Creates a single IAM role that can be assumed by trusted resources authenticating as OpenID Connect federated users, as described in Creating IAM OIDC Identity Providers.
This module supports IAM roles for Kubernetes service accounts (IRSA) as described in the EKS documentation: the role's trust policy matches the `sub` claim of the service-account token against the subjects you configure, so scope that claim as tightly as the workload allows.
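The following is an added usage example, not code from this module's own documentation, showing the IRSA pattern: one role trusted by exactly one Kubernetes service account through the cluster's OIDC provider. The module source and version, the OIDC issuer URL, the Route 53 hosted-zone ARN, the namespace and service-account names, and `var.permissions_boundary_arn` are all assumed values for illustration; substitute your own.

```hcl
# Hypothetical EKS cluster lookup; the OIDC issuer URL comes from the cluster itself.
data "aws_eks_cluster" "this" {
  name = "demo-cluster" # assumed cluster name
}

locals {
  # The module expects the issuer without the "https://" scheme.
  oidc_issuer = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
  namespace   = "kube-system"   # assumed
  sa_name     = "external-dns"  # assumed
}

# Least-privilege permissions policy for the workload (assumed zone ID).
resource "aws_iam_policy" "external_dns" {
  name        = "external-dns-route53"
  description = "Allow external-dns to manage records in one hosted zone"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["route53:ChangeResourceRecordSets"]
        Resource = ["arn:aws:route53:::hostedzone/Z0000000000000EXAMPLE"]
      },
      {
        Effect   = "Allow"
        Action   = ["route53:ListHostedZones", "route53:ListResourceRecordSets"]
        Resource = ["*"]
      }
    ]
  })
}

module "external_dns_irsa" {
  # Assumed registry path/version; point this at the module as you consume it.
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 5.0"

  create_role      = true
  role_name        = "external-dns-irsa"
  role_description = "IRSA role for external-dns in ${local.namespace}"

  provider_url = local.oidc_issuer

  # Exact match on the token's "sub" claim: only this one service account may assume the role.
  # Prefer this over oidc_subjects_with_wildcards, which turns the condition into a pattern match.
  oidc_fully_qualified_subjects  = ["system:serviceaccount:${local.namespace}:${local.sa_name}"]
  oidc_fully_qualified_audiences = ["sts.amazonaws.com"]

  role_policy_arns           = [aws_iam_policy.external_dns.arn]
  number_of_role_policy_arns = 1

  # Cap what the role can ever do, independent of the attached policy.
  role_permissions_boundary_arn = var.permissions_boundary_arn # assumed variable
  max_session_duration          = 3600
  force_detach_policies         = true

  tags = {
    Team      = "platform"
    Workload  = local.sa_name
  }
}

# The service account carries the role ARN in the annotation EKS's pod identity webhook reads.
# Requires a configured kubernetes provider (not shown).
resource "kubernetes_service_account" "external_dns" {
  metadata {
    name      = local.sa_name
    namespace = local.namespace
    annotations = {
      "eks.amazonaws.com/role-arn" = module.external_dns_irsa.iam_role_arn
    }
  }
}

output "external_dns_role_arn" {
  value = module.external_dns_irsa.iam_role_arn
}
```

Two checks worth making before applying: confirm the rendered trust policy (`terraform plan`, or the `assume_role_with_oidc` data source) contains a condition on `<issuer>:sub` and not just on `:aud`, since a trust policy with no subject condition lets any token the issuer signs assume the role; and if you do use `oidc_subjects_with_wildcards`, keep the pattern namespaced (for example `system:serviceaccount:kube-system:*`) rather than a bare `*`, because every service account the pattern matches becomes a principal for this role.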
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.0 |
Name | Version |
---|---|
aws | >= 4.0 |
No modules.
Name | Type |
---|---|
aws_iam_role.this | resource |
aws_iam_role_policy_attachment.custom | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume_role_with_oidc | data source |
aws_partition.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
allow_self_assume_role | Determines whether to allow the role to assume itself | bool | false | no |
aws_account_id | The AWS account ID where the OIDC provider lives; leave empty to use the account of the AWS provider | string | "" | no |
create_role | Whether to create a role | bool | false | no |
force_detach_policies | Whether policies should be detached from this role when destroying | bool | false | no |
max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | number | 3600 | no |
number_of_role_policy_arns | Number of IAM policies to attach to the IAM role | number | null | no |
oidc_fully_qualified_audiences | The audience(s) to be added to the role policy. Set to sts.amazonaws.com for a cross-account assumable role; leave empty otherwise. | set(string) | [] | no |
oidc_fully_qualified_subjects | The fully qualified OIDC subjects to be added to the role policy (exact match on the token's sub claim) | set(string) | [] | no |
oidc_subjects_with_wildcards | The OIDC subjects, using wildcards, to be added to the role policy (pattern match on the token's sub claim) | set(string) | [] | no |
provider_url | URL of the OIDC provider. Use provider_urls to specify several URLs. | string | "" | no |
provider_urls | List of URLs of the OIDC providers | list(string) | [] | no |
role_description | IAM role description | string | "" | no |
role_name | IAM role name | string | null | no |
role_name_prefix | IAM role name prefix | string | null | no |
role_path | Path of the IAM role | string | "/" | no |
role_permissions_boundary_arn | Permissions boundary ARN to use for the IAM role | string | "" | no |
role_policy_arns | List of ARNs of IAM policies to attach to the IAM role | list(string) | [] | no |
tags | A map of tags to add to IAM role resources | map(string) | {} | no |
Name | Description |
---|---|
iam_role_arn | ARN of IAM role |
iam_role_name | Name of IAM role |
iam_role_path | Path of IAM role |
iam_role_unique_id | Unique ID of IAM role |