Example 1: Allow a user to run an automation document and view the automation execution Example 2: Allow a user to execute a specific version of an automation document Example 3: Allow a user to execute automation documents with a specific tag Example 4: Allow a user to execute an automation document when a specific tag parameter is provided for the automation execution

Setting up identity based policies examples

The following sections provide example IAM identity-based policies for AWS Systems Manager Automation service. For more information about how to create an IAM identity-based policy using these example JSON Policy documents, see Creating IAM policies in the IAM User Guide.

Note

All examples contain fictitious account IDs. The account ID shouldn't be specified in the Amazon Resource Name (ARN) for AWS owned public documents.

Examples

Example 1: Allow a user to run an automation document and view the automation execution
Example 2: Allow a user to execute a specific version of an automation document
Example 3: Allow a user to execute automation documents with a specific tag
Example 4: Allow a user to execute an automation document when a specific tag parameter is provided for the automation execution

Example 1: Allow a user to run an automation document and view the automation execution

The following example IAM policy allows a user to do the following:

Execute the automation document specified in the policy. The name of the document is determined by the following entry.
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
Stop and send signals to an automation execution.
View details about the automation execution after it has been started.

Example 2: Allow a user to execute a specific version of an automation document

The following example IAM policy grants permissions to a user to run automation execution using a specific version of an automation document:

The name of the automation document is determined by the following entry.
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
The version of the automation document is determined by the following entry.
```
"ssm:DocumentVersion": "5"
```

Example 3: Allow a user to execute automation documents with a specific tag

The following example IAM policy allows a user to run automation execution using any automation document that has a specific tag:

The name of the automation document is determined by the following entry.
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
The tag of the automation document is determined by the following entry.
```
"ssm:DocumentVersion": "5"
```

Example 4: Allow a user to execute an automation document when a specific tag parameter is provided for the automation execution

The following example IAM policy grants permissions to a user to run automation execution using automation documents when a specific tag parameter is provided for the automation execution:

Execute the automation document specified in the policy. The name of the document is determined by the following entry.
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
Must provide a specific tag parameter for the automation execution. The tag parameter for the automation execution resource is determined by the following entry.
```
"aws:ResourceTag/stage": "production"
```
Stop and send signals to automation executions that have the specified tag.
View details about the automation executions that have the specified tag.
Add the specified tag to SSM resources.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create the service roles for Automation using the console

Allowing Automation to adapt to your concurrency needs