How do I grant specified permissions to an IAM group and adds an existing IAM user to it?

2 minute read

I want to grant specified permissions to an AWS Identity and Access Management (IAM) group and add an existing an IAM user to it.

Short description

You can use the AWS Systems Manager AWSSupport-GrantPermissionsToIAMUser runbook to grant specific permissions to an IAM group and add an existing IAM user to it.

You can use the following IAM policies to do this:

Note: If you use an existing IAM group, then all current IAM users in that group receive the new permissions. To turn on billing access for IAM, activate IAM user and federated user access to the Billing and Cost Management pages.

Resolution

Prerequisites

Before you start the runbook, make sure that your AWS Identify and Access Management (IAM) user or role has the required permissions. For more information, see Required IAM permissions in AWSSupport-GrantPermissionsToIAMUser.

Run the AWSSupport-GrantPermissionsToIAMUser runbook

Open the AWSSupport-GrantPermissionsToIAMUser runbook.
Choose Execute automation.
For the input parameters, enter the following:

AutomationAssumeRole (optional): Enter the ARN of the IAM role that allows Automation to perform actions for you. If a role isn't specified, then Automation uses the permissions of the user that starts the runbook.
IAMGroupName (required): The group can be a new or existing group and must comply with IAM name requirements.
IAMUserName (required): This IAM username must be an existing user.
Permissions (required): Choose either SupportFullAccess, BillingFullAccess, or SupportAndBillingFullAccess.

SupportFullAccess grants full access to the Support center.
BillingFullAccess grants full access to the Billing dashboard.
SupportAndBillingFullAccess grants full access to both Support center and the Billing dashboard.

Choose Execute. The runbook performs this step: aws:executeScript: Sets the IAM permissions for the IAM group and adds the existing IAM user.
After the runbook completes, check the details of all the listed resources in the runbook's Output section:

configureIAM.AddedPermissionsarn: The policy ARN of the permission added to the group.
IAM.LoginUrl: https://Account-Id.signin.aws.amazon.com/console

Note: To help you troubleshoot, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the Systems Manager provided predefined runbooks. These runbooks are prefixed with "AWSSupport-" or "AWSPremiumSupport-".

Related information

Run an automation

Setting up Automation

Topics

Management & Governance End User Computing

Relevant content

How do i give IAM Permissions to a Group to manage a Specific EC2 Instance.
Tech Monster
asked a year ago
How to Restrict an IAM role to a VPC using permission boundary
Amit
asked a year ago
Can I keep existing IAM users and add SSO to our accounts
dlynch
asked 3 years ago
How to grant group to resources using Cognito and IAM
Accepted Answer
rePost-User-8472021
asked 5 months ago
How do I grant DescribeAvailabilityZones permission to an Admin?
Chris
asked 2 years ago
How can I attach an IAM managed policy to an IAM role in AWS CloudFormation?
AWS OFFICIALUpdated 2 years ago
How do I assign an existing IAM role to an EC2 instance?
AWS OFFICIALUpdated a year ago
How do I grant an IAM user access to submit support cases?
AWS OFFICIALUpdated 5 months ago
How do I create an IAM policy to explicitly grant permissions to create and manage EC2 instances in a specified VPC that has tags?
AWS OFFICIALUpdated 17 days ago
How to add tags to existing jobs in AWS Elemental MediaConvert
EXPERT
Bo_L
published 5 months ago