Using roles for Amazon Keyspaces CDC streams - Amazon Keyspaces (for Apache Cassandra)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using roles for Amazon Keyspaces CDC streams

Amazon Keyspaces (for Apache Cassandra) uses Amazon Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Keyspaces. Service-linked roles are predefined by Amazon Keyspaces and include all the permissions that the service requires to call other Amazon services on your behalf.

A service-linked role makes setting up Amazon Keyspaces easier because you don’t have to manually add the necessary permissions. Amazon Keyspaces defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Keyspaces can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can't delete the service-linked role.

Service-linked role permissions for Amazon Keyspaces

Amazon Keyspaces uses the service-linked role named AWSServiceRoleForAmazonKeyspacesCDC to allow Amazon Keyspaces CDC streams to publish CloudWatch metrics into your account on your behalf.

The AWSServiceRoleForAmazonKeyspacesCDC service-linked role trusts the following service to assume the role:

  • cassandra-streams.amazonaws.com

The role permissions policy named KeyspacesCDCServiceRolePolicy allows Amazon Keyspaces to complete the following action, limited to the CloudWatch namespace AWS/Cassandra:

  • Action: cloudwatch:PutMetricData on *

    The AWSServiceRoleForAmazonKeyspacesCDC role is granted cloudwatch:PutMetricData on all resources (Resource "*") that match the condition "cloudwatch:namespace": "AWS/Cassandra". PutMetricData does not support resource-level permissions, which is why the Resource element must be "*"; the namespace condition is what prevents the role from publishing metrics into any other CloudWatch namespace in your account.

For more information about KeyspacesCDCServiceRolePolicy, see Amazon managed policy: KeyspacesCDCServiceRolePolicy.

To enable CDC streams for a table, which automatically creates the service-linked role AWSServiceRoleForAmazonKeyspacesCDC, the IAM principal that enables the stream needs the following permission statement. Both the Resource ARN, whose path embeds the service name, and the iam:AWSServiceName condition restrict the grant to this one service-linked role rather than to service-linked roles in general.

{
  "Sid": "KeyspacesCDCServiceLinkedRole",
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "arn:aws:iam::*:role/aws-service-role/cassandra-streams.amazonaws.com/AWSServiceRoleForAmazonKeyspacesCDC",
  "Condition": {
    "StringLike": {
      "iam:AWSServiceName": "cassandra-streams.amazonaws.com"
    }
  }
}

In the China Regions, IAM ARNs use the aws-cn partition (arn:aws-cn:iam::...), so the Resource element must be written with that partition for the statement to match.

Permissions to create the service-linked role AWSServiceRoleForAmazonKeyspacesCDC are included in the AmazonKeyspacesFullAccess managed policy. For more information, see Amazon managed policy: AmazonKeyspacesFullAccess.
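As an added example (not code from the Amazon Keyspaces documentation or from the service), the following Python evaluates both policies described above offline. The CreateServiceLinkedRole statement is the one the page shows; the KeyspacesCDCServiceRolePolicy document is reconstructed from the page's prose, and the StringEquals operator, the sample account ID and the comparison service names are assumptions. Nothing is fetched from AWS, and the wildcard matching is a deliberately small model of IAM's string matching, not a full policy engine. It shows that the creation permission matches only the Keyspaces CDC role (and not the same role name under the aws-cn partition as written), and that the role's PutMetricData grant is confined to the AWS/Cassandra namespace.

```python
"""Offline checks for the two IAM policies described on this page.

Added example, not part of the Amazon Keyspaces documentation or the service.
All policy documents are embedded below; nothing is fetched from AWS.
"""
import fnmatch
import json

# Statement a principal needs so that enabling CDC streams can create the
# service-linked role (as shown on the page).
CREATE_SLR_STATEMENT = {
    "Sid": "KeyspacesCDCServiceLinkedRole",
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/"
                "cassandra-streams.amazonaws.com/AWSServiceRoleForAmazonKeyspacesCDC",
    "Condition": {"StringLike": {"iam:AWSServiceName": "cassandra-streams.amazonaws.com"}},
}

# Permissions policy of the service-linked role, reconstructed from the page's
# description: PutMetricData on *, restricted to the AWS/Cassandra namespace.
# The StringEquals operator is an assumption of this example.
CDC_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudwatch:PutMetricData",
        "Resource": "*",
        "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/Cassandra"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcard semantics modelled with fnmatch: * matches any run, ? one char.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringLike conditions against request context keys."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:          # a missing context key never satisfies a condition
                return False
            if operator == "StringEquals":
                ok = any(actual == p for p in _as_list(patterns))
            elif operator == "StringLike":
                ok = any(_matches(p, actual) for p in _as_list(patterns))
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def slr_creation_allowed(statement, service_name, role_name, account_id, partition="aws"):
    """True if `statement` allows iam:CreateServiceLinkedRole for the given role.

    IAM builds the role ARN from the service name, so both the Resource ARN path
    and the iam:AWSServiceName condition key have to match for the grant to apply.
    """
    if statement.get("Effect") != "Allow":
        return False
    if not any(_matches(a.lower(), "iam:createservicelinkedrole") for a in _as_list(statement["Action"])):
        return False
    resource = f"arn:{partition}:iam::{account_id}:role/aws-service-role/{service_name}/{role_name}"
    if not any(_matches(r, resource) for r in _as_list(statement["Resource"])):
        return False
    return _condition_holds(statement.get("Condition", {}), {"iam:AWSServiceName": service_name})


def put_metric_data_scope(policy):
    """Return (namespaces, unscoped_statement_ids) for Allow grants of PutMetricData.

    PutMetricData has no resource-level permissions, so Resource is "*" and the
    cloudwatch:namespace condition is the only thing limiting which metrics the
    principal may write; a grant without it can write to any namespace.
    """
    namespaces, unscoped = set(), []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(_matches(a.lower(), "cloudwatch:putmetricdata") for a in _as_list(st.get("Action", []))):
            continue
        scoped = False
        for pairs in st.get("Condition", {}).values():
            if "cloudwatch:namespace" in pairs:
                namespaces.update(_as_list(pairs["cloudwatch:namespace"]))
                scoped = True
        if not scoped:
            unscoped.append(st.get("Sid", f"statement[{i}]"))
    return namespaces, unscoped


if __name__ == "__main__":
    acct = "123456789012"  # constructed sample account ID
    results = {
        "keyspaces_cdc_role": slr_creation_allowed(
            CREATE_SLR_STATEMENT, "cassandra-streams.amazonaws.com",
            "AWSServiceRoleForAmazonKeyspacesCDC", acct),
        "other_service_role": slr_creation_allowed(
            CREATE_SLR_STATEMENT, "other.amazonaws.com", "AWSServiceRoleForOther", acct),
        "aws_cn_partition": slr_creation_allowed(
            CREATE_SLR_STATEMENT, "cassandra-streams.amazonaws.com",
            "AWSServiceRoleForAmazonKeyspacesCDC", acct, partition="aws-cn"),
    }
    print(json.dumps(results, indent=2))
    print(put_metric_data_scope(CDC_ROLE_POLICY))
```

Run it as a script to see the three creation decisions and the namespace scope. Point `put_metric_data_scope` at a policy document pulled with `aws iam get-policy-version` to audit any role that writes CloudWatch metrics: a non-empty second element means a PutMetricData grant that is not pinned to a namespace.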

Creating a service-linked role for Amazon Keyspaces

You don't need to manually create a service-linked role for Amazon Keyspaces CDC streams. When you enable Amazon Keyspaces CDC streams on a table with the Amazon Web Services Management Console, CQL, the Amazon CLI, or the Amazon API, Amazon Keyspaces creates the service-linked role for you.

If this service-linked role has been removed from your account and you need it again, the same process recreates it: the next time you enable Amazon Keyspaces CDC streams for a table, Amazon Keyspaces creates the service-linked role for you again.

Editing a service-linked role for Amazon Keyspaces

Amazon Keyspaces doesn’t allow you to edit the AWSServiceRoleForAmazonKeyspacesCDC service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Supported Regions for Amazon Keyspaces service-linked roles

Amazon Keyspaces supports using service-linked roles in all of the Regions where the service is available. For more information, see Amazon Regions and endpoints.