Menu
Amazon ElastiCache
User Guide (API Version 2015-02-02)

Using Service-Linked Roles for ElastiCache

Amazon ElastiCache uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to an AWS service, such as ElastiCache. ElastiCache service-linked roles are predefined by ElastiCache and include all the permissions that the service requires to call AWS services on behalf of your clusters.

A service-linked role makes setting up ElastiCache easier because you don’t have to manually add the necessary permissions. The roles already exist within your AWS account but are linked to ElastiCache use cases and have predefined permissions. Only ElastiCache can assume these roles, and only these roles can use the predefined permissions policy. You can delete the roles only after first deleting their related resources. This protects your ElastiCache resources because you can't inadvertently remove necessary permissions to access the resources.

For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-Linked Role Permissions for ElastiCache

ElastiCache uses the service-linked role named AWSServiceRoleForElastiCache – This policy allows ElastiCache to manage AWS resources on your behalf as necessary for managing your cache..

The AWSServiceRoleForElastiCache service-linked role permissions policy allows ElastiCache to complete the following actions on the specified resources:

Permission policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupIngress",
      ],
      "Resource": "*"
    }
  ]
}

To allow an IAM entity to create AWSServiceRoleForElastiCache service-linked roles

Add the following policy statement to the permissions for that IAM entity:

Copy
{ "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache*", "Condition": {"StringLike": {"iam:AWSServiceName": "elasticache.amazonaws.com"}} }

To allow an IAM entity to delete AWSServiceRoleForElastiCache service-linked roles

Add the following policy statement to the permissions for that IAM entity:

Copy
{ "Effect": "Allow", "Action": [ "iam:DeleteServiceLinkedRole", "iam:GetServiceLinkedRoleDeletionStatus" ], "Resource": "arn:aws:iam::*:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache*", "Condition": {"StringLike": {"iam:AWSServiceName": "elasticache.amazonaws.com"}} }

Alternatively, you can use an AWS managed policy to provide full access to ElastiCache.

Creating a Service-Linked Role (IAM)

You can create a service-linked role using the IAM console, CLI, or API.

Creating a Service-Linked Role (IAM Console)

You can use the IAM console to create a service-linked role.

To create a service-linked role (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the IAM console, choose Roles. Then choose Create new role.

  3. Expand the AWS service-linked role section, and then select the service that you want to allow to assume this new service-linked role.

  4. Next to the AWSServiceRoleForElastiCache service-linked role, choose Select.

  5. For Role name, type a suffix to add to the service-linked role default name. This suffix helps you identify the purpose of this role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both <service-linked-role-name>_SAMPLE and <service-linked-role-name>_sample. Because various entities might reference the role, you cannot edit the name of the role after it has been created.

  6. (Optional) For Role description, edit the description for the new service-linked role.

  7. Review the role and then choose Create role.

Creating a Service-Linked Role (IAM CLI)

You can use IAM operations from the AWS Command Line Interface to create a service-linked role with the trust policy and inline policies that the service needs to assume the role.

To create a service-linked role (CLI)

Use the following operation:

Copy
$ aws iam create-service-linked-role --aws-service-name elasticache.amazonaws.com

Creating a Service-Linked Role (IAM API)

You can use the IAM API to create a service-linked role with the trust policy and inline policies that the service needs to assume the role.

To create a service-linked role (API)

Use the CreateServiceLinkedRole API call. In the request, specify a service name of elasticache.amazonaws.com.

Editing the Description of a Service-Linked Role for ElastiCache

ElastiCache does not allow you to edit the AWSServiceRoleForElastiCache service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM.

Editing a Service-Linked Role Description (IAM Console)

You can use the IAM console to edit a service-linked role description.

To edit the description of a service-linked role (console)

  1. In the navigation pane of the IAM console, choose Roles.

  2. Choose the name of the role to modify.

  3. To the far right of Role description, choose Edit.

  4. Type a new description in the box and choose Save.

Editing a Service-Linked Role Description (IAM CLI)

You can use IAM operations from the AWS Command Line Interface to edit a service-linked role description.

To change the description of a service-linked role (CLI)

  1. (Optional) To view the current description for a role, use the AWS CLI for IAM operation get-role.

    Copy
    $ aws iam get-role --role-name AWSServiceRoleForElastiCache

    Use the role name, not the ARN, to refer to roles with the CLI operations. For example, if a role has the following ARN: arn:aws:iam::123456789012:role/myrole, refer to the role as myrole.

