AWS Service Roles – Determining Security Requirements and Controls – SAP-C02 Study Guide

AWS Service Roles

AWS service roles allow AWS services to access resources in other AWS services on your behalf. A service must assume a service role to perform actions, on your behalf, on other AWS services. In some cases, AWS services provide a predefined service role out of the box—these are called service-linked roles. The list of services supporting service-linked roles can be found at https://packt.link/80RzZ

Note:

The list of services supporting service-linked roles keeps evolving over time, so, when in doubt, please make sure to consult the AWS documentation.

The above documentation page will tell you whether a given AWS service supports using service-linked roles or whether it supports other forms of temporary credentials. When a given AWS service does not offer a service-linked role but supports IAM temporary credentials, it is then up to you to set up an IAM role for that service—aka a service role—when needed. You then have to refer to the specific service documentation to understand which permissions you need to associate with the service role. The advantage when a service provides a service-linked role is that it creates the service role automatically, with the right set of permissions, on your behalf.

Creating a service-linked role using the AWS CLI is extremely easy. You simply run a command such as the following:

aws iam create-service-linked-role --aws-service-name SERVICE-NAME.amazonaws.com --description "My service-linked role to support Service XYZ"

So, for instance, if you were to create a service-linked role for Amazon Relational Database Service (RDS), you would run something like this:

aws iam create-service-linked-role --aws-service-name rds.amazonaws.com --description "My service-linked role to support RDS"

This would result in the creation of a role called AWSServiceRoleForRDS automatically associated with the right permissions required by Amazon RDS to work.

Note

It is unlikely that you will be required to create the above service-linked role manually for Amazon RDS as the service does create it for you upon database creation if it does not exist in your account. However, if you do need to create one—for instance, if you have deleted the service-linked role by accident—then you can use the preceding command to re-create it manually.

Now, for AWS services that do not support service-linked roles, you have to provide service roles yourself. Unfortunately, in such cases, you have to do the heavy lifting that service-linked roles do in the background for you. You first have to create the role together with its trust policy, using a command such as the following:

aws iam create-role --role-name MyServiceRole --assume-role-policy-document file://MyServiceRole-Trust-Policy.json

The trust policy instructs IAM that a given service, as defined in the trust policy JavaScript Object Notation (JSON) document, is trusted to assume that specific role you just created. For instance, if you have created a role to be assumed by Amazon EC2, the trust policy would look like this:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

Then, you need to attach a permissions policy to the role so that the trusted service has the right privileges for performing its task, using a command like this:

aws iam put-role-policy --role-name MyServiceRole --policy-name MyServicePolicy --policy-document file://MyService-Policy.json

Suppose you want to grant an Amazon EC2 instance permissions to access Amazon S3 to list the contents of a specific bucket. In that case, your policy document would look something like this:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::my_bucket"
  }
}

Optionally, you can also attach a permissions boundary to the role, to define the maximum permissions the role can ever have, and add tags to it.

Note that if you intend to use the role with Amazon EC2 instances or an AWS service that will use Amazon EC2, the role must be packaged in an instance profile that can be later attached to an Amazon EC2 instance. So, in our case, two additional commands must be run for that. The first command is to create an instance profile and the second one is to add the role to the instance profile. Both commands are presented below:

aws iam create-instance-profile --instance-profile-name MyEC2Profile

aws iam add-role-to-instance-profile --instance-profile-name MyEC2Profile --role-name MyServiceRole
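The whole service-role procedure above (trust policy, permissions policy, role creation and instance profile) gathered into one script. This is an added example, not code from the study guide; the role, policy, profile and bucket names are assumed placeholders, and the AWS CLI calls only execute when the script is invoked with the argument run.

```shell
# Added example (not from the study guide): generates both policy documents
# and runs the create-role / put-role-policy / instance-profile sequence.
set -eu

trust_policy_json() {  # only the named service principal may assume the role
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "$1"},
    "Action": "sts:AssumeRole"
  }
}
EOF
}

bucket_list_policy_json() {  # one action on one bucket ARN, nothing broader
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::$1"
  }
}
EOF
}

# The CLI sequence from the text; needs IAM-privileged credentials, so it
# only runs when this script is invoked with the argument "run".
create_ec2_service_role() {
  role="$1"; policy="$2"; profile="$3"; bucket="$4"
  trust_policy_json ec2.amazonaws.com > "$role-Trust-Policy.json"
  bucket_list_policy_json "$bucket" > "$policy.json"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "file://$role-Trust-Policy.json"
  aws iam put-role-policy --role-name "$role" --policy-name "$policy" \
    --policy-document "file://$policy.json"
  aws iam create-instance-profile --instance-profile-name "$profile"
  aws iam add-role-to-instance-profile --instance-profile-name "$profile" \
    --role-name "$role"
}

if [ "${1:-}" = "run" ]; then
  create_ec2_service_role MyServiceRole MyServicePolicy MyEC2Profile my_bucket
else
  trust_policy_json ec2.amazonaws.com   # dry run: just show the trust policy
fi
```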