AWS Systems Manager
User Guide

Getting Started with Automation

To set up Automation, you must verify user access to the Automation service and, depending on your situation, configure roles so that the service can perform actions on your resources. To ensure proper access to Systems Manager Automation, review the following user and service role requirements.

Verify user access

Verify that you have permission to run Automation workflows. If your AWS Identity and Access Management (IAM) user account, group, or role is assigned administrator permissions, then you have access to Systems Manager Automation. If you don't have administrator permissions, then an administrator must give you permission by assigning the AmazonSSMFullAccess managed policy, or a policy that provides comparable permissions, to your IAM account, group, or role.

Important

The IAM policy AmazonSSMFullAccess grants permissions to Systems Manager actions. However, some Automation documents require permissions to other services, such as the document AWS-ReleaseElasticIP, which requires IAM permissions for ec2:ReleaseAddress. Therefore, you must review the actions taken in an Automation document to ensure your IAM user account, group, or role is assigned the necessary permissions to perform the actions included in the document.
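One way to carry out the review described in the note above, as an added example that is not part of the AWS documentation: it lists the API calls made by an Automation document's steps and reports which ones an identity policy does not allow. It assumes the IAM action name is `<Service>:<Api>` (true for most APIs, not all), looks only at Allow statements, and uses a constructed document and policy rather than the real AWS-ReleaseElasticIP content.

```python
import fnmatch

# Automation actions whose inputs name an AWS API call via Service and Api.
API_STEP_ACTIONS = {"aws:executeAwsApi", "aws:assertAwsResourceProperty",
                    "aws:waitForAwsResourceProperty"}

def required_actions(document):
    """IAM actions implied by the API-calling steps of an Automation document."""
    actions = set()
    for step in document.get("mainSteps", []):
        if step.get("action") in API_STEP_ACTIONS:
            inputs = step.get("inputs", {})
            # Assumption: the IAM action is "<Service>:<Api>"; a few APIs differ.
            actions.add(f"{inputs['Service']}:{inputs['Api']}")
    return actions

def allowed_patterns(policy):
    """Action patterns from Allow statements; Deny, Resource, Condition ignored."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            acts = stmt["Action"]
            patterns.extend([acts] if isinstance(acts, str) else acts)
    return [p.lower() for p in patterns]

def missing_actions(document, policy):
    """Required actions that no Allow pattern covers (IAM actions are case-insensitive)."""
    patterns = allowed_patterns(policy)
    return sorted(a for a in required_actions(document)
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))

# Constructed sample document (not the real AWS-ReleaseElasticIP content).
SAMPLE_DOC = {"schemaVersion": "0.3", "mainSteps": [
    {"name": "describe", "action": "aws:executeAwsApi",
     "inputs": {"Service": "ec2", "Api": "DescribeAddresses"}},
    {"name": "release", "action": "aws:executeAwsApi",
     "inputs": {"Service": "ec2", "Api": "ReleaseAddress"}},
    {"name": "pause", "action": "aws:sleep", "inputs": {"Duration": "PT5S"}}]}

# Constructed identity policy: Systems Manager access plus read-only EC2.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_DOC, SAMPLE_POLICY))
```

Steps that run scripts or invoke other documents are not covered by this check and still need to be read by hand.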

Configure service role access (situational)

Automation workflows can be initiated under the context of a service role (or assume role). This allows the service to perform actions on your behalf. If you do not specify an assume role, Automation uses the context of the user who invoked the execution.

However, the following situations require that you specify a service role for Automation:

  • When you want to restrict a user's privileges on a resource, but you want the user to run an Automation workflow that requires elevated privileges. In this scenario, you can create a service role with elevated privileges and allow the user to run the workflow.

  • When you create a State Manager Association that runs an Automation workflow.

  • When you have operations that you expect to run longer than 12 hours.

If you need to create a service role for Automation, you can use one of the following methods.