iam-role
iam-role
Features
- Create IAM roles with customizable trust policies
- Attach AWS managed or customer managed policies
- Define inline policies for role-specific permissions
- Optional instance profile creation for EC2 use cases
- Permissions boundary support for delegated administration
- Comprehensive input validation with helpful error messages
When to Use
Use this module when you need to:
- Create execution roles for Lambda functions, ECS tasks, or Step Functions
- Set up EC2 instance roles with automatic instance profile creation
- Enable cross-account access with proper security controls
- Implement GitHub Actions OIDC federation for keyless CI/CD
- Delegate role creation to teams while enforcing permissions boundaries
Usage
Basic Usage
module "lambda_role" {
source = "../../"
name = "example-lambda-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Principal = { Service = "lambda.amazonaws.com" }
Action = "sts:AssumeRole"
}]
})
managed_policy_arns = [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
tags = {
Environment = "example"
}
}
Complete Example
See examples/complete for a full-featured example demonstrating all module capabilities.
Inputs
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| assume_role_policy | string | true | n/a | JSON trust policy document that grants entities pe… |
| create_instance_profile | bool | false | n/a | Whether to create an EC2 instance profile for this… |
| description | string | false | n/a | Human-readable description of the role’s purpose. … |
| force_detach_policies | bool | false | n/a | Whether to force detach policies before destroying… |
| inline_policies | map(string) | false | {} | Map of inline policy names to JSON policy document… |
| instance_profile_name | string | false | n/a | Name of the instance profile. Defaults to the role… |
| managed_policy_arns | set(string) | false | [] | Set of managed policy ARNs to attach to the role. … |
| max_session_duration | number | false | 3600 | Maximum session duration in seconds for role assum… |
| name | string | true | n/a | The name of the IAM role. Must be unique within yo… |
| path | string | false | / | Path for the IAM role. Use paths to organize roles… |
| permissions_boundary | string | false | n/a | ARN of the policy to use as a permissions boundary… |
| tags | map(string) | false | {} | Map of tags to apply to all resources created by t… |
For detailed input documentation including examples, see the registry page.
Outputs
| Name | Description |
|---|---|
| create_date | Timestamp when the role was created (ISO 8601 format). Usef… |
| instance_profile_arn | ARN of the instance profile (if created). Only populated wh… |
| instance_profile_id | Unique identifier for the instance profile (if created). On… |
| instance_profile_name | Name of the instance profile (if created). Only populated w… |
| role_arn | ARN of the IAM role. Use this ARN when: - Configuring Lambd… |
| role_id | Stable and unique string identifying the role. This ID rema… |
| role_name | Name of the IAM role. Use the name (not ARN) when: - Attach… |
| unique_id | Unique identifier assigned by AWS (format: AROA…). This i… |
Principle of Least Privilege
Always grant the minimum permissions required. Prefer specific resource ARNs over wildcards, and use inline policies for role-specific permissions that shouldn’t be reused.
Permissions Boundaries
Use permissions boundaries when delegating role creation to development teams. Boundaries set the maximum permissions a role can have, regardless of what policies are attached. This prevents privilege escalation in multi-tenant environments.
External IDs for Third-Party Access
Always use external IDs when granting cross-account access to third parties. This prevents the “confused deputy” problem where a malicious actor could trick a service into accessing your resources.
Session Duration
Use the shortest session duration that meets your needs. Shorter sessions reduce the window of exposure if credentials are compromised:
- 1 hour (3600): Default, suitable for most automated tasks
- 4 hours (14400): Long CI/CD pipelines
- 8 hours (28800): Workday console sessions
- 12 hours (43200): Maximum, rarely needed
OIDC Trust Policies
When using OIDC federation (e.g., GitHub Actions), always scope trust policies to specific repositories and branches. Never allow all repositories or all branches to assume production roles.
Common Trust Policy Patterns
| Service | Principal |
|---|---|
| Lambda | lambda.amazonaws.com |
| ECS Tasks | ecs-tasks.amazonaws.com |
| EC2 | ec2.amazonaws.com |
| Step Functions | states.amazonaws.com |
| API Gateway | apigateway.amazonaws.com |
| CodeBuild | codebuild.amazonaws.com |
| CodePipeline | codepipeline.amazonaws.com |
| CloudWatch Events | events.amazonaws.com |
| SNS | sns.amazonaws.com |
| SQS | sqs.amazonaws.com |
Condition Keys
Common condition keys for trust policies:
| Condition Key | Use Case |
|---|---|
sts:ExternalId | Third-party cross-account access |
aws:MultiFactorAuthPresent | Require MFA for role assumption |
aws:SourceIp | Restrict by IP address |
aws:SourceVpc | Restrict to specific VPC |
aws:PrincipalOrgID | Restrict to AWS Organization |
sts:RoleSessionName | Audit/track who assumed the role |
Related Modules
- kms-key - Create KMS keys for encryption
- secrets-manager - Manage secrets with IAM access
- security-group - Network security for EC2/ECS
This README was generated from structured documentation. See spec.yaml for the complete module specification.