Configure the group role - AWS IoT Greengrass

AWS IoT Greengrass Version 1 no longer receives feature updates, and will receive only security patches and bug fixes until June 30, 2023. For more information, see the AWS IoT Greengrass V1 maintenance policy. We strongly recommend that you migrate to AWS IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

Configure the group role

The group role is an IAM role that you create and attach to your Greengrass group. This role contains the permissions that deployed Lambda functions (and other AWS IoT Greengrass features) use to access AWS services. For more information, see Greengrass group role.

You use the following high-level steps to create a group role in the IAM console.

  1. Create a policy that allows or denies actions on one or more resources.

  2. Create a role that uses the Greengrass service as a trusted entity.

  3. Attach your policy to the role.

Then, in the AWS IoT console, you add the role to the Greengrass group.


A Greengrass group has one group role. If you want to add permissions, you can edit attached policies or attach more policies.


For this tutorial, you create a permissions policy that allows describe, create, and update actions on an Amazon DynamoDB table. Then, you attach the policy to a new role and associate the role with your Greengrass group.

First, create a customer-managed policy that grants permissions required by the Lambda function in this module.

  1. In the IAM console, in the navigation pane, choose Policies, and then choose Create policy.

  2. On the JSON tab, replace the placeholder content with the following policy. The Lambda function in this module uses these permissions to create and update a DynamoDB table named CarStats.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PermissionsForModule6",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:DescribeTable",
                    "dynamodb:CreateTable",
                    "dynamodb:PutItem"
                ],
                "Resource": "arn:aws:dynamodb:*:*:table/CarStats"
            }
        ]
    }

  3. Choose Next: Tags, and then choose Next: Review. Tags aren't used in this tutorial.

  4. For Name, enter greengrass_CarStats_Table, and then choose Create policy.


    Next, create a role that uses the new policy.

  5. In the navigation pane, choose Roles, and then choose Create role.

  6. Under Trusted entity type, choose AWS service.

  7. Under Use case, for Use cases for other AWS services, choose Greengrass, select Greengrass, and then choose Next.

  8. Under Permissions policies, select the new greengrass_CarStats_Table policy, and then choose Next.

  9. For Role name, enter Greengrass_Group_Role.

  10. For Description, enter Greengrass group role for connectors and user-defined Lambda functions.

  11. Choose Create role.

    Now, add the role to your Greengrass group.

  12. In the AWS IoT console navigation pane, under Manage, expand Greengrass devices, and then choose Groups (V1).

  13. Under Greengrass groups, choose your group.

  14. Choose Settings, and then choose Associate role.

  15. Choose Greengrass_Group_Role from your list of roles, and then choose Associate role.
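
The tutorial policy names one table but leaves the Region and account fields of the Resource ARN as `*`. The following Python check is an added example, not part of the AWS tutorial: it reports wildcard actions and ARN fields in a group role's permissions policy and returns a copy pinned to one Region and account. The function names `audit_policy` and `pin_scope` are hypothetical.

```python
import copy

# Permissions policy from step 2 of the tutorial, reproduced unchanged.
TUTORIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PermissionsForModule6", "Effect": "Allow",
        "Action": ["dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:*:*:table/CarStats",
    }],
}

def _as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements broader than one named resource."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) != 6:
                findings.append(f"{sid}: resource {arn!r} is not a full ARN")
                continue
            for name, value in zip(("region", "account", "resource"), parts[3:]):
                if "*" in value:
                    findings.append(f"{sid}: wildcard {name} in {arn}")
    return findings

def pin_scope(policy, region, account_id):
    """Return a copy with wildcard region/account ARN fields replaced by fixed values."""
    pinned = copy.deepcopy(policy)
    for stmt in _as_list(pinned["Statement"]):
        arns = []
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)
            if len(parts) == 6:
                parts[3] = region if parts[3] == "*" else parts[3]
                parts[4] = account_id if parts[4] == "*" else parts[4]
            arns.append(":".join(parts))  # non-ARN values round-trip unchanged
        if arns:
            stmt["Resource"] = arns if isinstance(stmt["Resource"], list) else arns[0]
    return pinned
```

With constructed sample values, `pin_scope(TUTORIAL_POLICY, "us-west-2", "123456789012")` produces a policy for which `audit_policy` returns no findings, while the tutorial policy as written yields one finding each for the Region and account fields.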