# Identity and access management for Amazon Lex V2
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon Lex V2 resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How Amazon Lex V2 works with IAM](security_iam_service-with-iam.md)
+ [Identity-based policy examples for Amazon Lex V2](security_iam_id-based-policy-examples.md)
+ [Resource-based policy examples for Amazon Lex V2](security_iam_resource-based-policy-examples.md)
+ [AWS managed policies for Amazon Lex V2](security-iam-awsmanpol.md)
+ [Using service-linked roles for Amazon Lex V2](using-service-linked-roles.md)
+ [Troubleshooting Amazon Lex V2 identity and access](security_iam_troubleshoot.md)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting Amazon Lex V2 identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How Amazon Lex V2 works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Identity-based policy examples for Amazon Lex V2](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### Federated identity
<a name="security_iam_authentication-federated"></a>

As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How Amazon Lex V2 works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use IAM to manage access to Amazon Lex V2, learn what IAM features are available to use with Amazon Lex V2.

**IAM features you can use with Amazon Lex V2**  

| IAM feature | Amazon Lex V2 support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |  *Yes*  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |  *Yes*  | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |  *Yes*  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |  *Yes*  | 
|  [Policy condition keys](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |  *No*  | 
|  [ACLs](#security_iam_service-with-iam-acls)  |  *No*  | 
|  [ABAC (tags in policies)](#security_iam_service-with-iam-tags)  |  *Yes*  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |  *Yes*  | 
|  [Principal permissions](#security_iam_service-with-iam-principal-permissions)  |  *Yes*  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |  *Yes*  | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |  *Partial*  | 

To get a high-level view of how Amazon Lex V2 and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Identity-based policies for Amazon Lex V2
<a name="security_iam_service-with-iam-id-based-policies"></a>

**Supports identity-based policies:** *Yes*

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Identity-based policy examples for Amazon Lex V2
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>

To view examples of Amazon Lex V2 identity-based policies, see [Identity-based policy examples for Amazon Lex V2](security_iam_id-based-policy-examples.md).

## Resource-based policies within Amazon Lex V2
<a name="security_iam_service-with-iam-resource-based-policies"></a>

**Supports resource-based policies:** *Yes*

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM role trust policies and Amazon S3 bucket policies. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include users, roles, federated users, or AWS services.

You can't use cross-Region policies with Amazon Lex V2. If you create a policy for a resource whose ARN is in a different Region, Amazon Lex V2 returns an error.

Amazon Lex V2 supports two resource-based policies, a *bot policy* and a *bot alias policy*, attached to a bot or a bot alias respectively. These policies define which principals can perform actions on that bot or bot alias.

Each action can only be used on a specific resource type. For example, the `UpdateBot` action can only be used on bot resources, and the `UpdateBotAlias` action can only be used on bot alias resources. If a policy specifies an action that can't be used on the resource the policy is attached to, Amazon Lex V2 returns an error. The following table lists the actions and the resources they can be used with.


| Action | Supports resource-based policy | Resource | 
| --- | --- | --- | 
| BuildBotLocale | Supported | BotId | 
| CreateBot | No |   | 
| CreateBotAlias | No |   | 
| CreateBotChannel [permission only] | Supported | BotId | 
| CreateBotLocale | Supported | BotId | 
| CreateBotVersion | Supported | BotId | 
| CreateExport | Supported | BotId | 
| CreateIntent | Supported | BotId | 
| CreateResourcePolicy | Supported | BotId, BotAliasId | 
| CreateSlot | Supported | BotId | 
| CreateSlotType | Supported | BotId | 
| CreateUploadUrl | No |   | 
| DeleteBot | Supported | BotId, BotAliasId | 
| DeleteBotAlias | Supported | BotAliasId | 
| DeleteBotChannel [permission only] | Supported | BotId | 
| DeleteBotLocale | Supported | BotId | 
| DeleteBotVersion | Supported | BotId | 
| DeleteExport | Supported | BotId | 
| DeleteImport | Supported | BotId | 
| DeleteIntent | Supported | BotId | 
| DeleteResourcePolicy | Supported | BotId, BotAliasId | 
| DeleteSession | Supported | BotAliasId | 
| DeleteSlot | Supported | BotId | 
| DeleteSlotType | Supported | BotId | 
| DescribeBot | Supported | BotId | 
| DescribeBotAlias | Supported | BotAliasId | 
| DescribeBotChannel [permission only] | Supported | BotId | 
| DescribeBotLocale | Supported | BotId | 
| DescribeBotVersion | Supported | BotId | 
| DescribeExport | Supported | BotId | 
| DescribeImport | Supported | BotId | 
| DescribeIntent | Supported | BotId | 
| DescribeResourcePolicy | Supported | BotId, BotAliasId | 
| DescribeSlot | Supported | BotId | 
| DescribeSlotType | Supported | BotId | 
| GetSession | Supported | BotAliasId | 
| ListBotAliases | Supported | BotId | 
| ListBotChannels [permission only] | Supported | BotId | 
| ListBotLocales | Supported | BotId | 
| ListBots | No |   | 
| ListBotVersions | Supported | BotId | 
| ListBuiltInIntents | No |   | 
| ListBuiltInSlotTypes | No |   | 
| ListExports | No |   | 
| ListImports | No |   | 
| ListIntents | Supported | BotId | 
| ListSlots | Supported | BotId | 
| ListSlotTypes | Supported | BotId | 
| PutSession | Supported | BotAliasId | 
| RecognizeText | Supported | BotAliasId | 
| RecognizeUtterance | Supported | BotAliasId | 
| StartConversation | Supported | BotAliasId | 
| StartImport | Supported | BotId, BotAliasId | 
| TagResource | No |   | 
| UpdateBot | Supported | BotId | 
| UpdateBotAlias | Supported | BotAliasId | 
| UpdateBotLocale | Supported | BotId | 
| UpdateBotVersion | Supported | BotId | 
| UpdateExport | Supported | BotId | 
| UpdateIntent | Supported | BotId | 
| UpdateResourcePolicy | Supported | BotId, BotAliasId | 
| UpdateSlot | Supported | BotId | 
| UpdateSlotType | Supported | BotId | 
| UntagResource | No |   | 

To learn how to attach a resource-based policy to a bot or bot alias, see [Resource-based policy examples for Amazon Lex V2](security_iam_resource-based-policy-examples.md).
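
As an added example (not part of this guide and not code from the Amazon Lex V2 service), the following Python pre-flight check encodes the table above and the rules stated in this section: every statement needs a `Principal`, the resource ARN must be in the Region you are calling from, and an action may only appear in a policy for the resource type it is listed for. Running it on a policy document before you pass it to `CreateResourcePolicy` or `UpdateResourcePolicy` surfaces the mistakes that would otherwise come back as a service error. The account ID, bot and alias IDs, and the role named as the principal are made up.

```python
"""Pre-flight check for an Amazon Lex V2 bot or bot alias resource-based policy.

Added example, not code from the Amazon Lex V2 documentation or service. It mirrors
the action/resource table in the guide and the rules stated there: a Principal is
required, the resource ARN must be in the caller's Region, and an action may only be
used on the resource type it is listed for. All IDs and the principal role are made up.
"""
import json
import re

# Actions allowed in a bot policy (BotId column) and a bot alias policy (BotAliasId
# column), copied from the table; actions marked "No" there are deliberately absent.
BOT_ACTIONS = set("""
    BuildBotLocale CreateBotChannel CreateBotLocale CreateBotVersion CreateExport
    CreateIntent CreateResourcePolicy CreateSlot CreateSlotType DeleteBot
    DeleteBotChannel DeleteBotLocale DeleteBotVersion DeleteExport DeleteImport
    DeleteIntent DeleteResourcePolicy DeleteSlot DeleteSlotType DescribeBot
    DescribeBotChannel DescribeBotLocale DescribeBotVersion DescribeExport
    DescribeImport DescribeIntent DescribeResourcePolicy DescribeSlot DescribeSlotType
    ListBotAliases ListBotChannels ListBotLocales ListBotVersions ListIntents
    ListSlots ListSlotTypes StartImport UpdateBot UpdateBotLocale UpdateBotVersion
    UpdateExport UpdateIntent UpdateResourcePolicy UpdateSlot UpdateSlotType
""".split())
BOT_ALIAS_ACTIONS = set("""
    CreateResourcePolicy DeleteBot DeleteBotAlias DeleteResourcePolicy DeleteSession
    DescribeBotAlias DescribeResourcePolicy GetSession PutSession RecognizeText
    RecognizeUtterance StartConversation StartImport UpdateBotAlias UpdateResourcePolicy
""".split())
ALLOWED = {"bot": BOT_ACTIONS, "bot-alias": BOT_ALIAS_ACTIONS}

# Lex V2 ARN shapes: arn:<partition>:lex:<region>:<account>:bot/<BotId>
#                    arn:<partition>:lex:<region>:<account>:bot-alias/<BotId>/<BotAliasId>
_ARN_RE = re.compile(
    r"^arn:[^:]+:lex:(?P<region>[^:]+):(?P<account>\d{12}):"
    r"(?:(?P<bot>bot)/[A-Z0-9]+|(?P<alias>bot-alias)/[A-Z0-9]+/[A-Z0-9]+)$"
)


def parse_lex_arn(arn):
    """Return (region, account, resource type) or None if this is not a Lex V2 ARN."""
    m = _ARN_RE.match(arn)
    if not m:
        return None
    return m["region"], m["account"], m["bot"] or m["alias"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_resource_policy(policy_json, resource_arn, caller_region):
    """Return a list of problems; an empty list means the document passes every check."""
    parsed = parse_lex_arn(resource_arn)
    if parsed is None:
        return [f"{resource_arn} is not a Lex V2 bot or bot alias ARN"]
    region, _account, rtype = parsed
    problems = []
    if region != caller_region:
        problems.append(f"resource ARN is in {region}; cross-Region policies are rejected")
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        where = stmt.get("Sid") or f"statement {i}"
        if "Principal" not in stmt:
            problems.append(f"{where}: a resource-based policy must name a Principal")
        for action in _as_list(stmt.get("Action", [])):
            prefix, _, name = action.partition(":")
            if prefix != "lex" or not name:
                problems.append(f"{where}: {action!r} must use the lex: prefix")
            elif "*" not in name and name not in ALLOWED[rtype]:  # wildcards are not checked
                problems.append(f"{where}: lex:{name} cannot be used on a {rtype} resource")
    return problems


REGION, ACCOUNT = "us-east-1", "123456789012"  # constructed
ALIAS_ARN = f"arn:aws:lex:{REGION}:{ACCOUNT}:bot-alias/ABCDEFGHIJ/TSTALIASID"  # constructed IDs
PRINCIPAL = {"AWS": f"arn:aws:iam::{ACCOUNT}:role/ContactCenterApp"}  # constructed role

# Lets one role hold conversations with the alias: runtime actions only.
GOOD_ALIAS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Converse", "Effect": "Allow", "Principal": PRINCIPAL,
                   "Action": ["lex:RecognizeText", "lex:RecognizeUtterance",
                              "lex:StartConversation", "lex:GetSession"],
                   "Resource": ALIAS_ARN}],
})

# Two mistakes: no Principal, and UpdateBot is a bot action, not a bot alias action.
BAD_ALIAS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Oops", "Effect": "Allow",
                   "Action": ["lex:UpdateBot", "lex:RecognizeText"],
                   "Resource": ALIAS_ARN}],
})

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ALIAS_POLICY), ("bad", BAD_ALIAS_POLICY)):
        print(label, validate_resource_policy(doc, ALIAS_ARN, REGION) or ["ok"])
```

The check is deliberately stricter than the service in one respect: it flags any action that is not in the table for the target resource type, so a bot alias policy that accidentally carries build-time actions such as `lex:UpdateBot` is caught even if the statement would otherwise be syntactically valid.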

### Resource-based policy examples within Amazon Lex V2
<a name="security_iam_service-with-iam-resource-based-policies-examples"></a>

To view examples of Amazon Lex V2 resource-based policies, see [Resource-based policy examples for Amazon Lex V2](security_iam_resource-based-policy-examples.md).

## Policy actions for Amazon Lex V2
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

**Supports policy actions:** *Yes*

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

To see a list of Amazon Lex V2 actions, see [Actions defined by Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html#amazonlexv2-actions-as-permissions) in the *Service Authorization Reference*.

Policy actions in Amazon Lex V2 use the following prefix before the action:

```
lex
```

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
    "lex:action1",
    "lex:action2"
]
```

To view examples of Amazon Lex V2 identity-based policies, see [Identity-based policy examples for Amazon Lex V2](security_iam_id-based-policy-examples.md).

## Policy resources for Amazon Lex V2
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

**Supports policy resources:** *Yes*

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

To see a list of Amazon Lex V2 resource types and their ARNs, see [Resources defined by Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html#amazonlexv2-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html#amazonlexv2-actions-as-permissions).

To view examples of Amazon Lex V2 identity-based policies, see [Identity-based policy examples for Amazon Lex V2](security_iam_id-based-policy-examples.md).

## Policy condition keys for Amazon Lex V2
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

**Supports service-specific policy condition keys:** *No*

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

To see a list of Amazon Lex V2 condition keys, see [Condition keys for Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html#amazonlexv2-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions defined by Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html#amazonlexv2-actions-as-permissions).

To view examples of Amazon Lex V2 identity-based policies, see [Identity-based policy examples for Amazon Lex V2](security_iam_id-based-policy-examples.md).

## Access control lists (ACLs) in Amazon Lex V2
<a name="security_iam_service-with-iam-acls"></a>

**Supports ACLs:** *No*

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

## Attribute-based access control (ABAC) with Amazon Lex V2
<a name="security_iam_service-with-iam-tags"></a>

**Supports ABAC (tags in policies):** *Yes*

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and AWS resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
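
The tag-based conditions described above, as an added example that is not part of this guide: a small Python model of how IAM evaluates `aws:ResourceTag/key-name`, `aws:RequestTag/key-name` and `aws:TagKeys` for Amazon Lex V2 requests. It puts a hardened identity-based policy (read access only to bots tagged `Project=payments`; creating or tagging only with that tag and an allowed key set) next to a weak variant that relies on `aws:TagKeys` alone, and shows why the weak one lets an untagged `lex:CreateBot` through: `ForAllValues` is vacuously true when the request carries no tag keys. The account ID, bot ID and tag names are constructed, and only the `StringEquals` operator is modelled.

```python
"""How aws:ResourceTag, aws:RequestTag and aws:TagKeys decide a Lex V2 request.

Added example, not code from the Amazon Lex V2 documentation or service. It models
the IAM condition semantics needed for the three tag keys (StringEquals, plus the
ForAllValues/ForAnyValue set operators) and evaluates two identity-based policies
against constructed requests. Tag names, ARNs and the account ID are made up.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_context(resource_tags, request_tags):
    """Flatten tags into the condition keys IAM places in the request context.
    aws:TagKeys is multivalued, so it stays a list, empty when nothing is tagged."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    ctx["aws:TagKeys"] = list(request_tags)
    return ctx


def condition_matches(condition, ctx):
    """AND across operators and keys, OR across the listed values (StringEquals only).
    A single-valued key missing from the context makes the condition false, while
    ForAllValues over an empty set is vacuously true: the trap demo() shows."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.partition(":") if ":" in operator else ("", "", operator)
        if base != "StringEquals":
            raise ValueError(f"{operator} is not modelled here")
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = ctx.get(key)
            if set_op == "ForAllValues":
                ok = all(v in expected for v in (actual or []))
            elif set_op == "ForAnyValue":
                ok = any(v in expected for v in (actual or []))
            else:
                ok = isinstance(actual, str) and actual in expected
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource_arn, ctx):
    """Identity-based evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


BOT_ARN = "arn:aws:lex:us-east-1:123456789012:bot/ABCDEFGHIJ"  # constructed

# Read access to bots tagged Project=payments; creating or tagging must set
# Project=payments and may use no tag key other than Project or Owner.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lex:Describe*",
     "Resource": "arn:aws:lex:*:123456789012:bot/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "payments"}}},
    {"Effect": "Allow", "Action": ["lex:CreateBot", "lex:TagResource"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestTag/Project": "payments"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["Project", "Owner"]}}},
]}

# Weak variant: gates creation on aws:TagKeys alone, which passes for an untagged request.
WEAK_CREATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lex:CreateBot", "Resource": "*",
     "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["Project", "Owner"]}}},
]}


def demo():
    """Decisions for a handful of constructed requests, keyed by what each one tries."""
    return {
        "describe tagged bot": is_allowed(HARDENED_POLICY, "lex:DescribeBot", BOT_ARN,
                                          build_context({"Project": "payments"}, {})),
        "describe other team's bot": is_allowed(HARDENED_POLICY, "lex:DescribeBot", BOT_ARN,
                                                build_context({"Project": "hr"}, {})),
        "describe untagged bot": is_allowed(HARDENED_POLICY, "lex:DescribeBot", BOT_ARN,
                                            build_context({}, {})),
        "tag with allowed keys": is_allowed(HARDENED_POLICY, "lex:TagResource", BOT_ARN,
                                            build_context({}, {"Project": "payments", "Owner": "alice"})),
        "tag with an extra key": is_allowed(HARDENED_POLICY, "lex:TagResource", BOT_ARN,
                                            build_context({}, {"Project": "payments", "CostCenter": "42"})),
        "create untagged (weak)": is_allowed(WEAK_CREATE_POLICY, "lex:CreateBot", "*",
                                             build_context({}, {})),
        "create untagged (hardened)": is_allowed(HARDENED_POLICY, "lex:CreateBot", "*",
                                                 build_context({}, {})),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:28s} {'ALLOW' if decision else 'DENY'}")
```

Pair `aws:RequestTag/key-name` with `aws:TagKeys` whenever you gate `lex:CreateBot` or `lex:TagResource`: the first forces the tag to be present, the second bounds which other keys may ride along. A statement that uses `ForAllValues:StringEquals` on `aws:TagKeys` by itself allows the request that carries no tags at all.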

## Using temporary credentials with Amazon Lex V2
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

**Supports temporary credentials:** *Yes*

Temporary credentials provide short-term access to AWS resources and are automatically created when you use federation or switch roles. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Cross-service principal permissions for Amazon Lex V2
<a name="security_iam_service-with-iam-principal-permissions"></a>

**Supports forward access sessions (FAS):** *Yes*

 Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the requesting AWS service to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). 

## Service roles for Amazon Lex V2
<a name="security_iam_service-with-iam-roles-service"></a>

**Supports service roles:** *Yes*

 A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. 

**Warning**  
Changing the permissions for a service role might break Amazon Lex V2 functionality. Edit service roles only when Amazon Lex V2 provides guidance to do so.

## Service-linked roles for Amazon Lex V2
<a name="security_iam_service-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** *Partial*

 A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. 

For details about creating or managing service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Find a service in the table that includes a `Yes` in the **Service-linked role** column. Choose the **Yes** link to view the service-linked role documentation for that service.

# Identity-based policy examples for Amazon Lex V2
<a name="security_iam_id-based-policy-examples"></a>

By default, users and roles don't have permission to create or modify Amazon Lex V2 resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

For details about actions and resource types defined by Amazon Lex V2, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html) in the *Service Authorization Reference*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Using the Amazon Lex V2 console](#security_iam_id-based-policy-examples-console)
+ [Allow users to add functions to a bot](#security_iam-bot-role)
+ [Allow users to add channels to a bot](#security_iam-channel-role)
+ [Allow users to create and update bots](#security_iam-bot-create-update)
+ [Allow users to use the Automated Chatbot Designer](#security_iam-bot-designer)
+ [Allow users to use an AWS KMS key to encrypt and decrypt files](#security_iam-bot-key)
+ [Allow users to delete bots](#security_iam-bot-delete)
+ [Allow users to have a conversation with a bot](#security_iam-bot-conversation)
+ [Allow a specific user to manage resource-based policies](#security_iam_id-based-policy-examples-allow-resource)
+ [Allow a user to export bots and bot locales](#security_iam_id-based-policy-examples-export)
+ [Allow a user to export a custom vocabulary](#security_iam_id-based-policy-examples-import-vocab)
+ [Allow a user to import bots and bot locales](#security_iam_id-based-policy-examples-import)
+ [Allow a user to import a custom vocabulary](#secruity_iam_id-based-policy-examples-import-vocab)
+ [Allow a user to migrate a bot from Amazon Lex to Amazon Lex V2](#security_iam_id-based-policy-examples-migrate)
+ [Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Allow a user to draw conversation flow with visual conversation builder in Amazon Lex V2](#security_iam_allow-draw-conversation-flow)
+ [Allow users to create and view bot replicas, but not to delete them](#security_iam_id-based-policy-examples-gr-permissions)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Amazon Lex V2 resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [ AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [ AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Using the Amazon Lex V2 console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the Amazon Lex V2 console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Amazon Lex V2 resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that users and roles can still use the Amazon Lex V2 console, users need to have Console access. For more information about creating a user with Console access, see [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) in the *IAM User Guide*.

## Allow users to add functions to a bot
<a name="security_iam-bot-role"></a>

This example shows a policy that allows IAM users to add Amazon Comprehend sentiment analysis and Amazon Kendra query permissions to an Amazon Lex V2 bot.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Id1",
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*"
        },
        {
            "Sid": "Id2",
            "Effect": "Allow",
            "Action": "iam:GetRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*"
        }
    ]
}
```

------

## Allow users to add channels to a bot
<a name="security_iam-channel-role"></a>

This example is a policy that allows IAM users to add a messaging channel to a bot. A user must have this policy in place before they can deploy a bot on a messaging platform.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Id1",
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
        },
        {
            "Sid": "Id2",
            "Effect": "Allow",
            "Action": "iam:GetRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
        }
    ]
}
```

------

## Allow users to create and update bots
<a name="security_iam-bot-create-update"></a>

This example policy allows IAM users to create and update any bot. The policy includes permissions to complete this action on the console or using the AWS CLI or AWS API.

## Allow users to use the Automated Chatbot Designer
<a name="security_iam-bot-designer"></a>

This example policy allows IAM users to run the Automated Chatbot Designer.

## Allow users to use an AWS KMS key to encrypt and decrypt files
<a name="security_iam-bot-key"></a>

This example policy allows IAM users to use an AWS KMS customer managed key to encrypt and decrypt data.

## Allow users to delete bots
<a name="security_iam-bot-delete"></a>

This example policy allows IAM users to delete any bot. The policy includes permissions to complete this action on the console or using the AWS CLI or AWS API.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lex:DeleteBot",
                "lex:DeleteBotLocale",
                "lex:DeleteBotAlias",
                "lex:DeleteIntent",
                "lex:DeleteSlot",
                "lex:DeleteSlotType"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:lex:us-east-1:123412341234:bot/*",
                "arn:aws:lex:us-east-1:123412341234:bot-alias/*"
            ]
        }
    ]
}
```

------

## Allow users to have a conversation with a bot
<a name="security_iam-bot-conversation"></a>

This example policy allows IAM users to have a conversation with any bot. The policy includes permissions to complete this action on the console or using the AWS CLI or AWS API.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lex:StartConversation",
                "lex:RecognizeText",
                "lex:RecognizeUtterance",
                "lex:GetSession",
                "lex:PutSession",
                "lex:DeleteSession"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:lex:us-east-1:123412341234:bot-alias/*"
        }
    ]
}
```

------

## Allow a specific user to manage resource-based policies
<a name="security_iam_id-based-policy-examples-allow-resource"></a>

The following example grants permission for a specific user to manage the resource-based policies. It allows console and API access to the policies associated with bots and bot aliases.

## Allow a user to export bots and bot locales
<a name="security_iam_id-based-policy-examples-export"></a>

The following IAM permission policy enables a user to create, update, and get an export for a bot or bot locale.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lex:CreateExport",
                "lex:UpdateExport",
                "lex:DescribeExport",
                "lex:DescribeBot",
                "lex:DescribeBotLocale",
                "lex:ListBotLocales",
                "lex:DescribeIntent",
                "lex:ListIntents",
                "lex:DescribeSlotType",
                "lex:ListSlotTypes",
                "lex:DescribeSlot",
                "lex:ListSlots",
                "lex:DescribeCustomVocabulary"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:lex:us-east-1:123456789012:bot/*"
            ]
        }
    ]
}
```

------

## Allow a user to export a custom vocabulary
<a name="security_iam_id-based-policy-examples-import-vocab"></a>

The following IAM permission policy allows a user to export a custom vocabulary from a bot locale.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lex:CreateExport",
                "lex:UpdateExport",
                "lex:DescribeExport",
                "lex:DescribeCustomVocabulary"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:lex:us-east-1:123456789012:bot/*"
            ]
        }
    ]
}
```

------

## Allow a user to import bots and bot locales
<a name="security_iam_id-based-policy-examples-import"></a>

The following IAM permission policy allows a user to import a bot or bot locale and to check the status of an import.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lex:CreateUploadUrl",
                "lex:StartImport",
                "lex:DescribeImport",
                "lex:CreateBot",
                "lex:UpdateBot",
                "lex:DeleteBot",
                "lex:CreateBotLocale",
                "lex:UpdateBotLocale",
                "lex:DeleteBotLocale",
                "lex:CreateIntent",
                "lex:UpdateIntent",
                "lex:DeleteIntent",
                "lex:CreateSlotType",
                "lex:UpdateSlotType",
                "lex:DeleteSlotType",
                "lex:CreateSlot",
                "lex:UpdateSlot",
                "lex:DeleteSlot",
                "lex:CreateCustomVocabulary",
                "lex:UpdateCustomVocabulary",
                "lex:DeleteCustomVocabulary",
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:lex:us-east-1:123456789012:bot/*",
                "arn:aws:lex:us-east-1:123456789012:bot-alias/*"
            ]
        }
    ]
}
```

------

## Allow a user to import a custom vocabulary
<a name="secruity_iam_id-based-policy-examples-import-vocab"></a>

The following IAM permission policy allows a user to import a custom vocabulary to a bot locale.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lex:CreateUploadUrl",
                "lex:StartImport",
                "lex:DescribeImport",
                "lex:CreateCustomVocabulary",
                "lex:UpdateCustomVocabulary",
                "lex:DeleteCustomVocabulary"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:lex:us-east-1:123456789012:bot/*"
            ]
        }
    ]
}
```

------

## Allow a user to migrate a bot from Amazon Lex to Amazon Lex V2
<a name="security_iam_id-based-policy-examples-migrate"></a>

The following IAM permission policy allows a user to start migrating a bot from Amazon Lex to Amazon Lex V2.

## Allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Allow a user to draw a conversation flow with the visual conversation builder in Amazon Lex V2
<a name="security_iam_allow-draw-conversation-flow"></a>

The following IAM permission policy allows a user to draw a conversation flow with the visual conversation builder in Amazon Lex V2.

## Allow users to create and view bot replicas, but not to delete them
<a name="security_iam_id-based-policy-examples-gr-permissions"></a>

You can attach the following permissions to an IAM role to allow it to only create and view bot replicas. By omitting `lex:DeleteBotReplica`, you prevent the role from deleting bot replicas. For more information, see [Permissions to replicate bots and manage bot replicas in Lex V2](gr-permissions.md).

# Resource-based policy examples for Amazon Lex V2
<a name="security_iam_resource-based-policy-examples"></a>

A *resource-based policy* is attached to a resource, such as a bot or a bot alias. With a resource-based policy you can specify who has access to the resource and the actions that they can perform on it. For example, you can add resource-based policies that enable a user to modify a specific bot, or to allow a user to use runtime operations on a specific bot alias.

When you use a resource-based policy you can allow other AWS services to access resources in your account. For example, you can allow Amazon Connect to access an Amazon Lex V2 bot.

To learn how to create a bot or bot alias, see [Working with Amazon Lex V2 bots](building-bots.md).

**Topics**
+ [Use the console to specify a resource-based policy](#security_iam_resource-based-policy-examples-console)
+ [Use the API to specify a resource-based policy](#security_iam_resource-based-policy-examples-api)
+ [Allow an IAM role to update a bot and list bot aliases](#security_iam_resource-based-policy-examples-allow-lex-models)
+ [Allow a user to have a conversation with a bot](#security_iam_resource-based-policy-examples-allow-lex-runtime)
+ [Allow an AWS service to use a specific Amazon Lex V2 bot](#security_iam_resource-based-policy-examples-allow-lex-connect)

## Use the console to specify a resource-based policy
<a name="security_iam_resource-based-policy-examples-console"></a>

You can use the Amazon Lex V2 console to manage the resource-based policies for your bots and bot aliases. You enter the JSON structure of a policy and the console associates it with the resource. If there is a policy already associated with a resource, you can use the console to view and modify the policy.

When you save a policy with the policy editor, the console checks the syntax of the policy. If the policy contains errors, such as a non-existent user or an action that is not supported by the resource, it returns an error and doesn't save the policy. 

The following shows the resource-based policy editor for a bot in the console. The policy editor for a bot alias is similar.

![Resource-based policy editor for a bot in the Amazon Lex V2 console](http://docs.aws.amazon.com/lexv2/latest/dg/images/resource-policy-editor.png)


**To open the policy editor for a bot**

1. Sign in to the AWS Management Console and open the Amazon Lex console at [https://console.aws.amazon.com/lex/](https://console.aws.amazon.com/lex/).

1. From the **Bots** list, choose the bot whose policy you want to edit.

1. In the **Resource-based policy** section, choose **Edit**.

**To open the policy editor for a bot alias**

1. Sign in to the AWS Management Console and open the Amazon Lex console at [https://console.aws.amazon.com/lex/](https://console.aws.amazon.com/lex/).

1. From the **Bots** list, choose the bot that contains the alias that you want to edit.

1. From the left menu, choose **Aliases**, then choose the alias to edit.

1. In the **Resource-based policy** section, choose **Edit**.

## Use the API to specify a resource-based policy
<a name="security_iam_resource-based-policy-examples-api"></a>

You can use API operations to manage the resource-based policies for your bots and bot aliases. There are operations to create, describe, update, and delete policies, and to add or remove individual policy statements.

[CreateResourcePolicy](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_CreateResourcePolicy.html)  
Adds a new resource policy with the specified policy statements to a bot or bot alias.

[CreateResourcePolicyStatement](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_CreateResourcePolicyStatement.html)  
Adds a new resource policy statement to a bot or bot alias.

[DeleteResourcePolicy](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_DeleteResourcePolicy.html)  
Removes a resource policy from a bot or bot alias.

[DeleteResourcePolicyStatement](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_DeleteResourcePolicyStatement.html)  
Removes a resource policy statement from a bot or bot alias.

[DescribeResourcePolicy](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_DescribeResourcePolicy.html)  
Gets a resource policy and the policy revision.

[UpdateResourcePolicy](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_UpdateResourcePolicy.html)  
Replaces the existing resource policy for a bot or bot alias with a new one.

### Examples
<a name="collapsible-api-example"></a>

------
#### [ Java ]

The following example shows how to use the resource-based policy operations to manage a resource-based policy.

```
import software.amazon.awssdk.services.lexmodelsv2.LexModelsV2Client;
import software.amazon.awssdk.services.lexmodelsv2.model.CreateResourcePolicyRequest;
import software.amazon.awssdk.services.lexmodelsv2.model.CreateResourcePolicyStatementRequest;
import software.amazon.awssdk.services.lexmodelsv2.model.DeleteResourcePolicyRequest;
import software.amazon.awssdk.services.lexmodelsv2.model.DeleteResourcePolicyStatementRequest;
import software.amazon.awssdk.services.lexmodelsv2.model.DescribeResourcePolicyRequest;
import software.amazon.awssdk.services.lexmodelsv2.model.Principal;
import software.amazon.awssdk.services.lexmodelsv2.model.UpdateResourcePolicyRequest;

public class ResourcePolicyExample {
    public static void main(String[] args) {
        // The client takes its Region and credentials from the default provider chains.
        LexModelsV2Client lexmodelsv2Client = LexModelsV2Client.create();

        /*
         * Create a new policy for the specified bot alias
         * that allows a role to invoke lex:UpdateBotAlias on it.
         * The created policy will have revision id 1.
         */
        CreateResourcePolicyRequest createPolicyRequest =
                CreateResourcePolicyRequest.builder()
                        .resourceArn("arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID")
                        .policy("{\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"BotAliasEditor\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::123456789012:role/BotAliasEditor\"},\"Action\": [\"lex:UpdateBotAlias\"],\"Resource\":[\"arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID\"]}]}")
                        .build();

        lexmodelsv2Client.createResourcePolicy(createPolicyRequest);

        /*
         * Overwrite the policy for the specified bot alias with a new policy.
         * Since no expectedRevisionId is provided, this request overwrites the current revision.
         * After this update, the revision id for the policy is 2.
         */
        UpdateResourcePolicyRequest updatePolicyRequest =
                UpdateResourcePolicyRequest.builder()
                        .resourceArn("arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID")
                        .policy("{\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"BotAliasEditor\",\"Effect\": \"Deny\",\"Principal\": {\"AWS\": \"arn:aws:iam::123456789012:role/BotAliasEditor\"},\"Action\": [\"lex:UpdateBotAlias\"],\"Resource\":[\"arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID\"]}]}")
                        .build();

        lexmodelsv2Client.updateResourcePolicy(updatePolicyRequest);

        /*
         * Creates a statement in an existing policy for the specified bot alias
         * that allows a role to invoke lex:RecognizeText on it.
         * This request expects to update revision 2 of the policy. The request will fail
         * if the current revision of the policy is no longer revision 2.
         * After this request, the revision id for this policy will be 3.
         */
        CreateResourcePolicyStatementRequest createStatementRequest =
                CreateResourcePolicyStatementRequest.builder()
                        .resourceArn("arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID")
                        .effect("Allow")
                        .principal(Principal.builder().arn("arn:aws:iam::123456789012:role/BotRunner").build())
                        .action("lex:RecognizeText")
                        .statementId("BotRunnerStatement")
                        .expectedRevisionId("2") // revision ids are strings in the API
                        .build();

        lexmodelsv2Client.createResourcePolicyStatement(createStatementRequest);

        /*
         * Deletes a statement from an existing policy for the specified bot alias by statementId.
         * Since no expectedRevisionId is supplied, the request will remove the statement from
         * the current revision of the policy for the bot alias.
         * After this request, the revision id for this policy will be 4.
         */
        DeleteResourcePolicyStatementRequest deleteStatementRequest =
                DeleteResourcePolicyStatementRequest.builder()
                        .resourceArn("arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID")
                        .statementId("BotRunnerStatement")
                        .build();

        lexmodelsv2Client.deleteResourcePolicyStatement(deleteStatementRequest);

        /*
         * Describe the current policy for the specified bot alias.
         * It always returns the current revision.
         */
        DescribeResourcePolicyRequest describePolicyRequest =
                DescribeResourcePolicyRequest.builder()
                        .resourceArn("arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID")
                        .build();

        lexmodelsv2Client.describeResourcePolicy(describePolicyRequest);

        /*
         * Delete the current policy for the specified bot alias.
         * This request expects to delete revision 3 of the policy. Since the revision id for
         * this policy is already at 4, this request will fail.
         */
        DeleteResourcePolicyRequest deletePolicyRequest =
                DeleteResourcePolicyRequest.builder()
                        .resourceArn("arn:aws:lex:Region:123456789012:bot-alias/MYBOTALIAS/TSTALIASID")
                        .expectedRevisionId("3")
                        .build();

        lexmodelsv2Client.deleteResourcePolicy(deletePolicyRequest);
    }
}
```

------

## Allow an IAM role to update a bot and list bot aliases
<a name="security_iam_resource-based-policy-examples-allow-lex-models"></a>

The following example grants permissions for a specific IAM role to call Amazon Lex V2 model building API operations to modify an existing bot. The role can list the aliases for the bot and update the bot, but can't delete the bot or its aliases.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "botBuilders",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/BotBuilder"
            },
            "Action": [
                "lex:ListBotAliases",
                "lex:UpdateBot"
            ],
            "Resource": [
                "arn:aws:lex:us-east-1:123456789012:bot/MYBOT"
            ]
        }
    ]
}
```

------

## Allow a user to have a conversation with a bot
<a name="security_iam_resource-based-policy-examples-allow-lex-runtime"></a>

The following example grants permission for a specific user to call Amazon Lex V2 runtime API operations on a single alias of a bot.

The user is specifically denied permission to update or delete the bot alias.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "botRunners",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/botRunner"
            },
            "Action": [
                "lex:RecognizeText",
                "lex:RecognizeUtterance",
                "lex:StartConversation",
                "lex:DeleteSession",
                "lex:GetSession",
                "lex:PutSession"
            ],
            "Resource": [
                "arn:aws:lex:us-east-1:123456789012:bot-alias/MYBOT/MYBOTALIAS"
            ]
        },
        {
            "Sid": "botRunnersDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/botRunner"
            },
            "Action": [
                "lex:UpdateBotAlias",
                "lex:DeleteBotAlias"
            ],
            "Resource": [
                "arn:aws:lex:us-east-1:123456789012:bot-alias/MYBOT/MYBOTALIAS"
            ]
        }
    ]
}
```

------

## Allow an AWS service to use a specific Amazon Lex V2 bot
<a name="security_iam_resource-based-policy-examples-allow-lex-connect"></a>

The following example grants permission for AWS Lambda and Amazon Connect to call Amazon Lex V2 runtime API operations.

The condition block is required for service principals, and must use the global context keys `AWS:SourceAccount` and `AWS:SourceArn`. 

The `AWS:SourceAccount` is the account ID that is calling the Amazon Lex V2 bot.

The `AWS:SourceArn` is the resource ARN of the Amazon Connect service instance or Lambda function that the call to the Amazon Lex V2 bot alias originates from.
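As an added check (not from the AWS documentation), the following Python linter walks a bot-alias resource-based policy and reports any Allow statement that grants a service principal access without both of the `AWS:SourceAccount` and `AWS:SourceArn` condition keys described above. The sample policy is constructed for this example; the Connect instance ID in it is a placeholder, and the service principal names `connect.amazonaws.com` and `lambda.amazonaws.com` are assumed.

```python
import json

# Constructed sample policy for a bot alias (not from the AWS docs).
# Statement 1 carries the required condition block; statement 2 omits it
# and is what the check below must flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConnectCanRunBot",
            "Effect": "Allow",
            "Principal": {"Service": "connect.amazonaws.com"},
            "Action": ["lex:RecognizeText", "lex:RecognizeUtterance", "lex:StartConversation"],
            "Resource": "arn:aws:lex:us-east-1:123456789012:bot-alias/MYBOT/MYBOTALIAS",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "123456789012"},
                # placeholder instance ID, not a real Connect instance
                "ArnEquals": {"AWS:SourceArn": "arn:aws:connect:us-east-1:123456789012:instance/EXAMPLE-INSTANCE-ID"},
            },
        },
        {
            "Sid": "LambdaCanRunBot",
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "lex:RecognizeText",
            "Resource": "arn:aws:lex:us-east-1:123456789012:bot-alias/MYBOT/MYBOTALIAS",
        },
    ],
})

# Condition keys compare case-insensitively, so everything is lower-cased.
REQUIRED_KEYS = ("aws:sourceaccount", "aws:sourcearn")


def _as_list(value):
    """IAM allows a single string or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(principal):
    """Return the service principals named in a statement's Principal element."""
    if not isinstance(principal, dict):
        # "*" or a bare string: not a service principal, so out of scope here
        return []
    return [str(s) for s in _as_list(principal.get("Service"))]


def _condition_keys(condition):
    """Collect every condition key across all operators, lower-cased."""
    keys = set()
    for operator_values in (condition or {}).values():
        if isinstance(operator_values, dict):
            keys.update(k.lower() for k in operator_values)
    return keys


def check_service_principal_conditions(policy_json: str) -> list[str]:
    """Return one finding per Allow statement that grants a service principal
    access without both aws:SourceAccount and aws:SourceArn conditions."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        services = _service_principals(stmt.get("Principal"))
        if not services:
            continue
        present = _condition_keys(stmt.get("Condition"))
        missing = [k for k in REQUIRED_KEYS if k not in present]
        if missing:
            findings.append(
                f"{stmt.get('Sid', '<no Sid>')}: service principal(s) {', '.join(services)} "
                f"allowed without condition key(s) {', '.join(missing)}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_service_principal_conditions(SAMPLE_POLICY):
        print(finding)
```

The check only covers `Service` principals; statements with account, role, or user principals pass through untouched.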

# AWS managed policies for Amazon Lex V2
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AmazonLexReadOnly
<a name="security-iam-awsmanpol-AmazonLexReadOnly"></a>

You can attach the `AmazonLexReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow users to view all actions in the Amazon Lex V2 and Amazon Lex model building service.

**Permissions details**

This policy includes the following permissions:
+ `lex` – Read-only access to Amazon Lex V2 and Amazon Lex resources in the model building service.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonLexReadOnlyStatement1",
            "Effect": "Allow",
            "Action": [
                "lex:GetBot",
                "lex:GetBotAlias",
                "lex:GetBotAliases",
                "lex:GetBots",
                "lex:GetBotChannelAssociation",
                "lex:GetBotChannelAssociations",
                "lex:GetBotVersions",
                "lex:GetBuiltinIntent",
                "lex:GetBuiltinIntents",
                "lex:GetBuiltinSlotTypes",
                "lex:GetIntent",
                "lex:GetIntents",
                "lex:GetIntentVersions",
                "lex:GetSlotType",
                "lex:GetSlotTypes",
                "lex:GetSlotTypeVersions",
                "lex:GetUtterancesView",
                "lex:DescribeBot",
                "lex:DescribeBotAlias",
                "lex:DescribeBotChannel",
                "lex:DescribeBotLocale",
                "lex:DescribeBotRecommendation",
                "lex:DescribeBotReplica",
                "lex:DescribeBotVersion",
                "lex:DescribeExport",
                "lex:DescribeImport",
                "lex:DescribeIntent",
                "lex:DescribeResourcePolicy",
                "lex:DescribeSlot",
                "lex:DescribeSlotType",
                "lex:ListBots",
                "lex:ListBotLocales",
                "lex:ListBotAliases",
                "lex:ListBotAliasReplicas",
                "lex:ListBotChannels",
                "lex:ListBotRecommendations",
                "lex:ListBotReplicas",
                "lex:ListBotVersions",
                "lex:ListBotVersionReplicas",
                "lex:ListBuiltInIntents",
                "lex:ListBuiltInSlotTypes",
                "lex:ListExports",
                "lex:ListImports",
                "lex:ListIntents",
                "lex:ListRecommendedIntents",
                "lex:ListSlots",
                "lex:ListSlotTypes",
                "lex:ListTagsForResource",
                "lex:SearchAssociatedTranscripts",
                "lex:ListCustomVocabularyItems"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonLexRunBotsOnly
<a name="security-iam-awsmanpol-AmazonLexRunBotsOnly"></a>

You can attach the `AmazonLexRunBotsOnly` policy to your IAM identities.

This policy grants read-only permissions that allow access to run Amazon Lex V2 and Amazon Lex conversational bots.

**Permissions details**

This policy includes the following permissions:
+ `lex` – Read-only access to all actions in the Amazon Lex V2 and Amazon Lex runtime.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lex:PostContent",
                "lex:PostText",
                "lex:PutSession",
                "lex:GetSession",
                "lex:DeleteSession",
                "lex:RecognizeText",
                "lex:RecognizeUtterance",
                "lex:StartConversation"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonLexFullAccess
<a name="security-iam-awsmanpol-AmazonLexFullAccess"></a>

You can attach the `AmazonLexFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow the user permission to create, read, update, and delete Amazon Lex V2 and Amazon Lex resources; and to run Amazon Lex V2 and Amazon Lex conversational bots.

**Permissions details**

This policy includes the following permissions:
+ `lex` – Allows principals read and write access to all actions in the Amazon Lex V2 and Amazon Lex model building and runtime services.
+ `cloudwatch` – Allows principals to view Amazon CloudWatch metrics and alarms.
+ `iam` – Allows principals to create and delete service-linked roles, pass roles, and attach and detach policies to a role. The permissions are restricted to "lex.amazonaws.com" for Amazon Lex operations and to "lexv2.amazonaws.com" for Amazon Lex V2 operations.
+ `kendra` – Allows principals to list Amazon Kendra indexes.
+ `kms` – Allows principals to describe AWS KMS keys and aliases.
+ `lambda` – Allows principals to list AWS Lambda functions and manage permissions attached to any Lambda function.
+ `polly` – Allows principals to describe Amazon Polly voices and synthesize speech.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonLexFullAccessStatement1",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "kms:DescribeKey",
                "kms:ListAliases",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "lambda:ListAliases",
                "lambda:ListVersionsByFunction",
                "lex:*",
                "polly:DescribeVoices",
                "polly:SynthesizeSpeech",
                "kendra:ListIndices",
                "iam:ListRoles",
                "s3:ListAllMyBuckets",
                "logs:DescribeLogGroups",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AmazonLexFullAccessStatement2",
            "Effect": "Allow",
            "Action": [
                "bedrock:ListFoundationModels"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel"
            ],
            "Resource": "arn:aws:bedrock:*::foundation-model/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:RemovePermission"
            ],
            "Resource": "arn:aws:lambda:*:*:function:AmazonLex*",
            "Condition": {
                "StringEquals": {
                    "lambda:Principal": "lex.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement3",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots",
                "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels",
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*",
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*",
                "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
            ]
        },
        {
            "Sid": "AmazonLexFullAccessStatement4",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "lex.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement5",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "channels.lex.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement6",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "lexv2.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement7",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "channels.lexv2.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement8",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "replication.lexv2.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement9",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots",
                "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels",
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*",
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*",
                "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
            ]
        },
        {
            "Sid": "AmazonLexFullAccessStatement10",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lex.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement11",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lexv2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement12",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "channels.lexv2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "AmazonLexFullAccessStatement13",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lexv2.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------
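
Before attaching a managed policy this broad (`lex:*` on every resource, plus `iam:PassRole`), a practitioner usually checks exactly which actions it grants on `Resource: "*"` and that every `iam:PassRole` grant is scoped by `iam:PassedToService`. The following Python script is an added example and is not part of the Amazon Lex V2 documentation or of any AWS tool. It runs those checks on a constructed excerpt of the AmazonLexFullAccess statements shown above, plus one hypothetical unscoped `iam:PassRole` statement (not in the managed policy) so that the PassRole check has something to flag; point it at the `Document` returned by `aws iam get-policy-version` to audit the full policy.

```python
"""Audit an IAM identity policy for broad grants before attaching it.

Added example, not part of the Amazon Lex V2 documentation or of any AWS
tooling. POLICY_EXCERPT is a constructed subset of the AmazonLexFullAccess
statements plus one hypothetical weak statement for the PassRole check.
"""
import json

POLICY_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AmazonLexFullAccessStatement1", "Effect": "Allow",
         "Action": ["lex:*", "lambda:ListFunctions", "iam:ListRoles"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["lambda:AddPermission", "lambda:RemovePermission"],
         "Resource": "arn:aws:lambda:*:*:function:AmazonLex*",
         "Condition": {"StringEquals": {"lambda:Principal": "lex.amazonaws.com"}}},
        {"Sid": "AmazonLexFullAccessStatement13", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"],
         "Condition": {"StringEquals": {"iam:PassedToService": ["lexv2.amazonaws.com"]}}},
        # Constructed weak statement (NOT in the managed policy): PassRole on
        # any role, to any service. Included so the check below has a hit.
        {"Sid": "HypotheticalUnscopedPassRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return _as_list(doc.get("Statement"))


def wildcard_grants(policy):
    """(Sid, action) pairs where an Allow statement grants `*` or `svc:*`."""
    hits = []
    for st in _statements(policy):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                hits.append((st.get("Sid", "<no Sid>"), action))
    return hits


def actions_on_any_resource(policy):
    """Sorted set of actions that some Allow statement grants on Resource "*"."""
    actions = set()
    for st in _statements(policy):
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource")):
            actions.update(_as_list(st.get("Action")))
    return sorted(actions)


def unscoped_pass_role(policy):
    """Sids of iam:PassRole grants that lack an iam:PassedToService condition.

    Without that key the principal may hand any role matched by Resource to
    any service that accepts a passed role, a classic escalation path.
    """
    findings = []
    for st in _statements(policy):
        if st.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(st.get("Action")):
            continue
        cond = st.get("Condition", {})
        if not any("iam:PassedToService" in keys for keys in cond.values()):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def resource_scoped_conditions(policy, action):
    """Sid -> (resources, condition keys) for each Allow statement granting `action`.

    Shows the double scoping of the Lambda grant: function-name pattern in
    Resource plus the lambda:Principal condition key.
    """
    out = {}
    for st in _statements(policy):
        if st.get("Effect") == "Allow" and action in _as_list(st.get("Action")):
            keys = sorted(k for block in st.get("Condition", {}).values() for k in block)
            out[st.get("Sid", "<no Sid>")] = (_as_list(st.get("Resource")), keys)
    return out


if __name__ == "__main__":
    print("wildcard actions:", wildcard_grants(POLICY_EXCERPT))
    print("granted on Resource *:", actions_on_any_resource(POLICY_EXCERPT))
    print("unscoped PassRole:", unscoped_pass_role(POLICY_EXCERPT))
    print("lambda:AddPermission scoping:",
          resource_scoped_conditions(POLICY_EXCERPT, "lambda:AddPermission"))
```

The same checks apply to customer managed policies you write for Amazon Lex V2 users: `lex:*` on `*` is acceptable for a bot developer in a sandbox account, but a PassRole grant without `iam:PassedToService` is not, because it lets the principal attach any matching role to any service that accepts a passed role.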

## AWS managed policy: AmazonLexReplicationPolicy
<a name="security-iam-awsmanpol-AmazonLexReplicationPolicy"></a>



You can't attach `AmazonLexReplicationPolicy` to your IAM entities. This policy is attached to a service-linked role that allows Amazon Lex V2 to perform actions on your behalf. For more information, see [Using service-linked roles for Amazon Lex V2](using-service-linked-roles.md).



This policy grants the permissions that Amazon Lex V2 needs to replicate your bot resources across Regions on your behalf, including bots, locales, versions, aliases, intents, slot types, slots, and custom vocabularies. Because it is attached to the service-linked role, you do not attach it yourself.



**Permissions details**

This policy includes the following permissions.




+ `lex` – Allows principals to replicate resources in other Regions.
+ `iam` – Allows principals to pass roles from IAM. This is required so that Amazon Lex V2 has permissions to replicate resources in other Regions.



------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReplicationPolicyStatement1",
            "Effect": "Allow",
            "Action": [
                "lex:BuildBotLocale",
                "lex:ListBotLocales",
                "lex:CreateBotAlias",
                "lex:UpdateBotAlias",
                "lex:DeleteBotAlias",
                "lex:DescribeBotAlias",
                "lex:CreateBotVersion",
                "lex:DeleteBotVersion",
                "lex:DescribeBotVersion",
                "lex:CreateExport",
                "lex:DescribeBot",
                "lex:UpdateExport",
                "lex:DescribeExport",
                "lex:DescribeBotLocale",
                "lex:DescribeIntent",
                "lex:ListIntents",
                "lex:DescribeSlotType",
                "lex:ListSlotTypes",
                "lex:DescribeSlot",
                "lex:ListSlots",
                "lex:DescribeCustomVocabulary",
                "lex:StartImport",
                "lex:DescribeImport",
                "lex:CreateBot",
                "lex:UpdateBot",
                "lex:DeleteBot",
                "lex:CreateBotLocale",
                "lex:UpdateBotLocale",
                "lex:DeleteBotLocale",
                "lex:CreateIntent",
                "lex:UpdateIntent",
                "lex:DeleteIntent",
                "lex:CreateSlotType",
                "lex:UpdateSlotType",
                "lex:DeleteSlotType",
                "lex:CreateSlot",
                "lex:UpdateSlot",
                "lex:DeleteSlot",
                "lex:CreateCustomVocabulary",
                "lex:UpdateCustomVocabulary",
                "lex:DeleteCustomVocabulary",
                "lex:DeleteBotChannel",
                "lex:ListTagsForResource",
                "lex:TagResource",
                "lex:UntagResource",
                "lex:CreateResourcePolicy",
                "lex:DeleteResourcePolicy",
                "lex:DescribeResourcePolicy",
                "lex:UpdateResourcePolicy"
            ],
            "Resource": [
                "arn:aws:lex:*:*:bot/*",
                "arn:aws:lex:*:*:bot-alias/*"
            ]
        },
        {
            "Sid": "ReplicationPolicyStatement2",
            "Effect": "Allow",
            "Action": [
                "lex:CreateUploadUrl",
                "lex:ListBots"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ReplicationPolicyStatement3",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "lexv2.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## AWS managed policy: AmazonLexV2BedrockAgentPolicy
<a name="security-iam-awsmanpol-AmazonLexV2BedrockAgentPolicy"></a>

Amazon Lex V2 policy for Amazon Bedrock agents.

The JSON shown for this policy is the trust policy of the role it is attached to. It allows the `lexv2.amazonaws.com` service principal to assume the role, and the `aws:SourceAccount` condition limits that to requests made on behalf of your own account, which protects against the confused deputy problem. Replace `{accountId}` with your 12-digit AWS account ID; if the placeholder is left in place the condition never matches and the role cannot be assumed.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "LexV2TrustPolicy",
      "Principal": {
        "Service": "lexv2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{accountId}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonLexV2BedrockKnowledgeBasePolicy
<a name="security-iam-awsmanpol-AmazonLexV2BedrockKnowledgeBasePolicy"></a>

Amazon Lex V2 policy for Amazon Bedrock knowledge bases.

The JSON shown for this policy is the trust policy of the role it is attached to. It allows the `lexv2.amazonaws.com` service principal to assume the role, scoped to your account by the `aws:SourceAccount` condition. Replace `{accountId}` with your 12-digit AWS account ID.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "LexV2TrustPolicy",
      "Principal": {
        "Service": "lexv2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{accountId}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonLexV2BedrockAgentPolicyInternal
<a name="security-iam-awsmanpol-AmazonLexV2BedrockAgentPolicyInternal"></a>

Amazon Lex V2 internal policy for Amazon Bedrock agents.

The JSON shown for this policy is the trust policy of the role it is attached to. It allows the internal `lexv2.aws.internal` service principal to assume the role, scoped to your account by the `aws:SourceAccount` condition. Replace `{accountId}` with your 12-digit AWS account ID.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "LexV2InternalTrustPolicy",
      "Principal": {
        "Service": "lexv2.aws.internal"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{accountId}"
        }
      }
    }
  ]
}
```

------

## AWS managed policy: AmazonLexV2BedrockKnowledgeBasePolicyInternal
<a name="security-iam-awsmanpol-AmazonLexV2BedrockKnowledgeBasePolicyInternal"></a>

Amazon Lex V2 internal policy for Amazon Bedrock knowledge bases.

The JSON shown for this policy is the trust policy of the role it is attached to. It allows the internal `lexv2.aws.internal` service principal to assume the role, scoped to your account by the `aws:SourceAccount` condition. Replace `{accountId}` with your 12-digit AWS account ID.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LexV2InternalTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "lexv2.aws.internal"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{accountId}"
        }
      }
    }
  ]
}
```

------
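
Each of the four trust policies above ties the service principal's `sts:AssumeRole` to your account through `aws:SourceAccount`; without that condition, any account that can drive the same service could have it assume your role (the confused deputy problem). The following Python check is an added example, not part of the Amazon Lex V2 documentation, that verifies a trust policy keeps that scoping and that the documented `{accountId}` placeholder has been replaced with a real 12-digit account ID before the role is created. The two sample policies and the account ID `123456789012` are constructed for the example.

```python
"""Check a role trust policy for the source-account scoping used above.

Added example, not part of the Amazon Lex V2 documentation. Sample policies
and the account ID are constructed; run check_trust_policy() on the
AssumeRolePolicyDocument returned by `aws iam get-role` in practice.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
SOURCE_SCOPING_KEYS = ("aws:SourceAccount", "aws:SourceArn")

# The documented trust policy, placeholder still in place (constructed copy).
TRUST_POLICY_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Sid": "LexV2TrustPolicy",
        "Principal": {"Service": "lexv2.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": "{accountId}"}},
    }],
})

# Constructed weak variant: same principal, no source scoping at all.
UNSCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Sid": "LexV2TrustPolicyUnscoped",
        "Principal": {"Service": "lexv2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})


def render_trust_policy(template, account_id):
    """Substitute the documented {accountId} placeholder after validating the ID."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return template.replace("{accountId}", account_id)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_account):
    """Return a list of problems; an empty list means the policy passes.

    Only Allow statements granting sts:AssumeRole to a *service* principal
    are examined; cross-account (AWS principal) trust is a separate review.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    problems = []
    for st in _as_list(doc.get("Statement")):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            problems.append(f"{sid}: wildcard principal may assume the role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if not services:
            continue
        # Flatten every operator block (StringEquals, ArnLike, ...) into one key -> value map.
        cond = {k: v for block in st.get("Condition", {}).values() for k, v in block.items()}
        if not any(k in cond for k in SOURCE_SCOPING_KEYS):
            problems.append(f"{sid}: {services} trusted without aws:SourceAccount or aws:SourceArn")
            continue
        for acct in _as_list(cond.get("aws:SourceAccount")):
            if not ACCOUNT_ID_RE.match(str(acct)):
                problems.append(f"{sid}: aws:SourceAccount {acct!r} is not a 12-digit account ID")
            elif acct != expected_account:
                problems.append(f"{sid}: aws:SourceAccount {acct} is not the deploying account {expected_account}")
    return problems


if __name__ == "__main__":
    acct = "123456789012"  # constructed example account ID
    print(check_trust_policy(TRUST_POLICY_TEMPLATE, acct))
    print(check_trust_policy(render_trust_policy(TRUST_POLICY_TEMPLATE, acct), acct))
    print(check_trust_policy(UNSCOPED_TRUST_POLICY, acct))
```

A template with the placeholder still in it fails closed (the condition can never match, so nobody can assume the role), which is why the first check reports it as a problem rather than a risk: the symptom in production is Amazon Lex V2 failing to assume the role, not an over-permissive trust.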





## Amazon Lex V2 updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>



The following table lists updates to AWS managed policies for Amazon Lex V2 since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Document history for Amazon Lex V2](doc-history.md) page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonLexReplicationPolicy](#security-iam-awsmanpol-AmazonLexReplicationPolicy) – Updated policy  |  Amazon Lex V2 updated the policy to allow replication of tags and resource-based policies.  | June 24, 2025 | 
|  [AmazonLexV2BedrockKnowledgeBasePolicyInternal](#security-iam-awsmanpol-AmazonLexV2BedrockKnowledgeBasePolicyInternal) – New policy  |  Amazon Lex V2 added a new policy to allow replication of Amazon Bedrock knowledge base resources.  | August 30, 2024 | 
|  [AmazonLexV2BedrockAgentPolicyInternal](#security-iam-awsmanpol-AmazonLexV2BedrockAgentPolicyInternal) – New policy  |  Amazon Lex V2 added a new policy to allow replication of Amazon Bedrock agent resources.  | August 30, 2024 | 
|  [AmazonLexV2BedrockKnowledgeBasePolicy](#security-iam-awsmanpol-AmazonLexV2BedrockKnowledgeBasePolicy) – New policy  |  Amazon Lex V2 added a new policy to allow replication of Amazon Bedrock knowledge base resources.  | August 30, 2024 | 
|  [AmazonLexV2BedrockAgentPolicy](#security-iam-awsmanpol-AmazonLexV2BedrockAgentPolicy) – New policy  |  Amazon Lex V2 added a new policy to allow replication of Amazon Bedrock agent resources.  | August 30, 2024 | 
|  [AmazonLexReadOnly](#security-iam-awsmanpol-AmazonLexReadOnly) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow read-only access to replicas of bot resources.  | May 10, 2024 | 
|  [AmazonLexFullAccess](#security-iam-awsmanpol-AmazonLexFullAccess) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow replication of bot resources to other regions.  | April 16, 2024 | 
|  [AmazonLexFullAccess](#security-iam-awsmanpol-AmazonLexFullAccess) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow replication of bot resources to other regions.  | January 31, 2024 | 
|  [AmazonLexReplicationPolicy](#security-iam-awsmanpol-AmazonLexReplicationPolicy) – New policy  |  Amazon Lex V2 added a new policy to allow replication of bot resources to other regions.  | January 31, 2024 | 
|  [AmazonLexReadOnly](#security-iam-awsmanpol-AmazonLexReadOnly) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow read-only access to list custom vocabulary items.  | November 29, 2022 | 
|  [AmazonLexReadOnly](#security-iam-awsmanpol-AmazonLexReadOnly) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow read-only access to Amazon Lex V2 Automated Chatbot Designer operations.  | December 1, 2021 | 
|  [AmazonLexFullAccess](#security-iam-awsmanpol-AmazonLexFullAccess) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow read-only access to Amazon Lex V2 model building service operations.  | August 18, 2021 | 
|  [AmazonLexReadOnly](#security-iam-awsmanpol-AmazonLexReadOnly) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow read-only access to Amazon Lex V2 model building service operations.  | August 18, 2021 | 
|  [AmazonLexRunBotsOnly](#security-iam-awsmanpol-AmazonLexRunBotsOnly) – Update to an existing policy  |  Amazon Lex V2 added new permissions to allow read-only access to Amazon Lex V2 runtime service operations.  | August 18, 2021 | 
|  Amazon Lex V2 started tracking changes  |  Amazon Lex V2 started tracking changes for its AWS managed policies.  | August 18, 2021 | 

# Using service-linked roles for Amazon Lex V2
<a name="using-service-linked-roles"></a>

Amazon Lex V2 uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon Lex V2. Service-linked roles are predefined by Amazon Lex V2 and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Amazon Lex V2 easier because you don’t have to manually add the necessary permissions. Amazon Lex V2 defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Lex V2 can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

You can delete a service-linked role only after first deleting related resources. This protects your Amazon Lex V2 resources because you can't inadvertently remove permissions to access the resources.

**Topics**
+ [Creating a service-linked role for Amazon Lex V2](#create-slr)
+ [Editing a service-linked role for Amazon Lex V2](#edit-slr)
+ [Deleting a service-linked role for Amazon Lex V2](#delete-slr)
+ [Service-linked role permissions for Amazon Lex V2](#slr-permissions)
+ [Supported regions for Amazon Lex V2 service-linked roles](#slr-regions)

## Creating a service-linked role for Amazon Lex V2
<a name="create-slr"></a>

You don't need to manually create a service-linked role, because Amazon Lex V2 creates the service-linked role for you when you carry out the relevant action (see [Service-linked role permissions for Amazon Lex V2](#slr-permissions) for more information) in the AWS Management Console, AWS CLI, or AWS API.

If you delete this service-linked role, and then need to create one again, you can use the same process to create a new role in your account.

## Editing a service-linked role for Amazon Lex V2
<a name="edit-slr"></a>

Amazon Lex V2 doesn't allow you to edit service-linked roles. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of a role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Amazon Lex V2
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the Amazon Lex V2 service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

To see the steps for deleting resources for specific service-linked roles in Amazon Lex V2, refer to the section specific to the role in [Service-linked role permissions for Amazon Lex V2](#slr-permissions).

**To manually delete a service-linked role using IAM**

After deleting resources related to a service-linked role, use the IAM console, the AWS CLI, or the AWS API to delete the role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Service-linked role permissions for Amazon Lex V2
<a name="slr-permissions"></a>

Amazon Lex V2 uses service-linked roles with the following name prefixes. Where a name below ends in `*`, Amazon Lex V2 appends a random suffix to the prefix when it creates the role; the `*` is the same wildcard that the managed policies above use to match these roles.

**Topics**
+ [AWSServiceRoleForLexV2Bots\*](#slr-bots)
+ [AWSServiceRoleForLexV2Channels\*](#slr-channels)
+ [AWSServiceRoleForLexV2Replication](#slr-replication)

### AWSServiceRoleForLexV2Bots\*
<a name="slr-bots"></a>

A role with the `AWSServiceRoleForLexV2Bots` prefix gives a bot permissions to connect to the other services it requires. The role's trust policy allows the `lexv2.amazonaws.com` service principal to assume it, and its permissions policy allows the following actions.
+ Use Amazon Polly to synthesize speech on all Amazon Lex V2 resources that the action supports.
+ If a bot is configured to use Amazon Comprehend sentiment analysis, detect sentiment on all Amazon Lex V2 resources that the action supports.
+ If a bot is configured to store audio logs in an S3 bucket, put objects in the specified bucket.
+ If a bot is configured to store audio and text logs, create a log stream in, and put log events into, the specified log group.
+ If a bot is configured to use an AWS KMS key to encrypt data, generate a data key under that key.
+ If a bot is configured to use the `KendraSearchIntent` intent, query the specified Amazon Kendra index.

**To create the role**

Amazon Lex V2 creates a new `AWSServiceRoleForLexV2Bots` role with a random suffix in your account each time that you [create a bot](create-bot.md). Amazon Lex V2 modifies the role when you add capabilities to the bot. For example, if you [add Amazon Comprehend sentiment analysis to a bot](sentiment.md), Amazon Lex V2 adds permission for the `comprehend:DetectSentiment` action to the role. Because Amazon Lex V2 changes this role on your behalf, its permissions policy grows as you enable bot features.

**To delete the role**

1. Sign in to the AWS Management Console and open the Amazon Lex console at [https://console.aws.amazon.com/lex/](https://console.aws.amazon.com/lex/).

1. From the left navigation pane, select **Bots** and choose the bot whose service-linked role you want to delete.

1. Select any version of the bot.

1. Note the role name shown as **IAM permissions runtime role** in the **Version details**; this is the service-linked role that you delete in the final step.

1. Return to the **Bots** page and choose the radio button next to the bot to delete.

1. Select **Action** and then choose **Delete**.

1. Follow the steps at [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) to delete the IAM role.

### AWSServiceRoleForLexV2Channels\*
<a name="slr-channels"></a>

A role with the `AWSServiceRoleForLexV2Channels` prefix gives permission to list the bots in an account and to call the conversation APIs for a bot. The role's trust policy allows the `channels.lexv2.amazonaws.com` service principal to assume it. If a bot is configured to use a channel to communicate with a messaging service, the role's permissions policy allows Amazon Lex V2 to complete the following actions.
+ List all bots in the account.
+ Recognize text, get session, and put session on the specified bot alias.

**To create the role**

When you create a channel integration to deploy a bot on a messaging platform, Amazon Lex V2 creates a new service-linked role in your account for each channel with a random suffix.

**To delete the role**

1. Sign in to the AWS Management Console and open the Amazon Lex console at [https://console.aws.amazon.com/lex/](https://console.aws.amazon.com/lex/).

1. From the left navigation pane, select **Bots**.

1. Choose a bot.

1. From the left navigation pane, choose **Channel integrations** under **Deployments**.

1. Select a channel whose service-linked role you want to delete.

1. Note the role name shown as **IAM permissions runtime role** in the **General configuration**; this is the service-linked role that you delete in the final step.

1. Choose **Delete**, then choose **Delete** again to delete the channel.

1. Follow the steps at [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) to delete the IAM role.

### AWSServiceRoleForLexV2Replication
<a name="slr-replication"></a>

The AWSServiceRoleForLexV2Replication role gives permission to replicate bots in a second region. This role includes a trust policy to allow the replication.lexv2.amazonaws.com service to assume the role and also includes the [AmazonLexReplicationPolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonLexReplicationPolicy) AWS managed policy, which allows permissions for the following actions.
+ Pass the bot's IAM roles to the replica bot so that the replica has the same permissions as the source bot.
+ Create and manage bots and bot resources (versions, aliases, intents, slots, custom vocabularies, and so on) in other Regions.

**To create the role**

When you enable Global Resiliency for a bot, Amazon Lex V2 creates the AWSServiceRoleForLexV2Replication service-linked role in your account. Ensure that you have the correct [permissions](gr-permissions.md) to grant the Amazon Lex V2 service permissions to create the service-linked role.

**To delete Amazon Lex V2 resources used by AWSServiceRoleForLexV2Replication so that you can delete the role**

1. Sign in to the AWS Management Console and open the Amazon Lex console at [https://console.aws.amazon.com/lex/](https://console.aws.amazon.com/lex/).

1. Choose a bot for which Global Resiliency is enabled.

1. Select **Global Resiliency** under **Deployment**.

1. Select **Disable Global Resiliency**.

1. Repeat the process for all bots that have Global Resiliency enabled.

1. Follow the steps at [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) to delete the IAM role.
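
The console procedures above remove the Amazon Lex V2 resources that keep a service-linked role in use; the role itself is then deleted through the IAM operations named in the managed policies above (`iam:DeleteServiceLinkedRole` and `iam:GetServiceLinkedRoleDeletionStatus`). The following Python example is added here and is not part of the Amazon Lex V2 documentation. It starts the deletion, polls the asynchronous deletion task, and when IAM reports `FAILED` because a resource still references the role (the case the note above warns about), it returns the Region and resource ARNs that block the deletion so you know what to clean up before retrying. The `iam` argument is any object exposing boto3's IAM client methods of those names; `FakeIamClient`, the role suffix `EXAMPLE`, the task ID format and the bot alias ARN are constructed so the example runs offline, and the live run with boto3 assumes boto3 is installed and credentials are configured.

```python
"""Delete an Amazon Lex V2 service-linked role and wait on the deletion task.

Added example, not part of the Amazon Lex V2 documentation. FakeIamClient,
the EXAMPLE role suffix, the task ID format and the bot alias ARN are
constructed; pass a real boto3 IAM client to run against an account.
"""
import time

LEX_V2_SLR_PREFIXES = (
    "AWSServiceRoleForLexV2Bots",
    "AWSServiceRoleForLexV2Channels",
    "AWSServiceRoleForLexV2Replication",
)


def is_lex_v2_slr(role_name):
    """Guard so the helper cannot be pointed at an unrelated role."""
    return role_name.startswith(LEX_V2_SLR_PREFIXES)


def delete_service_linked_role(iam, role_name, poll_seconds=0.0, max_polls=20):
    """Start deletion and poll until IAM reports a terminal status.

    Returns (status, blocking_resources). IAM refuses to delete a role that
    is still referenced; then status is "FAILED" and blocking_resources
    lists (Region, resource ARN) pairs still using the role.
    """
    if not is_lex_v2_slr(role_name):
        raise ValueError(f"{role_name} is not an Amazon Lex V2 service-linked role")
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    for _ in range(max_polls):
        resp = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        status = resp["Status"]
        if status in ("SUCCEEDED", "FAILED"):
            blocking = [
                (usage.get("Region"), arn)
                for usage in resp.get("Reason", {}).get("RoleUsageList", [])
                for arn in usage.get("Resources", [])
            ]
            return status, blocking
        time.sleep(poll_seconds)
    return "TIMEOUT", []


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client so the example runs offline.

    The first status poll for each task reports IN_PROGRESS, mirroring the
    asynchronous API; the second reports FAILED for roles still in use,
    otherwise SUCCEEDED.
    """

    def __init__(self, in_use):
        self._in_use = in_use  # role name -> list of blocking resource ARNs
        self._tasks = {}
        self._polls = {}

    def delete_service_linked_role(self, RoleName):
        task_id = f"task/aws-service-role/lexv2.amazonaws.com/{RoleName}/{len(self._tasks) + 1}"
        self._tasks[task_id] = RoleName
        self._polls[task_id] = 0
        return {"DeletionTaskId": task_id}

    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        self._polls[DeletionTaskId] += 1
        if self._polls[DeletionTaskId] == 1:
            return {"Status": "IN_PROGRESS"}
        blocking = self._in_use.get(self._tasks[DeletionTaskId], [])
        if blocking:
            return {"Status": "FAILED",
                    "Reason": {"Reason": "Role is in use",
                               "RoleUsageList": [{"Region": "us-east-1", "Resources": blocking}]}}
        return {"Status": "SUCCEEDED"}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live run (assumption: boto3 installed, credentials configured):
        #   python delete_slr.py AWSServiceRoleForLexV2Bots_<suffix>
        import boto3
        print(delete_service_linked_role(boto3.client("iam"), sys.argv[1], poll_seconds=2.0))
    else:
        demo = FakeIamClient({"AWSServiceRoleForLexV2Channels_EXAMPLE": [
            "arn:aws:lex:us-east-1:123456789012:bot-alias/EXAMPLEBOT/EXAMPLEALIAS"]})
        print(delete_service_linked_role(demo, "AWSServiceRoleForLexV2Bots_EXAMPLE"))
        print(delete_service_linked_role(demo, "AWSServiceRoleForLexV2Channels_EXAMPLE"))
```

The caller needs `iam:DeleteServiceLinkedRole` and `iam:GetServiceLinkedRoleDeletionStatus` on the role ARN, which is exactly what `AmazonLexFullAccessStatement9` above grants; a `FAILED` result with a non-empty blocking list is the programmatic form of the note above, and the fix is to delete the listed bot, channel, or replica and then run the deletion again.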

## Supported regions for Amazon Lex V2 service-linked roles
<a name="slr-regions"></a>

Amazon Lex V2 supports using service-linked roles in all of the regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

# Troubleshooting Amazon Lex V2 identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Lex V2 and IAM.

**Topics**
+ [I am not authorized to perform an action in Amazon Lex V2](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I'm an administrator and want to allow others to access Amazon Lex V2](#security_iam_troubleshoot-admin-delegate)
+ [Grant programmatic access to a user](#security_iam_programmatic_access)
+ [I want to allow people outside of my AWS account to access my Amazon Lex V2 resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Amazon Lex V2
<a name="security_iam_troubleshoot-no-permissions"></a>

If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your sign-in credentials.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but does not have the fictional `lex:GetWidget` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: lex:GetWidget on resource: my-example-widget
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `my-example-widget` resource using the `lex:GetWidget` action.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon Lex V2.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Amazon Lex V2. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I'm an administrator and want to allow others to access Amazon Lex V2
<a name="security_iam_troubleshoot-admin-delegate"></a>

To allow others to access Amazon Lex V2, you must grant permission to the people or applications that need access. If you are using AWS IAM Identity Center to manage people and applications, you assign permission sets to users or groups to define their level of access. Permission sets automatically create and assign IAM policies to IAM roles that are associated with the person or application. For more information, see [Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) in the *AWS IAM Identity Center User Guide*.

If you are not using IAM Identity Center, you must create IAM entities (users or roles) for the people or applications that need access. You must then attach a policy to the entity that grants them the correct permissions in Amazon Lex V2. After the permissions are granted, provide the credentials to the user or application developer. They will use those credentials to access AWS. To learn more about creating IAM users, groups, policies, and permissions, see [IAM Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) and [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

## Grant programmatic access to a user
<a name="security_iam_programmatic_access"></a>

 For information about how to get your access key ID and secret access key, see [Understanding and getting your AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) in the AWS General Reference. 

## I want to allow people outside of my AWS account to access my Amazon Lex V2 resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Amazon Lex V2 supports these features, see [How Amazon Lex V2 works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.