# Minimal IAM policy for installer to provision resources When you install the Amazon IoT Greengrass Core software, you can provision required Amazon resources, such as an Amazon IoT thing and an IAM role for your device. You can also deploy local development tools to the device. The installer requires Amazon credentials so that it can perform these actions in your Amazon Web Services account. For more information, see [Install the Amazon IoT Greengrass Core software](install-greengrass-core-v2.md). The following example policy includes the minimum set of actions that the installer requires to provision these resources. These permissions are required if you specify the `--provision` argument for the installer. Replace *account-id* with your Amazon Web Services account ID, and replace *GreengrassV2TokenExchangeRole* with the name of the token exchange role that you specify with the `--tes-role-name` [installer argument](configure-installer.md). **Note** The `DeployDevTools` policy statement is required only if you specify the `--deploy-dev-tools` argument for the installer. ------ #### [ Greengrass nucleus v2.5.0 and later ] ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CreateTokenExchangeRole", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetRole", "iam:PassRole" ], "Resource": [ "arn:aws-cn:iam::123456789012:role/GreengrassV2TokenExchangeRole", "arn:aws-cn:iam::123456789012:policy/GreengrassV2TokenExchangeRoleAccess", "arn:aws-cn:iam::aws:policy/GreengrassV2TokenExchangeRoleAccess" ] }, { "Sid": "CreateIoTResources", "Effect": "Allow", "Action": [ "iot:AddThingToThingGroup", "iot:AttachPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateRoleAlias", "iot:CreateThing", "iot:CreateThingGroup", "iot:DescribeEndpoint", "iot:DescribeRoleAlias", "iot:DescribeThingGroup", "iot:GetPolicy" ], "Resource": "*" }, { "Sid": "DeployDevTools", "Effect": "Allow", "Action": [ "greengrass:CreateDeployment", "iot:CancelJob", "iot:CreateJob", "iot:DeleteThingShadow", "iot:DescribeJob", "iot:DescribeThing", "iot:DescribeThingGroup", "iot:GetThingShadow", "iot:UpdateJob", "iot:UpdateThingShadow" ], "Resource": "*" } ] } ``` ------ ------ #### [ Earlier than v2.5.0 ] ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CreateTokenExchangeRole", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetRole", "iam:PassRole" ], "Resource": [ "arn:aws-cn:iam::123456789012:role/GreengrassV2TokenExchangeRole", "arn:aws-cn:iam::123456789012:policy/GreengrassV2TokenExchangeRoleAccess", "arn:aws-cn:iam::aws:policy/GreengrassV2TokenExchangeRoleAccess" ] }, { "Sid": "CreateIoTResources", "Effect": "Allow", "Action": [ "iot:AddThingToThingGroup", "iot:AttachPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateRoleAlias", "iot:CreateThing", "iot:CreateThingGroup", "iot:DescribeEndpoint", "iot:DescribeRoleAlias", "iot:DescribeThingGroup", "iot:GetPolicy" ], "Resource": "*" }, { "Sid": "DeployDevTools", "Effect": "Allow", "Action": [ "greengrass:CreateDeployment", "iot:CancelJob", "iot:CreateJob", "iot:DeleteThingShadow", "iot:DescribeJob", "iot:DescribeThing", "iot:DescribeThingGroup", "iot:GetThingShadow", "iot:UpdateJob", "iot:UpdateThingShadow" ], "Resource": "*" } ] } ``` ------ ------