AWS · How-To · Beginner · 3 min read

How to Use Service Linked Role in AWS: Simple Guide

A service-linked role is a special kind of IAM role that is linked directly to one AWS service and lets that service call other AWS APIs on your behalf. AWS defines both the role's trust policy (only that service can assume it) and its permissions policy (only what the service needs); you cannot edit those permissions, only create, describe and delete the role. You use it by creating the role for the service you want, after which the service finds and assumes it automatically.

Syntax

A service-linked role is created by naming the service, not by writing a policy. AWS supplies the trust policy (a single principal, the service itself), the permissions policy, and the role name and path; the only required argument is the service principal.

  • Role Name: Fixed by AWS per service (for example AWSServiceRoleForECS) and placed under the path /aws-service-role/<service>/. You do not choose it; a few services accept an optional --custom-suffix to allow more than one role.
  • Service Principal: The AWS service that will assume the role, passed as --aws-service-name (e.g., ecs.amazonaws.com).
  • Permissions: An AWS-managed policy for that service, attached by AWS and not editable by you.
```bash
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
```
Output: the CLI prints the new role as a JSON Role object, with the fixed name AWSServiceRoleForECS and the path /aws-service-role/ecs.amazonaws.com/ (the full document is shown in the Example below). There is no plain-text success message.

Example

This example creates the service-linked role for Amazon ECS with the AWS CLI. The role, always named AWSServiceRoleForECS, lets ECS call other AWS APIs on your behalf for your clusters, for example managing the elastic network interfaces and load balancer target registrations of its tasks.

```bash
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
```
Output
```json
{
  "Role": {
    "Path": "/aws-service-role/ecs.amazonaws.com/",
    "RoleName": "AWSServiceRoleForECS",
    "RoleId": "AROAJEXAMPLEID",
    "Arn": "arn:aws:iam::123456789012:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
    "CreateDate": "2024-06-01T12:00:00Z"
  }
}
```

Common Pitfalls

Common mistakes when using service-linked roles include:

  • Creating an ordinary role with aws iam create-role and a hand-written trust policy and expecting the service to use it. It will not: a service looks for its own service-linked role, which has a fixed name, the path /aws-service-role/<service>/ and AWS-defined permissions. A custom role with a similar name is simply never assumed.
  • Deleting a service-linked role that the service still depends on. aws iam delete-role refuses to delete a service-linked role; aws iam delete-service-linked-role starts an asynchronous deletion task that fails if any resource still uses the role, and aws iam get-service-linked-role-deletion-status reports which resources block it. Clean those resources up first rather than working around the check.
  • Running the command as a principal that lacks the iam:CreateServiceLinkedRole permission, which fails with AccessDenied. The role's trust policy needs nothing from you; the permission is for the caller, and it is best scoped with the iam:AWSServiceName condition key to the services you intend to enable.
  • Re-running create-service-linked-role for a service whose role already exists. The call is not idempotent and fails with InvalidInput ("has been taken"); check with aws iam get-role first, or treat that specific error as success in scripts.

Always use the AWS CLI, SDK or console to create service-linked roles rather than building the trust policy yourself. Note that most services, ECS included, create their own service-linked role automatically the first time you use them; creating it explicitly matters mainly when the principal that will use the service is not allowed to create IAM roles.

```bash
# Wrong: this creates an ordinary IAM role. Even if wrong-trust-policy.json names
# ecs.amazonaws.com as the principal, the role has no permissions, lives under the
# default path "/", and ECS will never use it as its service-linked role.
aws iam create-role --role-name MyServiceLinkedRole --assume-role-policy-document file://wrong-trust-policy.json

# Correct: AWS supplies the trust policy, the permissions and the fixed name/path.
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
```
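The checks behind the pitfalls above (is a given role really the service's own role, what may the caller do, and what is blocking a deletion) can be scripted without touching AWS. The following is an added example, not code from the original article or from AWS; every document in it is constructed by hand to follow the shape of the IAM API responses (get-role, create-service-linked-role, get-service-linked-role-deletion-status), and no AWS call is made.

```python
"""Offline checks for working with service-linked roles (added example).

Sample documents below are constructed to follow the documented shape of the
IAM API responses; nothing here calls AWS.
"""
import json

SLR_PATH_PREFIX = "/aws-service-role/"


def is_service_linked_role(role: dict, service: str) -> bool:
    """True if `role` (a Role object as returned by get-role) is the
    service-linked role for `service`, e.g. "ecs.amazonaws.com".

    Two signals are required: the fixed path AWS assigns to every SLR and a
    trust policy whose only principal is that service. A role built with
    create-role and a hand-written trust policy fails the path check even
    when its trust policy looks right."""
    if role.get("Path") != f"{SLR_PATH_PREFIX}{service}/":
        return False
    doc = role.get("AssumeRolePolicyDocument")
    if isinstance(doc, str):  # tolerate a JSON string as well as a parsed dict
        doc = json.loads(doc)
    statements = (doc or {}).get("Statement", [])
    if not statements:
        return False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or actions != ["sts:AssumeRole"]:
            return False
        if stmt.get("Principal", {}).get("Service") != service:
            return False
    return True


def caller_policy(services: list) -> dict:
    """Least-privilege policy for the human or pipeline that runs
    create-service-linked-role. The iam:AWSServiceName condition key limits
    the call to the listed services; the role's own permissions are AWS's."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/*",
            "Condition": {"StringEquals": {"iam:AWSServiceName": sorted(services)}},
        }],
    }


def already_exists(error_code: str, message: str) -> bool:
    """create-service-linked-role is not idempotent: a repeat call fails with
    InvalidInput and a 'has been taken' message. Scripts should treat exactly
    that failure as success and re-raise anything else."""
    return error_code == "InvalidInput" and "has been taken" in message


def blocking_resources(status: dict) -> list:
    """ARNs still using the role, read from a
    get-service-linked-role-deletion-status response whose Status is FAILED.
    Empty for SUCCEEDED / IN_PROGRESS, so callers must also look at Status."""
    if status.get("Status") != "FAILED":
        return []
    arns = []
    for usage in status.get("Reason", {}).get("RoleUsageList", []):
        arns.extend(usage.get("Resources", []))
    return arns


# Constructed sample: the Role object create-service-linked-role returns for ECS.
ECS_ROLE = {
    "Path": "/aws-service-role/ecs.amazonaws.com/",
    "RoleName": "AWSServiceRoleForECS",
    "Arn": "arn:aws:iam::123456789012:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "ecs.amazonaws.com"}}],
    },
}

# Constructed sample: the "wrong way" from the pitfalls, a plain role with a
# correct-looking trust policy but the default path.
HANDMADE_ROLE = dict(ECS_ROLE, Path="/", RoleName="MyServiceLinkedRole",
                     Arn="arn:aws:iam::123456789012:role/MyServiceLinkedRole")

# Constructed sample: a deletion task that failed because a cluster still uses the role.
DELETION_FAILED = {
    "Status": "FAILED",
    "Reason": {"Reason": "Role is in use",
               "RoleUsageList": [{"Region": "us-east-1",
                                  "Resources": ["arn:aws:ecs:us-east-1:123456789012:cluster/prod"]}]},
}

if __name__ == "__main__":
    print(is_service_linked_role(ECS_ROLE, "ecs.amazonaws.com"))       # True
    print(is_service_linked_role(HANDMADE_ROLE, "ecs.amazonaws.com"))  # False
    print(json.dumps(caller_policy(["ecs.amazonaws.com"]), indent=2))
    print(blocking_resources(DELETION_FAILED))
```

In a real deployment script the Role object would come from `aws iam get-role` (or boto3's `get_role`), the error code and message from the failed create call, and the deletion status from polling `get-service-linked-role-deletion-status` with the DeletionTaskId that `delete-service-linked-role` returns; the functions above are the decision logic around those calls.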

Quick Reference

| Term | Description |
|---|---|
| Service-linked role | An IAM role owned by one AWS service, with a fixed name and path (/aws-service-role/<service>/) and permissions defined by AWS. |
| Service principal | The AWS service that assumes the role (e.g., ecs.amazonaws.com). |
| AWS CLI command | aws iam create-service-linked-role --aws-service-name <service> |
| Role deletion | Use aws iam delete-service-linked-role; the deletion task fails while resources still use the role. |
| Permissions | Managed by AWS; you cannot attach or edit policies on the role, only view them. |

Key Takeaways

Use the AWS CLI command 'create-service-linked-role' to create the role; never build it by hand with 'create-role'.
Service-linked roles let AWS services manage resources on your behalf without you writing trust or permissions policies.
Do not delete a service-linked role while the service is using it; 'delete-service-linked-role' checks for remaining usage and tells you what blocks the deletion.
AWS defines and maintains the permissions for service-linked roles; you cannot change them.
Always pass the correct AWS service principal, and make sure the caller has iam:CreateServiceLinkedRole for that service.