# 4.1-Creating the IAM Role

The first "service console" we'll open is the **IAM console** (**IAM** is in the ***Security, Identity, & Compliance*** section), which is *region-agnostic*.

You'll find the "**Roles**" option in the menu on the left:

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LisDVnboAw9hRvLVL5y%2F-LisRz-yfkFjeRC4Qnei%2Fimage.png?alt=media\&token=52daa7b2-cec8-4493-b5e9-ef21c04bc0ab)

**Choose this link**, then use the big blue "**Create Role**" button at the top, and you'll have a 4-step process to follow...

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LisDVnboAw9hRvLVL5y%2F-LisSnv84ZeZ09suVAOq%2Fimage.png?alt=media\&token=efbf9707-dc38-4de2-8205-006527855bd9)

Click:

* the "**AWS service**" block under ***Select Type of trusted entity***
* the "**EC2**" block under ***Choose the service that will use this role***

Then click the big blue "**Next: Permissions**" button at the bottom (to step 2)...

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LislZXUIiBKJXRAayb4%2F-Lisz25_uvEBXOMXd7zI%2Fimage.png?alt=media\&token=25d721e2-b843-441f-ab93-dd5ae6a9f9e4)

*I already had some policies and roles defined in this account, which is why I had to blur specifics*

Use the **search filter box** above the **list of permission policies** to locate and **put a** :white\_check\_mark: **check mark** on these 2 AWS-managed policies:

* **AmazonEC2FullAccess** (search for "ec2fu")

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LisDVnboAw9hRvLVL5y%2F-LisVEf88v5CzGGJHIsD%2Fimage.png?alt=media\&token=c07a6e78-fb78-46bb-8761-89e93a21a238)

* **AmazonS3FullAccess** (search for "s3fu")

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LisDVnboAw9hRvLVL5y%2F-LisVub5INERjfvSNtAW%2Fimage.png?alt=media\&token=7c11cf88-5166-473d-ab78-c76691a99ce7)

Then click the blue "**Next: Tags**" button at the bottom (to step 3)...

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LisDVnboAw9hRvLVL5y%2F-LisWn5xlUMO2E4SF01X%2Fimage.png?alt=media\&token=f7b022a2-e0a3-48a3-b413-4bd34f681fdd)

We don't need tagging, so just click the blue "**Next: Review**" button at the bottom (to step 4)...

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LisDVnboAw9hRvLVL5y%2F-LisXMLSe-rEmr2wNcto%2Fimage.png?alt=media\&token=62ac844c-dc12-4baf-8777-7ba3a09fc369)

**Give a name** to your new role (I suggest **`"configuration name"-ec2role`** as shown above) and verify you have correctly included the **2 policies**.

{% hint style="success" %}
Then hit the blue "**Create Role**" button and you're done.
{% endhint %}

![Your shiny new IAM Role](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LisDVnboAw9hRvLVL5y%2F-Lisb72U_J1cOa7eu06_%2Fimage.png?alt=media\&token=6499308b-38cb-49a5-b7a5-f72a10dd3e81)
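The same four console steps done from the AWS CLI, as an added example that is not part of the original page: the trust policy is the document the console generates when you pick **AWS service** / **EC2** in step 1, and the two policy ARNs are the ones you checked in step 2. The role name `myconfig-ec2role` is a placeholder following the naming suggestion above, and the script assumes the AWS CLI is installed and configured with permissions to create IAM roles.

```shell
#!/bin/sh
# Added example (not the page's own code): create the role from the AWS CLI.
# ROLE_NAME is a placeholder following the "<configuration name>-ec2role" idea.
set -eu

ROLE_NAME="${ROLE_NAME:-myconfig-ec2role}"

# Step 1: trust policy. Choosing "AWS service / EC2" in the console produces
# exactly this: only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Step 2: the two AWS-managed full-access policies checked on the page.
managed_policy_arns() {
  printf '%s\n' \
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess" \
    "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

create_role() {
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" \
    --description "Role for the OpenVPN EC2 instance"

  managed_policy_arns | while read -r arn; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  done

  # The console silently creates an instance profile of the same name when
  # EC2 is the trusted entity; the CLI does not, and it is the instance
  # profile (not the role) that gets attached to an EC2 instance later.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Step 4 equivalent: confirm who may assume the role and which policies are on it.
verify_role() {
  aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.Service' \
    --output text
  aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
    --query 'AttachedPolicies[].PolicyArn' --output text
}

case "${1:-}" in
  create) create_role && verify_role ;;
  verify) verify_role ;;
  *) echo "usage: $0 create|verify" ;;
esac
```

Run it as `ROLE_NAME=myconfig-ec2role ./create-role.sh create`; `verify` alone prints `ec2.amazonaws.com` and the two `FullAccess` ARNs, which is the same check the review step asks you to do by eye.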

{% hint style="info" %}
You have just created an **IAM Role**, that you'll **assign to your OpenVPN server** later on, so that it can **access the EC2 and S3 services on your behalf at startup, without restriction**.
{% endhint %}

Your server will need that to:

* auto-configure itself during startup (setting network options in the EC2 service)
* download configuration parameters and scripts from S3
* do both without any password or access key stored on the instance (=> :thumbsup: **safe parameter files and scripts** :thumbsup: )

***Note:** This IAM Role could have been defined with restricted, custom-specified permissions, both in EC2 and S3, rather than "Full Access", but that would be too complex to explain here. Keep in mind that the role's credentials are handed to the instance through its metadata service, so any process running on the server (including one an attacker manages to start) gets the same unrestricted EC2 and S3 access. On the other hand, if you connect to your server in an interactive terminal, you'll be happy to have access to the full EC2 and S3 APIs from there without restriction and without needing an access key or password.*
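As an added illustration of the restricted alternative the note above mentions (this is not the page's own code), here is one inline policy scoped to the two things the server is said to need at startup, plus the CLI calls that swap it in for the two FullAccess policies. The bucket name `my-openvpn-config-bucket` and the four EC2 actions are assumptions: read your own startup script and list exactly the calls it makes.

```shell
#!/bin/sh
# Added example (not the page's own code): replace the two FullAccess policies
# with one inline policy limited to reading config from one S3 bucket and
# adjusting the instance's network settings. CONFIG_BUCKET and the EC2 action
# list are placeholders/assumptions - take the real list from your startup script.
set -eu

ROLE_NAME="${ROLE_NAME:-myconfig-ec2role}"
CONFIG_BUCKET="${CONFIG_BUCKET:-my-openvpn-config-bucket}"

scoped_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadConfigObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${CONFIG_BUCKET}/*"
    },
    {
      "Sid": "ListConfigBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${CONFIG_BUCKET}"
    },
    {
      "Sid": "StartupNetworkSettings",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeAddresses",
        "ec2:ModifyInstanceAttribute",
        "ec2:AssociateAddress"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Guard: succeed only if no statement grants "*" or "<service>:*" as an Action,
# i.e. the policy has not drifted back to full access.
has_no_wildcard_actions() {
  ! scoped_policy | grep -Eq '"[a-z0-9]+:\*"|"Action": *"\*"'
}

apply_scoped_policy() {
  has_no_wildcard_actions || { echo "refusing: wildcard action in policy" >&2; return 1; }
  aws iam detach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
  aws iam detach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name openvpn-startup-scoped \
    --policy-document "$(scoped_policy)"
}

case "${1:-}" in
  show) scoped_policy ;;
  apply) apply_scoped_policy ;;
  *) echo "usage: $0 show|apply" ;;
esac
```

`show` prints the document so you can review it before `apply` swaps it in. EC2 `Describe*` calls do not support resource-level permissions, which is why that statement keeps `"Resource": "*"`; the two modifying actions could be narrowed further to the instance's own ARN once you know it. With this policy an interactive session on the server no longer has free run of EC2 and S3, which is the trade-off the note above describes.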
