Service-linked roles for Application Auto Scaling - Application Auto Scaling
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Service-linked roles for Application Auto Scaling

Application Auto Scaling uses service-linked roles for the permissions that it requires to call other Amazon services on your behalf. A service-linked role is a unique type of Amazon Identity and Access Management (IAM) role that is linked directly to an Amazon service. Service-linked roles provide a secure way to delegate permissions to Amazon services because only the linked service can assume a service-linked role.

For services that integrate with Application Auto Scaling, Application Auto Scaling creates service-linked roles for you. There is one service-linked role for each service. Each service-linked role trusts the specified service principal to assume it. For more information, see Service-linked role ARN reference.

Application Auto Scaling includes all of the necessary permissions for each service-linked role. These managed permissions are created and managed by Application Auto Scaling, and they define the allowed actions for each resource type. For details about the permissions that each role grants, see Amazon managed policies for Application Auto Scaling.

Permissions required to create a service-linked role

Application Auto Scaling requires permissions to create a service-linked role the first time any user in your Amazon Web Services account calls RegisterScalableTarget for a given service. Application Auto Scaling creates a service-linked role for the target service in your account, if the role does not exist already. The service-linked role grants permissions to Application Auto Scaling so that it can call the target service on your behalf.

For automatic role creation to succeed, users must have permission for the iam:CreateServiceLinkedRole action.

"Action": "iam:CreateServiceLinkedRole"

The following is an identity-based policy that grants permission to create a service-linked role for Spot Fleet. You can specify the service-linked role in the policy's Resource field as an ARN, and the service principal for your service-linked role as a condition, as shown. For the ARN for each service, see Service-linked role ARN reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": ""
                }
            }
        }
    ]
}

The iam:AWSServiceName IAM condition key specifies the service principal to which the role is attached, as indicated in this example policy. Do not try to guess the service principal. To view the service principal for a service, see Amazon Web Services that you can use with Application Auto Scaling.
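The following is an added example, not code from the Application Auto Scaling documentation. It is a small evaluator for the policy shape shown above, used to check which service-linked roles a given identity-based policy lets a user create: it builds the policy scoped to a single service principal, builds the broad variant (any aws-service-role path, no condition), and evaluates the same iam:CreateServiceLinkedRole requests against both. Assumptions: the partition aws-cn and the placeholder account ID 012345678910 are taken from this page's ARN table; the service principals ecs.application-autoscaling.amazonaws.com and lambda.application-autoscaling.amazonaws.com are the values AWS publishes for those services but are elided on this page, so confirm them against the linked service-principal reference; ROLE_NAME_PLACEHOLDER stands in for the Lambda role name, which the page does not give. The evaluation logic is deliberately minimal (Allow/Deny, wildcard matching, and the StringLike operator only) and is not IAM's full evaluation.

```python
import re

# Constructed values for this example (placeholders, not a real account).
PARTITION = "aws-cn"            # China Regions partition, as used on this page
ACCOUNT_ID = "012345678910"     # placeholder account ID, as in the page's ARN table
# Service principals as published by AWS for ECS and Lambda scalable targets.
# The page elides them, so treat these as assumptions to verify.
ECS_PRINCIPAL = "ecs.application-autoscaling.amazonaws.com"
LAMBDA_PRINCIPAL = "lambda.application-autoscaling.amazonaws.com"
ECS_ROLE_NAME = "AWSServiceRoleForApplicationAutoScaling_ECSService"  # named on the page
LAMBDA_ROLE_NAME = "ROLE_NAME_PLACEHOLDER"  # placeholder; the page does not give this name


def slr_arn(partition, account_id, service_principal, role_name):
    """Service-linked roles live under the path /aws-service-role/<service-principal>/."""
    return (f"arn:{partition}:iam::{account_id}:role/aws-service-role/"
            f"{service_principal}/{role_name}")


def scoped_policy(partition, service_principal, role_name):
    """The page's identity-based policy shape, scoped to one service-linked role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": f"arn:{partition}:iam::*:role/aws-service-role/"
                        f"{service_principal}/{role_name}",
            "Condition": {"StringLike": {"iam:AWSServiceName": service_principal}},
        }],
    }


def broad_policy(partition):
    """Same action, but any service-linked role and no service-principal condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": f"arn:{partition}:iam::*:role/aws-service-role/*",
        }],
    }


def _pattern_to_regex(pattern, ignore_case=False):
    """Translate an IAM pattern (* = any run of characters, ? = one character)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def _matches(patterns, value, ignore_case=False):
    """A policy element may be a single pattern or a list; any match counts."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_pattern_to_regex(p, ignore_case).match(value) for p in patterns)


def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise the request is
    allowed if any statement matches the action, the resource and all conditions.
    Action names compare case-insensitively; ARNs and StringLike values are
    case-sensitive, as in IAM. Only StringLike is modelled because that is the
    operator used in the page's policy."""
    decision = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        conditions_met = True
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator != "StringLike":
                raise ValueError(f"unsupported condition operator: {operator}")
            for key, allowed_values in pairs.items():
                if key not in context or not _matches(allowed_values, context[key]):
                    conditions_met = False
        if not conditions_met:
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def evaluate_examples():
    """Evaluate the requests a reviewer would check against both policies."""
    action = "iam:CreateServiceLinkedRole"
    ecs_arn = slr_arn(PARTITION, ACCOUNT_ID, ECS_PRINCIPAL, ECS_ROLE_NAME)
    lambda_arn = slr_arn(PARTITION, ACCOUNT_ID, LAMBDA_PRINCIPAL, LAMBDA_ROLE_NAME)
    scoped = scoped_policy(PARTITION, ECS_PRINCIPAL, ECS_ROLE_NAME)
    broad = broad_policy(PARTITION)
    return {
        # Scoped policy: only the ECS role, and only when IAM reports the ECS principal.
        "scoped_ecs": is_allowed(scoped, action, ecs_arn, {"iam:AWSServiceName": ECS_PRINCIPAL}),
        "scoped_lambda": is_allowed(scoped, action, lambda_arn, {"iam:AWSServiceName": LAMBDA_PRINCIPAL}),
        "scoped_no_context": is_allowed(scoped, action, ecs_arn, {}),
        "scoped_other_action": is_allowed(scoped, "iam:CreateRole", ecs_arn,
                                          {"iam:AWSServiceName": ECS_PRINCIPAL}),
        # Broad policy: any service-linked role for any service principal.
        "broad_lambda": is_allowed(broad, action, lambda_arn, {"iam:AWSServiceName": LAMBDA_PRINCIPAL}),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_examples().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The scoped form is the one to grant: the Resource ARN limits which role may be created and the iam:AWSServiceName condition limits which service may be linked to it, so a user who is permitted to enable scaling for ECS cannot use the same permission to create the service-linked role for another service. Dropping the condition and wildcarding the role name, as in the broad variant, hands out iam:CreateServiceLinkedRole for every service at once.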

Create service-linked roles (automatic)

You don't need to manually create a service-linked role. Application Auto Scaling creates the appropriate service-linked role for you when you call RegisterScalableTarget. For example, if you set up automatic scaling for an Amazon ECS service, Application Auto Scaling creates the AWSServiceRoleForApplicationAutoScaling_ECSService role.

Create service-linked roles (manual)

To create the service-linked role, you can use the IAM console, Amazon CLI, or IAM API. For more information, see Creating a service-linked role in the IAM User Guide.

To create a service-linked role (Amazon CLI)

Use the following create-service-linked-role CLI command to create the Application Auto Scaling service-linked role. In the request, specify the service name "prefix".

To find the service name prefix, refer to the information about the service principal for the service-linked role for each service in the Amazon Web Services that you can use with Application Auto Scaling section. The service name and the service principal share the same prefix. For example, to create the Amazon Lambda service-linked role, use

aws iam create-service-linked-role --aws-service-name

Edit the service-linked roles

With the service-linked roles created by Application Auto Scaling, you can edit only their descriptions. For more information, see Editing a service-linked role in the IAM User Guide.

Delete the service-linked roles

If you no longer use Application Auto Scaling with a supported service, we recommend that you delete the corresponding service-linked role.

You can delete a service-linked role only after first deleting the related Amazon resources. This protects you from inadvertently revoking Application Auto Scaling permissions to your resources. For more information, see the documentation for the scalable resource. For example, to delete an Amazon ECS service, see Deleting a service in the Amazon Elastic Container Service Developer Guide.

You can use IAM to delete a service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

After you delete a service-linked role, Application Auto Scaling creates the role again when you call RegisterScalableTarget.

Supported Regions for Application Auto Scaling service-linked roles

Application Auto Scaling supports using service-linked roles in all of the Amazon Regions where the service is available.

Service-linked role ARN reference

The following table lists the Amazon Resource Name (ARN) of the service-linked role for each Amazon Web Service that works with Application Auto Scaling.

Service ARN
AppStream 2.0 arn:aws-cn:iam::012345678910:role/aws-service-role/
Aurora arn:aws-cn:iam::012345678910:role/aws-service-role/
Comprehend arn:aws-cn:iam::012345678910:role/aws-service-role/
DynamoDB arn:aws-cn:iam::012345678910:role/aws-service-role/
ECS arn:aws-cn:iam::012345678910:role/aws-service-role/
ElastiCache arn:aws-cn:iam::012345678910:role/aws-service-role/
Keyspaces arn:aws-cn:iam::012345678910:role/aws-service-role/
Lambda arn:aws-cn:iam::012345678910:role/aws-service-role/
MSK arn:aws-cn:iam::012345678910:role/aws-service-role/
Neptune arn:aws-cn:iam::012345678910:role/aws-service-role/
SageMaker arn:aws-cn:iam::012345678910:role/aws-service-role/
Spot Fleets arn:aws-cn:iam::012345678910:role/aws-service-role/
WorkSpaces arn:aws-cn:iam::012345678910:role/aws-service-role/
Custom resources arn:aws-cn:iam::012345678910:role/aws-service-role/

You can specify the ARN of a service-linked role for the RoleARN property of an AWS::ApplicationAutoScaling::ScalableTarget resource in your Amazon CloudFormation stack templates, even if the specified service-linked role doesn't yet exist. Application Auto Scaling automatically creates the role for you.