Service-linked roles for IPAM - Amazon Virtual Private Cloud

Service-linked roles for IPAM

Service-linked roles in AWS Identity and Access Management (IAM) enable AWS services to call other AWS services on your behalf. For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

There is currently only one service-linked role for IPAM: AWSServiceRoleForIPAM.

Permissions granted to the service-linked role

IPAM uses the AWSServiceRoleForIPAM service-linked role to call the actions in the attached AWSIPAMServiceRolePolicy managed policy. For more information on the allowed actions in that policy, see AWS managed policies for IPAM.

The service-linked role also carries an IAM trust policy that allows the ipam.amazonaws.com service principal to assume it.

Create the service-linked role

If you enable IPAM integration with AWS Organizations using the IPAM console or the enable-ipam-organization-admin-account AWS CLI command, the AWSServiceRoleForIPAM service-linked role is automatically created in each of your AWS Organizations member accounts. If you use IPAM with a single account, this service-linked role is also created. For more information, see Configure permissions for your IPAM.

IPAM monitors the IP address usage in one or more accounts by assuming the service-linked role in each account, discovering the resources and their CIDRs, and integrating them with IPAM. If you've enabled IPAM integration with AWS Organizations, the resources within all member accounts will be discoverable by IPAM.

If you integrate IPAM with AWS Organizations, the AWS Organizations management account that enables monitoring or IPAM integration must use an IAM role that permits the following actions, so that IPAM can create the service-linked role on your behalf:

  • ec2:EnableIpamOrganizationAdminAccount

  • organizations:EnableAwsServiceAccess

  • organizations:RegisterDelegatedAdministrator

  • iam:CreateServiceLinkedRole

Edit the service-linked role

You cannot edit the AWSServiceRoleForIPAM service-linked role.

Delete the service-linked role

If you no longer need to use IPAM, we recommend that you delete the AWSServiceRoleForIPAM service-linked role.

Note

You can delete the service-linked role only after you delete all IPAM resources in your AWS account. This ensures that you can't inadvertently remove the monitoring capability of IPAM.

Follow these steps to delete the service-linked role via the AWS CLI:

  1. Delete your IPAM resources using deprovision-ipam-pool-cidr and delete-ipam. For more information, see Deprovision CIDRs from a pool and Delete an IPAM.

  2. Disable the IPAM delegated administrator account with disable-ipam-organization-admin-account.

  3. Disable the IPAM service with disable-aws-service-access using the --service-principal ipam.amazonaws.com option.

  4. Delete the service-linked role: delete-service-linked-role. When you delete the service-linked role, the IPAM managed policy is also deleted. For more information, see Deleting a service-linked role in the IAM User Guide.
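The four steps above as one script, added here as an example and not AWS's own code. It assumes a single pool with a single provisioned CIDR, takes the IPAM ID, pool ID, CIDR and delegated administrator account ID as arguments (an empty account ID skips the two AWS Organizations steps for a single-account IPAM), and lets you set AWS=echo to print the CLI calls instead of running them.

```shell
#!/usr/bin/env sh
# Tear down IPAM and its service-linked role in the order the AWS docs give.
# Set AWS=echo for a dry run that prints each CLI call instead of executing it.
set -eu

ROLE_NAME="AWSServiceRoleForIPAM"
SERVICE_PRINCIPAL="ipam.amazonaws.com"

# usage: run_teardown <ipam-id> <pool-id> <cidr> [delegated-admin-account-id]
# Pass an empty account ID (or omit it) for a single-account IPAM, which has
# no delegated administrator and no Organizations trusted access to disable.
run_teardown() {
  ipam_id="$1"; pool_id="$2"; cidr="$3"; admin_account="${4:-}"
  aws_cli="${AWS:-aws}"

  # Step 1: delete the IPAM resources. The service-linked role cannot be
  # deleted while any IPAM remains, so this must come first.
  "$aws_cli" ec2 deprovision-ipam-pool-cidr --ipam-pool-id "$pool_id" --cidr "$cidr"
  "$aws_cli" ec2 delete-ipam --ipam-id "$ipam_id"

  if [ -n "$admin_account" ]; then
    # Step 2: remove the delegated IPAM administrator account.
    "$aws_cli" ec2 disable-ipam-organization-admin-account \
      --delegated-admin-account-id "$admin_account"
    # Step 3: disable IPAM's trusted access in AWS Organizations.
    "$aws_cli" organizations disable-aws-service-access \
      --service-principal "$SERVICE_PRINCIPAL"
  fi

  # Step 4: delete the service-linked role; AWSIPAMServiceRolePolicy goes with it.
  # The call returns a DeletionTaskId that can be checked with
  # `aws iam get-service-linked-role-deletion-status --deletion-task-id <id>`.
  "$aws_cli" iam delete-service-linked-role --role-name "$ROLE_NAME"
}

# Dry-run invocation with placeholder IDs (constructed, not real resources):
#   AWS=echo run_teardown ipam-0123456789abcdef0 ipam-pool-0123456789abcdef0 10.0.0.0/16 111122223333
```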