Using service-linked roles to create OpenSearch Serverless collections - Amazon OpenSearch Service
Service-linked role permissions for OpenSearch ServerlessCreating the service-linked role for OpenSearch ServerlessEditing the service-linked role for OpenSearch ServerlessDeleting the service-linked role for OpenSearch ServerlessSupported Regions for OpenSearch Serverless service-linked roles
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using service-linked roles to create OpenSearch Serverless collections

OpenSearch Serverless uses Amazon Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to OpenSearch Service. Service-linked roles are predefined by OpenSearch Service and include all the permissions that the service requires to call other Amazon services on your behalf.

OpenSearch Serverless uses the service-linked role named AWSServiceRoleForAmazonOpenSearchServerless, which provides the permissions necessary for the role to publish serverless-related CloudWatch metrics to your account.

Service-linked role permissions for OpenSearch Serverless

OpenSearch Serverless uses the service-linked role named AWSServiceRoleForAmazonOpenSearchServerless, which allows OpenSearch Serverless to call Amazon services on your behalf.

The AWSServiceRoleForAmazonOpenSearchServerless service-linked role trusts the following services to assume the role:

  • observability.aoss.amazonaws.com

The role permissions policy named AmazonOpenSearchServerlessServiceRolePolicy allows OpenSearch Serverless to complete the following actions on the specified resources:

  • Action: cloudwatch:PutMetricData on all Amazon resources

Note

The policy includes the condition key {"StringEquals": {"cloudwatch:namespace": "AWS/AOSS"}}, which means that the service-linked role can only send metric data to the AWS/AOSS CloudWatch namespace.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Creating the service-linked role for OpenSearch Serverless

You don't need to manually create a service-linked role. When you create an OpenSearch Serverless collection in the Amazon Web Services Management Console, the Amazon CLI, or the Amazon API, OpenSearch Serverless creates the service-linked role for you.

Note

The first time you create a collection, you must be assigned the iam:CreateServiceLinkedRole in an identity-based policy.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create an OpenSearch Serverless collection, OpenSearch Serverless creates the service-linked role for you again.

You can also use the IAM console to create a service-linked role with the Amazon OpenSearch Serverless use case. In the Amazon CLI or the Amazon API, create a service-linked role with the observability.aoss.amazonaws.com service name:

aws iam create-service-linked-role --aws-service-name "observability.aoss.amazonaws.com"

For more information, see Creating a service-linked role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.

Editing the service-linked role for OpenSearch Serverless

OpenSearch Serverless does not allow you to edit the AWSServiceRoleForAmazonOpenSearchServerless service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting the service-linked role for OpenSearch Serverless

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. This prevents you from having an unused entity that isn't actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

To delete the AWSServiceRoleForAmazonOpenSearchServerless, you must first delete all OpenSearch Serverless collections in your Amazon Web Services account.

Note

If OpenSearch Serverless is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

To manually delete the service-linked role using IAM

Use the IAM console, the Amazon CLI, or the Amazon API to delete the AWSServiceRoleForAmazonOpenSearchServerless service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported Regions for OpenSearch Serverless service-linked roles

OpenSearch Serverless supports using the AWSServiceRoleForAmazonOpenSearchServerless service-linked role in every Region where OpenSearch Serverless is available. For a list of supported Regions, see Amazon OpenSearch Serverless endpoints and quotas in the Amazon Web Services General Reference.