Amazon Braket service-linked role - Amazon Braket

Amazon Braket service-linked role

When you enable Amazon Braket, a service-linked role is created in your account.

A service-linked role is a unique type of IAM role that, in this case, is linked directly to Amazon Braket. The Amazon Braket service-linked role is predefined to include all the permissions that Braket requires when calling other AWS services on your behalf.

A service-linked role makes setting up Amazon Braket easier because you don’t have to add the necessary permissions manually. Amazon Braket defines the permissions of its service-linked roles. Unless you change these definitions, only Amazon Braket can assume its roles. The defined permissions include the trust policy and the permissions policy. The permissions policy cannot be attached to any other IAM entity.

The service-linked role that Amazon Braket sets up is part of the AWS Identity and Access Management (IAM) service-linked roles capability. For information about other AWS services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for Amazon Braket

Amazon Braket uses the service-linked role named with the prefix AWSServiceRoleForAmazonBraket.

The AWSServiceRoleForAmazonBraket service-linked role trusts the following services to assume the role:

  • Amazon Braket

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.

The service-linked role in Amazon Braket is granted the following permissions by default:

  • Amazon S3 – permissions to list the buckets in your account, and put objects into and get objects from any bucket in your account with a name that starts with amazon-braket-.

  • Amazon CloudWatch Logs – permissions to list and create log groups and the associated log streams, and put events into the log group created for Amazon Braket.

The following policy is attached to the AWSServiceRoleForAmazonBraket service-linked role:

{"Version": "2012-10-17", "Statement": [ {"Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::amazon-braket*" }, {"Effect": "Allow", "Action": [ "logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/braket/*" }, {"Effect": "Allow", "Action": "braket:*", "Resource": "*" }, {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*", "Condition": {"StringEquals": {"iam:AWSServiceName": "braket.amazonaws.com" } } } ] }