Granting permissions to use identity-enhanced console sessions
Identity-enhanced console sessions enable Amazon IAM Identity Center user and session IDs to be included in users' Amazon console sessions when they sign in. For example, Amazon Q Developer Pro uses identity-enhanced console sessions to personalize the service experience. For more information about identity-enhanced console sessions, see Enabling identity-enhanced console sessions in the Amazon IAM Identity Center User Guide. For information about Amazon Q Developer setup, see Setting up Amazon Q Developer in the Amazon Q Developer User Guide.
For identity-enhanced console sessions to be available to a user, you must use an
    identity-based policy to grant the IAM principal the sts:SetContext permission
    for the resource that represents their own console session. 
Important
By default, users do not have permission to set context for their identity-enhanced console
      sessions. To allow this, you must grant the IAM principal the sts:SetContext
      permission in an identity-based policy as shown in the policy example below.
The following example identity-based policy grants the sts:SetContext
    permission to an IAM principal, allowing the principal to set identity-enhanced console session
    context for their own Amazon console sessions. The policy resource,
        arn:aws:sts::account-id:self, represents the
    caller’s Amazon session. The account-id ARN segment can be replaced with a wildcard
    character * in cases where the same permission policy is deployed across multiple
    accounts, such as when this policy is deployed using IAM Identity Center permission sets.
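A policy document matching the description above, written out here as an added example rather than taken from the original page. `account-id` is the placeholder for the 12-digit account ID, and the `Version` value is the standard IAM policy language version.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:sts::account-id:self"
        }
    ]
}
```

For the multi-account case, the resource becomes arn:aws:sts::*:self. The :self suffix stays in both forms, which keeps the grant scoped to the caller's own session.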