Additional information about users and roles - Amazon Tools for PowerShell
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Additional information about users and roles

In order to run Tools for PowerShell commands on Amazon, you need to have some combination of users, permission sets, and service roles that are appropriate for your tasks.

The specific users, permission sets, and service roles that you create, and the way in which you use them, will depend on your requirements. The following is some additional information about why they might be used and how to create them.

Users and permission sets

Although it's possible to use an IAM user account with long-term credentials to access Amazon services, this is no longer a best practice and should be avoided. Even during development, it is a best practice to create users and permission sets in Amazon IAM Identity Center and use temporary credentials provided by an identity source.

For development, you can use the user that you created or were given in Configure tool authentication. If you have appropriate Amazon Web Services Management Console permissions, you can also create different permission sets with least privilege for that user or create new users specifically for development projects, providing permission sets with least privilege. The course of action you choose, if any, depends on your circumstances.

For more information about these users and permission sets and how to create them, see Authentication and access in the Amazon SDKs and Tools Reference Guide and Getting started in the Amazon IAM Identity Center User Guide.

Service roles

You can set up an Amazon service role to access Amazon services on behalf of users. This type of access is appropriate if multiple people will be running your application remotely; for example, on an Amazon EC2 instance that you have created for this purpose.

The process for creating a service role varies depending on the situation, but is essentially the following.

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Choose Roles, and then choose Create role.

  3. Choose Amazon service, then find and select the service that will assume the role (for example, EC2) and choose its use case (for example, EC2).

  4. Choose Next and select the appropriate policies for the Amazon services that your application will use.

    Warning

    Do NOT choose the AdministratorAccess policy because that policy enables read and write permissions to almost everything in your account.

  5. Choose Next. Enter a Role name, Description, and any tags you want.

    You can find information about tags in Controlling access using Amazon resource tags in the IAM User Guide.

  6. Choose Create role.
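The same role can be created with the Tools for PowerShell IAM cmdlets instead of the console. This is an added example, not code from the original page: it assumes the AWS.Tools.IdentityManagement module is installed, that credentials are configured as described in Configure tool authentication, that the account is in the China (aws-cn) partition, and it uses hypothetical role, tag and policy choices (AmazonS3ReadOnlyAccess stands in for whatever least-privilege policy your application needs).

```powershell
# Added example (not from the original page): create an EC2 service role with the
# Tools for PowerShell IAM cmdlets, mirroring console steps 3 to 6 above.
# Assumptions: AWS.Tools.IdentityManagement is installed, credentials are already
# configured, and the account lives in the China (aws-cn) partition.
Import-Module AWS.Tools.IdentityManagement

$roleName  = 'MyAppEc2Role'                                       # hypothetical role name
$policyArn = 'arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess'  # hypothetical least-privilege policy

# Enforce the Warning in step 4: never attach AdministratorAccess to a service role.
if ($policyArn -like '*:policy/AdministratorAccess') {
    throw 'AdministratorAccess grants read/write access to almost the whole account; pick a scoped policy.'
}

# Step 3: trust policy allowing only the EC2 service to assume the role.
# The EC2 service principal is ec2.amazonaws.com.cn in the China partition
# and ec2.amazonaws.com in the standard partition.
$trustPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com.cn" },
    "Action": "sts:AssumeRole"
  }]
}
'@

# Step 5: role name, description and a tag (hypothetical values).
$tag = New-Object Amazon.IdentityManagement.Model.Tag
$tag.Key = 'Project'; $tag.Value = 'demo'
$role = New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $trustPolicy `
                    -Description 'EC2 service role for my application (example)' -Tag $tag

# Step 4: attach the scoped managed policy to the role.
Register-IAMRolePolicy -RoleName $roleName -PolicyArn $policyArn

# EC2 instances pick up a role through an instance profile; the console creates one
# with the same name automatically, so do the same here.
New-IAMInstanceProfile -InstanceProfileName $roleName | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName $roleName -RoleName $roleName

# Verify what was created: the role ARN and exactly which policies are attached.
Get-IAMRole -RoleName $roleName | Select-Object RoleName, Arn
Get-IAMAttachedRolePolicyList -RoleName $roleName | Select-Object PolicyName, PolicyArn
```

Review the final Get-IAMAttachedRolePolicyList output before launching instances with the profile; it is the quickest way to confirm that only the intended least-privilege policy is attached.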

You can find high-level information about IAM roles in IAM Identities (users, user groups, and roles) in the IAM User Guide. Find detailed information about roles in the IAM roles topic.