Assigning users or groups to an existing role - Amazon Directory Service

Assigning users or groups to an existing role

You can assign an existing IAM role to an Amazon Directory Service user or group. To do this, make sure you have completed the following.

Prerequisites
Note

Access for users in nested groups within your directory is not supported. Members of the parent group have console access, but members of child groups do not.

To assign users or groups to an existing IAM role
  1. In the Amazon Directory Service console navigation pane, under Active Directory, choose Directories.

  2. On the Directories page, choose your directory ID.

  3. On the Directory details page, do one of the following:

    • If you do not have any Regions showing under Multi-Region replication, choose the Application management tab.

    • If you have multiple Regions showing under Multi-Region replication, select the Region where you want to make your assignments, and then choose the Application management tab. For more information, see Primary vs additional Regions.

  4. Scroll down to the Amazon Web Services Management Console section, choose Actions and Enable.

  5. Under the Delegate console access section, choose the IAM role name for the existing IAM role that you want to assign users to.

  6. On the Selected role page, under Manage users and groups for this role, choose Add.

  7. On the Add users and groups to the role page, under Select Active Directory Forest, choose either the Amazon Managed Microsoft AD forest (this forest) or the on-premises forest (trusted forest), whichever contains the accounts that need access to the Amazon Web Services Management Console. For more information about how to set up a trusted forest, see Tutorial: Create a trust relationship between your Amazon Managed Microsoft AD and your self-managed Active Directory domain.

  8. Under Specify which users or groups to add, select either Find by user or Find by group, and then type the name of the user or group. In the list of possible matches, choose the user or group that you want to add.

  9. Choose Add to finish assigning the users and groups to the role.
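
The nested-group limitation in the note above can be checked before you pick a group in step 8. The following is an added example, not part of the Amazon documentation: it separates the direct members of a group (who get console access) from users reachable only through child groups (who do not). The group names, user names, and the membership map are constructed and stand in for an export from your own directory.

```python
"""Find users who would NOT get console access because they are only
nested members of a group assigned to an IAM role (assumed data model)."""

# Constructed sample data: group name -> direct members.
# Names that are also keys are groups; all other names are users.
GROUPS = {
    "ConsoleAdmins": ["alice", "OpsTeam"],
    "OpsTeam": ["bob", "OnCall"],
    "OnCall": ["carol", "alice", "OpsTeam"],  # cycle back to OpsTeam
    "Auditors": ["dave"],
}


def direct_users(group, groups):
    """Users listed directly in the group; these get console access."""
    return {m for m in groups.get(group, []) if m not in groups}


def nested_only_users(group, groups):
    """Users reachable only through child groups; these get no access."""
    seen, stack, reachable = {group}, [group], set()
    while stack:
        for member in groups.get(stack.pop(), []):
            if member in groups:
                if member not in seen:  # guard against membership cycles
                    seen.add(member)
                    stack.append(member)
            else:
                reachable.add(member)
    return reachable - direct_users(group, groups)


def audit(group, groups):
    """Return (users with access, users silently excluded) as sorted lists."""
    if group not in groups:
        raise KeyError(f"unknown group: {group}")
    return sorted(direct_users(group, groups)), sorted(nested_only_users(group, groups))


if __name__ == "__main__":
    granted, excluded = audit("ConsoleAdmins", GROUPS)
    print("console access:", granted)
    print("nested only, no access:", excluded)
```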