Initiate a temporary delegation request - AWS Identity and Access Management

Initiate a temporary delegation request

You can initiate a temporary delegation request only from supported Amazon or AWS Partner products. During a workflow that supports temporary delegation, you will be prompted to grant the product provider temporary, limited permissions to configure required AWS resources in your account. This automated approach provides a more streamlined experience by eliminating the need for you to configure these resources manually.

You can review delegation request details such as the specific IAM roles, policies, and AWS services the product provider needs before granting access. You can either approve the request yourself if you have sufficient permissions, or forward the request to your account administrator for approval. All product provider access is time-bounded and can be monitored and revoked as needed.

To initiate a temporary delegation request
  1. Navigate to the console of a supported product from Amazon or AWS Partners that requires integration with your AWS account.

  2. Select Deploy with IAM temporary delegation. Note that the option name may vary across supported products. Refer to the documentation of the product provider for details.

    Note

    If you are not already signed in to the AWS Management Console, a new window opens to the AWS sign-in page. We recommend that you sign in to your AWS account before initiating the temporary delegation request from the product console. For more information about how to sign in based on your user type and the AWS resources that you want to access, see the AWS Sign-In User Guide.

  3. Review the request details to confirm the product provider's product name and AWS account. You can also review the AWS identity that the product provider will use to perform actions on your behalf.

  4. Review the Access details for the permissions that will be temporarily delegated by approving this request.

    • The Permissions summary section provides an AI-generated, high-level overview of which categories of AWS services can be accessed and what types of actions can be performed in each service. Treat it as an orientation aid; the JSON policy is the authoritative statement of what is being requested.

    • Choose View JSON to review specific permissions the product provider needs to deploy in your AWS account, including access scope and resource limitations.

    • If the product provider creates an IAM role as part of a temporary delegation request, a permissions boundary must be attached to the role. Unlike the provider's delegated access, such a role persists in your account, and its permissions remain in effect, after the requested access duration expires. Choose View details to review the permissions boundary, which defines the maximum permissions that the role can have. The product provider will attach additional policies to the role during creation that define its actual permissions. Those policies may be narrower or broader than the boundary, depending on how the product provider defines them, but the boundary guarantees that the role's effective permissions never exceed what you see during request approval, regardless of which policies are attached to the role. For more information, see Permissions boundaries.

  5. Review the permission simulation results. The permission simulation capability automatically evaluates your identity's permissions against those included in the request. Based on this analysis, a recommendation is displayed indicating whether to approve the request with your current identity or forward the request to an administrator. For details, see Permission simulation beta capability.

  6. In the dialog, select how you would like to proceed.

    • Select Allow access when your identity has sufficient permissions to allow the product provider to perform onboarding procedures on your behalf. The product provider's access duration starts at the moment you allow access.

    • Select Request approval if your identity doesn't have sufficient permissions to allow the product provider to perform onboarding procedures on your behalf. Then, choose Create approval request. This creates a temporary delegation request link that you can share with your account administrator. Your administrator can open the AWS Management Console, or follow the access link to Review temporary delegation requests, to approve the request and grant temporary access to the requestor.

Note

Granting product provider access requires two actions: accepting the delegation request (AcceptDelegationRequest) and releasing the exchange token (SendDelegatedToken). The AWS Management Console performs both steps automatically when you approve a request. If you use the AWS CLI or API, you must execute both steps separately.

Permission simulation capability (beta)

When you receive a temporary delegation request, you can either approve it yourself or forward it to your account administrator for approval. You can only delegate permissions to a product provider that your own identity already holds for the services and actions included in the request. If you don't have access to some of the requested services and actions, the product provider won't receive those permissions even though they're included in the request: the delegated permissions are effectively the intersection of what was requested and what the approver is allowed to do.

For example, suppose a temporary delegation request requires the ability to create an Amazon S3 bucket, start and stop instances in Amazon EC2, and assume an IAM role. The identity that approves the request can start and stop EC2 instances and assume an IAM role, but does not have permission to create an S3 bucket. When this identity approves the request, the product provider is not able to create an S3 bucket, even though that permission was included in the request.

Because you can only delegate permissions that you already have, evaluate whether you hold the requested permissions before approving. The permission simulation beta capability helps with this evaluation by comparing your permissions against those included in the request. The assessment indicates whether you can approve the request with your current identity or need to forward it to an administrator. If the analysis cannot confirm that you have sufficient permissions, forward the request to an administrator for review. The assessment is based on simulated permission analysis and may differ from your live AWS environment, so review the requested permissions carefully before proceeding.
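The console's simulation (step 5 above and this section) is a beta and, as noted, may not match your live environment. An independent way to check the same thing before approving is to take the policy shown under View JSON, extract the actions it requests, and ask the IAM policy simulator (the standard SimulatePrincipalPolicy API) which of them your identity is actually allowed to perform. The following is an added example written for this page, not AWS's own simulation capability or any product provider's code. The request policy below is constructed for illustration and is not taken from a real product; the `simulate` callable is injected so the logic can run offline with a stand-in, and the `simulate_with_iam` helper assumes `boto3` is installed and credentials are configured when you use it for real.

```python
"""Check which actions in a delegation request your identity can actually delegate.

Added example for the IAM temporary delegation documentation; not AWS's own
permission-simulation feature. Sample policy is constructed, not real.
"""
import json
from typing import Callable, Iterable

# Constructed sample of what "View JSON" might show for a request that wants to
# create an S3 bucket, start/stop EC2 instances, and assume a role (hypothetical).
REQUESTED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/ProviderOnboardingRole"},
    ],
})

# A simulator maps action names to IAM decisions: "allowed", "explicitDeny" or "implicitDeny".
Simulator = Callable[[list[str]], dict[str, str]]


def requested_actions(policy_json: str) -> tuple[list[str], list[str]]:
    """Return (concrete actions, wildcard actions) from the Allow statements.

    Wildcard actions such as "s3:*" cannot be fed to the simulator directly and
    are returned separately so the reviewer can expand or inspect them by hand.
    """
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):      # a single statement may be an object, not a list
        statements = [statements]
    concrete, wildcards = set(), set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            (wildcards if "*" in action else concrete).add(action)
    return sorted(concrete), sorted(wildcards)


def simulate_with_iam(principal_arn: str, resource_arns: Iterable[str] = ("*",)) -> Simulator:
    """Build a Simulator backed by the real IAM SimulatePrincipalPolicy API.

    principal_arn must be an IAM user or role ARN (arn:aws:iam::...), not the
    arn:aws:sts::...:assumed-role/... ARN that get_caller_identity returns for a
    role session. Assumes boto3 is installed and credentials are configured.
    """
    import boto3  # imported lazily so the rest of the module runs without boto3

    iam = boto3.client("iam")

    def run(actions: list[str]) -> dict[str, str]:
        decisions: dict[str, str] = {}
        for i in range(0, len(actions), 100):          # API accepts a bounded batch per call
            resp = iam.simulate_principal_policy(
                PolicySourceArn=principal_arn,
                ActionNames=actions[i:i + 100],
                ResourceArns=list(resource_arns),
            )
            for result in resp["EvaluationResults"]:
                decisions[result["EvalActionName"]] = result["EvalDecision"]
        return decisions

    return run


def assess_request(policy_json: str, simulate: Simulator) -> dict:
    """Compare the request against the approver's permissions.

    Returns the actions the provider would actually receive ("delegable"), the
    ones it would not ("not_delegable"), unresolved wildcards, and a
    recommendation mirroring the console: approve only when nothing is missing.
    """
    concrete, wildcards = requested_actions(policy_json)
    decisions = simulate(concrete) if concrete else {}
    delegable = [a for a in concrete if decisions.get(a) == "allowed"]
    not_delegable = [a for a in concrete if decisions.get(a) != "allowed"]
    approve = not not_delegable and not wildcards
    return {
        "delegable": delegable,
        "not_delegable": not_delegable,
        "needs_manual_review": wildcards,
        "recommendation": "approve with current identity" if approve
                          else "forward to an administrator",
    }


if __name__ == "__main__":
    # Offline stand-in reproducing the documentation's scenario: the approver can
    # manage EC2 instances and assume the role, but cannot create S3 buckets.
    def fake_simulate(actions: list[str]) -> dict[str, str]:
        return {a: ("implicitDeny" if a == "s3:CreateBucket" else "allowed") for a in actions}

    print(json.dumps(assess_request(REQUESTED_POLICY_JSON, fake_simulate), indent=2))
```

Run it as-is to see the offline scenario; for a real check, pass `simulate_with_iam("arn:aws:iam::<account>:role/<your-role>")` instead of the stand-in. Note that the simulator evaluates identity-based and boundary policies as IAM sees them, but the delegation itself is still governed by the rules in this section, so treat a "not delegable" result as a reason to forward the request rather than as proof the provider will be blocked.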

Next steps

After you initiate a temporary delegation request, you can manage and monitor the request through its lifecycle. The following procedures help you track, approve, and control temporary access: