

# Create an IAM role for AMS to access your account
<a name="create-iam-role-for-ams"></a>

Now that you've created your new AWS account, the next step is to give AMS access to it, so that AMS can create and configure your AMS environment and fulfill ongoing change and provisioning requests. For details, see [Delegate Access Across AWS Accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html).

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

# Activate IAM access to the AWS console
<a name="activate-iam-access-to-console"></a>

1. Sign in to the AWS Management Console with your root account credentials (the email and password that you used to create your AWS account). Do not sign in with other IAM credentials. The AWS Management Console home page opens.

1. In the top navigation bar, open the drop-down menu for your account name, and then choose **Account**. The Billing home page opens.

1. Scroll down to **IAM user and role access to Billing information**, and choose **Edit**. An **Activate IAM access** area opens.

1. Select the check box and then choose **Update**. You can now use IAM policies to control which pages a user can access.

# Create an IAM Role for AMS to use
<a name="create-an-iam-role-for-ams-to-use"></a>

1. Obtain a JSON or YAML file that defines an IAM role for AMS to use to create your infrastructure. Either:
   + Your AMS cloud architect (CA) provides you with a JSON or YAML file.
   + You can download [onboarding\_iam\_roles.zip](samples/onboarding_iam_roles.zip) and choose one of the following:
     + **onboarding\_role\_admin.json** (shorter, grants full admin access)
     + **onboarding\_role\_minimal.json** (longer, grants [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege))

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

    ![\[CloudFormation Stacks interface showing no stacks and options to create or view guide.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/image1.png)

1. Choose **Create Stack**. You see the following page.

   ![\[Create stack interface with options to specify template and upload template file.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/image2.png)

1. Choose **Upload a template file**, upload the JSON or YAML file of the IAM role, and then choose **Next**. You see the following page.

   ![\[Form for specifying stack details, including stack name and parameters fields.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/image3.png)

1. Enter **ams-onboarding-role** in the **Stack name** field, and then keep choosing **Next** until you reach the following page.

   ![\[Capabilities section with AWSIAM role requirement and checkbox for custom names.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/image4.png)

1. Make sure the check box in the **Capabilities** section is selected, and then choose **Create Stack**.

1. Make sure the stack was created successfully.
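Before you upload a role template in the procedure above, you can check which principals the role trusts and whether it grants full admin access. The following Python sketch is an added example, not part of the AMS guide or the AMS-provided templates; it reads JSON templates only, and the embedded template, role name, and account ID 111122223333 are constructed placeholders.

```python
import json

# Constructed sample template, NOT the contents of onboarding_iam_roles.zip.
# 111122223333 is a placeholder account ID; the role name is made up.
SAMPLE_TEMPLATE = """
{"Resources": {"OnboardingRole": {"Type": "AWS::IAM::Role", "Properties": {
  "RoleName": "example-onboarding-role",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
  "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]}}}}
"""

def as_list(value):
    """IAM policy fields may hold one value or a list; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def review_template(template_text):
    """Return one summary dict per AWS::IAM::Role in a JSON template."""
    findings = []
    for logical_id, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        # Who may assume the role: principals of Allow statements in the trust policy.
        trusted = []
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            principal = stmt.get("Principal", {}) if stmt.get("Effect") == "Allow" else {}
            if principal == "*":
                trusted.append("*")
            else:
                for kind, vals in principal.items():
                    trusted += [f"{kind}:{v}" for v in as_list(vals)]
        # Full admin: AdministratorAccess attached, or an inline Allow of * on *.
        admin = any(":policy/AdministratorAccess" in str(arn)
                    for arn in as_list(props.get("ManagedPolicyArns")))
        for policy in as_list(props.get("Policies")):
            for stmt in as_list(policy.get("PolicyDocument", {}).get("Statement")):
                if (stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action"))
                        and "*" in as_list(stmt.get("Resource"))):
                    admin = True
        # A custom RoleName requires the named-IAM capability acknowledgment.
        findings.append({"role": logical_id, "trusted": trusted, "full_admin": admin,
                         "custom_name": "RoleName" in props})
    return findings

if __name__ == "__main__":
    for finding in review_template(SAMPLE_TEMPLATE):
        print(finding)
```

Compare the `trusted` list with the principal your AMS cloud architect told you to expect, and treat `full_admin: True` as confirmation that you picked the admin template rather than the least-privilege one.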