Use service-linked roles for transit gateways in Amazon VPC Transit Gateways
Amazon VPC uses service-linked roles for the permissions that it requires to call other Amazon services on your behalf. For more information, see Using service-linked roles in the IAM User Guide.
Transit gateway service-linked role
Amazon VPC uses service-linked roles for the permissions that it requires to call other Amazon services on your behalf when you work with a transit gateway.
Permissions granted by the service-linked role
Amazon VPC uses the service-linked role named AWSServiceRoleForVPCTransitGateway to call the following actions on your behalf when you work with a transit gateway:
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:ModifyNetworkInterfaceAttribute
ec2:DeleteNetworkInterface
ec2:CreateNetworkInterfacePermission
ec2:AssignIpv6Addresses
ec2:UnAssignIpv6Addresses
The AWSServiceRoleForVPCTransitGateway role trusts the following services to assume the role:
transitgateway.amazonaws.com
AWSServiceRoleForVPCTransitGateway uses the managed policy AWSVPCTransitGatewayServiceRolePolicy.
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.
Create the service-linked role
You don't need to manually create the AWSServiceRoleForVPCTransitGateway role. Amazon VPC creates this role for you when you attach a VPC in your account to a transit gateway.
For Amazon VPC to create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-linked role permissions in the IAM User Guide.
Edit the service-linked role
You can edit the description of AWSServiceRoleForVPCTransitGateway using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Delete the service-linked role
If you no longer need to use transit gateways, we recommend that you delete AWSServiceRoleForVPCTransitGateway.
You can delete this service-linked role only after you delete all transit gateway VPC attachments in your Amazon account. This ensures that you can't inadvertently remove permission to access your VPC attachments.
You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a service-linked role in the IAM User Guide.
After you delete AWSServiceRoleForVPCTransitGateway, Amazon VPC creates the role again if you attach a VPC in your account to a transit gateway.