  2. To update a service-linked role's description, use the AWS CLI for IAM operation update-role-description.

    For Linux, macOS, or Unix:

    Copy
    $ aws iam update-role-description \ --role-name AWSServiceRoleForElastiCache \ --description "new description"

    For Windows:

    Copy
    $ aws iam update-role-description ^ --role-name AWSServiceRoleForElastiCache ^ --description "new description"

Editing a Service-Linked Role Description (IAM API)

You can use the IAM API to edit a service-linked role description.

To change the description of a service-linked role (API)

  1. (Optional) To view the current description for a role, use the IAM API operation GetRole.

    Copy
    https://iam.amazonaws.com/ ?Action=GetRole &RoleName=AWSServiceRoleForElastiCache &Version=2010-05-08 &AUTHPARAMS
  2. To update a role's description, use the IAM API operation UpdateRoleDescription.

    Copy
    https://iam.amazonaws.com/ ?Action=UpdateRoleDescription &RoleName=AWSServiceRoleForElastiCache &Version=2010-05-08 &Description="New description"

Deleting a Service-Linked Role for ElastiCache

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can delete it.

Amazon ElastiCache does not delete the service-linked role for you.

Cleaning Up a Service-Linked Role

Before you can use IAM to delete a service-linked role, you must first confirm that the role has no resources, clusters or replication groups, associated with the role.

To check whether the service-linked role has an active session in the IAM console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the IAM console, choose Roles. Then choose the name (not the check box) of the AWSServiceRoleForElastiCache role.

  3. On the Summary page for the selected role, choose the Access Advisor tab.

  4. On the Access Advisor tab, review recent activity for the service-linked role.

To delete ElastiCache resources that require AWSServiceRoleForElastiCache (console)

Deleting a Service-Linked Role (IAM Console)

You can use the IAM console to delete a service-linked role.

To delete a service-linked role (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the IAM console, choose Roles. Then select the check box next to the role name that you want to delete, not the name or row itself.

  3. For Role actions at the top of the page, choose Delete role.

  4. In the confirmation dialog box, review the service last accessed data, which shows when each of the selected roles last accessed an AWS service. This helps you to confirm whether the role is currently active. If you want to proceed, choose Yes, Delete to submit the service-linked role for deletion.

  5. Watch the IAM console notifications to monitor the progress of the service-linked role deletion. Because the IAM service-linked role deletion is asynchronous, after you submit the role for deletion, the deletion task can succeed or fail. If the task fails, you can choose View details or View Resources from the notifications to learn why the deletion failed.

Deleting a Service-Linked Role (IAM CLI)

You can use IAM operations from the AWS Command Line Interface to delete a service-linked role.

To delete a service-linked role (CLI)

  1. If you don't know the name of the service-linked role that you want to delete, type the following operation to list the roles and their Amazon Resource Names (ARNs) in your account:

    Copy
    $ aws iam get-role --role-name role-name

    Use the role name, not the ARN, to refer to roles with the CLI operations. For example, if a role has the following ARN: arn:aws:iam::123456789012:role/myrole, you refer to the role as myrole.

  2. Because a service-linked role cannot be deleted if it is being used or has associated resources, you must submit a deletion request. That request can be denied if these conditions are not met. You must capture the deletion-task-id from the response to check the status of the deletion task. Type the following to submit a service-linked role deletion request:

    Copy
    $ aws iam delete-service-linked-role --role-name role-name
  3. Type the following to check the status of the deletion task:

    Copy
    $ aws iam get-service-linked-role-deletion-status --deletion-task-id deletion-task-id

    The status of the deletion task can be NOT_STARTED, IN_PROGRESS, SUCCEEDED, or FAILED. If the deletion fails, the call returns the reason that it failed so that you can troubleshoot.

Deleting a Service-Linked Role (IAM API)

You can use the IAM API to delete a service-linked role.

To delete a service-linked role (API)

  1. To submit a deletion request for a service-linked roll, call DeleteServiceLinkedRole. In the request, specify a role name.

    Because a service-linked role cannot be deleted if it is being used or has associated resources, you must submit a deletion request. That request can be denied if these conditions are not met. You must capture the DeletionTaskId from the response to check the status of the deletion task.

  2. To check the status of the deletion, call GetServiceLinkedRoleDeletionStatus. In the request, specify the DeletionTaskId.

    The status of the deletion task can be NOT_STARTED, IN_PROGRESS, SUCCEEDED, or FAILED. If the deletion fails, the call returns the reason that it failed so that you can troubleshoot.