AWS OpsWorks Stacks Permissions Levels

Important

The AWS OpsWorks Stacks service reached end of life on May 26, 2024 and has been disabled for both new and existing customers. We strongly recommend customers migrate their workloads to other solutions as soon as possible. If you have questions about migration, reach out to the AWS Support Team on AWS re:Post or through AWS Premium Support.

This section lists the actions that are allowed by the Show, Deploy, and Manage permissions levels on the AWS OpsWorks Stacks Permissions page. It also includes a list of actions that you can grant permissions only by applying an IAM policy to the user.

Show

The Show level allows DescribeXYZ commands, with the following exceptions:


DescribePermissions
DescribeUserProfiles
DescribeMyUserProfile
DescribeStackProvisioningParameters

If an administrative user has enabled self-management for the user, Show users can also use DescribeMyUserProfile and UpdateMyUserProfile. For more information on self management, see Editing User Settings.

Deploy

The following actions are allowed by the Deploy level, in addition to the actions allowed by the Show level.


CreateDeployment
UpdateApp

Manage

The following actions are allowed by the Manage level, in addition to the actions allowed by the Deploy and Show levels.


AssignInstance
AssignVolume
AssociateElasticIp
AttachElasticLoadBalancer
CreateApp
CreateInstance
CreateLayer
DeleteApp
DeleteInstance
DeleteLayer
DeleteStack
DeregisterElasticIp
DeregisterInstance
DeregisterRdsDbInstance
DeregisterVolume
DescribePermissions
DetachElasticLoadBalancer
DisassociateElasticIp
GrantAccess
GetHostnameSuggestion
RebootInstance
RegisterElasticIp
RegisterInstance
RegisterRdsDbInstance
RegisterVolume
SetLoadBasedAutoScaling
SetPermission
SetTimeBasedAutoScaling
StartInstance
StartStack
StopInstance
StopStack
UnassignVolume
UpdateElasticIp
UpdateInstance
UpdateLayer
UpdateRdsDbInstance
UpdateStack
UpdateVolume

Permissions That Require an IAM Policy

You must grant permissions for the following actions by applying an appropriate IAM policy to the user. For some examples, see Example Policies.


CloneStack
CreateStack
CreateUserProfile
DeleteUserProfile
DescribeUserProfiles
UpdateUserProfile

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Example Policies

Allowing AWS OpsWorks Stacks to Act on Your Behalf