
@swamp/aws/iam

v2026.04.23.3

AWS IAM infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Labels

aws, iam, cloud, infrastructure

Quality score

Verified by Swamp. This score measures how well-documented and verifiable the extension is.

100% (Grade A)

  • Has README or module doc (2/2 earned)
  • README has a code example (1/1 earned)
  • README is substantive (1/1 earned)
  • Most symbols documented (1/1 earned)
  • No slow types (1/1 earned)
  • Has description (1/1 earned)
  • At least one platform tag (or universal) (1/1 earned)
  • Two or more platform tags (or universal) (1/1 earned)
  • License declared (1/1 earned)
  • Verified public repository (2/2 earned)

Install

$ swamp extension pull @swamp/aws/iam

@swamp/aws/iam/group v2026.04.23.2 (group.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| GroupName? | string | The name of the group to create. Do not include the path in this value. The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don |
| ManagedPolicyArns? | array | The Amazon Resource Name (ARN) of the IAM policy you want to attach. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| Path? | string | The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. |
| Policies? | array | Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring a Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group). The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. For information about limits on the number of inline policies that you can embed in a group, see |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM Group | |
| get | Get an IAM Group | identifier (string): the primary identifier of the IAM Group |
| update | Update an IAM Group | |
| delete | Delete an IAM Group | identifier (string): the primary identifier of the IAM Group |
| sync | Sync IAM Group state from AWS | |

Resources

state (infinite) — IAM Group resource state
@swamp/aws/iam/group-policy v2026.04.23.2 (group_policy.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| PolicyDocument? | string | The policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character (\u0020) through the e |
| PolicyName | string | The name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| GroupName | string | The name of the group to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM GroupPolicy | |
| get | Get an IAM GroupPolicy | identifier (string): the primary identifier of the IAM GroupPolicy |
| update | Update an IAM GroupPolicy | |
| delete | Delete an IAM GroupPolicy | identifier (string): the primary identifier of the IAM GroupPolicy |
| sync | Sync IAM GroupPolicy state from AWS | |

Resources

state (infinite) — IAM GroupPolicy resource state
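The `Policies` array on the group, role and user models and the `PolicyName` / `PolicyDocument` arguments on the inline-policy models share the same constraints: a restricted name alphabet, a restricted document character set, and unique names per identity, or updates fail. The following added example (written for this page; it is not code from the Swamp extension or from AWS) pre-checks an inline policy list against those rules before the create call. The `InlinePolicy` shape, the function names, the 1..128 name length, the full document character-class and the per-entity size quotas are this example's own assumptions taken from the IAM API reference; the page itself only shows the truncated rules.

```typescript
// Added example (not part of @swamp/aws/iam or AWS): pre-flight checks for the
// inline `Policies` array that the group, role and user models accept.
// The `{ PolicyName, PolicyDocument }` shape mirrors the CloudFormation inline
// policy object those arguments wrap; the rules come from this page's argument
// descriptions plus the IAM API reference (assumptions are marked below).

interface InlinePolicy {
  PolicyName: string;
  // A JSON string as IAM wants it, or an object that we serialize for you.
  PolicyDocument: string | Record<string, unknown>;
}

type IamEntity = "user" | "group" | "role";

// PolicyName pattern from the page: alphanumerics plus _+=,.@- and no spaces.
// The 1..128 length bound is the IAM API limit (assumption, not stated here).
const POLICY_NAME_RE = /^[\w+=,.@-]{1,128}$/;

// PolicyDocument pattern: tab, LF, CR and the printable characters from the
// space (\u0020) through \u00FF. The page truncates this rule; the full
// pattern is the one the IAM API reference publishes (assumption).
const POLICY_DOC_RE = /^[\u0009\u000A\u000D\u0020-\u00FF]+$/;

// Per-entity inline policy size quotas in characters, whitespace excluded
// (IAM service quotas; assumption, the page only points at the limits doc).
const INLINE_LIMIT: Record<IamEntity, number> = { user: 2048, group: 5120, role: 10240 };

// Returns one finding per problem; an empty array means the list is safe to
// submit. Duplicate names matter because the page states that updates to the
// identity fail when two inline policies share a name.
function validateInlinePolicies(entity: IamEntity, policies: InlinePolicy[]): string[] {
  const findings: string[] = [];
  const seen = new Set<string>();
  for (const p of policies) {
    const tag = p.PolicyName || "<empty name>";
    if (!POLICY_NAME_RE.test(p.PolicyName)) {
      findings.push(`${tag}: PolicyName must match [\\w+=,.@-]{1,128}`);
    }
    if (seen.has(p.PolicyName)) {
      findings.push(`${tag}: duplicate inline policy name; updates to the ${entity} would fail`);
    }
    seen.add(p.PolicyName);

    const doc = typeof p.PolicyDocument === "string" ? p.PolicyDocument : JSON.stringify(p.PolicyDocument);
    if (!POLICY_DOC_RE.test(doc)) {
      findings.push(`${tag}: PolicyDocument contains characters outside \\u0009/\\u000A/\\u000D/\\u0020-\\u00FF`);
    }
    let parsed: unknown;
    try {
      parsed = JSON.parse(doc);
    } catch {
      findings.push(`${tag}: PolicyDocument is not valid JSON`);
      continue;
    }
    // IAM counts the document without whitespace, so compare the compact form.
    const compact = JSON.stringify(parsed).length;
    if (compact > INLINE_LIMIT[entity]) {
      findings.push(`${tag}: ${compact} chars exceeds the ${INLINE_LIMIT[entity]}-char inline limit for a ${entity}`);
    }
  }
  return findings;
}

// Constructed sample input: one good entry, one name collision, one entry with
// a bad name and an en dash (\u2013) in its Sid, which the character set rejects.
const SAMPLE_POLICIES: InlinePolicy[] = [
  {
    PolicyName: "ReadArtifacts",
    PolicyDocument: {
      Version: "2012-10-17",
      Statement: [{ Effect: "Allow", Action: ["s3:GetObject"], Resource: "arn:aws:s3:::example-artifacts/*" }],
    },
  },
  {
    PolicyName: "ReadArtifacts",
    PolicyDocument: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-artifacts"}]}',
  },
  {
    PolicyName: "bad name!",
    PolicyDocument: '{"Version":"2012-10-17","Statement":[{"Sid":"Temp \u2013 remove","Effect":"Allow","Action":"sts:GetCallerIdentity","Resource":"*"}]}',
  },
];

// Usage: refuse to create the identity when anything comes back.
const sampleFindings = validateInlinePolicies("user", SAMPLE_POLICIES);
if (sampleFindings.length > 0) console.log(sampleFindings.join("\n"));
```

Run against the constructed sample this reports three findings: the second entry reuses the name `ReadArtifacts`, and the third has both an invalid name and a document containing a character outside the allowed set. Passing an object for `PolicyDocument` is a convenience of this example; the model argument itself is a string.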
@swamp/aws/iam/instance-profile v2026.04.23.2 (instance_profile.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| Path? | string | The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forwa |
| Roles | array | The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions. |
| InstanceProfileName? | string | The name of the instance profile to create. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM InstanceProfile | |
| get | Get an IAM InstanceProfile | identifier (string): the primary identifier of the IAM InstanceProfile |
| update | Update an IAM InstanceProfile | |
| delete | Delete an IAM InstanceProfile | identifier (string): the primary identifier of the IAM InstanceProfile |
| sync | Sync IAM InstanceProfile state from AWS | |

Resources

state (infinite) — IAM InstanceProfile resource state
@swamp/aws/iam/managed-policy v2026.04.23.2 (managed_policy.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Description? | string | A friendly description of the policy. Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables." The policy description is immutable. After a value is assigned, it cannot be changed. |
| Groups? | array | The name (friendly name, not ARN) of the group to attach the policy to. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| ManagedPolicyName? | string | The friendly name of the policy. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template |
| Path? | string | The path for the policy. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashe |
| PolicyDocument | string | The JSON policy document that you want to use as the content for the new policy. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, |
| Roles? | array | The name (friendly name, not ARN) of the role to attach the policy to. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to t |
| Users? | array | The name (friendly name, not ARN) of the IAM user to attach the policy to. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM ManagedPolicy | |
| get | Get an IAM ManagedPolicy | identifier (string): the primary identifier of the IAM ManagedPolicy |
| update | Update an IAM ManagedPolicy | |
| delete | Delete an IAM ManagedPolicy | identifier (string): the primary identifier of the IAM ManagedPolicy |
| sync | Sync IAM ManagedPolicy state from AWS | |

Resources

state (infinite) — IAM ManagedPolicy resource state
@swamp/aws/iam/oidcprovider v2026.04.23.2 (oidcprovider.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| ClientIdList? | array | |
| Url? | string | |
| ThumbprintList? | array | |
| Tags? | array | |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM OIDCProvider | |
| get | Get an IAM OIDCProvider | identifier (string): the primary identifier of the IAM OIDCProvider |
| update | Update an IAM OIDCProvider | |
| delete | Delete an IAM OIDCProvider | identifier (string): the primary identifier of the IAM OIDCProvider |
| sync | Sync IAM OIDCProvider state from AWS | |

Resources

state (infinite) — IAM OIDCProvider resource state
@swamp/aws/iam/role v2026.04.23.2 (role.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| AssumeRolePolicyDocument | string | The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples). For more information about the elements that you can use in an IAM policy, see [Policy Elements Reference](https://docs.aws.ama |
| Description? | string | A description of the role that you provide. |
| ManagedPolicyArns? | array | A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| MaxSessionDuration? | number | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default value of one hour is applied. This setting can have a value from 1 hour to 12 hours. Anyone who assumes the role from the CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds |
| Path? | string | The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. |
| PermissionsBoundary? | string | The ARN of the policy used to set the permissions boundary for the role. For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*. |
| Policies? | array | Adds or updates an inline policy document that is embedded in the specified IAM role. When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html). A role c |
| RoleName? | string | A name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *User Guide*. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role |
| Tags? | array | A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM Role | |
| get | Get an IAM Role | identifier (string): the primary identifier of the IAM Role |
| update | Update an IAM Role | |
| delete | Delete an IAM Role | identifier (string): the primary identifier of the IAM Role |
| sync | Sync IAM Role state from AWS | |

Resources

state (infinite) — IAM Role resource state
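`AssumeRolePolicyDocument` is the argument that decides who can become this role, and `MaxSessionDuration` bounds how long they keep it, so both deserve a check before the create call. The following added example (written for this page; not code from the Swamp extension or from AWS) builds a cross-account trust policy string with an `sts:ExternalId` condition, lints a trust policy for the patterns that most often turn a role into an open door, and range-checks the session duration in seconds. The type names, function names, the `111122223333` account ID and the ExternalId value are this example's own; the 3600..43200 second range is the 1 h to 12 h window the argument description gives.

```typescript
// Added example (not part of @swamp/aws/iam or AWS): build the
// AssumeRolePolicyDocument string the role model takes, lint it for the
// over-broad trust patterns that matter most, and range-check
// MaxSessionDuration. Types and checks are this example's own.

type StringOrList = string | string[];

interface TrustStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: "*" | { AWS?: StringOrList; Service?: StringOrList; Federated?: StringOrList };
  Action: StringOrList;
  Condition?: Record<string, Record<string, StringOrList>>;
}

interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}

function asList(v: StringOrList | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Cross-account trust: one named account, and the caller must present the
// ExternalId we agreed on (the classic confused-deputy guard).
function crossAccountTrustPolicy(trustedAccountId: string, externalId: string): string {
  const doc: TrustPolicy = {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowTrustedAccountWithExternalId",
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::${trustedAccountId}:root` },
      Action: "sts:AssumeRole",
      Condition: { StringEquals: { "sts:ExternalId": externalId } },
    }],
  };
  return JSON.stringify(doc); // the model argument is a string, not an object
}

function principalArns(p: TrustStatement["Principal"]): string[] {
  if (p === undefined) return [];
  if (p === "*") return ["*"];
  return [...asList(p.AWS), ...asList(p.Service), ...asList(p.Federated)];
}

// Findings for the trust patterns a reviewer should not let through silently.
function lintTrustPolicy(json: string): string[] {
  const findings: string[] = [];
  const doc = JSON.parse(json) as TrustPolicy;
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const tag = s.Sid ?? "<no Sid>";
    const principals = principalArns(s.Principal);
    const hasCondition = s.Condition !== undefined && Object.keys(s.Condition).length > 0;
    if (principals.includes("*") && !hasCondition) {
      findings.push(`${tag}: Principal "*" with no Condition lets any AWS principal assume this role`);
    }
    if (asList(s.Action).some((a) => a === "*" || a === "sts:*")) {
      findings.push(`${tag}: wildcard Action; a trust policy should name the sts:Assume* action it needs`);
    }
    const rootPrincipal = principals.some((p) => /^arn:aws:iam::\d{12}:root$/.test(p));
    const hasExternalId = s.Condition?.StringEquals?.["sts:ExternalId"] !== undefined;
    if (rootPrincipal && !hasExternalId) {
      findings.push(`${tag}: account-root principal without an sts:ExternalId condition; require one when that account belongs to a third party`);
    }
  }
  return findings;
}

// MaxSessionDuration is in seconds: 3600 (the 1 h default) through 43200 (12 h).
function checkMaxSessionDuration(seconds: number | undefined): string | null {
  if (seconds === undefined) return null; // AWS applies the one-hour default
  if (!Number.isInteger(seconds) || seconds < 3600 || seconds > 43200) {
    return `MaxSessionDuration ${seconds} is outside the allowed 3600..43200 seconds`;
  }
  return null;
}

// Usage with a constructed (documentation-style) account ID and ExternalId.
const TRUST_OK = crossAccountTrustPolicy("111122223333", "2f4c8e9a-example");
const TRUST_OPEN = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: "*", Action: "sts:AssumeRole" }],
});
const TRUST_ROOT_NO_EXTID = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "sts:*" }],
});
for (const [label, doc] of [["ok", TRUST_OK], ["open", TRUST_OPEN], ["root-no-extid", TRUST_ROOT_NO_EXTID]]) {
  console.log(label, lintTrustPolicy(doc));
}
```

The linter deliberately treats a `Principal: "*"` as acceptable only when a `Condition` is present, because that is how OIDC and SAML federation statements legitimately look; what it will not accept is an unconditioned wildcard, or an account-root principal with no ExternalId.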
@swamp/aws/iam/role-policy v2026.04.23.2 (role_policy.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| PolicyDocument? | string | The policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character (\u0020) through the e |
| PolicyName | string | The name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| RoleName | string | The name of the role to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM RolePolicy | |
| get | Get an IAM RolePolicy | identifier (string): the primary identifier of the IAM RolePolicy |
| update | Update an IAM RolePolicy | |
| delete | Delete an IAM RolePolicy | identifier (string): the primary identifier of the IAM RolePolicy |
| sync | Sync IAM RolePolicy state from AWS | |

Resources

state (infinite) — IAM RolePolicy resource state
@swamp/aws/iam/samlprovider v2026.04.23.2 (samlprovider.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Name? | string | |
| SamlMetadataDocument? | string | |
| Tags? | array | |
| AssertionEncryptionMode? | enum | The encryption setting for the SAML provider |
| AddPrivateKey? | string | The private key from your external identity provider |
| RemovePrivateKey? | string | The Key ID of the private key to remove |
| PrivateKeyList? | array | |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM SAMLProvider | |
| get | Get an IAM SAMLProvider | identifier (string): the primary identifier of the IAM SAMLProvider |
| update | Update an IAM SAMLProvider | |
| delete | Delete an IAM SAMLProvider | identifier (string): the primary identifier of the IAM SAMLProvider |
| sync | Sync IAM SAMLProvider state from AWS | |

Resources

state (infinite) — IAM SAMLProvider resource state
@swamp/aws/iam/server-certificate v2026.04.23.2 (server_certificate.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| CertificateBody? | string | |
| CertificateChain? | string | |
| ServerCertificateName? | string | |
| Path? | string | |
| PrivateKey? | string | |
| Tags? | array | |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM ServerCertificate | |
| get | Get an IAM ServerCertificate | identifier (string): the primary identifier of the IAM ServerCertificate |
| update | Update an IAM ServerCertificate | |
| delete | Delete an IAM ServerCertificate | identifier (string): the primary identifier of the IAM ServerCertificate |
| sync | Sync IAM ServerCertificate state from AWS | |

Resources

state (infinite) — IAM ServerCertificate resource state
@swamp/aws/iam/service-linked-role v2026.04.23.2 (service_linked_role.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| CustomSuffix? | string | A string that you provide, which is combined with the service-provided prefix to form the complete role name. |
| Description? | string | The description of the role. |
| AWSServiceName? | string | The service principal for the AWS service to which this role is attached. |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM ServiceLinkedRole | |
| get | Get an IAM ServiceLinkedRole | identifier (string): the primary identifier of the IAM ServiceLinkedRole |
| update | Update an IAM ServiceLinkedRole | |
| delete | Delete an IAM ServiceLinkedRole | identifier (string): the primary identifier of the IAM ServiceLinkedRole |
| sync | Sync IAM ServiceLinkedRole state from AWS | |

Resources

state (infinite) — IAM ServiceLinkedRole resource state
@swamp/aws/iam/user v2026.04.23.2 (user.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| Path? | string | The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward sla |
| ManagedPolicyArns? | array | A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user. For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| Policies? | array | Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring a User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user). The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. For information about limits on the number of inline policies that you can embed in a user, see [Limitation |
| UserName? | string | The name of the user to create. Do not include the path in this value. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john". If |
| Groups? | array | A list of group names to which you want to add the user. |
| LoginProfile? | object | Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the console. You can use the CLI, the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the console. For more information about managing passwords, see [Managing passwords](https: |
| Tags? | array | A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. |
| PermissionsBoundary? | string | The ARN of the managed policy that is used to set the permissions boundary for the user. A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM User | |
| get | Get an IAM User | identifier (string): the primary identifier of the IAM User |
| update | Update an IAM User | |
| delete | Delete an IAM User | identifier (string): the primary identifier of the IAM User |
| sync | Sync IAM User state from AWS | |

Resources

state (infinite) — IAM User resource state
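The `PermissionsBoundary` argument on the user and role models is easy to misread: it is a ceiling, not a grant. The following added example (written for this page; not code from the Swamp extension or from AWS) is a reduced model of that rule so the interaction can be exercised offline: an explicit Deny from either the identity policies or the boundary wins, otherwise a request passes only when both the identity policies and the boundary allow it. Resource-based policies, SCPs and session policies are left out, which matches the description's caveat that the boundary does not cap what a resource-based policy can grant. The type names, the wildcard matcher and the sample policies are this example's own.

```typescript
// Added example (not part of @swamp/aws/iam or AWS): a reduced model of how
// IAM combines the identity policies attached to a user or role with the
// managed policy named in PermissionsBoundary. Resource-based policies,
// SCPs and session policies are out of scope here.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

type Verdict = "allow" | "deny" | "implicitDeny";

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM wildcard matching: `*` matches any run of characters, `?` exactly one.
// Action names compare case-insensitively; ARNs compare case-sensitively.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const source = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${source}$`, ignoreCase ? "i" : "").test(value);
}

// Evaluate one set of documents: any matching Deny wins, otherwise a matching
// Allow allows, otherwise the request is implicitly denied.
function evaluate(docs: PolicyDocument[], action: string, resource: string): Verdict {
  let allowed = false;
  for (const doc of docs) {
    for (const s of doc.Statement) {
      const matches =
        asList(s.Action).some((a) => wildcardMatch(a, action, true)) &&
        asList(s.Resource).some((r) => wildcardMatch(r, resource, false));
      if (!matches) continue;
      if (s.Effect === "Deny") return "deny";
      allowed = true;
    }
  }
  return allowed ? "allow" : "implicitDeny";
}

// The rule the PermissionsBoundary description states: the boundary sets the
// ceiling but grants nothing. A request succeeds only when the identity
// policies allow it AND the boundary allows it, with no Deny from either.
function isAllowed(
  identity: PolicyDocument[],
  boundary: PolicyDocument | undefined,
  action: string,
  resource: string,
): boolean {
  if (evaluate(identity, action, resource) !== "allow") return false;
  if (boundary !== undefined && evaluate([boundary], action, resource) !== "allow") return false;
  return true;
}

// Constructed sample: a developer user whose identity policy is far too broad,
// capped by a boundary that only permits reads on one bucket.
const IDENTITY_POLICIES: PolicyDocument[] = [{
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:*", "iam:CreateUser"], Resource: "*" }],
}];

const BOUNDARY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:GetObject", "s3:ListBucket"], Resource: "arn:aws:s3:::example-bucket*" },
    { Effect: "Allow", Action: "ec2:Describe*", Resource: "*" },
    { Effect: "Deny", Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket/secret/*" },
  ],
};

// Usage: the same identity with and without the boundary applied.
console.log("read public object:", isAllowed(IDENTITY_POLICIES, BOUNDARY, "s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"));
console.log("iam:CreateUser under boundary:", isAllowed(IDENTITY_POLICIES, BOUNDARY, "iam:CreateUser", "*"));
console.log("iam:CreateUser without boundary:", isAllowed(IDENTITY_POLICIES, undefined, "iam:CreateUser", "*"));
```

Two outcomes are worth noticing when you run it: `ec2:DescribeInstances` is denied even though the boundary allows it, because nothing in the identity policies grants it; and `iam:CreateUser` flips from denied to allowed the moment the boundary is removed, which is exactly the privilege-escalation path a boundary exists to close on users who can edit their own policies.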
@swamp/aws/iam/user-policy v2026.04.23.2 (user_policy.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| PolicyDocument? | string | The policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character (\u0020) through the e |
| PolicyName | string | The name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| UserName | string | The name of the user to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM UserPolicy | |
| get | Get an IAM UserPolicy | identifier (string): the primary identifier of the IAM UserPolicy |
| update | Update an IAM UserPolicy | |
| delete | Delete an IAM UserPolicy | identifier (string): the primary identifier of the IAM UserPolicy |
| sync | Sync IAM UserPolicy state from AWS | |

Resources

state (infinite) — IAM UserPolicy resource state
@swamp/aws/iam/virtual-mfadevice v2026.04.23.2 (virtual_mfadevice.ts)

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VirtualMfaDeviceName? | string | |
| Path? | string | |
| Users | array | |
| Tags? | array | |

Operations

| Operation | Description | Arguments |
| --- | --- | --- |
| create | Create an IAM VirtualMFADevice | |
| get | Get an IAM VirtualMFADevice | identifier (string): the primary identifier of the IAM VirtualMFADevice |
| update | Update an IAM VirtualMFADevice | |
| delete | Delete an IAM VirtualMFADevice | identifier (string): the primary identifier of the IAM VirtualMFADevice |
| sync | Sync IAM VirtualMFADevice state from AWS | |

Resources

state (infinite) — IAM VirtualMFADevice resource state