Using service-linked roles for IAM Roles Anywhere - IAM Roles Anywhere
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using service-linked roles for IAM Roles Anywhere

Amazon Identity and Access Management Roles Anywhere uses IAM service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to IAM Roles Anywhere. Service-linked roles are predefined by IAM Roles Anywhere and include all the permissions that the service requires to publish CloudWatch metrics. They also ensure that you receive auditing information regarding IAM Roles Anywhere. Service-linked roles are different from the roles that you configure for the service and obtain temporary credentials for.

A service-linked role makes setting up IAM Roles Anywhere easier because you don’t have to manually add the necessary permissions. IAM Roles Anywhere defines the permissions of its service-linked roles. Unless defined otherwise, only IAM Roles Anywhere can assume its service-linked roles. The defined permissions include the trust policy and the permissions policy. The permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your IAM Roles Anywhere resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see Amazon services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for IAM Roles Anywhere

IAM Roles Anywhere uses the service-linked role named AWSServiceRoleForRolesAnywhere which allows IAM Roles Anywhere to publish CloudWatch metrics in your account. This service-linked role has an IAM policy attached to it named AWSRolesAnywhereServicePolicyV2.

The AWSServiceRoleForRolesAnywhere service-linked role trusts the following services to assume the role:

  • rolesanywhere.amazonaws.com

The role permissions policy named AWSRolesAnywhereServicePolicyV2 allows IAM Roles Anywhere to complete the following actions on the specified resources:

  • Actions on CloudWatch:

    • cloudwatch:PutMetricData - Allows IAM Roles Anywhere to publish metric data points to the AWS/RolesAnywhere and AWS/Usage namespaces.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": [ "AWS/RolesAnywhere", "AWS/Usage" ] } } } ] }

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Creating a service-linked role for IAM Roles Anywhere

You don't need to manually create a service-linked role. When you create your first trust anchor in the Amazon Web Services Management Console, the Amazon CLI, or the Amazon API, IAM Roles Anywhere creates the service-linked role for you.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. Note that credentials will still be issued, but metrics will not be reported.

You can also use the IAM console to create a service-linked role when you have trust anchors in your account but no service-linked role. In the Amazon CLI or the Amazon API, create a service-linked role with the rolesanywhere.amazonaws.com service name. For more information, see Creating a service-linked role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.

Editing a service-linked role for IAM Roles Anywhere

IAM Roles Anywhere does not allow you to edit the AWSServiceRoleForRolesAnywhere service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for IAM Roles Anywhere

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

Note

If IAM Roles Anywhere is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

To delete IAM Roles Anywhere resources used by the AWSServiceRoleForRolesAnywhere
  • Delete all trust anchors in your account in all Regions that contain them.

To manually delete the service-linked role using IAM
  • For information about using the IAM console, the Amazon CLI, or the Amazon API to delete the AWSServiceRoleForRolesAnywhere service-linked role, see Deleting a service-linked role in the IAM User Guide.

Supported regions for IAM Roles Anywhere service-linked roles

IAM Roles Anywhere supports using service-linked roles in all of the regions where the service is available. For more information, see Amazon regions and endpoints.

Region name Region identity Support in IAM Roles Anywhere
China (Beijing) cn-north-1 Yes
China (Ningxia) cn-northwest-1 Yes