Service-linked roles (SLRs) can be assumed only by AWS services to call other AWS services on your behalf. The permissions in the second policy allow an IAM principal to create the SLRs for the specific services. Once the SLRs are created, the respective AWS services can operate in the account. Without the required SLRs, the respective services will not work.

Service-linked roles and service roles are very different: you control service roles and their policies, while service-linked roles are managed by AWS - you can only allow the creation of the SLRs, but you can't control their policies. For example, AWS Lambda can use service roles to allow a function to access AWS services: you define what permissions your application requires. On the other hand, to create an Amazon EKS cluster you must have an SLR that allows EKS to create the required resources. If the SLR required by EKS does not already exist in the account, and the principal trying to create the EKS cluster does not have permission to create the SLR, then the creation of the cluster will fail.
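The answer above describes a permission that only lets a principal create SLRs for particular services. The following added example (not from the original post or from AWS) shows what such a least-privilege statement looks like and evaluates it offline: the policy grants `iam:CreateServiceLinkedRole` only when the `iam:AWSServiceName` condition key names EKS, so the same principal cannot create SLRs for unrelated services. The policy documents, the service principal names used for the deny example, and the evaluator function are assumptions constructed for illustration; the evaluator handles only the `StringEquals` and `StringLike` operators and treats the `Resource` element as `*`.

```python
import fnmatch

ACTION = "iam:CreateServiceLinkedRole"
CONDITION_KEY = "iam:AWSServiceName"

# Constructed example: least-privilege policy that allows creating the SLRs
# needed by Amazon EKS and nothing else. This is an illustration, not the
# "second policy" referred to in the answer.
EKS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEksServiceLinkedRoles",
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    CONDITION_KEY: [
                        "eks.amazonaws.com",
                        "eks-nodegroup.amazonaws.com",
                    ]
                }
            },
        }
    ],
}

# Constructed example of the over-broad alternative: the principal may create
# the SLR for any AWS service, which is more than the EKS use case needs.
ANY_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ACTION, "Resource": "*"}
    ],
}

# Constructed example showing that an explicit Deny wins over an Allow.
DENY_OVERRIDES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ACTION,
            "Resource": "*",
            "Condition": {"StringLike": {CONDITION_KEY: "eks*.amazonaws.com"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    # IAM action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def _condition_matches(statement, service_name):
    condition = statement.get("Condition")
    if not condition:
        return True  # no condition: the statement applies to every service
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key.lower() != CONDITION_KEY.lower():
                return False  # only iam:AWSServiceName is modelled here
            values = _as_list(values)
            if operator == "StringEquals":
                ok = service_name in values
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(service_name, p) for p in values)
            else:
                return False  # unsupported operator: treat as not satisfied
            if not ok:
                return False
    return True


def allows_slr_creation(policy, service_name):
    """True if the policy lets the principal create the SLR for service_name.

    Mirrors the IAM evaluation order in simplified form: an explicit Deny
    that matches wins, a matching Allow grants, and no match is an implicit deny.
    """
    allowed = False
    for statement in policy["Statement"]:
        if not _action_matches(statement, ACTION):
            continue
        if not _condition_matches(statement, service_name):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def audit_policy(policy, service_names):
    """Map each service principal to whether the policy lets its SLR be created."""
    return {name: allows_slr_creation(policy, name) for name in service_names}


if __name__ == "__main__":
    services = ["eks.amazonaws.com", "eks-nodegroup.amazonaws.com", "ec2.amazonaws.com"]
    for label, policy in [("EKS only", EKS_ONLY_POLICY),
                          ("any service", ANY_SERVICE_POLICY),
                          ("deny overrides", DENY_OVERRIDES_POLICY)]:
        print(label, audit_policy(policy, services))
```

Running the module prints the per-service result for each constructed policy; the EKS-only policy grants creation for the two EKS principals and nothing else, which is the scope a cluster-creating principal actually needs. In a real account the decisive check remains whether the SLR already exists (`aws iam get-role --role-name AWSServiceRoleForAmazonEKS`, a real CLI command) or, if it does not, whether the calling principal is allowed to create it.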