Update permissions for a role
Use the following procedures to update a role's permissions policies and permissions boundaries.
Prerequisite: View role access
Before you change the permissions for a role, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see Refine permissions in AWS using last accessed information.
Update the permissions policy for a role
To change the permissions allowed by the role, modify the role's permissions policy (or policies). You cannot modify the permissions policy for a service-linked role in IAM. You might be able to modify the permissions policy within the service that depends on the role. To check whether a service supports this feature, see AWS services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to view the service-linked role documentation for that service.
To change the permissions allowed by a role (console)

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane of the IAM console, choose Roles.
3. Choose the name of the role that you want to modify, and then choose the Permissions tab.
4. Do one of the following:
   - To edit an existing customer managed policy, choose the name of the policy and then choose Edit policy.
     Note: You cannot edit an AWS managed policy. AWS managed policies appear with the AWS icon. For more information about the difference between AWS managed policies and customer managed policies, see Managed policies and inline policies.
   - To attach an existing managed policy to the role, choose Add permissions and then choose Attach policies.
   - To edit an existing inline policy, expand the policy and choose Edit.
   - To embed a new inline policy, choose Add permissions and then choose Create inline policy.
   - To remove an existing policy from the role, select the check box next to the policy name and then choose Remove.
To change the permissions allowed by a role (AWS CLI)

1. (Optional) To view the current permissions associated with a role, run the following commands:
   - aws iam list-role-policies to list inline policies
   - aws iam list-attached-role-policies to list managed policies
2. The command to update permissions for the role differs depending on whether you are updating a managed policy or an inline policy.
   - To update a managed policy, run the following command to create a new version of the managed policy:
   - To update an inline policy, run the following command:
To change the permissions allowed by a role (AWS API)

1. (Optional) To view the current permissions associated with a role, call the following operations:
   - ListRolePolicies to list inline policies
   - ListAttachedRolePolicies to list managed policies
2. The operation to update permissions for the role differs depending on whether you are updating a managed policy or an inline policy.
   - To update a managed policy, call the following operation to create a new version of the managed policy:
   - To update an inline policy, call the following operation:
Update the permissions boundary for a role
To change the maximum permissions allowed for a role, modify the role's permissions boundary.
To change the policy used to set the permissions boundary for a role

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles.
3. Choose the name of the role with the permissions boundary that you want to change.
4. Choose the Permissions tab. If necessary, open the Permissions boundary section and then choose Change boundary.
5. Select the policy that you want to use for the permissions boundary.
6. Choose Change boundary.

Your changes don't take effect until the next time someone assumes this role.
To change the managed policy used to set the permissions boundary for a role (AWS CLI)

1. (Optional) To view the current permissions boundary for a role, run the following command:
2. To use a different managed policy to update the permissions boundary for a role, run the following command:

A role can have only one managed policy set as a permissions boundary. If you change the permissions boundary, you change the maximum permissions allowed for a role.
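The CLI procedures above for updating a role's permissions policies and for replacing its permissions boundary, combined into one script as an added example that is not part of the AWS documentation or of any AWS tooling. It assumes a configured AWS CLI with IAM write access; the role name, policy names, ARNs and file paths are placeholders supplied by the caller, and the script saves the role's current permissions first so the change can be reversed if the prerequisite review missed an active consumer.

```shell
#!/bin/sh
# Added example, not from the AWS documentation or AWS tooling. Wraps the CLI
# commands the page names; assumes a configured AWS CLI with IAM write access.
# Role names, policy names, ARNs and paths are caller-supplied placeholders.
set -eu

# Save inline policy names and documents, attached managed policy ARNs and
# the permissions boundary ARN under $2 so the change can be rolled back.
snapshot_role_permissions() {
  role="$1"; dir="$2"
  mkdir -p "$dir"
  aws iam list-role-policies --role-name "$role" \
    --query 'PolicyNames' --output text > "$dir/inline-policies.txt"
  aws iam list-attached-role-policies --role-name "$role" \
    --query 'AttachedPolicies[].PolicyArn' --output text > "$dir/managed-policies.txt"
  aws iam get-role --role-name "$role" \
    --query 'Role.PermissionsBoundary.PermissionsBoundaryArn' --output text > "$dir/boundary.txt"
  for name in $(cat "$dir/inline-policies.txt"); do
    aws iam get-role-policy --role-name "$role" --policy-name "$name" \
      --query 'PolicyDocument' > "$dir/inline-$name.json"
  done
}

# Managed policy: IAM keeps at most five versions per policy, so delete the oldest
# non-default version at the limit, then create a new default version from $2.
update_managed_policy() {
  arn="$1"; doc="$2"
  count=$(aws iam list-policy-versions --policy-arn "$arn" \
    --query 'length(Versions)' --output text)
  if [ "$count" -ge 5 ]; then
    oldest=$(aws iam list-policy-versions --policy-arn "$arn" \
      --query 'sort_by(Versions[?IsDefaultVersion==`false`], &CreateDate)[0].VersionId' \
      --output text)
    aws iam delete-policy-version --policy-arn "$arn" --version-id "$oldest"
  fi
  aws iam create-policy-version --policy-arn "$arn" \
    --policy-document "file://$doc" --set-as-default
}

# Inline policy: put-role-policy replaces the named document in place.
update_inline_policy() {
  aws iam put-role-policy --role-name "$1" --policy-name "$2" \
    --policy-document "file://$3"
}

# Permissions boundary: a role has only one; the new maximum applies to sessions
# created after the change, not to sessions that already exist.
update_permissions_boundary() {
  aws iam put-role-permissions-boundary --role-name "$1" --permissions-boundary "$2"
}
```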
To change the managed policy used to set the permissions boundary for a role (AWS API)

1. (Optional) To view the current permissions boundary for a role, call the following operation:
2. To use a different managed policy to update the permissions boundary for a role, call the following operation:

A role can have only one managed policy set as a permissions boundary. If you change the permissions boundary, you change the maximum permissions allowed for a role.