AWSServiceRoleForAWSIQPermission AWSServiceRoleForAWSIQContract Creating a service-linked role for AWS IQ Editing a service-linked role for AWS IQ Deleting a service-linked role for AWS IQ Supported Regions for AWS IQ service-linked roles

Using service-linked roles in AWS IQ

AWS IQ uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS IQ. Service-linked roles are predefined by AWS IQ and include all the permissions that the service requires to call other AWS services on your behalf.

For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose Yes with a link to view the service-linked role documentation for that service.

Topics

AWSServiceRoleForAWSIQPermission
AWSServiceRoleForAWSIQContract
Creating a service-linked role for AWS IQ
Editing a service-linked role for AWS IQ
Deleting a service-linked role for AWS IQ
Supported Regions for AWS IQ service-linked roles

`AWSServiceRoleForAWSIQPermission`

AWS IQ uses the service-linked role named AWSServiceRoleForAWSIQPermission. This role provides AWS IQ permissions to control the life cycle of permissions requests that you grant to AWS IQ experts.

The AWSServiceRoleForAWSIQPermission service-linked role trusts the following services to assume the role: permission.iq.amazonaws.com

The role permissions policy, AWSIQPermissionServiceRolePolicy, allows AWS IQ to complete the following actions on the specified resources:

Action: iam:DeleteRole, iam:ListAttachedRolePolicies,iam:AttachRolePolicy, iam:DetachRolePolicy on AWSIQPermission-*

Note

The policy includes the condition key { "ArnEquals": { "iam:PolicyARN": "arn:aws:iam::aws:policy/AWSDenyAll" }, which means that the service can only attach the AWSDenyAll policy.

`AWSServiceRoleForAWSIQContract`

AWS IQ uses the service-linked role named AWSServiceRoleForAWSIQContract. This role provides AWS IQ permissions to execute approved AWS IQ payment requests on your behalf. The AWSServiceRoleForAWSIQContract service-linked role trusts the following services to assume the role: contract.iq.amazonaws.com.

The role permissions policy named AWSIQContractServiceRolePolicy allows AWS IQ to complete the following actions on the specified resources:

Action: aws-marketplace:Subscribe on *

You must configure permissions to allow an IAM entity such as a user, group, or role to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions.

Creating a service-linked role for AWS IQ

In AWS IQ, AWS Marketplace creates the service-linked role for you when you set up integration with AWS License Manager. For more information, see Creating a service-linked role for AWS Marketplace.

Editing a service-linked role for AWS IQ

In AWS IQ, AWS Marketplace doesn't allow you to edit the service-linked role. For more information, see Editing a service-linked role for AWS Marketplace.

Deleting a service-linked role for AWS IQ

If you don't need to use a feature or service that requires a service-linked role, we recommend deleting that role. For more information, see Deleting a service-linked role for AWS Marketplace.

Supported Regions for AWS IQ service-linked roles

AWS IQ, through AWS Marketplace, supports using service-linked roles in all of the AWS Regions where service is available. For more information, see AWS Marketplace Regions and Endpoints.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Account permissions

Monitoring activity