

# Amazon WorkSpaces Console operations permissions reference
<a name="wsp-console-permissions-ref"></a>

Some Amazon WorkSpaces API operations can be called only through the AWS Management Console. They are not public APIs: they cannot be called programmatically, and no SDK provides them. These API operations include:
+ workspaces:DirectoryAccessManagement
+ workspaces:CreateRootClientCertificate
+ workspaces:UpdateRootClientCertificate
+ workspaces:DeleteRootClientCertificate
+ workspaces:DescribeConsent
+ workspaces:UpdateConsent
+ workspaces:InvokeTroubleshootingInvestigation
+ workspaces:GetTroubleshootingRecommendation
+ workspaces:ListTroubleshootingRecommendations

## WorkSpaces Console operations and required permissions for actions
<a name="wsp-console-operations"></a>

The console uses additional API actions for its features, so permissions for the WorkSpaces public APIs alone may not be sufficient. For example, a user who has permission to use the [CreateWorkspaces](https://docs.aws.amazon.com/workspaces/latest/api/API_CreateWorkspaces.html) API through the CLI or an SDK may encounter errors when trying to create a WorkSpace in the console, because they are missing the permissions needed to select or create users. The table below lists the features that are only available on the WorkSpaces Console and the additional permissions required for users to work with these specific parts of the console.

The [Example policies](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html#workspaces-example-iam-policies) section provides the list of permissions to perform all WorkSpaces tasks for Personal, Pools and BYOL WorkSpaces. 

Alternatively, you can follow least privilege and grant only the granular permissions needed to perform a task.

The following table lists the WorkSpaces Console features that rely on APIs not provided by the SDK, and the permissions required for users to work with these specific parts of the console. Add these permissions in addition to the other actions required for the APIs that the SDK provides.


| WorkSpaces Console operations | Required permissions | 
| --- | --- | 
| [WorkSpaces Personal Quick Setup](https://docs.aws.amazon.com/workspaces/latest/adminguide/managing-wsp-personal.html#getting-started) | workspaces:DirectoryAccessManagement<br />ds:\*<br />ec2:CreateVpc<br />ec2:CreateSubnet<br />ec2:CreateNetworkInterface<br />ec2:CreateInternetGateway<br />ec2:CreateRouteTable<br />ec2:CreateRoute<br />ec2:CreateTags<br />ec2:CreateSecurityGroup<br />ec2:DescribeInternetGateways<br />ec2:DescribeSecurityGroups<br />ec2:DescribeRouteTables<br />ec2:DescribeVpcs<br />ec2:DescribeSubnets<br />ec2:DescribeNetworkInterfaces<br />ec2:DescribeAvailabilityZones<br />ec2:AttachInternetGateway<br />ec2:AssociateRouteTable<br />ec2:AuthorizeSecurityGroupIngress<br />ec2:AuthorizeSecurityGroupEgress<br />iam:CreateRole<br />iam:GetRole<br />iam:PutRolePolicy<br />workspaces:DescribeAccount<br />workspaces:DescribeWorkspaceDirectories<br />workspaces:CreateWorkspaces<br />workspaces:DescribeWorkspaces<br />workspaces:RegisterWorkspaceDirectory<br />workspaces:DescribeWorkspaceBundles | 
| [Restrict access to Trusted Devices for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html#configure-restriction) | workspaces:CreateRootClientCertificate<br />workspaces:UpdateRootClientCertificate<br />workspaces:DeleteRootClientCertificate<br />ds:DescribeDirectories<br />ec2:DescribeSubnets<br />ec2:DescribeSecurityGroups<br />workspaces:DescribeAccount<br />workspaces:DescribeWorkspaceDirectories<br />workspaces:DescribeTags<br />workspaces:DescribeClientProperties<br />workspaces:DescribeConnectClientAddins<br />workspaces:DirectoryAccessManagement | 
| [Creating a WorkSpace in WorkSpaces Personal on the Console](https://docs.aws.amazon.com/workspaces/latest/adminguide/create-workspaces-personal.html) – To create/search/describe Directory Service directory users | workspaces:DirectoryAccessManagement<br />workspaces:DescribeAccount<br />workspaces:CreateWorkspaces<br />workspaces:DescribeWorkspaces<br />workspaces:DescribeWorkspaceDirectories<br />workspaces:DescribeWorkspaceBundles<br />workspaces:DescribeTags<br />workspaces:CreateTags<br />workspaces:DescribeClientProperties<br />kms:ListKeys<br />kms:ListAliases<br />kms:DescribeKey<br />ds:DescribeTrusts<br />ds:DescribeDirectories<br />ec2:DescribeSubnets<br />ec2:DescribeSecurityGroups | 
| [Manage users in WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-users.html) – To edit users and send user invitation email | workspaces:DirectoryAccessManagement<br />workspaces:DescribeAccount<br />workspaces:DescribeWorkspaceDirectories<br />workspaces:DescribeWorkspaces<br />workspaces:DescribeTags<br />workspaces:DescribeWorkspaceBundles<br />workspaces:DescribeWorkspacesConnectionStatus<br />workspaces:DescribeWorkspaceAssociations<br />workspaces:DescribeWorkspaceSnapshots<br />workspaces:DescribeWorkspaceImages<br />workspaces:DescribeConnectionAliases | 
| [Update the AD Connector account (AD Connector) for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/connect-account.html) | workspaces:DirectoryAccessManagement<br />ds:DescribeDirectories<br />ds:UpdateDirectory<br />ec2:DescribeSubnets<br />ec2:DescribeSecurityGroups<br />workspaces:DescribeAccount<br />workspaces:DescribeWorkspaceDirectories<br />workspaces:DescribeTags<br />workspaces:DescribeClientProperties<br />workspaces:DescribeConnectClientAddins | 
| [Select an organizational unit for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/select-ou.html) | workspaces:DirectoryAccessManagement<br />ds:DescribeDirectories<br />ec2:DescribeSubnets<br />ec2:DescribeSecurityGroups<br />workspaces:DescribeAccount<br />workspaces:DescribeWorkspaceDirectories<br />workspaces:DescribeTags<br />workspaces:DescribeClientProperties<br />workspaces:DescribeConnectClientAddins<br />workspaces:ModifyWorkspaceCreationProperties | 
| [Enable your account for BYOL](https://docs.aws.amazon.com/workspaces/latest/adminguide/byol-windows-images.html) – To confirm understanding of the requirements to use BYOL WorkSpaces | workspaces:DescribeConsent<br />workspaces:UpdateConsent<br />workspaces:DescribeAccount<br />workspaces:ListAccountLinks<br />workspaces:DescribeWorkspaceBundles<br />workspaces:DescribeWorkspaceImages<br />workspaces:DescribeWorkspaceDirectories | 
| [Amazon WorkSpaces Advisor](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-advisor.html) | workspaces:InvokeTroubleshootingInvestigation<br />workspaces:GetTroubleshootingRecommendation<br />workspaces:ListTroubleshootingRecommendations | 
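
The following Python check is an added example, not AWS code or part of the original reference. It reports which of the actions listed above for "Restrict access to Trusted Devices for WorkSpaces Personal" an identity policy fails to grant, which is how a role that works through the CLI or SDK can still fail in the console. The names `missing_actions`, `TRUSTED_DEVICES` and `SAMPLE_POLICY` are hypothetical, the sample policy is constructed, and the check assumes a single identity policy: it evaluates only `Effect` and `Action` (with wildcards) and ignores `Resource`, `Condition`, `NotAction`, permissions boundaries and SCPs.

```python
import fnmatch

# Required actions copied from the "Restrict access to Trusted Devices" row on this page.
TRUSTED_DEVICES = [
    "workspaces:CreateRootClientCertificate",
    "workspaces:UpdateRootClientCertificate",
    "workspaces:DeleteRootClientCertificate",
    "ds:DescribeDirectories",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
    "workspaces:DescribeAccount",
    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeTags",
    "workspaces:DescribeClientProperties",
    "workspaces:DescribeConnectClientAddins",
    "workspaces:DirectoryAccessManagement",
]

def _patterns(policy, effect):
    """Collect lower-cased Action patterns from statements with the given Effect."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts   # Statement may be one object
    out = []
    for s in stmts:
        if s.get("Effect") == effect:
            actions = s.get("Action", [])                    # Action may be a string or a list
            out.extend(a.lower() for a in ([actions] if isinstance(actions, str) else actions))
    return out

def missing_actions(policy, required):
    """Return required actions that no Allow covers or that an explicit Deny matches."""
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    def hit(action, pats):
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in pats)
    return [a for a in required if hit(a, deny) or not hit(a, allow)]

# Constructed sample: read-only style policy that lacks the console-only actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["workspaces:Describe*", "ds:DescribeDirectories"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY, TRUSTED_DEVICES):
        print("missing:", action)
```

An empty result means every listed action is matched by an Allow and by no Deny in that one policy; it does not prove the console operation will succeed, since the ignored policy elements can still block it.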