Role

iam.services.k8s.aws/v1alpha1

TypeLink
GoDociam-controller/apis/v1alpha1#Role

Metadata

PropertyValue
ScopeNamespaced
KindRole
ListKindRoleList
Pluralroles
Singularrole

Contains information about an IAM role. This structure is returned as a response element in several API operations that interact with roles.

Spec

assumeRolePolicyDocument: string
description: string
inlinePolicies: {}
maxSessionDuration: integer
name: string
path: string
permissionsBoundary: string
permissionsBoundaryRef: 
  from: 
    name: string
    namespace: string
policies:
- string
policyRefs:
  from: 
    name: string
    namespace: string
tags:
- key: string
  value: string
FieldDescription
assumeRolePolicyDocument
Required
string
The trust relationship policy document that grants an entity permission to
assume the role.

In IAM, you must provide a JSON policy that has been converted to a string.
However, for CloudFormation templates formatted in YAML, you can provide
the policy in JSON or YAML format. CloudFormation always converts a YAML
policy to JSON format before submitting it to IAM.

The regex pattern (http://wikipedia.org/wiki/regex) used to validate this
parameter is a string of characters consisting of the following:

* Any printable ASCII character ranging from the space character (\u0020)
through the end of the ASCII character range

* The printable characters in the Basic Latin and Latin-1 Supplement character
set (through \u00FF)

* The special characters tab (\u0009), line feed (\u000A), and carriage
return (\u000D)

Upon success, the response includes the same trust policy in JSON format.
description
Optional
string
A description of the role.
inlinePolicies
Optional
object
maxSessionDuration
Optional
integer
The maximum session duration (in seconds) that you want to set for the specified
role. If you do not specify a value for this setting, the default value of
one hour is applied. This setting can have a value from 1 hour to 12 hours.

Anyone who assumes the role from the CLI or API can use the DurationSeconds
API parameter or the duration-seconds CLI parameter to request a longer session.
The MaxSessionDuration setting determines the maximum duration that can be
requested using the DurationSeconds parameter. If users don’t specify a value
for the DurationSeconds parameter, their security credentials are valid for
one hour by default. This applies when you use the AssumeRole* API operations
or the assume-role* CLI operations but does not apply when you use those
operations to create a console URL. For more information, see Using IAM roles
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the
IAM User Guide.
name
Required
string
The name of the role to create.

IAM user, group, role, and policy names must be unique within the account.
Names are not distinguished by case. For example, you cannot create resources
named both “MyResource” and “myresource”.

This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex))
a string of characters consisting of upper and lowercase alphanumeric characters
with no spaces. You can also include any of the following characters: _+=,.@-
path
Optional
string
The path to the role. For more information about paths, see IAM Identifiers
(https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
in the IAM User Guide.

This parameter is optional. If it is not included, it defaults to a slash
(/).

This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex))
a string of characters consisting of either a forward slash (/) by itself
or a string that must begin and end with forward slashes. In addition, it
can contain any ASCII character from the ! (\u0021) through the DEL character
(\u007F), including most punctuation characters, digits, and upper and lowercased
letters.
permissionsBoundary
Optional
string
The ARN of the managed policy that is used to set the permissions boundary
for the role.

A permissions boundary policy defines the maximum permissions that identity-based
policies can grant to an entity, but does not grant permissions. Permissions
boundaries do not define the maximum permissions that a resource-based policy
can grant to an entity. To learn more, see Permissions boundaries for IAM
entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
in the IAM User Guide.

For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
in the IAM User Guide.
permissionsBoundaryRef
Optional
object
AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference
type to provide more user friendly syntax for references using ‘from’ field
Ex:
APIIDRef:

from:
name: my-api
permissionsBoundaryRef.from
Optional
object
AWSResourceReference provides all the values necessary to reference another
k8s resource for finding the identifier(Id/ARN/Name)
permissionsBoundaryRef.from.name
Optional
string
permissionsBoundaryRef.from.namespace
Optional
string
policies
Optional
array
policies.[]
Required
string
policyRefs.[]
Required
object
AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference
type to provide more user friendly syntax for references using ‘from’ field
Ex:
APIIDRef:
from:
  name: my-api || **policyRefs.[].from**<br/>Optional | **object**<br/>AWSResourceReference provides all the values necessary to reference another<br/>k8s resource for finding the identifier(Id/ARN/Name) |

| policyRefs.[].from.name
Optional | string
| | policyRefs.[].from.namespace
Optional | string
| | tags
Optional | array
A list of tags that you want to attach to the new role. Each tag consists
of a key name and an associated value. For more information about tagging,
see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)
in the IAM User Guide.

If any one of the tags is invalid or if you exceed the allowed maximum number
of tags, then the entire request fails and the resource is not created. | | tags.[]
Required | object
A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the IAM User Guide. || tags.[].key
Optional | string
| | tags.[].value
Optional | string
|

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createDate: string
roleID: string
roleLastUsed: 
  lastUsedDate: string
  region: string
FieldDescription
ackResourceMetadata
Optional
object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership,
constructed ARN for the resource
ackResourceMetadata.arn
Optional
string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required
string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.region
Required
string
Region is the AWS region in which the resource exists or will exist.
conditions
Optional
array
All CRS managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource
conditions.[]
Required
object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
conditions.[].message
Optional
string
A human readable message indicating details about the transition.
conditions.[].reason
Optional
string
The reason for the condition’s last transition.
conditions.[].status
Optional
string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional
string
Type is the type of the Condition
createDate
Optional
string
The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
when the role was created.
roleID
Optional
string
The stable and unique string identifying the role. For more information about
IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
in the IAM User Guide.
roleLastUsed
Optional
object
Contains information about the last time that an IAM role was used. This
includes the date and time and the Region in which the role was last used.
Activity is only reported for the trailing 400 days. This period can be shorter
if your Region began supporting these features within the last year. The
role might have been used more than 400 days ago. For more information, see
Regions where data is tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)
in the IAM user Guide.
roleLastUsed.lastUsedDate
Optional
string
roleLastUsed.region
Optional
string