To create multiple service-linked roles for a service that has more than one, you need to use the `CreateServiceLinkedRole` action multiple times, specifying the different service principal names.
Here's an example of how you can use the AWS SDK (in this case, the AWS CLI) to create all four service-linked roles for AWS Backup:

```bash
# Create AWSServiceRoleForBackup
aws iam create-service-linked-role --aws-service-name backup.amazonaws.com

# Create AWSBackupDefaultServiceRole
aws iam create-service-linked-role --aws-service-name backup.amazonaws.com --description "AWSBackupDefaultServiceRole"

# Create AWSServiceRoleForBackupReports
aws iam create-service-linked-role --aws-service-name backup-reports.amazonaws.com --description "AWSServiceRoleForBackupReports"

# Create AWSServiceRolePolicyForBackupRestoreTesting
aws iam create-service-linked-role --aws-service-name backup-restore.amazonaws.com --description "AWSServiceRolePolicyForBackupRestoreTesting"
```
Here's a breakdown of what each command does:

- `aws iam create-service-linked-role --aws-service-name backup.amazonaws.com`: This creates the `AWSServiceRoleForBackup` service-linked role, which is the default service-linked role for AWS Backup.
- `aws iam create-service-linked-role --aws-service-name backup.amazonaws.com --description "AWSBackupDefaultServiceRole"`: This creates the `AWSBackupDefaultServiceRole` service-linked role, which is used for backup operations.
- `aws iam create-service-linked-role --aws-service-name backup-reports.amazonaws.com --description "AWSServiceRoleForBackupReports"`: This creates the `AWSServiceRoleForBackupReports` service-linked role, which is used for backup reporting.
- `aws iam create-service-linked-role --aws-service-name backup-restore.amazonaws.com --description "AWSServiceRolePolicyForBackupRestoreTesting"`: This creates the `AWSServiceRolePolicyForBackupRestoreTesting` service-linked role, which is used for backup restore testing.
Note that the service principal names (`backup.amazonaws.com`, `backup-reports.amazonaws.com`, and `backup-restore.amazonaws.com`) are specific to the AWS Backup service. For other AWS services that use multiple service-linked roles, you would need to use the appropriate service principal names.

Also, be aware that the `CreateServiceLinkedRole` action can only be used to create new service-linked roles. If you need to update or delete existing service-linked roles, you'll need to use the appropriate IAM actions, such as `UpdateServiceLinkedRole` or `DeleteServiceLinkedRole`.
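The same calls made through the IAM API from code rather than the CLI, as an added example for this thread (not the answer's code and not an AWS sample). It uses boto3's `create_service_linked_role`, takes the service principal names from the answer above as given (the restore-testing principal in particular should be confirmed against the AWS Backup documentation), and treats IAM's "role already exists" rejection as the account already being in the desired state instead of as a failure, so the script can be re-run safely; the exact wording of that rejection message is an assumption noted in the code.

```python
"""Create AWS Backup's service-linked roles through the IAM API with boto3.

Added example for this thread; not code from the answer or from AWS. It
assumes the service principal names listed in the answer above and that the
caller holds iam:CreateServiceLinkedRole for the roles in question.
"""
from dataclasses import dataclass
from typing import List, Optional

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # let the request/response handling run without the SDK installed
    boto3 = None

    class ClientError(Exception):  # same constructor shape as botocore's ClientError
        def __init__(self, error_response, operation_name):
            super().__init__(operation_name, error_response)
            self.response = error_response
            self.operation_name = operation_name

# Service principals taken from the answer above. backup-restore.amazonaws.com is
# the value the answer gives for restore testing; confirm it against the AWS Backup
# documentation before relying on it.
BACKUP_SERVICE_PRINCIPALS = (
    "backup.amazonaws.com",
    "backup-reports.amazonaws.com",
    "backup-restore.amazonaws.com",
)


@dataclass
class SlrResult:
    service_name: str
    role_arn: Optional[str]      # set only when this call created the role
    created: bool
    error: Optional[str] = None  # AWS error code when the call failed


def _already_exists(exc: ClientError) -> bool:
    """IAM rejects a duplicate service-linked role with error code InvalidInput and a
    message of the form 'Service role name ... has been taken in this account'
    (assumed wording; adjust if your account returns something different)."""
    err = exc.response.get("Error", {})
    return err.get("Code") == "InvalidInput" and "has been taken" in err.get("Message", "")


def create_service_linked_role(iam, service_name: str) -> SlrResult:
    """One CreateServiceLinkedRole call. A role that already exists is not an error:
    the account is in the desired state, so report created=False with no error code."""
    try:
        resp = iam.create_service_linked_role(AWSServiceName=service_name)
    except ClientError as exc:
        if _already_exists(exc):
            return SlrResult(service_name, None, created=False)
        code = exc.response.get("Error", {}).get("Code", "Unknown")
        return SlrResult(service_name, None, created=False, error=code)
    return SlrResult(service_name, resp["Role"]["Arn"], created=True)


def create_backup_service_linked_roles(iam) -> List[SlrResult]:
    """Call CreateServiceLinkedRole once per service principal, as the answer
    describes, and keep going after a failure so every principal is reported."""
    return [create_service_linked_role(iam, name) for name in BACKUP_SERVICE_PRINCIPALS]


def failed(results: List[SlrResult]) -> List[SlrResult]:
    """Results that need attention (an AccessDenied or otherwise failed call)."""
    return [r for r in results if r.error is not None]


if __name__ == "__main__":
    if boto3 is None:
        raise SystemExit("boto3 is not installed")
    outcome = create_backup_service_linked_roles(boto3.client("iam"))
    for r in outcome:
        state = "created" if r.created else ("exists" if r.error is None else f"failed: {r.error}")
        print(f"{r.service_name}: {state}")
    raise SystemExit(1 if failed(outcome) else 0)
```

The caller does not need broad IAM rights for this: a policy allowing `iam:CreateServiceLinkedRole` on the specific `arn:aws:iam::*:role/aws-service-role/<service principal>/*` resource, optionally with an `iam:AWSServiceName` condition, is enough, which keeps the automation's identity within least privilege. An `AccessDenied` in the `error` field of a result is therefore the first thing to check when a principal fails.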
That's about how to allow my user or role to create service linked roles. Once I've done that, how do I use the IAM API action CreateServiceLinkedRole to do that?
My question isn't about authorization, it's about sheer ability through the API.
Understood. I am not sure if you have found how to do that via the API. If you haven't already noticed, the documentation says you wouldn't need to create them manually but doesn't give a clue on how to create them manually.
https://docs.aws.amazon.com/aws-backup/latest/devguide/using-service-linked-roles-AWSServiceRolePolicyForBackupRestoreTesting.html#create-service-linked-role-AWSServiceRolePolicyForBackupRestoreTesting