topic IAM policy to allow user access to add AWS configs in Open Q&A

IAM policy to allow user access to add AWS configs

andre_vdveen — Tue, 29 Jul 2025 06:05:08 GMT

Hi,

I'm trying to give a user very specific access to allow them to add AWS/Azure integration via Settings Classic -> Cloud and virtualization menu; they should not have access to the entire Settings menu, preferably.
This is what they currently see:

What would the policy need to contain to achieve this?
I've tried the below, but he still doesn't get access to AWS in the menu.

ALLOW settings:schemas:read;
ALLOW hyperscaler-authenticationauthenticate;
ALLOW settings:objects:write WHERE settings:schemaId = 'group:cloud-and-virtualization' AND settings:schemaId = 'builtin:cloud.aws';
ALLOW settings:objects:read WHERE settings:schemaId = 'group:cloud-and-virtualization' AND settings:schemaId = 'builtin:cloud.aws';

Re: IAM policy to allow user access to add AWS configs

Maheedhar_T — Thu, 24 Jul 2025 10:51:47 GMT

Hi @andre_vdveen ,
This requires environment level settings permission.
I think this would work in this case.

ALLOW environment:roles:manage-settings WHERE settings:schemaId = 'group:cloud-and-virtualization' AND settings:schemaId = 'builtin:cloud.aws';

Let me know if it works.
Regards,
@Maheedhar_T

Re: IAM policy to allow user access to add AWS configs

andre_vdveen — Thu, 24 Jul 2025 14:56:05 GMT

Hi @Maheedhar_T

Thanks for the suggestion, but unless I understand the documentation wrong, that role only works with condition

environment:management-zone

I've set it up using a Mgmt Zone that the user has access to, but it didn't work;even if I leave the WHERE clause out and just add

ALLOW environment:roles:manage-settings;

over and above what I originally added.

Re: IAM policy to allow user access to add AWS configs

andre_vdveen — Thu, 24 Jul 2025 19:25:33 GMT

I think herein lies the answer to my question and problem.

This means I have to assign the policy "Environment role - Change monitoring settings" to the user, which means they can change any setting, not just AWS.

Re: IAM policy to allow user access to add AWS configs

Kenny_Gillette — Thu, 24 Jul 2025 19:40:28 GMT

Agree 100%. I posted in Dec 2023 about this and other scenarios. Crazy that it is not fixed yet.

https://community.dynatrace.com/t5/Open-Q-A/Settings-1-0-2-0-and-some-settings-are-on-neither/td-p/231226

Re: IAM policy to allow user access to add AWS configs

Kenny_Gillette — Fri, 25 Jul 2025 13:02:09 GMT

Looking more at this, this is setting 1.0 so you should be able to provide write access to page (not read). I just tested write access to aws page and it worked.

Here is my IAM policy
ALLOW settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:cloud.aws");