Aws/iam
@swamp/aws/iamv2026.06.15.1
01README
AWS IAM infrastructure models
02Release Notes
- Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
03Models
group.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| GroupName? | string | The name of the group to create. Do not include the path in this value. The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don\'t specify a name, CFN generates a unique physical ID and uses that ID for the group name. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}. |
| ManagedPolicyArns? | array | The Amazon Resource Name (ARN) of the IAM policy you want to attach. For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| Path? | string | The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters. |
| Policies? | array | Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring an Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group). The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. For information about limits on the number of inline policies that you can embed in a group, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *User Guide*. |
fn create()
Create a IAM Group
fn get(identifier: string)
Get a IAM Group
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM Group |
fn update()
Update a IAM Group
fn delete(identifier: string)
Delete a IAM Group
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM Group |
fn sync()
Sync IAM Group state from AWS
group_policy.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| PolicyDocument? | record | The policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D) |
| PolicyName | string | The name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| GroupName | string | The name of the group to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. |
fn create()
Create a IAM GroupPolicy
fn get(identifier: string)
Get a IAM GroupPolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM GroupPolicy |
fn update()
Update a IAM GroupPolicy
fn delete(identifier: string)
Delete a IAM GroupPolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM GroupPolicy |
fn sync()
Sync IAM GroupPolicy state from AWS
instance_profile.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| Path? | string | The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters. |
| Roles | array | The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions. |
| InstanceProfileName? | string | The name of the instance profile to create. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
fn create()
Create a IAM InstanceProfile
fn get(identifier: string)
Get a IAM InstanceProfile
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM InstanceProfile |
fn update()
Update a IAM InstanceProfile
fn delete(identifier: string)
Delete a IAM InstanceProfile
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM InstanceProfile |
fn sync()
Sync IAM InstanceProfile state from AWS
managed_policy.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| Description? | string | A friendly description of the policy. Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables." The policy description is immutable. After a value is assigned, it cannot be changed. |
| Groups? | array | The name (friendly name, not ARN) of the group to attach the policy to. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| ManagedPolicyName? | string | The friendly name of the policy. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}. |
| Path? | string | The path for the policy. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters. You cannot use an asterisk (*) in the path name. |
| PolicyDocument | record | The JSON policy document that you want to use as the content for the new policy. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length). To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide*. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D) |
| Roles? | array | The name (friendly name, not ARN) of the role to attach the policy to. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that CFN deletes the AWS::ECS::Service resource before deleting its role's policy. |
| Users? | array | The name (friendly name, not ARN) of the IAM user to attach the policy to. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
fn create()
Create a IAM ManagedPolicy
fn get(identifier: string)
Get a IAM ManagedPolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM ManagedPolicy |
fn update()
Update a IAM ManagedPolicy
fn delete(identifier: string)
Delete a IAM ManagedPolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM ManagedPolicy |
fn sync()
Sync IAM ManagedPolicy state from AWS
oidcprovider.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| ClientIdList? | array | |
| Url? | string | |
| ThumbprintList? | array | |
| Tags? | array |
fn create()
Create a IAM OIDCProvider
fn get(identifier: string)
Get a IAM OIDCProvider
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM OIDCProvider |
fn update()
Update a IAM OIDCProvider
fn delete(identifier: string)
Delete a IAM OIDCProvider
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM OIDCProvider |
fn sync()
Sync IAM OIDCProvider state from AWS
role.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| AssumeRolePolicyDocument | record | The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples). For more information about the elements that you can use in an IAM policy, see [Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *User Guide*. |
| Description? | string | A description of the role that you provide. |
| ManagedPolicyArns? | array | A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| MaxSessionDuration? | number | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default value of one hour is applied. This setting can have a value from 1 hour to 12 hours. Anyone who assumes the role from the CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide*. |
| Path? | string | The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters. |
| PermissionsBoundary? | string | The ARN of the policy used to set the permissions boundary for the role. For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*. |
| Policies? | array | Adds or updates an inline policy document that is embedded in the specified IAM role. When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html). A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *User Guide*. For information about limits on the number of inline policies that you can embed with a role, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *User Guide*. If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that CFN deletes the AWS::ECS::Service resource before deleting its role's policy. |
| RoleName? | string | A name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *User Guide*. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1". If you don\'t specify a name, CFN generates a unique physical ID and uses that ID for the role name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}. |
| Tags? | array | A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. |
fn create()
Create a IAM Role
fn get(identifier: string)
Get a IAM Role
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM Role |
fn update()
Update a IAM Role
fn delete(identifier: string)
Delete a IAM Role
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM Role |
fn sync()
Sync IAM Role state from AWS
role_policy.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| PolicyDocument? | record | The policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D) |
| PolicyName | string | The name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| RoleName | string | The name of the role to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
fn create()
Create a IAM RolePolicy
fn get(identifier: string)
Get a IAM RolePolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM RolePolicy |
fn update()
Update a IAM RolePolicy
fn delete(identifier: string)
Delete a IAM RolePolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM RolePolicy |
