Configure the IAM permissions required to use the Amazon DataZone management console

Any user, group, or role that uses the Amazon DataZone management console must have the required permissions.

Attach required and optional policies to a user, group, or role for Amazon DataZone console access

Complete the following procedure to attach the required and optional custom policies to a user, group, or a role. For more information, see AWS managed policies for Amazon DataZone.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. Choose the following policies to attach to your user, group, or role.

  4. Choose Actions, and then choose Attach.

  5. Choose the user, group, or role to which you want to attach the policy. You can use the Filter menu and the search box to filter the list of principal entities. After choosing the user, group, or role, choose Attach policy.

Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation

Complete the following procedure to create a custom inline policy that grants the permissions Amazon DataZone needs to create the required roles on your behalf from the AWS Management Console.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or User groups.

  3. In the list, choose the name of the user or group to embed a policy in.

  4. Choose the Permissions tab and, if necessary, expand the Permissions policies section.

  5. Choose Add permissions, and then choose the Create inline policy link.

  6. On the Create Policy screen, in the Policy editor section, choose JSON.

    Create a policy document with the following JSON statements, and then choose Next.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreatePolicy",
                    "iam:CreateRole"
                ],
                "Resource": [
                    "arn:aws:iam::*:policy/service-role/AmazonDataZone*",
                    "arn:aws:iam::*:role/service-role/AmazonDataZone*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "iam:AttachRolePolicy",
                "Resource": "arn:aws:iam::*:role/service-role/AmazonDataZone*",
                "Condition": {
                    "ArnLike": {
                        "iam:PolicyARN": [
                            "arn:aws:iam::aws:policy/AmazonDataZone*",
                            "arn:aws:iam::*:policy/service-role/AmazonDataZone*"
                        ]
                    }
                }
            }
        ]
    }

  7. On the Review policy screen, enter a name for the policy. When you're satisfied with the policy, choose Create policy. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.

Create a custom policy for permissions to manage an account associated with an Amazon DataZone domain

Complete the following procedure to create a custom inline policy that grants the permissions needed in an associated AWS account to list, accept, and reject resource shares of a domain, and then to enable, configure, and disable environment blueprints in that account. To enable the optional Amazon DataZone service console simplified role creation available during blueprint configuration, you must also complete Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or User groups.

  3. In the list, choose the name of the user or group to embed a policy in.

  4. Choose the Permissions tab and, if necessary, expand the Permissions policies section.

  5. Choose Add permissions, and then choose the Create inline policy link.

  6. On the Create Policy screen, in the Policy editor section, choose JSON. Create a policy document with the following JSON statements, and then choose Next.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "datazone:ListEnvironmentBlueprintConfigurations",
                    "datazone:PutEnvironmentBlueprintConfiguration",
                    "datazone:GetDomain",
                    "datazone:ListDomains",
                    "datazone:GetEnvironmentBlueprintConfiguration",
                    "datazone:ListEnvironmentBlueprints",
                    "datazone:GetEnvironmentBlueprint",
                    "datazone:ListAccountEnvironments",
                    "datazone:DeleteEnvironmentBlueprintConfiguration"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": [
                    "arn:aws:iam::*:role/AmazonDataZone",
                    "arn:aws:iam::*:role/service-role/AmazonDataZone*"
                ],
                "Condition": {
                    "StringEquals": {
                        "iam:passedToService": "datazone.amazonaws.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "iam:AttachRolePolicy",
                "Resource": "arn:aws:iam::*:role/service-role/AmazonDataZone*",
                "Condition": {
                    "ArnLike": {
                        "iam:PolicyARN": [
                            "arn:aws:iam::aws:policy/AmazonDataZone*",
                            "arn:aws:iam::*:policy/service-role/AmazonDataZone*"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreatePolicy",
                    "iam:CreateRole"
                ],
                "Resource": [
                    "arn:aws:iam::*:policy/service-role/AmazonDataZone*",
                    "arn:aws:iam::*:role/service-role/AmazonDataZone*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ram:AcceptResourceShareInvitation",
                    "ram:RejectResourceShareInvitation",
                    "ram:GetResourceShareInvitations"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:CreateBucket",
                "Resource": "arn:aws:s3:::amazon-datazone*"
            }
        ]
    }

  7. On the Review policy screen, enter a name for the policy. When you're satisfied with the policy, choose Create policy. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.
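The two inline policies above get their safety from three guardrails: role and policy creation is limited to the AmazonDataZone service-role names, iam:AttachRolePolicy is fenced by an iam:PolicyARN condition, and iam:PassRole is fenced by iam:PassedToService. The following is an added example, not part of the AWS documentation, that lints a policy document for those guardrails; the sample policies embedded in it are constructed (the first mirrors the simplified-role-creation policy, the second is a weakened copy).

```python
import copy

# Guardrails the two DataZone console policies rely on: role/policy creation scoped to
# AmazonDataZone* names, AttachRolePolicy fenced by iam:PolicyARN, PassRole by iam:PassedToService.
SCOPED_PREFIXES = ("arn:aws:iam::*:role/service-role/AmazonDataZone",
                   "arn:aws:iam::*:policy/service-role/AmazonDataZone",
                   "arn:aws:iam::*:role/AmazonDataZone")
REQUIRED_CONDITION = {"iam:AttachRolePolicy": "iam:policyarn",   # condition keys are
                      "iam:PassRole": "iam:passedtoservice"}     # case-insensitive in IAM
SENSITIVE = {"iam:CreateRole", "iam:CreatePolicy"} | set(REQUIRED_CONDITION)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy):
    """Return findings for Allow statements that grant sensitive IAM actions
    without the resource scoping or condition keys shown on this page."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        conds = {k.lower() for ops in st.get("Condition", {}).values() for k in ops}
        for action in _as_list(st.get("Action", [])):
            if action not in SENSITIVE:
                continue
            unscoped = [r for r in resources if not r.startswith(SCOPED_PREFIXES)]
            if unscoped:
                findings.append(f"statement {i}: {action} on unscoped resource {unscoped}")
            needed = REQUIRED_CONDITION.get(action)
            if needed and needed not in conds:
                findings.append(f"statement {i}: {action} without a {needed} condition")
    return findings

# Constructed sample: the page's first policy, then a weakened copy that lets the
# principal attach any policy to any role.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreatePolicy", "iam:CreateRole"],
     "Resource": ["arn:aws:iam::*:policy/service-role/AmazonDataZone*",
                  "arn:aws:iam::*:role/service-role/AmazonDataZone*"]},
    {"Effect": "Allow", "Action": "iam:AttachRolePolicy",
     "Resource": "arn:aws:iam::*:role/service-role/AmazonDataZone*",
     "Condition": {"ArnLike": {"iam:PolicyARN": [
         "arn:aws:iam::aws:policy/AmazonDataZone*",
         "arn:aws:iam::*:policy/service-role/AmazonDataZone*"]}}}]}
WEAK_POLICY = copy.deepcopy(SCOPED_POLICY)
WEAK_POLICY["Statement"][1] = {"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": "*"}

if __name__ == "__main__":
    print(lint_policy(SCOPED_POLICY), lint_policy(WEAK_POLICY), sep="\n")
```

The scoped policy produces no findings; the weakened copy is flagged twice, once for the wildcard resource and once for the missing iam:PolicyARN condition.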

(Optional) Create a custom policy for AWS Identity Center permissions to enable single sign-on (SSO) for your domain

Complete the following procedure to create a custom inline policy to have the necessary permissions to enable single sign-on (SSO) using the AWS IAM Identity Center in Amazon DataZone.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or User groups.

  3. In the list, choose the name of the user or group to embed a policy in.

  4. Choose the Permissions tab and, if necessary, expand the Permissions policies section.

  5. Choose Add permissions and Create inline policy.

  6. On the Create Policy screen, in the Policy editor section, choose JSON.

    Create a policy document with the following JSON statements, and then choose Next.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sso:DeleteManagedApplicationInstance",
                    "sso:CreateManagedApplicationInstance",
                    "sso:PutApplicationAssignmentConfiguration"
                ],
                "Resource": "*"
            }
        ]
    }

  7. On the Review policy screen, enter a name for the policy. When you're satisfied with the policy, choose Create policy. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.

(Optional) Create a custom policy for AWS Identity Center permissions to add and remove SSO user and SSO group access to your Amazon DataZone domain

Complete the following procedure to create a custom inline policy to have the necessary permissions to add and remove SSO user and SSO group access to your Amazon DataZone domain.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or User groups.

  3. In the list, choose the name of the user or group to embed a policy in.

  4. Choose the Permissions tab and, if necessary, expand the Permissions policies section.

  5. Choose Add permissions and Create inline policy.

  6. On the Create Policy screen, in the Policy editor section, choose JSON.

    Create a policy document with the following JSON statements, and then choose Next.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sso:GetManagedApplicationInstance",
                    "sso:ListProfiles",
                    "sso:GetProfiles",
                    "sso:AssociateProfile",
                    "sso:DisassociateProfile",
                    "sso:GetProfile"
                ],
                "Resource": "*"
            }
        ]
    }

  7. On the Review policy screen, enter a name for the policy. When you're satisfied with the policy, choose Create policy. Ensure that no errors appear in a red box at the top of the screen. Correct any that are reported.

(Optional) Add your IAM principal as a key user to create your Amazon DataZone domain with a customer-managed key from AWS Key Management Service (KMS)

Before you can optionally create your Amazon DataZone domain with a customer-managed key (CMK) from the AWS Key Management Service (KMS), complete the following procedure to make your IAM principal a user of your KMS key.

  1. Sign in to the AWS Management Console and open the KMS console at https://console.aws.amazon.com/kms/.

  2. To view the keys in your account that you create and manage, in the navigation pane, choose Customer managed keys.

  3. In the list of KMS keys, choose the alias or key ID of the KMS key that you want to examine.

  4. To add or remove key users, and to allow or disallow external AWS accounts to use the KMS key, use the controls in the Key users section of the page. Key users can use the KMS key in cryptographic operations, such as encrypting, decrypting, re-encrypting, and generating data keys.