What is a service role?
It is a role that a service assumes in order to perform actions on your behalf. Many services need a role to access resources that live in other services. When a role serves a specialized purpose for one specific service, it is called a service role for that service (for example, a service role for EC2 instances), or it is categorized as a service-linked role.
Permissions for a service role:
To allow an IAM entity to create or edit a service role, you must configure the permissions described below.
Keep in mind
The ARN of a service-linked role includes a service principal of the form SERVICE-NAME.amazonaws.com, and that name is case sensitive.
How to give permission to an IAM entity for creating a specific service role?
Adding the policy below to your chosen IAM entity allows it to create a service role with a particular name for the selected service. Afterwards, managed or inline policies can be attached to that role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/SERVICE-ROLE-NAME"
        }
    ]
}
How to give permission to an IAM entity for creating any service role?
Adding the statement below allows the IAM entity to create any service role, with any name, for any service. Afterwards, managed or inline policies can be attached to that role.
{
    "Effect": "Allow",
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:PutRolePolicy"
    ],
    "Resource": "*"
}
How to give permission to an IAM entity for editing a service role?
Add the policy below to your chosen IAM entity to allow it to edit the required service role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EditSpecificServiceRole",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": "arn:aws:iam::*:role/SERVICE-ROLE-NAME"
        },
        {
            "Sid": "ViewRolesAndPolicies",
            "Effect": "Allow",
How to give permission to an IAM entity for deleting a specific service role?
Adding the statement below gives the IAM entity permission to delete one specified service role.
{
    "Effect": "Allow",
    "Action": "iam:DeleteRole",
    "Resource": "arn:aws:iam::*:role/SERVICE-ROLE-NAME"
}
How to give permission to an IAM entity for deleting any service role?
Add the statement below to allow the IAM entity to delete any role.
{
    "Effect": "Allow",
    "Action": "iam:DeleteRole",
    "Resource": "*"
}
How to Create a Role for a Service using the Console?
The Management Console can create a role for a particular service and assign the required policies to it; the role's trust policy is what allows the service to assume it.
Creating a role for a service through the console:
1. First, log in to the Management Console and open the IAM console using this link: https://console.aws.amazon.com/iam/.
2. In the IAM console navigation pane, click on Roles, then choose Create role.
3. Under Select type of trusted entity, choose AWS service.
4. Select the service you'd like to allow to assume this role.
5. Select the use case for this service. If the service has only one use case, it is chosen for you. Then click on Next: Permissions.
6. If possible, choose an existing policy to use as the permissions policy; otherwise click on Create policy to open a new browser tab and create a new policy. When you have finished creating the policy, close that tab and return to the original one. Select the check box for each permissions policy you'd like the service to have.
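Steps 3 and 4 above are where the console writes the role's trust policy: the selected service becomes the only principal allowed to call sts:AssumeRole on the role. The following snippet is an added example, not code from the original page or from AWS; it builds that trust policy for a given service principal, rejects principals that do not have the case-sensitive SERVICE-NAME.amazonaws.com form mentioned earlier on the page, and lists which services an existing trust policy lets in. The validation pattern is an assumption of this example (it checks shape only, not whether a service of that name exists).

```python
import re

# Shape check for a service principal (assumption: lowercase label(s) followed by
# .amazonaws.com). The page notes the name is case sensitive, so "EC2.amazonaws.com"
# is rejected rather than silently normalised.
SERVICE_PRINCIPAL_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.amazonaws\.com$")


def is_valid_service_principal(principal):
    """True when the string has the SERVICE-NAME.amazonaws.com shape."""
    return bool(SERVICE_PRINCIPAL_RE.match(principal))


def service_trust_policy(service_principal):
    """Build the trust policy the console generates for an 'AWS service' trusted
    entity: only that service may assume the role. Raises ValueError on a
    malformed principal instead of creating a role nobody can assume."""
    if not is_valid_service_principal(service_principal):
        raise ValueError(f"not a well-formed service principal: {service_principal!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def trusted_services(trust_policy):
    """List every principal an existing trust policy allows to assume the role.
    A bare "*" principal is reported as "*" so an over-broad trust stands out."""
    allowed = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            allowed.append("*")
            continue
        services = principal.get("Service", [])
        allowed.extend(services if isinstance(services, list) else [services])
    return allowed


if __name__ == "__main__":
    # Constructed usage: the EC2 service role case named on this page.
    policy = service_trust_policy("ec2.amazonaws.com")
    print(policy)
    print("trusted:", trusted_services(policy))
```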