# Create an OTA user policy
<a name="create-ota-user-policy"></a>

You must grant your user permission to perform over-the-air (OTA) updates. That requires permissions to:
+ Access the S3 bucket where your firmware updates are stored.
+ Access certificates stored in Amazon Certificate Manager.
+ Access the Amazon IoT MQTT-based file delivery feature.
+ Access FreeRTOS OTA updates.
+ Access Amazon IoT jobs.
+ Access IAM.
+ Access Code Signing for Amazon IoT. See [Grant access to code signing for Amazon IoT](code-sign-policy.md).
+ List FreeRTOS hardware platforms.
+ Tag and untag Amazon IoT resources.

To grant your user the required permissions, see [IAM Policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html). Also see [Authorizing users and cloud services to use Amazon IoT Jobs](https://docs.amazonaws.cn/iot/latest/developerguide/iam-policy-users-jobs.html).
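As an added example (not code from this page or the FreeRTOS project), the following Python builds a policy document that maps each capability listed above to IAM actions and lints it for unscoped S3 or IAM grants; the partition, Region, account ID, bucket name and OTA service role name are assumptions supplied by the caller.

```python
import json

def ota_user_policy(partition, region, account_id, bucket, ota_role_name):
    """Return an IAM policy document (dict) covering the OTA permissions listed above.
    All five arguments are caller-supplied assumptions, not values from the page.
    S3 and iam:PassRole are scoped to ARNs; other services stay at "*" as in AWS samples."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    role_arn = f"arn:{partition}:iam::{account_id}:role/{ota_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "FirmwareBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
             "Resource": [bucket_arn]},
            {"Sid": "FirmwareObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
             "Resource": [f"{bucket_arn}/*"]},
            {"Sid": "PassOtaServiceRole", "Effect": "Allow",
             "Action": ["iam:PassRole", "iam:GetRole"], "Resource": [role_arn]},
            {"Sid": "SigningCertificates", "Effect": "Allow",
             "Action": ["acm:ImportCertificate", "acm:ListCertificates",
                        "acm:DescribeCertificate", "acm:GetCertificate"],
             "Resource": ["*"]},
            {"Sid": "StreamsOtaUpdatesJobsTags", "Effect": "Allow",
             "Action": ["iot:CreateStream", "iot:DescribeStream", "iot:ListStreams",
                        "iot:DeleteStream", "iot:CreateOTAUpdate", "iot:GetOTAUpdate",
                        "iot:ListOTAUpdates", "iot:DeleteOTAUpdate", "iot:CreateJob",
                        "iot:DescribeJob", "iot:ListJobs", "iot:CancelJob", "iot:DeleteJob",
                        "iot:TagResource", "iot:UntagResource", "iot:ListTagsForResource"],
             "Resource": ["*"]},
            {"Sid": "CodeSigning", "Effect": "Allow",
             "Action": ["signer:StartSigningJob", "signer:DescribeSigningJob",
                        "signer:ListSigningJobs", "signer:PutSigningProfile",
                        "signer:GetSigningProfile", "signer:ListSigningProfiles"],
             "Resource": ["*"]},
            {"Sid": "HardwarePlatforms", "Effect": "Allow",
             "Action": ["freertos:ListHardwarePlatforms"], "Resource": ["*"]},
        ],
    }

def unscoped_sensitive_statements(policy):
    """Lint: Sids of statements that grant s3:* or iam:* actions on Resource '*'."""
    return [s["Sid"] for s in policy["Statement"]
            if "*" in s["Resource"] and any(a.split(":")[0] in ("s3", "iam") for a in s["Action"])]

if __name__ == "__main__":
    # Constructed sample values, not real account identifiers.
    doc = ota_user_policy("aws-cn", "cn-north-1", "123456789012", "my-firmware", "OtaServiceRole")
    print(json.dumps(doc, indent=2))
```

Attach the generated document as a customer-managed policy to the role your user assumes, and run the lint again whenever the policy is edited.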

To provide access, add permissions to your users, groups, or roles:
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.