


# Configuring roles and permissions for Change Manager
<a name="change-manager-permissions"></a>

**Change Manager availability change**  
Amazon Systems Manager Change Manager will no longer be open to new customers starting November 7, 2025. If you would like to use Change Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [Amazon Systems Manager Change Manager availability change](https://docs.amazonaws.cn/systems-manager/latest/userguide/change-manager-availability-change.html). 

By default, Change Manager doesn't have permission to perform actions on your resources. You must grant access by using an Amazon Identity and Access Management (IAM) service role, or *assume role*. This role enables Change Manager to securely run the runbook workflows specified in an approved change request on your behalf. The role grants Amazon Security Token Service (Amazon STS) [AssumeRole](https://docs.amazonaws.cn/STS/latest/APIReference/API_AssumeRole.html) trust to Change Manager.

By providing these permissions to a role to act on behalf of users in an organization, users don't need to be granted that array of permissions themselves. The actions allowed by the permissions are limited to approved operations only.

When users in your account or organization create a change request, they can select this assume role to perform the change operations.

You can create a new assume role for Change Manager or update an existing role with the needed permissions.

If you need to create a service role for Change Manager, complete the following tasks. 

**Topics**
+ [Task 1: Creating an assume role policy for Change Manager](#change-manager-role-policy)
+ [Task 2: Creating an assume role for Change Manager](#change-manager-role)
+ [Task 3: Attaching the `iam:PassRole` policy to other roles](#change-manager-passpolicy)
+ [Task 4: Adding inline policies to an assume role to invoke other Amazon Web Services services](#change-manager-role-add-inline-policy)
+ [Task 5: Configuring user access to Change Manager](#change-manager-passrole)

## Task 1: Creating an assume role policy for Change Manager
<a name="change-manager-role-policy"></a>

Use the following procedure to create the policy that you will attach to your Change Manager assume role.

**To create an assume role policy for Change Manager**

1. Open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane, choose **Policies**, and then choose **Create Policy**.

1. On the **Create policy** page, choose the **JSON** tab and replace the default content with the following, which you will modify for your own Change Manager operations in following steps.
**Note**  
If you're creating a policy to use with a single Amazon Web Services account, and not an organization with multiple accounts and Amazon Web Services Regions, you can omit the first statement block. The `iam:PassRole` permission isn't required in the case of a single account using Change Manager.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "iam:PassRole",
               "Resource": "arn:aws-cn:iam::111122223333:role/AWS-SystemsManager-job-functionAdministrationRole",
               "Condition": {
                   "StringEquals": {
                       "iam:PassedToService": "ssm.amazonaws.com.cn"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:DescribeDocument",
                   "ssm:GetDocument",
                   "ssm:StartChangeRequestExecution"
               ],
               "Resource": [
                   "arn:aws-cn:ssm:us-east-1::document/template-name",
                   "arn:aws-cn:ssm:us-east-1:111122223333:automation-execution/*"
               ]
           },
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:ListOpsItemEvents",
                   "ssm:GetOpsItem",
                   "ssm:ListDocuments",
                   "ssm:DescribeOpsItems"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. For the `iam:PassRole` action, update the `Resource` value to include the ARNs of all job functions defined for your organization that you want to grant permissions to initiate runbook workflows.

1. Replace the *region*, *account-id*, *template-name*, *delegated-admin-account-id*, and *job-function* placeholders with values for your Change Manager operations.

1. For the second `Resource` statement, modify the list to include all change templates that you want to grant permissions for. Alternatively, specify `"Resource": "*"` to grant permissions for all change templates in your organization.

1. Choose **Next: Tags**.

1. (Optional) Add one or more tag-key value pairs to organize, track, or control access for this policy. 

1. Choose **Next: Review**.

1. On the **Review policy** page, enter a name in the **Name** box, such as **MyChangeManagerAssumeRole**, and then enter an optional description.

1. Choose **Create policy**, and continue to [Task 2: Creating an assume role for Change Manager](#change-manager-role).
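As an added check (not part of the Systems Manager documentation), the following Python reads the Task 1 policy and flags any `iam:PassRole` grant that is missing the `iam:PassedToService` condition or that allows passing any role. The embedded policy is a constructed copy of the one shown above; `check_change_manager_policy` is a hypothetical helper name.

```python
import fnmatch
import json

# Constructed sample: the assume role policy from Task 1 on this page.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws-cn:iam::111122223333:role/AWS-SystemsManager-job-functionAdministrationRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com.cn"}}},
    {"Effect": "Allow",
     "Action": ["ssm:DescribeDocument", "ssm:GetDocument", "ssm:StartChangeRequestExecution"],
     "Resource": ["arn:aws-cn:ssm:us-east-1::document/template-name",
                  "arn:aws-cn:ssm:us-east-1:111122223333:automation-execution/*"]},
    {"Effect": "Allow",
     "Action": ["ssm:ListOpsItemEvents", "ssm:GetOpsItem", "ssm:ListDocuments", "ssm:DescribeOpsItems"],
     "Resource": "*"}
  ]
}""")

def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]

def _grants(actions, wanted):
    """True if any action pattern in the statement (e.g. "iam:*" or "*") covers wanted."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in actions)

def check_change_manager_policy(policy, service="ssm.amazonaws.com.cn"):
    """Return findings for Allow statements that let the holder pass an arbitrary
    role, or pass a role to a service other than Systems Manager. An empty list
    means every PassRole grant is scoped the way Task 1 on this page describes."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction statements are out of scope here
        if not _grants(_as_list(stmt["Action"]), "iam:PassRole"):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("iam:PassedToService", [])) != [service]:
            findings.append(f"statement {idx}: iam:PassRole is not limited to iam:PassedToService={service}")
        if any(r == "*" or r.endswith(":role/*") for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"statement {idx}: iam:PassRole allows passing any role; list the job-function role ARNs")
    return findings
```

Run it against the policy you are about to save; the check returns an empty list for the page's policy and one finding per weakened PassRole statement otherwise.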

## Task 2: Creating an assume role for Change Manager
<a name="change-manager-role"></a>

Use the following procedure to create a Change Manager assume role, a type of service role, for Change Manager.

**To create an assume role for Change Manager**

1. Open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. For **Select trusted entity**, make the following choices:

   1. For **Trusted entity type**, choose **Amazon service**.

   1. For **Use cases for other Amazon Web Services services**, choose **Systems Manager**.

   1. Choose **Systems Manager**.

1. Choose **Next**.

1. On the **Attached permissions policy** page, search for the assume role policy you created in [Task 1: Creating an assume role policy for Change Manager](#change-manager-role-policy), such as **MyChangeManagerAssumeRole**. 

1. Select the check box next to the assume role policy name, and then choose **Next: Tags**.

1. For **Role name**, enter a name for your new assume role, such as **MyChangeManagerAssumeRole**.

1. (Optional) For **Description**, update the description for this role.

1. (Optional) Add one or more tag-key value pairs to organize, track, or control access for this role. 

1. Choose **Next: Review**.

1. (Optional) For **Tags**, add one or more tag-key value pairs to organize, track, or control access for this role, and then choose **Create role**. The system returns you to the **Roles** page.

1. Choose **Create role**. The system returns you to the **Roles** page.

1. On the **Roles** page, choose the role you just created to open the **Summary** page. 

## Task 3: Attaching the `iam:PassRole` policy to other roles
<a name="change-manager-passpolicy"></a>

Use the following procedure to attach the `iam:PassRole` policy to an IAM instance profile or IAM service role. (The Systems Manager service uses IAM instance profiles to communicate with EC2 instances. For non-EC2 managed nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment, an IAM service role is used instead.)

By attaching the `iam:PassRole` policy, the Change Manager service can pass assume role permissions to other services or Systems Manager tools when running runbook workflows.

**To attach the `iam:PassRole` policy to an IAM instance profile or service role**

1. Open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane, choose **Roles**.

1. Search for the Change Manager assume role you created, such as **MyChangeManagerAssumeRole**, and choose its name.

1. In the **Summary** page for the assume role, choose the **Permissions** tab.

1. Choose **Add permissions, Create inline policy**.

1. On the **Create policy** page, choose the **Visual editor** tab.

1. Choose **Service**, and then choose **IAM**.

1. In the **Filter actions** text box, enter **PassRole**, and then choose the **PassRole** option.

1. Expand **Resources**. Verify that **Specific** is selected, and then choose **Add ARN**.

1. In the **Specify ARN for role** field, enter the ARN of the IAM instance profile role or IAM service role to which you want to pass assume role permissions. The system populates the **Account** and **Role name with path** fields. 

1. Choose **Add**.

1. Choose **Review policy**.

1. For **Name**, enter a name to identify this policy, and then choose **Create policy**.

**More info**  
+ [Configure instance permissions required for Systems Manager](setup-instance-permissions.md)
+ [Create the IAM service role required for Systems Manager in hybrid and multicloud environments](hybrid-multicloud-service-role.md)

## Task 4: Adding inline policies to an assume role to invoke other Amazon Web Services services
<a name="change-manager-role-add-inline-policy"></a>

When a change request invokes other Amazon Web Services services by using the Change Manager assume role, the assume role must be configured with permission to invoke those services. This requirement applies to all Amazon Automation runbooks (`AWS-*` runbooks) that might be used in a change request, such as the `AWS-ConfigureS3BucketLogging`, `AWS-CreateDynamoDBBackup`, and `AWS-RestartEC2Instance` runbooks. This requirement also applies to any custom runbooks you create that invoke other Amazon Web Services services by using actions that call other services. For example, if you use the `aws:executeAwsApi`, `aws:CreateStack`, or `aws:copyImage` actions, then you must configure the service role with permission to invoke those services. You can enable permissions to other Amazon Web Services services by adding an IAM inline policy to the role. 

**To add an inline policy to an assume role to invoke other Amazon Web Services services (IAM console)**

1. Sign in to the Amazon Web Services Management Console and open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane, choose **Roles**.

1. In the list, choose the name of the assume role that you want to update, such as `MyChangeManagerAssumeRole`.

1. Choose the **Permissions** tab.

1. Choose **Add permissions, Create inline policy**.

1. Choose the **JSON** tab.

1. Enter a JSON policy document for the Amazon Web Services services you want to invoke. Here are two example JSON policy documents.

   **Amazon S3 `PutObject` and `GetObject` example**

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject",
                   "s3:GetObject"
               ],
               "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/*"
           }
       ]
   }
   ```

   **Amazon EC2 `CreateSnapshot` and `DescribeSnapshots` example**

   ```json
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Effect": "Allow",
            "Action": "ec2:CreateSnapshot",
            "Resource": "*"
         },
         {
            "Effect": "Allow",
            "Action": "ec2:DescribeSnapshots",
            "Resource": "*"
         }
      ]
   }
   ```

   For details about the IAM policy language, see [IAM JSON policy reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

1. When you're finished, choose **Review policy**. The [Policy Validator](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_policy-validator.html) reports any syntax errors.

1. For **Name**, enter a name to identify the policy that you're creating. Review the policy **Summary** to see the permissions that are granted by your policy. Then choose **Create policy** to save your work.

1. After you create an inline policy, it's automatically embedded in your role.

## Task 5: Configuring user access to Change Manager
<a name="change-manager-passrole"></a>

If your user, group, or role is assigned administrator permissions, then you have access to Change Manager. If you don't have administrator permissions, then an administrator must assign the `AmazonSSMFullAccess` managed policy, or a policy that provides comparable permissions, to your user, group, or role.

Use the following procedure to configure a user to use Change Manager. The user you choose will have permission to configure and run Change Manager. 

Depending on the identity application that you are using in your organization, you can select any of the three options available to configure user access. While configuring the user access, assign or add the following: 

1. Assign the `AmazonSSMFullAccess` policy or a comparable policy that gives permission to access Systems Manager.

1. Assign the `iam:PassRole` policy.

1. Add the ARN for the Change Manager assume role you copied at the end of [Task 2: Creating an assume role for Change Manager](#change-manager-role).

To provide access, add permissions to your users, groups, or roles:
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

You have finished configuring the required roles for Change Manager. You can now use the Change Manager assume role ARN in your Change Manager operations.