
AWS IAM Role

Deploys an AWS IAM Role with a configurable trust policy, optional managed policy attachments, and optional inline policy documents. The component creates the role, attaches any specified policies, and exports the role ARN and name for use by other components.

What Gets Created

When you deploy an AwsIamRole resource, OpenMCF provisions:

  • IAM Role — an iam.Role resource with the specified name, trust (assume-role) policy, optional description, and IAM path
  • Managed Policy Attachments — one iam.RolePolicyAttachment per entry in managedPolicyArns, linking the role to existing AWS-managed or customer-managed policies
  • Inline Policies — one iam.RolePolicy per entry in inlinePolicies, embedding policy documents directly on the role

Prerequisites

  • AWS credentials configured via environment variables or OpenMCF provider config
  • A trust policy document defining which principals (services, accounts, or users) may assume this role
  • Policy ARNs for any managed policies you want to attach (AWS-managed or customer-managed)

Quick Start

Create a file iam-role.yaml:

apiVersion: aws.openmcf.org/v1
kind: AwsIamRole
metadata:
  name: my-ecs-task-role
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.AwsIamRole.my-ecs-task-role
spec:
  region: us-east-1
  trustPolicy:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service: ecs-tasks.amazonaws.com
        Action: sts:AssumeRole

Deploy:

openmcf apply -f iam-role.yaml

This creates an IAM role that can be assumed by ECS tasks, with no additional policies attached.

Configuration Reference

Required Fields

Field       | Type   | Description                                                                                                           | Validation
------------|--------|-----------------------------------------------------------------------------------------------------------------------|-----------
region      | string | The AWS region where the resource will be created (e.g., us-east-1).                                                  | Required
trustPolicy | object | JSON trust policy document defining which principals may assume this role. Serialized as a google.protobuf.Struct.   | Required

Optional Fields

Field             | Type                | Default | Description
------------------|---------------------|---------|------------------------------------------------------------------------------------------------------------------------
description       | string              | ""      | Human-readable description of the IAM role's purpose.
path              | string              | "/"     | IAM path for the role, used for organizational grouping (e.g., /service-roles/).
managedPolicyArns | string[]            | []      | ARNs of AWS-managed or customer-managed IAM policies to attach. Must be unique.
inlinePolicies    | map<string, object> | {}      | Map of inline policy names to IAM policy documents. Keys are policy names; values are google.protobuf.Struct policy documents.

Examples

EC2 Instance Role with Managed Policies

A role that EC2 instances can assume, with the SSM managed policy attached:

apiVersion: aws.openmcf.org/v1
kind: AwsIamRole
metadata:
  name: ec2-instance-role
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.AwsIamRole.ec2-instance-role
spec:
  region: us-east-1
  description: Allows EC2 instances to call AWS services
  trustPolicy:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service: ec2.amazonaws.com
        Action: sts:AssumeRole
  managedPolicyArns:
    - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

Lambda Execution Role with Inline Policy

A role for Lambda functions with an inline policy granting DynamoDB access:

apiVersion: aws.openmcf.org/v1
kind: AwsIamRole
metadata:
  name: lambda-exec-role
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.AwsIamRole.lambda-exec-role
spec:
  region: us-east-1
  description: Execution role for order-processing Lambda
  path: /service-roles/
  trustPolicy:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service: lambda.amazonaws.com
        Action: sts:AssumeRole
  managedPolicyArns:
    - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  inlinePolicies:
    dynamodb-access:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:Query
          Resource: arn:aws:dynamodb:us-east-1:123456789012:table/orders

Cross-Account Assume Role

A role that allows a different AWS account to assume it, useful for cross-account resource access:

apiVersion: aws.openmcf.org/v1
kind: AwsIamRole
metadata:
  name: cross-account-reader
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.AwsIamRole.cross-account-reader
spec:
  region: us-east-1
  description: Allows account 111111111111 to read S3 buckets in this account
  trustPolicy:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          AWS: arn:aws:iam::111111111111:root
        Action: sts:AssumeRole
        Condition:
          StringEquals:
            sts:ExternalId: unique-external-id-abc123
  managedPolicyArns:
    - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

ECS Task Role with Multiple Inline Policies

A role combining managed and inline policies for fine-grained ECS task permissions:

apiVersion: aws.openmcf.org/v1
kind: AwsIamRole
metadata:
  name: ecs-worker-role
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.AwsIamRole.ecs-worker-role
spec:
  region: us-east-1
  description: Worker task role with SQS and S3 permissions
  trustPolicy:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service: ecs-tasks.amazonaws.com
        Action: sts:AssumeRole
  managedPolicyArns:
    - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
  inlinePolicies:
    sqs-access:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - sqs:ReceiveMessage
            - sqs:DeleteMessage
            - sqs:GetQueueAttributes
          Resource: arn:aws:sqs:us-east-1:123456789012:worker-queue
    s3-upload:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - s3:PutObject
          Resource: arn:aws:s3:::output-bucket/*
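The trust policy decides who can assume the role and the inline policies decide what it can then do, so both are worth checking before running openmcf apply. The following linter is an added example, not OpenMCF's own code: it walks the spec block of an AwsIamRole manifest (already parsed into a Python dict) and flags a wildcard principal, a cross-account root principal with no sts:ExternalId condition (as the Cross-Account Assume Role example above uses), and inline Allow statements with a wildcard Action or Resource. The heuristics and the SAMPLE_SPEC input are assumptions constructed for the example.

```python
def _as_list(value):
    """IAM accepts a scalar or a list in Principal/Action/Resource; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def lint_trust_policy(trust_policy):
    """Flag Allow/sts:AssumeRole statements that trust '*' or trust another
    account's root principal without an sts:ExternalId condition (assumed heuristics)."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append("trust policy allows any principal to assume the role")
            continue
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for arn in aws_principals:
            if arn.endswith(":root") and not has_external_id:
                findings.append(f"cross-account trust of {arn} has no sts:ExternalId condition")
    return findings

def lint_inline_policies(inline_policies):
    """Flag Allow statements in inline policies that use a wildcard Action or Resource."""
    findings = []
    for name, doc in inline_policies.items():
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            for key in ("Action", "Resource"):
                if "*" in _as_list(stmt.get(key)):
                    findings.append(f"{name}: Allow statement with {key} '*'")
    return findings

def lint_spec(spec):
    """Lint the spec block of an AwsIamRole manifest; returns a list of finding strings."""
    return lint_trust_policy(spec.get("trustPolicy", {})) + lint_inline_policies(spec.get("inlinePolicies", {}))

# Constructed sample modelled on the cross-account-reader example: ExternalId left out, over-broad inline policy added.
SAMPLE_SPEC = {
    "trustPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"}]},
    "inlinePolicies": {"s3-upload": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "*"}]}},
}

if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC):
        print("FINDING:", finding)
```

To lint a real manifest, load the YAML file and pass its spec mapping to lint_spec; the same checks apply to the Service-principal roles on this page, which produce no findings.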

Stack Outputs

After deployment, the following outputs are available in status.outputs:

Output    | Type   | Description
----------|--------|-------------------------------
role_arn  | string | ARN of the created IAM role
role_name | string | Name of the IAM role in AWS

Related Components

  • AwsIamUser — creates long-lived IAM users for programmatic access
  • AwsEksCluster — EKS clusters frequently use IAM roles for node groups and service accounts
  • AwsS3Bucket — bucket policies often reference IAM role ARNs for access control
