---
title: "Configuring IAM Roles in AWS"
slug: "configuring-iam-roles"
updated: 2026-06-15T11:15:18Z
published: 2026-06-15T11:15:18Z
canonical: "docs.britive.com/configuring-iam-roles"
---

# Configuring IAM Roles in AWS

Britive needs the following access permissions in the AWS IAM role to connect to AWS successfully:

- IAM ReadOnly Access
- AWSOrganization ReadOnly Access

Note:

Only read-only access is needed here because Britive uses the role mainly for scanning; the role does not require write access.

### Creating an IAM Role in AWS

Perform the following steps to create an IAM role in an AWS account:

1. Log in to the AWS console with administrator privileges.
2. Open the IAM console.
3. Select **IAM > Access management -> Roles**.
4. Click **Create role**.
5. Enter the following on the **Create role** page:
  1. Select **SAML 2.0 federation**.
  2. Select the identity provider in the **SAML 2.0-based provider** field, added as explained in the section [Configuring Britive Identity Provider in AWS](https://docs.britive.com/docs/configuring-identity-provider).
  3. Select **Allow programmatic access only**.
  4. Enter the following for the **Attribute** and **Value** fields:
    - **Attribute**: **SAML:aud**
    - **Value**: [https://signin.aws.amazon.com/saml](https://signin.aws.amazon.com/saml)
  5. Click **Next**.
  6. Enter the following on the **Add Permissions** page:
    1. Search for **IAMReadOnlyAccess** in **Filter policies**.
    2. Select **IAMReadOnlyAccess**.
    3. Search for **AWSOrganizationsReadOnlyAccess** in **Filter policies**.
    4. Select **AWSOrganizationsReadOnlyAccess**.
    5. Click **Next**.
  7. For **session invalidation** (optional), see [Configuring Session Invalidation](/v1/docs/configuring-for-session-invalidation).
  8. **(Optional) For Britive-managed roles support:** If an application needs to support the creation of Britive-managed roles through Access Builder, each Integration Role in the AWS environment must be updated with the following inline policy. Note that the resource is scoped to the `britive/managed/` role path only; the role gains no IAM write permissions outside that path:

Inline policy

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DetachRolePolicy",
                "iam:UntagRole",
                "iam:DeleteRolePolicy",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:UpdateRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::<account_id>:role/britive/managed/*"
        }
    ]
}
```
  9. Scan AI Identities (Optional): To enable scanning of AI identities, attach the **AmazonBedrockReadOnly** AWS managed policy.
  10. Enter the following values on the **Name, Review and create** page:
    1. Enter a **Role name** (64-character limit) that can include alphanumeric characters and special characters such as @ or *.
    2. Enter a **Role description** (optional).
    3. Add the following actions in the trust relationship as shown in the example below. The `SAML:aud` condition restricts the role to assertions issued for the AWS sign-in endpoint, and the `Federated` principal restricts it to the Britive identity provider:

Trust relationship

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
            "Federated": "arn:aws:iam::<account>:saml-provider/Britive"
         },
         "Action": [
            "sts:AssumeRoleWithSAML",
            "sts:SetSourceIdentity"
         ],
         "Condition": {
            "StringEquals": {
               "SAML:aud": "https://signin.aws.amazon.com/saml"
            }
         }
      }
   ]
}
```
    4. Click **Create role**. A message is displayed confirming that the role was created.
6. You can select the newly created IAM role from the role list for the AWS account and view the role details on the **Summary** page. Note that the **maximum session duration** value displayed on the **Summary** page is used when configuring the role properties within the Britive tenant.
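Before relying on the role, it is worth checking that the trust relationship and the optional inline policy are no wider than the procedure above describes. The following is an added example, not Britive's or AWS's code; it validates policy documents offline (for example, exported with `aws iam get-role`) and assumes the account id `123456789012` and the provider name `Britive` as placeholders.

```python
SAML_AUD = "https://signin.aws.amazon.com/saml"
REQUIRED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"}
MANAGED_ROLE_PREFIX = "role/britive/managed/"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def check_trust_policy(doc, account_id, provider="Britive"):
    """Return findings (empty list = OK) for a Britive SAML trust policy: one Allow
    statement, a single Federated principal for the Britive provider, exactly the
    two sts actions, and the SAML:aud condition pinned to the AWS sign-in endpoint."""
    findings = []
    expected = f"arn:aws:iam::{account_id}:saml-provider/{provider}"
    allow = [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        return [f"expected exactly one Allow statement, found {len(allow)}"]
    stmt = allow[0]
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict) or set(principal) != {"Federated"}:
        findings.append("principal must be a single Federated SAML provider")
    elif _as_list(principal["Federated"]) != [expected]:
        findings.append(f"unexpected federated principal {principal['Federated']}")
    if set(_as_list(stmt.get("Action"))) != REQUIRED_ACTIONS:
        findings.append(f"actions must be exactly {sorted(REQUIRED_ACTIONS)}")
    aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
    if aud != SAML_AUD:
        findings.append("missing or wrong StringEquals SAML:aud condition")
    return findings


def check_managed_role_scope(doc, account_id):
    """Findings for the optional Access Builder inline policy: every Allow statement
    must be limited to roles under the britive/managed/ path of this account."""
    prefix = f"arn:aws:iam::{account_id}:{MANAGED_ROLE_PREFIX}"
    return [f"resource {r} is outside {prefix}*"
            for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"
            for r in _as_list(s.get("Resource")) if not r.startswith(prefix)]


# Constructed sample matching the trust relationship above (placeholder account id).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/Britive"},
    "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"],
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}}}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY, "123456789012") or "trust policy OK")
```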

Now that you have completed the onboarding prerequisites, you can choose to onboard AWS applications or AWS standalone applications per your requirement and proceed with the onboarding process.

For more information about creating a role in AWS, see [Creating a role for SAML 2.0 federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html).

See also:

- [Onboarding an AWS Application](/v1/docs/onboarding-an-aws-application)
- [Onboarding an AWS Standalone Application](/v1/docs/onboarding-a-standalone-aws-application)
