AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Creating a Role

You can create a role by using the AWS Management Console, CLI, or the API. If you use the CLI or API to create roles for Amazon EC2 instances, you must also create an instance profile and add the role to the instance profile.

Note

Role names have character limitations. The number of roles and policy size are also limited. For more information, see Limitations on IAM Entities. After you create a role, you cannot rename it.

Create a Role (AWS Management Console)

If you use the AWS Management Console to work with IAM, you can create a role for an AWS service or for an AWS account by using the Create New Role wizard.

To create a role for an AWS service

  1. In the navigation pane, click Roles, and then click Create New Role.

    [Screenshot: Create new role]
  2. In the Role name box, enter a role name that can help you identify the purpose of this role.

    Because various entities might reference the role, you cannot edit the name of the role after it has been created.

  3. Click AWS Service Roles, and then select the service that you will allow to assume this role.

  4. Depending on the role that you selected, review the predefined policy or create a policy.

    1. If the role included a predefined policy, you can modify the policy name or policy document, and then click Continue to review the role.

    2. If the role that you selected doesn't include a predefined policy, select a method for creating the policy document by clicking Select Policy Template, Policy Generator, or Custom Policy.

      • Policy templates are predefined policies that have one or more permissions specified. If you are specifying permissions that match or are related to a template, select the template and then make any modifications on the next screen.

      • The policy generator helps you create permissions for a policy by providing drop-down menus where you can select services, actions, conditions, and keys. The generator creates the policy document for you.

      • If you want to fully write and customize a policy, select Custom Policy.

    3. How you complete the next step depends on the method you selected to create the policy.

      • If you are using a template to create the policy, review the policy content in the dialog box.

      • If you are using the policy generator, select the appropriate Effect, AWS Service, and Actions options, enter the ARN (if applicable), and add any conditions you want to include. Then click Add Statement. You can add as many statements as you want to the policy. When you are finished adding statements, click Continue.

        [Screenshot: Edit Permissions]
      • If you are using a custom policy, enter a name for the policy under Policy Name and write the policy or paste the policy document from your text editor into the Policy Document box.

        [Screenshot: Edit Permissions]

      Note

      There are limitations on policy names and on policy size. For information about policy limitations, see Limitations on IAM Entities.

  5. Click Continue to review the role.

  6. After reviewing the role, click Create Role to complete the wizard.

To create a role that IAM users can assume

  1. In the navigation pane of the console, click Roles, and then click Create New Role.

    [Screenshot: Create new role]
  2. In the Role name box, enter a role name that can help you identify the purpose of this role.

    Because various entities might reference the role, you cannot edit the name of the role after it has been created.

  3. Click Roles for Cross-Account Access, and then select the type of role that you want to create.

  4. Specify an AWS account ID that you want to establish trust with.

    Any IAM user from the trusted AWS account can assume this role, as long as that user has been granted permission to assume it.

  5. If you selected a role for a third party, enter the external ID provided by the third party.

    For more information about the external ID, see About the External ID.

  6. Click Continue.

  7. Set the permissions for the role to specify what actions can be done on specific resources (similar to setting permissions for IAM groups).

    The permissions that you specify are available to any entity that assumes the role. By default, roles have no permissions.

    1. Choose the method for creating the policy document by clicking Select Policy Template, Policy Generator, or Custom Policy, and then click Select.

      • Policy templates are predefined policies that have one or more permissions specified. If you are specifying permissions that match or are related to a template, select the template and then make any modifications on the next screen.

      • The policy generator helps you create permissions for a policy by providing drop-down menus where you can select services, actions, conditions, and keys. The generator creates the policy document for you.

      • If you want to fully write and customize a policy, select Custom Policy.

    2. How you complete the next step depends on the method you selected to create the policy.

      • If you are using a template to create the policy, review the policy content in the dialog box.

      • If you are using the policy generator, select the appropriate Effect, AWS Service, and Actions options, enter the ARN (if applicable), and add any conditions you want to include. Then click Add Statement. You can add as many statements as you want to the policy. When you are finished adding statements, click Continue.

        [Screenshot: Edit Permissions]
      • If you are using a custom policy, enter a name for the policy under Policy Name and write the policy or paste the policy document from your text editor into the Policy Document box.

        [Screenshot: Edit Permissions]

      Note

      There are limitations on policy names and on policy size. For information about policy limitations, see Limitations on IAM Entities.

    3. Click Continue to review the role.

  8. After reviewing the role, click Create Role to complete the wizard.

Create a Role (CLI)

This topic shows the process for using the IAM CLI to create a role.

To create a role with the CLI

  1. Create a role by entering the following command: iam-rolecreate -r role_name [-f policy_document_file | -s service_endpoint].

    For the role's trust policy, you can specify a file location or a service endpoint. The policy document file can contain multiple entities that can assume the role and any conditions for assuming the role.

  2. Associate a policy to the role by entering the following command: iam-roleaddpolicy -r role_name -p policy_name -e Allow_or_Deny {-a action ...} {-c ARN ...}.

  3. If you are launching an Amazon EC2 instance with this role, create and add the role to an instance profile by entering the following command: iam-instanceprofilecreate -r role_name -s instance_profile_name.

    An instance profile is a container for a role. Each instance profile can contain only one role. For more information about instance profiles, see Instance Profiles.

Create a Role (API)

This topic shows the process for using the IAM API to create a role.

To create a role with the API

  1. Create a role by calling CreateRole with the role name and role trust policy.

  2. Associate a policy to the role by calling PutRolePolicy with the policy document, policy name, and role name.

  3. If you are launching an Amazon EC2 instance with this role, you must complete the following steps:

    1. Create an instance profile by calling CreateInstanceProfile with the instance profile name.

    2. Add the role to the instance profile by calling AddRoleToInstanceProfile with the role name and instance profile name.

      An instance profile is a container for a role. Each instance profile can contain only one role. For more information about instance profiles, see Instance Profiles.
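The following is an added example, not code from this guide: it builds the two kinds of trust policy document referred to in the CLI step (a service endpoint, or a file naming the accounts that may assume the role plus an sts:ExternalId condition for a third party) and then runs the CreateRole, PutRolePolicy, CreateInstanceProfile and AddRoleToInstanceProfile sequence from the API steps above. The method names follow boto3's IAM client; the RecordingClient, the role and profile names, and the S3 bucket are constructed so the sequence can be inspected offline.

```python
import json

POLICY_VERSION = "2012-10-17"  # IAM policy language version (not the API version)

def service_trust_policy(service_endpoint):
    """Trust policy letting one AWS service (e.g. ec2.amazonaws.com) assume the role."""
    return {"Version": POLICY_VERSION, "Statement": [
        {"Effect": "Allow", "Principal": {"Service": service_endpoint},
         "Action": "sts:AssumeRole"}]}

def cross_account_trust_policy(trusted_account_id, external_id=None):
    """Trust policy letting principals in another account assume the role.
    With external_id set, an sts:ExternalId condition is added, so a third
    party can assume the role only while presenting that value."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": POLICY_VERSION, "Statement": [stmt]}

def create_role(iam, role_name, trust_policy, policy_name, permissions,
                instance_profile_name=None):
    """CreateRole, PutRolePolicy and, for an EC2 role, CreateInstanceProfile +
    AddRoleToInstanceProfile. `iam` is any object exposing these calls under
    boto3's method names (a real boto3 IAM client fits)."""
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy))
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(permissions))
    if instance_profile_name:
        iam.create_instance_profile(InstanceProfileName=instance_profile_name)
        iam.add_role_to_instance_profile(
            InstanceProfileName=instance_profile_name, RoleName=role_name)

class RecordingClient:
    """Offline stand-in for the IAM client: records (action, kwargs) pairs."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))

def demo():
    """Creates a hypothetical EC2 role against the recorder; returns the calls."""
    iam = RecordingClient()
    read_only = {"Version": POLICY_VERSION, "Statement": [  # constructed sample
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]}
    create_role(iam, "ec2-s3-reader", service_trust_policy("ec2.amazonaws.com"),
                "s3-read", read_only, instance_profile_name="ec2-s3-reader")
    return iam.calls
```

Because a role starts with no permissions, the PutRolePolicy document is the only thing that grants anything; the trust policy decides who may assume it.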

For information about how to launch an instance with the role you just created, see Using IAM roles with Amazon EC2 instances in the Amazon Elastic Compute Cloud User Guide.

For information about cross-account access with roles, see Enabling Cross-Account API Access.

For information about managing policies, see Managing IAM Policies.

For more information about IAM CLI commands or API actions, see AWS Identity and Access Management Command Line Interface Reference or AWS Identity and Access Management API Reference.