Using service-linked roles for Resource Groups
AWS Resource Groups uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Resource Groups. Service-linked roles are predefined by Resource Groups and include all the permissions that the service requires to call other AWS services on your behalf.
A service-linked role makes setting up Resource Groups easier because you don't have to manually add the necessary permissions. Resource Groups defines the permissions of its service-linked roles and sets a trust policy on each that ensures that only the Resource Groups service can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.
For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to view the service-linked role documentation for that service.
Service-linked role permissions for Resource Groups
Resource Groups uses the following service-linked role to support group lifecycle events. Choose the link on the role name to view the role in the IAM console after you create it.
Resource Groups uses the permissions in this role to query the AWS services that own your resources, which helps resolve group membership and keeps the group up to date. The role also allows Resource Groups to emit service-related events to the Amazon EventBridge service.
The AWSServiceRoleForResourceGroups service-linked role trusts only the following service to assume the role:
- resourcegroups.amazonaws.com
The permissions attached to the role come from the following AWS managed policy. Choose the link on the policy name to view the policy in the IAM console.
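An added check that is not part of the AWS documentation: it takes the parsed JSON that `aws iam get-role --role-name AWSServiceRoleForResourceGroups` prints (a constructed sample is embedded), collects every principal an Allow statement lets call sts:AssumeRole, and confirms the trust policy still names only resourcegroups.amazonaws.com, so any drift from the trust relationship described above is caught. The function names and the sample document are my own assumptions.

```python
import json
import sys

EXPECTED_ROLE = "AWSServiceRoleForResourceGroups"
EXPECTED_PRINCIPAL = "resourcegroups.amazonaws.com"

# Constructed sample shaped like `aws iam get-role` output (not from a real account).
SAMPLE_GET_ROLE_OUTPUT = {"Role": {
    "RoleName": EXPECTED_ROLE,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "resourcegroups.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
}}

def allowed_assume_principals(trust_policy):
    """Return every principal that an Allow statement lets call sts:AssumeRole*."""
    principals = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a == "*" or a.lower().startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous trust: anything may assume the role
            principals.add("*")
            continue
        for value in principal.values():  # keys are Service, AWS or Federated
            principals.update([value] if isinstance(value, str) else value)
    return principals

def role_trusts_only_resource_groups(get_role_output):
    """True only if the role is the SLR and trusts exactly resourcegroups.amazonaws.com."""
    role = get_role_output["Role"]
    if role.get("RoleName") != EXPECTED_ROLE:
        return False
    return allowed_assume_principals(role["AssumeRolePolicyDocument"]) == {EXPECTED_PRINCIPAL}

if __name__ == "__main__":  # usage: aws iam get-role --role-name AWSServiceRoleForResourceGroups > role.json; python check.py role.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_GET_ROLE_OUTPUT
    print("trust policy OK" if role_trusts_only_resource_groups(data) else "UNEXPECTED trust principals")
```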
Creating the service-linked role for Resource Groups
Important
This service-linked role can appear in your account if you complete an action in another service that requires the features supported by this role. For more information, see A new role appeared in my AWS account.
To create the service-linked role, turn on the group lifecycle events feature.
Editing a service-linked role for Resource Groups
Resource Groups doesn't allow you to edit the AWSServiceRoleForResourceGroups service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting a service-linked role for Resource Groups
You can delete the service-linked role only after you turn off the group lifecycle events feature.
Important
- AWS prevents you from removing the service-linked role until you first turn off the group lifecycle events feature that created it.
- We recommend that you do not delete the service-linked role as long as you have any resource groups in your AWS account. The Resource Groups service can't interact with other AWS services to manage your groups if you delete this role.
Manually delete the service-linked role
Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForResourceGroups service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.
Supported Regions for Resource Groups service-linked roles
Resource Groups supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see AWS Regions and Endpoints.