Amazon AppStream 2.0
Administration Guide

Using AWS Managed Policies and Linked Roles to Manage Administrator Access to AppStream 2.0 Resources

This topic describes the AWS managed policies and IAM roles that are required to manage administrator access to AppStream 2.0 resources, and to create and scale AppStream 2.0 fleets.

IAM roles and policies control administrator access to AppStream 2.0 resources. For a simplified way to manage end user access to AppStream 2.0, you can use the AppStream 2.0 user pool. For more information, see Manage Access Using the AppStream 2.0 User Pool.

AWS Managed Policies Required to Access AppStream 2.0 Resources

By default, IAM users and groups don't have permissions to access AppStream 2.0 resources. To provide full administrative or read-only access to AppStream 2.0, you must attach one of the following AWS managed policies to the appropriate IAM users or groups. An AWS managed policy is a standalone policy that is created and administered by AWS. For more information, see AWS Managed Policies in the IAM User Guide.

AmazonAppStreamFullAccess

This managed policy provides full administrative access to AppStream 2.0 resources. To manage AppStream 2.0 resources and perform API actions through the AWS Command Line Interface (AWS CLI), AWS SDK, or AWS Management Console, you must have the permissions defined in this policy.

If you sign in to the AppStream 2.0 console as an IAM user, you must attach this policy to your IAM user. If you sign in through console federation, you must attach this policy to the IAM role that is used for federation.

AmazonAppStreamReadOnlyAccess

This managed policy provides read-only access to AppStream 2.0 resources.

The AppStream 2.0 console uses two additional actions that provide functionality that is not available through the AWS CLI or AWS SDK. The AmazonAppStreamFullAccess and AmazonAppStreamReadOnlyAccess policies both provide permissions for these actions.

Action: GetImageBuilders
  Description: Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described.
  Access level: Read

Action: GetParametersForThemeAssetUpload
  Description: Grants permission to upload theme assets for custom branding. For more information, see Add Your Custom Branding to Amazon AppStream 2.0.
  Access level: Write

Roles Required for AppStream 2.0 and Application Auto Scaling

In AWS, IAM roles are used to give permissions to an AWS service so it can access AWS resources. The policies that are attached to the role determine which AWS resources the service can access and what it can do with those resources. For AppStream 2.0, in addition to having the permissions defined in the AmazonAppStreamFullAccess policy, you must also have the following roles in your AWS account, with the required policies attached.

These roles are automatically created for you, with the required IAM policies attached, when you get started with the AppStream 2.0 service in an AWS Region. To get started with AppStream 2.0, you must have one of the following permissions:

  • AdministratorAccess permissions

  • Permissions to create an IAM role and attach IAM policies to a role

Note

To create the AWSServiceRoleForApplicationAutoScaling_AppStreamFleet role, you must also have the iam:CreateServiceLinkedRole permission.

AmazonAppStreamServiceAccess

While AppStream 2.0 resources are being created, the AppStream 2.0 service makes API calls to other AWS services on your behalf by assuming this role. To create fleets, you must have this service role in your account. If this service role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot create AppStream 2.0 fleets.

ApplicationAutoScalingForAmazonAppStreamAccess

Automatic scaling is a feature of AppStream 2.0 fleets. To configure scaling policies, you must have this service role in your AWS account. If this service role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot scale AppStream 2.0 fleets.

AWSServiceRoleForApplicationAutoScaling_AppStreamFleet

Application Auto Scaling uses a service-linked role to perform automatic scaling on your behalf. A service-linked role is an IAM role that is linked directly to an AWS service. This role includes all the permissions that the service requires to call other AWS services on your behalf.

For more information, see Service-Linked Roles in the Application Auto Scaling User Guide.

Checking for the AmazonAppStreamServiceAccess Service Role and Policies

Complete the steps in this section to check whether the AmazonAppStreamServiceAccess service role is present and has the correct policies attached. If this role is not in your account and must be created, you or an administrator with the required permissions must perform the steps to get started with AppStream 2.0 in your AWS account.

To check whether the AmazonAppStreamServiceAccess IAM service role is present

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. In the search box, type amazonappstreamservice to narrow the list of roles. If AmazonAppStreamServiceAccess is listed, choose it to view the role Summary page.

  4. On the Permissions tab, confirm whether the AmazonAppStreamServiceAccess permissions policy is attached.

  5. Return to the role Summary page.

  6. On the Trust relationships tab, choose Show policy document, and then confirm whether the AmazonAppStreamServiceAccess trust relationship policy is attached and follows the correct format. If so, the trust relationship is correctly configured. Choose Cancel and close the IAM console.

AmazonAppStreamServiceAccess trust relationship policy

The AmazonAppStreamServiceAccess trust relationship policy must include the AppStream 2.0 service as the principal. A principal is an entity in AWS that can perform actions and access resources. This policy must also include the sts:AssumeRole action. Because any principal listed in a trust policy can assume the role and use the permissions of the policies attached to it, the trust policy should contain only this service principal; an additional account, user, or role principal would extend the role's permissions to that principal. The following policy configuration defines AppStream 2.0 as a trusted entity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Checking for the ApplicationAutoScalingForAmazonAppStreamAccess Service Role and Policies

Complete the steps in this section to check whether the ApplicationAutoScalingForAmazonAppStreamAccess service role is present and has the correct policies attached. If this role is not in your account and must be created, you or an administrator with the required permissions must perform the steps to get started with AppStream 2.0 in your AWS account.

To check whether the ApplicationAutoScalingForAmazonAppStreamAccess IAM service role is present

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. In the search box, type applicationautoscaling to narrow the list of roles. If ApplicationAutoScalingForAmazonAppStreamAccess is listed, choose it to view the role Summary page.

  4. On the Permissions tab, confirm whether the ApplicationAutoScalingForAmazonAppStreamAccess permissions policy is attached.

  5. Return to the role Summary page.

  6. On the Trust relationships tab, choose Show policy document, and then confirm whether the ApplicationAutoScalingForAmazonAppStreamAccess trust relationship policy is attached and follows the correct format. If so, the trust relationship is correctly configured. Choose Cancel and close the IAM console.

ApplicationAutoScalingForAmazonAppStreamAccess trust relationship policy

The ApplicationAutoScalingForAmazonAppStreamAccess trust relationship policy must include the Application Auto Scaling service as the principal. This policy must also include the sts:AssumeRole action. The following policy configuration defines Application Auto Scaling as a trusted entity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "application-autoscaling.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Checking for the AWSServiceRoleForApplicationAutoScaling_AppStreamFleet Service-Linked Role and Policies

Complete the steps in this section to check whether the AWSServiceRoleForApplicationAutoScaling_AppStreamFleet service-linked role is present and has the correct policies attached. If this role is not in your account and must be created, you or an administrator with the required permissions must perform the steps to get started with AppStream 2.0 in your AWS account.

To check whether the AWSServiceRoleForApplicationAutoScaling_AppStreamFleet IAM service-linked role is present

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. In the search box, type applicationautoscaling to narrow the list of roles. If AWSServiceRoleForApplicationAutoScaling_AppStreamFleet is listed, choose it to view the role Summary page.

  4. On the Permissions tab, confirm whether the AWSApplicationAutoscalingAppStreamFleetPolicy permissions policy is attached.

  5. Return to the role Summary page.

  6. On the Trust relationships tab, choose Show policy document, and then confirm whether the AWSServiceRoleForApplicationAutoScaling_AppStreamFleet trust relationship policy is attached and follows the correct format. If so, the trust relationship is correctly configured. Choose Cancel and close the IAM console.

AWSServiceRoleForApplicationAutoScaling_AppStreamFleet trust relationship policy

The AWSServiceRoleForApplicationAutoScaling_AppStreamFleet trust relationship policy must include appstream.application-autoscaling.amazonaws.com as the principal. This policy must also include the sts:AssumeRole action. The following policy configuration defines appstream.application-autoscaling.amazonaws.com as a trusted entity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.application-autoscaling.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
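The three console procedures above (checking AmazonAppStreamServiceAccess, ApplicationAutoScalingForAmazonAppStreamAccess, and AWSServiceRoleForApplicationAutoScaling_AppStreamFleet) can also be run as code. The following Python script is an added example and is not part of this guide or of AppStream 2.0. For each role it checks that the permissions policy named in the procedure is attached and that the trust policy names the required service principal with sts:AssumeRole; it also reports any other principal that could assume the role, which goes beyond what the procedures ask you to confirm. The role names, policy names, and service principals are the ones listed in this topic. The check_role_live function (which fetches a role with boto3), the fictitious account ID 111122223333 in the constructed drifted sample, and the extra-principal check are assumptions added here for illustration.

```python
import json

# Role -> (permissions policy that must be attached, service principal the trust policy must name).
EXPECTED_ROLES = {
    "AmazonAppStreamServiceAccess":
        ("AmazonAppStreamServiceAccess", "appstream.amazonaws.com"),
    "ApplicationAutoScalingForAmazonAppStreamAccess":
        ("ApplicationAutoScalingForAmazonAppStreamAccess", "application-autoscaling.amazonaws.com"),
    "AWSServiceRoleForApplicationAutoScaling_AppStreamFleet":
        ("AWSApplicationAutoscalingAppStreamFleetPolicy", "appstream.application-autoscaling.amazonaws.com"),
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_service):
    """Return a list of findings; an empty list means the trust policy is as expected.

    Besides the guide's two requirements (the service is a principal and sts:AssumeRole
    is allowed), every other principal that could assume the role is reported.
    """
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17")
    statements = _as_list(doc.get("Statement"))
    if not statements:
        return findings + ["no Statement"]
    service_found = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements can grant sts:AssumeRole
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        actions = _as_list(stmt.get("Action"))
        allows_assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if principal.get("AWS") == "*" and allows_assume:
            findings.append("wildcard principal can assume this role")
            continue
        for key in principal:
            if key != "Service":  # e.g. "AWS" (accounts, users, roles) or "Federated"
                findings.append(f"unexpected {key} principal: {principal[key]}")
        for svc in _as_list(principal.get("Service")):
            if svc != expected_service:
                findings.append(f"unexpected service principal: {svc}")
            elif allows_assume:
                service_found = True
            else:
                findings.append(f"{svc} is trusted but sts:AssumeRole is not allowed")
    if not service_found:
        findings.append(f"{expected_service} is not trusted for sts:AssumeRole")
    return findings


def check_role(role_name, attached_policy_names, trust_doc):
    """Check one of the three roles: required policy attached and trust policy correct."""
    if role_name not in EXPECTED_ROLES:
        return [f"{role_name} is not one of the AppStream 2.0 roles described here"]
    policy_name, service = EXPECTED_ROLES[role_name]
    findings = []
    if policy_name not in attached_policy_names:
        findings.append(f"permissions policy {policy_name} is not attached")
    return findings + check_trust_policy(trust_doc, service)


def check_role_live(role_name):
    """Fetch the role from IAM with boto3 and run the same checks (needs credentials)."""
    import boto3  # imported here so the offline checks work without boto3 installed
    iam = boto3.client("iam")
    # botocore returns AssumeRolePolicyDocument already URL-decoded and parsed to a dict.
    trust_doc = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    attached = [
        p["PolicyName"]
        for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name)
        for p in page["AttachedPolicies"]
    ]
    return check_role(role_name, attached, trust_doc)


def service_trust_doc(service):
    """Build the trust policy shape shown in this topic for the given service principal."""
    return json.loads(
        '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
        '"Principal": {"Service": "%s"}, "Action": "sts:AssumeRole"}]}' % service
    )


# Constructed sample: the guide's trust policy with an account root principal
# (fictitious account ID) added, which could also assume the role.
DRIFTED_TRUST_DOC = service_trust_doc("appstream.amazonaws.com")
DRIFTED_TRUST_DOC["Statement"][0]["Principal"]["AWS"] = "arn:aws:iam::111122223333:root"

if __name__ == "__main__":
    for name, (policy, service) in EXPECTED_ROLES.items():
        print(name, check_role(name, [policy], service_trust_doc(service)) or "OK")
    print("drifted:", check_trust_policy(DRIFTED_TRUST_DOC, "appstream.amazonaws.com"))
```

Run with no arguments, the script reports the three expected role configurations as OK and flags the constructed drifted policy for its extra account principal. To check the real roles, call check_role_live with the role name using credentials that allow iam:GetRole and iam:ListAttachedRolePolicies. The extra-principal check matters because any principal in the trust policy can assume the role and act with the permissions of the attached policy, so the trust policy should contain only the service principal shown for that role in this topic.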