Editing an IAM Service Role, and Attaching Service Roles to AWS Resources

mudathirlawal

Mudathir Lawal

Posted on March 31, 2024

Overview

One common challenge you might have come across is how to edit service roles for AWS resources. This is usually necessary when you forget to attach an appropriate role to the service in question. After executing a task, you tend to get errors such as:

Insufficient permission; or the provided role does not have sufficient permissions.

Here we will describe how this can be solved by creating a new service role and modifying it to suit our purpose. We will also show how the new role can be attached to an existing resource.

What is a Service Role?

A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.

Scenario

We require an AWS CodeDeploy service role for EC2 in order to be able to deploy an application to an EC2 instance. We, therefore, need to create one and attach it to our EC2 instance.

Procedure

In the AWS console, go to IAM, then Roles, then Create role. Under Trusted entity type select AWS service; and under Use case, select EC2.

Under Add permissions, search for the appropriate permission. In our case, we will use the AWSCodeDeployRole role. Select Next and give your new role a meaningful name. Then click Create role.

Note: Do not bother to edit the role using the Edit button, because you will not be able to. Just go ahead and create; the editing will be done after the creation.

Go back to Roles or click on View role to view your newly created service role. Select the Trust relationships tab. Then click the Edit trust policy button, and make the necessary modifications to the policy settings.

In our case, we change the ec2 on line 7 of the trust policy to codedeploy. You can now return to your AWS resource and attach the newly created role to it.
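As an added example (not part of the original post), the trust-policy edit described above performed on the policy document itself rather than in the console editor: the functions below parse the JSON the console generates for the EC2 use case, list which service principals may assume the role, and swap ec2.amazonaws.com for codedeploy.amazonaws.com. The sample policy and the helper names are my own; the `aws iam update-assume-role-policy` command in the final comment is the real CLI call that applies an edited document.

```python
import json

# Trust policy the IAM console generates for "Trusted entity: AWS service, Use case: EC2".
# Constructed sample for this example; its "Service" entry is line 7, as the post says.
EC2_TRUST_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}"""

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Principal.Service."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def trusted_services(policy_doc: str) -> set:
    """Service principals this trust policy allows to call sts:AssumeRole."""
    found = set()
    for stmt in _as_list(json.loads(policy_doc)["Statement"]):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            found.update(_as_list(services))
    return found

def retarget_trust_policy(policy_doc: str, old: str, new: str) -> str:
    """Return the policy with `old` replaced by `new` wherever it appears as a trusted service."""
    policy = json.loads(policy_doc)
    statements = _as_list(policy["Statement"])
    for stmt in statements:
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "Service" in principal:
            services = [new if s == old else s for s in _as_list(principal["Service"])]
            principal["Service"] = services[0] if len(services) == 1 else services
    policy["Statement"] = statements
    return json.dumps(policy, indent=4)

if __name__ == "__main__":
    # The edit the post describes: ec2 -> codedeploy on the Service line.
    updated = retarget_trust_policy(EC2_TRUST_POLICY, "ec2.amazonaws.com", "codedeploy.amazonaws.com")
    print(updated)  # save as trust.json, then:
    # aws iam update-assume-role-policy --role-name <ROLE_NAME> --policy-document file://trust.json
```

`trusted_services` makes the effect of the edit visible: after retargeting, the role trusts only codedeploy.amazonaws.com, so confirm that the principal you keep is the service that will actually assume the role (ec2.amazonaws.com for a role attached to an instance, codedeploy.amazonaws.com for a role CodeDeploy itself assumes).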

In our own scenario (demonstrated in the clips above), we created an AWS service role for EC2 instances. Note that we attached the new role by first selecting the instance, then clicking on Actions -> Security -> Modify IAM role (first picture after the last paragraph). When attached to an instance, this service role will allow EC2 instances to call AWS CodeDeploy on our behalf. These types of roles are important for automating the deployment of workloads into the AWS cloud.

Thank you for reading.

Reference: AWS official documentation on service-linked roles, accessed 2024/03/31.
