Granting permissions for using Amazon Resource Groups and Tag Editor
To add a policy for using Amazon Resource Groups and Tag Editor to a user, do the following.
- Open the IAM console.
- In the navigation pane, choose Users.
- Find the user to whom you want to grant Amazon Resource Groups and Tag Editor permissions. Choose the user's name to open the user properties page.
- Choose Add permissions.
- Choose Attach existing policies directly.
- Choose Create policy.
- On the JSON tab, paste the following policy statement.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "resource-groups:*",
          "cloudformation:DescribeStacks",
          "cloudformation:ListStackResources",
          "tag:GetResources",
          "tag:TagResources",
          "tag:UntagResources",
          "tag:getTagKeys",
          "tag:getTagValues",
          "resource-explorer:*"
        ],
        "Resource": "*"
      }
    ]
  }
  Note
  This example policy statement grants permissions only for Amazon Resource Groups and Tag Editor actions. It does not allow access to Amazon Systems Manager tasks in the Amazon Resource Groups console. For example, this policy does not grant permissions for you to use Systems Manager Automation commands. To perform Systems Manager tasks on resource groups, you must have Systems Manager permissions attached to your policy (such as ssm:*). For more information about granting access to Systems Manager, see Configuring access to Systems Manager in the Amazon Systems Manager User Guide.
- Choose Review policy.
- Give the new policy a name and description (for example, AWSResourceGroupsQueryAPIAccess).
- Choose Create policy.
- Now that the policy is saved in IAM, you can attach it to other users. For more information about how to add a policy to a user, see Adding permissions by attaching policies directly to the user in the IAM User Guide.
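
Before attaching the policy to more users, it helps to see exactly what it allows. The following is an added example, not part of the original documentation: it parses the policy statement from this page and groups its actions into service-wide wildcards, read actions, and write actions, and flags the unscoped `"Resource": "*"`. The function names and the read-prefix heuristic (`get`, `list`, `describe`, `search`) are assumptions made for this illustration.

```python
import json

# The policy statement pasted on the JSON tab in the procedure above, unchanged.
POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
  "resource-groups:*", "cloudformation:DescribeStacks",
  "cloudformation:ListStackResources", "tag:GetResources", "tag:TagResources",
  "tag:UntagResources", "tag:getTagKeys", "tag:getTagValues",
  "resource-explorer:*" ], "Resource": "*" } ] }
""")

# Assumption: verb prefixes treated as read-only for this review heuristic.
READ_PREFIXES = ("get", "list", "describe", "search")


def as_list(value):
    """IAM allows Statement, Action and Resource to be one value or a list."""
    return list(value) if isinstance(value, list) else [value]


def classify(action):
    """Return 'wildcard', 'read' or 'write' for one service:Action string."""
    if "*" in action:  # service-wide grants such as resource-groups:*
        return "wildcard"
    name = action.partition(":")[2]
    # IAM action names are case-insensitive, so tag:getTagKeys counts as a read.
    return "read" if name.lower().startswith(READ_PREFIXES) else "write"


def audit(policy):
    """Group every allowed action by class and note unscoped resources."""
    report = {"wildcard": [], "read": [], "write": [], "unscoped": False}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            report[classify(action)].append(action)
        if "*" in as_list(stmt.get("Resource", [])):
            report["unscoped"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(audit(POLICY), indent=2))
```

The `wildcard` and `write` groups, combined with `unscoped` being true, are the entries to review when deciding which users should receive this policy.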