
Create and manage a service role for Amazon IoT TwinMaker

Amazon IoT TwinMaker requires that you use a service role to allow it to access resources in other services on your behalf. This role must have a trust relationship with Amazon IoT TwinMaker. When you create a workspace, you must assign this role to the workspace. This topic contains example policies that show you how to configure permissions for common scenarios.

Assign trust

The following policy establishes a trust relationship between your role and Amazon IoT TwinMaker. Assign this trust relationship to the role that you use for your workspace.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "iottwinmaker.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Amazon S3 permissions

The following policy allows your role to read from, write to, and delete from an Amazon S3 bucket. Workspaces store resources in Amazon S3, so the Amazon S3 permissions are required for all workspaces. Note that this version grants access to every bucket in the account (arn:aws:s3:::*); the section Assign permissions to a specific Amazon S3 bucket shows how to narrow it to the workspace bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucket*",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*/DO_NOT_DELETE_WORKSPACE_*"
            ]
        }
    ]
}

Note

When you create a workspace, Amazon IoT TwinMaker creates a marker file in your Amazon S3 bucket that indicates the bucket is being used by a workspace. This policy gives Amazon IoT TwinMaker permission to delete only that file (objects whose key starts with DO_NOT_DELETE_WORKSPACE_) when you delete the workspace.

Amazon IoT TwinMaker also stores other objects related to your workspace in the bucket. It's your responsibility to delete these objects when you delete a workspace.

Assign permissions to a specific Amazon S3 bucket

When you create a workspace in the Amazon IoT TwinMaker console, you can choose to have Amazon IoT TwinMaker create an Amazon S3 bucket for you. You can find information about this bucket by using the following Amazon CLI command.

aws iottwinmaker get-workspace --workspace-id workspace name

The following example shows the format of the output of this command.

{
    "arn": "arn:aws:iottwinmaker:region:account Id:workspace/workspace name",
    "creationDateTime": "2021-11-30T11:30:00.000000-08:00",
    "description": "",
    "role": "arn:aws:iam::account Id:role/service role name",
    "s3Location": "arn:aws:s3:::bucket name",
    "updateDateTime": "2021-11-30T11:30:00.000000-08:00",
    "workspaceId": "workspace name"
}

To update your policy so that it assigns permissions for a specific Amazon S3 bucket, use the value of bucket name from the s3Location field.

The following policy allows your role to read from, write to, and delete from a specific Amazon S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucket*",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket name",
                "arn:aws:s3:::bucket name/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket name/DO_NOT_DELETE_WORKSPACE_*"
            ]
        }
    ]
}
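As an added example that is not part of the documentation, the following Python derives the bucket name from get-workspace output of the shape shown above, builds the bucket-scoped policy, and audits any policy for S3 resources that reach beyond the workspace bucket (such as the arn:aws:s3:::* resources in the all-buckets policy earlier) or for DeleteObject grants not confined to the DO_NOT_DELETE_WORKSPACE_ marker object. SAMPLE_WORKSPACE holds constructed values, not real account data.

```python
from fnmatch import fnmatchcase

# Constructed sample of `aws iottwinmaker get-workspace` output (not real account data).
SAMPLE_WORKSPACE = {
    "arn": "arn:aws:iottwinmaker:us-east-1:111122223333:workspace/demo-ws",
    "role": "arn:aws:iam::111122223333:role/demo-ws-role",
    "s3Location": "arn:aws:s3:::demo-ws-bucket-example",
    "workspaceId": "demo-ws",
}
DELETE_MARKER = "DO_NOT_DELETE_WORKSPACE_"  # prefix of the marker object the docs describe

def bucket_from_workspace(workspace: dict) -> str:
    """Extract the bucket name from the s3Location ARN returned by get-workspace."""
    arn = workspace["s3Location"]
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix) or "/" in arn[len(prefix):]:
        raise ValueError(f"unexpected s3Location: {arn}")
    return arn[len(prefix):]

def scoped_s3_policy(bucket: str) -> dict:
    """Build the bucket-scoped variant of the documented S3 policy for one workspace."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucket*", "s3:GetObject", "s3:ListBucket", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Action": ["s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/{DELETE_MARKER}*"]},
    ]}

def audit_s3_scope(policy: dict, bucket: str) -> list:
    """Flag Allow statements whose S3 resources reach beyond the workspace bucket,
    and DeleteObject grants not confined to the workspace marker object."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res_list = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        # IAM action names are case-insensitive and may contain '*' wildcards (e.g. s3:*)
        can_delete = any(fnmatchcase("s3:deleteobject", a.lower()) for a in acts)
        for res in res_list:
            if not res.startswith("arn:aws:s3:::"):
                continue  # only S3 resources are in scope for this check
            if res != f"arn:aws:s3:::{bucket}" and not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"statement {i}: {res} is not limited to bucket {bucket}")
            if can_delete and not res.endswith(f"/{DELETE_MARKER}*"):
                findings.append(f"statement {i}: DeleteObject on {res} is not limited to the marker object")
    return findings
```

Run audit_s3_scope against the role's attached policy documents after a workspace is created; an empty list means every S3 grant is confined to that workspace's bucket.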

Permissions for built-in connectors

If your workspace interacts with other Amazon services by using built-in connectors, you must include permissions for those services in this policy. If you use the com.amazon.iotsitewise.connector component type, you must include permissions for Amazon IoT SiteWise. For more information about component types, see Using and creating component types.

Note

If you interact with other Amazon services by using a custom component type, you must grant the role permission to invoke the Lambda function that implements the function in your component type. For more information, see Permissions for a connector to an external data source.

The following example shows how to include Amazon IoT SiteWise in your policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucket*",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket name",
                "arn:aws:s3:::bucket name/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribeAsset"
            ],
            "Resource": "asset ARN"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribeAssetModel"
            ],
            "Resource": "asset model ARN"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*/DO_NOT_DELETE_WORKSPACE_*"
            ]
        }
    ]
}

If you use the com.amazon.iotsitewise.connector component type and need to read property data from Amazon IoT SiteWise, you must include the following permission in your policy.

...
{
    "Action": [
        "iotsitewise:GetPropertyValueHistory"
    ],
    "Resource": [
        "Amazon IoT SiteWise asset resource ARN"
    ],
    "Effect": "Allow"
},
...

If you use the com.amazon.iotsitewise.connector component type and need to write property data to Amazon IoT SiteWise, you must include the following permission in your policy.

...
{
    "Action": [
        "iotsitewise:BatchPutPropertyValues"
    ],
    "Resource": [
        "Amazon IoT SiteWise asset resource ARN"
    ],
    "Effect": "Allow"
},
...

If you use the com.amazon.iotsitewise.connector.edgevideo component type, you must include permissions for Amazon IoT SiteWise and Kinesis Video Streams. The following example policy shows how to include Amazon IoT SiteWise and Kinesis Video Streams permissions in your policy.

...
{
    "Action": [
        "iotsitewise:DescribeAsset",
        "iotsitewise:GetAssetPropertyValue"
    ],
    "Resource": [
        "Amazon IoT SiteWise asset resource ARN for the Edge Connector for Kinesis Video Streams"
    ],
    "Effect": "Allow"
},
{
    "Action": [
        "iotsitewise:DescribeAssetModel"
    ],
    "Resource": [
        "Amazon IoT SiteWise model resource ARN for the Edge Connector for Kinesis Video Streams"
    ],
    "Effect": "Allow"
},
{
    "Action": [
        "kinesisvideo:DescribeStream"
    ],
    "Resource": [
        "Kinesis Video Streams stream ARN"
    ],
    "Effect": "Allow"
},
...

Permissions for a connector to an external data source

If you create a component type that uses a function that connects to an external data source, you must give your service role permission to invoke the Lambda function that implements the function. For more information about creating component types and functions, see Using and creating component types.

The following example gives your service role permission to invoke a specific Lambda function, identified by its ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucket*",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket name",
                "arn:aws:s3:::bucket name/*"
            ]
        },
        {
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "Lambda function ARN"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*/DO_NOT_DELETE_WORKSPACE_*"
            ]
        }
    ]
}

For more information about creating roles and assigning policies and trust relationships to them by using the IAM console, the Amazon CLI, and the IAM API, see Creating a role to delegate permissions to an Amazon Web Services service.

Modify your workspace IAM role to use the Athena data connector

To use the Amazon IoT TwinMaker Athena tabular data connector, you must update your Amazon IoT TwinMaker workspace IAM role. Add the following statements to your workspace IAM role's policy:

Note

This IAM change applies only to Athena tabular data stored with Amazon Glue and Amazon S3. To use Athena with other data sources, you must configure an IAM role for Athena; see Identity and access management in Athena.

Athena permissions:

{
    "Effect": "Allow",
    "Action": [
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetTableMetadata",
        "athena:GetWorkGroup",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
    ],
    "Resource": [
        "Athena resources ARN"
    ]
},

Example permissions for accessing the Amazon Glue Data Catalog:

{
    "Effect": "Allow",
    "Action": [
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetDatabase",
        "glue:GetDatabases"
    ],
    "Resource": [
        "Glue resources ARN"
    ]
},

Amazon S3 bucket that stores the tabular data (read only):

{
    "Effect": "Allow",
    "Action": [
        "s3:ListBucket",
        "s3:GetObject"
    ],
    "Resource": [
        "Amazon S3 data source bucket resources ARN"
    ]
},

Amazon S3 bucket that stores the query results:

{
    "Effect": "Allow",
    "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:PutBucketPublicAccessBlock"
    ],
    "Resource": [
        "S3 query result bucket resources ARN"
    ]
}

For more information about Athena IAM configuration, see Identity and access management in Athena.