Resource-based policies in CodeGuru Profiler
You control access to profiling groups in Amazon CodeGuru Profiler using profiling group resource-based policies. AWS defines a profiling group as a resource in CodeGuru Profiler. You, as the account administrator, control access to a resource in an AWS service. For profiling groups, resource-based policies support the agent-related actions ConfigureAgent and PostAgentProfile.
In CodeGuru Profiler, permissions policies are resource-based policies that are attached directly to profiling groups. You can use resource-based policies to manage the IAM roles or users that have permission to submit profiling data and configure the agent. You can also grant access with identity-based policies. For an example, see Permissions required by the CodeGuru Profiler profiling agent. For more information about IAM policies, see Identity-based policies and resource-based policies in the AWS Identity and Access Management User Guide.
You can use the console, the SDK, or the AWS CLI to specify resource-based permissions on a profiling group.
Add a resource-based policy to a profiling group (console)
- Open the Amazon CodeGuru Profiler console at https://console.aws.amazon.com/codeguru/profiler.
- In the navigation pane, choose Profiling groups.
- Choose the profiling group to add a resource-based policy to.
- Choose Actions, and then choose Manage permissions.
- From Application permissions, select the users and roles you want to grant access to the profiling group.
- Choose Save.
For more information, see Set permissions.
Add a resource-based policy to a profiling group (AWS CLI)
Run the following AWS CLI command to add a resource-based policy to a profiling group. Use your profiling group name and the Amazon Resource Names (ARNs) of the roles and users you want to grant access to the profiling group.
The only valid value for the action-group argument is the agentPermissions action group. agentPermissions grants the ConfigureAgent and PostAgentProfile permissions on a profiling group to the roles and users listed in the principals argument.
aws codeguruprofiler put-permission --action-group agentPermissions \
    --profiling-group-name "my-profiling-group-name" \
    --principals "arn:aws:iam::123456789012:user/my-user-name"
The following is an example output that grants access to a profiling group named my-profiling-group to an AWS user specified using its ARN, arn:aws:iam::123456789012:user/my-user-name.
{
    "policy": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Sid\" : \"agentPermissions-statement\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"arn:aws:iam::123456789012:user/my-user-name\"\n },\n \"Action\" : [ \"codeguru-profiler:ConfigureAgent\", \"codeguru-profiler:PostAgentProfile\" ],\n \"Resource\" : \"arn:aws:codeguru-profiler:us-west-2:123456789012:profilingGroup/my-profiling-group-name\"\n } ]\n}",
    "revisionId": "125820ee-98c7-4df9-8739-442ffad7b3a0"
}
Add a resource-based policy to a profiling group (AWS SDKs)
To add a resource-based policy using an AWS SDK, use the PutPermission method. For more information, see PutPermission in the Amazon CodeGuru Profiler API Reference.
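The put-permission output shown in the AWS CLI section carries the policy as a JSON document encoded inside a JSON string, which makes it easy to misread when reviewing who was granted access. The following is an added example, not part of the AWS documentation: it decodes that response and reports principals outside an allowlist, wildcard principals, and actions beyond the two that agentPermissions grants. The function names, the allowlist, and the second account ID are assumptions made for illustration, and the sample responses are constructed.

```python
import json

# Actions granted by the agentPermissions action group, as listed on this page.
AGENT_ACTIONS = {"codeguru-profiler:ConfigureAgent",
                 "codeguru-profiler:PostAgentProfile"}

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(cli_output, allowed_principals):
    """Return (sid, issue, value) findings for a put-permission response."""
    # "policy" is a JSON document stored as a string, so decode twice.
    policy = json.loads(json.loads(cli_output)["policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            principals = [principal]  # e.g. the bare wildcard "*"
        else:
            principals = [p for v in principal.values() for p in _as_list(v)]
        for p in principals:
            if p == "*":
                findings.append((sid, "wildcard principal", p))
            elif p not in allowed_principals:
                findings.append((sid, "unexpected principal", p))
        for action in _as_list(stmt.get("Action")):
            if action not in AGENT_ACTIONS:
                findings.append((sid, "unexpected action", action))
    return findings

def sample_output(principals):
    """Constructed response in the same shape as the example output above."""
    stmt = {"Sid": "agentPermissions-statement", "Effect": "Allow",
            "Principal": {"AWS": principals}, "Action": sorted(AGENT_ACTIONS),
            "Resource": "arn:aws:codeguru-profiler:us-west-2:123456789012:"
                        "profilingGroup/my-profiling-group-name"}
    policy = {"Version": "2012-10-17", "Statement": [stmt]}
    return json.dumps({"policy": json.dumps(policy), "revisionId": "constructed"})

if __name__ == "__main__":
    allowed = {"arn:aws:iam::123456789012:user/my-user-name"}
    extra = "arn:aws:iam::111122223333:role/constructed-role"  # constructed ARN
    print(audit_policy(sample_output(sorted(allowed)), allowed))
    print(audit_policy(sample_output([*allowed, extra, "*"]), allowed))
```

An empty list means every Allow statement names only allowlisted principals and only the two agent actions.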