Data Source: awsIamRoles

Use this data source to get the ARNs and Names of IAM Roles.

Example Usage

All roles in an account

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsIamRoles.DataAwsIamRoles(this, "roles", {});

Roles filtered by name regex

Roles whose role-name contains project

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsIamRoles.DataAwsIamRoles(this, "roles", {
  nameRegex: ".*project.*",
});

Roles filtered by path prefix

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsIamRoles.DataAwsIamRoles(this, "roles", {
  pathPrefix: "/custom-path",
});

Roles provisioned by AWS SSO

Roles in the account filtered by path prefix

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsIamRoles.DataAwsIamRoles(this, "roles", {
  pathPrefix: "/aws-reserved/sso.amazonaws.com/",
});

Specific role in the account filtered by name regex and path prefix

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsIamRoles.DataAwsIamRoles(this, "roles", {
  nameRegex: "AWSReservedSSO_permission_set_name_.*",
  pathPrefix: "/aws-reserved/sso.amazonaws.com/",
});

Role ARNs with paths removed

Services like Amazon EKS do not permit a path in the role ARN when it is used in a cluster's configuration map. The output below removes the path from each matched role ARN.

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsIamRolesRoles = new aws.dataAwsIamRoles.DataAwsIamRoles(
  this,
  "roles",
  {
    pathPrefix: "/aws-reserved/sso.amazonaws.com/",
  }
);
new cdktf.TerraformOutput(this, "arns", {
  value: [
    `\${[
    for parts in [for arn in ${dataAwsIamRolesRoles.arns} : split("/", arn)] :
    format("%s/%s", parts[0], element(parts, length(parts) - 1))
  ]}`,
  ],
});
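
The path-removal expression above, restated as plain TypeScript so its behaviour on nested paths, path-less roles, and non-role ARNs can be checked without a deployment. This is an added example, not part of the provider or its generated bindings; parseRoleArn, stripRolePath, pathlessArns, and the sample ARNs are hypothetical names and constructed values.

```typescript
// Added example: plain TypeScript, no cdktf or AWS calls are made.
interface RoleArn {
  prefix: string; // "arn:<partition>:iam::<account>:role"
  path: string; // "/" when the role has no path
  name: string;
}

// Split a role ARN the same way the HCL expression does: on "/".
function parseRoleArn(arn: string): RoleArn {
  const parts = arn.split("/");
  const prefix = parts[0] ?? "";
  const name = parts[parts.length - 1] ?? "";
  if (parts.length < 2 || name === "" ||
      !/^arn:[^:]+:iam::\d{12}:role$/.test(prefix)) {
    throw new Error(`not an IAM role ARN: ${arn}`);
  }
  // Everything between the "role" prefix and the name is the path.
  const path = "/" + parts.slice(1, -1).map((p) => p + "/").join("");
  return { prefix, path, name };
}

// Equivalent of format("%s/%s", parts[0], element(parts, length(parts) - 1)).
function stripRolePath(arn: string): string {
  const { prefix, name } = parseRoleArn(arn);
  return `${prefix}/${name}`;
}

// Hypothetical helper: keep roles whose path starts with pathPrefix
// (default "/", as in the argument reference), then strip the paths.
function pathlessArns(arns: string[], pathPrefix: string = "/"): string[] {
  return arns
    .filter((arn) => parseRoleArn(arn).path.startsWith(pathPrefix))
    .map(stripRolePath);
}

// Constructed sample ARNs (account ID and role names are made up).
const SAMPLE_ARNS: string[] = [
  "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_ReadOnly_0123456789abcdef",
  "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_Admin_fedcba9876543210",
  "arn:aws:iam::111122223333:role/custom-path/project-deployer",
  "arn:aws:iam::111122223333:role/plain-role",
];

console.log(pathlessArns(SAMPLE_ARNS, "/aws-reserved/sso.amazonaws.com/"));
```

Rejecting anything that is not a role ARN before rewriting it keeps a malformed or unexpected value from being written into an access mapping unnoticed.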

Argument Reference

The following arguments are supported:

  • nameRegex - (Optional) Regex string to apply to the IAM roles list returned by AWS. This allows more advanced filtering than the AWS API supports. The filtering is done locally on what AWS returns and could have a performance impact if the result is large. Combine this with other options to narrow down the list AWS returns.
  • pathPrefix - (Optional) Path prefix for filtering the results. For example, the prefix /applicationAbc/componentXyz/ gets all roles whose path starts with /applicationAbc/componentXyz/. If it is not included, it defaults to a slash (/), listing all roles. For more details, check out list-roles in the AWS CLI reference.

Attributes Reference

  • arns - Set of ARNs of the matched IAM roles.
  • names - Set of Names of the matched IAM roles.