AwsIamRoleTemplate
See Template Schema Validation to learn how to validate templates automatically in your IDE.
Description
A base model class that provides additional helper methods and configurations for other models used in IAMbic.
Properties
- included_accounts (array of string): A list of account ids and/or account names this statement applies to. Each entry can be a regex or a literal string. Default: ["*"].
- excluded_accounts (array of string): A list of account ids and/or account names this statement explicitly does not apply to. Each entry can be a regex or a literal string. Default: [].
- included_orgs (array of string): A list of AWS organization ids this statement applies to. Each entry can be a regex or a literal string. Default: ["*"].
- excluded_orgs (array of string): A list of AWS organization ids this statement explicitly does not apply to. Each entry can be a regex or a literal string. Default: [].
- expires_at: The date and time the resource will be/was set to deleted. Any of: string, string (date-time), string (date). Examples: in 3 days, '2023-09-01', '2023-08-31T12:00:00'.
- deleted (boolean): Denotes whether the resource has been removed from AWS. Upon being set to true, the resource will be deleted the next time iambic is run. Default: false.
- expires_at_default: A value that is set by IAMbic at run time and should not be set by the user. Any of: string, string (date-time), string (date). Examples: in 3 days, '2023-09-01', '2023-08-31T12:00:00'.
- template_type (string): Default: "NOQ::AWS::IAM::Role".
- template_schema_url (string): Default: "https://docs.iambic.org/reference/schemas/aws_iam_role_template".
- owner (string): Owner of the role.
- notes (string)
- iambic_managed: Controls the directionality of IAMbic changes. Default: "undefined". All of: refer to #/definitions/IambicManaged.
- identifier (string)
- properties: Properties of the role. All of: refer to #/definitions/RoleProperties.
- access_rules (array): Used to define users and groups who can access the role via Noq credential brokering. Default: []. Items: refer to #/definitions/RoleAccess.
Definitions
Every object below extends the same base model as the template itself. Where an object repeats the scoping fields (included_accounts, excluded_accounts, included_orgs, excluded_orgs) or the lifecycle fields (expires_at, deleted, expires_at_default), they have the meaning and defaults given under Properties.
IambicManaged (enumeration): Must be one of: ["undefined", "read_and_write", "import_only", "enforced", "disabled"].
Description (object)
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- description (string): Default: "".
MaxSessionDuration (object)
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- max_session_duration (integer, required)
Path (object)
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
PermissionBoundary (object)
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- expires_at, deleted, expires_at_default: lifecycle fields, with the same meaning, formats and defaults as under Properties.
- policy_arn (string, required)
- permissions_boundary_type (string)
Principal (object)
- aws: Any of: string, array of string.
- service: Any of: string, array of string.
- canonical_user: Any of: string, array of string.
- federated: Any of: string, array of string.
PolicyStatement (object)
- expires_at, deleted, expires_at_default: lifecycle fields, with the same meaning, formats and defaults as under Properties.
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- effect (string, required): Allow | Deny.
- principal: Any of: a Principal (refer to #/definitions/Principal), string.
- not_principal: Any of: a Principal (refer to #/definitions/Principal), string.
- action: A single regex or list of regexes. Values are the actions that can be performed on the resources in the policy statement. Any of: array of string, string.
- not_action: An advanced policy element that explicitly matches everything except the specified list of actions. DON'T use this with effect: allow in the same statement OR policy. Any of: array of string, string.
- resource: A single regex or list of regexes. Values specified are the resources the statement applies to. Any of: array of string, string.
- not_resource: An advanced policy element that explicitly matches every resource except those specified. DON'T use this with effect: allow and action: '*'. Any of: array of string, string.
- condition (object): An optional set of conditions that determine whether the policy applies to a resource.
- sid (string): The Policy Statement ID.
AssumeRolePolicyDocument (object)
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- version (string): Default: "2008-10-17".
- statement: Any of: array of PolicyStatement, a single PolicyStatement (refer to #/definitions/PolicyStatement).
Tag (object)
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- expires_at, deleted, expires_at_default: lifecycle fields, with the same meaning, formats and defaults as under Properties.
- key (string, required)
- value (string, required)
ManagedPolicyRef (object)
- expires_at, deleted, expires_at_default: lifecycle fields, with the same meaning, formats and defaults as under Properties.
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- policy_arn (string, required)
- policy_name (string)
PolicyDocument (object)
- expires_at, deleted, expires_at_default: lifecycle fields, with the same meaning, formats and defaults as under Properties.
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- policy_name (string, required): The name of the policy.
- version (string)
- statement: List of policy statements. Any of: array of PolicyStatement, a single PolicyStatement (refer to #/definitions/PolicyStatement).
- id (string): The Id element specifies an optional identifier for the policy. The ID is used differently in different services.
RoleProperties (object)
- role_name (string, required): Name of the role.
- description: Description of the role. Default: "". Any of: string, array of Description (refer to #/definitions/Description).
- max_session_duration: Default: 3600. Any of: integer, array of MaxSessionDuration (refer to #/definitions/MaxSessionDuration).
- path: Default: "/". Any of: string, array of Path (refer to #/definitions/Path).
- permissions_boundary: Any of: a PermissionBoundary, array of PermissionBoundary (refer to #/definitions/PermissionBoundary).
- assume_role_policy_document: Who can assume the Role. Default: []. Any of: array of AssumeRolePolicyDocument, a single AssumeRolePolicyDocument (refer to #/definitions/AssumeRolePolicyDocument).
- tags (array of Tag): List of tags attached to the role. Default: []. Items: refer to #/definitions/Tag.
- managed_policies (array of ManagedPolicyRef): Managed policy arns attached to the role. Default: []. Items: refer to #/definitions/ManagedPolicyRef.
- inline_policies (array of PolicyDocument): List of the role's inline policies. Default: []. Items: refer to #/definitions/PolicyDocument.
RoleAccess (object)
- included_accounts, excluded_accounts, included_orgs, excluded_orgs (array of string): account and organization scoping, with the same meaning and defaults as under Properties.
- expires_at, deleted, expires_at_default: lifecycle fields, with the same meaning, formats and defaults as under Properties.
- users (array of string): List of users who can assume into the role. Default: [].
- groups (array of string): List of groups. Users in one or more of the groups can assume into the role. Default: [].
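As an added, constructed example (not from the IAMbic docs or project), here is a complete template that exercises the properties and definitions above: account scoping at template and statement level, a permissions boundary, a trust policy narrowed by conditions, and time-bounded access via expires_at. The account id, ARNs, repository, user and group names are placeholders, and the behaviour attributed to iambic_managed: enforced is assumed from IAMbic's usage rather than stated on this page.

```yaml
# Constructed example of an AwsIamRoleTemplate; account id/names, ARNs, repo and user/group names are placeholders.
template_type: NOQ::AWS::IAM::Role
template_schema_url: https://docs.iambic.org/reference/schemas/aws_iam_role_template
identifier: engineering-deploy
owner: platform-team@example.com
iambic_managed: enforced            # IambicManaged value; assumed to keep AWS aligned with this template
included_accounts:
  - '*'                             # every account IAMbic manages ...
excluded_accounts:
  - prod                            # ... except the account named "prod"
properties:
  role_name: engineering-deploy
  description: Deploys engineering services from CI
  max_session_duration: 3600        # seconds; keep sessions short-lived
  permissions_boundary:             # caps whatever the policies below grant
    policy_arn: arn:aws:iam::000000000000:policy/EngineeringBoundary
  assume_role_policy_document:
    version: '2012-10-17'
    statement:
      - sid: AllowCiFromMainBranch
        effect: Allow
        action: sts:AssumeRoleWithWebIdentity
        principal:
          federated: arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com
        condition:                  # trust one repo and branch, not the whole provider
          StringEquals:
            token.actions.githubusercontent.com:aud: sts.amazonaws.com
          StringLike:
            token.actions.githubusercontent.com:sub: repo:example-org/example-app:ref:refs/heads/main
  managed_policies:
    - policy_arn: arn:aws:iam::aws:policy/ReadOnlyAccess
  inline_policies:
    - policy_name: deploy
      version: '2012-10-17'
      statement:
        - sid: DeployArtifacts
          effect: Allow
          action:
            - s3:GetObject
            - s3:PutObject
          resource: arn:aws:s3:::example-artifacts/*
        - sid: IncidentRollout
          effect: Allow
          action: ecs:UpdateService
          resource: '*'
          included_accounts:
            - staging               # this statement is rendered only in "staging"
          expires_at: '2023-09-01'  # IAMbic drops the statement once this date passes
access_rules:
  - users:
      - alice@example.com
    groups:
      - engineering
    expires_at: in 3 days           # temporary brokered access that lapses on its own
```

Note that deleted and expires_at_default are left unset: deleted is only flipped to true when a resource is to be removed on the next run, and expires_at_default is populated by IAMbic itself.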