{"id":13677106,"url":"https://github.com/terraform-aws-modules/terraform-aws-iam","last_synced_at":"2025-05-13T22:01:56.443Z","repository":{"id":37663142,"uuid":"108381514","full_name":"terraform-aws-modules/terraform-aws-iam","owner":"terraform-aws-modules","description":"Terraform module to create AWS IAM resources 🇺🇦","archived":false,"fork":false,"pushed_at":"2025-04-14T18:39:30.000Z","size":687,"stargazers_count":819,"open_issues_count":2,"forks_count":1036,"subscribers_count":20,"default_branch":"master","last_synced_at":"2025-04-28T17:06:06.933Z","etag":null,"topics":["aws","aws-iam","iam","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/terraform-aws-modules/iam/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/terraform-aws-modules.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["antonbabenko"],"custom":"https://www.paypal.me/antonbabenko"}},"created_at":"2017-10-26T08:13:55.000Z","updated_at":"2025-04-24T00:35:59.000Z","dependencies_parsed_at":"2022-07-18T03:30:40.856Z","dependency_job_id":"d5b70c98-dcf3-4278-8cff-99ba8ea102d7","html_url":"https://github.com/terraform-aws-modules/terraform-aws-iam","commit_stats":{"total_commits":373,"total_committers":121,"mean_commits":"3.0826446280991737","dds":0.7238605898123325,"last_synced_commit":"89fe17a6549728f1dc7e7a8f7b707486dfb45d89"},"previous_names":[],"tags_count":184,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-iam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-iam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-iam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-iam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/terraform-aws-modules","download_url":"https://codeload.github.com/terraform-aws-modules/terraform-aws-iam/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254036807,"owners_count":22003651,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-iam","iam","terraform-module"],"created_at":"2024-08-02T13:00:37.013Z","updated_at":"2025-05-13T22:01:56.255Z","avatar_url":"https://github.com/terraform-aws-modules.png","language":"HCL","funding_links":["https://github.com/sponsors/antonbabenko","https://www.paypal.me/antonbabenko"],"categories":["HCL"],"sub_categories":[],"readme":"# AWS Identity and Access Management (IAM) Terraform module\n\n[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)\n\n## Features\n\n1. **Cross-account access.** Define IAM roles using `iam_assumable_role` or `iam_assumable_roles` submodules in \"resource AWS accounts (prod, staging, dev)\" and IAM groups and users using `iam-group-with-assumable-roles-policy` submodule in \"IAM AWS Account\" to setup access controls between accounts. See [iam-group-with-assumable-roles-policy example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) for more details.\n2. **Individual IAM resources (users, roles, policies).** See usage snippets and [examples](https://github.com/terraform-aws-modules/terraform-aws-iam#examples) listed below.\n\n## Usage\n\n`iam-account`:\n\n```hcl\nmodule \"iam_account\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-account\"\n\n  account_alias = \"awesome-company\"\n\n  minimum_password_length = 37\n  require_numbers         = false\n}\n```\n\n`iam-assumable-role`:\n\n```hcl\nmodule \"iam_assumable_role\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-assumable-role\"\n\n  trusted_role_arns = [\n    \"arn:aws:iam::307990089504:root\",\n    \"arn:aws:iam::835367859851:user/anton\",\n  ]\n\n  create_role = true\n\n  role_name         = \"custom\"\n  role_requires_mfa = true\n\n  custom_role_policy_arns = [\n    \"arn:aws:iam::aws:policy/AmazonCognitoReadOnly\",\n    \"arn:aws:iam::aws:policy/AlexaForBusinessFullAccess\",\n  ]\n  number_of_custom_role_policy_arns = 2\n}\n```\n\n`iam-assumable-role-with-oidc`:\n\n```hcl\nmodule \"iam_assumable_role_with_oidc\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc\"\n\n  create_role = true\n\n  role_name = \"role-with-oidc\"\n\n  tags = {\n    Role = \"role-with-oidc\"\n  }\n\n  provider_url = \"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8\"\n\n  role_policy_arns = [\n    \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\",\n  ]\n  number_of_role_policy_arns = 1\n}\n```\n\n`iam-assumable-role-with-saml`:\n\n```hcl\nmodule \"iam_assumable_role_with_saml\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-saml\"\n\n  create_role = true\n\n  role_name = \"role-with-saml\"\n\n  tags = {\n    Role = \"role-with-saml\"\n  }\n\n  provider_id = \"arn:aws:iam::235367859851:saml-provider/idp_saml\"\n\n  role_policy_arns = [\n    \"arn:aws:iam::aws:policy/ReadOnlyAccess\"\n  ]\n  number_of_role_policy_arns = 1\n}\n```\n\n`iam-assumable-roles`:\n\n```hcl\nmodule \"iam_assumable_roles\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-assumable-roles\"\n\n  trusted_role_arns = [\n    \"arn:aws:iam::307990089504:root\",\n    \"arn:aws:iam::835367859851:user/anton\",\n  ]\n\n  create_admin_role = true\n\n  create_poweruser_role = true\n  poweruser_role_name   = \"developer\"\n\n  create_readonly_role       = true\n  readonly_role_requires_mfa = false\n}\n```\n\n`iam-assumable-roles-with-saml`:\n\n```hcl\nmodule \"iam_assumable_roles_with_saml\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml\"\n\n  create_admin_role = true\n\n  create_poweruser_role = true\n  poweruser_role_name   = \"developer\"\n\n  create_readonly_role = true\n\n  provider_id   = \"arn:aws:iam::235367859851:saml-provider/idp_saml\"\n}\n```\n\n`iam-eks-role`:\n\n```hcl\nmodule \"iam_eks_role\" {\n  source      = \"terraform-aws-modules/iam/aws//modules/iam-eks-role\"\n\n  role_name   = \"my-app\"\n\n  cluster_service_accounts = {\n    \"cluster1\" = [\"default:my-app\"]\n    \"cluster2\" = [\n      \"default:my-app\",\n      \"canary:my-app\",\n    ]\n  }\n\n  tags = {\n    Name = \"eks-role\"\n  }\n\n  role_policy_arns = {\n    AmazonEKS_CNI_Policy = \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"\n  }\n}\n```\n\n`iam-github-oidc-provider`:\n\n```hcl\nmodule \"iam_github_oidc_provider\" {\n  source    = \"terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider\"\n\n  tags = {\n    Environment = \"test\"\n  }\n}\n```\n\n`iam-github-oidc-role`:\n\n```hcl\nmodule \"iam_github_oidc_role\" {\n  source    = \"terraform-aws-modules/iam/aws//modules/iam-github-oidc-role\"\n\n  # This should be updated to suit your organization, repository, references/branches, etc.\n  subjects = [\"terraform-aws-modules/terraform-aws-iam:*\"]\n\n  policies = {\n    S3ReadOnly = \"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess\"\n  }\n\n  tags = {\n    Environment = \"test\"\n  }\n}\n```\n\n`iam-group-with-assumable-roles-policy`:\n\n```hcl\nmodule \"iam_group_with_assumable_roles_policy\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy\"\n\n  name = \"production-readonly\"\n\n  assumable_roles = [\n    \"arn:aws:iam::835367859855:role/readonly\"  # these roles can be created using `iam_assumable_roles` submodule\n  ]\n\n  group_users = [\n    \"user1\",\n    \"user2\"\n  ]\n}\n```\n\n`iam-group-with-policies`:\n\n```hcl\nmodule \"iam_group_with_policies\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-group-with-policies\"\n\n  name = \"superadmins\"\n\n  group_users = [\n    \"user1\",\n    \"user2\"\n  ]\n\n  attach_iam_self_management_policy = true\n\n  custom_group_policy_arns = [\n    \"arn:aws:iam::aws:policy/AdministratorAccess\",\n  ]\n\n  custom_group_policies = [\n    {\n      name   = \"AllowS3Listing\"\n      policy = data.aws_iam_policy_document.sample.json\n    }\n  ]\n}\n```\n\n`iam-policy`:\n\n```hcl\nmodule \"iam_policy\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-policy\"\n\n  name        = \"example\"\n  path        = \"/\"\n  description = \"My example policy\"\n\n  policy = \u003c\u003cEOF\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\n        \"ec2:Describe*\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"*\"\n    }\n  ]\n}\nEOF\n}\n```\n\n`iam-read-only-policy`:\n\n```hcl\nmodule \"iam_read_only_policy\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-read-only-policy\"\n\n  name        = \"example\"\n  path        = \"/\"\n  description = \"My example read-only policy\"\n\n  allowed_services = [\"rds\", \"dynamo\", \"health\"]\n}\n```\n\n`iam-role-for-service-accounts-eks`:\n\n```hcl\nmodule \"vpc_cni_irsa\" {\n  source      = \"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks\"\n\n  role_name   = \"vpc-cni\"\n\n  attach_vpc_cni_policy = true\n  vpc_cni_enable_ipv4   = true\n\n  oidc_providers = {\n    main = {\n      provider_arn               = \"arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D\"\n      namespace_service_accounts = [\"kube-system:aws-node\"]\n    }\n  }\n\n  tags = {\n    Name = \"vpc-cni-irsa\"\n  }\n}\n```\n\n`iam-user`:\n\n```hcl\nmodule \"iam_user\" {\n  source  = \"terraform-aws-modules/iam/aws//modules/iam-user\"\n\n  name          = \"vasya.pupkin\"\n  force_destroy = true\n\n  pgp_key = \"keybase:test\"\n\n  password_reset_required = false\n}\n```\n\n## IAM Best Practices\n\nAWS published [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) and this Terraform module was created to help with some of points listed there:\n\n1. Create Individual IAM Users\n\nUse [iam-user module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-user) module to manage IAM users.\n\n2. Use AWS Defined Policies to Assign Permissions Whenever Possible\n\nUse [iam-assumable-roles module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-roles) to create IAM roles with managed policies to support common tasks (admin, poweruser or readonly).