

End of support notice: On May 31, 2026, AWS will end support for AWS Panorama. After May 31, 2026, you will no longer be able to access the AWS Panorama console or AWS Panorama resources. For more information, see [AWS Panorama end of support](https://docs.aws.amazon.com/panorama/latest/dev/panorama-end-of-support.html). 

# AWS Panorama permissions
<a name="panorama-permissions"></a>

You can use AWS Identity and Access Management (IAM) to manage access to the AWS Panorama service and to resources like appliances and applications. For the users in your account who use AWS Panorama, you manage permissions with identity-based policies that you attach to the IAM roles those users assume. To manage permissions for an application, you create a separate role and assign it to the application.

To [manage permissions for users](permissions-user.md) in your account, use the managed policy that AWS Panorama provides, or write your own. You need permissions to other AWS services to get application and appliance logs, view metrics, and assign a role to an application.

An AWS Panorama Appliance also has a role that grants it permission to access AWS services and resources. The appliance's role is one of the [service roles](permissions-services.md) that the AWS Panorama service uses to access other services on your behalf.

An [application role](permissions-application.md) is a separate service role that you create for an application, to grant it permission to use AWS services with the AWS SDK for Python (Boto). To create an application role, you need administrative privileges or the help of an administrator.

You can restrict user permissions by the resource an action affects and, in some cases, by additional conditions. For example, you can specify a pattern for the Amazon Resource Name (ARN) of an application that requires a user to include their user name in the name of applications that they create. For the resources and conditions that are supported by each action, see [Actions, resources, and condition keys for AWS Panorama](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html) in the Service Authorization Reference.

For more information, see [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/) in the IAM User Guide.

**Topics**
+ [Identity-based IAM policies for AWS Panorama](permissions-user.md)
+ [AWS Panorama service roles and cross-service resources](permissions-services.md)
+ [Granting permissions to an application](permissions-application.md)

# Identity-based IAM policies for AWS Panorama
<a name="permissions-user"></a>

To grant users in your account access to AWS Panorama, you use identity-based policies in AWS Identity and Access Management (IAM). Apply identity-based policies to IAM roles that are associated with a user. You can also grant users in another account permission to assume a role in your account and access your AWS Panorama resources.

AWS Panorama provides managed policies that grant access to AWS Panorama API actions and, in some cases, access to other services used to develop and manage AWS Panorama resources. AWS Panorama updates the managed policies as needed, to ensure that your users have access to new features when they're released.
+ **AWSPanoramaFullAccess** – Provides full access to AWS Panorama, AWS Panorama access points in Amazon S3, appliance credentials in AWS Secrets Manager, and appliance logs in Amazon CloudWatch. Includes permission to create a [service-linked role](permissions-services.md) for AWS Panorama. [View policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSPanoramaFullAccess)

The `AWSPanoramaFullAccess` policy allows you to tag AWS Panorama resources, but does not have all tag-related permissions used by the AWS Panorama console. To grant these permissions, add the following policy.
+ **ResourceGroupsandTagEditorFullAccess** – [View policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ResourceGroupsandTagEditorFullAccess)

The `AWSPanoramaFullAccess` policy does not include permission to purchase devices from the AWS Panorama console. To grant these permissions, add the following policy.
+ **ElementalAppliancesSoftwareFullAccess** – [View policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ElementalAppliancesSoftwareFullAccess)

Managed policies grant permission to API actions without restricting the resources that a user can modify. For finer-grained control, you can create your own policies that limit the scope of a user's permissions. Use the full-access policy as a starting point for your policies.

**Creating service roles**  
The first time you use [the AWS Panorama console](https://console.aws.amazon.com/panorama/home), you need permission to create the [service role](permissions-services.md) used by the AWS Panorama Appliance. A service role gives a service permission to manage resources or interact with other services. Create this role before granting access to your users.

For details on the resources and conditions that you can use to limit the scope of a user's permissions in AWS Panorama, see [Actions, resources, and condition keys for AWS Panorama](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html) in the Service Authorization Reference.

# AWS Panorama service roles and cross-service resources
<a name="permissions-services"></a>

AWS Panorama uses other AWS services to manage the AWS Panorama Appliance, store data, and import application resources. A service role gives a service permission to manage resources or interact with other services. When you sign in to the AWS Panorama console for the first time, you create the following service roles:

+ **AWSServiceRoleForAWSPanorama** – Allows AWS Panorama to manage resources in AWS IoT, AWS Secrets Manager, and AWS Panorama.

  Managed policy: [AWSPanoramaServiceLinkedRolePolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSPanoramaServiceLinkedRolePolicy)
+ **AWSPanoramaApplianceServiceRole** – Allows an AWS Panorama Appliance to upload logs to CloudWatch, and to get objects from Amazon S3 access points created by AWS Panorama.

  Managed policy: [AWSPanoramaApplianceServiceRolePolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSPanoramaApplianceServiceRolePolicy)

To view the permissions attached to each role, use the [IAM console](https://console.aws.amazon.com/iam). Wherever possible, the role's permissions are restricted to resources that match a naming pattern that AWS Panorama uses. For example, `AWSServiceRoleForAWSPanorama` grants only permission for the service to access AWS IoT resources that have `panorama` in their name.

**Topics**
+ [Securing the appliance role](#permissions-services-appliance)
+ [Use of other services](#permissions-services-otherservices)

## Securing the appliance role
<a name="permissions-services-appliance"></a>

The AWS Panorama Appliance uses the `AWSPanoramaApplianceServiceRole` role to access resources in your account. The appliance has permission to upload logs to CloudWatch Logs, read camera stream credentials from AWS Secrets Manager, and to access application artifacts in Amazon Simple Storage Service (Amazon S3) access points that AWS Panorama creates.

**Note**  
Applications don't use the appliance's permissions. To give your application permission to use AWS services, create an [application role](permissions-application.md).

AWS Panorama uses the same service role with all appliances in your account, and does not use roles across accounts. For an added layer of security, you can modify the appliance role's trust policy to enforce this explicitly, which is a best practice when you use roles to grant a service permission to access resources in your account.

**To update the appliance role trust policy**

1. Open the appliance role in the IAM console: [AWSPanoramaApplianceServiceRole](https://console.aws.amazon.com/iam/home#/roles/AWSPanoramaApplianceServiceRole?section=trust)

1. Choose **Edit trust relationship**.

1. Update the policy contents and then choose **Update trust policy**.

The following trust policy includes a condition that ensures that when AWS Panorama assumes the appliance role, it is doing so for an appliance in your account. The `aws:SourceAccount` condition compares the account ID that AWS Panorama passes when it assumes the role (the account that owns the appliance) to the one that you include in the policy; a request made on behalf of an appliance in any other account fails the condition and is denied.

**Example trust policy – Specific account**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "panorama.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
```

If you want to restrict AWS Panorama further, and allow it to assume the role only for a specific appliance, you can specify the appliance by ARN. The `aws:SourceArn` condition compares the ARN of the appliance that AWS Panorama passes to the one that you include in the policy. Because the operator is `ArnLike`, the value can also contain `*` wildcards, for example to allow every appliance in one Region of your account, but keep the `aws:SourceAccount` condition as well so a wildcard never widens the trust beyond your account.

**Example trust policy – Single appliance**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "panorama.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:panorama:us-east-1:123456789012:device/device-lk7exmplpvcr3heqwjmesw76ky"
        },
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
```

If you reset and reprovision the appliance, it receives a new device ID, so the old source ARN condition no longer matches. Remove the source ARN condition temporarily and then add it again with the new device ID, which you can read from the `Arn` field of `aws panorama describe-device` or from the device page in the console.

For more information on these conditions, and security best practices when services use roles to access resources in your account, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the IAM User Guide.
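The two trust policies above, and the reprovisioning caveat, can be checked locally before you touch the role. The following is an added example, not code from the AWS Panorama documentation: it builds the account-only and single-appliance trust policies, evaluates them the way STS would for the `aws:SourceAccount` (`StringEquals`) and `aws:SourceArn` (`ArnLike`) conditions, and writes the result with the real `update_assume_role_policy` IAM API when you pass it a boto3 IAM client. The account ID and device ARN are the placeholders used on this page; `999999999999` and the "reprovisioned" device ID are constructed for the test cases.

```python
"""Local model of the appliance-role trust policy and its confused-deputy checks.

Added example, not code from the AWS Panorama documentation. The account ID
and device ARN are the placeholders used on this page, and the IAM client is
injected so everything except apply_trust_policy() runs offline.
"""
import fnmatch
import json
from typing import Optional

PANORAMA_SERVICE = "panorama.amazonaws.com"
ACCOUNT_ID = "123456789012"  # placeholder account ID
DEVICE_ARN = (  # placeholder device ARN from the page
    "arn:aws:panorama:us-east-1:123456789012:"
    "device/device-lk7exmplpvcr3heqwjmesw76ky"
)


def build_trust_policy(account_id: str, device_arn: Optional[str] = None) -> dict:
    """Trust policy for AWSPanoramaApplianceServiceRole.

    Always pins aws:SourceAccount; when device_arn is given, also pins
    aws:SourceArn to that appliance (the two policies shown above).
    """
    condition = {"StringEquals": {"aws:SourceAccount": account_id}}
    if device_arn is not None:
        condition["ArnLike"] = {"aws:SourceArn": device_arn}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": PANORAMA_SERVICE},
                "Action": "sts:AssumeRole",
                "Condition": condition,
            }
        ],
    }


def assume_role_allowed(policy: dict, caller_service: str,
                        source_account: str, source_arn: str) -> bool:
    """Evaluate the trust policy the way STS would for a service principal.

    Only the operators used on this page are modelled: StringEquals on
    aws:SourceAccount and ArnLike (case-sensitive '*'/'?' wildcards) on
    aws:SourceArn. Any Allow statement whose conditions all hold grants access.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"].get("Service") != caller_service:
            continue
        cond = stmt.get("Condition", {})
        wanted_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if wanted_account is not None and wanted_account != source_account:
            continue
        arn_pattern = cond.get("ArnLike", {}).get("aws:SourceArn")
        if arn_pattern is not None and not fnmatch.fnmatchcase(source_arn, arn_pattern):
            continue
        return True
    return False


def apply_trust_policy(iam_client, role_name: str, policy: dict) -> None:
    """Write the policy with the real IAM API (boto3 IAM client, injected)."""
    iam_client.update_assume_role_policy(
        RoleName=role_name, PolicyDocument=json.dumps(policy)
    )


if __name__ == "__main__":
    pinned = build_trust_policy(ACCOUNT_ID, DEVICE_ARN)
    print(json.dumps(pinned, indent=2))
    # The same device ID presented on behalf of another account is denied.
    other = DEVICE_ARN.replace(ACCOUNT_ID, "999999999999")
    print(assume_role_allowed(pinned, PANORAMA_SERVICE, "999999999999", other))
```

To apply it for real, pass `boto3.client("iam")` as `iam_client` with the role name `AWSPanoramaApplianceServiceRole`; the evaluator is only a model of the two operators on this page and does not replace IAM's own evaluation logic for other operators or explicit denies.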

## Use of other services
<a name="permissions-services-otherservices"></a>

AWS Panorama creates or accesses resources in the following services: 

+ [AWS IoT](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsiot.html) – Things, policies, certificates, and jobs for the AWS Panorama Appliance.
+ [Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html) – Access points for staging application models, code, and configurations.
+ [Secrets Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssecretsmanager.html) – Short-term credentials for the AWS Panorama Appliance.

For information about Amazon Resource Name (ARN) format or permission scopes for each service, see the topics in the *IAM User Guide* that are linked to in this list.

# Granting permissions to an application
<a name="permissions-application"></a>

You can create a role for your application to grant it permission to call AWS services. By default, applications do not have any permissions. You create an application role in IAM and assign it to an application during deployment. To grant your application only the permissions that it needs, create a role for it with permissions for specific API actions.

The [sample application](gettingstarted-sample.md) includes a CloudFormation template and script that create an application role. It is a [service role](permissions-services.md) that AWS Panorama can assume. This role grants the application permission to call the CloudWatch `PutMetricData` API to upload metrics.

**Example [aws-panorama-sample.yml](https://github.com/awsdocs/aws-panorama-developer-guide/blob/main/sample-apps/aws-panorama-sample/aws-panorama-sample.yml) – Application role**  

```
Resources:
  runtimeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - panorama.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: cloudwatch-putmetrics
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: 'cloudwatch:PutMetricData'
                Resource: '*'
      Path: /service-role/
```

You can extend this template to grant permissions to other services by adding statements that list the specific API actions (or action patterns) the application calls for the value of `Action`. Scope `Resource` to the ARNs the application needs wherever the action supports resource-level permissions; `cloudwatch:PutMetricData` does not, which is why the sample uses `'*'` there, and for that action you can instead limit the metric namespace with the `cloudwatch:namespace` condition key.
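As an added example (not the sample application's own template or script), the following Python builds the same `AWS::IAM::Role` in the JSON form of a CloudFormation template, but with the `PutMetricData` statement limited to one metric namespace through the `cloudwatch:namespace` condition key, and with a small least-privilege check that refuses wildcard actions or an unconditioned `Resource: "*"` before the template is emitted. The namespace `MyPanoramaApp` and the role resource name are placeholders.

```python
"""Generate a least-privilege AWS Panorama application role as a CloudFormation
template (JSON form).

Added example, not the sample application's own template. The metric
namespace and policy name are placeholders chosen for this example.
"""
import json

PANORAMA_SERVICE = "panorama.amazonaws.com"
ROLE_PATH = "/service-role/"  # same path the sample template uses


def put_metrics_statement(namespace: str) -> dict:
    """Allow cloudwatch:PutMetricData for a single namespace.

    PutMetricData does not support resource-level permissions, so Resource
    must be '*'; the cloudwatch:namespace condition key is what narrows it.
    """
    return {
        "Effect": "Allow",
        "Action": "cloudwatch:PutMetricData",
        "Resource": "*",
        "Condition": {"StringEquals": {"cloudwatch:namespace": namespace}},
    }


def lint_statement(stmt: dict) -> list:
    """Return least-privilege findings for one policy statement (empty = OK)."""
    findings = []
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action!r}")
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if "*" in resources and "Condition" not in stmt:
        findings.append("Resource '*' without a Condition")
    return findings


def application_role_template(statements: list) -> dict:
    """CloudFormation template with one role that panorama.amazonaws.com can assume.

    Raises ValueError instead of emitting a template that fails the lint.
    """
    for stmt in statements:
        problems = lint_statement(stmt)
        if problems:
            raise ValueError(f"statement {stmt['Action']!r}: {', '.join(problems)}")
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "runtimeRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"Service": [PANORAMA_SERVICE]},
                            "Action": ["sts:AssumeRole"],
                        }],
                    },
                    "Policies": [{
                        "PolicyName": "application-permissions",  # placeholder name
                        "PolicyDocument": {"Version": "2012-10-17", "Statement": statements},
                    }],
                    "Path": ROLE_PATH,
                },
            },
        },
    }


if __name__ == "__main__":
    template = application_role_template([put_metrics_statement("MyPanoramaApp")])
    print(json.dumps(template, indent=2))
```

Save the printed JSON and deploy it with `aws cloudformation deploy --template-file <file> --stack-name <name> --capabilities CAPABILITY_IAM`; add further statements to the list, each scoped to the ARNs and condition keys the application actually needs, and the lint will reject the common shortcuts (`service:*`, unconditioned `*` resources) before they reach the account.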

For more information on permissions in AWS Panorama, see [AWS Panorama permissions](panorama-permissions.md).