AWS Cloud WAN service-linked roles - AWS Network Manager

AWS Cloud WAN service-linked roles

AWS Cloud WAN uses the following service-linked roles for the permissions that it requires to call other AWS services on your behalf:

AWSServiceRoleForNetworkManagerCloudWAN

AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManagerCloudWAN to create and announce transit gateway route tables, and then to propagate transit gateway routes to those tables.

The AWSServiceRoleForNetworkManagerCloudWAN service-linked role trusts the following service to assume the role:

  • networkmanager.amazonaws.com

This service-linked role uses the managed policy AWSNetworkManagerCloudWANServiceRolePolicy. To view the permissions for this policy, see AWSNetworkManagerCloudWANServiceRolePolicy in the AWS Managed Policy Reference.

AWSServiceRoleForVPCTransitGateway

Amazon VPC uses the service-linked role named AWSServiceRoleForVPCTransitGateway to create and manage resources for your transit gateway on your behalf.

The AWSServiceRoleForVPCTransitGateway service-linked role trusts the following service to assume the role:

  • transitgateway.amazonaws.com

This service-linked role uses the managed policy AWSVPCTransitGatewayServiceRolePolicy. To view the permissions for this policy, see AWSVPCTransitGatewayServiceRolePolicy in the AWS Managed Policy Reference.

AWSServiceRoleForNetworkManager

AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManager to call actions on your behalf when you work with global networks.

The AWSServiceRoleForNetworkManager service-linked role trusts the following service to assume the role:

  • networkmanager.amazonaws.com

This service-linked role uses the managed policy AWSNetworkManagerServiceRolePolicy. To view the permissions for this policy, see AWSNetworkManagerServiceRolePolicy in the AWS Managed Policy Reference.
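As an added example (not part of the AWS documentation and not AWS-provided code), the following Python script audits the three roles described above against the trust principal and managed policy this page names for each of them. It reads the JSON shapes returned by `aws iam get-role` and `aws iam list-attached-role-policies`; the role documents embedded in it are constructed samples, one matching what the page states and one with drift added, rather than captures from a real account, and the account ID in the drift sample is a placeholder.

```python
"""Audit the Cloud WAN / Network Manager service-linked roles against this page.

Added example, not AWS documentation or AWS-provided code. For each role it
checks that (1) the role sits on the service-linked path, (2) only the expected
service principal may assume it, and (3) exactly the expected managed policy is
attached. Inputs use the JSON shapes returned by `aws iam get-role` and
`aws iam list-attached-role-policies`.
"""
import copy
import json
import urllib.parse

# Trust principal and managed policy for each role, exactly as named on this page.
EXPECTED = {
    "AWSServiceRoleForNetworkManagerCloudWAN": (
        "networkmanager.amazonaws.com", "AWSNetworkManagerCloudWANServiceRolePolicy"),
    "AWSServiceRoleForVPCTransitGateway": (
        "transitgateway.amazonaws.com", "AWSVPCTransitGatewayServiceRolePolicy"),
    "AWSServiceRoleForNetworkManager": (
        "networkmanager.amazonaws.com", "AWSNetworkManagerServiceRolePolicy"),
}


def trusted_principals(trust_policy):
    """Split principals allowed to call sts:AssumeRole into (services, others)."""
    services, others = set(), set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                  # wildcard principal: anyone may assume
            others.add("*")
            continue
        for kind, value in principal.items():
            values = [value] if isinstance(value, str) else list(value)
            (services if kind == "Service" else others).update(values)
    return services, others


def attached_policy_names(list_attached_output):
    """Policy names from `aws iam list-attached-role-policies` output."""
    return {p["PolicyName"] for p in list_attached_output.get("AttachedPolicies", [])}


def audit_role(get_role_output, list_attached_output):
    """Compare one role with EXPECTED. Returns a list of findings; empty means OK."""
    role = get_role_output["Role"]
    name = role["RoleName"]
    if name not in EXPECTED:
        return [f"{name}: not a role this audit knows about"]
    want_service, want_policy = EXPECTED[name]
    findings = []

    # Service-linked roles live under /aws-service-role/<service>/. A same-named
    # role elsewhere was created by hand and is not the role this page describes.
    want_path = f"/aws-service-role/{want_service}/"
    if role.get("Path") != want_path:
        findings.append(f"{name}: path {role.get('Path')!r}, expected {want_path!r}")

    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):                  # raw API responses carry it URL-encoded
        doc = json.loads(urllib.parse.unquote(doc))
    services, others = trusted_principals(doc)
    if services != {want_service}:
        findings.append(f"{name}: trusted services {sorted(services)}, expected [{want_service!r}]")
    if others:
        findings.append(f"{name}: non-service principals may assume the role: {sorted(others)}")

    policies = attached_policy_names(list_attached_output)
    if policies != {want_policy}:
        findings.append(f"{name}: attached policies {sorted(policies)}, expected [{want_policy!r}]")
    return findings


# Constructed sample matching what this page states for the Cloud WAN role.
SAMPLE_GET_ROLE = {"Role": {
    "Path": "/aws-service-role/networkmanager.amazonaws.com/",
    "RoleName": "AWSServiceRoleForNetworkManagerCloudWAN",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "networkmanager.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
}}
SAMPLE_ATTACHED = {"AttachedPolicies": [{"PolicyName": "AWSNetworkManagerCloudWANServiceRolePolicy"}]}

# Constructed drift sample: an extra account principal in the trust policy
# (placeholder account ID) and a different attached policy.
SAMPLE_TAMPERED_GET_ROLE = copy.deepcopy(SAMPLE_GET_ROLE)
SAMPLE_TAMPERED_GET_ROLE["Role"]["AssumeRolePolicyDocument"]["Statement"].append(
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["sts:AssumeRole"]})
SAMPLE_TAMPERED_ATTACHED = {"AttachedPolicies": [{"PolicyName": "AdministratorAccess"}]}

if __name__ == "__main__":
    for get_role, attached in ((SAMPLE_GET_ROLE, SAMPLE_ATTACHED),
                               (SAMPLE_TAMPERED_GET_ROLE, SAMPLE_TAMPERED_ATTACHED)):
        findings = audit_role(get_role, attached)
        print("OK" if not findings else "\n".join(findings))
```

In practice you would feed `audit_role` the parsed output of `aws iam get-role --role-name <name>` and `aws iam list-attached-role-policies --role-name <name>` for each of the three role names. Because only the description of a service-linked role can be edited (see the editing section below), a finding on the path or the trust policy usually points at a role that merely shares the name rather than the service-linked role itself.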

Create the service-linked role

You don't need to manually create these service-linked roles.

  • Network Manager creates the AWSServiceRoleForNetworkManager role when you create your first global network.

  • Amazon VPC creates the AWSServiceRoleForVPCTransitGateway role when you attach a VPC to a transit gateway in your account.

For Network Manager to create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-linked role permissions in the IAM User Guide.

Edit the service-linked role

You can edit the descriptions of the AWSServiceRoleForNetworkManager and AWSServiceRoleForVPCTransitGateway roles using IAM. For more information, see Edit a service-linked role description in the IAM User Guide.

Delete the service-linked role

If you no longer need to use Network Manager, we recommend that you delete the AWSServiceRoleForNetworkManager and AWSServiceRoleForVPCTransitGateway roles.

You can delete these service-linked roles only after you delete your global network. For information about deleting your global network, see Delete a global network.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Delete a service-linked role in the IAM User Guide.

After you delete AWSServiceRoleForNetworkManager, Network Manager will create the role again when you create a new global network. After you delete AWSServiceRoleForVPCTransitGateway, Amazon VPC will create the role again when you attach a VPC to a transit gateway in your account.

Supported Regions

Service-linked roles are supported in all the AWS Regions where the service is available. For more information, see Region availability.