By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Create service linked roles for service with multiple service linked roles

0

In looking at AWS backup: https://docs.aws.amazon.com/aws-backup/latest/devguide/using-service-linked-roles.html

It seems to have four different and unique service linked roles. How would I use the IAM API CreateServiceLinkedRole action to create these? When I pass in backup.amazonaws.com to CreateServiceLinkedRole it creates AWSServiceRoleForBackup, and not the other three like AWSBackupDefaultServiceRole, AWSServiceRoleForBackupReports, or AWSServiceRolePolicyForBackupRestoreTesting.

2 Answers
1
Accepted Answer

To create multiple service-linked roles for a service that has more than one, you need to use the CreateServiceLinkedRole action multiple times, specifying the different service principal names.

Here's an example of how you can use the AWS SDK (in this case, the AWS CLI) to create all four service-linked roles for AWS Backup:

# Create AWSServiceRoleForBackup
aws iam create-service-linked-role --aws-service-name backup.amazonaws.com

# Create AWSBackupDefaultServiceRole
aws iam create-service-linked-role --aws-service-name backup.amazonaws.com --description "AWSBackupDefaultServiceRole"

# Create AWSServiceRoleForBackupReports
aws iam create-service-linked-role --aws-service-name backup-reports.amazonaws.com --description "AWSServiceRoleForBackupReports"

# Create AWSServiceRolePolicyForBackupRestoreTesting
aws iam create-service-linked-role --aws-service-name backup-restore.amazonaws.com --description "AWSServiceRolePolicyForBackupRestoreTesting"

Here's a breakdown of what each command does:

  1. aws iam create-service-linked-role --aws-service-name backup.amazonaws.com: This creates the AWSServiceRoleForBackup service-linked role, which is the default service-linked role for AWS Backup.

  2. aws iam create-service-linked-role --aws-service-name backup.amazonaws.com --description "AWSBackupDefaultServiceRole": This creates the AWSBackupDefaultServiceRole service-linked role, which is used for backup operations.

  3. aws iam create-service-linked-role --aws-service-name backup-reports.amazonaws.com --description "AWSServiceRoleForBackupReports": This creates the AWSServiceRoleForBackupReports service-linked role, which is used for backup reporting.

  4. aws iam create-service-linked-role --aws-service-name backup-restore.amazonaws.com --description "AWSServiceRolePolicyForBackupRestoreTesting": This creates the AWSServiceRolePolicyForBackupRestoreTesting service-linked role, which is used for backup restore testing.

Note that the service principal names (backup.amazonaws.com, backup-reports.amazonaws.com, and backup-restore.amazonaws.com) are specific to the AWS Backup service. For other AWS services that use multiple service-linked roles, you would need to use the appropriate service principal names.

Also, be aware that the CreateServiceLinkedRole action can only be used to create new service-linked roles. If you need to update or delete existing service-linked roles, you'll need to use the appropriate IAM actions, such as UpdateServiceLinkedRole or DeleteServiceLinkedRole.

AWS
answered 7 months ago
0

Hello, per here, looks you would need to add specific three service linked role prefixes to you IAM user/role policy being used to create the service linked roles.

answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions