Step 2: Configure permissions for a custom AWS AppConfig extension


Use the following procedure to create and configure an AWS Identity and Access Management (IAM) service role (or assume role). AWS AppConfig uses this role to invoke the Lambda function.

To create an IAM service role and allow AWS AppConfig to assume it
  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. Under Select type of trusted entity, choose Custom trust policy.

  4. Paste the following JSON policy into the Custom trust policy field.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "appconfig.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    Choose Next.

  5. On the Add permissions page, choose Create policy. The Create policy page opens in a new tab.

  6. Choose the JSON tab, and then paste the following permission policy into the editor. The lambda:InvokeFunction action is used for PRE_* action points. The lambda:InvokeAsync action is used for ON_* action points. Replace Your Lambda ARN with the Amazon Resource Name (ARN) of your Lambda.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
          ],
          "Resource": "Your Lambda ARN"
        }
      ]
    }

  7. Choose Next: Tags.

  8. On the Add tags (Optional) page, add one or more key-value pairs and then choose Next: Review.

  9. On the Review policy page, enter a name and a description, and then choose Create policy.

  10. On the browser tab for your custom trust policy, choose the Refresh icon and then search for the permission policy you just created.

  11. Select the check box for your permission policy and then choose Next.

  12. On the Name, review, and create page, enter a name in the Role name box, and then enter a description.

  13. Choose Create role. The system returns you to the Roles page. Choose View role in the banner.

  14. Copy the ARN. You specify this ARN when you create the extension.
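
The following check is an added example, not part of the AWS documentation or AWS code: it lints the two policy documents from steps 4 and 6 so that the role trusts only `appconfig.amazonaws.com` and can invoke only one named Lambda function. The function names, the finding messages and the ARN pattern are assumptions of this example.

```python
import json
import re

# One Lambda function ARN, optional version/alias qualifier, no wildcards.
LAMBDA_ARN = re.compile(
    r"arn:aws[a-z-]*:lambda:[a-z0-9-]+:\d{12}:function:[A-Za-z0-9_-]+(:[A-Za-z0-9$_-]+)?")
ALLOWED_ACTIONS = {"lambda:invokefunction", "lambda:invokeasync"}

def as_list(value):
    """IAM accepts either a string or a list for these fields."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy_json):
    """Yield Allow statements from a policy document given as JSON text."""
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield stmt

def check_trust_policy(policy_json):
    """Findings for the trust policy from step 4."""
    findings = []
    for stmt in allow_statements(policy_json):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append("trust: principal is not limited to a service")
        elif as_list(principal["Service"]) != ["appconfig.amazonaws.com"]:
            findings.append("trust: service principal is not only appconfig.amazonaws.com")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust: action is not exactly sts:AssumeRole")
    return findings

def check_permission_policy(policy_json):
    """Findings for the permission policy from step 6."""
    findings = []
    for stmt in allow_statements(policy_json):
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("permissions: NotAction/NotResource widens the grant")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"permissions: action {action} is not needed")
        for resource in as_list(stmt.get("Resource", [])):
            if not LAMBDA_ARN.fullmatch(resource):
                findings.append(f"permissions: resource {resource!r} is not one Lambda ARN")
    return findings

# Constructed sample: the page's permission policy with the placeholder left in.
SAMPLE = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["lambda:InvokeFunction","lambda:InvokeAsync"],"Resource":"Your Lambda ARN"}]}'

if __name__ == "__main__":
    print(check_permission_policy(SAMPLE))
```

Run it over the JSON before pasting into the console; an empty list from both functions means the role matches the scope this procedure describes.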
