Service-linked roles for App Studio - AWS App Studio

AWS App Studio is in preview and is subject to change.

Service-linked roles for App Studio

App Studio uses a service-linked role named AWSServiceRoleForAppStudio for the permissions that it requires to call other AWS services on your behalf. A service-linked role is a unique type of AWS Identity and Access Management (IAM) role that is linked directly to an AWS service, in this case, App Studio. The service-linked role provides a secure way to delegate permissions to App Studio because only App Studio can assume the service-linked role.

App Studio uses the service-linked role to persistently manage AWS services so that it can maintain the application building experience.

The service-linked role makes setting up App Studio easier because you don't have to manually add necessary permissions. App Studio defines the permissions of its service-linked role, and unless the permissions are defined otherwise, only App Studio can assume the role. The defined permissions include the trust policy and the permissions policy, and you can't attach that permissions policy to any other IAM entity.

Service-linked role permissions for App Studio

App Studio uses the service-linked role named AWSServiceRoleForAppStudio. App Studio requires this service-linked role to persistently manage AWS services so that it can maintain the application building experience.

The AWSServiceRoleForAppStudio service-linked role uses the following trust policy, which trusts only the appstudio-service.amazonaws.com service.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "appstudio-service.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For permissions, the AWSServiceRoleForAppStudio service-linked role uses the AppStudioServiceRolePolicy managed policy. For more information about the managed policy, including the permissions it includes, see AWS managed policy: AppStudioServiceRolePolicy.

Creating a service-linked role for App Studio

The AWSServiceRoleForAppStudio service-linked role is automatically created when a user requests a specific operation.

Editing a service-linked role for App Studio

App Studio doesn't allow you to edit the AWSServiceRoleForAppStudio service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for App Studio

If you no longer need to use App Studio, we recommend that you delete the service-linked role. That way, you don't have an unused entity that isn't actively monitored or maintained.

To manually delete the service-linked role using IAM

Use the IAM console, the IAM CLI, or the IAM API to delete the AWSServiceRoleForAppStudio service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.