AWS Systems Manager
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Method 1: Use AWS CloudFormation to Configure a Service Role for Automation

You can create a service role for Automation from an AWS CloudFormation template. After you create the service role, you can specify the service role in Automation workflows using the parameter AutomationAssumeRole. For information about how to run an Automation workflow using the Automation service role, see Running an Automation Workflow by Using an IAM Service Role.

Create the Service Role Using AWS CloudFormation

Use the following procedure to create the required IAM role for Systems Manager Automation by using AWS CloudFormation.

To create the required IAM role

  1. Download the folder. This folder includes the AWS-SystemsManager-AutomationServiceRole.yaml AWS CloudFormation template file.

  2. Open the AWS CloudFormation console at

  3. Choose Create Stack.

  4. In the Choose a template section, choose Upload a template to Amazon S3.

  5. Choose Browse, and then choose the AWS-SystemsManager-AutomationServiceRole.yaml AWS CloudFormation template file.

  6. Choose Next.

  7. On the Specify Details page, in the Stack Name field, enter a name.

  8. On the Options page, you don’t need to make any selections. Choose Next.

  9. On the Review page, scroll down and choose the I acknowledge that AWS CloudFormation might create IAM resources option.

  10. Choose Create.

AWS CloudFormation shows the CREATE_IN_PROGRESS status for approximately three minutes. The status changes to CREATE_COMPLETE after the stack is created and your roles are ready to use.


If you run an automation that invokes other services by using an AWS Identity and Access Management (IAM) service role, be aware that the service role must be configured with permission to invoke those services. This requirement applies to all AWS Automation documents (AWS-* documents) such as the AWS-ConfigureS3BucketLogging, AWS-CreateDynamoDBBackup, and AWS-RestartEC2Instance documents, to name a few. This requirement also applies to any custom Automation documents you create that invoke other AWS services by using actions that call other services. For example, if you use the aws:executeAwsApi, aws:CreateStack, or aws:copyImage actions, to name a few, then you must configure the service role with permission to invoke those services. You can enable permissions to other AWS services by adding an IAM inline policy to the role. For more information, see (Optional) Add an Automation Inline Policy to Invoke Other AWS Services.

Copy Role Information for Automation

Use the following procedure to copy information about the Automation service role from the AWS CloudFormation console. You must specify these roles when you run an Automation document.


You do not need to copy role information using this procedure if you run the AWS-UpdateLinuxAmi or AWS-UpdateWindowsAmi documents. These documents already have the required roles specified as default values. The roles specified in these documents use IAM managed policies.

To copy the role names

  1. Open the AWS CloudFormation console at

  2. Select the check box next to the Automation stack you created in the previous procedure.

  3. Choose the Resources tab.

  4. Choose the Physical ID link for AutomationServiceRole. The IAM console opens to a summary of the Automation service role.

  5. Copy the Amazon Resource Name (ARN) next to Role ARN. The ARN is similar to the following: arn:aws:iam::12345678:role/AutomationServiceRole

  6. Paste the ARN into a text file to use later.

You have finished configuring the service role for Automation. You can now use the Automation service role ARN in your Automation documents.