Using service-linked roles for Migration Hub Orchestrator - AWS Migration Hub Orchestrator

Using service-linked roles for Migration Hub Orchestrator

Migration Hub Orchestrator uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Migration Hub Orchestrator. Service-linked roles are predefined by Migration Hub Orchestrator and include all of the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Migration Hub Orchestrator easier because you don’t have to manually add the necessary permissions. Migration Hub Orchestrator defines the permissions of its service-linked roles, and unless you make changes to the configuration, only Migration Hub Orchestrator can assume its roles. Configurable permissions include the trust policy and the permissions policy. You can't attach the permissions policy to any other IAM entity.

For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Follow the Yes link to view the service-linked role documentation for that service, if applicable.

Service-linked role permissions for Migration Hub Orchestrator

Migration Hub Orchestrator uses the service-linked role named AWSServiceRoleForMigrationHubOrchestrator and associates it with the AWSMigrationHubOrchestratorServiceRolePolicy IAM policy, which provides access to AWS Migration Hub and AWS Application Discovery Service. This policy also grants permissions for storing reports in Amazon Simple Storage Service (Amazon S3).

The AWSServiceRoleForMigrationHubOrchestrator service-linked role trusts the following services to assume the role:

  • migrationhub-orchestrator.amazonaws.com

The role permissions policy allows Migration Hub Orchestrator to complete the following actions.

AWS Application Discovery Service actions

  • discovery:ListConfigurations
  • discovery:DescribeConfigurations

AWS Launch Wizard actions

  • launchwizard:DescribeProvisionedApp
  • launchwizard:GetDeployment
  • launchwizard:ListDeployments
  • launchwizard:ListProvisionedApps

Amazon Elastic Compute Cloud actions

  • ec2:DescribeInstances
  • ec2:CreateLaunchTemplateVersion
  • ec2:ModifyLaunchTemplate
  • ec2:DescribeImportImageTasks
  • ec2:DescribeLaunchTemplates

AWS Migration Hub actions

  • mgh:GetHomeRegion

Amazon EC2 Systems Manager actions

  • ssm:SendCommand
  • ssm:GetCommandInvocation
  • ssm:CancelCommand
  • ssm:DescribeInstanceInformation

Amazon S3 actions

  • s3:GetObject
  • s3:ListBucket

Amazon EventBridge actions

  • events:PutTargets
  • events:DescribeRule
  • events:DeleteRule
  • events:PutRule
  • events:RemoveTargets

AWS Application Migration Service actions

  • mgn:GetReplicationConfiguration
  • mgn:GetLaunchConfiguration
  • mgn:StartCutover
  • mgn:FinalizeCutover
  • mgn:StartTest
  • mgn:UpdateReplicationConfiguration
  • mgn:DescribeSourceServers
  • mgn:MarkAsArchived
  • mgn:ChangeServerLifeCycleState
  • mgn:StartReplication

To view the permissions for this policy, see AWSMigrationHubOrchestratorServiceRolePolicy in the AWS Managed Policy Reference Guide.

To view the update history of this policy, see Migration Hub Orchestrator updates to AWS managed policies.
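Because the trust policy is configurable, a periodic check that it still names only the migrationhub-orchestrator.amazonaws.com service principal, and that only AWSMigrationHubOrchestratorServiceRolePolicy is attached, catches a broadened role early. The audit below is an added example, not AWS code; it takes the AssumeRolePolicyDocument that `aws iam get-role` returns and the policy names that `aws iam list-attached-role-policies` returns. The sample documents are constructed, and the account ID 111122223333 in the broadened policy is a placeholder.

```python
# Added example (not AWS code): audit the Migration Hub Orchestrator SLR's
# trust policy and attached policies against the shape this page documents.
# Inputs are the AssumeRolePolicyDocument from `aws iam get-role` and the
# policy names from `aws iam list-attached-role-policies`.
POLICY_NAME = "AWSMigrationHubOrchestratorServiceRolePolicy"
EXPECTED_PRINCIPAL = "migrationhub-orchestrator.amazonaws.com"


def _as_list(value):
    """IAM policy JSON allows either a string or a list in most positions."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(doc: dict) -> list:
    """Return findings for a trust policy; empty means it matches the documented
    shape: Allow statements only, sts:AssumeRole only, only the service principal."""
    findings = []
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {stmt.get('Effect')!r}")
            continue
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action!r}")
        principal = stmt.get("Principal", {})
        # "*" or an AWS/Federated principal lets something other than the service assume the role
        if isinstance(principal, str) or set(principal) - {"Service"}:
            findings.append(f"statement {i}: non-service principal {principal!r}")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc != EXPECTED_PRINCIPAL:
                findings.append(f"statement {i}: unexpected service principal {svc!r}")
    return findings


def audit_attached_policies(policy_names: list) -> list:
    """Flag a missing documented policy or any extra policy attached to the role."""
    findings = [] if POLICY_NAME in policy_names else [f"missing {POLICY_NAME}"]
    findings += [f"extra policy attached: {n}" for n in policy_names if n != POLICY_NAME]
    return findings


# Constructed sample documents (not captured from a real account); 111122223333 is a placeholder.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"Service": EXPECTED_PRINCIPAL}}]}
BROAD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"Service": EXPECTED_PRINCIPAL, "AWS": "arn:aws:iam::111122223333:root"}}]}
```

Run both audits against the live role on a schedule and alert on any non-empty result; an empty list from both means the role still looks exactly as this page describes it.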

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.

Creating a service-linked role for Migration Hub Orchestrator

You don't need to manually create a service-linked role. When you agree to allow Migration Hub to create a service-linked role (SLR) in your account in the AWS Management Console, Migration Hub Orchestrator creates the service-linked role for you.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you agree to allow Migration Hub to create a service-linked role (SLR) in your account, Migration Hub Orchestrator creates the service-linked role for you again.

Editing a service-linked role for Migration Hub Orchestrator

Migration Hub Orchestrator does not allow you to edit the AWSServiceRoleForMigrationHubOrchestrator service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using the Migration Hub Orchestrator console, CLI, or API.

Deleting a service-linked role for Migration Hub Orchestrator

To manually delete the service-linked role using IAM

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForMigrationHubOrchestrator service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

Before you delete the AWSServiceRoleForMigrationHubOrchestrator SLR, make sure that no assessments (tasks for generating recommendations) are running, including background assessments. If assessments are running, the SLR deletion fails in the IAM console; you can retry the deletion after all background tasks have completed. You don’t need to clean up any created resources before you delete the SLR.

Supported Regions for Migration Hub Orchestrator service-linked roles

Migration Hub Orchestrator supports using service-linked roles in all of the Regions where the service is available. For more information, see AWS Regions and Endpoints.