
Managing access to the Amazon Web Services Support App

After you have permissions to the Amazon Web Services Support App widget, you must also create an Amazon Identity and Access Management (IAM) role. This role performs actions from other Amazon Web Services services for you, such as the Amazon Web Services Support API and Service Quotas.

You then attach an IAM policy to this role so that the role has the required permissions to complete these actions. You choose this role when you create your Slack channel configuration in the Support Center Console.

Users in your Slack channel have the same permissions that you grant to the IAM role. For example, if you specify read-only access to your support cases, then users in your Slack channel can view your support cases, but can't update them.

Important

When you request a live chat with a support agent and choose new private channel as your live chat channel preference, the Amazon Web Services Support App creates a separate Slack channel. This Slack channel has the same permissions as the channel where you created the case or initiated the chat.

If you change the IAM role or the IAM policy, your changes apply to the Slack channel that you configured and to any new live chat Slack channels that the Amazon Web Services Support App creates for you.

Follow these procedures to create your IAM role and policy.

Use an Amazon managed policy or create a customer managed policy

To grant your role permissions, you can use either an Amazon managed policy or a customer managed policy.

Tip

If you don't want to create a policy manually, we recommend that you use an Amazon managed policy instead and skip this procedure. Managed policies automatically have the required permissions for the Amazon Web Services Support App. You don't need to update the policies manually. For more information, see Amazon managed policies for Amazon Web Services Support App in Slack.

Follow this procedure to create a customer managed policy for your role. This procedure uses the JSON policy editor in the IAM console.

To create a customer managed policy for the Amazon Web Services Support App
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Replace the default JSON in the editor with your own JSON. You can use the example policy.

  6. Choose Next: Tags.

  7. (Optional) You can use tags as key–value pairs to add metadata to the policy.

  8. Choose Next: Review.

  9. On the Review policy page, enter a Name, such as AWSSupportAppRolePolicy, and a Description (optional).

  10. Review the Summary page to see the permissions that the policy allows and then choose Create policy.

This policy defines the actions that the role can take. For more information, see Creating IAM policies (console) in the IAM User Guide.

Example IAM policy

You can attach the following example policy to your IAM role. This policy allows the role to have full permissions to all required actions for the Amazon Web Services Support App. After you configure a Slack channel with the role, any user in your channel has the same permissions.

Note

You can update the policy to remove a permission from the Amazon Web Services Support App.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicequotas:GetRequestedServiceQuotaChange",
                "servicequotas:GetServiceQuota",
                "servicequotas:RequestServiceQuotaIncrease",
                "support:AddAttachmentsToSet",
                "support:AddCommunicationToCase",
                "support:CreateCase",
                "support:DescribeCases",
                "support:DescribeCommunications",
                "support:DescribeSeverityLevels",
                "support:InitiateChatForCase",
                "support:ResolveCase"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}
            }
        }
    ]
}
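The following Python is an added example, not part of the original documentation. It derives a read-only customer managed policy from the example policy above, so that users in the Slack channel can view support cases and quotas but can't change them. The function names and the rule that only Describe, Get and List verbs count as read-only are assumptions of this example.

```python
import json

# The example policy from this page, embedded so the script runs offline.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "servicequotas:GetRequestedServiceQuotaChange",
            "servicequotas:GetServiceQuota",
            "servicequotas:RequestServiceQuotaIncrease",
            "support:AddAttachmentsToSet",
            "support:AddCommunicationToCase",
            "support:CreateCase",
            "support:DescribeCases",
            "support:DescribeCommunications",
            "support:DescribeSeverityLevels",
            "support:InitiateChatForCase",
            "support:ResolveCase"]},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": "*", "Condition": {"StringEquals": {
             "iam:AWSServiceName": "servicequotas.amazonaws.com"}}},
    ],
}

# Assumption of this example: actions whose verb starts with one of these
# prefixes only read data; everything else (wildcards included) is dropped.
READ_PREFIXES = ("Describe", "Get", "List")

def is_read_only(action):
    """Classify an action such as support:DescribeCases by its verb."""
    return action.partition(":")[2].startswith(READ_PREFIXES)

def restrict_to_read_only(policy):
    """Return a new policy whose Allow statements keep only read actions."""
    statements = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            statements.append(dict(stmt))  # keep Deny statements untouched
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        kept = [a for a in actions if is_read_only(a)]
        if kept:  # an Allow with no actions left is dropped entirely
            statements.append(dict(stmt, Action=kept))
    return {"Version": policy["Version"], "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(restrict_to_read_only(EXAMPLE_POLICY), indent=2))
```

The printed JSON can be pasted into the JSON policy editor in step 5 of the procedure above. The iam:CreateServiceLinkedRole statement is dropped because a read-only role has no need to create the Service Quotas role.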

For a description of each action, see the following topics in the Service Authorization Reference:

Create an IAM role

After you have your policy, you must create an IAM role, and then attach the policy to that role. You choose this role when you create a Slack channel configuration in the Support Center Console.

To create a role for the Amazon Web Services Support App
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. For Select trusted entity, choose Amazon Web Services service.

  4. Choose Amazon Web Services Support App.

  5. Choose Next: Permissions.

  6. Enter the policy name. You can choose the Amazon managed policy or choose a customer managed policy that you created, such as AWSSupportAppRolePolicy. Then select the check box next to the policy.

  7. Choose Next: Tags.

  8. (Optional) You can use tags as key–value pairs to add metadata to the role.

  9. Choose Next: Review.

  10. For Role name, enter a name, such as AWSSupportAppRole.

  11. (Optional) For Role description, enter a description for the role.

  12. Review the role and then choose Create role. You can now choose this role when you configure a Slack channel in the Support Center Console. See Configuring a Slack channel.

For more information, see Creating a role for an Amazon service in the IAM User Guide.

Troubleshooting

See the following topics to manage access to the Amazon Web Services Support App.

I want to restrict specific users in my Slack channel from specific actions

By default, users in your Slack channel have the same permissions specified in the IAM policy that you attach to the IAM role that you create. This means anyone in the channel has read or write access to your support cases, whether or not they have an Amazon Web Services account or an IAM user.

We recommend the following best practices:

When I configure a Slack channel, I don't see the IAM role that I created

If your IAM role doesn't appear in the IAM role for the Amazon Web Services Support App list, this means that the role doesn't have the Amazon Web Services Support App as a trusted entity, or that the role was deleted. You can update the existing role, or create another one. See Create an IAM role.

My IAM role is missing a permission

The IAM role that you create for your Slack channel needs permissions to perform the actions that you want. For example, if you want your users in Slack to create support cases, the role must have the support:CreateCase permission. The Amazon Web Services Support App assumes this role to perform these actions for you.

If you receive an error about a missing permission from the Amazon Web Services Support App, verify that the policy attached to your role has the required permission.

See the previous Example IAM policy.
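One way to run the check described above offline, as an added example that is not part of the original documentation: given the JSON of the policy attached to the role, report which actions the role can't perform. ROLE_POLICY is a constructed sample and the function names are hypothetical. The check looks only at Effect and Action in a single policy and ignores Resource, Condition, NotAction and any other policy that applies to the role.

```python
from fnmatch import fnmatchcase

# Constructed sample: a policy attached to the role chosen for a Slack channel.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["support:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "support:ResolveCase", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM lets Action be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, action):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action):
    """An explicit Deny wins; otherwise some Allow statement must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" not in stmt:
            continue  # NotAction statements are outside this example
        if _matches(_as_list(stmt["Action"]), action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_actions(policy, wanted):
    """Return the actions in `wanted` that the policy does not grant."""
    return [a for a in wanted if not is_allowed(policy, a)]

if __name__ == "__main__":
    wanted = ["support:DescribeCases", "support:CreateCase",
              "support:ResolveCase"]
    for action in missing_actions(ROLE_POLICY, wanted):
        print("role is missing:", action)
```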

A Slack error says that my IAM role isn't valid

Verify that you chose the correct role for your channel configuration.

To verify your role
  1. Sign in to the Amazon Support Center Console at https://console.amazonaws.cn/support/app#/config.

  2. Choose the channel that you configured with the Amazon Web Services Support App.

  3. From the Permissions section, find the IAM role name that you chose.

    • To change the role, choose Edit, choose another role, and then choose Save.

    • To update the role or the policy attached to the role, sign in to the IAM console.

The Amazon Web Services Support App says that I'm missing an IAM role for Service Quotas

You must have the AWSServiceRoleForServiceQuotas role in your account to request quota increases from Service Quotas. If you receive an error about a missing resource, complete one of the following steps:

  • Use the Service Quotas console to request a quota increase. After you make a successful request, Service Quotas creates this role for you automatically. Then, you can use the Amazon Web Services Support App to request quota increases in Slack. For more information, see Requesting a quota increase.

  • Update the IAM policy attached to your role. This grants the role permission to Service Quotas. The following section in the Example IAM policy allows the Amazon Web Services Support App to create the Service Quotas role for you.

    {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}
        }
    }

If you delete the IAM role that you configure for your channel, you must manually create the role or update the IAM policy to allow the Amazon Web Services Support App to create one for you.