Roles Required for AppStream 2.0, Application Auto Scaling, and AWS Certificate Manager Private CA - Amazon AppStream 2.0

In AWS, IAM roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that are attached to the role determine which AWS resources the service can access and what it can do with those resources. For AppStream 2.0, in addition to having the permissions defined in the AmazonAppStreamFullAccess policy, you must also have the following roles in your AWS account.

AmazonAppStreamServiceAccess

This role is a service role that is created for you automatically when you get started with AppStream 2.0 in an AWS Region. For more information about service roles, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

While AppStream 2.0 resources are being created, the AppStream 2.0 service makes API calls to other AWS services on your behalf by assuming this role. To create fleets, you must have this role in your account. If this role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot create AppStream 2.0 fleets.

For more information, see Checking for the AmazonAppStreamServiceAccess Service Role and Policies.

ApplicationAutoScalingForAmazonAppStreamAccess

This role is a service role that is created for you automatically when you get started with AppStream 2.0 in an AWS Region. For more information about service roles, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

Automatic scaling is a feature of AppStream 2.0 fleets. To configure scaling policies, you must have this service role in your AWS account. If this service role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot scale AppStream 2.0 fleets.

For more information, see Checking for the ApplicationAutoScalingForAmazonAppStreamAccess Service Role and Policies.

AWSServiceRoleForApplicationAutoScaling_AppStreamFleet

This role is a service-linked role that is created for you automatically. For more information, see Service-linked roles in the Application Auto Scaling User Guide.

Application Auto Scaling uses a service-linked role to perform automatic scaling on your behalf. A service-linked role is an IAM role that is linked directly to an AWS service. This role includes all the permissions that the service requires to call other AWS services on your behalf.

For more information, see Checking for the AWSServiceRoleForApplicationAutoScaling_AppStreamFleet Service-Linked Role and Policies.

AmazonAppStreamPCAAccess

This role is a service role that is created for you automatically when you get started with AppStream 2.0 in an AWS Region. For more information about service roles, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

Certificate-based authentication is a feature of AppStream 2.0 fleets joined to Microsoft Active Directory domains. To enable and use certificate-based authentication, you must have this service role in your AWS account. If this service role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot enable or use certificate-based authentication.

For more information, see Checking for the AmazonAppStreamPCAAccess Service Role and Policies.
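
The presence of these four roles and their trust relationships can be audited from the trust policy documents alone. The following is an added example, not AWS code: it reports roles that are missing, roles that do not trust the expected service, and roles that trust anything else. The service principals in EXPECTED are assumptions not stated on this page, and the input is assumed to be each role's AssumeRolePolicyDocument as returned by `aws iam get-role`.

```python
# Added example. Role names come from this page; the service principals are
# assumptions to confirm against the "Checking for ..." pages it links to.
EXPECTED = {
    "AmazonAppStreamServiceAccess": "appstream.amazonaws.com",
    "ApplicationAutoScalingForAmazonAppStreamAccess":
        "application-autoscaling.amazonaws.com",
    "AWSServiceRoleForApplicationAutoScaling_AppStreamFleet":
        "appstream.application-autoscaling.amazonaws.com",
    "AmazonAppStreamPCAAccess": "prod.euc.ecm.amazonaws.com",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusted_principals(trust_policy):
    """Return every principal an Allow statement lets assume the role."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous wildcard principal
            found.add("*")
            continue
        for kind, values in principal.items():
            found.update(f"{kind}:{v}" for v in _as_list(values))
    return found

def audit(roles):
    """roles maps RoleName -> trust policy dict; returns {role: [findings]}."""
    report = {}
    for name, service in EXPECTED.items():
        if name not in roles:
            report[name] = ["role missing"]
            continue
        want, got = f"Service:{service}", trusted_principals(roles[name])
        findings = [] if want in got else [f"does not trust {service}"]
        findings += [f"unexpected principal {p}" for p in sorted(got - {want})]
        report[name] = findings
    return report

def _trust(principal):  # builds a constructed sample trust policy
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]}

SAMPLE = {  # constructed input, not output from a real account
    "AmazonAppStreamServiceAccess": _trust({"Service": "appstream.amazonaws.com"}),
    "AmazonAppStreamPCAAccess": _trust({"Service": "prod.euc.ecm.amazonaws.com", "AWS": "*"}),
}
```

An empty findings list for a role means it exists and trusts only the expected service; the check covers trust relationships only, not the permissions policies attached to each role.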