If you no longer need to use a feature or service that requires a service-linked role, we Deleting a Service-Linked Role for Lightsail Service-Linked Role in the IAM User Guide. However, you can edit the description of the role using IAM. After you create a service-linked role, you cannot change the name of the role because various entities Lightsail does not allow you to edit the AWSServiceRoleForLightsail service-linked role. Editing a Service-Linked Role for Lightsail To do this, complete the steps that are in the following Service-Linked Role You must configure IAM permissions to allow Lightsail to create the service-linked Lightsail creates the service-linked role for you again. When you export your Lightsail instance or block storage disk snapshot to Amazon EC2, or create or update a Lightsail bucket, Process to recreate the role in your account. If you delete this service-linked role and need to create it again, you can use the same When you export your Lightsail instance or block storage disk snapshot to Amazon EC2, or create or update a Lightsail bucket in the Management Console, the AWS CLI, or the AWS API, Lightsail creates the service-linked role for You don't need to manually create a service-linked role. Creating a Service-Linked Role for Lightsail To allow an IAM entity to delete any service delete a service-linked role, or any service-role. Alternatively, you can use an AWS managed policy to provide full access to To allow an IAM entity to delete a specific service-linked To allow an IAM entity to edit the description of any service edit the description of a service-linked role, or any service role. "Resource": "arn:aws:iam::*:role/aws-service-role/*" To allow an IAM entity to create any service-linked Add the following statement to the permissions policy for the IAM entity that needs to create a service-linked role, or any service role that includes the needed policies.
"Resource": "arn:aws:iam::*:role/aws-service-role//AWSServiceRoleForLightsail*" "Resource": "arn:aws:iam::*:role/aws-service-role//AWSServiceRoleForLightsail*", To allow an IAM entity to create a specific service-linked Add the following policy to the IAM entity that needs to create the service-linked To create or edit the description of a service-linked role. You must configure permissions to allow an IAM entity (such as a user, group, or role) The role permissions policy allows Lightsail to complete the following actions on the Action: ec2:CopySnapshot on all AWS resources. Action: ec2:DescribeSnapshots on all AWS resources. Action: ec2:CopyImage on all AWS resources. Action: ec2:DescribeImages on all AWS resources. Action: cloudformation:DescribeStacks on all AWS Action: s3:GetAccountPublicAccessBlock on all AWS The AWSServiceRoleForLightsail service-linked role trusts the following services to assume the To get the current account-level Block Public Access configuration from Amazon Simple Storage Service (Amazon S3). Role to export Lightsail instance and block storage disk snapshots to Amazon Elastic Compute Cloud (Amazon EC2), and Lightsail uses the service-linked role named AWSServiceRoleForLightsail – Service-Linked Role Permissions for Lightsail Choose a Yes with a link to view the service-linked role documentation for that IAM and look for the services that have Yes in the Protects your Lightsail resources because you can't inadvertently remove permission to For information about other services that support service-linked roles, see AWS Services That Work with You can delete a service-linked role only after first deleting their related resources. The defined permissions include the trust policy and the permissions policy, which cannot be Service-linked roles, and unless defined otherwise, only Lightsail can assume its roles.
Include all the permissions that Lightsail requires to call other AWS services on A service-linked role makes setting up Lightsail easier because you don’t have to Service-linked roles are predefined by Lightsail and A service-linked role is a unique type of IAM role that is Version-Release number of selected component (if applicable): 4.3 release - SHA 637eaddb8031a33c8b95b667bc28bb0457007c2f54ab9aaeb0a7fe36d1eb4ea9 1. Create SCP deny policy that restricts API calls to a specific region eg. Install fails because AWS Organization SCP policy restricts API calls to a specific region eg.