AWS IAM User

Deploys an AWS IAM User with optional managed policy attachments, inline policy documents, and access key creation. The component creates the user, attaches policies, optionally generates an access key pair, and exports credentials and identifiers for use by other components.

What Gets Created

When you deploy an AwsIamUser resource, Planton provisions:

  • IAM User — an iam.User resource with the specified username and tags
  • Managed Policy Attachments — one iam.UserPolicyAttachment per entry in managedPolicyArns, linking the user to existing AWS-managed or customer-managed policies
  • Inline Policies — one iam.UserPolicy per entry in inlinePolicies, embedding policy documents directly on the user
  • Access Key — an iam.AccessKey resource created by default, providing an access key ID and base64-encoded secret key; skipped when disableAccessKeys is true

Prerequisites

  • AWS credentials configured via environment variables or Planton provider config
  • Policy ARNs for any managed policies you want to attach (ARNs must start with arn:aws:iam::)

Quick Start

Create a file iam-user.yaml:

apiVersion: aws.planton.dev/v1
kind: AwsIamUser
metadata:
  name: my-ci-user
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: dev.AwsIamUser.my-ci-user
spec:
  region: us-east-1
  userName: my-ci-user

Deploy:

planton apply -f iam-user.yaml

This creates an IAM user named my-ci-user with one active access key pair and no policies attached.

Configuration Reference

Required Fields

Field | Type | Description | Validation
region | string | The AWS region where the resource will be created. | Required
userName | string | IAM user name. Must be 1-64 characters. | Pattern: ^[a-zA-Z0-9+=,.@_-]{1,64}$

Optional Fields

Field | Type | Default | Description
managedPolicyArns | string[] | [] | ARNs of AWS-managed or customer-managed IAM policies to attach. Must be unique. Each ARN must match ^arn:aws:iam::.
inlinePolicies | map<string, object> | {} | Map of inline policy names to IAM policy documents. Keys are policy names (max 128 characters); values are google.protobuf.Struct policy documents.
disableAccessKeys | bool | false | When true, prevents creation of access keys for this user. When false, one active access key pair is created.
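As an added example, not part of the Planton documentation or the component itself: a stdlib-only Python check that applies the field constraints above to a spec (embedded as a constructed dict mirroring the YAML rather than parsed from a file) and then runs a least-privilege review over it, flagging wildcard Allow grants in inline policies and the combination of default access-key creation with a *FullAccess managed policy. The FullAccess heuristic and the sample spec are assumptions of this example, not rules the component enforces.

```python
import re

USERNAME_RE = re.compile(r"^[a-zA-Z0-9+=,.@_-]{1,64}$")  # userName pattern from the reference
MANAGED_ARN_PREFIX = "arn:aws:iam::"                       # managedPolicyArns prefix rule

def _as_list(value):  # IAM allows Action/Resource as a string or a list
    return value if isinstance(value, list) else [value]

def validate_spec(spec):
    """Apply the documented field constraints; returns a list of violations (empty = OK)."""
    problems = []
    if not spec.get("region"):
        problems.append("region is required")
    if not USERNAME_RE.match(spec.get("userName", "")):
        problems.append("userName must match ^[a-zA-Z0-9+=,.@_-]{1,64}$")
    arns = spec.get("managedPolicyArns", [])
    if len(arns) != len(set(arns)):
        problems.append("managedPolicyArns must be unique")
    problems += [f"bad managed policy ARN: {a}" for a in arns if not a.startswith(MANAGED_ARN_PREFIX)]
    for name, doc in spec.get("inlinePolicies", {}).items():
        if len(name) > 128:
            problems.append(f"inline policy name exceeds 128 characters: {name[:16]}...")
        if doc.get("Version") != "2012-10-17" or not isinstance(doc.get("Statement"), list):
            problems.append(f"inline policy {name} is not a well-formed policy document")
    return problems

def privilege_warnings(spec):
    """Least-privilege review: wildcard Allow grants, and access keys paired with *FullAccess."""
    warnings = []
    for name, doc in spec.get("inlinePolicies", {}).items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
                warnings.append(f"{name}: wildcard Action")
            if "*" in _as_list(stmt.get("Resource", [])):
                warnings.append(f"{name}: wildcard Resource")
    if not spec.get("disableAccessKeys", False):  # long-lived keys are created by default
        for arn in spec.get("managedPolicyArns", []):
            if arn.endswith("FullAccess"):
                warnings.append(f"access keys enabled with broad managed policy {arn}")
    return warnings

# Constructed sample: this page's CI deploy user, plus an inline policy with a wildcard Resource.
SAMPLE_SPEC = {
    "region": "us-east-1", "userName": "ci-deploy-user",
    "managedPolicyArns": ["arn:aws:iam::aws:policy/AmazonS3FullAccess"],
    "inlinePolicies": {"artifact-write": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "*"}]}},
}
```

Run validate_spec before planton apply to catch manifests the API would reject, and treat any privilege_warnings entry as a prompt to scope the policy or set disableAccessKeys: true.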

Examples

CI/CD Pipeline User with S3 Access

A user for a CI pipeline that needs to push artifacts to an S3 bucket:

apiVersion: aws.planton.dev/v1
kind: AwsIamUser
metadata:
  name: ci-deploy-user
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: dev.AwsIamUser.ci-deploy-user
spec:
  region: us-east-1
  userName: ci-deploy-user
  managedPolicyArns:
    - arn:aws:iam::aws:policy/AmazonS3FullAccess

Service Account with Inline Policy

A user for a third-party integration with a scoped inline policy granting read access to a specific DynamoDB table:

apiVersion: aws.planton.dev/v1
kind: AwsIamUser
metadata:
  name: analytics-service
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: prod.AwsIamUser.analytics-service
spec:
  region: us-east-1
  userName: analytics-service
  inlinePolicies:
    dynamodb-read:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - dynamodb:GetItem
            - dynamodb:Query
            - dynamodb:Scan
          Resource: arn:aws:dynamodb:us-east-1:123456789012:table/events

User Without Access Keys

A user intended for AWS Management Console access only, with no programmatic access keys:

apiVersion: aws.planton.dev/v1
kind: AwsIamUser
metadata:
  name: audit-viewer
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: prod.AwsIamUser.audit-viewer
spec:
  region: us-east-1
  userName: audit-viewer
  disableAccessKeys: true
  managedPolicyArns:
    - arn:aws:iam::aws:policy/ReadOnlyAccess

Full-Featured User with Multiple Policies

A production service account with both managed and inline policies for SQS and CloudWatch access:

apiVersion: aws.planton.dev/v1
kind: AwsIamUser
metadata:
  name: worker-service
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: prod.AwsIamUser.worker-service
spec:
  region: us-east-1
  userName: worker-service
  managedPolicyArns:
    - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
  inlinePolicies:
    sqs-consumer:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - sqs:ReceiveMessage
            - sqs:DeleteMessage
            - sqs:GetQueueAttributes
          Resource: arn:aws:sqs:us-east-1:123456789012:task-queue
    s3-results:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - s3:PutObject
          Resource: arn:aws:s3:::results-bucket/*

Stack Outputs

After deployment, the following outputs are available in status.outputs:

Output | Type | Description
user_arn | string | ARN of the created IAM user
user_name | string | Friendly name of the IAM user
user_id | string | Stable unique ID of the IAM user
access_key_id | string | Access key ID for the user (present only if access keys are enabled)
secret_access_key | string | Base64-encoded secret key associated with the access key (sensitive; present only if access keys are enabled)
console_url | string | AWS Management Console sign-in URL (https://signin.aws.amazon.com/console)

Related Components

  • AwsIamRole — creates IAM roles for service-level permission delegation via temporary credentials
  • AwsS3Bucket — bucket policies can reference IAM user ARNs for access control
  • AwsEksCluster — IAM user credentials are sometimes used for programmatic cluster access
