Managing access to the Amazon Web Services Support App
After you have permissions to the Amazon Web Services Support App widget, you must also create an Amazon Identity and Access Management (IAM) role. This role performs actions from other Amazon Web Services services for you, such as the Amazon Web Services Support API and Service Quotas.
You then attach an IAM policy to this role so that the role has the required permissions to complete these actions. You choose this role when you create your Slack channel configuration in the Support Center Console.
Users in your Slack channel have the same permissions that you grant to the IAM role. For example, if you specify read-only access to your support cases, then users in your Slack channel can view your support cases, but can't update them.
Important
When you request a live chat with a support agent and choose new private channel as your live chat channel preference, the Amazon Web Services Support App creates a separate Slack channel. This Slack channel has the same permissions as the channel where you created the case or initiated the chat.
If you change the IAM role or the IAM policy, your changes apply to the Slack channel that you configured and to any new live chat Slack channels that the Amazon Web Services Support App creates for you.
Follow these procedures to create your IAM role and policy.
Use an Amazon managed policy or create a customer managed policy
To grant your role permissions, you can use either an Amazon managed policy or a customer managed policy.
Tip
If you don't want to create a policy manually, we recommend that you use an Amazon managed policy instead and skip this procedure. Managed policies automatically have the required permissions for the Amazon Web Services Support App. You don't need to update the policies manually. For more information, see Amazon managed policies for Amazon Web Services Support App in Slack.
Follow this procedure to create a customer managed policy for your role. This procedure uses the JSON policy editor in the IAM console.
To create a customer managed policy for the Amazon Web Services Support App
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Policies.
- Choose Create policy.
- Choose the JSON tab.
- Enter your JSON, and then replace the default JSON in the editor. You can use the example policy.
- Choose Next: Tags.
- (Optional) You can use tags as key–value pairs to add metadata to the policy.
- Choose Next: Review.
- On the Review policy page, enter a Name, such as AWSSupportAppRolePolicy, and a Description (optional).
- Review the Summary page to see the permissions that the policy allows and then choose Create policy.
This policy defines the actions that the role can take. For more information, see Creating IAM policies (console) in the IAM User Guide.
Example IAM policy
You can attach the following example policy to your IAM role. This policy allows the role to have full permissions to all required actions for the Amazon Web Services Support App. After you configure a Slack channel with the role, any user in your channel has the same permissions.
Note
For a list of Amazon managed policies, see Amazon managed policies for Amazon Web Services Support App in Slack.
You can update the policy to remove a permission from the Amazon Web Services Support App.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicequotas:GetRequestedServiceQuotaChange",
                "servicequotas:GetServiceQuota",
                "servicequotas:RequestServiceQuotaIncrease",
                "support:AddAttachmentsToSet",
                "support:AddCommunicationToCase",
                "support:CreateCase",
                "support:DescribeCases",
                "support:DescribeCommunications",
                "support:DescribeSeverityLevels",
                "support:InitiateChatForCase",
                "support:ResolveCase"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}
            }
        }
    ]
}
For descriptions for each action, see the following topics in the Service Authorization Reference:
Create an IAM role
After you have your policy, you must create an IAM role, and then attach the policy to that role. You choose this role when you create a Slack channel configuration in the Support Center Console.
To create a role for the Amazon Web Services Support App
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Roles, and then choose Create role.
- For Select trusted entity, choose Amazon Web Services service.
- Choose Amazon Web Services Support App.
- Choose Next: Permissions.
- Enter the policy name. You can choose the Amazon managed policy or choose a customer managed policy that you created, such as AWSSupportAppRolePolicy. Then select the check box next to the policy.
- Choose Next: Tags.
- (Optional) You can use tags as key–value pairs to add metadata to the role.
- Choose Next: Review.
- For Role name, enter a name, such as AWSSupportAppRole.
- (Optional) For Role description, enter a description for the role.
- Review the role and then choose Create role. You can now choose this role when you configure a Slack channel in the Support Center Console. See Configuring a Slack channel.
For more information, see Creating a role for an Amazon service in the IAM User Guide.
Troubleshooting
See the following topics to manage access to the Amazon Web Services Support App.
Contents
- I want to restrict specific users in my Slack channel from specific actions
- When I configure a Slack channel, I don't see the IAM role that I created
- My IAM role is missing a permission
- A Slack error says that my IAM role isn't valid
- The Amazon Web Services Support App says that I'm missing an IAM role for Service Quotas
I want to restrict specific users in my Slack channel from specific actions
By default, users in your Slack channel have the same permissions specified in the IAM policy that you attach to the IAM role that you create. This means anyone in the channel has read or write access to your support cases, whether or not they have an Amazon Web Services account or an IAM user.
We recommend the following best practices:
- Configure private Slack channels with the Amazon Web Services Support App
- Only invite users to your channel who need access to your support cases
- Use an IAM policy that has the minimum required permissions to the Amazon Web Services Support App. See Amazon managed policies for Amazon Web Services Support App in Slack.
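The least-privilege recommendation above, as an added example (not part of the original page and not AWS tooling): a Python check that lists the write-capable actions every channel member inherits from a role policy, flags an iam:CreateServiceLinkedRole grant that is not pinned to servicequotas.amazonaws.com, and derives a read-only variant. The read/write classification and all function names are assumptions of this example; the action names come from the Example IAM policy on this page.

```python
# Write-capable actions in the page's example policy. The read/write split is
# this example's own classification, not an AWS-published list.
WRITE = {"servicequotas:RequestServiceQuotaIncrease", "support:AddAttachmentsToSet",
         "support:AddCommunicationToCase", "support:CreateCase",
         "support:InitiateChatForCase", "support:ResolveCase"}
READ = ["servicequotas:GetRequestedServiceQuotaChange", "servicequotas:GetServiceQuota",
        "support:DescribeCases", "support:DescribeCommunications",
        "support:DescribeSeverityLevels"]
SLR = "iam:CreateServiceLinkedRole"

# The page's example policy, rebuilt from the lists above (action order differs).
EXAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ + sorted(WRITE), "Resource": "*"},
    {"Effect": "Allow", "Action": SLR, "Resource": "*", "Condition": {
        "StringEquals": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}}},
]}

def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)

def channel_write_actions(policy):
    """Write-capable actions that every member of the Slack channel inherits.
    Wildcards are reported too, since they may cover write actions."""
    return sorted({a for s in policy["Statement"] if s.get("Effect") == "Allow"
                   for a in _actions(s) if a in WRITE or "*" in a})

def unscoped_slr(policy):
    """Allow statements that grant iam:CreateServiceLinkedRole without pinning
    iam:AWSServiceName to servicequotas.amazonaws.com."""
    bad = []
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and SLR in _actions(s):
            cond = s.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:AWSServiceName") != "servicequotas.amazonaws.com":
                bad.append(s)
    return bad

def to_read_only(policy):
    """Copy of the policy without write actions, wildcards or the service-linked
    role grant (that grant is only needed for quota increase requests)."""
    out = {"Version": policy["Version"], "Statement": []}
    for s in policy["Statement"]:
        kept = [a for a in _actions(s) if a not in WRITE and a != SLR and "*" not in a]
        if kept:
            out["Statement"].append({**s, "Action": kept})
    return out
```

Run channel_write_actions on the policy attached to the role before you add people to the channel; an empty result means channel members can view cases and quotas but not change them.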
When I configure a Slack channel, I don't see the IAM role that I created
If your IAM role doesn't appear in the IAM role for the Amazon Web Services Support App list, this means that the role doesn't have the Amazon Web Services Support App as a trusted entity, or that the role was deleted. You can update the existing role, or create another one. See Create an IAM role.
My IAM role is missing a permission
The IAM role that you create for your Slack channel needs permissions to perform the actions that you want. For example, if you want your users in Slack to create support cases, the role must have the support:CreateCase permission. The Amazon Web Services Support App assumes this role to perform these actions for you.
If you receive an error about a missing permission from the Amazon Web Services Support App, verify that the policy attached to your role has the required permission. See the previous Example IAM policy.
A Slack error says that my IAM role isn't valid
Verify that you chose the correct role for your channel configuration.
To verify your role
- Sign in to the Amazon Support Center Console at the https://console.amazonaws.cn/support/app#/config page.
- Choose the channel that you configured with the Amazon Web Services Support App.
- From the Permissions section, find the IAM role name that you chose.
- To change the role, choose Edit, choose another role, and then choose Save.
- To update the role or the policy attached to the role, sign in to the IAM console.
The Amazon Web Services Support App says that I'm missing an IAM role for Service Quotas
You must have the AWSServiceRoleForServiceQuotas role in your account to request quota increases from Service Quotas. If you receive an error about a missing resource, complete one of the following steps:
- Use the Service Quotas console to request a quota increase. After you make a successful request, Service Quotas creates this role for you automatically. Then, you can use the Amazon Web Services Support App to request quota increases in Slack. For more information, see Requesting a quota increase.
- Update the IAM policy attached to your role. This grants the role permission to Service Quotas. The following section in the Example IAM policy allows the Amazon Web Services Support App to create the Service Quotas role for you.
{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}
    }
}
If you delete the IAM role that you configure for your channel, you must manually create the role or update the IAM policy to allow the Amazon Web Services Support App to create one for you.