Autogenerated using pop-create-idem

    hub.exec.boto3.client.iam.create_role
    hub.exec.boto3.client.iam.delete_role
    hub.exec.boto3.client.iam.get_role
    hub.exec.boto3.client.iam.list_roles
    hub.exec.boto3.client.iam.tag_role
    hub.exec.boto3.client.iam.untag_role
    hub.exec.boto3.client.iam.update_role
    resource = await hub.tool.boto3.resource.create(ctx, "iam", "Role", name)
    hub.tool.boto3.resource.exec(resource, attach_policy, *args, **kwargs)
    hub.tool.boto3.resource.exec(resource, delete, *args, **kwargs)
    hub.tool.boto3.resource.exec(resource, detach_policy, *args, **kwargs)

async, ctx, name: str, assume_role_policy_document: Dict, resource_id: str = None, description: str = None, max_session_duration: int = None, path: str = None, permissions_boundary: str = None, tags: Dict[str, Any] = None, timeout: Timeout = None) Dict[str, Any]

Autogenerated function

Creates a new role for your Amazon Web Services account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and STS quotas in the IAM User Guide.

  • name (str) – The name of the IAM role.

  • assume_role_policy_document (Dict or Text) – The trust relationship policy document that grants an entity permission to assume the role. This can be either a dictionary or a JSON string.

  • resource_id (str, Optional) – AWS IAM Role Name.

  • description (str, Optional) – A description of the role. Defaults to None.

  • max_session_duration (int, Optional) –

    The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied.

    This setting can have a value from 1 hour to 12 hours.

  • path (str, Optional) – The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide.

  • permissions_boundary (str, Optional) – The ARN of the policy that is used to set the permissions boundary for the role.

  • tags (Dict or List, Optional) –

    Dict in the format of {tag-key: tag-value} or List of tags in the format of [{"Key": tag-key, "Value": tag-value}] to associate with the new role. Each tag consists of a key name and an associated value. Defaults to None.

    • (Key): The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • (Value): The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources, Accounting, and Support. Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values. Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

  • timeout (Dict, Optional) –

    Timeout configuration for create/update/deletion of AWS IAM Policy.

    • create (Dict): Timeout configuration for creating AWS IAM Policy
      • delay (int, Optional): The amount of time in seconds to wait between attempts.

      • max_attempts (int, Optional): Customized timeout configuration containing delay and max attempts.

    • update (Dict, Optional): Timeout configuration for updating AWS IAM Policy
      • delay (int, Optional): The amount of time in seconds to wait between attempts.

      • max_attempts (int, Optional): Customized timeout configuration containing delay and max attempts.

Request Syntax:

    aws.iam.role.present:
      - name: 'string'
      - resource_id: 'string'
      - assume_role_policy_document: 'dict or string'
      - description: 'string'
      - max_session_duration: 'integer'
      - permissions_boundary: 'string'
      - tags:
        - Key: 'string'
          Value: 'string'


Dict[str, Any]


    - assume_role_policy_document:
        # A complete trust policy statement also names a Principal.
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
        Version: '2012-10-17'
    - description: Default EC2 Spot Service Linked Role
    - max_session_duration: 3600
    - tags:
        - Key: tag-key
          Value: tag-value
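
A pre-deployment check over the parameters documented above, as an added example that is not part of idem-aws or of this page. The function names, the sample role and the choice to report a missing permissions_boundary are assumptions made for illustration; the 3600 to 43200 second range is the 1 to 12 hour limit stated for max_session_duration.

```python
import json

MIN_SESSION, MAX_SESSION = 3600, 43200  # 1 hour to 12 hours, in seconds

def normalize_tags(tags):
    """Accept {key: value} or [{"Key": k, "Value": v}]; return a flat dict of strings."""
    if isinstance(tags, dict):
        return {str(k): str(v) for k, v in tags.items()}
    return {str(t["Key"]): str(t["Value"]) for t in tags or []}

def is_wildcard(principal):
    """True when the Principal element matches every AWS principal."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def review_role(params):
    """Return findings for one aws.iam.role.present parameter set (hypothetical helper)."""
    findings = []
    doc = params["assume_role_policy_document"]
    if isinstance(doc, str):  # the parameter may be a dict or a JSON string
        doc = json.loads(doc)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    if not statements:
        findings.append("trust policy has no Statement")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" not in stmt:
            findings.append(f"statement {i}: no Principal")
        elif is_wildcard(stmt["Principal"]) and not stmt.get("Condition"):
            findings.append(f"statement {i}: any AWS principal may assume the role")
    duration = params.get("max_session_duration")
    if duration is not None and not MIN_SESSION <= duration <= MAX_SESSION:
        findings.append(f"max_session_duration {duration} outside {MIN_SESSION}-{MAX_SESSION}")
    if not params.get("permissions_boundary"):
        findings.append("no permissions_boundary set")
    return findings

# Constructed sample input (not from the page): JSON-string trust policy, open principal.
BAD = {
    "name": "example-open-role",
    "assume_role_policy_document": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}),
    "max_session_duration": 900,
}
```

Calling review_role(BAD) returns one finding each for the open principal, the out-of-range session duration and the missing boundary.
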
async, ctx, name: str, resource_id: str = None, detach_role_policies: bool = False) Dict[str, Any]

Autogenerated function

Deletes the specified role. The role must not have any policies attached. For more information about roles, see Working with roles. Make sure that you do not have any Amazon EC2 instances running with the role you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.

  • name (str) – AWS IAM Role Name.

  • resource_id (str, Optional) – AWS IAM Role Name to identify the IAM role on AWS.

  • detach_role_policies (bool, Optional) – If true, the role is detached from its policies before it is deleted. Defaults to False.


Dict[str, Any]


    - resource_id: value
    - detach_role_policies: True
async, ctx) Dict[str, Dict[str, Any]]

Autogenerated function

Describe the resource in a way that can be recreated/managed with the corresponding "present" function.

Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list. For more information about roles, see Working with roles. IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a role, see GetRole. You can paginate the results using the MaxItems and Marker parameters.


Dict[str, Any]


$ idem describe aws.iam.role