AWS IoT Greengrass
Developer Guide

Configure IAM Roles

When you create Lambda functions that access AWS services, you must grant sufficient permissions in the Greengrass group role to allow the functions to access those services. The group role is an IAM role that you attach to your group.

In this module, you create a role that allows a Greengrass Lambda function to access DynamoDB. For more information about IAM, see the AWS Identity and Access Management documentation.

  1. In the IAM console, in the navigation pane, choose Roles, and then choose Create Role.

  2. Under Select type of trusted entity, choose AWS service.

  3. Under Choose the service that will use this role, choose Greengrass, and then choose Next: Permissions.

  4. On the Attach permissions policies page, select the following policies, and then choose Next: Tags.

    • AWSGreengrassResourceAccessRolePolicy

    • AWSGreengrassFullAccess

    • AmazonDynamoDBFullAccess

  5. Choose Next: Review. You don't need to create tags for this tutorial.

  6. Enter the following values, and then choose Create role.

    • For Role name, enter Greengrass_DynamoDB_Role.

    • For Role description, enter Greengrass group role.

     

    
    [Screenshot of the Review page displaying the role name, description, and selected policies.]

  7. Repeat the previous step to create the role for the AWS Lambda service. Select the same policies (AWSGreengrassResourceAccessRolePolicy, AWSGreengrassFullAccess, and AmazonDynamoDBFullAccess). For Role name, enter Lambda_DynamoDB_Role.

  8. In the AWS IoT Core console, under Greengrass, choose Groups, and then choose your AWS IoT Greengrass group.

  9. Choose Settings, and then choose Add Role.

    
    [Screenshot of the Group settings page with Add Role highlighted.]

  10. Choose Greengrass_DynamoDB_Role from the list of roles, and then choose Save.
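
To confirm that the two roles came out as the steps above describe, the following check compares each role's trust policy and attached policies with what the procedure specifies. It is an added example, not code from the AWS guide. The helper names are hypothetical, the sample data is constructed, and the inputs are assumed to have the shape of the IAM GetRole and ListAttachedRolePolicies responses.

```python
# Added example: offline check of the two roles this procedure creates.
# Inputs mirror the IAM GetRole / ListAttachedRolePolicies response shapes;
# helper names and the sample data are constructed for illustration.
REQUIRED = {"AWSGreengrassResourceAccessRolePolicy", "AWSGreengrassFullAccess",
            "AmazonDynamoDBFullAccess"}
EXPECTED_SERVICE = {"Greengrass_DynamoDB_Role": "greengrass.amazonaws.com",
                    "Lambda_DynamoDB_Role": "lambda.amazonaws.com"}

def trust_policy(service):
    """Trust policy for a role whose only trusted entity is one AWS service."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}]}

def trusted_principals(doc):
    """Collect every principal that an Allow statement lets assume the role."""
    stmts = doc.get("Statement", [])
    found = set()
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*":  # wildcard principal: anyone may assume the role
            found.add("*")
            continue
        for kind, value in principal.items():
            values = [value] if isinstance(value, str) else value
            found.update(f"{kind}:{v}" for v in values)
    return found

def audit_role(name, trust_doc, attached_names):
    """Return findings for one role; an empty list means it matches the steps."""
    want = f"Service:{EXPECTED_SERVICE[name]}"
    trusted = trusted_principals(trust_doc)
    findings = [] if want in trusted else [f"{name}: {want} cannot assume the role"]
    findings += [f"{name}: unexpected trusted principal {p}" for p in sorted(trusted - {want})]
    findings += [f"{name}: policy not attached: {p}" for p in sorted(REQUIRED - set(attached_names))]
    return findings

def broad_policies(attached_names):
    """Managed policies named *FullAccess, listed for least-privilege review."""
    return sorted(p for p in attached_names if p.endswith("FullAccess"))

if __name__ == "__main__":
    # Constructed sample: the Lambda role was created with the wrong trusted service.
    doc = trust_policy("greengrass.amazonaws.com")
    for line in audit_role("Lambda_DynamoDB_Role", doc, ["AWSGreengrassFullAccess"]):
        print(line)
```

`broad_policies` lists the two FullAccess policies the tutorial attaches, which are the ones to narrow to the specific DynamoDB tables and Greengrass actions a function needs once you move beyond the tutorial.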