Add a resource-based policy to a profiling group (console)Add a resource-based policy to a profiling group (AWS CLI)Add a resource-based policy to a profiling group (AWS SDKs)

Resource-based policies in CodeGuru Profiler

You control access to profiling groups in Amazon CodeGuru Profiler using profiling group resource-based policies.

AWS defines a profiling group as a resource in CodeGuru Profiler. You, as the account administrator, control access to a resource in an AWS service. For profiling groups, resource-based policies support the agent-related actions ConfigureAgent and PostAgentProfile.

In CodeGuru Profiler, permissions policies are resource-based policies that are attached directly to profiling groups. You can use resource-based policies to manage the IAM roles or users that have permission to submit profiling data and configure the agent. You can also grant access with identity-based policies. For an example, see Permissions required by the CodeGuru Profiler profiling agent. For more information about IAM policies, see Identity-based policies and resource-based policies in the AWS Identity and Access Management User Guide.

You can use the console, the SDK, or the AWS CLI to specify resource-based permissions on a profiling group

Topics

Add a resource-based policy to a profiling group (console)
Add a resource-based policy to a profiling group (AWS CLI)
Add a resource-based policy to a profiling group (AWS SDKs)

Add a resource-based policy to a profiling group (console)

Open the Amazon CodeGuru Profiler console at https://console.aws.amazon.com/codeguru/profiler.
In the navigation pane, choose Profiling groups.
Choose the profiling group to add a resource-based policy to.
Choose Actions, and then choose Manage permissions.
From Application permissions, select the users and roles you want to grant access to the profiling group.
Choose Save.

For more information, see Set permissions.

Add a resource-based policy to a profiling group (AWS CLI)

Run the following AWS CLI command to add a resource-based policy to a profiling group. Use your profiling group name and the Amazon Resource Names (ARNs) of the roles and users you want to grant access to the profiling group.

The only valid value for the action-group argument is the agentPermissions action group. agentPermissions grants the ConfigureAgent and PostAgentProfile permissions on a profiling group to the roles and users listed in the principals argument.


aws codeguruprofiler put-permission --action-group agentPermissions \ 
            --profiling-group-name "my-profiling-group-name" \
            --principals "arn:aws:iam::123456789012:user/my-user-name"

The following is an example output that grants access to a profiling group named my-profiling-group to an AWS user specified using its ARN, arn:aws:iam::123456789012:user/my-user-name.


{
    "policy": "{\n  \"Version\" : \"2012-10-17\",\n  \"Statement\" : [ {\n    \"Sid\" : \"agentPermissions-statement\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"arn:aws:iam::123456789012:user/my-user-name\"\n    },\n    \"Action\" : [ \"codeguru-profiler:ConfigureAgent\", \"codeguru-profiler:PostAgentProfile\" ],\n    \"Resource\" : \"arn:aws:codeguru-profiler:us-west-2:123456789012:profilingGroup/my-profiling-group-name\"\n  } ]\n}",
    "revisionId": "125820ee-98c7-4df9-8739-442ffad7b3a0"
}

Add a resource-based policy to a profiling group (AWS SDKs)

To add a resource-based policy using an AWS SDK, use the PutPermission method. For more information, see PutPermission in the Amazon CodeGuru Profiler API Reference.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using identity-based policies

CodeGuru Profiler permissions reference