Service-linked roles for IPAM - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Service-linked roles for IPAM

Service-linked roles in Amazon Identity and Access Management (IAM) enable Amazon services to call other Amazon services on your behalf. For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

There is currently only one service-linked role for IPAM: AWSServiceRoleForIPAM.

Permissions granted to the service-linked role

IPAM uses the AWSServiceRoleForIPAM service-linked role to call the actions in the attached AWSIPAMServiceRolePolicy managed policy. For more information on the allowed actions in that policy, see Amazon managed policies for IPAM.

Also attached to the service-linked role is an IAM trust policy that allows the ipam.amazonaws.com service principal to assume the service-linked role.

Create the service-linked role

IPAM monitors the IP address usage in one or more accounts by assuming the service-linked role in an account, discovering the resources and their CIDRs, and integrating the resources with IPAM.

The service-linked role is created in one of two ways:

  • When you integrate with Amazon Organizations

    If you integrate IPAM with accounts in an Amazon Organization using the IPAM console or the enable-ipam-organization-admin-account Amazon CLI command, the AWSServiceRoleForIPAM service-linked role is automatically created in each of your Amazon Organizations member accounts. As a result, the resources within all member accounts are discoverable by IPAM.

    Important

    For IPAM to create the service-linked role on your behalf:

    • The Amazon Organizations management account that enables IPAM integration with Amazon Organizations must have an IAM policy attached to it that permits the following actions:

      • ec2:EnableIpamOrganizationAdminAccount

      • organizations:EnableAwsServiceAccess

      • organizations:RegisterDelegatedAdministrator

      • iam:CreateServiceLinkedRole

    • The IPAM account must have an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action.

  • When you create an IPAM using a single Amazon account

    If you use IPAM with a single account, the AWSServiceRoleForIPAM service-linked role is automatically created when you create an IPAM as that account.

    Important

    If you use IPAM with a single Amazon account, before you create an IPAM, you must ensure that the Amazon account you are using has an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action. When you create the IPAM, you automatically create the AWSServiceRoleForIPAM service-linked role. For more information on managing IAM policies, see Editing IAM policies in the IAM User Guide.
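The two IAM policies described above, written out as an added example (this is not Amazon's own code or a policy from this guide). The first grants the Organizations management account the four actions it needs to enable IPAM integration; the second grants the IPAM account, or a single account that creates its own IPAM, only iam:CreateServiceLinkedRole. The example tightens that grant beyond what the page states: it scopes the action to the IPAM service-linked role ARN (its aws-service-role path is assumed from the standard service-linked-role layout) and adds an iam:AWSServiceName condition. The policy names, the /tmp file paths and the PARTITION variable (aws-cn for the China Regions) are assumptions.

```shell
# Added example: builds and attaches the IAM policies that let IPAM create its
# service-linked role. Not Amazon's own code; policy names, file paths and the
# service-linked-role ARN path are assumptions.

PARTITION="${PARTITION:-aws}"   # use aws-cn for the China Regions

# ARN of the IPAM service-linked role in any account (path assumed from the
# standard arn:<partition>:iam::<account>:role/aws-service-role/<principal>/<name> layout).
ipam_slr_arn() {
  printf 'arn:%s:iam::*:role/aws-service-role/ipam.amazonaws.com/AWSServiceRoleForIPAM\n' "$PARTITION"
}

# Policy for the Organizations management account that enables IPAM integration.
management_account_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableIpamOrganizationIntegration",
      "Effect": "Allow",
      "Action": [
        "ec2:EnableIpamOrganizationAdminAccount",
        "organizations:EnableAwsServiceAccess",
        "organizations:RegisterDelegatedAdministrator"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateIpamServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "$(ipam_slr_arn)",
      "Condition": { "StringEquals": { "iam:AWSServiceName": "ipam.amazonaws.com" } }
    }
  ]
}
EOF
}

# Policy for the IPAM account, or for a single account that creates an IPAM
# on its own: only creation of the IPAM service-linked role is needed.
ipam_account_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateIpamServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "$(ipam_slr_arn)",
      "Condition": { "StringEquals": { "iam:AWSServiceName": "ipam.amazonaws.com" } }
    }
  ]
}
EOF
}

# Pre-flight check: how many of the named actions does a policy document grant?
# $1 = policy JSON, remaining arguments = action names to look for.
count_required_actions() {
  doc="$1"; shift
  n=0
  for action in "$@"; do
    printf '%s' "$doc" | grep -q "\"$action\"" && n=$((n + 1))
  done
  echo "$n"
}

# Create the policies; run each call with credentials for the matching account.
# Policy names are assumptions.
create_policies() {
  management_account_policy > /tmp/ipam-mgmt-policy.json
  aws iam create-policy --policy-name IPAMOrganizationsEnable \
    --policy-document file:///tmp/ipam-mgmt-policy.json
  ipam_account_policy > /tmp/ipam-account-policy.json
  aws iam create-policy --policy-name IPAMCreateServiceLinkedRole \
    --policy-document file:///tmp/ipam-account-policy.json
}
```

Attach the first policy to the principal in the management account that runs enable-ipam-organization-admin-account, and the second to the principal in the IPAM account that creates the IPAM; the iam:AWSServiceName condition stops the same grant from being reused to create service-linked roles for other services.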

Edit the service-linked role

You cannot edit the AWSServiceRoleForIPAM service-linked role.

Delete the service-linked role

If you no longer need to use IPAM, we recommend that you delete the AWSServiceRoleForIPAM service-linked role.

Note

You can delete the service-linked role only after you delete all IPAM resources in your Amazon account. This ensures that you can't inadvertently remove the monitoring capability of IPAM.

Follow these steps to delete the service-linked role via the Amazon CLI:

  1. Delete your IPAM resources using deprovision-ipam-pool-cidr and delete-ipam. For more information, see Deprovision CIDRs from a pool and Delete an IPAM.

  2. Disable the IPAM account with disable-ipam-organization-admin-account.

  3. Disable the IPAM service with disable-aws-service-access using the --service-principal ipam.amazonaws.com option.

  4. Delete the service-linked role with delete-service-linked-role. When you delete the service-linked role, the IPAM managed policy is also deleted. For more information, see Deleting a service-linked role in the IAM User Guide.
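The four steps above as one script, added here as an example that is not part of this guide or Amazon's own tooling. It runs the commands in the required order and stops at the first failure, so the service-linked role is never deleted while IPAM resources still exist. The IPAM ID, pool ID, CIDR and account ID are placeholders you pass in, and DRY_RUN is an assumed switch that prints each command instead of running it.

```shell
# Added example (not Amazon's own code): tears down IPAM in the order the
# steps above require. With DRY_RUN=1 the commands are printed, not executed.

# Execute a command, or print it in dry-run mode.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# $1 = IPAM ID, $2 = IPAM pool ID, $3 = CIDR provisioned to that pool,
# $4 = IPAM (delegated administrator) account ID. All placeholders.
ipam_teardown() {
  ipam_id="$1"; pool_id="$2"; cidr="$3"; ipam_account="$4"

  # Step 1: delete the IPAM resources (pool CIDRs first, then the IPAM itself).
  run aws ec2 deprovision-ipam-pool-cidr --ipam-pool-id "$pool_id" --cidr "$cidr" || return 1
  run aws ec2 delete-ipam --ipam-id "$ipam_id" || return 1

  # Step 2: remove the delegated IPAM administrator account.
  run aws ec2 disable-ipam-organization-admin-account \
    --delegated-admin-account-id "$ipam_account" || return 1

  # Step 3: disable trusted access for the IPAM service principal.
  run aws organizations disable-aws-service-access \
    --service-principal ipam.amazonaws.com || return 1

  # Step 4: only now delete the service-linked role (its managed policy goes with it).
  run aws iam delete-service-linked-role --role-name AWSServiceRoleForIPAM
}
```

Run it once with DRY_RUN=1 to review the exact commands, then without it using credentials for the account that owns the IPAM (steps 1 and 2) and the management account (step 3) as appropriate. If an IPAM has several pools or CIDRs, repeat the deprovision call for each before delete-ipam; a pool that still holds allocations will make step 1 fail, which is the intended stopping point.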