arn (Optional, Readonly)
Full IAM role ARN for cross-account role references and explicit role identification.
Use cases: Cross-account role references; Explicit role binding; Multi-account deployments
AWS: Full IAM role ARN (arn:aws:iam::ACCOUNT:role/ROLE-NAME)
Validation: Optional; must be a valid IAM role ARN if provided

id (Optional, Readonly)
IAM role unique identifier for role resolution using the role's AWS-generated ID.
Use cases: Stable role references; Role resolution by unique ID; Immutable role binding
AWS: IAM role unique ID (e.g., AROA...)
Validation: Optional; must be a valid IAM role unique ID if provided

immutable (Optional, Readonly)
Flag indicating whether the referenced role should be treated as immutable and not modified by MDAA operations.
Use cases: Pre-existing role protection; Externally managed roles; Read-only role references
AWS: Controls whether MDAA attaches policies or modifies the referenced IAM role
Validation: Optional boolean; defaults to false

name (Optional, Readonly)
IAM role name for role resolution within the same AWS account.
Use cases: Same-account role references; Role name-based resolution; Local IAM role binding
AWS: IAM role name resolved via GetRole within the deployment account
Validation: Optional; must be a valid IAM role name; mutually preferred with arn/id for resolution

ref (Optional, Readonly)
Unique identifier for the role reference within a configuration scope, enabling role lookup and deduplication.
Use cases: Role reference identification; Configuration deduplication; Role lookup key
AWS: Logical identifier for IAM role references within MDAA configuration
Validation: Optional; must be unique within the configuration scope if provided

sso (Optional, Readonly)
Flag indicating the role should be resolved as an AWS SSO auto-generated role.
Use cases: AWS IAM Identity Center integration; SSO permission set role binding; Federated access
AWS: Resolves role via AWS SSO/Identity Center auto-generated role naming convention
Validation: Optional boolean; defaults to false
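The validation rules listed for these properties can be checked before a configuration reaches deployment. The following is an added example, not MDAA's own code: it mirrors the documented fields in a local interface (the name MdaaRoleRefLike, the validator functions, the regular expressions and the sample configuration are all assumptions made for this example) and enforces the rules stated above: ARN/name/ID format, uniqueness of ref within a scope, and, as an added assumption beyond the page, that at least one of arn, id or name is present so the role can actually be resolved.

```typescript
// Local mirror of the documented role reference fields (assumed name; not MDAA's interface).
interface MdaaRoleRefLike {
  readonly arn?: string;
  readonly id?: string;
  readonly immutable?: boolean;
  readonly name?: string;
  readonly ref?: string;
  readonly sso?: boolean;
}

// IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path+name>
const ROLE_ARN_RE = /^arn:aws(?:-[a-z-]+)?:iam::\d{12}:role\/[\w+=,.@\/-]+$/;
// IAM role names: 1-64 characters from [\w+=,.@-]
const ROLE_NAME_RE = /^[\w+=,.@-]{1,64}$/;
// AWS-generated role unique IDs start with AROA (length check kept lenient here)
const ROLE_ID_RE = /^AROA[A-Z0-9]{16,}$/;

// Validate one role reference against the documented per-field rules.
function validateRoleRef(r: MdaaRoleRefLike): string[] {
  const errors: string[] = [];
  if (r.arn !== undefined && !ROLE_ARN_RE.test(r.arn)) {
    errors.push(`arn is not a valid IAM role ARN: ${r.arn}`);
  }
  if (r.id !== undefined && !ROLE_ID_RE.test(r.id)) {
    errors.push(`id is not a valid IAM role unique ID: ${r.id}`);
  }
  if (r.name !== undefined && !ROLE_NAME_RE.test(r.name)) {
    errors.push(`name is not a valid IAM role name: ${r.name}`);
  }
  // Assumption for this example: a reference must carry at least one resolvable identifier.
  if (r.arn === undefined && r.id === undefined && r.name === undefined) {
    errors.push("one of arn, id or name is required to resolve the role");
  }
  return errors;
}

// Validate a whole configuration scope, adding the "ref must be unique" rule.
function validateRoleRefs(refs: readonly MdaaRoleRefLike[]): string[] {
  const errors: string[] = [];
  const seen = new Set<string>();
  refs.forEach((r, i) => {
    for (const e of validateRoleRef(r)) errors.push(`roleRefs[${i}]: ${e}`);
    if (r.ref !== undefined) {
      if (seen.has(r.ref)) errors.push(`roleRefs[${i}]: duplicate ref "${r.ref}"`);
      seen.add(r.ref);
    }
  });
  return errors;
}

// Assumed precedence for choosing how a reference is resolved: an explicit ARN wins,
// then the AWS-generated ID, then the name (via the SSO naming convention when sso is set).
type Resolution = "arn" | "id" | "sso-name" | "name" | "unresolvable";
function resolutionStrategy(r: MdaaRoleRefLike): Resolution {
  if (r.arn !== undefined) return "arn";
  if (r.id !== undefined) return "id";
  if (r.name !== undefined) return r.sso ? "sso-name" : "name";
  return "unresolvable";
}

// Constructed sample configuration (not taken from the page); the last two entries are deliberately bad.
const SAMPLE_REFS: MdaaRoleRefLike[] = [
  { ref: "data-admin", arn: "arn:aws:iam::123456789012:role/DataAdmin", immutable: true },
  { ref: "etl", name: "mdaa-etl-role" },
  { ref: "analyst", name: "Analysts", sso: true },
  { ref: "audit", id: "AROAEXAMPLEROLEID12345" },
  { ref: "etl", arn: "arn:aws:iam::123:role/Broken" }, // malformed account ID and duplicate ref
  { ref: "nobody" },                                    // nothing to resolve with
];

for (const problem of validateRoleRefs(SAMPLE_REFS)) console.log(problem);
```

Running the block prints three findings for the sample scope: the malformed ARN, the duplicate "etl" ref, and the entry that carries no identifier at all. Treating immutable as a separate concern from resolution keeps the validator honest: a reference can resolve cleanly and still be one that deployment logic must not modify.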