\n\n3. Use Groups to Assign Permissions to IAM Users\n\nUse [iam-group-with-assumable-roles-policy module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-group-with-assumable-roles-policy) to manage IAM groups of users who can assume roles.\nUse [iam-group-with-policies module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-group-with-policies) to manage IAM groups of users where specified IAM policies are allowed.\n\n4. Configure a Strong Password Policy for Your Users\n\nUse [iam-account module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-account) to set password policy for your IAM users.\n\n5. Enable MFA for Privileged Users\n\nUse [iam-assumable-roles module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-roles) to create IAM roles that require MFA.\n\n6. Delegate by Using Roles Instead of by Sharing Credentials\n\n[iam-assumable-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-role), [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-roles), [iam-assumable-roles-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-roles-with-saml) and [iam-group-with-assumable-roles-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-group-with-assumable-roles-policy) modules provide complete set of functionality required for this.\n\n7. Use Policy Conditions for Extra Security\n\n[iam-assumable-roles module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-roles) can be configured to require valid MFA token when different roles are assumed (for example, admin role requires MFA, but readonly - does not).\n\n8. Create IAM Policies\n\nUse [iam-policy module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-policy) module to manage IAM policy.\nUse [iam-read-only-policy module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-read-only-policy) module to manage IAM read-only policies.\n\n## Examples\n\n- [iam-account](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-account) - Set AWS account alias and password policy\n- [iam-assumable-role-with-oidc](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-role-with-oidc) - Create individual IAM role which can be assumed from specified subjects federated with a OIDC Identity Provider\n- [iam-assumable-role-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-role-with-saml) - Create individual IAM role which can be assumed by users with a SAML Identity Provider\n- [iam-assumable-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-role) - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)\n- [iam-assumable-roles-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles-with-saml) - Create several IAM roles which can be assumed by users with a SAML Identity Provider\n- [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)\n- [iam-eks-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-eks-role) - Create an IAM role that can be assumed by one or more EKS `ServiceAccount`\n- [iam-group-complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-complete) - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies\n- [iam-group-with-assumable-roles-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) - IAM group with users who are allowed to assume IAM roles in the same or in separate AWS account\n- [iam-group-with-policies](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-policies) - IAM group with users who are allowed specified IAM policies (eg, \"manage their own IAM user\")\n- [iam-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-policy) - Create IAM policy\n- [iam-read-only-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-read-only-policy) - Create IAM read-only policy\n- [iam-role-for-service-accounts-eks](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-for-service-accounts-eks) - Create IAM role for service accounts (IRSA) for use within EKS clusters\n- [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys (with PGP enabled or disabled)\n\n## Authors\n\nModule is maintained by [Anton Babenko](https://github.com/antonbabenko) with help from [these awesome contributors](https://github.com/terraform-aws-modules/terraform-aws-iam/graphs/contributors).\n\n## License\n\nApache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/LICENSE) for full details.\n\n## Additional information for users from Russia and Belarus\n\n* Russia has [illegally annexed Crimea in 2014](https://en.wikipedia.org/wiki/Annexation_of_Crimea_by_the_Russian_Federation) and [brought the war in Donbas](https://en.wikipedia.org/wiki/War_in_Donbas) followed by [full-scale invasion of Ukraine in 2022](https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine).\n* Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.\n* [Putin khuylo!](https://en.wikipedia.org/wiki/Putin_khuylo!)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-iam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-iam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-iam/lists"}