Allow users and groups to create and modify roles

IAM principals (users and groups) who create, modify, and specify roles for a cluster, including default roles, must be allowed to perform the following actions. For details about each action, see Actions in the IAM API Reference.

iam:CreateRole
iam:PutRolePolicy
iam:CreateInstanceProfile
iam:AddRoleToInstanceProfile
iam:ListRoles
iam:GetPolicy
iam:GetInstanceProfile
iam:GetPolicyVersion
iam:AttachRolePolicy
iam:PassRole

The iam:PassRole permission allows cluster creation. The remaining permissions allow the creation of the default roles.

For information about assigning permissions to a user, see Changing permissions for a user in the IAM User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Use IAM roles with applications that call AWS services directly

Identity-based policy examples