Name of the IAM role.
Use the name (not ARN) when:
- Attaching policies via aws_iam_role_policy_attachment
- Referencing in aws_iam_instance_profile
- Using with AWS CLI commands
Use the ARN instead when:
- Configuring cross-account access
- Setting up service-linked resources

Stable and unique string identifying the role. This ID remains constant even if the role is recreated with the same name.
Use for:
- CloudWatch log group policies scoped to specific roles
- S3 bucket policies with aws:userId condition
- Audit trails requiring stable identifiers

Unique identifier assigned by AWS (format: AROA...).
This is the principal ID used in:
- CloudTrail logs for role assumption events
- S3 access logs identifying the caller
- Resource policies using aws:userId conditions
Unlike role_id, this is the AWS-assigned identifier that appears in audit logs and can be used to trace actions back to this role.
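A resource policy using an aws:userId condition, as an added example that is not part of the iam-role module itself. It assumes the module is instantiated as module.iam_role and exports the AROA... value under the output name unique_id; the bucket name and resource labels are placeholders.

```hcl
# Added example. Assumed names: module.iam_role, its output "unique_id",
# and the bucket "example-audit-bucket" (constructed placeholder).

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "audit" {
  bucket = "example-audit-bucket"
}

data "aws_iam_policy_document" "role_only" {
  statement {
    sid     = "DenyAllExceptRole"
    effect  = "Deny"
    actions = ["s3:*"]

    resources = [
      aws_s3_bucket.audit.arn,
      "${aws_s3_bucket.audit.arn}/*",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotLike"
      variable = "aws:userId"
      values = [
        # An assumed-role session presents aws:userId as
        # "<role unique ID>:<session name>", so match any session name.
        "${module.iam_role.unique_id}:*",
        # The account root user presents the account ID as aws:userId;
        # keeping it here avoids locking the account out of the bucket.
        data.aws_caller_identity.current.account_id,
      ]
    }
  }
}

resource "aws_s3_bucket_policy" "audit" {
  bucket = aws_s3_bucket.audit.id
  policy = data.aws_iam_policy_document.role_only.json
}
```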

Timestamp when the role was created (ISO 8601 format).
Useful for:
- Auditing role age
- Identifying stale roles for cleanup
- Compliance reporting

ARN of the instance profile (if created). Only populated when create_instance_profile = true.
Use this ARN when:
- Launching EC2 instances with aws_instance.iam_instance_profile
- Configuring Auto Scaling launch templates
- Setting up ECS container instances

Name of the instance profile (if created). Only populated when create_instance_profile = true.
Use the name when referencing in:
- AWS CLI commands (aws ec2 associate-iam-instance-profile)
- CloudFormation templates
- Launch configurations

Unique identifier for the instance profile (if created). Only populated when create_instance_profile = true. Format: AIPA... (similar to role unique_id but for profiles)

Output values exported by the iam-role module for use in other resources and modules.