

# Using service-linked roles for Amazon Chime SDK messaging
<a name="using-roles"></a>

The Amazon Chime SDK uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that links directly to Amazon Chime SDK. Amazon Chime SDK predefines the service-linked roles, and they include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Amazon Chime SDK more efficient, because you aren't required to manually add the necessary permissions. Amazon Chime SDK defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Chime SDK can assume its roles. The defined permissions include the trust and permissions policies. The permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your Amazon Chime SDK resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the documentation for that service.

**Topics**
+ [Using service-linked roles for data streaming in Amazon Chime SDK messaging](stream-service-linked.md)

# Using service-linked roles for data streaming in Amazon Chime SDK messaging
<a name="stream-service-linked"></a>

The following sections explain how to manage the service-linked role for data streaming.

**Topics**
+ [Service-linked role permissions](#role-permissions)
+ [Creating a service-linked role](#create-service-linked-role)
+ [Editing a service-linked role](#editing-roles)
+ [Deleting the resources used by a service-linked role](#cleaning-up)
+ [Deleting a service-linked role](#deleting-roles)

## Service-linked role permissions
<a name="role-permissions"></a>

Amazon Chime SDK uses the service-linked role named **AWSServiceRoleForChimeSDKMessaging**. The role grants access to the AWS services and resources used or managed by Amazon Chime SDK, such as the Kinesis streams used for data streaming. 

The **AWSServiceRoleForChimeSDKMessaging** service-linked role trusts the following services so that those services can assume the role:
+ messaging.chime.amazonaws.com

The role permissions policy allows Amazon Chime SDK to complete the following actions on the specified resource:
+ `kms:GenerateDataKey` only when the request is made through Kinesis, that is, when `kms:ViaService` matches `kinesis.*.amazonaws.com`.
+ `kinesis:PutRecord`, `kinesis:PutRecords`, or `kinesis:DescribeStream` only on streams of the following format: `arn:aws:kinesis:*:*:stream/chime-messaging-*`.

The following example shows the policy.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "kinesis.*.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord",
                "kinesis:PutRecords",
                "kinesis:DescribeStream"
            ],
            "Resource": [
                "arn:aws:kinesis:*:*:stream/chime-messaging-*"
            ]
        }
    ]
}
```
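To see how narrowly this policy is scoped, the following is an added example (not code from the page or from the Amazon Chime SDK): a simplified evaluator that applies the policy above to sample requests. It handles only `Allow` statements and `StringLike` conditions, which is all this policy uses; the account ID and KMS key ID in the sample ARNs are constructed values.

```python
import re

# Permissions policy of the AWSServiceRoleForChimeSDKMessaging role, as shown on this page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey"],
            "Resource": "*",
            "Condition": {"StringLike": {"kms:ViaService": ["kinesis.*.amazonaws.com"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["kinesis:PutRecord", "kinesis:PutRecords", "kinesis:DescribeStream"],
            "Resource": ["arn:aws:kinesis:*:*:stream/chime-messaging-*"],
        },
    ],
}


def _wildcard(pattern, flags=0):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one character."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + "".join(parts) + "$", flags)


def _listify(value):
    return value if isinstance(value, list) else [value]


def is_allowed(action, resource, context=None):
    """Simplified evaluator (Allow statements and StringLike conditions only).
    context maps condition keys such as 'kms:ViaService' to the request's value; a
    StringLike condition on a key that is absent from the request is false, as in IAM."""
    context = context or {}
    for stmt in POLICY["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_wildcard(a, re.IGNORECASE).match(action) for a in _listify(stmt["Action"])):
            continue
        if not any(_wildcard(r).match(resource) for r in _listify(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(
            key in context and any(_wildcard(p).match(context[key]) for p in _listify(patterns))
            for key, patterns in conditions.items()
        ):
            return True
    return False
```

Writes to a stream whose name does not start with `chime-messaging-`, any Kinesis action other than the three listed, and a direct `kms:GenerateDataKey` call that does not come through Kinesis all evaluate to denied.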

You must configure permissions to allow an IAM entity such as a user, group, or role to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role
<a name="create-service-linked-role"></a>

You don't need to manually create a service-linked role. When you use the [PutMessagingStreamingConfigurations](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_messaging-chime_PutMessagingStreamingConfigurations.html) API to create a data streaming configuration, Amazon Chime SDK creates the service-linked role for you.

You can also use the IAM console to create a service-linked role with the Amazon Chime SDK use case. In the AWS CLI or the AWS API, create a service-linked role with the `messaging.chime.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this role, you can repeat this process to create it again.

## Editing a service-linked role
<a name="editing-roles"></a>

After you create a service-linked role, you can only edit its description, and you do that using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the resources used by a service-linked role
<a name="cleaning-up"></a>

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role.

**Note**  
Deletions can fail if you try to delete resources while Amazon Chime SDK is using them. If a deletion fails, wait a few minutes and try the operation again.

**To delete resources used by the AWSServiceRoleForChimeSDKMessaging role**  
Run the following CLI command to turn off data streaming for the app instance:
+ `aws chime-sdk-messaging delete-messaging-streaming-configurations --app-instance-arn app_instance_arn`

This action deletes all streaming configurations for your app instance.

## Deleting a service-linked role
<a name="deleting-roles"></a>

When you no longer need a feature or service that requires a service-linked role, it's a best practice to delete that role. Otherwise, you have an unused entity that is not actively monitored or maintained. However, you must delete the resources used by your service-linked role before you can manually delete the role.

You can use the IAM console, AWS CLI, or the AWS API to delete the **AWSServiceRoleForChimeSDKMessaging** service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.