Granting permissions to use identity-aware console sessions - Amazon Identity and Access Management

Granting permissions to use identity-aware console sessions

Identity-aware console sessions enable Amazon IAM Identity Center user and session IDs to be included in users' Amazon console sessions when they sign in. For example, Amazon Q Developer Pro uses identity-aware console sessions to personalize the service experience. For more information about identity-aware console sessions, see Enabling identity-aware console sessions in the Amazon IAM Identity Center User Guide. For information about Amazon Q Developer setup, see Setting up Amazon Q Developer in the Amazon Q Developer User Guide.

For identity-aware console sessions to be available to a user, you must use an identity-based policy to grant the IAM principal the sts:SetContext permission for the resource that represents their own console session.

Important

By default, users do not have permission to set context for their identity-aware console sessions. To allow this, you must grant the IAM principal the sts:SetContext permission in an identity-based policy as shown in the policy example below.

The following example identity-based policy grants the sts:SetContext permission to an IAM principal, allowing the principal to set identity-aware console session context for their own Amazon console sessions. The policy resource, arn:aws:sts::account-id:self, represents the caller’s Amazon session. The account-id ARN segment can be replaced with a wildcard character * in cases where the same permission policy is deployed across multiple accounts, such as when this policy is deployed using IAM Identity Center permission sets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:sts::account-id:self"
        }
    ]
}
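The following Python is an added example, not code from the Amazon documentation. It builds the policy document shown above for a specific account ID or the "*" wildcard, and it lints an arbitrary identity-based policy to confirm that every Allow of sts:SetContext is scoped to the caller's own session resource rather than to "*" or some other ARN. The sample BROAD_POLICY is constructed for illustration; the checker deliberately ignores Condition blocks, so its findings are conservative.

```python
import fnmatch
import json
import re

# Added example (not from the AWS documentation): build the identity-based
# policy the page describes and lint policy documents so that any Allow of
# sts:SetContext is scoped to the caller's own console session resource.

# The page gives the resource as arn:aws:sts::account-id:self, with "*"
# permitted in place of the 12-digit account ID for multi-account use.
SELF_SESSION_ARN = re.compile(r"^arn:aws:sts::(\d{12}|\*):self$")
ACCOUNT_ID = re.compile(r"^(\d{12}|\*)$")


def build_set_context_policy(account_id: str = "*") -> dict:
    """Return the policy from the page for a 12-digit account ID, or for "*"
    when the same policy is deployed across accounts (e.g. permission sets)."""
    if not ACCOUNT_ID.match(account_id):
        raise ValueError("account_id must be 12 digits or '*'")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:SetContext",
                "Resource": f"arn:aws:sts::{account_id}:self",
            }
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_set_context(stmt: dict) -> bool:
    """True if the statement's Action (or NotAction) covers sts:SetContext.
    IAM action names are case-insensitive and may carry * wildcards."""
    def covers(pattern: str) -> bool:
        return fnmatch.fnmatchcase("sts:setcontext", pattern.lower())

    if "NotAction" in stmt:
        # NotAction grants every action except those listed.
        return not any(covers(a) for a in _as_list(stmt["NotAction"]))
    return any(covers(a) for a in _as_list(stmt.get("Action")))


def set_context_findings(policy: dict) -> list:
    """For every Allow statement granting sts:SetContext, report each resource
    as ("OK", index, resource) when it is the caller's own session ARN and
    ("TOO_BROAD", index, resource) otherwise. Conditions are not evaluated."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen the grant
        if not _grants_set_context(stmt):
            continue
        if "NotResource" in stmt:
            # NotResource grants everything except the listed ARNs.
            findings.append(("TOO_BROAD", idx, "NotResource"))
            continue
        for res in _as_list(stmt.get("Resource")):
            status = "OK" if SELF_SESSION_ARN.match(res) else "TOO_BROAD"
            findings.append((status, idx, res))
    return findings


# Constructed sample: a wildcard STS grant of the kind found in broad admin
# policies. It covers sts:SetContext on every resource, not just "self".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:SetContext", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_set_context_policy("*"), indent=4))
    print(set_context_findings(build_set_context_policy("123456789012")))
    print(set_context_findings(BROAD_POLICY))
```

Running the script prints the wildcard-account policy, an OK finding for the account-scoped policy, and a TOO_BROAD finding for the constructed sample, because "Resource": "*" lets the principal call sts:SetContext on resources other than its own session.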