AWS App Studio is in preview and is subject to change.
Service-linked roles for App Studio
App Studio uses a service-linked role named AWSServiceRoleForAppStudio for the permissions that it requires to call other AWS services on your behalf. A service-linked role is a unique type of AWS Identity and Access Management (IAM) role that is linked directly to an AWS service, in this case, App Studio. The service-linked role provides a secure way to delegate permissions to App Studio because only App Studio can assume the service-linked role.
App Studio uses the service-linked role to persistently manage AWS services, to maintain the application building experience.
The service-linked role makes setting up App Studio easier because you don't have to manually add necessary permissions. App Studio defines the permissions of its service-linked role, and unless the permissions are defined otherwise, only App Studio can assume the role. The defined permissions include the trust policy and the permissions policy, and you can't attach that permissions policy to any other IAM entity.
Service-linked role permissions for App Studio
App Studio uses the service-linked role named AWSServiceRoleForAppStudio. It's a service-linked role required for App Studio to persistently manage AWS services, to maintain the application building experience.
The AWSServiceRoleForAppStudio service-linked role uses the following trust policy, which trusts only the appstudio-service.amazonaws.com service.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "appstudio-service.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
For permissions, the AWSServiceRoleForAppStudio service-linked role uses the AppStudioServiceRolePolicy managed policy. For more information about the managed policy, including the permissions it includes, see AWS managed policy: AppStudioServiceRolePolicy.
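The following audit check is an added example, not code from AWS or from this guide: it parses a role trust policy and reports anything that lets a principal other than appstudio-service.amazonaws.com assume the role. The function name, the finding strings, and the widened sample policy (with a placeholder account ID) are assumptions constructed for illustration.

```python
import json

# Service principal named in the trust policy on this page.
EXPECTED_SERVICE = "appstudio-service.amazonaws.com"

def _as_list(value):
    """IAM accepts either a single string or a list for Action and Principal values."""
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, expected_service=EXPECTED_SERVICE):
    """Return findings; an empty list means only expected_service can assume the role."""
    findings, trusted = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen trust
        if "NotPrincipal" in stmt:
            findings.append(f"statement {i}: Allow with NotPrincipal")
            continue
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: unexpected principal {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == expected_service:
                    trusted = trusted or "sts:AssumeRole" in actions
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
        for action in actions:
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
    if not trusted:
        findings.append(f"{expected_service} cannot assume the role")
    return findings

# Trust policy as shown on this page.
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "appstudio-service.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")

# Constructed sample: same policy with an extra account principal (placeholder account ID).
WIDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "appstudio-service.amazonaws.com",
                "AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("widened", WIDENED_POLICY)):
        print(name, trust_policy_findings(doc) or "OK")
```

In practice the input would be the AssumeRolePolicyDocument returned by IAM for the role, rather than the inline samples used here.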
Creating a service-linked role for App Studio
The AWSServiceRoleForAppStudio service-linked role is automatically created when a user requests a specific operation.
Editing a service-linked role for App Studio
App Studio doesn't allow you to edit the AWSServiceRoleForAppStudio service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting a service-linked role for App Studio
If you no longer need to use App Studio, we recommend that you delete the service-linked role. That way, you don't have an unused entity that isn't actively monitored or maintained.
To manually delete the service-linked role using IAM
Use the IAM console, the IAM CLI, or the IAM API to delete the AWSServiceRoleForAppStudio service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.