Creating a role using custom trust policies (console) - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a role using custom trust policies (console)

You can create a custom trust policy to delegate access and allow others to perform actions in your Amazon Web Services account. For more information, see Creating IAM policies.

For information about how to use roles to delegate permissions, see Roles terms and concepts.

Creating an IAM role using a custom trust policy (console)

You can use the Amazon Web Services Management Console to create a role that an IAM user can assume. For example, assume that your organization has multiple Amazon Web Services accounts to isolate a development environment from a production environment. For high-level information about creating a role that allows users in the development account to access resources in the production account, see Example scenario using separate development and production accounts.

To create a role using a custom trust policy (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at

  2. In the navigation pane of the console, choose Roles and then choose Create role.

  3. Choose the Custom trust policy role type.

  4. In the Custom trust policy section, enter or paste the custom trust policy for the role. For more information, see Creating IAM policies.

  5. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next.

  6. Select the check box next to the custom trust policy you created.

  7. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles.

    Open the Permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. IAM includes a list of the Amazon managed and customer managed policies in your account. Select the policy to use for the permissions boundary.

  8. Choose Next.

  9. For Role name, the degree of role name customization is defined by the service. If the service defines the role's name, this option is not editable. In other cases, the service might define a prefix for the role and allow you to enter an optional suffix. Some services allow you to specify the entire name of your role.

    If possible, enter a role name or role name suffix. Role names must be unique within your Amazon Web Services account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because other Amazon resources might reference the role, you cannot edit the name of the role after it has been created.

  10. (Optional) For Description, enter a description for the new role.

  11. Choose Edit in the Step 1: Select trusted entities or Step 2: Add permissions sections to edit the custom policy and permissions for the role.

  12. (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM resources.

  13. Review the role and then choose Create role.