Example Policies - AWS OpsWorks

Example Policies

Important

The AWS OpsWorks Stacks service reached end of life on May 26, 2024 and has been disabled for both new and existing customers. We strongly recommend customers migrate their workloads to other solutions as soon as possible. If you have questions about migration, reach out to the AWS Support Team on AWS re:Post or through AWS Premium Support.

This section describes example IAM policies that can be applied to AWS OpsWorks Stacks users.

Administrative Permissions

Use the IAM console, https://console.aws.amazon.com/iam/, to locate the AWSOpsWorks_FullAccess managed policy. Attach this policy to a user to grant permission to perform all AWS OpsWorks Stacks actions. The IAM permissions it contains are required, among other things, to allow an administrative user to import users.

You must create an IAM role that allows AWS OpsWorks Stacks to act on your behalf to access other AWS resources, such as Amazon EC2 instances. You typically handle this task by having an administrative user create the first stack and letting AWS OpsWorks Stacks create the role for you. You can then use that role for all subsequent stacks. For more information, see Allowing AWS OpsWorks Stacks to Act on Your Behalf.

The administrative user who creates the first stack must have permissions for some IAM actions that are not included in the AWSOpsWorks_FullAccess policy. Add the following permissions to the Action section of the policy. For proper JSON syntax, be sure to add commas between actions and remove the trailing comma at the end of the list of actions. Because these actions let a user create roles and attach policies to them, grant them only to the administrator who creates the first stack, and remove them once the service role exists.

"iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:CreateRole"

Manage Permissions

The Manage permissions level allows a user to perform a variety of stack management actions, including adding or deleting layers. This topic describes several policies that you can apply to Manage users to augment or restrict their standard permissions.

Deny a Manage user the ability to add or delete layers

You can restrict the Manage permissions level to allow a user to perform all Manage actions except adding or deleting layers by using the following IAM policy. Replace region, account_id, and stack_id with values appropriate to your configuration. Because the Resource names a single stack ARN, the Deny applies only to that stack; to cover every stack in the account, use a Resource of arn:aws:opsworks:region:account_id:stack/*/ instead.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "opsworks:CreateLayer",
        "opsworks:DeleteLayer"
      ],
      "Resource": "arn:aws:opsworks:region:account_id:stack/stack_id/"
    }
  ]
}

Allow a Manage user to create or clone stacks

The Manage permissions level doesn't allow users to create or clone stacks. You can change the Manage permissions to allow a user to create or clone stacks by applying the following IAM policy. Replace account_id with your account ID and service_role_name with the name of the OpsWorks service role (see Allowing AWS OpsWorks Stacks to Act on Your Behalf). The iam:PassRole statement must name the IAM role being passed, not a stack, and IAM role ARNs carry no region field. The iam:PassedToService condition ensures the user can pass that role only to AWS OpsWorks Stacks and not to other services.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "iam:ListUsers",
        "opsworks:DescribeUserProfiles",
        "opsworks:CreateUserProfile",
        "opsworks:DeleteUserProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::account_id:role/service_role_name",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "opsworks.amazonaws.com"
        }
      }
    }
  ]
}

Deny a Manage user the ability to register or deregister resources

The Manage permissions level allows the user to register and deregister Amazon EBS volumes and Elastic IP addresses with the stack. You can restrict the Manage permissions to allow the user to perform all Manage actions except registering those resources by applying the following policy. Because the Resource is "*", this Deny applies to every stack in the account. To block deregistration as well, add opsworks:DeregisterVolume and opsworks:DeregisterElasticIp to the Action list.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "opsworks:RegisterVolume",
        "opsworks:RegisterElasticIp"
      ],
      "Resource": "*"
    }
  ]
}

Allow a Manage user to import users

The Manage permissions level doesn't allow users to import users into AWS OpsWorks Stacks. You can augment the Manage permissions to allow a user to import and delete users by applying the following IAM policy. Replace account_id with your account ID and service_role_name with the name of the OpsWorks service role. The list and describe actions must be granted on a Resource of "*", and the iam:PassedToService condition key is only present on PassRole requests, so iam:PassRole gets its own statement scoped to the service role ARN (IAM ARNs carry no region field).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "iam:ListUsers",
        "opsworks:DescribeUserProfiles",
        "opsworks:CreateUserProfile",
        "opsworks:DeleteUserProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::account_id:role/service_role_name",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "opsworks.amazonaws.com"
        }
      }
    }
  ]
}
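The following Python script is an added example, not code from this page or from AWS. It is a deliberately small model of IAM policy evaluation (an explicit Deny wins over any Allow, Action and Resource match with "*" wildcards, StringEquals conditions fail when the key is absent from the request; NotAction, policy variables and the ...IfExists operators are not modeled) and uses it to check what the stack-scoped Deny and the iam:PassRole statements above actually do before you attach them. The region, account ID, stack IDs and the role name aws-opsworks-service-role are constructed sample values, and the baseline Allow on opsworks:* stands in for whatever permissions the Manage user already holds.

```python
import fnmatch

# Constructed sample values in place of the page's region, account_id and
# stack_id placeholders; they do not refer to real resources.
REGION = "us-east-1"
ACCOUNT = "123456789012"
STACK_ARN = f"arn:aws:opsworks:{REGION}:{ACCOUNT}:stack/2f18b2cb-0001-4d47-a1d5-example00001/"
OTHER_STACK_ARN = f"arn:aws:opsworks:{REGION}:{ACCOUNT}:stack/7c3a9e11-0002-4b8e-b6c2-example00002/"
# Assumed name for the OpsWorks service role. IAM role ARNs carry no region.
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/aws-opsworks-service-role"

# Constructed stand-in for whatever Allow the Manage user already has.
BASELINE_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "opsworks:*", "Resource": "*"}]}

# The page's stack-scoped Deny on adding or deleting layers.
DENY_LAYER_CHANGES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Action": ["opsworks:CreateLayer", "opsworks:DeleteLayer"],
     "Resource": STACK_ARN}]}

# PassRole limited to the service role and to the OpsWorks service principal.
ALLOW_PASS_SERVICE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": SERVICE_ROLE_ARN,
     "Condition": {"StringEquals": {"iam:PassedToService": "opsworks.amazonaws.com"}}}]}

# The same statement with a stack ARN as Resource. PassRole is evaluated
# against the role ARN being passed, so this statement can never match.
MISSCOPED_PASS_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": f"arn:aws:opsworks::{ACCOUNT}:stack/*/",
     "Condition": {"StringEquals": {"iam:PassedToService": "opsworks.amazonaws.com"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modeled. A key missing from the request context
    # makes the condition false, as in IAM without an ...IfExists operator.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modeled")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny is final
            decision = "Allow"
    return decision


def example_decisions():
    """Evaluate the page's policies against representative requests."""
    manage = [BASELINE_ALLOW, DENY_LAYER_CHANGES]
    to_opsworks = {"iam:PassedToService": "opsworks.amazonaws.com"}
    to_ec2 = {"iam:PassedToService": "ec2.amazonaws.com"}
    return {
        "create_layer_on_restricted_stack": evaluate(manage, "opsworks:CreateLayer", STACK_ARN),
        "create_layer_on_other_stack": evaluate(manage, "opsworks:CreateLayer", OTHER_STACK_ARN),
        "describe_layers_on_restricted_stack": evaluate(manage, "opsworks:DescribeLayers", STACK_ARN),
        "pass_role_to_opsworks": evaluate([ALLOW_PASS_SERVICE_ROLE], "iam:PassRole", SERVICE_ROLE_ARN, to_opsworks),
        "pass_role_to_ec2": evaluate([ALLOW_PASS_SERVICE_ROLE], "iam:PassRole", SERVICE_ROLE_ARN, to_ec2),
        "pass_role_no_service_key": evaluate([ALLOW_PASS_SERVICE_ROLE], "iam:PassRole", SERVICE_ROLE_ARN),
        "pass_role_misscoped_resource": evaluate([MISSCOPED_PASS_ROLE], "iam:PassRole", SERVICE_ROLE_ARN, to_opsworks),
    }


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name:38} {decision}")
```

The Deny blocks CreateLayer only on the named stack and leaves DescribeLayers on that stack and CreateLayer on any other stack allowed; PassRole succeeds only for the service role and only when the request's iam:PassedToService is opsworks.amazonaws.com, and a PassRole statement whose Resource is a stack ARN never matches at all. Against a real account, the equivalent check is aws iam simulate-custom-policy, which evaluates candidate policy documents for given actions and resource ARNs without attaching them to anyone.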

Deploy Permissions

The Deploy permissions level doesn't allow users to create or delete apps. You can augment the Deploy permissions to allow a user to create and delete apps by applying the following IAM policy. Replace region, account_id, and stack_id with values appropriate to your configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "opsworks:CreateApp",
        "opsworks:DeleteApp"
      ],
      "Resource": "arn:aws:opsworks:region:account_id:stack/stack_id/"
    }
  ]
}