Amazon IoT SiteWise IAM roles - Amazon IoT SiteWise

Amazon IoT SiteWise IAM roles

An IAM role is an entity within your Amazon Web Services account that has specific permissions.

Using temporary credentials with Amazon IoT SiteWise

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling Amazon STS API operations such as AssumeRole or GetFederationToken.

Amazon IoT SiteWise supports using temporary credentials.

SiteWise Monitor supports federated users accessing portals. Portal users authenticate with their IAM credentials; what they can then do inside the portal is governed by the session policy described below, not by the full permissions of their own IAM identity.

Important

Users or roles must have the iotsitewise:DescribePortal permission to sign in to the portal. Where you can, grant it on the ARN of the specific portal rather than on `*`, so that a user entitled to one portal cannot sign in to others in the account.

When a user signs in to a portal, SiteWise Monitor generates a session policy that provides the following permissions:

  • Read-only access to the assets and asset data in Amazon IoT SiteWise in your account to which that portal's role provides access.

  • Access to projects in that portal to which the user has administrator (project owner) or read-only (project viewer) access.

For more information about federated portal user permissions, see Using service roles for Amazon IoT SiteWise Monitor.

Forward access sessions (FAS) for Amazon IoT SiteWise

Supports forward access sessions (FAS): Yes

When you use an IAM user or role to perform actions in Amazon Web Services, you are considered a principal. When you use some services, you might perform an action that then initiates another action in a different service. FAS uses the permissions of the principal calling an Amazon Web Service, combined with the identity of the requesting service, to make requests to downstream services. FAS requests are only made when a service receives a request that requires interactions with other Amazon Web Services or resources to complete. In this case, you must have permissions to perform both actions; a missing permission on the downstream action fails the whole request even though you never called that service directly. For policy details when making FAS requests, see Forward access sessions.

Service-linked roles

Service-linked roles allow Amazon services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your Amazon Web Services account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.

Amazon IoT SiteWise supports service-linked roles. For details about creating or managing Amazon IoT SiteWise service-linked roles, see Using service-linked roles for Amazon IoT SiteWise.

Service roles

This feature allows a service to assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your Amazon Web Services account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.

Amazon IoT SiteWise uses a service role to allow SiteWise Monitor portal users to access some of your Amazon IoT SiteWise resources on your behalf. For more information, see Using service roles for Amazon IoT SiteWise Monitor.

You must have required permissions before you can create Amazon IoT Events alarm models in Amazon IoT SiteWise. For more information, see Setting up permissions for Amazon IoT Events alarms.

Choosing an IAM role in Amazon IoT SiteWise

When you create a portal resource in Amazon IoT SiteWise, you must choose a role to allow the federated users of your SiteWise Monitor portal to access Amazon IoT SiteWise on your behalf. If you have previously created a service role, then Amazon IoT SiteWise provides you with a list of roles to choose from. Otherwise, you can create a role with the required permissions when you create a portal. It's important to choose a role that allows access to your assets and asset data. Because the session policy that SiteWise Monitor generates is bounded by what this role allows, the role both enables and limits what portal users can see, so review its permissions before reusing an existing, broader role for a new portal. For more information, see Using service roles for Amazon IoT SiteWise Monitor.
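As an added example (not code from the AWS documentation or from AWS), the script below reviews a candidate portal role against what this page requires before you pass its ARN to the portal: the trust policy should admit only the SiteWise Monitor service principal (the principal name `monitor.iotsitewise.amazonaws.com` is an assumption of this example; confirm it on a role the console creates for you), the permissions policy should grant the asset and asset-data reads the read-only portal session needs and not much more, and each portal user needs `iotsitewise:DescribePortal` on that portal. The policy evaluator is a simplified model (action and resource wildcard matching with an explicit Deny overriding Allow, Condition elements ignored), and every policy document and ARN in it is constructed.

```python
"""Least-privilege review of a SiteWise Monitor portal service role.

Added example; not code from the Amazon IoT SiteWise documentation or from
AWS. It evaluates only Action/Resource matching of IAM policy documents
(explicit Deny beats Allow; '*' and '?' wildcards, case-insensitive, as in
IAM) on constructed inline policies, ignores Condition elements, and makes
no AWS API calls. Lines marked ASSUMPTION are not taken from the page.
"""
import fnmatch
from typing import Any, Optional

# ASSUMPTION: the service principal that assumes the portal role. Confirm it
# against the trust policy of a role the SiteWise console creates for you.
MONITOR_PRINCIPAL = "monitor.iotsitewise.amazonaws.com"

# ASSUMPTION: an example allowlist for "read-only access to assets and asset
# data"; AWS's own role policy for portals may carry other actions as well.
READ_ONLY_ACTIONS = {
    "iotsitewise:DescribeAsset",
    "iotsitewise:ListAssets",
    "iotsitewise:ListAssociatedAssets",
    "iotsitewise:DescribeAssetModel",
    "iotsitewise:ListAssetModels",
    "iotsitewise:GetAssetPropertyValue",
    "iotsitewise:GetAssetPropertyValueHistory",
    "iotsitewise:GetAssetPropertyAggregates",
}
# ASSUMPTION: write actions a reviewer would question on a portal role.
WRITE_ACTIONS = {
    "iotsitewise:CreateAsset",
    "iotsitewise:UpdateAsset",
    "iotsitewise:DeleteAsset",
    "iotsitewise:BatchPutAssetPropertyValue",
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _match(name: str, patterns: Any) -> bool:
    """IAM-style match of one action name or ARN against policy patterns."""
    return any(fnmatch.fnmatchcase(name.lower(), str(p).lower())
               for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: Optional[str] = None) -> bool:
    """Does the policy allow `action` (on `resource`, if given)? Deny wins."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource statements need manual review")
        if not _match(action, stmt.get("Action", [])):
            continue
        if resource is not None and not _match(resource, stmt.get("Resource", "*")):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def review_trust_policy(trust_policy: dict) -> list:
    """Only SiteWise Monitor should be able to assume the portal role."""
    findings, monitor_ok = [], False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _match("sts:AssumeRole", stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("AWS") == "*":
            findings.append("trust policy lets any principal assume the role")
            continue
        services = _as_list(principal.get("Service", []))
        monitor_ok = monitor_ok or MONITOR_PRINCIPAL in services
        for extra in [s for s in services if s != MONITOR_PRINCIPAL] + _as_list(principal.get("AWS", [])):
            findings.append(f"unexpected principal can assume the portal role: {extra}")
    if not monitor_ok:
        findings.append(f"{MONITOR_PRINCIPAL} cannot assume the role, so the portal will not work")
    return findings


def review_permissions(role_policy: dict) -> list:
    """The portal session is read-only and bounded by this role's grants."""
    findings = []
    missing = sorted(a for a in READ_ONLY_ACTIONS if not is_allowed(role_policy, a))
    if missing:
        findings.append(f"portal users would lack read access: {missing}")
    writes = sorted(a for a in WRITE_ACTIONS if is_allowed(role_policy, a))
    if writes:
        findings.append(f"role grants write actions beyond the read-only portal session: {writes}")
    return findings


def can_sign_in(user_policy: dict, portal_arn: str) -> bool:
    """Sign-in requires iotsitewise:DescribePortal on that portal."""
    return is_allowed(user_policy, "iotsitewise:DescribePortal", portal_arn)


# Constructed sample documents; the account ID and portal IDs are placeholders.
PORTAL_ARN = "arn:aws:iotsitewise:us-east-1:111122223333:portal/a1b2c3d4-5678-90ab-cdef-111111111111"
OTHER_PORTAL_ARN = "arn:aws:iotsitewise:us-east-1:111122223333:portal/a1b2c3d4-5678-90ab-cdef-222222222222"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": MONITOR_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": MONITOR_PRINCIPAL, "AWS": "arn:aws:iam::111122223333:root"}}]}
GOOD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iotsitewise:Describe*", "iotsitewise:List*", "iotsitewise:Get*"]}]}
BROAD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iotsitewise:*", "Resource": "*"}]}
NARROW_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iotsitewise:ListAssets", "Resource": "*"}]}
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iotsitewise:DescribePortal", "Resource": PORTAL_ARN}]}

if __name__ == "__main__":
    for label, trust, perms in [("good", GOOD_TRUST, GOOD_ROLE_POLICY),
                                ("broad", BAD_TRUST, BROAD_ROLE_POLICY),
                                ("narrow", GOOD_TRUST, NARROW_ROLE_POLICY)]:
        print(label, review_trust_policy(trust) + review_permissions(perms) or "ok")
    print("sign-in:", can_sign_in(USER_POLICY, PORTAL_ARN), can_sign_in(USER_POLICY, OTHER_PORTAL_ARN))
```

Running it prints a clean result for the "good" role, the extra account principal and write actions for the "broad" one, and the missing data reads for the "narrow" one; a clean result is what you want before passing the role ARN to the portal at creation time. Treat the write-action finding as a reviewer flag rather than an automatic failure: AWS's own role policy for portals may legitimately include some write actions, but each one is exposure the read-only portal session does not need.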