Modifying a role (console) - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Modifying a role (console)

You can use the Amazon Web Services Management Console to modify a role. To change the set of tags on a role, see Managing tags on IAM roles (console).

Modifying a role trust policy (console)

To change who can assume a role, you must modify the role's trust policy. You cannot modify the trust policy for a service-linked role.

Notes
  • If a user is listed as the principal in a role's trust policy but cannot assume the role, check the user's permissions boundary. If a permissions boundary is set for the user, then it must allow the sts:AssumeRole action.

  • To allow users to assume the current role again within a role session, specify the role ARN or Amazon Web Services account ARN as a principal in the role trust policy. Amazon services that provide compute resources, such as Amazon EC2, Amazon ECS, Amazon EKS, and Lambda, provide temporary credentials and automatically update these credentials. This ensures that you always have a valid set of credentials. For these services, it's not necessary to assume the current role again to obtain temporary credentials. However, if you intend to pass session tags or a session policy, you need to assume the current role again.

To modify a role trust policy (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane of the IAM console, choose Roles.

  3. In the list of roles in your account, choose the name of the role that you want to modify.

  4. Choose the Trust relationships tab, and then choose Edit trust policy.

  5. Edit the trust policy as needed. To add principals that can assume the role, specify them in the Principal element. For example, the following policy snippet shows how to reference two Amazon Web Services accounts in the Principal element:

    "Principal": { "AWS": [ "arn:aws-cn:iam::111122223333:root", "arn:aws-cn:iam::444455556666:root" ] },

    If you specify a principal in another account, adding an account to the trust policy of a role is only half of establishing the cross-account trust relationship. By default, no users in the trusted accounts can assume the role. The administrator for the newly trusted account must grant the users the permission to assume the role. To do that, the administrator must create or edit a policy that is attached to the user to allow the user access to the sts:AssumeRole action. For more information, see the following procedure or Granting a user permissions to switch roles.

    The following policy snippet shows how to reference two Amazon services in the Principal element:

    "Principal": { "Service": [ "opsworks.amazonaws.com.cn", "ec2.amazonaws.com.cn" ] },
  6. When you are finished editing your trust policy, choose Update policy to save your changes.

    For more information about policy structure and syntax, see Policies and permissions in IAM and the IAM JSON policy elements reference.

To allow users in a trusted external account to use the role (console)

For more information and detail about this procedure, see Granting a user permissions to switch roles.

  1. Sign in to the trusted external Amazon Web Services account.

  2. Decide whether to attach the permissions to a user or to a group. In the navigation pane of the IAM console, choose Users or User groups accordingly.

  3. Choose the name of the user or group to which you want to grant access, and then choose the Permissions tab.

  4. Do one of the following:

    • To edit a customer managed policy, choose the name of the policy, choose Edit policy, and then choose the JSON tab. You cannot edit an Amazon managed policy. Amazon managed policies appear with the Amazon icon. For more information about the difference between Amazon managed policies and customer managed policies, see Managed policies and inline policies.

    • To edit an inline policy, choose the arrow next to the name of the policy and choose Edit policy.

  5. In the policy editor, add a new Statement element that specifies the following:

    { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws-cn:iam::ACCOUNT-ID:role/ROLE-NAME" }

    Replace the ARN in the statement with the ARN of the role that the user can assume.

  6. Follow the prompts on screen to finish editing the policy.
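The two halves of the cross-account relationship described in the procedures above, together with the permissions-boundary check from the Notes, as an added example that is not part of the original documentation. The account IDs are the page's sample values; the role name, the user policy and the boundary document are constructed for illustration, and the policy evaluation is a simplified model (no Condition elements).

```python
# Constructed sample documents, not from the page: the account IDs are the
# page's examples; the role name is hypothetical.
ROLE_ARN = "arn:aws-cn:iam::111122223333:role/CrossAccountAudit"
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": ["arn:aws-cn:iam::444455556666:root"]}}]}
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
# A permissions boundary that omits sts:AssumeRole (the case in the Notes above).
BOUNDARY_READONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # Simplified IAM matching: exact, "*", or a trailing-"*" prefix wildcard.
    return pattern == "*" or value == pattern or (
        pattern.endswith("*") and value.startswith(pattern[:-1]))

def _allows(policy, action, resource):
    # Simplified evaluation (no Condition elements): explicit Deny wins,
    # otherwise any matching Allow grants the action on the resource.
    allowed = False
    for st in policy.get("Statement", []):
        if any(_match(a, action) for a in _as_list(st.get("Action", []))) and \
           any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def trust_policy_trusts(trust_policy, account_id):
    # Half one: an Allow for sts:AssumeRole whose Principal names the account.
    for st in trust_policy.get("Statement", []):
        principal = st.get("Principal", {})
        if (st.get("Effect") == "Allow" and isinstance(principal, dict)
                and "sts:AssumeRole" in _as_list(st.get("Action", []))
                and any(f":iam::{account_id}:" in p
                        for p in _as_list(principal.get("AWS", [])))):
            return True
    return False

def can_assume(trust_policy, role_arn, user_account, user_policy, boundary=None):
    # Half two: the user's policy and any permissions boundary must allow sts:AssumeRole.
    if not trust_policy_trusts(trust_policy, user_account):
        return False, "role trust policy does not trust the user's account"
    if not _allows(user_policy, "sts:AssumeRole", role_arn):
        return False, "user policy lacks sts:AssumeRole on the role"
    if boundary is not None and not _allows(boundary, "sts:AssumeRole", role_arn):
        return False, "permissions boundary does not allow sts:AssumeRole"
    return True, "ok"
```

Run `can_assume` with and without `BOUNDARY_READONLY` to see why a user who is correctly listed on both sides still cannot assume the role when the boundary omits sts:AssumeRole.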

Modifying a role permissions policy (console)

To change the permissions allowed by the role, modify the role's permissions policy (or policies). You cannot modify the permissions policy for a service-linked role in IAM. You might be able to modify the permissions policy within the service that depends on the role. To check whether a service supports this feature, see Amazon services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to view the service-linked role documentation for that service.

To change the permissions allowed by a role (console)
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane of the IAM console, choose Roles.

  3. Choose the name of the role that you want to modify, and then choose the Permissions tab.

  4. Do one of the following:

    • To edit an existing customer managed policy, choose the name of the policy and then choose Edit policy.

      Note

      You cannot edit an Amazon managed policy. Amazon managed policies appear with the Amazon icon. For more information about the difference between Amazon managed policies and customer managed policies, see Managed policies and inline policies.

    • To attach an existing managed policy to the role, choose Add permissions and then choose Attach policies.

    • To edit an existing inline policy, expand the policy and choose Edit.

    • To embed a new inline policy, choose Add permissions and then choose Create inline policy.

Modifying a role description (console)

To change the description of the role, modify the description text.

To change the description of a role (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane of the IAM console, choose Roles.

  3. Choose the name of the role to modify.

  4. In the Summary section, choose Edit.

  5. Enter a new description in the box and choose Save changes.

Modifying a role maximum session duration (console)

To specify the maximum session duration setting for roles that are assumed using the console, the Amazon CLI, or Amazon API, modify the maximum session duration setting value. This setting can have a value from 1 hour to 12 hours. If you do not specify a value, the default maximum of 1 hour is applied. This setting does not limit sessions assumed by Amazon services.

To change the maximum session duration setting for roles that are assumed using the console, Amazon CLI, or Amazon API (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane of the IAM console, choose Roles.

  3. Choose the name of the role to modify.

  4. In the Summary section, choose Edit.

  5. For Maximum session duration, choose a value. Alternatively, choose Custom duration and enter a value (in seconds).

  6. Choose Save changes.

    Your changes don't take effect until the next time someone assumes this role. To learn how to revoke existing sessions for this role, see Revoking IAM role temporary security credentials.

In the Amazon Web Services Management Console, IAM user sessions are 12 hours by default. IAM users who switch roles in the console are granted the role maximum session duration, or the remaining time in the user's session, whichever is less.

Anyone who assumes the role from the Amazon CLI or Amazon API can request a longer session, up to this maximum. The MaxSessionDuration setting determines the maximum duration of the role session that can be requested.

Modifying a role permissions boundary (console)

To change the maximum permissions allowed for a role, modify the role's permissions boundary.

To change the policy used to set the permissions boundary for a role
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles.

  3. Choose the name of the role with the permissions boundary that you want to change.

  4. Choose the Permissions tab. If necessary, open the Permissions boundary section and then choose Change boundary.

  5. Select the policy that you want to use for the permissions boundary.

  6. Choose Change boundary.

    Your changes don't take effect until the next time someone assumes this role.