roleArn

The Amazon Resource Name (ARN) of the IAM role assumed by Config and used by the specified configuration recorder.

The server will reject a request without a defined roleARN for the configuration recorder

Although the API model marks this field as optional, the service rejects a request whose configuration recorder has no roleARN defined, so always set it.

Policies and compliance results

IAM policies, and policies managed in Organizations such as service control policies, can affect whether Config has the permissions it needs to record configuration changes for your resources. Config rules evaluate the recorded configuration of a resource directly and do not take these policies into account when running evaluations, so a permission gap that stops recording is not surfaced as a noncompliant rule result. Make sure that the policies in effect align with how you intend to use Config.

Keep Minimum Permissions When Reusing an IAM role

If you use an Amazon Web Services service that depends on Config, such as Security Hub or Control Tower, and that service has already created an IAM role for Config, make sure that the IAM role you use when setting up Config grants at least the same permissions as the pre-existing role. Otherwise the other service may stop running as expected.

For example, if Control Tower has an IAM role that allows Config to read S3 objects, grant the same permissions to the IAM role you use when setting up Config. Otherwise, you may interfere with how Control Tower operates.
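One way to check the "at least the same permissions" requirement before swapping roles is to diff the Allow actions of the existing role's policy documents against the new role's. The following is an added example and not code from the Config documentation or from any AWS service; the policy documents are constructed samples (not real Control Tower or Config policies), and the check only compares Action patterns, ignoring Resource and Condition elements, NotAction statements, and policies outside the role such as SCPs, which it reports for manual review.

```python
import fnmatch


def _as_list(value):
    """IAM lets single-valued fields be a bare string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def collect_actions(policy_documents):
    """Return (allow_patterns, deny_patterns, skipped_statements).

    Statements that use NotAction are skipped and returned for manual
    review because their scope cannot be expressed as a pattern list.
    Resource and Condition are deliberately ignored: this answers only
    "does the new role name at least the same actions".
    """
    allow, deny, skipped = set(), set(), []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            if "NotAction" in stmt:
                skipped.append(stmt)
                continue
            target = allow if stmt.get("Effect") == "Allow" else deny
            target.update(_as_list(stmt.get("Action")))
    return allow, deny, skipped


def _pattern_covers(pattern, action):
    """Does an Allow pattern from the new role cover an action of the old role?"""
    pattern, action = pattern.lower(), action.lower()  # IAM actions are case-insensitive
    if "*" not in action and "?" not in action:
        # Concrete action: ordinary IAM-style glob match.
        return fnmatch.fnmatchcase(action, pattern)
    # The existing role itself uses a wildcard. Only an identical pattern,
    # a whole-service wildcard or a global wildcard is known to cover it;
    # anything narrower is reported as missing so a human reviews it.
    service = action.split(":", 1)[0]
    return pattern in ("*", action, f"{service}:*")


def _overlaps_deny(pattern, action):
    """Treat a glob match in either direction as overlap with a Deny."""
    pattern, action = pattern.lower(), action.lower()
    return fnmatch.fnmatchcase(action, pattern) or fnmatch.fnmatchcase(pattern, action)


def missing_actions(existing_policies, new_policies):
    """Actions the existing role may call that the new role does not cover.

    An action is covered only if some Allow pattern of the new role covers
    it and no Deny pattern of the new role overlaps it.
    """
    old_allow, _, _ = collect_actions(existing_policies)
    new_allow, new_deny, _ = collect_actions(new_policies)
    missing = []
    for action in sorted(old_allow):
        allowed = any(_pattern_covers(p, action) for p in new_allow)
        denied = any(_overlaps_deny(p, action) for p in new_deny)
        if not allowed or denied:
            missing.append(action)
    return missing


# Constructed sample documents, standing in for the output of
# `aws iam get-role-policy` / `get-policy-version` for the two roles.
EXISTING_ROLE_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "config:Put*", "Resource": "*"},
    ],
}]

NEW_ROLE_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
        {"Effect": "Allow", "Action": "config:*", "Resource": "*"},
    ],
}]

if __name__ == "__main__":
    gaps = missing_actions(EXISTING_ROLE_POLICIES, NEW_ROLE_POLICIES)
    print("Actions the new role does not cover:", gaps or "none")
```

Run against the samples, the new role's `s3:Get*` covers `s3:GetObject` and `config:*` covers the old wildcard `config:Put*`, but `s3:ListBucket` is reported as missing. Feed it the real documents of both roles (inline and attached policies) before pointing Config at the new role.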

The service-linked IAM role for Config must be used for service-linked configuration recorders

For service-linked configuration recorders, you must use the service-linked IAM role for Config: AWSServiceRoleForConfig.
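The two role requirements on this page (a roleARN must be present, and a service-linked recorder must use AWSServiceRoleForConfig) can be checked before sending a request or when auditing recorders returned by describe-configuration-recorders. The following is an added example, not code from the Config documentation. It assumes the API member names `name`, `roleARN` and `servicePrincipal`, treats a recorder with `servicePrincipal` set as service-linked, and expects the service-linked role at the path `aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig`; the optional account check is my own sanity check, and the recorder dicts are constructed samples.

```python
import re

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path and name>
ROLE_ARN_RE = re.compile(r"^arn:(aws[a-z-]*):iam::(\d{12}):role/(.+)$")

# Assumption: the Config service-linked role is always at this path and name.
CONFIG_SLR_PATH = "aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"


def validate_recorder(recorder, expected_account=None):
    """Return a list of problems with a ConfigurationRecorder dict (empty = OK).

    `recorder` uses the API member names. If `expected_account` is given,
    the role's account must match it (my own check, not a documented rule).
    """
    problems = []
    name = recorder.get("name", "<unnamed>")

    role_arn = recorder.get("roleARN")
    if not role_arn:
        # The API model calls the field optional, but the service rejects the request.
        problems.append(f"{name}: roleARN is missing; the service will reject the request")
        return problems

    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        problems.append(f"{name}: roleARN is not an IAM role ARN: {role_arn}")
        return problems
    _partition, account, role_path = match.groups()

    if expected_account and account != expected_account:
        problems.append(f"{name}: role is in account {account}, expected {expected_account}")

    if recorder.get("servicePrincipal"):
        # Service-linked recorder: only AWSServiceRoleForConfig is acceptable.
        if role_path != CONFIG_SLR_PATH:
            problems.append(
                f"{name}: service-linked recorder must use AWSServiceRoleForConfig, got {role_path}"
            )
    return problems


def service_linked_role_arn(account, partition="aws"):
    """Build the expected roleARN of the Config service-linked role for an account."""
    return f"arn:{partition}:iam::{account}:role/{CONFIG_SLR_PATH}"


# Constructed samples; 123456789012 is a placeholder account ID.
CUSTOMER_RECORDER = {
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/ConfigRecorderRole",
}
RECORDER_WITHOUT_ROLE = {"name": "default"}
BAD_SERVICE_LINKED_RECORDER = {
    "name": "AWSConfigurationRecorderForControlTower",
    "servicePrincipal": "controltower.amazonaws.com",
    "roleARN": "arn:aws:iam::123456789012:role/ConfigRecorderRole",
}

if __name__ == "__main__":
    for rec in (CUSTOMER_RECORDER, RECORDER_WITHOUT_ROLE, BAD_SERVICE_LINKED_RECORDER):
        print(rec.get("name"), "->", validate_recorder(rec, "123456789012") or "OK")
```

A recorder that passes can then be submitted with the SDK, for example `boto3.client("config").put_configuration_recorder(ConfigurationRecorder=recorder)`; the validation does not replace the service's own checks, it just fails fast on the two documented requirements.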