Configuration for Assume Role for Systems Manager - AWS Systems Manager

Configuration for Assume Role for Systems Manager

Systems Manager Quick Setup requires a role that allows Systems Manager to securely perform actions in your account. This role grants Systems Manager the permissions needed to run commands on your instances and configure EC2 instances, IAM roles, and other Systems Manager resources on your behalf.

To create an assume role for Systems Manager Quick Setup:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy.

  3. On the JSON tab, paste the SsmOnboardingInlinePolicy document shown under Permissions Policies below, replacing [INSTANCE_PROFILE_ROLE_NAME] in both ARNs with the name of the role that the instance profile will carry, and name the policy SsmOnboardingInlinePolicy. (This policy enables the actions required to attach instance profile permissions to the instances you specify, for example creating instance profiles and associating them with EC2 instances.)

  4. When the policy has been created, in the navigation pane choose Roles, and then choose Create role.

  5. For Trusted entity type, keep the default (AWS service).

  6. Under Use case, choose Systems Manager, then choose Next.

  7. On the Add permissions page, select the SsmOnboardingInlinePolicy policy you created, and then choose Next.

  8. For Role name, enter a descriptive name (for example, AmazonSSMRoleForAutomationAssumeQuickSetup).

  9. (Optional) Add tags to help identify and organize the role.

  10. Choose Create role.

Important

The role must include a trust relationship with ssm.amazonaws.com. This is configured automatically when you choose AWS service as the trusted entity type and Systems Manager as the use case in step 6. Verify it on the role's Trust relationships tab before using the role.

After creating the role, you can select it when configuring Quick Setup. The role enables Systems Manager to manage EC2 instances, IAM roles, and other Systems Manager resources and run commands on your behalf, while limiting it to the specific permissions defined in the policy below.

Permissions Policies

SsmOnboardingInlinePolicy

The following policy defines the permissions for Systems Manager Quick Setup. Replace [INSTANCE_PROFILE_ROLE_NAME] with the name of the instance profile role before saving the policy; the iam:PassRole statement is intentionally limited to that single role and to the ec2.amazonaws.com service, and the ec2:AssociateIamInstanceProfile statement only applies to instances that do not already have an instance profile (the Null condition on ec2:InstanceProfile).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "ec2:DescribeIamInstanceProfileAssociations",
        "iam:GetInstanceProfile",
        "iam:AddRoleToInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateIamInstanceProfile"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "ec2:InstanceProfile": "true"
        },
        "ArnLike": {
          "ec2:NewInstanceProfile": "arn:aws:iam::*:instance-profile/[INSTANCE_PROFILE_ROLE_NAME]"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/[INSTANCE_PROFILE_ROLE_NAME]",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
Trust Relationship

This trust relationship is added automatically by the steps above. Only the Systems Manager service principal should appear in it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
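The following Python script is an added example and is not part of the AWS documentation. It renders the SsmOnboardingInlinePolicy and trust policy documents from the steps above with the [INSTANCE_PROFILE_ROLE_NAME] placeholder filled in, then checks the guard rails that make them least-privilege: iam:PassRole pinned to one role and to ec2.amazonaws.com, ec2:AssociateIamInstanceProfile unable to replace an existing profile, and a trust policy that names only ssm.amazonaws.com. The role name QuickSetupInstanceRole is a constructed example, and the script assumes the instance profile and the role it carries share that name, which is how the page uses the same placeholder in both ARNs.

```python
"""Render and sanity-check the Quick Setup onboarding policy and its trust policy.

Added example, not code from the AWS documentation. Assumes the instance profile
and its role share the name in ROLE_NAME (a constructed name); replace it with yours.
"""
import json
import re

ROLE_NAME = "QuickSetupInstanceRole"  # constructed example name


def onboarding_policy(role_name: str) -> dict:
    """Return the SsmOnboardingInlinePolicy document with the placeholder substituted."""
    if not re.fullmatch(r"[\w+=,.@-]{1,64}", role_name):  # IAM role-name character set
        raise ValueError(f"{role_name!r} is not a valid IAM role name")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreateInstanceProfile",
                    "iam:ListInstanceProfilesForRole",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "iam:GetInstanceProfile",
                    "iam:AddRoleToInstanceProfile",
                ],
                "Resource": "*",
            },
            {
                # Only instances with no profile yet, and only the named profile.
                "Effect": "Allow",
                "Action": ["ec2:AssociateIamInstanceProfile"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "Null": {"ec2:InstanceProfile": "true"},
                    "ArnLike": {"ec2:NewInstanceProfile": f"arn:aws:iam::*:instance-profile/{role_name}"},
                },
            },
            {
                # PassRole is the privilege-escalation primitive: pin it to one role and one service.
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": f"arn:aws:iam::*:role/{role_name}",
                "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
            },
        ],
    }


def trust_policy() -> dict:
    """Trust relationship that lets only the Systems Manager service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"}, "Action": "sts:AssumeRole"}
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_onboarding_policy(doc: dict, role_name: str) -> list:
    """Return findings for missing guard rails; an empty list means all are present."""
    findings = []
    for stmt in doc["Statement"]:
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        cond = stmt.get("Condition", {})
        if "iam:PassRole" in actions:
            if resources != [f"arn:aws:iam::*:role/{role_name}"]:
                findings.append("iam:PassRole is not scoped to the single instance profile role")
            if cond.get("StringEquals", {}).get("iam:PassedToService") != "ec2.amazonaws.com":
                findings.append("iam:PassRole is not restricted to ec2.amazonaws.com")
        if "ec2:AssociateIamInstanceProfile" in actions:
            if cond.get("Null", {}).get("ec2:InstanceProfile") != "true":
                findings.append("AssociateIamInstanceProfile may replace an existing instance profile")
            if not cond.get("ArnLike", {}).get("ec2:NewInstanceProfile", "").endswith(f":instance-profile/{role_name}"):
                findings.append("AssociateIamInstanceProfile is not pinned to the named instance profile")
    return findings


def check_trust_policy(doc: dict) -> list:
    """Return findings if anything other than ssm.amazonaws.com could assume the role."""
    findings = []
    for stmt in doc["Statement"]:
        principal = stmt.get("Principal", {})
        if set(principal) != {"Service"} or set(_as_list(principal.get("Service"))) != {"ssm.amazonaws.com"}:
            findings.append("trust policy names a principal other than ssm.amazonaws.com")
        if set(_as_list(stmt.get("Action"))) != {"sts:AssumeRole"}:
            findings.append("trust policy grants an action other than sts:AssumeRole")
    return findings


if __name__ == "__main__":
    policy = onboarding_policy(ROLE_NAME)
    print(json.dumps(policy, indent=2))  # paste this into the JSON tab in step 3
    print(json.dumps(trust_policy(), indent=2))
    print("findings:", check_onboarding_policy(policy, ROLE_NAME) + check_trust_policy(trust_policy()))
```

Run it once with your own role name to produce the two documents, and keep the checks in a pre-deploy step: a later edit that widens the iam:PassRole resource to "*" or drops the Null condition is exactly the kind of change that turns an onboarding helper into a path for attaching any role to any instance, and both are reported as findings.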