How do I grant specified permissions to an IAM group and add an existing IAM user to it?


I want to grant specified permissions to an AWS Identity and Access Management (IAM) group and add an existing IAM user to it.

Short description

You can use the AWS Systems Manager AWSSupport-GrantPermissionsToIAMUser runbook to grant specific permissions to an IAM group and add an existing IAM user to it.

The runbook grants one of three fixed permission sets to the group: SupportFullAccess, BillingFullAccess, or SupportAndBillingFullAccess.

Note: If you use an existing IAM group, then all current IAM users in that group receive the new permissions. For more information, see Initial IAM service set up for your account.

Resolution

Prerequisites:

Before you start the runbook, make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see Required IAM permissions in AWSSupport-GrantPermissionsToIAMUser.

Run the AWSSupport-GrantPermissionsToIAMUser runbook

  1. Open the AWSSupport-GrantPermissionsToIAMUser runbook.
  2. Choose Execute automation.
  3. For the input parameters, enter the following:
    AutomationAssumeRole (optional): Enter the ARN of the IAM role that allows Automation to perform actions for you. If a role isn't specified, then Automation uses the permissions of the user that starts the runbook.
    IAMGroupName (required): The group can be a new or existing group and must comply with IAM name requirements.
    IAMUserName (required): This IAM username must be an existing user.
    Permissions (required): Choose either SupportFullAccess, BillingFullAccess, or SupportAndBillingFullAccess. SupportFullAccess grants full access to the Support center. BillingFullAccess grants full access to the Billing dashboard. SupportAndBillingFullAccess grants full access to both Support center and the Billing dashboard.
  4. Choose Execute. The runbook performs this step:
    aws:executeScript: Sets the IAM permissions for the IAM group and adds the existing IAM user.
  5. After the runbook completes, check the details of all the listed resources in the runbook's Output section:
    configureIAM.AddedPermissionsarn: The policy ARN of the permission added to the group.
    IAM.LoginUrl: https://Account-Id.signin.aws.amazon.com/console
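The following script is an added example, not the runbook's own source, that does locally what the aws:executeScript step above does (attach the permission set to the group, creating the group if needed, then add the existing user) and adds the check a practitioner wants before running it: it lists the users who already belong to the group, since they all receive the new permissions. The mapping from the Permissions values to AWS managed policy ARNs (AWSSupportAccess and job-function/Billing) is an assumption; the page does not state which policies the runbook attaches. The FakeIAM class is a constructed in-memory stand-in for the boto3 IAM client so the script runs offline; pass boto3.client("iam") instead for a real account.

```python
"""Local equivalent of the runbook's aws:executeScript step, with a pre-check.

Added example, not the runbook's own code. PERMISSION_POLICIES is an assumed
mapping to AWS managed policies; the runbook's exact policy choice is not
shown on the page.
"""
import re

# IAM user and group names: 1-128 characters from [A-Za-z0-9+=,.@_-].
IAM_NAME_RE = re.compile(r"^[\w+=,.@-]{1,128}$")

# Assumed mapping of the runbook's Permissions values to managed policies.
PERMISSION_POLICIES = {
    "SupportFullAccess": ["arn:aws:iam::aws:policy/AWSSupportAccess"],
    "BillingFullAccess": ["arn:aws:iam::aws:policy/job-function/Billing"],
    "SupportAndBillingFullAccess": [
        "arn:aws:iam::aws:policy/AWSSupportAccess",
        "arn:aws:iam::aws:policy/job-function/Billing",
    ],
}


def validate_inputs(group_name, user_name, permissions):
    """Return a list of problems with the runbook parameters (empty if OK)."""
    problems = []
    if not IAM_NAME_RE.match(group_name):
        problems.append(f"IAMGroupName {group_name!r} violates IAM naming rules")
    if not IAM_NAME_RE.match(user_name):
        problems.append(f"IAMUserName {user_name!r} violates IAM naming rules")
    if permissions not in PERMISSION_POLICIES:
        problems.append(f"Permissions must be one of {sorted(PERMISSION_POLICIES)}")
    return problems


def list_group_members(iam, group_name):
    """Collect every member of the group, following GetGroup pagination."""
    users, marker = [], None
    while True:
        kwargs = {"GroupName": group_name}
        if marker:
            kwargs["Marker"] = marker
        page = iam.get_group(**kwargs)
        users.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            return users
        marker = page["Marker"]


def grant_permissions(iam, group_name, user_name, permissions):
    """Attach the permission set to the group and add the existing user.

    Returns a summary that includes the users who were already in the group,
    because they receive the new permissions too.
    """
    problems = validate_inputs(group_name, user_name, permissions)
    if problems:
        raise ValueError("; ".join(problems))
    iam.get_user(UserName=user_name)  # raises NoSuchEntityException: user must exist
    try:
        existing = list_group_members(iam, group_name)
        created = False
    except iam.exceptions.NoSuchEntityException:
        iam.create_group(GroupName=group_name)
        existing, created = [], True
    attached = []
    for arn in PERMISSION_POLICIES[permissions]:
        iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
        attached.append(arn)
    if user_name not in existing:
        iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    return {"GroupCreated": created, "AddedPermissionsArn": attached,
            "AlsoAffectedUsers": existing}


def login_url(account_id):
    """Console sign-in URL of the same shape as the runbook's IAM.LoginUrl output."""
    return f"https://{account_id}.signin.aws.amazon.com/console"


class FakeIAM:
    """Constructed in-memory stand-in for boto3.client('iam'), for offline runs."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users, groups):
        self.users = set(users)
        self.groups = {g: {"members": list(m), "policies": []} for g, m in groups.items()}

    def get_user(self, UserName):
        if UserName not in self.users:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"User": {"UserName": UserName}}

    def get_group(self, GroupName, Marker=None):
        if GroupName not in self.groups:
            raise self.exceptions.NoSuchEntityException(GroupName)
        members = self.groups[GroupName]["members"]
        return {"Users": [{"UserName": u} for u in members], "IsTruncated": False}

    def create_group(self, GroupName):
        self.groups[GroupName] = {"members": [], "policies": []}

    def attach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]["policies"].append(PolicyArn)

    def add_user_to_group(self, GroupName, UserName):
        self.groups[GroupName]["members"].append(UserName)


if __name__ == "__main__":
    iam = FakeIAM(users={"alice", "bob"}, groups={"Finance": ["bob"]})
    print(grant_permissions(iam, "Finance", "alice", "SupportAndBillingFullAccess"))
```

Check AlsoAffectedUsers in the returned summary before you run this against a real account; if that list contains anyone who should not get Support or Billing access, use a new group name instead. The same run through the runbook from the AWS CLI is `aws ssm start-automation-execution --document-name AWSSupport-GrantPermissionsToIAMUser --parameters "IAMGroupName=Finance,IAMUserName=alice,Permissions=SupportAndBillingFullAccess"`, followed by `aws ssm get-automation-execution --automation-execution-id <id>` to read the outputs.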

Note: To help you troubleshoot, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the Systems Manager provided predefined runbooks. These runbooks are prefixed with AWSSupport- or AWSPremiumSupport-.

Related information

Run an automated operation powered by Systems Manager Automation

Setting up Automation