Using service-linked roles to create OpenSearch Serverless collections
OpenSearch Serverless uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to OpenSearch Service. Service-linked roles are predefined by OpenSearch Service and include all the permissions that the service requires to call other AWS services on your behalf.
OpenSearch Serverless uses the service-linked role named AWSServiceRoleForAmazonOpenSearchServerless, which provides the permissions necessary for the role to publish serverless-related CloudWatch metrics to your account. The role permissions policy associated with AWSServiceRoleForAmazonOpenSearchServerless is named AmazonOpenSearchServerlessServiceRolePolicy. For more information about the policy, see AmazonOpenSearchServerlessServiceRolePolicy in the AWS Managed Policy Reference Guide.
Service-linked role permissions for OpenSearch Serverless
OpenSearch Serverless uses the service-linked role named AWSServiceRoleForAmazonOpenSearchServerless, which allows OpenSearch Serverless to call AWS services on your behalf.
The AWSServiceRoleForAmazonOpenSearchServerless service-linked role trusts the following services to assume the role:
- observability.aoss.amazonaws.com
The role permissions policy named AmazonOpenSearchServerlessServiceRolePolicy allows OpenSearch Serverless to complete the following actions on the specified resources:
- Action: cloudwatch:PutMetricData on all AWS resources
Note
The policy includes the condition key {"StringEquals": {"cloudwatch:namespace": "AWS/AOSS"}}, which means that the service-linked role can only send metric data to the AWS/AOSS CloudWatch namespace.
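As an added example (not part of the AWS documentation), the following Python audits a role's trust policy and permissions policy for the two properties described above: the role trusts only observability.aoss.amazonaws.com, and every cloudwatch:PutMetricData grant is bound to the AWS/AOSS namespace. The policy documents embedded here are constructed to mirror the page's description and are not the text of the real managed policy; in practice you would feed in the documents returned by iam:GetRole and iam:GetPolicyVersion.

```python
# Values from the page: the service principal the role trusts and the only
# CloudWatch namespace the role is permitted to publish metrics to.
SLR_SERVICE = "observability.aoss.amazonaws.com"
ALLOWED_NAMESPACE = "AWS/AOSS"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_is_scoped(doc: dict, service: str = SLR_SERVICE) -> bool:
    """True only if every Allow statement grants sts:AssumeRole to `service` alone."""
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or a missing principal is a finding
            return False
        if _as_list(principal.get("Service", [])) != [service]:
            return False
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            return False
    return True


def put_metric_is_namespace_bound(doc: dict, namespace: str = ALLOWED_NAMESPACE) -> bool:
    """True only if every statement allowing cloudwatch:PutMetricData carries the
    StringEquals cloudwatch:namespace condition the page describes."""
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"cloudwatch:putmetricdata", "cloudwatch:*", "*"}:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        equals = {k.lower(): v for k, v in equals.items()}  # condition keys are case-insensitive
        if _as_list(equals.get("cloudwatch:namespace", [])) != [namespace]:
            return False
    return True


# Constructed sample documents mirroring the page's description (not the real
# managed policy text). LOOSE_METRIC_DOC omits the namespace condition.
TRUST_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": SLR_SERVICE}, "Action": "sts:AssumeRole"}]}
METRIC_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "cloudwatch:PutMetricData", "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": ALLOWED_NAMESPACE}}}]}
LOOSE_METRIC_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "cloudwatch:PutMetricData", "Resource": "*"}]}
```

A wildcard principal, an extra trusted service, or a PutMetricData grant without the namespace condition all return False, which is the drift an auditor would want to surface.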
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.
Creating the service-linked role for OpenSearch Serverless
You don't need to manually create a service-linked role. When you create an OpenSearch Serverless collection in the AWS Management Console, the AWS CLI, or the AWS API, OpenSearch Serverless creates the service-linked role for you.
Note
The first time you create a collection, you must be granted the iam:CreateServiceLinkedRole permission in an identity-based policy.
If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create an OpenSearch Serverless collection, OpenSearch Serverless creates the service-linked role for you again.
You can also use the IAM console to create a service-linked role with the Amazon OpenSearch Serverless use case. In the AWS CLI or the AWS API, create a service-linked role with the observability.aoss.amazonaws.com service name:
aws iam create-service-linked-role --aws-service-name "observability.aoss.amazonaws.com"
For more information, see Creating a service-linked role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.
Editing the service-linked role for OpenSearch Serverless
OpenSearch Serverless does not allow you to edit the AWSServiceRoleForAmazonOpenSearchServerless service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting the service-linked role for OpenSearch Serverless
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. This prevents you from having an unused entity that isn't actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.
To delete the AWSServiceRoleForAmazonOpenSearchServerless role, you must first delete all OpenSearch Serverless collections in your AWS account.
Note
If OpenSearch Serverless is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.
To manually delete the service-linked role using IAM
Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonOpenSearchServerless service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.
Supported Regions for OpenSearch Serverless service-linked roles
OpenSearch Serverless supports using the AWSServiceRoleForAmazonOpenSearchServerless service-linked role in every Region where OpenSearch Serverless is available. For a list of supported Regions, see Amazon OpenSearch Serverless endpoints and quotas in the AWS General Reference.