Service-linked roles for IPAM - Amazon Virtual Private Cloud

Service-linked roles for IPAM

Service-linked roles in AWS Identity and Access Management (IAM) enable AWS services to call other AWS services on your behalf. For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

There is currently only one service-linked role for IPAM: AWSServiceRoleForIPAM.

Permissions granted to the service-linked role

IPAM uses the AWSServiceRoleForIPAM service-linked role to call the actions in the attached AWSIPAMServiceRolePolicy managed policy. For more information on the allowed actions in that policy, see AWS managed policies for IPAM.

Also attached to the service-linked role is an IAM trusted policy that allows the ipam.amazonaws.com service to assume the service-linked role.

Create the service-linked role

IPAM monitors the IP address usage in one or more accounts by assuming the service-linked role in an account, discovering the resources and their CIDRs, and integrating the resources with IPAM.

The service-linked role is created in one of two ways:

  • When you integrate with AWS Organizations

    If you Integrate IPAM with AWS Organizations using the IPAM console or using the enable-ipam-organization-admin-account AWS CLI command, the AWSServiceRoleForIPAM service-linked role is automatically created in each of your AWS Organizations member accounts. As a result, the resources within all member accounts are discoverable by IPAM.

    Important

    For IPAM to create the service-linked role on your behalf:

    • The AWS Organizations management account that enables IPAM integration with AWS Organizations must have an IAM policy attached to it that permits the following actions:

      • ec2:EnableIpamOrganizationAdminAccount

      • organizations:EnableAwsServiceAccess

      • organizations:RegisterDelegatedAdministrator

      • iam:CreateServiceLinkedRole

    • The IPAM account must have an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action.

  • When you create an IPAM using a single AWS account

    If you Use IPAM with a single account, the AWSServiceRoleForIPAM service-linked role is automatically created when you create an IPAM as that account.

    Important

    If you use IPAM with a single AWS account, before you create an IPAM, you must ensure that the AWS account you are using has an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action. When you create the IPAM, you automatically create the AWSServiceRoleForIPAM service-linked role. For more information on managing IAM policies, see Editing IAM policies in the IAM User Guide.

Edit the service-linked role

You cannot edit the AWSServiceRoleForIPAM service-linked role.

Delete the service-linked role

If you no longer need to use IPAM, we recommend that you delete the AWSServiceRoleForIPAM service-linked role.

Note

You can delete the service-linked role only after you delete all IPAM resources in your AWS account. This ensures that you can't inadvertently remove the monitoring capability of IPAM.

Follow these steps to delete the service-linked role via the AWS CLI:

  1. Delete your IPAM resources using deprovision-ipam-pool-cidr and delete-ipam. For more information, see Deprovision CIDRs from a pool and Delete an IPAM.

  2. Disable the IPAM account with disable-ipam-organization-admin-account.

  3. Disable the IPAM service with disable-aws-service-access using the --service-principal ipam.amazonaws.com option.

  4. Delete the service-linked role: delete-service-linked-role. When you delete the service-linked role, the IPAM managed policy is also deleted. For more information, see Deleting a service-linked role in the IAM User Guide.