{ "description": "Role is the Schema for the Roles API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "RoleSpec defines the desired state of Role.\n\nContains information about an IAM role. This structure is returned as a response\nelement in several API operations that interact with roles.", "properties": { "assumeRolePolicyDocument": { "description": "The trust relationship policy document that grants an entity permission to\nassume the role.\n\nIn IAM, you must provide a JSON policy that has been converted to a string.\nHowever, for CloudFormation templates formatted in YAML, you can provide\nthe policy in JSON or YAML format. CloudFormation always converts a YAML\npolicy to JSON format before submitting it to IAM.\n\nThe regex pattern (http://wikipedia.org/wiki/regex) used to validate this\nparameter is a string of characters consisting of the following:\n\n - Any printable ASCII character ranging from the space character (\\u0020)\n through the end of the ASCII character range\n\n - The printable characters in the Basic Latin and Latin-1 Supplement character\n set (through \\u00FF)\n\n - The special characters tab (\\u0009), line feed (\\u000A), and carriage\n return (\\u000D)\n\nUpon success, the response includes the same trust policy in JSON format.", "type": "string" }, "description": { "description": "A description of the role.", "type": "string" }, "inlinePolicies": { "additionalProperties": { "type": "string" }, "type": "object" }, "maxSessionDuration": { "description": "The maximum session duration (in seconds) that you want to set for the specified\nrole. If you do not specify a value for this setting, the default value of\none hour is applied. This setting can have a value from 1 hour to 12 hours.\n\nAnyone who assumes the role from the CLI or API can use the DurationSeconds\nAPI parameter or the duration-seconds CLI parameter to request a longer session.\nThe MaxSessionDuration setting determines the maximum duration that can be\nrequested using the DurationSeconds parameter. If users don't specify a value\nfor the DurationSeconds parameter, their security credentials are valid for\none hour by default. This applies when you use the AssumeRole* API operations\nor the assume-role* CLI operations but does not apply when you use those\noperations to create a console URL. For more information, see Using IAM roles\n(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the\nIAM User Guide.", "format": "int64", "type": "integer" }, "name": { "description": "The name of the role to create.\n\nIAM user, group, role, and policy names must be unique within the account.\nNames are not distinguished by case. For example, you cannot create resources\nnamed both \"MyResource\" and \"myresource\".\n\nThis parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex))\na string of characters consisting of upper and lowercase alphanumeric characters\nwith no spaces. You can also include any of the following characters: _+=,.@-", "type": "string" }, "path": { "description": "The path to the role. For more information about paths, see IAM Identifiers\n(https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)\nin the IAM User Guide.\n\nThis parameter is optional. If it is not included, it defaults to a slash\n(/).\n\nThis parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex))\na string of characters consisting of either a forward slash (/) by itself\nor a string that must begin and end with forward slashes. In addition, it\ncan contain any ASCII character from the ! (\\u0021) through the DEL character\n(\\u007F), including most punctuation characters, digits, and upper and lowercased\nletters.", "type": "string" }, "permissionsBoundary": { "description": "The ARN of the managed policy that is used to set the permissions boundary\nfor the role.\n\nA permissions boundary policy defines the maximum permissions that identity-based\npolicies can grant to an entity, but does not grant permissions. Permissions\nboundaries do not define the maximum permissions that a resource-based policy\ncan grant to an entity. To learn more, see Permissions boundaries for IAM\nentities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)\nin the IAM User Guide.\n\nFor more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)\nin the IAM User Guide.", "type": "string" }, "permissionsBoundaryRef": { "description": "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t name: my-api", "properties": { "from": { "description": "AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "policies": { "items": { "type": "string" }, "type": "array" }, "policyRefs": { "items": { "description": "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t name: my-api", "properties": { "from": { "description": "AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "tags": { "description": "A list of tags that you want to attach to the new role. Each tag consists\nof a key name and an associated value. For more information about tagging,\nsee Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)\nin the IAM User Guide.\n\nIf any one of the tags is invalid or if you exceed the allowed maximum number\nof tags, then the entire request fails and the resource is not created.", "items": { "description": "A structure that represents user-provided metadata that can be associated\nwith an IAM resource. For more information about tagging, see Tagging IAM\nresources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)\nin the IAM User Guide.", "properties": { "key": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "assumeRolePolicyDocument", "name" ], "type": "object", "additionalProperties": false }, "status": { "description": "RoleStatus defines the observed state of Role", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "createDate": { "description": "The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),\nwhen the role was created.", "format": "date-time", "type": "string" }, "roleID": { "description": "The stable and unique string identifying the role. For more information about\nIDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)\nin the IAM User Guide.", "type": "string" }, "roleLastUsed": { "description": "Contains information about the last time that an IAM role was used. This\nincludes the date and time and the Region in which the role was last used.\nActivity is only reported for the trailing 400 days. This period can be shorter\nif your Region began supporting these features within the last year. The\nrole might have been used more than 400 days ago. For more information, see\nRegions where data is tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period)\nin the IAM user Guide.", "properties": { "lastUsedDate": { "format": "date-time", "type": "string" }, "region": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object" }