prefix. Conflicts with `name`.
- `path` - (Optional) Path to the role. See IAM Identifiers for more information.
- `permissions_boundary` - (Optional) ARN of the policy that is used to set the permissions boundary for the role.
- `tags` - Key-value mapping of tags for the IAM role. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

The `inline_policy` configuration block supports the following:

- `name` - (Required) Name of the role policy.
- `policy` - (Required) Policy document as a JSON formatted string. For more information about building IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.

This resource exports the following attributes in addition to the arguments above:

- `arn` - Amazon Resource Name (ARN) specifying the role.
- `create_date` - Creation date of the IAM role.
- `id` - Name of the role.
- `name` - Name of the role.
- `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- `unique_id` - Stable and unique string identifying the role.

In Terraform v1.5.0 and later, use an `import` block to import IAM Roles using the `name`. For example:
```terraform
import {
  to = aws_iam_role.developer
  id = "developer_name"
}
```
Using `terraform import`, import IAM Roles using the `name`. For example:
```console
% terraform import aws_iam_role.developer developer_name
```