Configure the group role - AWS IoT Greengrass

You are viewing the documentation for AWS IoT Greengrass Version 1. AWS IoT Greengrass Version 2 is the latest major version of AWS IoT Greengrass. For more information about using AWS IoT Greengrass V2, see the AWS IoT Greengrass Version 2 Developer Guide.

Configure the group role

The group role is an IAM role that you create and attach to your Greengrass group. This role contains the permissions that deployed Lambda functions (and other AWS IoT Greengrass features) use to access AWS services. For more information, see Greengrass group role.

You use the following high-level steps to create a group role in the IAM console.

  1. Create a policy that allows or denies actions on one or more resources.

  2. Create a role that uses the Greengrass service as a trusted entity.

  3. Attach your policy to the role.

Then, in the AWS IoT console, you add the role to the Greengrass group.


A Greengrass group has one group role. If you want to add permissions, you can edit attached policies or attach more policies.


For this tutorial, you create a permissions policy that allows describe, create, and update actions on an Amazon DynamoDB table. Then, you attach the policy to a new role and associate the role with your Greengrass group.

First, create a customer-managed policy that grants permissions required by the Lambda function in this module.

  1. In the IAM console, in the navigation pane, choose Policies, and then choose Create policy.

  2. On the JSON tab, replace the placeholder content with the following policy. The Lambda function in this module uses these permissions to create and update a DynamoDB table named CarStats.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "PermissionsForModule6", "Effect": "Allow", "Action": [ "dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:*:*:table/CarStats" } ] }
  3. Choose Review policy.

  4. For Name, enter greengrass_CarStats_Table, and then choose Create policy.


    Next, create a role that uses the new policy.

  5. In the navigation pane, choose Roles, and then choose Create role.

  6. Under Select type of trusted entity, choose AWS service.

  7. Under Choose the service that will use this role, choose Greengrass, and then choose Next: Permissions.

  8. Under Attach permissions policies, select the new greengrass_CarStats_Table policy.

                            Screenshot of the Attach permissions policies page with the new
                                policy selected.
  9. Choose Next: Tags, and then choose Next: Review. Tags aren't used in this tutorial.

  10. For Role name, enter Greengrass_Group_Role.

  11. For Role description, enter Greengrass group role for connectors and user-defined Lambda functions.

                            Screenshot of the Review page displaying the role name,
                                description, and policies.
  12. Choose Create role.


    Now, add the role to your Greengrass group.

  13. In the AWS IoT console, in the navigation pane, choose Greengrass, Classic (V1), Groups.

  14. Under Greengrass groups, choose your group.

  15. Choose Settings, and then choose Add Role.

                            Group settings page with Add Role highlighted.
  16. Choose Greengrass_Group_Role from your list of roles, and then choose Save.