Resource-based policies in CodeGuru Profiler - Amazon CodeGuru Profiler

Resource-based policies in CodeGuru Profiler

You control access to profiling groups in Amazon CodeGuru Profiler using profiling group resource-based policies.

AWS defines a profiling group as a resource in CodeGuru Profiler. You, as the account administrator, control access to a resource in an AWS service. For profiling groups, resource-based policies support the agent-related actions ConfigureAgent and PostAgentProfile.

In CodeGuru Profiler, permissions policies are resource-based policies that are attached directly to profiling groups. You can use resource-based policies to manage the roles or IAM users that have permission to submit profiling data and configure the agent. After you grant permissions for a role or user, you don't need to attach IAM permissions. For more information, see Identity-based policies and resource-based policies in the AWS Identity and Access Management User Guide.

You can use the console, the SDK, or the AWS CLI to specify resource-based permissions on a profiling group

Add a resource-based policy to a profiling group (console)

  1. Open the Amazon CodeGuru Profiler console at https://console.aws.amazon.com/codeguru/profiler.

  2. In the navigation pane, choose Profiling groups.

  3. Choose the profiling group to add a resource-based policy to.

  4. Choose Actions, and then choose Manage permissions.

  5. From Application permissions, select the users and roles you want to grant access to the profiling group.

  6. Choose Save.

For more information, see Set permissions.

Add a resource-based policy to a profiling group (AWS CLI)

Run the following AWS CLI command to add a resource-based policy to a profiling group. Use your profiling group name and the Amazon Resource Names (ARNs) of the roles and users you want to grant access to the profiling group.

The only valid value for the action-group argument is the agentPermissions action group. agentPermissions grants the ConfigureAgent and PostAgentProfile permissions on a profiling group to the roles and users listed in the principals argument.

aws codeguruprofiler put-permission --action-group agentPermissions \ --profiling-group-name "my-profiling-group-name" \ --principals "arn:aws:iam::123456789012:user/my-user-name"

The following is an example output that grants access to a profiling group named my-profiling-group to an AWS user specified using its ARN, arn:aws:iam::123456789012:user/my-user-name.

{ "policy": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Sid\" : \"agentPermissions-statement\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"arn:aws:iam::123456789012:user/my-user-name\"\n },\n \"Action\" : [ \"codeguru-profiler:ConfigureAgent\", \"codeguru-profiler:PostAgentProfile\" ],\n \"Resource\" : \"arn:aws:codeguru-profiler:us-west-2:123456789012:profilingGroup/my-profiling-group-name\"\n } ]\n}", "revisionId": "125820ee-98c7-4df9-8739-442ffad7b3a0" }

Add a resource-based policy to a profiling group (AWS SDKs)

To add a resource-based policy using an AWS SDK, use the PutPermission method. For more information, see PutPermission in the Amazon CodeGuru Profiler API Reference.