DEV Community

SHAJAM

Posted on • Originally published at repost.aws

What's special about AWS Service-Linked IAM Roles

A service-linked role is a special type of IAM role that is directly associated with an AWS service. These roles are predefined by the service and include all the permissions the service needs to call other AWS services on your behalf. Many services require one before they can be used at all.
Service-linked roles make a service easier to configure because you do not have to work out and assign the permissions it needs to act on your behalf.

These predefined roles define the permissions an AWS service needs in order to function. They are created only when you start using the service: some services create them automatically on first use, others require you to create them explicitly. You can view but not edit the permission policy or the trust policy of these roles; the only editable attribute is the role description, and only for some services. You also cannot delete a service-linked role until you have removed the resources that still depend on it.

For example, when you use Amazon ECS (Elastic Container Service), a service-linked role is created with an ARN like arn:aws:iam::{AWS::AccountID}:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS. The /aws-service-role/<service-principal>/ path is what marks a role as service-linked, and its trust policy allows only that service principal (here ecs.amazonaws.com) to assume it.

Note that service-linked roles are not the same as service roles. A service role is an IAM role that you create and manage yourself and that a service assumes to act on a specific resource. For example, each Lambda function has its own execution role, a service role whose permissions you define for that function. A service-linked role, on the other hand, is defined by AWS, has a fixed permission policy, and can be assumed only by the linked service itself.
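As an added illustration (not code from the original post), the following Python script shows how to tell the two kinds of role apart from the metadata the IAM GetRole API returns: a service-linked role lives under the reserved /aws-service-role/<service-principal>/ path and trusts exactly that service principal, while a service role is one you created under any other path whose trust policy names a service principal. The role documents below are constructed for this example; the account IDs and role names are placeholders.

```python
import json

# Constructed sample role documents, shaped like the "Role" object that
# `aws iam get-role` returns, trimmed to the fields used here.
# 123456789012 and 210987654321 are placeholder account IDs.
ACCOUNT_ID = "123456789012"
SLR_PATH_PREFIX = "/aws-service-role/"   # path IAM reserves for service-linked roles


def trust_statement(principal):
    """Build a minimal sts:AssumeRole trust statement for the sample roles."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": principal,
                           "Action": "sts:AssumeRole"}]}


SAMPLE_ROLES = [
    {   # Service-linked role: reserved path + trust policy naming the same service
        "RoleName": "AWSServiceRoleForECS",
        "Path": "/aws-service-role/ecs.amazonaws.com/",
        "Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
        "AssumeRolePolicyDocument": trust_statement({"Service": "ecs.amazonaws.com"}),
    },
    {   # Service role: a Lambda execution role the account owner created
        "RoleName": "order-processor-lambda-role",
        "Path": "/",
        "Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/order-processor-lambda-role",
        "AssumeRolePolicyDocument": trust_statement({"Service": "lambda.amazonaws.com"}),
    },
    {   # Neither: a role assumed by principals from another (placeholder) account
        "RoleName": "ReadOnlyAuditor",
        "Path": "/",
        "Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/ReadOnlyAuditor",
        "AssumeRolePolicyDocument": trust_statement({"AWS": "arn:aws:iam::210987654321:root"}),
    },
]


def service_principals(trust_policy):
    """Return the set of service principals allowed to call sts:AssumeRole."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):      # "*" or a bare string is never a service
            continue
        services = principal.get("Service", [])
        found.update([services] if isinstance(services, str) else services)
    return found


def classify_role(role):
    """Classify a GetRole-style document as 'service-linked', 'service' or 'other'."""
    path = role.get("Path", "/")
    services = service_principals(role.get("AssumeRolePolicyDocument", {}))
    if path.startswith(SLR_PATH_PREFIX):
        # IAM names the linked service in the path; the trust policy must match it.
        linked = path[len(SLR_PATH_PREFIX):].rstrip("/")
        return "service-linked" if linked in services else "other"
    if services:
        return "service"        # you created it; a service assumes it on your behalf
    return "other"              # human, federated or cross-account principals only


def expected_slr_arn(account_id, service_principal, role_name):
    """ARN a service-linked role is given in the named account (assumed format from the post)."""
    return f"arn:aws:iam::{account_id}:role/aws-service-role/{service_principal}/{role_name}"


def audit(roles):
    """Map each role name to its classification."""
    return {r["RoleName"]: classify_role(r) for r in roles}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLES), indent=2))
```

To run this against a real account, replace SAMPLE_ROLES with the "Roles" list from `aws iam list-roles`, whose entries carry the same Path and AssumeRolePolicyDocument fields; the path test is the reliable signal, since service-linked role names do not all follow the AWSServiceRoleFor... convention.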

Also, not all services use service-linked roles. The AWS IAM documentation's list of services that work with IAM shows, per service, whether it supports a service-linked role.

Other important characteristics of service-linked roles are that

  • they are not affected by service control policies (SCPs)
  • they are not affected by resource control policies (RCPs)

This cuts both ways for a security engineer. An SCP or RCP cannot be used to restrict what a service does through its service-linked role, so the controls that remain are the fixed trust policy (only the linked service can assume the role), the AWS-managed permission policy, and which principals in your account are allowed the iam:CreateServiceLinkedRole and iam:DeleteServiceLinkedRole actions.

How can you create a service-linked role

You can create a service-linked role from the AWS console, the API or the CLI, and some services create it automatically the first time you use them. From the console, go to IAM, choose Roles, choose Create role, select the service, and the wizard shows whether that service needs or supports a service-linked role. With the API or CLI you call CreateServiceLinkedRole with the service principal (for example ecs.amazonaws.com); the caller needs the iam:CreateServiceLinkedRole permission. Refer to the screenshot below.
