Configure the group role - Amazon IoT Greengrass
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IoT Greengrass Version 1 entered the extended life phase on June 30, 2023. For more information, see the Amazon IoT Greengrass V1 maintenance policy. After this date, Amazon IoT Greengrass V1 won't release updates that provide features, enhancements, bug fixes, or security patches. Devices that run on Amazon IoT Greengrass V1 won't be disrupted and will continue to operate and to connect to the cloud. We strongly recommend that you migrate to Amazon IoT Greengrass Version 2, which adds significant new features and support for additional platforms.

Configure the group role

The group role is an IAM role that you create and attach to your Greengrass group. This role contains the permissions that deployed Lambda functions (and other Amazon IoT Greengrass features) use to access Amazon services. For more information, see Greengrass group role.

You use the following high-level steps to create a group role in the IAM console.

  1. Create a policy that allows or denies actions on one or more resources.

  2. Create a role that uses the Greengrass service as a trusted entity.

  3. Attach your policy to the role.

Then, in the Amazon IoT console, you add the role to the Greengrass group.


A Greengrass group has one group role. If you want to add permissions, you can edit attached policies or attach more policies.


For this tutorial, you create a permissions policy that allows describe, create, and update actions on an Amazon DynamoDB table. Then, you attach the policy to a new role and associate the role with your Greengrass group.

First, create a customer-managed policy that grants permissions required by the Lambda function in this module.

  1. In the IAM console, in the navigation pane, choose Policies, and then choose Create policy.

  2. On the JSON tab, replace the placeholder content with the following policy. The Lambda function in this module uses these permissions to create and update a DynamoDB table named CarStats.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "PermissionsForModule6", "Effect": "Allow", "Action": [ "dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:*:*:table/CarStats" } ] }
  3. Choose Next: Tags, and then choose Next: Review. Tags aren't used in this tutorial.

  4. For Name, enter greengrass_CarStats_Table, and then choose Create policy.


    Next, create a role that uses the new policy.

  5. In the navigation pane, choose Roles, and then choose Create role.

  6. Under Trusted entity type, choose Amazon service.

  7. Under Use case, Use cases for other Amazon services choose Greengrass, select Greengrass, and then choose Next.

  8. Under Permissions policies, select the new greengrass_CarStats_Table policy, and then choose Next.

  9. For Role name, enter Greengrass_Group_Role.

  10. For Description, enter Greengrass group role for connectors and user-defined Lambda functions.

  11. Choose Create role.

    Now, add the role to your Greengrass group.

  12. In the Amazon IoT console navigation pane, under Manage, expand Greengrass devices, and then choose Groups (V1).

  13. Under Greengrass groups, choose your group.

  14. Choose Settings, and then choose Associate role.

  15. Choose Greengrass_Group_Role from your list of roles, and then choose Associate role.