# Granting AWS Managed Microsoft AD users and groups access to AWS resources with IAM roles
<a name="ms_ad_manage_roles"></a>

AWS Directory Service provides the ability to give your AWS Managed Microsoft AD users and groups access to AWS services and resources, such as access to the Amazon EC2 console. Similar to granting IAM users access to manage directories as described in [Identity-based policies (IAM policies)](IAM_Auth_Access_Overview.md#IAM_Auth_Access_ManagingAccess_IdentityBased), in order for users in your directory to have access to other AWS resources, such as Amazon EC2, you must assign IAM roles and policies to those users and groups. For more information, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *IAM User Guide*.

For information about how to grant users access to the AWS Management Console, see [Enabling AWS Management Console access with AWS Managed Microsoft AD credentials](ms_ad_management_console_access.md).

**Topics**
+ [Creating a new IAM role](create_role.md)
+ [Editing the trust relationship for an existing IAM role](edit_trust.md)
+ [Assigning users or groups to an existing IAM role](assign_role.md)
+ [Viewing users and groups assigned to a role](view_role_details.md)
+ [Removing a user or group from an IAM role](remove_role_users.md)
+ [Using AWS managed policies with Directory Service](ms_ad_managed_policies.md)

# Creating a new IAM role
<a name="create_role"></a>

If you need to create a new IAM role for use with Directory Service, you must create it using the IAM console. Once the role has been created, you must then set up a trust relationship with that role before you can see that role in the Directory Service console. For more information, see [Editing the trust relationship for an existing IAM role](edit_trust.md).

**Note**  
The user performing this task must have permission to perform the following IAM actions. For more information, see [Identity-based policies (IAM policies)](IAM_Auth_Access_Overview.md#IAM_Auth_Access_ManagingAccess_IdentityBased).
+ `iam:PassRole`
+ `iam:GetRole`
+ `iam:CreateRole`
+ `iam:PutRolePolicy`

**To create a new role in the IAM console**

1. In the navigation pane of the IAM console, choose **Roles**. For more information, see [Creating a role (AWS Management Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*. 

1. Choose **Create role**.

1. Under **Choose the service that will use this role**, choose **Directory Service**, and then choose **Next**.

1. Select the check box next to the policy (for example, **AmazonEC2FullAccess**) that you want to apply to your directory users, and then choose **Next**.

1. If necessary, add a tag to the role, and then choose **Next**.

1. Provide a **Role name** and optional **Description**, and then choose **Create role**.

**Example: Create a role to enable AWS Management Console access**

The following checklist provides an example of the tasks you must complete to create a new IAM role that will give specific AWS Managed Microsoft AD users access to the Amazon EC2 console.

1. Create a role with the IAM console using the procedure above. When prompted for a policy, choose **AmazonEC2FullAccess**.

1. Use the steps in [Editing the trust relationship for an existing IAM role](edit_trust.md) to edit the role you just created, and then add the required trust relationship information to the policy document. This step is necessary for the role to be visible immediately after you enable access to the AWS Management Console in the next step.

1. Follow the steps in [Enabling AWS Management Console access with AWS Managed Microsoft AD credentials](ms_ad_management_console_access.md) to configure general access to the AWS Management Console.

1. Follow the steps in [Assigning users or groups to an existing IAM role](assign_role.md) to add the users who need full access to EC2 resources to the new role.

# Editing the trust relationship for an existing IAM role
<a name="edit_trust"></a>

You can assign your existing IAM roles to your Directory Service users and groups. To do this, however, the role must have a trust relationship with Directory Service. When you use Directory Service to create a role using the procedure in [Creating a new IAM role](create_role.md), this trust relationship is automatically set.

**Note**  
You only need to establish this trust relationship for IAM roles that are not created by Directory Service.

**To establish a trust relationship for an existing IAM role to Directory Service**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, under **Access management**, choose **Roles**.

   The console displays the roles for your account.

1. Choose the name of the role that you want to modify, and once on the role's page, select the **Trust relationships** tab.

1. Choose **Edit trust policy**.

1. Under **Edit trust policy**, paste the following, and then choose **Update policy**.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
           "Service": "ds.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

You can also update this policy document using the AWS CLI. For more information, see [update-trust](https://docs.aws.amazon.com/cli/latest/reference/ds/update-trust.html) in the *AWS CLI Command Reference*.
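A role only appears in the Directory Service console once its trust policy lets `ds.amazonaws.com` call `sts:AssumeRole`, so a quick offline check of a role's trust policy is useful when a role does not show up. The following is an added example, not code from this guide or from AWS; it evaluates a trust policy document (the page's policy is embedded as constructed sample input), handles the scalar-or-list forms IAM permits, and treats an explicit `Deny` as overriding, while ignoring `Condition` blocks and `NotAction`. The `check_role_from_iam` helper and its use of `boto3` are assumptions for a live check and are not exercised offline.

```python
DS_PRINCIPAL = "ds.amazonaws.com"

# Constructed sample: the trust policy shown in this section.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": DS_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value) -> list:
    """IAM accepts a scalar or a list for Statement, Principal.Service and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_directory_service(policy: dict) -> bool:
    """True when ds.amazonaws.com is allowed sts:AssumeRole and no statement denies it.

    Simplification: Condition blocks and NotAction are not evaluated, and a
    bare "Principal": "*" is not treated as trusting Directory Service.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if DS_PRINCIPAL not in services:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny wins over any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_role_from_iam(role_name: str) -> bool:
    """Live variant (assumed: boto3 installed and IAM credentials configured)."""
    import boto3  # imported lazily so the module loads without boto3
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return trusts_directory_service(role["AssumeRolePolicyDocument"])
```

`get_role` requires the `iam:GetRole` permission listed in [Creating a new IAM role](create_role.md); boto3 returns the trust policy already decoded as a dictionary.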

# Assigning users or groups to an existing IAM role
<a name="assign_role"></a>

You can assign an existing IAM role to an AWS Managed Microsoft AD user or group. To do this, make sure you have completed the following.

**Prerequisites**
+ [Create an AWS Managed Microsoft AD](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/ms_ad_getting_started.html#ms_ad_getting_started_create_directory).
+ [Create an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_create.html) or [create an IAM group](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_groups_create.html).
+ [Create a role](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/create_role.html) that has a trust relationship with Directory Service. For existing IAM roles, you will need to [edit the trust relationship for an existing role](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/edit_trust.html).

**Important**  
Access for AWS Managed Microsoft AD users in nested groups within your directory is not supported. Members of the parent group have console access, but members of child groups do not.

**To assign AWS Managed Microsoft AD users or groups to an existing IAM role**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:

   1. If you do not have any Regions showing under **Multi-Region replication**, choose the **Application management** tab.

   1. If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to make your assignments, and then choose the **Application management** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).

1. Scroll down to the **AWS Management Console** section, choose **Actions** and **Enable**.

1. Under the **Delegate console access** section, choose the IAM role name for the existing IAM role that you want to assign users to.

1. On the **Selected role** page, under **Manage users and groups for this role**, choose **Add**.

1. On the **Add users and groups to the role** page, under **Select Active Directory Forest**, choose either the AWS Managed Microsoft AD forest (this forest) or the on-premises forest (trusted forest), whichever contains the accounts that need access to the AWS Management Console. For more information about how to set up a trusted forest, see [Tutorial: Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain](ms_ad_tutorial_setup_trust.md).

1. Under **Specify which users or groups to add**, select either **Find by user** or **Find by group**, and then type the name of the user or group. In the list of possible matches, choose the user or group that you want to add.

1. Choose **Add** to finish assigning the users and groups to the role.

# Viewing users and groups assigned to a role
<a name="view_role_details"></a>

To view the AWS Managed Microsoft AD users and groups assigned to an IAM role, perform the following steps.

**Prerequisites**
+ [Create an AWS Managed Microsoft AD](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/ms_ad_getting_started.html#ms_ad_getting_started_create_directory).
+ [Create an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_create.html) or [create an IAM group](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_groups_create.html).
+ [Create a role](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/create_role.html) that has a trust relationship with Directory Service. For existing IAM roles, you will need to [edit the trust relationship for an existing role](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/edit_trust.html).
+ [Assign your users or groups to an existing IAM role](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/assign_role.html).

**To view AWS Managed Microsoft AD users and groups assigned to an IAM role**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:

   1. If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to view your assignments, and then choose the **Application management** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).

   1. If you do not have any Regions showing under **Multi-Region replication**, choose the **Application management** tab.

1. Scroll down to the **AWS Management Console** section. The **Status** should be **Enabled**. If not, choose **Actions** and **Enable**. For more information, see [Enabling AWS Management Console access with AWS Managed Microsoft AD credentials](ms_ad_management_console_access.md).

   **Note**  
   You won't see any groups or users if the AWS Management Console is disabled.

1. Under the **Delegate Console Access** section, select the hyperlink of the IAM role you want to view. Alternatively, you can select **View policy in IAM** to view the IAM policy in the IAM console.

1. On the **Selected role** page, under the **Manage users and groups for this role** section, you can view the users and groups assigned to the IAM role.

# Removing a user or group from an IAM role
<a name="remove_role_users"></a>

To remove an AWS Managed Microsoft AD user or group from an IAM role, perform the following steps.

**To remove a user or group from an IAM role**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:

   1. If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to remove your assignments, and then choose the **Application management** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).

   1. If you do not have any Regions showing under **Multi-Region replication**, choose the **Application management** tab.

1. Under the **AWS Management Console** section, choose the IAM role you want to remove users and groups from.

1. On the **Selected role** page, under **Manage users and groups for this role**, select the users or groups to remove the role from and choose **Remove**. The role is removed from the specified users and groups, but the role is not removed from your account.

   **Note**  
   If you want to delete a role, see [Delete roles or instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html).

# Using AWS managed policies with Directory Service
<a name="ms_ad_managed_policies"></a>

Directory Service provides the following AWS managed policies to give your users and groups access to AWS services and resources, such as access to the Amazon EC2 console. You must log in to the AWS Management Console before you can view these policies.
+ [Read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
+ [Power user access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/PowerUserAccess)
+ [Directory Service full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess)
+ [Directory Service read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSDirectoryServiceReadOnlyAccess)
+ [AWS Directory Service Data full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSDirectoryServiceDataFullAccess)
+ [AWS Directory Service Data read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSDirectoryServiceDataReadOnlyAccess)
+ [Amazon Cloud Directory full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess)
+ [Amazon Cloud Directory read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonCloudDirectoryReadOnlyAccess)
+ [Amazon EC2 full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEC2FullAccess)
+ [Amazon EC2 read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess)
+ [Amazon VPC full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonVPCFullAccess)
+ [Amazon VPC read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess)
+ [Amazon RDS full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRDSFullAccess)
+ [Amazon RDS read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess)
+ [Amazon DynamoDB full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess)
+ [Amazon DynamoDB read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess)
+ [Amazon S3 full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonS3FullAccess)
+ [Amazon S3 read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess)
+ [AWS CloudTrail full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSCloudTrailFullAccess)
+ [AWS CloudTrail read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess)
+ [Amazon CloudWatch full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/CloudWatchFullAccess)
+ [Amazon CloudWatch read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess)
+ [Amazon CloudWatch Logs full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/CloudWatchLogsFullAccess)
+ [Amazon CloudWatch Logs read only access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess)

For more information on how to create your own policies, see [Example policies for administering AWS resources](https://docs.aws.amazon.com/console/iam/example-policies) in the *IAM User Guide*.