fn sync()
Sync IAM RolePolicy state from AWS
samlprovider.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| Name? | string | |
| SamlMetadataDocument? | string | |
| Tags? | array | |
| AssertionEncryptionMode? | enum | The encryption setting for the SAML provider |
| AddPrivateKey? | string | The private key from your external identity provider |
| RemovePrivateKey? | string | The Key ID of the private key to remove |
| PrivateKeyList? | array |
fn create()
Create a IAM SAMLProvider
fn get(identifier: string)
Get a IAM SAMLProvider
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM SAMLProvider |
fn update()
Update a IAM SAMLProvider
fn delete(identifier: string)
Delete a IAM SAMLProvider
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM SAMLProvider |
fn sync()
Sync IAM SAMLProvider state from AWS
server_certificate.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| CertificateBody? | string | |
| CertificateChain? | string | |
| ServerCertificateName? | string | |
| Path? | string | |
| PrivateKey? | string | |
| Tags? | array |
fn create()
Create a IAM ServerCertificate
fn get(identifier: string)
Get a IAM ServerCertificate
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM ServerCertificate |
fn update()
Update a IAM ServerCertificate
fn delete(identifier: string)
Delete a IAM ServerCertificate
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM ServerCertificate |
fn sync()
Sync IAM ServerCertificate state from AWS
service_linked_role.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| CustomSuffix? | string | A string that you provide, which is combined with the service-provided prefix to form the complete role name. |
| Description? | string | The description of the role. |
| AWSServiceName? | string | The service principal for the AWS service to which this role is attached. |
fn create()
Create a IAM ServiceLinkedRole
fn get(identifier: string)
Get a IAM ServiceLinkedRole
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM ServiceLinkedRole |
fn update()
Update a IAM ServiceLinkedRole
fn delete(identifier: string)
Delete a IAM ServiceLinkedRole
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM ServiceLinkedRole |
fn sync()
Sync IAM ServiceLinkedRole state from AWS
user.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| Path? | string | The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the! ( \\u0021) through the DEL character ( \\u007F), including most punctuation characters, digits, and upper and lowercased letters. |
| ManagedPolicyArns? | array | A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user. For more information about ARNs, see [Amazon Resource Names (ARNs) and Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *General Reference*. |
| Policies? | array | Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user). The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail. For information about limits on the number of inline policies that you can embed in a user, see [Limitations on Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *User Guide*. |
| UserName? | string | The name of the user to create. Do not include the path in this value. This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john". If you don\'t specify a name, CFN generates a unique physical ID and uses that ID for the user name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template\'s capabilities. For more information, see [Acknowledging Resources in Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities). Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}. |
| Groups? | array | A list of group names to which you want to add the user. |
| LoginProfile? | object | Specifies whether the user is required to set a new password on next sign-in. |
| Tags? | array | A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. |
| PermissionsBoundary? | string | The ARN of the managed policy that is used to set the permissions boundary for the user. A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*. For more information about policy types, see [Policy types](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the *IAM User Guide*. |
fn create()
Create a IAM User
fn get(identifier: string)
Get a IAM User
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM User |
fn update()
Update a IAM User
fn delete(identifier: string)
Delete a IAM User
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM User |
fn sync()
Sync IAM User state from AWS
user_policy.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| PolicyDocument? | record | The policy document. You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM. The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following: Any printable ASCII character ranging from the space character ( \\u0020) through the end of the ASCII character range The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF) The special characters tab ( \\u0009), line feed ( \\u000A), and carriage return ( \\u000D) |
| PolicyName | string | The name of the policy document. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
| UserName | string | The name of the user to associate the policy with. This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- |
fn create()
Create a IAM UserPolicy
fn get(identifier: string)
Get a IAM UserPolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM UserPolicy |
fn update()
Update a IAM UserPolicy
fn delete(identifier: string)
Delete a IAM UserPolicy
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM UserPolicy |
fn sync()
Sync IAM UserPolicy state from AWS
virtual_mfadevice.tsv2026.06.15.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| accessKeyId? | string | AWS access key ID; overrides AWS_ACCESS_KEY_ID environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| secretAccessKey? | string | AWS secret access key; overrides AWS_SECRET_ACCESS_KEY environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| sessionToken? | string | AWS session token for temporary credentials; overrides AWS_SESSION_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| region? | string | AWS region; overrides AWS_REGION / AWS_DEFAULT_REGION environment variables and ~/.aws/config profile region. Defaults to us-east-1. |
| VirtualMfaDeviceName? | string | |
| Path? | string | |
| Users | array | |
| Tags? | array |
fn create()
Create a IAM VirtualMFADevice
fn get(identifier: string)
Get a IAM VirtualMFADevice
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM VirtualMFADevice |
fn update()
Update a IAM VirtualMFADevice
fn delete(identifier: string)
Delete a IAM VirtualMFADevice
| Argument | Type | Description |
|---|---|---|
| identifier | string | The primary identifier of the IAM VirtualMFADevice |
fn sync()
Sync IAM VirtualMFADevice state from AWS
04Previous Versions
2026.06.08.2Jun 8, 2026
- Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.06.06.1Jun 6, 2026
- Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.05.27.1May 27, 2026
- Updated: group, group_policy, managed_policy, role, role_policy, user, user_policy
2026.05.19.1May 18, 2026
2026.04.23.3Apr 23, 2026
2026.04.23.2Apr 23, 2026
- Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.04.03.2Apr 3, 2026
- Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.03.19.1Mar 19, 2026
- Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.03.16.1Mar 16, 2026
- Updated: group, group_policy, instance_profile, managed_policy, oidcprovider, role, role_policy, samlprovider, server_certificate, service_linked_role, user, user_policy, virtual_mfadevice
2026.03.10.5Mar 10, 2026
05Stats
B
85 / 100
Downloads
134
Archive size
3.0 MB
Verified by Swamp
- Has README or module doc2/2earned
- README has a code example1/1earned
- README is substantive1/1earned
- Most symbols documented1/1earned
- No slow types (deprecated)1/1earned
- Dependencies pass trust audit0/2missing
- Has description1/1earned
- Platform support declared (or universal)2/2earned
- License declared1/1earned
- Verified public repository2/2earned
06Platforms
07Labels