Skip to main content

IAM policies & roles

IAM lets you grant scoped access to your storage instead of sharing the root account's access keys. You write policies (JSON permission documents) and attach them to roles (assumable identities with a trust policy).

Policies

The Policies page lists your managed policies — Name, Type (AWS managed / Customer managed), Attachments count and Updated date. Filter by type.

Policies list

Create a policy

Create policy starts from a Quick template (Read-only, Read & write, Full access, List buckets only, Single bucket read & write) which prefills the JSON — then tweak the document and name it.

Create policy

  • Name — 1–128 chars (letters, digits and + = , . @ - _).
  • Policy document (JSON) — a standard IAM policy; Format JSON tidies it and validates.

A policy's detail page shows its type, ARN, what it's attached to, and the document (editable for customer-managed policies). AWS-managed policies are read-only. Deleting a customer-managed policy is permanent.

Roles

A role grants temporary access to whoever can assume it. The Roles page lists them by Name and Created.

Roles list

Create a role

Create role takes a Name and a Trust policy (JSON) — the assume-role document that says who may assume the role (pre-filled with a sensible default).

Create role

A role's detail page shows its trust policy and lets you attach / detach managed policies (which define what the role can do once assumed).

tip

Model it like AWS IAM: policies answer "what actions on which resources", roles answer "who may assume this and get those permissions". Grant the least privilege that works — start from Read-only and widen only as needed.