AWS v6.75.0 published on Wednesday, Apr 2, 2025 by Pulumi

aws.iam.getSessionContext


This data source provides information on the IAM source role of an STS assumed role. For non-role ARNs, this data source simply passes the ARN through in issuer_arn.

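For some AWS resources, multiple types of principals are allowed in the same argument (e.g., IAM users and IAM roles). However, these arguments often do not allow assumed-role (i.e., STS, temporary credential) principals. Given an STS ARN, this data source provides the ARN for the source IAM role. Keep in mind that the source role ARN identifies the role itself rather than one session, so a policy or argument that references it applies to every session of that role, not only the session named in the input ARN.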

Example Usage

Basic Example

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Look up the IAM role that issued a given STS assumed-role session.
// The ARN is a sample value; 123456789012 is a placeholder account ID.
const sessionArn = "arn:aws:sts::123456789012:assumed-role/Audien-Heaven/MatyNoyes";
// Direct form: returns a Promise of the result (issuerArn, issuerId, issuerName, sessionName).
const example = aws.iam.getSessionContext({ arn: sessionArn });
import pulumi
import pulumi_aws as aws

# Look up the IAM role behind a sample STS assumed-role session ARN.
# 123456789012 is a placeholder account ID.
session_arn = "arn:aws:sts::123456789012:assumed-role/Audien-Heaven/MatyNoyes"
# The result exposes issuer_arn, issuer_id, issuer_name and session_name.
example = aws.iam.get_session_context(arn=session_arn)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main resolves the source IAM role of a sample STS assumed-role session ARN.
// The lookup result is discarded, so only a failed invoke affects the run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Sample session ARN; 123456789012 is a placeholder account ID.
		lookup := &iam.GetSessionContextArgs{
			Arn: "arn:aws:sts::123456789012:assumed-role/Audien-Heaven/MatyNoyes",
		}
		if _, err := iam.GetSessionContext(ctx, lookup, nil); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Resolve the source IAM role of a sample STS assumed-role session ARN.
return await Deployment.RunAsync(() =>
{
    // Sample session ARN; 123456789012 is a placeholder account ID.
    var sessionContextArgs = new Aws.Iam.GetSessionContextInvokeArgs
    {
        Arn = "arn:aws:sts::123456789012:assumed-role/Audien-Heaven/MatyNoyes",
    };

    // Output form: the result is Output-wrapped and is not used further here.
    var example = Aws.Iam.GetSessionContext.Invoke(sessionContextArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetSessionContextArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that resolves the source IAM role of a sample STS
 * assumed-role session ARN.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Invokes getSessionContext for a fixed sample ARN.
     *
     * @param ctx Pulumi context supplied by the runtime; not used by this example
     */
    public static void stack(Context ctx) {
        // Sample session ARN; 123456789012 is a placeholder account ID.
        final var sessionContextArgs = GetSessionContextArgs.builder()
            .arn("arn:aws:sts::123456789012:assumed-role/Audien-Heaven/MatyNoyes")
            .build();

        // The result is kept in a local only; nothing is exported from the stack.
        final var example = IamFunctions.getSessionContext(sessionContextArgs);
    }
}
# Look up the IAM role behind a sample STS assumed-role session ARN.
variables:
  example:
    fn::invoke:
      function: aws:iam:getSessionContext
      arguments:
        # Sample value; 123456789012 is a placeholder account ID.
        arn: arn:aws:sts::123456789012:assumed-role/Audien-Heaven/MatyNoyes

Find the Runner’s Source Role

Combined with aws.getCallerIdentity, this data source gives you the current user’s source IAM role ARN (issuer_arn) if you’re using an assumed role. If you’re not using an assumed role, the caller’s (e.g., an IAM user’s) ARN will simply be passed through. This lets the same program be applied both by IAM users and by individuals working through assumed roles. Because the pass-through happens without an error, check that issuer_arn is the kind of principal you expect before using it in a policy or access list.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Identity Pulumi is running as (direct form, so this is a Promise).
const current = aws.getCallerIdentity({});
// issuerArn is the source role ARN when the caller is an assumed-role session;
// for any other caller the input ARN is passed through unchanged.
const example = current.then(identity =>
    aws.iam.getSessionContext({ arn: identity.arn }),
);
import pulumi
import pulumi_aws as aws

# Identity Pulumi is running as.
current = aws.get_caller_identity()
caller_arn = current.arn
# issuer_arn is the source role ARN when the caller is an assumed-role session;
# for any other caller the input ARN is passed through unchanged.
example = aws.iam.get_session_context(arn=caller_arn)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main looks up the identity Pulumi is running as and resolves its source
// IAM role. The session-context result is discarded, so only a failed invoke
// affects the run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		caller, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
		if err != nil {
			return err
		}
		// For a caller that is not an assumed-role session the ARN is passed
		// through unchanged in IssuerArn.
		lookup := &iam.GetSessionContextArgs{Arn: caller.Arn}
		if _, err := iam.GetSessionContext(ctx, lookup, nil); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Resolve the source IAM role of the identity Pulumi is running as.
return await Deployment.RunAsync(() =>
{
    var current = Aws.GetCallerIdentity.Invoke();
    var callerArn = current.Apply(identity => identity.Arn);

    // For a caller that is not an assumed-role session the ARN is passed
    // through unchanged in IssuerArn.
    var example = Aws.Iam.GetSessionContext.Invoke(new Aws.Iam.GetSessionContextInvokeArgs
    {
        Arn = callerArn,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetSessionContextArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that resolves the source IAM role of the identity Pulumi is
 * running as.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Feeds the caller's ARN into getSessionContext.
     *
     * @param ctx Pulumi context supplied by the runtime; not used by this example
     */
    public static void stack(Context ctx) {
        final var current = AwsFunctions.getCallerIdentity();
        final var callerArn = current.applyValue(identity -> identity.arn());

        // For a caller that is not an assumed-role session the ARN is passed
        // through unchanged in issuerArn.
        final var example = IamFunctions.getSessionContext(GetSessionContextArgs.builder()
            .arn(callerArn)
            .build());
    }
}
# Resolve the source IAM role of the identity Pulumi is running as.
variables:
  # Caller identity; its arn feeds the lookup below.
  current:
    fn::invoke:
      function: aws:getCallerIdentity
      arguments: {}
  # issuerArn is the source role ARN for an assumed-role caller; any other
  # caller ARN is passed through unchanged.
  example:
    fn::invoke:
      function: aws:iam:getSessionContext
      arguments:
        arn: ${current.arn}

Using getSessionContext

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

// Direct form: plain arguments, Promise-wrapped result.
function getSessionContext(args: GetSessionContextArgs, opts?: InvokeOptions): Promise<GetSessionContextResult>
// Output form: Input-wrapped arguments, Output-wrapped result.
function getSessionContextOutput(args: GetSessionContextOutputArgs, opts?: InvokeOptions): Output<GetSessionContextResult>
# Direct form: plain arguments, returns the result itself.
# arn is typed Optional with a None default here, but the argument reference
# on this page marks it as required.
def get_session_context(arn: Optional[str] = None,
                        opts: Optional[InvokeOptions] = None) -> GetSessionContextResult
# Output form: Input-wrapped arguments, Output-wrapped result.
def get_session_context_output(arn: Optional[pulumi.Input[str]] = None,
                        opts: Optional[InvokeOptions] = None) -> Output[GetSessionContextResult]
// Direct form: plain arguments; returns the result and an error.
func GetSessionContext(ctx *Context, args *GetSessionContextArgs, opts ...InvokeOption) (*GetSessionContextResult, error)
// Output form: Input-wrapped arguments, Output-wrapped result.
func GetSessionContextOutput(ctx *Context, args *GetSessionContextOutputArgs, opts ...InvokeOption) GetSessionContextResultOutput

> Note: This function is named GetSessionContext in the Go SDK.

public static class GetSessionContext 
{
    // Direct form: plain GetSessionContextArgs, result delivered through a Task.
    public static Task<GetSessionContextResult> InvokeAsync(GetSessionContextArgs args, InvokeOptions? opts = null)
    // Output form: GetSessionContextInvokeArgs, Output-wrapped result.
    public static Output<GetSessionContextResult> Invoke(GetSessionContextInvokeArgs args, InvokeOptions? opts = null)
}
// NOTE(review): these two signatures differ only in return type, which Java
// does not allow as an overload; the CompletableFuture form is presumably the
// SDK's getSessionContextPlain — confirm against the Java SDK.
// Direct form: result delivered through a CompletableFuture.
public static CompletableFuture<GetSessionContextResult> getSessionContext(GetSessionContextArgs args, InvokeOptions options)
// Output form: Output-wrapped result.
public static Output<GetSessionContextResult> getSessionContext(GetSessionContextArgs args, InvokeOptions options)
fn::invoke:
  # Fully qualified function token; the examples on this page use the shorter
  # aws:iam:getSessionContext form.
  function: aws:iam/getSessionContext:getSessionContext
  arguments:
    # arguments dictionary; arn is the one required argument

The following arguments are supported:

Arn This property is required. string

ARN for an assumed role.

If arn is a non-role ARN, Pulumi gives no error and issuer_arn will be equal to the arn value. For STS assumed-role ARNs, Pulumi gives an error if the identified IAM role does not exist.

Arn This property is required. string

ARN for an assumed role.

If arn is a non-role ARN, Pulumi gives no error and issuer_arn will be equal to the arn value. For STS assumed-role ARNs, Pulumi gives an error if the identified IAM role does not exist.

arn This property is required. String

ARN for an assumed role.

If arn is a non-role ARN, Pulumi gives no error and issuer_arn will be equal to the arn value. For STS assumed-role ARNs, Pulumi gives an error if the identified IAM role does not exist.

arn This property is required. string

ARN for an assumed role.

If arn is a non-role ARN, Pulumi gives no error and issuer_arn will be equal to the arn value. For STS assumed-role ARNs, Pulumi gives an error if the identified IAM role does not exist.

arn This property is required. str

ARN for an assumed role.

If arn is a non-role ARN, Pulumi gives no error and issuer_arn will be equal to the arn value. For STS assumed-role ARNs, Pulumi gives an error if the identified IAM role does not exist.

arn This property is required. String

ARN for an assumed role.

If arn is a non-role ARN, Pulumi gives no error and issuer_arn will be equal to the arn value. For STS assumed-role ARNs, Pulumi gives an error if the identified IAM role does not exist.

getSessionContext Result

The following output properties are available:

Arn string
Id string
The provider-assigned unique ID for this managed resource.
IssuerArn string
IAM source role ARN if arn corresponds to an STS assumed role. Otherwise, issuer_arn is equal to arn.
IssuerId string
Unique identifier of the IAM role that issues the STS assumed role.
IssuerName string
Name of the source role. Only available if arn corresponds to an STS assumed role.
SessionName string
Name of the STS session. Only available if arn corresponds to an STS assumed role.
Arn string
Id string
The provider-assigned unique ID for this managed resource.
IssuerArn string
IAM source role ARN if arn corresponds to an STS assumed role. Otherwise, issuer_arn is equal to arn.
IssuerId string
Unique identifier of the IAM role that issues the STS assumed role.
IssuerName string
Name of the source role. Only available if arn corresponds to an STS assumed role.
SessionName string
Name of the STS session. Only available if arn corresponds to an STS assumed role.
arn String
id String
The provider-assigned unique ID for this managed resource.
issuerArn String
IAM source role ARN if arn corresponds to an STS assumed role. Otherwise, issuer_arn is equal to arn.
issuerId String
Unique identifier of the IAM role that issues the STS assumed role.
issuerName String
Name of the source role. Only available if arn corresponds to an STS assumed role.
sessionName String
Name of the STS session. Only available if arn corresponds to an STS assumed role.
arn string
id string
The provider-assigned unique ID for this managed resource.
issuerArn string
IAM source role ARN if arn corresponds to an STS assumed role. Otherwise, issuer_arn is equal to arn.
issuerId string
Unique identifier of the IAM role that issues the STS assumed role.
issuerName string
Name of the source role. Only available if arn corresponds to an STS assumed role.
sessionName string
Name of the STS session. Only available if arn corresponds to an STS assumed role.
arn str
id str
The provider-assigned unique ID for this managed resource.
issuer_arn str
IAM source role ARN if arn corresponds to an STS assumed role. Otherwise, issuer_arn is equal to arn.
issuer_id str
Unique identifier of the IAM role that issues the STS assumed role.
issuer_name str
Name of the source role. Only available if arn corresponds to an STS assumed role.
session_name str
Name of the STS session. Only available if arn corresponds to an STS assumed role.
arn String
id String
The provider-assigned unique ID for this managed resource.
issuerArn String
IAM source role ARN if arn corresponds to an STS assumed role. Otherwise, issuer_arn is equal to arn.
issuerId String
Unique identifier of the IAM role that issues the STS assumed role.
issuerName String
Name of the source role. Only available if arn corresponds to an STS assumed role.
sessionName String
Name of the STS session. Only available if arn corresponds to an STS assumed role.

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.