AWS Chatbot is now Amazon Q Developer. [Learn more](service-rename.md)

# Using Service-Linked Roles for Amazon Q Developer in chat applications
Using Service-Linked Roles

A [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is a type of IAM role that links directly to an AWS service. It gives AWS services the permissions to access resources in other services to complete actions on your behalf.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose any **Yes** entry with a link to view the service-linked role documentation for that service.

When you create an Amazon Q Developer in chat applications resource in the Amazon Q Developer in chat applications console, you can also choose to provide a list of one or more SNS topics to associate with the new resource. Amazon Q Developer in chat applications automatically uses the **AWSServiceRoleForAWSChatbot** service-linked role to add or remove subscriptions to the Amazon Q Developer in chat applications global Amazon SNS subscription endpoint.

The service-linked role makes setting up Amazon Q Developer in chat applications easier because you don’t have to manually add the necessary permissions. Amazon Q Developer in chat applications defines the permissions for the service-linked role and only Amazon Q Developer in chat applications can assume that role. The permissions include a trust policy and a permissions policy, which apply only to the Amazon Q Developer in chat applications service.

**Topics**
+ [

# Amazon Q Developer in chat applications Service-linked role for performing operations on Amazon SNS topics and CloudWatch Logs
](slr-permissions.md)

# Amazon Q Developer in chat applications Service-linked role for performing operations on Amazon SNS topics and CloudWatch Logs
Service-linked role for performing operations on Amazon SNS topics and CloudWatch Logs

Amazon Q Developer uses the service-linked role named **AWSServiceRoleForAWSChatbot**. This is a managed IAM policy with scoped permissions that Amazon Q Developer in chat applications needs to run in customers’ accounts.

## Service-Linked Role Permissions for Amazon Q Developer


The Amazon Q Developer in chat applications service-linked role gives permissions for the following services and resources:
+ Amazon SNS notifications
+ CloudWatch Logs

These permissions allow Amazon Q Developer in chat applications to perform operations on Amazon SNS topics and CloudWatch Logs.

Administrators can view, but can't edit, the permissions for the Amazon Q Developer in chat applications service-linked role.

The **AWSServiceRoleForAWSChatbot** service-linked role provides trust permissions to the following service to assume its role:
+ `management.chatbot.amazonaws.com`

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

When you create an Amazon Q Developer in chat applications configuration, it creates the following policy for the service-linked role:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
              "sns:ListSubscriptionsByTopic",
              "sns:ListTopics",
              "sns:Unsubscribe",
              "sns:Subscribe",
              "sns:ListSubscriptions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
              "logs:PutLogEvents",
              "logs:CreateLogStream",
              "logs:DescribeLogStreams",
              "logs:CreateLogGroup",
              "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/chatbot/*"
        }
    ]
}
```

------

You don't need to take any action to support this role beyond using the Amazon Q Developer in chat applications service.

## Enabling the service-linked role for Amazon Q Developer


When you configure Amazon Q Developer in chat applications for the first time, you configure a Microsoft Teams channel, a Slack channel, or Amazon Chime webhook to work with Amazon Simple Notification Service (Amazon SNS) topics for forwarding notifications to chat rooms. When you create the first resource, Amazon Q Developer in chat applications automatically creates the IAM service-linked role, which can be seen in the IAM console. You don't need to manually create or configure this role. 

## Editing a service-linked role for Amazon Q Developer


You can't edit the **AWSServiceRoleForAWSChatbot** service-linked role. You also can't change its name, because other entities might reference it. You can edit the role's description using the IAM console. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Manually deleting the AWSServiceRoleForAWSChatbot service-linked role


Under specific circumstances, you can manually delete the **AWSServiceRoleForAWSChatbot** service-linked role. If you no longer need to use any feature or service that requires a service-linked role, we recommend that you delete that role. Doing so prevents having an unused entity that is not actively maintained in your account.

To delete the Amazon Q Developer in chat applications service-linked role, you must delete all Amazon Q Developer in chat applications resources in your AWS account, including all Slack channels and Amazon Chime webhooks. You can delete all Amazon Q Developer in chat applications resources using the Amazon Q Developer in chat applications console, and then use the IAM console or AWS Command Line Interface (AWS CLI) to delete the service-linked role. 

**Note**  
If Amazon Q Developer is using the **AWSServiceRoleForAWSChatbot** service-linked role when you try to delete its resources, the deletion might fail. If that happens, wait a few minutes and try deleting it again.

**To delete Amazon Q Developer in chat applications resources**

1. [Open the Amazon Q Developer in chat applications console](https://us-east-2.console.aws.amazon.com/chatbot/home?region=us-east-2#/chat-clients).

1. To remove Amazon Chime webhook configurations, do the following:

   1. Choose **Amazon Chime**.

   1. Choose each webhook that you need to delete and choose **Delete webhook**. You can delete one at a time.

   1. Choose **Delete** to confirm the deletion.

   1. Repeat these steps to delete all webhook configurations.

1. To remove Slack channel configurations, do the following:

   1. Choose **Slack**.

   1. Choose the channel that you need to delete and choose **Delete channel**.

   1. Choose **Delete** to confirm the deletion.

   1. Repeat these steps to delete all Slack channel configurations.
**Note**  
If you delete the Amazon Q Developer in chat applications service-linked role, and then need to use it again, simply open the Amazon Q Developer in chat applications console and create a new Slack channel or Amazon Chime webhook resource to recreate the role in your account. When you create the first new resource in Amazon Q Developer, it creates the service-linked role for you again. 

1. To delete the **AWSServiceRoleForAWSChatbot** service-linked role, use the IAM console or the AWS Command Line Interface (AWS CLI) . For information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported regions for Amazon Q Developer service-linked roles


AWSServiceRoleForAWSChatbot doesn't support using service-linked roles in every AWS Region where the service is available. The following table shows the Regions where you can use the **AWSServiceRoleForAWSChatbot**.


****  

| Region Name | Region Identity | Supported in Amazon Q Developer | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Osaka) | ap-northeast-3 | Yes | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Paris) | eu-west-3 | Yes | 
| South America (São Paulo) | sa-east-1 | Yes | 
| AWS GovCloud (US) | us-gov-west-1 | No |