AWS Cloud WAN service-linked roles - AWS Network Manager

AWS Cloud WAN service-linked roles

AWS Cloud WAN uses the following service-linked roles for the permissions that it requires to call other AWS services on your behalf:

AWSServiceRoleForNetworkManagerCloudWAN

AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManagerCloudWAN to create and announce transit gateway route tables, and then to propagate transit gateway routes to those tables.

The AWSServiceRoleForNetworkManagerCloudWAN service-linked role trusts the following service to assume the role:

  • networkmanager.amazonaws.com

This service-linked role uses the managed policy AWSNetworkManagerCloudWANServiceRolePolicy. To view the permissions for this policy, see AWSNetworkManagerCloudWANServiceRolePolicy in the AWS Managed Policy Reference.

AWSServiceRoleForVPCTransitGateway

Amazon VPC uses the service-linked role named AWSServiceRoleForVPCTransitGateway to create and manage resources for your transit gateway on your behalf.

The AWSServiceRoleForVPCTransitGateway service-linked role trusts the following service to assume the role:

  • transitgateway.amazonaws.com

This service-linked role uses the managed policy AWSVPCTransitGatewayServiceRolePolicy. To view the permissions for this policy, see AWSVPCTransitGatewayServiceRolePolicy in the AWS Managed Policy Reference.

AWSServiceRoleForNetworkManager

AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManager to call actions on your behalf when you work with global networks.

The AWSServiceRoleForNetworkManager service-linked role trusts the following service to assume the role:

  • networkmanager.amazonaws.com

This service-linked role uses the managed policy AWSNetworkManagerServiceRolePolicy. To view the permissions for this policy, see AWSNetworkManagerServiceRolePolicy in the AWS Managed Policy Reference.
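The three role descriptions above each state one trusted service principal and one managed policy. The following script is an added example (it is not part of the AWS documentation or of any AWS tooling) that turns those statements into an audit: it reads a role's trust policy and attached policies and reports any difference from what this page documents. The `audit_role` function is pure and runs offline on the constructed sample documents; `audit_account` wraps it with real IAM API calls (`get_role`, `list_attached_role_policies`) for use against a live account. The assumption that service-linked roles live under the `/aws-service-role/` path is mine, not stated on this page.

```python
"""Audit the Cloud WAN service-linked roles against the documented trust
principal and managed policy. Added example, not AWS-provided code."""

# Role name -> (trusted service principal, managed policy), as documented above.
EXPECTED_SLRS = {
    "AWSServiceRoleForNetworkManagerCloudWAN": (
        "networkmanager.amazonaws.com", "AWSNetworkManagerCloudWANServiceRolePolicy"),
    "AWSServiceRoleForVPCTransitGateway": (
        "transitgateway.amazonaws.com", "AWSVPCTransitGatewayServiceRolePolicy"),
    "AWSServiceRoleForNetworkManager": (
        "networkmanager.amazonaws.com", "AWSNetworkManagerServiceRolePolicy"),
}

# Assumption (not from this page): service-linked roles sit under this IAM path.
SLR_PATH_PREFIX = "/aws-service-role/"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Return the set of service principals a trust policy allows to sts:AssumeRole."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")          # wildcard principal: always worth flagging
            continue
        found.update(_as_list(principal.get("Service")))
    return found


def audit_role(role_name, trust_policy, attached_policy_names, path=SLR_PATH_PREFIX):
    """Compare one role with the documented expectation.

    Returns a list of human-readable findings; an empty list means the role
    matches what the documentation states.
    """
    expected_service, expected_policy = EXPECTED_SLRS[role_name]
    findings = []
    if not path.startswith(SLR_PATH_PREFIX):
        findings.append(f"{role_name}: path {path!r} is not a service-linked role path")
    services = trusted_services(trust_policy)
    if services != {expected_service}:
        findings.append(f"{role_name}: trust policy allows {sorted(services)}, "
                        f"expected only {expected_service}")
    if expected_policy not in set(attached_policy_names):
        findings.append(f"{role_name}: managed policy {expected_policy} is not attached")
    return findings


def audit_account(iam):
    """Run audit_role for every documented role present in the account.

    `iam` is a boto3 IAM client; roles that have not been created yet (they are
    created lazily on first use) are reported rather than treated as failures.
    """
    results = {}
    for role_name in EXPECTED_SLRS:
        try:
            role = iam.get_role(RoleName=role_name)["Role"]
        except iam.exceptions.NoSuchEntityException:
            results[role_name] = ["role not present (created on first use)"]
            continue
        attached = [p["PolicyName"] for p in
                    iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]]
        results[role_name] = audit_role(role_name, role["AssumeRolePolicyDocument"],
                                        attached, role["Path"])
    return results


# Constructed sample trust policies for offline use (not captured from an account).
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "networkmanager.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": ["networkmanager.amazonaws.com", "ec2.amazonaws.com"]},
     "Action": ["sts:AssumeRole"]}]}

if __name__ == "__main__":
    print(audit_role("AWSServiceRoleForNetworkManager", SAMPLE_TRUST,
                     ["AWSNetworkManagerServiceRolePolicy"]))
    # Against a live account:  import boto3; print(audit_account(boto3.client("iam")))
```

Because IAM does not let you edit a service-linked role's trust policy or attach other policies to it, this audit normally returns no findings; its value is as recorded evidence that the roles present in the account are the documented ones, and as a detector for a same-named ordinary role created outside the service-linked path.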

Create the service-linked role

You don't need to manually create these service-linked roles.

  • Network Manager creates the AWSServiceRoleForNetworkManager role when you create your first global network.

  • Amazon VPC creates the AWSServiceRoleForVPCTransitGateway role when you attach a VPC to a transit gateway in your account.

For Network Manager to create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-linked role permissions in the IAM User Guide.

Edit the service-linked role

You can edit the descriptions of the AWSServiceRoleForNetworkManager and AWSServiceRoleForVPCTransitGateway roles using IAM. For more information, see Edit a service-linked role description in the IAM User Guide.

Delete the service-linked role

If you no longer need to use Network Manager, we recommend that you delete the AWSServiceRoleForNetworkManager and AWSServiceRoleForVPCTransitGateway roles.

You can delete these service-linked roles only after you delete your global network. For information about deleting your global network, see Delete a global network.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Delete a service-linked role in the IAM User Guide.

After you delete AWSServiceRoleForNetworkManager, Network Manager will create the role again when you create a new global network. After you delete AWSServiceRoleForVPCTransitGateway, Amazon VPC will create the role again when you attach a VPC to a transit gateway in your account.
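Deleting a service-linked role is asynchronous, and IAM refuses the deletion while a resource (here, a global network) still uses the role. The script below is an added example, not AWS code: it submits the deletion with the real IAM API (`delete_service_linked_role`, `get_service_linked_role_deletion_status`), polls until a terminal state, and, when IAM reports failure, extracts the resources that still reference the role so you know what to remove first. The sample response is constructed; the global network ARN in it is a placeholder, not a real identifier.

```python
"""Delete a service-linked role and interpret IAM's deletion status.
Added example; the IAM calls are real, the sample response is constructed."""
import time


def classify_deletion_status(status):
    """Interpret one GetServiceLinkedRoleDeletionStatus response.

    Returns (state, blockers): state is 'deleted', 'pending' or 'blocked';
    blockers lists 'region: resource' strings that still use the role.
    """
    state = status.get("Status")
    if state == "SUCCEEDED":
        return "deleted", []
    if state in ("NOT_STARTED", "IN_PROGRESS"):
        return "pending", []
    # FAILED: IAM lists the resources that still depend on the role.
    reason = status.get("Reason") or {}
    blockers = [f"{usage.get('Region', 'global')}: {resource}"
                for usage in reason.get("RoleUsageList", [])
                for resource in usage.get("Resources", [])]
    return "blocked", blockers


def delete_service_linked_role(iam, role_name, poll_seconds=5, max_polls=24):
    """Submit the deletion and poll until IAM reports a terminal state.

    `iam` is a boto3 IAM client. Returns the same (state, blockers) tuple as
    classify_deletion_status; 'pending' means the poll budget ran out.
    """
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    for _ in range(max_polls):
        status = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        state, blockers = classify_deletion_status(status)
        if state != "pending":
            return state, blockers
        time.sleep(poll_seconds)
    return "pending", []


# Constructed sample of a failed deletion, shaped like the IAM response.
# The ARN below is a placeholder, not a real global network.
BLOCKED_RESPONSE = {
    "Status": "FAILED",
    "Reason": {
        "Reason": "Role is still in use",
        "RoleUsageList": [{
            "Region": "us-west-2",
            "Resources": ["arn:aws:networkmanager::123456789012:global-network/global-network-PLACEHOLDER"],
        }],
    },
}

if __name__ == "__main__":
    state, blockers = classify_deletion_status(BLOCKED_RESPONSE)
    print(state, blockers)
    # Live use, only after the global network is gone:
    #   import boto3
    #   print(delete_service_linked_role(boto3.client("iam"), "AWSServiceRoleForNetworkManager"))
```

A blocked result is the expected outcome if the global network still exists; the listed resources are exactly what the page tells you to delete first, and re-running the deletion afterwards should end in the deleted state.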

Supported Regions

Service-linked roles are supported in all the AWS Regions where the service is available. For more information, see Region availability.