# Least privileged deployment IAM role

The least privileged deployment role scopes the required permissions to deploy, manage and delete Code Ocean AWS CloudFormation stack. We publish the role as an AWS CloudFormation template as well, side by side with Code Ocean's latest release template. [Follow this link](https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=codeocean-least-privileged-role\&templateURL=https://codeocean-vpc.s3.amazonaws.com/templates/v2.16.3/codeocean-least-privileged-role.yaml) to deploy the role's CloudFormation stack.

{% hint style="info" %}
To avoid upgrades failures, we recommend to update the role stack prior to each upgrade
{% endhint %}

### Template URL

If you wish to create the role manually, the role's AWS CloudFormation template is publicly available here: <https://codeocean-vpc.s3.amazonaws.com/templates/v2.16.3/codeocean-least-privileged-role.template.yaml>