IAM policy to allow user access to add AWS configs

andre_vdveen
DynaMight Leader

Hi,

I'm trying to give a user very specific access to allow them to add AWS/Azure integration via Settings Classic -> Cloud and virtualization menu; they should not have access to the entire Settings menu, preferably.
This is what they currently see:

[screenshot attachment: andre_vdveen_0-1753353335259.png]

What would the policy need to contain to achieve this?
I've tried the below, but he still doesn't get access to AWS in the menu.

ALLOW settings:schemas:read;
ALLOW hyperscaler-authentication:aws:authenticate;
ALLOW settings:objects:write WHERE settings:schemaId = 'group:cloud-and-virtualization' AND settings:schemaId = 'builtin:cloud.aws';
ALLOW settings:objects:read WHERE settings:schemaId = 'group:cloud-and-virtualization' AND settings:schemaId = 'builtin:cloud.aws';


Maheedhar_T
Mentor

Hi @andre_vdveen ,
This requires environment level settings permission.
I think this would work in this case.

ALLOW environment:roles:manage-settings WHERE settings:schemaId = 'group:cloud-and-virtualization' AND settings:schemaId = 'builtin:cloud.aws';


Let me know if it works.
Regards,
@Maheedhar_T 

Maheedhar

Hi @Maheedhar_T 

Thanks for the suggestion, but unless I misunderstand the documentation, that role only works with the condition

environment:management-zone

I've set it up using a Mgmt Zone that the user has access to, but it didn't work; even if I leave the WHERE clause out and just add

ALLOW environment:roles:manage-settings;

over and above what I originally added.

andre_vdveen
DynaMight Leader

I think herein lies the answer to my question and problem.

[screenshot attachment: andre_vdveen_0-1753384975502.png]

This means I have to assign the policy "Environment role - Change monitoring settings" to the user, which means they can change any setting, not just AWS.

Kenny_Gillette
DynaMight Leader

Agree 100%. I posted in Dec 2023 about this and other scenarios. Crazy that it is not fixed yet.

https://community.dynatrace.com/t5/Open-Q-A/Settings-1-0-2-0-and-some-settings-are-on-neither/td-p/2...

Dynatrace Certified Professional

Kenny_Gillette
DynaMight Leader

Looking more at this, this is a Settings 1.0 page, so you should be able to provide write access to the page (not read). I just tested write access to the AWS page and it worked.

Here is my IAM policy:
ALLOW settings:objects:write, settings:schemas:read WHERE settings:schemaId IN ("builtin:cloud.aws");

Dynatrace Certified Professional
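A small check for the WHERE clauses in this thread, added here as an illustration and not code from Dynatrace or from any poster: it models the clause as ANDed attribute tests (a simplified, hypothetical reading of the policy syntax, not Dynatrace's evaluator) and shows why the original statement could never match: both equalities constrain the same settings:schemaId attribute, so their AND is unsatisfiable, whereas the IN form from the last reply does match. The sample request is constructed.

```python
import re

# Hypothetical, simplified reading of the WHERE clause grammar seen in this thread:
# terms of the form  attr = 'value'  or  attr IN ("v1", "v2")  joined by AND.
# This is an added illustration, not Dynatrace's policy engine.
TERM = re.compile(r"""(\S+)\s*(=|IN)\s*('[^']*'|"[^"]*"|\([^)]*\))""", re.IGNORECASE)


def parse_condition(where):
    """Turn a WHERE clause into a list of (attribute, allowed values) terms that are ANDed."""
    terms = []
    for part in re.split(r"\s+AND\s+", where.strip().rstrip(";"), flags=re.IGNORECASE):
        match = TERM.fullmatch(part.strip())
        if match is None:
            raise ValueError(f"unsupported term: {part!r}")
        attr, op, rhs = match.groups()
        if op.upper() == "IN":
            values = {v.strip().strip("\"'") for v in rhs.strip("()").split(",")}
        else:
            values = {rhs.strip("\"'")}
        terms.append((attr, values))
    return terms


def satisfiable(terms):
    """ANDed tests on the same attribute can only match if their value sets overlap."""
    allowed = {}
    for attr, values in terms:
        allowed[attr] = allowed.get(attr, values) & values
    return all(allowed.values())


def matches(terms, request):
    """Evaluate the terms against the attributes of one settings request."""
    return all(request.get(attr) in values for attr, values in terms)


# Constructed sample request: a user writing the AWS cloud settings object.
AWS_WRITE_REQUEST = {"settings:schemaId": "builtin:cloud.aws"}

# The condition from the question and the one from the working reply.
ORIGINAL_WHERE = ("settings:schemaId = 'group:cloud-and-virtualization' "
                  "AND settings:schemaId = 'builtin:cloud.aws'")
WORKING_WHERE = 'settings:schemaId IN ("builtin:cloud.aws")'

if __name__ == "__main__":
    for label, where in (("original", ORIGINAL_WHERE), ("working", WORKING_WHERE)):
        terms = parse_condition(where)
        print(label, "satisfiable:", satisfiable(terms),
              "matches AWS write:", matches(terms, AWS_WRITE_REQUEST))
```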
