

# Use service-linked roles for AWS IoT SiteWise
<a name="using-service-linked-roles"></a>

AWS IoT SiteWise uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html). A service-linked role is a unique type of IAM role that is linked directly to AWS IoT SiteWise. Service-linked roles are predefined by AWS IoT SiteWise and include all the permissions that the service requires to call other AWS services on your behalf.

Service-linked roles simplify the configuration of AWS IoT SiteWise because you don't have to add the required permissions manually. AWS IoT SiteWise defines the permissions of its service-linked roles, and unless defined otherwise, only AWS IoT SiteWise can assume its roles. The defined permissions include both the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your AWS IoT SiteWise resources because you can't inadvertently remove permission to access them.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [Service-linked role permissions](service-linked-role-permissions.md)
+ [Create a service-linked role](create-service-linked-role.md)
+ [Update a service-linked role](edit-service-linked-role.md)
+ [Delete a service-linked role](delete-service-linked-role.md)
+ [Supported regions](#slr-regions)
+ [Use service roles for SiteWise Monitor](monitor-service-role.md)

# Service-linked role permissions for AWS IoT SiteWise
<a name="service-linked-role-permissions"></a>

AWS IoT SiteWise uses the service-linked role named **AWSServiceRoleForIoTSiteWise**. AWS IoT SiteWise uses this service-linked role to deploy SiteWise Edge gateways (which run on AWS IoT Greengrass) and perform logging.

The `AWSServiceRoleForIoTSiteWise` service-linked role uses the `AWSServiceRoleForIoTSiteWise` policy with the following permissions. This policy:
+ Allows AWS IoT SiteWise to read the AWS IoT Greengrass group and core definitions it needs to deploy SiteWise Edge gateways (which run on AWS IoT Greengrass).
+ Allows AWS IoT SiteWise to perform logging to CloudWatch Logs.
+ Allows AWS IoT SiteWise to run metadata search queries against the AWS IoT TwinMaker database.

For more information on the allowed actions in `AWSServiceRoleForIoTSiteWise`, see [AWS managed policies for AWS IoT SiteWise](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSServiceRoleForIoTSiteWise). Note how the policy is scoped: the AWS IoT Greengrass permissions are read-only (`Get*`) but apply to every Greengrass resource (`"Resource": "*"`), the CloudWatch Logs permissions are limited to log groups whose names begin with `/aws/iotsitewise`, and the AWS IoT TwinMaker permissions apply only to workspaces that are linked to AWS IoT SiteWise, enforced by the `iottwinmaker:linkedServices` condition. The three variants that follow differ only in the ARN partition (`aws`, `aws-us-gov`, `aws-cn`); a policy written for one partition never matches resources in another.

------
#### [ JSON (standard AWS Regions, `arn:aws` partition) ]

```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowSiteWiseReadGreenGrass",
			"Effect": "Allow",
			"Action": [
				"greengrass:GetAssociatedRole",
				"greengrass:GetCoreDefinition",
				"greengrass:GetCoreDefinitionVersion",
				"greengrass:GetGroup",
				"greengrass:GetGroupVersion"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowSiteWiseAccessLogGroup",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogGroup",
				"logs:DescribeLogGroups"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*"
		},
		{
			"Sid": "AllowSiteWiseAccessLog",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogStream",
				"logs:DescribeLogStreams",
				"logs:PutLogEvents"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
		},
		{
			"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
			"Effect": "Allow",
			"Action": [
				"iottwinmaker:GetWorkspace",
				"iottwinmaker:ExecuteQuery"
			],
			"Resource": "arn:aws:iottwinmaker:*:*:workspace/*",
			"Condition": {
				"ForAnyValue:StringEquals": {
					"iottwinmaker:linkedServices": [
						"IOTSITEWISE"
					]
				}
			}
		}
	]
}
```

------

------
#### [ JSON (AWS GovCloud (US) Regions, `arn:aws-us-gov` partition) ]

```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowSiteWiseReadGreenGrass",
			"Effect": "Allow",
			"Action": [
				"greengrass:GetAssociatedRole",
				"greengrass:GetCoreDefinition",
				"greengrass:GetCoreDefinitionVersion",
				"greengrass:GetGroup",
				"greengrass:GetGroupVersion"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowSiteWiseAccessLogGroup",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogGroup",
				"logs:DescribeLogGroups"
			],
			"Resource": "arn:aws-us-gov:logs:*:*:log-group:/aws/iotsitewise*"
		},
		{
			"Sid": "AllowSiteWiseAccessLog",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogStream",
				"logs:DescribeLogStreams",
				"logs:PutLogEvents"
			],
			"Resource": "arn:aws-us-gov:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
		},
		{
			"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
			"Effect": "Allow",
			"Action": [
				"iottwinmaker:GetWorkspace",
				"iottwinmaker:ExecuteQuery"
			],
			"Resource": "arn:aws-us-gov:iottwinmaker:*:*:workspace/*",
			"Condition": {
				"ForAnyValue:StringEquals": {
					"iottwinmaker:linkedServices": [
						"IOTSITEWISE"
					]
				}
			}
		}
	]
}
```

------

------
#### [ JSON (China Regions, `arn:aws-cn` partition) ]

```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowSiteWiseReadGreenGrass",
			"Effect": "Allow",
			"Action": [
				"greengrass:GetAssociatedRole",
				"greengrass:GetCoreDefinition",
				"greengrass:GetCoreDefinitionVersion",
				"greengrass:GetGroup",
				"greengrass:GetGroupVersion"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowSiteWiseAccessLogGroup",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogGroup",
				"logs:DescribeLogGroups"
			],
			"Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*"
		},
		{
			"Sid": "AllowSiteWiseAccessLog",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogStream",
				"logs:DescribeLogStreams",
				"logs:PutLogEvents"
			],
			"Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
		},
		{
			"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
			"Effect": "Allow",
			"Action": [
				"iottwinmaker:GetWorkspace",
				"iottwinmaker:ExecuteQuery"
			],
			"Resource": "arn:aws-cn:iottwinmaker:*:*:workspace/*",
			"Condition": {
				"ForAnyValue:StringEquals": {
					"iottwinmaker:linkedServices": [
						"IOTSITEWISE"
					]
				}
			}
		}
	]
}
```

------

You can use the logs to monitor and troubleshoot your SiteWise Edge gateways. For more information, see [Monitor SiteWise Edge gateway logs](monitor-gateway-logs.md).

To allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role, first configure permissions. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#service-linked-role-permissions) in the *IAM User Guide*.
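The following script is an added example, not code from this guide or from AWS IoT SiteWise itself. It audits the service-linked role offline against the properties described above: only `iotsitewise.amazonaws.com` may assume it, nothing beyond read-only `Get*` actions is granted on `"Resource": "*"`, the logging permissions stay inside `/aws/iotsitewise`, TwinMaker queries are limited by the `iottwinmaker:linkedServices` condition, and all ARNs belong to the partition you are running in. The permissions policy is the standard-partition document shown above; the trust policy is an assumption built from the service principal this page names, and the "drifted" trust policy is a constructed bad case. To run it against a real account, replace the embedded documents with the output of `aws iam get-role --role-name AWSServiceRoleForIoTSiteWise` (for the trust policy) and `aws iam get-policy-version` (for the permissions policy).

```python
import fnmatch

# The standard-partition AWSServiceRoleForIoTSiteWise policy, as shown on this page.
SLR_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSiteWiseReadGreenGrass", "Effect": "Allow",
         "Action": ["greengrass:GetAssociatedRole", "greengrass:GetCoreDefinition",
                    "greengrass:GetCoreDefinitionVersion", "greengrass:GetGroup",
                    "greengrass:GetGroupVersion"],
         "Resource": "*"},
        {"Sid": "AllowSiteWiseAccessLogGroup", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:DescribeLogGroups"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*"},
        {"Sid": "AllowSiteWiseAccessLog", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"},
        {"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker", "Effect": "Allow",
         "Action": ["iottwinmaker:GetWorkspace", "iottwinmaker:ExecuteQuery"],
         "Resource": "arn:aws:iottwinmaker:*:*:workspace/*",
         "Condition": {"ForAnyValue:StringEquals": {"iottwinmaker:linkedServices": ["IOTSITEWISE"]}}},
    ],
}

# Assumption: the trust policy IAM attaches to this service-linked role, built from
# the service principal the page names.  Confirm with `aws iam get-role`.
SLR_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "iotsitewise.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

# Constructed drift case: a second service principal was added by hand.
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["iotsitewise.amazonaws.com", "ec2.amazonaws.com"]},
     "Action": "sts:AssumeRole"}]}


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and Principal.Service.
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole on the role."""
    services = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            services.update(_as_list(st.get("Principal", {}).get("Service", [])))
    return services

def allowing_statements(policy, action):
    """Allow statements whose Action matches `action` (IAM * and ? wildcards).
    IAM matches action names case-insensitively; this check is case-sensitive."""
    return [st for st in policy["Statement"] if st.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"]))]

def resources_for(policy, action):
    """Resource ARNs on which `action` is allowed, sorted for stable comparison."""
    return sorted({r for st in allowing_statements(policy, action) for r in _as_list(st["Resource"])})

def condition_keys_for(policy, action):
    """Condition keys attached to the statements that allow `action`."""
    keys = set()
    for st in allowing_statements(policy, action):
        for operator_block in st.get("Condition", {}).values():
            keys.update(operator_block)
    return keys

def wildcard_non_read_actions(policy):
    """Actions granted on Resource "*" whose verb is not Get/List/Describe."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "*" not in _as_list(st["Resource"]):
            continue
        flagged += [a for a in _as_list(st["Action"])
                    if not a.split(":", 1)[1].startswith(("Get", "List", "Describe"))]
    return flagged

def arn_partitions(policy):
    """Partitions (aws, aws-us-gov, aws-cn) named in the policy's resource ARNs."""
    return {r.split(":")[1] for st in policy["Statement"]
            for r in _as_list(st["Resource"]) if r.startswith("arn:")}

def audit(trust_policy, permissions_policy, service="iotsitewise.amazonaws.com", partition="aws"):
    """Human-readable findings; an empty list means the role looks as documented."""
    findings = []
    extra = trusted_services(trust_policy) - {service}
    if extra:
        findings.append(f"unexpected principals may assume the role: {sorted(extra)}")
    wild = wildcard_non_read_actions(permissions_policy)
    if wild:
        findings.append(f"non-read actions granted on Resource '*': {wild}")
    foreign = arn_partitions(permissions_policy) - {partition}
    if foreign:
        findings.append(f"ARNs from another partition never match here: {sorted(foreign)}")
    if "iottwinmaker:linkedServices" not in condition_keys_for(permissions_policy, "iottwinmaker:ExecuteQuery"):
        findings.append("TwinMaker queries are not limited to SiteWise-linked workspaces")
    if any("/aws/iotsitewise" not in r for r in resources_for(permissions_policy, "logs:PutLogEvents")):
        findings.append("logs:PutLogEvents reaches log groups outside /aws/iotsitewise")
    return findings
```

`audit(SLR_TRUST, SLR_PERMISSIONS)` returns no findings for the documented role, `audit(DRIFTED_TRUST, SLR_PERMISSIONS)` reports the extra principal, and `audit(SLR_TRUST, SLR_PERMISSIONS, partition="aws-us-gov")` reports that `arn:aws` resources can never match in GovCloud, which is why the page carries a separate policy per partition. Because you can't edit a service-linked role's permissions, a non-empty result means either the policy text you pasted is stale or the trust policy was modified outside the normal process.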

# Create a service-linked role for AWS IoT SiteWise
<a name="create-service-linked-role"></a>

AWS IoT SiteWise requires a service-linked role to perform certain actions and to access resources on your behalf. A service-linked role is a unique type of AWS Identity and Access Management (IAM) role that is linked directly to AWS IoT SiteWise. By creating this role, you grant AWS IoT SiteWise the permissions it needs in other AWS services: reading AWS IoT Greengrass group and core definitions to deploy SiteWise Edge gateways, writing to CloudWatch Logs log groups under `/aws/iotsitewise`, and querying AWS IoT TwinMaker workspaces that are linked to AWS IoT SiteWise.

You don't need to manually create a service-linked role. When you perform any of the following operations in the AWS IoT SiteWise console, AWS IoT SiteWise creates the service-linked role for you:
+ Create a Greengrass V1 gateway.
+ Configure the logging option.
+ Choose the opt-in button in the execute query banner.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you perform any operation in the AWS IoT SiteWise console, AWS IoT SiteWise creates the service-linked role for you again. 

You can also use the IAM console or API to create a service-linked role for AWS IoT SiteWise.
+ To do so in the IAM console, create a role with the **AWSServiceRoleForIoTSiteWise** policy and a trust relationship with `iotsitewise.amazonaws.com`.
+ To do so using the AWS CLI or IAM API, call `CreateServiceLinkedRole` with the service name `iotsitewise.amazonaws.com`, for example `aws iam create-service-linked-role --aws-service-name iotsitewise.amazonaws.com`. IAM creates the role under the `/aws-service-role/` path, attaches the `arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForIoTSiteWise` policy (with the `aws-us-gov` or `aws-cn` partition in those Regions), and sets a trust relationship with `iotsitewise.amazonaws.com`. A service-linked role can't be created with the regular `create-role` command.

For more information, see [Create a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#create-service-linked-role) in the *IAM User Guide*.

# Update a service-linked role for AWS IoT SiteWise
<a name="edit-service-linked-role"></a>

AWS IoT SiteWise doesn't allow you to edit the AWSServiceRoleForIoTSiteWise service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Update a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html) in the *IAM User Guide*.

# Delete a service-linked role for AWS IoT SiteWise
<a name="delete-service-linked-role"></a>

If you no longer use a feature or service that requires a service-linked role, delete the associated role so that you don't keep an unused entity that isn't monitored or maintained. However, you must clean up the resources that the service-linked role uses before you can manually delete it.

**Note**  
If the AWS IoT SiteWise service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try again.

**To delete the AWS IoT SiteWise resources used by AWSServiceRoleForIoTSiteWise**

1. Disable logging for AWS IoT SiteWise. For more information, see [Change your logging level](monitor-cloudwatch-logs.md#change-logging-level).

1. Delete any active SiteWise Edge gateways.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForIoTSiteWise service-linked role. For more information, see [Delete a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for AWS IoT SiteWise service-linked roles
<a name="slr-regions"></a>

AWS IoT SiteWise supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS IoT SiteWise Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/iot-sitewise.html).

# Use service roles for AWS IoT SiteWise Monitor
<a name="monitor-service-role"></a>

A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

To allow federated SiteWise Monitor portal users to access your AWS IoT SiteWise and AWS IAM Identity Center resources, you must attach a service role to each portal that you create. The service role must specify SiteWise Monitor as a trusted entity and include the [AWSIoTSiteWiseMonitorPortalAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSIoTSiteWiseMonitorPortalAccess) managed policy or define [equivalent permissions](#monitor-service-role-permissions). This policy is maintained by AWS and defines the set of permissions that SiteWise Monitor uses to access your AWS IoT SiteWise and IAM Identity Center resources.

When you create a SiteWise Monitor portal, you must choose a role that allows users of that portal to access your AWS IoT SiteWise and IAM Identity Center resources. The AWS IoT SiteWise console can create and configure the role for you. You can edit the role in IAM later. If you remove required permissions from the role or delete the role, portal users lose the corresponding access in their SiteWise Monitor portals.

**Note**  
Portals created before April 29, 2020 didn't require service roles. If you created portals before this date, you must attach service roles to continue using them. To do so, navigate to the **Portals** page in the [AWS IoT SiteWise console](https://console.aws.amazon.com/iotsitewise/), and then choose **Migrate all portals to use IAM roles**.

The following sections describe how to create and manage the SiteWise Monitor service role in the AWS Management Console or the AWS Command Line Interface.

**Contents**
+ [Service role permissions for SiteWise Monitor (Classic)](#monitor-service-role-permissions)
+ [Service role permissions for SiteWise Monitor (AI-aware)](#monitor-ai-service-role-permissions)
+ [Manage the SiteWise Monitor service role (console)](#manage-portal-role-console)
  + [Find a portal's service role (console)](#find-portal-role-console)
  + [Create a SiteWise Monitor service role (AWS IoT SiteWise console)](#create-portal-role-sitewise-console)
  + [Create a SiteWise Monitor service role (IAM console)](#create-portal-role-iam-console)
  + [Change a portal's service role (console)](#change-portal-role-console)
+ [Manage the SiteWise Monitor service role (CLI)](#manage-portal-role-cli)
  + [Find a portal's service role (CLI)](#find-portal-role-cli)
  + [Create the SiteWise Monitor service role (CLI)](#create-portal-role-cli)
+ [SiteWise Monitor updates to AWSIoTSiteWiseMonitorServiceRole](#monitor-role-permission-updates)

## Service role permissions for SiteWise Monitor (Classic)
<a name="monitor-service-role-permissions"></a>

When you create a portal, AWS IoT SiteWise lets you create a role whose name starts with **AWSIoTSiteWiseMonitorServiceRole**. This role allows federated SiteWise Monitor users to access your portal configuration, assets, asset data, and IAM Identity Center configuration.

The role trusts the following service to assume the role:
+ `monitor.iotsitewise.amazonaws.com`

The role uses the following permissions policy, which starts with **AWSIoTSiteWiseMonitorServicePortalPolicy**, to allow SiteWise Monitor users to complete actions on resources in your account. The [AWSIoTSiteWiseMonitorPortalAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSIoTSiteWiseMonitorPortalAccess) managed policy defines equivalent permissions.

------
#### [ JSON (with alarm permissions) ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribePortal",
                "iotsitewise:CreateProject",
                "iotsitewise:DescribeProject",
                "iotsitewise:UpdateProject",
                "iotsitewise:DeleteProject",
                "iotsitewise:ListProjects",
                "iotsitewise:BatchAssociateProjectAssets",
                "iotsitewise:BatchDisassociateProjectAssets",
                "iotsitewise:ListProjectAssets",
                "iotsitewise:CreateDashboard",
                "iotsitewise:DescribeDashboard",
                "iotsitewise:UpdateDashboard",
                "iotsitewise:DeleteDashboard",
                "iotsitewise:ListDashboards",
                "iotsitewise:CreateAccessPolicy",
                "iotsitewise:DescribeAccessPolicy",
                "iotsitewise:UpdateAccessPolicy",
                "iotsitewise:DeleteAccessPolicy",
                "iotsitewise:ListAccessPolicies",
                "iotsitewise:DescribeAsset",
                "iotsitewise:ListAssets",
                "iotsitewise:ListAssociatedAssets",
                "iotsitewise:DescribeAssetProperty",
                "iotsitewise:GetAssetPropertyValue",
                "iotsitewise:GetAssetPropertyValueHistory",
                "iotsitewise:GetAssetPropertyAggregates",
                "iotsitewise:BatchPutAssetPropertyValue",
                "iotsitewise:ListAssetRelationships",
                "iotsitewise:DescribeAssetModel",
                "iotsitewise:ListAssetModels",
                "iotsitewise:UpdateAssetModel",
                "iotsitewise:UpdateAssetModelPropertyRouting",
                "sso-directory:DescribeUsers",
                "sso-directory:DescribeUser",
                "iotevents:DescribeAlarmModel",
                "iotevents:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:BatchAcknowledgeAlarm",
                "iotevents:BatchSnoozeAlarm",
                "iotevents:BatchEnableAlarm",
                "iotevents:BatchDisableAlarm"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "iotevents:keyValue": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:CreateAlarmModel",
                "iotevents:TagResource"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/iotsitewisemonitor": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:UpdateAlarmModel",
                "iotevents:DeleteAlarmModel"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/iotsitewisemonitor": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "iotevents.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

------
#### [ JSON (without alarm permissions) ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotsitewise:CreateProject",
        "iotsitewise:DescribeProject",
        "iotsitewise:UpdateProject",
        "iotsitewise:DeleteProject",
        "iotsitewise:ListProjects",
        "iotsitewise:BatchAssociateProjectAssets",
        "iotsitewise:BatchDisassociateProjectAssets",
        "iotsitewise:ListProjectAssets",
        "iotsitewise:CreateDashboard",
        "iotsitewise:DescribeDashboard",
        "iotsitewise:UpdateDashboard",
        "iotsitewise:DeleteDashboard",
        "iotsitewise:ListDashboards",
        "iotsitewise:CreateAccessPolicy",
        "iotsitewise:DescribeAccessPolicy",
        "iotsitewise:UpdateAccessPolicy",
        "iotsitewise:DeleteAccessPolicy",
        "iotsitewise:ListAccessPolicies",
        "iotsitewise:DescribeAsset",
        "iotsitewise:ListAssets",
        "iotsitewise:ListAssociatedAssets",
        "iotsitewise:DescribeAssetProperty",
        "iotsitewise:GetAssetPropertyValue",
        "iotsitewise:GetAssetPropertyValueHistory",
        "iotsitewise:GetAssetPropertyAggregates"
      ],
      "Resource": "*"
    }
  ]
}
```

------

For more information about the required permissions for alarms, see [Set up permissions for event alarms in AWS IoT SiteWise](alarms-iam-permissions.md).

When a portal user signs in, SiteWise Monitor creates a [session policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) based on the intersection of the service role and that user's access policies. Access policies define identities' level of access to your portals and projects. For more information about portal permissions and access policies, see [Administer your SiteWise Monitor portals](administer-portals.md) and [CreateAccessPolicy](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAccessPolicy.html).
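The following script is an added example, not code from this guide or from SiteWise Monitor. It demonstrates two checks that follow from the paragraphs above and from the "attach a policy that defines equivalent permissions" step in the CLI procedure later on this page: first, whether a hand-written policy really covers every action in the managed portal-access policy before you swap it in for a portal; second, how a session policy narrows a service role, so that an action missing from the role is unavailable to every portal user no matter what their access policy says. The required action list is copied from the first statement of the Classic policy above. The candidate policy, the session policy and the `allows` evaluator are constructed simplifications: the real mapping from access-policy permission levels to session-policy actions is internal to SiteWise Monitor and is not documented here, and the evaluator ignores `Condition` blocks and treats action names case-sensitively.

```python
import fnmatch

# Actions the AWSIoTSiteWiseMonitorPortalAccess-equivalent policy on this page
# grants a Classic portal (its first statement), used here as the required set.
REQUIRED_CLASSIC = (
    "iotsitewise:DescribePortal", "iotsitewise:CreateProject", "iotsitewise:DescribeProject",
    "iotsitewise:UpdateProject", "iotsitewise:DeleteProject", "iotsitewise:ListProjects",
    "iotsitewise:BatchAssociateProjectAssets", "iotsitewise:BatchDisassociateProjectAssets",
    "iotsitewise:ListProjectAssets", "iotsitewise:CreateDashboard", "iotsitewise:DescribeDashboard",
    "iotsitewise:UpdateDashboard", "iotsitewise:DeleteDashboard", "iotsitewise:ListDashboards",
    "iotsitewise:CreateAccessPolicy", "iotsitewise:DescribeAccessPolicy", "iotsitewise:UpdateAccessPolicy",
    "iotsitewise:DeleteAccessPolicy", "iotsitewise:ListAccessPolicies", "iotsitewise:DescribeAsset",
    "iotsitewise:ListAssets", "iotsitewise:ListAssociatedAssets", "iotsitewise:DescribeAssetProperty",
    "iotsitewise:GetAssetPropertyValue", "iotsitewise:GetAssetPropertyValueHistory",
    "iotsitewise:GetAssetPropertyAggregates", "iotsitewise:BatchPutAssetPropertyValue",
    "iotsitewise:ListAssetRelationships", "iotsitewise:DescribeAssetModel", "iotsitewise:ListAssetModels",
    "iotsitewise:UpdateAssetModel", "iotsitewise:UpdateAssetModelPropertyRouting",
    "sso-directory:DescribeUsers", "sso-directory:DescribeUser",
    "iotevents:DescribeAlarmModel", "iotevents:ListTagsForResource",
)

# Constructed service-role policy: exactly the required set on every resource.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_CLASSIC), "Resource": "*"}]}

# Constructed "equivalent" policy that only covers reads: a common mistake.
READ_ONLY_CANDIDATE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iotsitewise:Describe*", "iotsitewise:List*", "iotsitewise:Get*",
                                   "sso-directory:Describe*", "iotevents:DescribeAlarmModel",
                                   "iotevents:ListTagsForResource"], "Resource": "*"}]}

# Constructed stand-in for the session policy SiteWise Monitor derives for a
# read-only user.  The real derivation is internal to the service.
VIEWER_SESSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iotsitewise:Describe*", "iotsitewise:List*", "iotsitewise:Get*"],
     "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM action and resource wildcards (* and ?) behave like shell globs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def allows(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants.  Condition blocks are ignored, so conditional Allows count."""
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _matches(st.get("Resource", "*"), resource):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_actions(required, candidate):
    """Required actions the candidate policy does not grant on every resource."""
    return [a for a in required if not allows(candidate, a, "*")]

def effective_allow(role_policy, session_policy, action, resource="*"):
    """Session semantics: the role is the ceiling and the session policy can only
    remove permissions, so both must allow for the request to succeed."""
    return allows(role_policy, action, resource) and allows(session_policy, action, resource)

def without_action(policy, action):
    """Copy of the policy with one action removed, to model editing the role in IAM."""
    return {"Version": policy["Version"], "Statement": [
        {**st, "Action": [a for a in _as_list(st["Action"]) if a != action]}
        for st in policy["Statement"]]}
```

`missing_actions(REQUIRED_CLASSIC, READ_ONLY_CANDIDATE)` lists the fourteen project, dashboard, access-policy, `BatchPutAssetPropertyValue` and asset-model write actions the read-only policy lacks, which is what portal owners would hit as errors after the swap. `effective_allow` shows the other direction: with the viewer session policy `iotsitewise:GetAssetPropertyValue` succeeds and `iotsitewise:CreateProject` fails, and removing `GetAssetPropertyValue` from the role with `without_action` makes it fail for that viewer too, while a session policy that names an action the role lacks (for example `iotsitewise:DeleteAsset`) grants nothing.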

## Service role permissions for SiteWise Monitor (AI-aware)
<a name="monitor-ai-service-role-permissions"></a>

When you create a portal, AWS IoT SiteWise lets you create a role whose name starts with **IoTSiteWisePortalRole**. This role allows federated SiteWise Monitor users to access your portal configuration, assets, asset data, and IAM Identity Center configuration.

**Warning**  
 **Project owner** and **Project viewer** roles are not supported for SiteWise Monitor (AI-aware). 

The role trusts the following service to assume the role:
+ `monitor.iotsitewise.amazonaws.com`

The role uses the following permissions policy, which starts with **IoTSiteWiseAIPortalAccessPolicy**, to allow SiteWise Monitor users to complete actions on resources in your account.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:CreateProject",
                "iotsitewise:DescribePortal",
                "iotsitewise:ListProjects",
                "iotsitewise:DescribeProject",
                "iotsitewise:UpdateProject",
                "iotsitewise:DeleteProject",
                "iotsitewise:CreateDashboard",
                "iotsitewise:DescribeDashboard",
                "iotsitewise:UpdateDashboard",
                "iotsitewise:DeleteDashboard",
                "iotsitewise:ListDashboards",
                "iotsitewise:ListAssets",
                "iotsitewise:DescribeAsset",
                "iotsitewise:ListAssociatedAssets",
                "iotsitewise:ListAssetProperties",
                "iotsitewise:DescribeAssetProperty",
                "iotsitewise:GetAssetPropertyValue",
                "iotsitewise:GetAssetPropertyValueHistory",
                "iotsitewise:GetAssetPropertyAggregates",
                "iotsitewise:GetInterpolatedAssetPropertyValues",
                "iotsitewise:BatchGetAssetPropertyAggregates",
                "iotsitewise:BatchGetAssetPropertyValue",
                "iotsitewise:BatchGetAssetPropertyValueHistory",
                "iotsitewise:ListAssetRelationships",
                "iotsitewise:DescribeAssetModel",
                "iotsitewise:ListAssetModels",
                "iotsitewise:DescribeAssetCompositeModel",
                "iotsitewise:DescribeAssetModelCompositeModel",
                "iotsitewise:ListAssetModelProperties",
                "iotsitewise:ExecuteQuery",
                "iotsitewise:ListTimeSeries",
                "iotsitewise:DescribeTimeSeries",
                "iotsitewise:InvokeAssistant",
                "iotsitewise:DescribeDataset",
                "iotsitewise:ListDatasets",
                "iotevents:DescribeAlarmModel",
                "iotevents:ListTagsForResource",
                "iottwinmaker:ListWorkspaces",
                "iottwinmaker:ExecuteQuery",
                "iottwinmaker:GetWorkspace",
                "identitystore:DescribeUser"
            ],
            "Resource": "*"
        }
    ]
}
```

------

When a portal user signs in, SiteWise Monitor creates a [session policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) based on the intersection of the service role and that user's access policies.

## Manage the SiteWise Monitor service role (console)
<a name="manage-portal-role-console"></a>

The AWS IoT SiteWise console helps you manage the SiteWise Monitor service role for portals. When you create a portal, the console checks for existing roles that it can attach. If none are available, the console can create and configure a service role for you. For more information, see [Create a portal in SiteWise Monitor](monitor-create-portal.md).

**Topics**
+ [Find a portal's service role (console)](#find-portal-role-console)
+ [Create a SiteWise Monitor service role (AWS IoT SiteWise console)](#create-portal-role-sitewise-console)
+ [Create a SiteWise Monitor service role (IAM console)](#create-portal-role-iam-console)
+ [Change a portal's service role (console)](#change-portal-role-console)

### Find a portal's service role (console)
<a name="find-portal-role-console"></a>

Use the following steps to find the service role attached to a SiteWise Monitor portal.

**To find a portal's service role**

1. Navigate to the [AWS IoT SiteWise console](https://console.aws.amazon.com/iotsitewise/).

1. In the left navigation pane, choose **Portals**.

1. Choose the portal for which you want to find the service role.

   The role attached to the portal appears under **Permissions**, **Service role**.

### Create a SiteWise Monitor service role (AWS IoT SiteWise console)
<a name="create-portal-role-sitewise-console"></a>

When you create a SiteWise Monitor portal, you can create a service role for your portal. For more information, see [Create a portal in SiteWise Monitor](monitor-create-portal.md).

You can also create a service role for an existing portal in the AWS IoT SiteWise console. This replaces the portal's existing service role.

**To create a service role for an existing portal**

1. <a name="sitewise-open-console"></a>Navigate to the [AWS IoT SiteWise console](https://console.aws.amazon.com/iotsitewise/).

1. <a name="sitewise-choose-portals"></a>In the navigation pane, choose **Portals**.

1. Choose the portal for which you want to create a new service role.

1. <a name="sitewise-edit-portal-details"></a>Under **Portal details**, choose **Edit**.

1. Under **Permissions**, choose **Create and use a new service role** from the list.

1. Enter a name for your new role.

1. Choose **Save**.

### Create a SiteWise Monitor service role (IAM console)
<a name="create-portal-role-iam-console"></a>

You can create a service role from the service role template in the IAM console. This role template includes the [AWSIoTSiteWiseMonitorPortalAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSIoTSiteWiseMonitorPortalAccess) managed policy and specifies SiteWise Monitor as a trusted entity.

**To create a service role from the portal service role template**

1. Navigate to the [IAM console](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. Choose **Create role**.

1. In **Choose a use case**, choose **IoT SiteWise**.

1. In **Select your use case**, choose **IoT SiteWise Monitor - Portal**.

1. Choose **Next: Permissions**.

1. Choose **Next: Tags**.

1. Choose **Next: Review**.

1. Enter a **Role name** for the new service role.

1. Choose **Create role**.

### Change a portal's service role (console)
<a name="change-portal-role-console"></a>

Use the following procedure to choose a different SiteWise Monitor service role for a portal.

**To change a portal's service role**

1. <a name="sitewise-open-console"></a>Navigate to the [AWS IoT SiteWise console](https://console.aws.amazon.com/iotsitewise/).

1. <a name="sitewise-choose-portals"></a>In the navigation pane, choose **Portals**.

1. Choose the portal for which you want to change the service role.

1. <a name="sitewise-edit-portal-details"></a>Under **Portal details**, choose **Edit**.

1. Under **Permissions**, choose **Use an existing role**.

1. Choose an existing role to attach to this portal.

1. Choose **Save**.

## Manage the SiteWise Monitor service role (CLI)
<a name="manage-portal-role-cli"></a>

You can use the AWS CLI for the following portal service role management tasks:

**Topics**
+ [Find a portal's service role (CLI)](#find-portal-role-cli)
+ [Create the SiteWise Monitor service role (CLI)](#create-portal-role-cli)

### Find a portal's service role (CLI)
<a name="find-portal-role-cli"></a>

To find the service role attached to a SiteWise Monitor portal, run the following command to list all of your portals in the current Region.

```
aws iotsitewise list-portals
```

The operation returns a response that contains your portal summaries in the following format.

```
{
  "portalSummaries": [
    {
      "id": "a1b2c3d4-5678-90ab-cdef-aaaaaEXAMPLE",
      "name": "WindFarmPortal",
      "description": "A portal that contains wind farm projects for Example Corp.",
      "roleArn": "arn:aws:iam::123456789012:role/service-role/role-name",
      "startUrl": "https://a1b2c3d4-5678-90ab-cdef-aaaaaEXAMPLE.app.iotsitewise.aws",
      "creationDate": "2020-02-04T23:01:52.90248068Z",
      "lastUpdateDate": "2020-02-04T23:01:52.90248078Z"
    }
  ]
}
```

You can also use the [DescribePortal](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribePortal.html) operation to find your portal's role if you know the ID of your portal.

### Create the SiteWise Monitor service role (CLI)
<a name="create-portal-role-cli"></a>

Use the following steps to create a new SiteWise Monitor service role.

**To create a SiteWise Monitor service role**

1. Create a role with a trust policy that allows SiteWise Monitor to assume the role. This example creates a role named **MySiteWiseMonitorPortalRole** from a trust policy stored in a JSON string.

------
#### [ Linux, macOS, or Unix ]

   ```
   aws iam create-role --role-name MySiteWiseMonitorPortalRole --assume-role-policy-document '{
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "monitor.iotsitewise.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }'
   ```

------
#### [ Windows command prompt ]

   ```
   aws iam create-role --role-name MySiteWiseMonitorPortalRole --assume-role-policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"monitor.iotsitewise.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
   ```

------

1. Copy the role ARN from the role metadata in the output. When you create a portal, you use this ARN to associate the role with your portal. For more information about creating a portal, see [CreatePortal](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreatePortal.html) in the *AWS IoT SiteWise API Reference*.

1. Attach a permissions policy that matches the type of portal the role will serve.

   1. For SiteWise Monitor (Classic), attach the `AWSIoTSiteWiseMonitorPortalAccess` managed policy to the role, or attach a policy that defines equivalent permissions.

      ```
      aws iam attach-role-policy --role-name MySiteWiseMonitorPortalRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSIoTSiteWiseMonitorPortalAccess
      ```

   1. For SiteWise Monitor (AI-aware), attach a policy with the `IoTSiteWiseAIPortalAccessPolicy` permissions shown earlier, or a policy that defines equivalent permissions. The following example creates such a policy named `MySiteWiseMonitorPortalAccess`.

      ```
      aws iam create-policy \
          --policy-name MySiteWiseMonitorPortalAccess \
          --policy-document '{
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "iotsitewise:CreateProject",
                      "iotsitewise:DescribePortal",
                      "iotsitewise:ListProjects",
                      "iotsitewise:DescribeProject",
                      "iotsitewise:UpdateProject",
                      "iotsitewise:DeleteProject",
                      "iotsitewise:CreateDashboard",
                      "iotsitewise:DescribeDashboard",
                      "iotsitewise:UpdateDashboard",
                      "iotsitewise:DeleteDashboard",
                      "iotsitewise:ListDashboards",
                      "iotsitewise:ListAssets",
                      "iotsitewise:DescribeAsset",
                      "iotsitewise:ListAssociatedAssets",
                      "iotsitewise:ListAssetProperties",
                      "iotsitewise:DescribeAssetProperty",
                      "iotsitewise:GetAssetPropertyValue",
                      "iotsitewise:GetAssetPropertyValueHistory",
                      "iotsitewise:GetAssetPropertyAggregates",
                      "iotsitewise:GetInterpolatedAssetPropertyValues",
                      "iotsitewise:BatchGetAssetPropertyAggregates",
                      "iotsitewise:BatchGetAssetPropertyValue",
                      "iotsitewise:BatchGetAssetPropertyValueHistory",
                      "iotsitewise:ListAssetRelationships",
                      "iotsitewise:DescribeAssetModel",
                      "iotsitewise:ListAssetModels",
                      "iotsitewise:DescribeAssetCompositeModel",
                      "iotsitewise:DescribeAssetModelCompositeModel",
                      "iotsitewise:ListAssetModelProperties",
                      "iotsitewise:ExecuteQuery",
                      "iotsitewise:ListTimeSeries",
                      "iotsitewise:DescribeTimeSeries",
                      "iotsitewise:InvokeAssistant",
                      "iotsitewise:DescribeDataset",
                      "iotsitewise:ListDatasets",
                      "iotevents:DescribeAlarmModel",
                      "iotevents:ListTagsForResource",
                      "iottwinmaker:ListWorkspaces",
                      "iottwinmaker:ExecuteQuery",
                      "iottwinmaker:GetWorkspace",
                      "identitystore:DescribeUser"
                  ],
                  "Resource": "*"
              }
          ]
      }'
      ```

**To attach a service role to an existing portal**

1. To retrieve the portal's existing details, run the following command. Replace *portal-id* with the ID of the portal.

   ```
   aws iotsitewise describe-portal --portal-id portal-id
   ```

   The operation returns a response that contains the portal's details in the following format.

   ```
   {
       "portalId": "a1b2c3d4-5678-90ab-cdef-aaaaaEXAMPLE",
       "portalArn": "arn:aws:iotsitewise:region:account-id:portal/a1b2c3d4-5678-90ab-cdef-aaaaaEXAMPLE",
       "portalName": "WindFarmPortal",
       "portalDescription": "A portal that contains wind farm projects for Example Corp.",
       "portalClientId": "E-1a2b3c4d5e6f_sn6tbqHVzLWVEXAMPLE",
       "portalStartUrl": "https://a1b2c3d4-5678-90ab-cdef-aaaaaEXAMPLE.app.iotsitewise.aws",
       "portalContactEmail": "support@example.com",
       "portalStatus": {
           "state": "ACTIVE"
       },
       "portalCreationDate": "2020-04-29T23:01:52.90248068Z",
       "portalLastUpdateDate": "2020-04-29T00:28:26.103548287Z",
       "roleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTSiteWiseMonitorServiceRole_1aEXAMPLE"
   }
   ```

1. To attach a service role to a portal, run the following command. Replace *role-arn* with the service role ARN, and replace the remaining parameters with the portal's existing values.

   ```
   aws iotsitewise update-portal \
     --portal-id portal-id \
     --role-arn role-arn \
     --portal-name portal-name \
     --portal-description portal-description \
     --portal-contact-email portal-contact-email
   ```
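The following is an added example, not part of the AWS documentation or the AWS CLI, that checks the two artifacts the procedure above produces before you attach the role to a portal: it verifies that the role's trust policy lets only `monitor.iotsitewise.amazonaws.com` assume the role with `sts:AssumeRole`, flags wildcard or out-of-scope actions in the permissions policy, and builds the `update-portal` call from a `describe-portal` response so the portal's existing name, description and contact email are carried over. The policy documents and the portal response are constructed samples in the same format the page shows; in practice you would paste in the output of `aws iam get-role`, `aws iam get-policy-version` and `aws iotsitewise describe-portal`. The function names are this example's own.

```python
"""Offline checks for a SiteWise Monitor portal service role (added example)."""
import json
import shlex

# Service principal that SiteWise Monitor uses to assume the portal role.
MONITOR_PRINCIPAL = "monitor.iotsitewise.amazonaws.com"
# Service namespaces that appear in the portal access policy on this page.
ALLOWED_SERVICES = {"iotsitewise", "iotevents", "iottwinmaker", "identitystore"}

# Constructed sample: the trust policy created earlier in the procedure.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "monitor.iotsitewise.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed sample: a subset of the portal access permissions policy.
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iotsitewise:DescribePortal", "iotsitewise:ListProjects",
               "iotsitewise:GetAssetPropertyValue", "iotevents:DescribeAlarmModel",
               "iottwinmaker:GetWorkspace", "identitystore:DescribeUser"],
    "Resource": "*"
  }]
}""")

# Constructed sample in the describe-portal output format shown on this page.
DESCRIBE_PORTAL = {
    "portalId": "a1b2c3d4-5678-90ab-cdef-aaaaaEXAMPLE",
    "portalName": "WindFarmPortal",
    "portalDescription": "A portal that contains wind farm projects for Example Corp.",
    "portalContactEmail": "support@example.com",
    "roleArn": "arn:aws:iam::123456789012:role/service-role/AWSIoTSiteWiseMonitorServiceRole_1aEXAMPLE",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy):
    """Return findings for a trust policy; empty means only SiteWise Monitor can assume the role."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"statement {i}: principal is wildcard")
            continue
        if not isinstance(principal, dict):
            problems.append(f"statement {i}: unexpected principal {principal!r}")
            continue
        for kind, who in principal.items():
            for p in _as_list(who):
                if kind != "Service" or p != MONITOR_PRINCIPAL:
                    problems.append(f"statement {i}: unexpected principal {kind}={p}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                problems.append(f"statement {i}: unexpected action {action}")
    return problems


def permissions_policy_problems(policy):
    """Flag wildcard actions and actions outside the services a portal needs."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service = action.partition(":")[0]
            if "*" in action:
                problems.append(f"statement {i}: wildcard action {action}")
            elif service not in ALLOWED_SERVICES:
                problems.append(f"statement {i}: action outside portal scope {action}")
    return problems


def update_portal_args(describe_response, role_arn):
    """Parameters for update-portal: new role ARN, everything else copied from the portal."""
    return {
        "portalId": describe_response["portalId"],
        "roleArn": role_arn,
        "portalName": describe_response["portalName"],
        "portalDescription": describe_response.get("portalDescription", ""),
        "portalContactEmail": describe_response["portalContactEmail"],
    }


def update_portal_cli(describe_response, role_arn):
    """Render the update-portal CLI command with every argument shell-quoted."""
    a = update_portal_args(describe_response, role_arn)
    parts = ["aws", "iotsitewise", "update-portal",
             "--portal-id", a["portalId"], "--role-arn", a["roleArn"],
             "--portal-name", a["portalName"],
             "--portal-description", a["portalDescription"],
             "--portal-contact-email", a["portalContactEmail"]]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    print("trust policy findings:", trust_policy_problems(TRUST_POLICY))
    print("permissions findings:", permissions_policy_problems(PERMISSIONS_POLICY))
    print(update_portal_cli(DESCRIBE_PORTAL, "arn:aws:iam::123456789012:role/MySiteWiseMonitorPortalRole"))
```

Run the checks against the real documents before the `update-portal` step: a trust policy that names any principal other than the SiteWise Monitor service, or a permissions policy that grants `iotsitewise:*` or actions in unrelated services, is a sign the role can be used for more than serving the portal.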

## SiteWise Monitor updates to AWSIoTSiteWiseMonitorServiceRole
<a name="monitor-role-permission-updates"></a>

The following table lists updates to **AWSIoTSiteWiseMonitorServiceRole** for SiteWise Monitor since AWS IoT SiteWise began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS IoT SiteWise Document history page.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSIoTSiteWiseMonitorPortalAccess](#monitor-service-role-permissions) – Updated policy  |  AWS IoT SiteWise updated the [AWSIoTSiteWiseMonitorPortalAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSIoTSiteWiseMonitorPortalAccess) managed policy for the alarms feature.  | May 27, 2021 | 
|  AWS IoT SiteWise started tracking changes  |  AWS IoT SiteWise started tracking changes for its service role.  | December 15, 2020 | 