Use service-linked roles for your transit gateways - Amazon VPC
Transit gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Use service-linked roles for your transit gateways

Amazon VPC uses service-linked roles for the permissions that it requires to call other Amazon services on your behalf. For more information, see Using service-linked roles in the IAM User Guide.

Transit gateway service-linked role

Amazon VPC uses service-linked roles for the permissions that it requires to call other Amazon services on your behalf when you work with a transit gateway.

Permissions granted by the service-linked role

Amazon VPC uses the service-linked role named AWSServiceRoleForVPCTransitGateway to call the following actions on your behalf when you work with a transit gateway:

  • ec2:CreateNetworkInterface

  • ec2:DescribeNetworkInterfaces

  • ec2:ModifyNetworkInterfaceAttribute

  • ec2:DeleteNetworkInterface

  • ec2:CreateNetworkInterfacePermission

  • ec2:AssignIpv6Addresses

  • ec2:UnAssignIpv6Addresses

The AWSServiceRoleForVPCTransitGateway role trusts the following services to assume the role:

  • transitgateway.amazonaws.com

AWSServiceRoleForVPCTransitGateway uses the managed policy AWSVPCTransitGatewayServiceRolePolicy.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Create the service-linked role

You don't need to manually create the AWSServiceRoleForVPCTransitGateway role. Amazon VPC creates this role for you when you attach a VPC in your account to a transit gateway.

For Amazon VPC to create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-linked role permissions in the IAM User Guide.

Edit the service-linked role

You can edit the description of AWSServiceRoleForVPCTransitGateway using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Delete the service-linked role

If you no longer need to use transit gateways, we recommend that you delete AWSServiceRoleForVPCTransitGateway.

You can delete this service-linked role only after you delete all transit gateway VPC attachments in your Amazon account. This ensures that you can't inadvertently remove permission to access your VPC attachments.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a service-linked role in the IAM User Guide.

After you delete AWSServiceRoleForVPCTransitGateway, Amazon VPC creates the role again if you attach a VPC in your account to a transit gateway.