Service-linked roles for IPAM
Service-linked roles in Amazon Identity and Access Management (IAM) enable Amazon services to call other Amazon services on your behalf. For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.
There is currently only one service-linked role for IPAM: AWSServiceRoleForIPAM.
Permissions granted to the service-linked role
IPAM uses the AWSServiceRoleForIPAM service-linked role to call the actions in the attached AWSIPAMServiceRolePolicy managed policy. For more information on the allowed actions in that policy, see Amazon managed policies for IPAM.
Also attached to the service-linked role is an IAM trust policy that allows the ipam.amazonaws.com service to assume the service-linked role.
Create the service-linked role
IPAM monitors the IP address usage in one or more accounts by assuming the service-linked role in an account, discovering the resources and their CIDRs, and integrating the resources with IPAM.
The service-linked role is created in one of two ways:
- When you integrate with Amazon Organizations
  If you integrate IPAM with accounts in an Amazon Organization using the IPAM console or the enable-ipam-organization-admin-account Amazon CLI command, the AWSServiceRoleForIPAM service-linked role is automatically created in each of your Amazon Organizations member accounts. As a result, the resources within all member accounts are discoverable by IPAM.
  Important
  For IPAM to create the service-linked role on your behalf:
  - The Amazon Organizations management account that enables IPAM integration with Amazon Organizations must have an IAM policy attached to it that permits the following actions:
    - ec2:EnableIpamOrganizationAdminAccount
    - organizations:EnableAwsServiceAccess
    - organizations:RegisterDelegatedAdministrator
    - iam:CreateServiceLinkedRole
  - The IPAM account must have an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action.
- When you create an IPAM using a single Amazon account
  If you use IPAM with a single account, the AWSServiceRoleForIPAM service-linked role is automatically created when you create an IPAM as that account.
  Important
  If you use IPAM with a single Amazon account, before you create an IPAM, you must ensure that the Amazon account you are using has an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action. When you create the IPAM, you automatically create the AWSServiceRoleForIPAM service-linked role. For more information on managing IAM policies, see Editing IAM policies in the IAM User Guide.
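As an added example (not part of the IPAM documentation), the following Python script checks whether an IAM policy document permits the actions listed in the two notes above, for either the Organizations management account or the IPAM/single account. The sample policy is constructed for illustration; the check ignores Resource and Condition scoping and NotAction, so it is a pre-flight sanity check rather than a full IAM policy evaluator.

```python
"""Check an IAM policy document for the actions IPAM needs to create its service-linked role."""
import fnmatch
import json

# Actions the Organizations management account must be allowed (from the page).
MANAGEMENT_ACCOUNT_ACTIONS = (
    "ec2:EnableIpamOrganizationAdminAccount",
    "organizations:EnableAwsServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "iam:CreateServiceLinkedRole",
)
# The IPAM account, and a single-account setup, only need this one.
IPAM_ACCOUNT_ACTIONS = ("iam:CreateServiceLinkedRole",)


def _as_list(value):
    """IAM lets Statement and Action be either a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json, required=MANAGEMENT_ACCOUNT_ACTIONS):
    """Return the required actions the policy does not effectively allow.

    An action is allowed only if some Allow statement matches it and no Deny
    statement matches it (an explicit Deny always wins in IAM). Resource,
    Condition and NotAction are deliberately ignored in this simple check.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(_matches(p, action) for p in patterns):
                target.add(action)
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample policy: allows three of the four actions and explicitly
# denies iam:CreateServiceLinkedRole, so role creation would fail.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:EnableIpamOrganizationAdminAccount", "organizations:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY))  # ['iam:CreateServiceLinkedRole']
```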
Edit the service-linked role
You cannot edit the AWSServiceRoleForIPAM service-linked role.
Delete the service-linked role
If you no longer need to use IPAM, we recommend that you delete the AWSServiceRoleForIPAM service-linked role.
Note
You can delete the service-linked role only after you delete all IPAM resources in your Amazon account. This ensures that you can't inadvertently remove the monitoring capability of IPAM.
Follow these steps to delete the service-linked role via the Amazon CLI:
1. Delete your IPAM resources using deprovision-ipam-pool-cidr and delete-ipam. For more information, see Deprovision CIDRs from a pool and Delete an IPAM.
2. Disable the IPAM account with disable-ipam-organization-admin-account.
3. Disable the IPAM service with disable-aws-service-access using the --service-principal ipam.amazonaws.com option.
4. Delete the service-linked role with delete-service-linked-role. When you delete the service-linked role, the IPAM managed policy is also deleted. For more information, see Deleting a service-linked role in the IAM User Guide.