Amazon WorkSpaces Application Manager
Administration Guide

Controlling Access to Amazon WAM Resources

Amazon WAM must have permission to perform certain actions on your behalf. You can grant this access using IAM roles.

By default, IAM users don't have permission to access Amazon WAM resources. To allow an IAM user to perform actions on Amazon WAM resources, you must create a policy that grants the user permission to access Amazon WAM.

Create the Application Packaging Role

This IAM role allows the Amazon WAM packaging instance to access your application package catalog. If you have not already done so, create the AmazonWamAppPackaging role using the following steps.

To create an IAM role to access your Amazon WAM application catalog

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles and then choose Create new role.

  3. On the Select role type page, choose AWS Service Role, and then choose Select next to Amazon EC2.

  4. On the Attach Policy page, select the check box for the AmazonWorkSpacesApplicationManagerAdminAccess policy and then choose Next Step.

  5. On the Set role name and review page, type AmazonWamAppPackaging as the name of the role and then choose Create role.

    Important

    If you do not specify AmazonWamAppPackaging as the name of the role, the packaging and validation applications can't access your packages.
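The following check for the role created by the steps above is an added example, not part of the AWS guide. It assumes its inputs are the parsed JSON output of `aws iam get-role` and `aws iam list-attached-role-policies`; the function names and sample data are constructed for illustration, and the sample includes only the fields the check reads.

```python
import json

REQUIRED_ROLE_NAME = "AmazonWamAppPackaging"
REQUIRED_POLICY = "AmazonWorkSpacesApplicationManagerAdminAccess"
EC2_PRINCIPAL = "ec2.amazonaws.com"


def _as_list(value):
    """IAM policy JSON allows a single string wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ec2_can_assume(trust_policy):
    """True if an Allow statement lets the EC2 service call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Principal may be the string "*" rather than an object; treat as no service.
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if EC2_PRINCIPAL in services and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            return True
    return False


def check_packaging_role(get_role_output, attached_output):
    """Return a list of findings; an empty list means the role matches the steps."""
    findings = []
    role = get_role_output["Role"]
    if role["RoleName"] != REQUIRED_ROLE_NAME:
        findings.append(f"role is named {role['RoleName']!r}, expected {REQUIRED_ROLE_NAME!r}")
    if not ec2_can_assume(role["AssumeRolePolicyDocument"]):
        findings.append("trust policy does not let ec2.amazonaws.com assume the role")
    names = {p["PolicyName"] for p in attached_output.get("AttachedPolicies", [])}
    if REQUIRED_POLICY not in names:
        findings.append(f"managed policy {REQUIRED_POLICY} is not attached")
    return findings


# Constructed sample input (not captured from a real account).
GOOD_ROLE = json.loads("""{"Role": {"RoleName": "AmazonWamAppPackaging",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}}}""")
GOOD_ATTACHED = {"AttachedPolicies": [{"PolicyName": REQUIRED_POLICY}]}

if __name__ == "__main__":
    print(check_packaging_role(GOOD_ROLE, GOOD_ATTACHED) or "role matches the documented setup")
```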

Create the AWS Marketplace Access Role

This IAM role allows Amazon WAM to access the AWS Marketplace on your behalf. The first time you log in to the Amazon WAM console, you are prompted to create a role with the name AmazonWamMarketplace_Default_Role. You must allow this role to be created.

The following is the IAM policy for the AmazonWamMarketplace_Default_Role role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "catalog-admin:Describe*",
        "catalog-admin:Get*",
        "catalog-admin:Search*",
        "catalog-admin:List*",
        "catalog-admin:CreateListing",
        "catalog-admin:UpdateListing",
        "catalog-admin:DeleteListing",
        "catalog-user:SimulateView*",
        "catalog-user:SimulateGet*",
        "catalog-user:SimulateBrowse*"
      ],
      "Resource": "*"
    }
  ]
}

(Optional) Grant an IAM User Access to Amazon WAM

The following IAM policy allows an IAM user or group of users to administer Amazon WAM.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "catalog-admin:*",
        "ds:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "iam:CreateRole",
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}

For more information about embedding a policy in a user or group, see Working with Inline Policies in the IAM User Guide.