Using service-linked roles to create VPC domains and direct query data sources
Amazon OpenSearch Service uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to OpenSearch Service. Service-linked roles are predefined by OpenSearch Service and include all the permissions that the service requires to call other AWS services on your behalf.
OpenSearch Service uses the service-linked role named AWSServiceRoleForAmazonOpenSearchService, which provides the minimum Amazon EC2 and Elastic Load Balancing permissions necessary for the role to enable VPC access for a domain or a direct query data source.
Legacy Elasticsearch role
Amazon OpenSearch Service uses a service-linked role called AWSServiceRoleForAmazonOpenSearchService
. Your accounts
might also contain a legacy service-linked role called
AWSServiceRoleForAmazonElasticsearchService
, which works with the
deprecated Elasticsearch API endpoints.
If the legacy Elasticsearch role doesn't exist in your account, OpenSearch Service automatically
creates a new OpenSearch service-linked role the first time you create an
OpenSearch domain. Otherwise your account continues to use the Elasticsearch role.
In order for this automatic creation to succeed, you must have permissions for the
iam:CreateServiceLinkedRole
action.
Permissions
The AWSServiceRoleForAmazonOpenSearchService
service-linked role trusts the following services to
assume the role:
-
opensearchservice.amazonaws.com
The role permissions policy named
AmazonOpenSearchServiceRolePolicy
allows OpenSearch Service to
complete the following actions on the specified resources:
-
Action:
acm:DescribeCertificate
on*
-
Action:
cloudwatch:PutMetricData
on*
-
Action:
ec2:CreateNetworkInterface
on*
-
Action:
ec2:DeleteNetworkInterface
on*
-
Action:
ec2:DescribeNetworkInterfaces
on*
-
Action:
ec2:ModifyNetworkInterfaceAttribute
on*
-
Action:
ec2:DescribeSecurityGroups
on*
-
Action:
ec2:DescribeSubnets
on*
-
Action:
ec2:DescribeVpcs
on*
-
Action:
ec2:CreateTags
on all network interfaces and VPC endpoints -
Action:
ec2:DescribeTags
on*
-
Action:
ec2:CreateVpcEndpoint
on all VPCs, security groups, subnets, and route tables, as well as all VPC endpoints when the request contains the tagOpenSearchManaged=true
-
Action:
ec2:ModifyVpcEndpoint
on all VPCs, security groups, subnets, and route tables, as well as all VPC endpoints when the request contains the tagOpenSearchManaged=true
-
Action:
ec2:DeleteVpcEndpoints
on all endpoints when the request contains the tagOpenSearchManaged=true
-
Action:
ec2:AssignIpv6Addresses
on*
-
Action:
ec2:UnAssignIpv6Addresses
on*
-
Action:
elasticloadbalancing:AddListenerCertificates
on*
-
Action:
elasticloadbalancing:RemoveListenerCertificates
on*
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.
Creating the service-linked role
You don't need to manually create a service-linked role. When you create a
VPC-enabled domain or a direct query data source using the AWS Management Console, OpenSearch Service creates
the service-linked role for you. In order for this automatic creation to succeed,
you must have permissions for the iam:CreateServiceLinkedRole
action.
You can also use the IAM console, the IAM CLI, or the IAM API to create a service-linked role manually. For more information, see Creating a service-linked role in the IAM User Guide.
Editing the service-linked role
OpenSearch Service doesn't let you edit the AWSServiceRoleForAmazonOpenSearchService
service-linked role. After
you create a service-linked role, you can't change the name of the role because
various entities might reference the role. However, you can edit the description of
the role using IAM. For more information, see Editing a service-linked role in the
IAM User Guide.
Deleting the service-linked role
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.
Cleaning up the service-linked role
Before you can use IAM to delete a service-linked role, you must first confirm that the role has no active sessions and remove any resources used by the role.
To check whether the service-linked role has an active session in the IAM console
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane of the IAM console, choose Roles. Then choose the name (not the check box) of the
AWSServiceRoleForAmazonOpenSearchService
role. -
On the Summary page for the selected role, choose the Access Advisor tab.
-
On the Access Advisor tab, review recent activity for the service-linked role.
Note
If you're unsure whether OpenSearch Service is using the
AWSServiceRoleForAmazonOpenSearchService
role, you can try to delete the role. If the service is using the role, then the deletion fails and you can view the resources using the role. If the role is being used, then you must wait for the session to end before you can delete the role, and/or delete the resources using the role. You cannot revoke the session for a service-linked role.
Manually deleting a service-linked role
Delete service-linked roles from the IAM console, API, or AWS CLI. For instructions, see Deleting a service-linked role in the IAM User Guide.