Skip to main content

Aws/iam

@swamp/aws/iamv2026.06.15.1· 22d agoMODELS
01README

AWS IAM infrastructure models

02Release Notes
  • Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
03Models13
group.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
GroupName?stringThe name of the group to create. Do not include the path in this value. The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don\'t specify a name, CFN generates a unique physical ID and uses that ID for the group name. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
ManagedPolicyArns?arrayThe Amazon Resource Name (ARN) of the IAM policy you want to attach. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*.
Path?stringThe path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters.
Policies?arrayAdds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring an Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group). The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. For information about limits on the number of inline policies that you can embed in a group, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *User Guide*.
fn create()
Create a IAM Group
fn get(identifier: string)
Get a IAM Group
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM Group
fn update()
Update a IAM Group
fn delete(identifier: string)
Delete a IAM Group
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM Group
fn sync()
Sync IAM Group state from AWS
group_policy.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
PolicyDocument?recordThe policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D)
PolicyNamestringThe name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
GroupNamestringThe name of the group to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.
fn create()
Create a IAM GroupPolicy
fn get(identifier: string)
Get a IAM GroupPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM GroupPolicy
fn update()
Update a IAM GroupPolicy
fn delete(identifier: string)
Delete a IAM GroupPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM GroupPolicy
fn sync()
Sync IAM GroupPolicy state from AWS
instance_profile.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
Path?stringThe path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters.
RolesarrayThe name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
InstanceProfileName?stringThe name of the instance profile to create. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
fn create()
Create a IAM InstanceProfile
fn get(identifier: string)
Get a IAM InstanceProfile
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM InstanceProfile
fn update()
Update a IAM InstanceProfile
fn delete(identifier: string)
Delete a IAM InstanceProfile
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM InstanceProfile
fn sync()
Sync IAM InstanceProfile state from AWS
managed_policy.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
Description?stringA friendly description of the policy. Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables." The policy description is immutable. After a value is assigned, it cannot be changed.
Groups?arrayThe name (friendly name, not ARN) of the group to attach the policy to. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
ManagedPolicyName?stringThe friendly name of the policy. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
Path?stringThe path for the policy. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters. You cannot use an asterisk (*) in the path name.
PolicyDocumentrecordThe JSON policy document that you want to use as the content for the new policy. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length). To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide*. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D)
Roles?arrayThe name (friendly name, not ARN) of the role to attach the policy to. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that CFN deletes the AWS::ECS::Service resource before deleting its role's policy.
Users?arrayThe name (friendly name, not ARN) of the IAM user to attach the policy to. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
fn create()
Create a IAM ManagedPolicy
fn get(identifier: string)
Get a IAM ManagedPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM ManagedPolicy
fn update()
Update a IAM ManagedPolicy
fn delete(identifier: string)
Delete a IAM ManagedPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM ManagedPolicy
fn sync()
Sync IAM ManagedPolicy state from AWS
oidcprovider.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
ClientIdList?array
Url?string
ThumbprintList?array
Tags?array
fn create()
Create a IAM OIDCProvider
fn get(identifier: string)
Get a IAM OIDCProvider
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM OIDCProvider
fn update()
Update a IAM OIDCProvider
fn delete(identifier: string)
Delete a IAM OIDCProvider
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM OIDCProvider
fn sync()
Sync IAM OIDCProvider state from AWS
role.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
AssumeRolePolicyDocumentrecordThe trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples). For more information about the elements that you can use in an IAM policy, see [Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *User Guide*.
Description?stringA description of the role that you provide.
ManagedPolicyArns?arrayA list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*.
MaxSessionDuration?numberThe maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default value of one hour is applied. This setting can have a value from 1 hour to 12 hours. Anyone who assumes the role from the CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide*.
Path?stringThe path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters.
PermissionsBoundary?stringThe ARN of the policy used to set the permissions boundary for the role. For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
Policies?arrayAdds or updates an inline policy document that is embedded in the specified IAM role. When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html). A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *User Guide*. For information about limits on the number of inline policies that you can embed with a role, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *User Guide*. If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that CFN deletes the AWS::ECS::Service resource before deleting its role's policy.
RoleName?stringA name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *User Guide*. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1". If you don\'t specify a name, CFN generates a unique physical ID and uses that ID for the role name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
Tags?arrayA list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.
fn create()
Create a IAM Role
fn get(identifier: string)
Get a IAM Role
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM Role
fn update()
Update a IAM Role
fn delete(identifier: string)
Delete a IAM Role
