Understanding the configuration profile IAM role
You can create the IAM role that provides access to the configuration data by using
Amazon AppConfig. Or you can create the IAM role yourself. If you create the role by using Amazon AppConfig, the
system creates the role and specifies one of the following permissions policies, depending on
which type of configuration source you choose.
Configuration source is a Secrets Manager secret
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws-cn:secretsmanager:us-east-1:111122223333:secret:secret_name-a1b2c3"
            ]
        }
    ]
}
Configuration source is a Parameter Store parameter
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws-cn:ssm:us-east-1:111122223333:parameter/parameter_name"
            ]
        }
    ]
}
Configuration source is an SSM document
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetDocument"
            ],
            "Resource": [
                "arn:aws-cn:ssm:us-east-1:111122223333:document/document_name"
            ]
        }
    ]
}
If you create the role by using Amazon AppConfig, the system also creates the following trust
relationship for the role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "appconfig.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
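If you create the role yourself, you can check it against the policy shapes shown above. The following Python sketch is an added example, not Amazon AppConfig code: the function names `audit_permissions` and `audit_trust` and the `DRIFTED` sample policy are assumptions made for illustration. It flags any action, wildcard resource, or trusted principal beyond what the generated policies contain.

```python
import json

# Action -> (ARN service, resource prefix), taken from the three policies on this page.
EXPECTED = {
    "secretsmanager:GetSecretValue": ("secretsmanager", "secret:"),
    "ssm:GetParameter": ("ssm", "parameter/"),
    "ssm:GetDocument": ("ssm", "document/"),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Return findings where a permissions policy is broader than the shapes above."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource in Allow statement")
        for action in _as_list(stmt.get("Action", [])):
            if action not in EXPECTED:
                findings.append(f"unexpected action: {action}")
                continue
            service, prefix = EXPECTED[action]
            for arn in _as_list(stmt.get("Resource", [])):
                parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
                if "*" in arn or "?" in arn:
                    findings.append(f"wildcard resource for {action}: {arn}")
                elif len(parts) != 6 or parts[2] != service or not parts[5].startswith(prefix):
                    findings.append(f"resource does not match {action}: {arn}")
    return findings

def audit_trust(policy):
    """Return findings where a trust policy allows more than AppConfig assuming the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (not isinstance(principal, dict) or set(principal) != {"Service"}
                or services != ["appconfig.amazonaws.com"]):
            findings.append(f"unexpected principal: {json.dumps(principal)}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"unexpected trust action: {stmt.get('Action')}")
    return findings

# Constructed sample: a hand-written role that drifted from the generated policy.
DRIFTED = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Action": ["ssm:GetParameter", "ssm:PutParameter"], '
    '"Resource": "arn:aws-cn:ssm:us-east-1:111122223333:parameter/*"}]}')
```

Both functions return an empty list for the policies shown on this page.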