AWS::IAM::ServiceLinkedRole - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::IAM::ServiceLinkedRole

Creates an IAM role that is linked to a specific Amazon service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your Amazon resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. For more information, see Using service-linked roles in the IAM User Guide.

To attach a policy to this service-linked role, you must make the request using the Amazon service that depends on this role.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::IAM::ServiceLinkedRole", "Properties" : { "AWSServiceName" : String, "CustomSuffix" : String, "Description" : String } }

YAML

Type: AWS::IAM::ServiceLinkedRole Properties: AWSServiceName: String CustomSuffix: String Description: String

Properties

AWSServiceName

The service principal for the Amazon service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com.

Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see Amazon services that work with IAM in the IAM User Guide. Look for the services that have Yes in the Service-Linked Role column. Choose the Yes link to view the service-linked role documentation for that service.

Required: No

Type: String

Pattern: [\w+=,.@-]+

Minimum: 1

Maximum: 128

Update requires: Replacement

CustomSuffix

A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For example, you could add -1 or -debug to the suffix.

Some services do not support the CustomSuffix parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.

Required: No

Type: String

Pattern: [\w+=,.@-]+

Minimum: 1

Maximum: 64

Update requires: Replacement

Description

The description of the role.

Required: No

Type: String

Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*

Maximum: 1000

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the RoleName created for the service-linked role. The CustomSuffix is appended to the service-provided prefix with an underscore followed by the CustomSuffix to form the complete role name. For example, AWSServiceRoleForAutoScaling or AWSServiceRoleForAutoScaling_TestSuffix if a CustomSuffix is specified.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

RoleName

Returns the friendly name that identifies the role. For example, AWSServiceRoleForAutoScaling or AWSServiceRoleForAutoScaling_TestSuffix if a CustomSuffix is specified.

Examples

IAM Service-Linked Role for Auto Scaling

The following example creates a service-linked role that can be assumed by the Auto Scaling service.

JSON

{ "Description": "SLR resource create test - Auto Scaling", "Resources": { "BasicSLR": { "Type": "AWS::IAM::ServiceLinkedRole", "Properties": { "AWSServiceName": "autoscaling.amazonaws.com", "Description": "Test SLR description", "CustomSuffix": "TestSuffix" } } }, "Outputs": { "SLRId": { "Value": { "Ref": "BasicSLR" } } } }

YAML

Description: SLR resource create test - Auto Scaling Resources: BasicSLR: Type: 'AWS::IAM::ServiceLinkedRole' Properties: AWSServiceName: autoscaling.amazonaws.com Description: Test SLR description CustomSuffix: TestSuffix Outputs: SLRId: Value: !Ref BasicSLR

See also