AWS Auto Scaling service-linked roles - AWS Auto Scaling

AWS Auto Scaling service-linked roles

Important

To get complete information about the service-linked roles that are required to use scaling plans, see Service-linked roles.

AWS Auto Scaling uses service-linked roles for the permissions that it requires to call other AWS on your behalf. A service-linked role is a unique type of AWS Identity and Access Management (IAM) role that is linked directly to an AWS service.

Service-linked roles provide a secure way to delegate permissions to Amazon Web Services because only the linked service can assume a service-linked role. For more information, see Using service-linked roles in the IAM User Guide.

The following sections describe how to create and manage the AWS Auto Scaling service-linked role. Start by configuring permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role.

Permissions granted by the service-linked role

AWS Auto Scaling uses the AWSServiceRoleForAutoScalingPlans_EC2AutoScaling service-linked role to manage predictive scaling of Amazon EC2 Auto Scaling groups on your behalf. This role is predefined with permissions to make the following calls on your behalf:

  • cloudwatch:GetMetricData

  • autoscaling:DescribeAutoScalingGroups

  • autoscaling:DescribeScheduledActions

  • autoscaling:BatchPutScheduledUpdateGroupAction

  • autoscaling:BatchDeleteScheduledAction

This role trusts the autoscaling-plans.amazonaws.com service to assume it.

Create the service-linked role (automatic)

AWS Auto Scaling creates the AWSServiceRoleForAutoScalingPlans_EC2AutoScaling role for you the first time that you create a scaling plan with predictive scaling enabled.

Important

Make sure that you have enabled the IAM permissions that allow an IAM entity (such as a user, group, or role) to create the service-linked role. Otherwise, the automatic creation fails. For more information, see Service-linked role permissions in the IAM User Guide or the information about Permissions required to create a service-linked role in this guide.

Create the service-linked role (manual)

To create the service-linked role manually, you can use the IAM console, AWS CLI, or IAM API. For more information, see Creating a service-linked role in the IAM User Guide.

To create a service-linked role (AWS CLI)

Use the following create-service-linked-role CLI command to create the AWS Auto Scaling service-linked role.

aws iam create-service-linked-role --aws-service-name autoscaling-plans.amazonaws.com

Edit the service-linked role

With the AWSServiceRoleForAutoScalingPlans_EC2AutoScaling role created by AWS Auto Scaling, you can edit only its description and not its permissions. For more information, see Editing a service-linked role in the IAM User Guide.

Delete the service-linked role

If you no longer use scaling plans, we recommend that you delete the service-linked role. You can delete a service-linked role only after first deleting the associated dependent resources. If a service-linked role is used with multiple scaling plans, you must delete all scaling plans with predictive scaling enabled before you can delete the role. This protects your scaling plans by preventing you from inadvertently removing the permissions that you need to manage them. For more information, see Step 5: Clean up.

You can use IAM to delete the service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

After you delete the AWSServiceRoleForAutoScalingPlans_EC2AutoScaling service-linked role, AWS Auto Scaling creates the role again when you create a scaling plan with predictive scaling enabled.

Supported regions for the service-linked role

AWS Auto Scaling supports using service-linked roles in all of the Regions where the service is available.