Service-linked roles for Application Auto Scaling
Application Auto Scaling uses service-linked roles for the permissions that it requires to call other AWS services on your behalf. A service-linked role is a unique type of AWS Identity and Access Management (IAM) role that is linked directly to an AWS service. Service-linked roles provide a secure way to delegate permissions to AWS services because only the linked service can assume a service-linked role.
For services that integrate with Application Auto Scaling, Application Auto Scaling creates service-linked roles for you. There is one service-linked role for each service. Each service-linked role trusts the specified service principal to assume it. For more information, see Service-linked role ARN reference.
Application Auto Scaling includes all of the necessary permissions for each service-linked role. These managed permissions are created and managed by Application Auto Scaling, and they define the allowed actions for each resource type. For details about the permissions that each role grants, see AWS managed policies for Application Auto Scaling.
Contents
Permissions required to create a service-linked role
Application Auto Scaling requires permissions to create a service-linked role the first time any user in
your AWS account calls RegisterScalableTarget for a given service. Application Auto Scaling
creates a service-linked role for the target service in your account, if the role does not
exist already. The service-linked role grants permissions to Application Auto Scaling so that it can call
the target service on your behalf.
For automatic role creation to succeed, users must have permission for the
iam:CreateServiceLinkedRole action.
"Action": "iam:CreateServiceLinkedRole"The following is an identity-based policy that grants permission to create a
service-linked role for Spot Fleet. You can specify the service-linked role in the policy's
Resource field as an ARN, and the service principal for your service-linked
role as a condition, as shown. For the ARN for each service, see Service-linked role ARN reference.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
"Condition": {
"StringLike": {
"iam:AWSServiceName":"ec2.application-autoscaling.amazonaws.com"
}
}
}
]
}Note
The iam:AWSServiceName IAM condition key specifies the service
principal to which the role is attached, which is indicated in this example policy as
ec2.application-autoscaling.amazonaws.com
Create service-linked roles (automatic)
You don't need to manually create a service-linked role. Application Auto Scaling creates the
appropriate service-linked role for you when you call RegisterScalableTarget.
For example, if you set up automatic scaling for an Amazon ECS service, Application Auto Scaling creates the
AWSServiceRoleForApplicationAutoScaling_ECSService role.
Create service-linked roles (manual)
To create the service-linked role, you can use the IAM console, AWS CLI, or IAM API. For more information, see Creating a service-linked role in the IAM User Guide.
To create a service-linked role (AWS CLI)
Use the following create-service-linked-role CLI command to create the Application Auto Scaling service-linked role. In the request, specify the service name "prefix".
To find the service name prefix, refer to the information about the service principal
for the service-linked role for each service in the AWS services that you can use with Application Auto Scaling section.
The service name and the service principal share the same prefix. For example, to create
the AWS Lambda service-linked role, use
lambda.application-autoscaling.amazonaws.com.
aws iam create-service-linked-role --aws-service-nameprefix.application-autoscaling.amazonaws.com
Edit the service-linked roles
With the service-linked roles created by Application Auto Scaling, you can edit only their descriptions. For more information, see Editing a service-linked role in the IAM User Guide.
Delete the service-linked roles
If you no longer use Application Auto Scaling with a supported service, we recommend that you delete the corresponding service-linked role.
You can delete a service-linked role only after first deleting the related AWS resources. This protects you from inadvertently revoking Application Auto Scaling permissions to your resources. For more information, see the documentation for the scalable resource. For example, to delete an Amazon ECS service, see Deleting a service in the Amazon Elastic Container Service Developer Guide.
You can use IAM to delete a service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.
After you delete a service-linked role, Application Auto Scaling creates the role again when you call
RegisterScalableTarget.
Supported Regions for Application Auto Scaling service-linked roles
Application Auto Scaling supports using service-linked roles in all of the AWS Regions where the service is available.
Service-linked role ARN reference
The following table lists the Amazon Resource Name (ARN) of the service-linked role for each AWS service that works with Application Auto Scaling.
| Service | ARN |
|---|---|
| AppStream 2.0 | arn:aws:iam:: |
| Aurora | arn:aws:iam:: |
| Comprehend | arn:aws:iam:: |
| DynamoDB | arn:aws:iam:: |
| ECS | arn:aws:iam:: |
| ElastiCache | arn:aws:iam:: |
| Keyspaces | arn:aws:iam:: |
| Lambda | arn:aws:iam:: |
| MSK | arn:aws:iam:: |
| Neptune | arn:aws:iam:: |
| SageMaker | arn:aws:iam:: |
| Spot Fleets | arn:aws:iam:: |
| Custom resources | arn:aws:iam:: |
Note
You can specify the ARN of a service-linked role for the RoleARN property
of an AWS::ApplicationAutoScaling::ScalableTarget resource in your AWS CloudFormation stack
templates, even if the specified service-linked role doesn't yet exist. Application Auto Scaling
automatically creates the role for you.