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM Role
fn sync()
Sync IAM Role state from AWS
role_policy.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
PolicyDocument?recordThe policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D)
PolicyNamestringThe name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
RoleNamestringThe name of the role to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
fn create()
Create a IAM RolePolicy
fn get(identifier: string)
Get a IAM RolePolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM RolePolicy
fn update()
Update a IAM RolePolicy
fn delete(identifier: string)
Delete a IAM RolePolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM RolePolicy
fn sync()
Sync IAM RolePolicy state from AWS
samlprovider.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
Name?string
SamlMetadataDocument?string
Tags?array
AssertionEncryptionMode?enumThe encryption setting for the SAML provider
AddPrivateKey?stringThe private key from your external identity provider
RemovePrivateKey?stringThe Key ID of the private key to remove
PrivateKeyList?array
fn create()
Create a IAM SAMLProvider
fn get(identifier: string)
Get a IAM SAMLProvider
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM SAMLProvider
fn update()
Update a IAM SAMLProvider
fn delete(identifier: string)
Delete a IAM SAMLProvider
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM SAMLProvider
fn sync()
Sync IAM SAMLProvider state from AWS
server_certificate.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
CertificateBody?string
CertificateChain?string
ServerCertificateName?string
Path?string
PrivateKey?string
Tags?array
fn create()
Create a IAM ServerCertificate
fn get(identifier: string)
Get a IAM ServerCertificate
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM ServerCertificate
fn update()
Update a IAM ServerCertificate
fn delete(identifier: string)
Delete a IAM ServerCertificate
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM ServerCertificate
fn sync()
Sync IAM ServerCertificate state from AWS
service_linked_role.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
CustomSuffix?stringA string that you provide, which is combined with the service-provided prefix to form the complete role name.
Description?stringThe description of the role.
AWSServiceName?stringThe service principal for the AWS service to which this role is attached.
fn create()
Create a IAM ServiceLinkedRole
fn get(identifier: string)
Get a IAM ServiceLinkedRole
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM ServiceLinkedRole
fn update()
Update a IAM ServiceLinkedRole
fn delete(identifier: string)
Delete a IAM ServiceLinkedRole
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM ServiceLinkedRole
fn sync()
Sync IAM ServiceLinkedRole state from AWS
user.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
Path?stringThe path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters.
ManagedPolicyArns?arrayA list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user. For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*.
Policies?arrayAdds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user). The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. For information about limits on the number of inline policies that you can embed in a user, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *User Guide*.
UserName?stringThe name of the user to create. Do not include the path in this value. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john". If you don\'t specify a name, CFN generates a unique physical ID and uses that ID for the user name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
Groups?arrayA list of group names to which you want to add the user.
LoginProfile?objectSpecifies whether the user is required to set a new password on next sign-in.
Tags?arrayA list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
PermissionsBoundary?stringThe ARN of the managed policy that is used to set the permissions boundary for the user. A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*. For more information about policy types, see [Policy types](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the *IAM User Guide*.
fn create()
Create a IAM User
fn get(identifier: string)
Get a IAM User
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM User
fn update()
Update a IAM User
fn delete(identifier: string)
Delete a IAM User
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM User
fn sync()
Sync IAM User state from AWS
user_policy.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
PolicyDocument?recordThe policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D)
PolicyNamestringThe name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
UserNamestringThe name of the user to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
fn create()
Create a IAM UserPolicy
fn get(identifier: string)
Get a IAM UserPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM UserPolicy
fn update()
Update a IAM UserPolicy
fn delete(identifier: string)
Delete a IAM UserPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM UserPolicy
fn sync()
Sync IAM UserPolicy state from AWS
virtual_mfadevice.tsv2026.06.15.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
accessKeyId?stringAWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault.
secretAccessKey?stringAWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault.
sessionToken?stringAWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
region?stringAWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1.
VirtualMfaDeviceName?string
Path?string
Usersarray
Tags?array
fn create()
Create a IAM VirtualMFADevice
fn get(identifier: string)
Get a IAM VirtualMFADevice
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM VirtualMFADevice
fn update()
Update a IAM VirtualMFADevice
fn delete(identifier: string)
Delete a IAM VirtualMFADevice
ArgumentTypeDescription
identifierstringThe primary identifier of the IAM VirtualMFADevice
fn sync()
Sync IAM VirtualMFADevice state from AWS
04Previous Versions10
2026.06.08.2Jun 8, 2026
  • Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.06.06.1Jun 6, 2026
  • Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.05.27.1May 27, 2026
  • Updated: group, group_policy, managed_policy, role, role_policy, user, user_policy
2026.05.19.1May 18, 2026
2026.04.23.3Apr 23, 2026
2026.04.23.2Apr 23, 2026
  • Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.04.03.2Apr 3, 2026
  • Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.03.19.1Mar 19, 2026
  • Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.03.16.1Mar 16, 2026
  • Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.03.10.5Mar 10, 2026
05Stats
B
85 / 100
Downloads
134
Archive size
3.0 MB
Verified by Swamp
  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types (deprecated)1/1earned
  • Dependencies pass trust audit0/2missing
  • Has description1/1earned
  • Platform support declared (or universal)2/2earned
  • License declared1/1earned
  • Verified public repository2/2earned
06Platforms
07Labels