Creating a role using custom trust policies (console) - AWS Identity and Access Management

You can create a custom trust policy to delegate access and allow others to perform actions in your AWS account. For more information, see Creating IAM policies.

For information about how to use roles to delegate permissions, see Roles terms and concepts.

Creating an IAM role using a custom trust policy (console)

You can use the AWS Management Console to create a role that an IAM user can assume. For example, assume that your organization has multiple AWS accounts to isolate a development environment from a production environment. For high-level information about creating a role that allows users in the development account to access resources in the production account, see Example scenario using separate development and production accounts.

To create a role using a custom trust policy (console)
  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane of the console, choose Roles and then choose Create role.

  3. Choose the Custom trust policy role type.

  4. In the Custom trust policy section, enter or paste the custom trust policy for the role. For more information, see Creating IAM policies.

  5. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next.

  6. Select the check box next to the custom trust policy you created.

  7. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles.

    Open the Permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions boundary.

  8. Choose Next.

  9. For Role name, the degree of role name customization is defined by the service. If the service defines the role's name, this option is not editable. In other cases, the service might define a prefix for the role and allow you to enter an optional suffix. Some services allow you to specify the entire name of your role.

    If possible, enter a role name or role name suffix. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because other AWS resources might reference the role, you cannot edit the name of the role after it has been created.

  10. (Optional) For Description, enter a description for the new role.

  11. Choose Edit in the Step 1: Select trusted entities or Step 2: Add permissions sections to edit the custom policy and permissions for the role.

  12. (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM resources.

  13. Review the role and then choose Create role.
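
As an added example (not part of the AWS documentation), the following Python code shows a trust policy of the kind pasted in step 4 for the development/production scenario, with a local review you can run before the console's policy validation in step 5. The account ID 111122223333 is a placeholder, and `review_trust_policy` with its heuristics is an assumption of this example, not an AWS API or the console's own validation.

```python
import json

# Constructed sample: trust policy letting a development account (placeholder
# ID 111122223333) assume the role, only when the caller signed in with MFA.
TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review_trust_policy(policy_json, expected_accounts):
    """Return review points. Only AWS principals in Allow statements are examined."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principal = {"AWS": "*"}
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: missing or malformed Principal")
            continue
        has_condition = bool(stmt.get("Condition"))
        for arn in _as_list(principal.get("AWS", [])):
            parts = arn.split(":")
            # A principal is an ARN, a bare 12-digit account ID, or "*".
            account = parts[4] if len(parts) > 5 else arn
            whole_account = arn == account or arn.endswith(":root")
            if arn == "*":
                if not has_condition:
                    findings.append(f"statement {i}: any AWS principal, no Condition")
            elif account not in expected_accounts:
                findings.append(f"statement {i}: unexpected account {account}")
            elif whole_account and not has_condition:
                findings.append(f"statement {i}: whole account {account}, no Condition")
    return findings

if __name__ == "__main__":
    print(review_trust_policy(TRUST_POLICY, {"111122223333"}))
```

The findings are prompts for human review rather than errors: trusting a whole account without a condition can be intentional, but it should be a deliberate choice.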