[autoscaling] Unable to use the same iam role for multiple AutoscalingGroups
I had an EKS cluster with an IAM role assigned to an autoscaling group used for the worker nodes. When creating a second ASG and assigning the same IAM role, I get this error in CloudFormation: “Property ManagedPolicyArns contains duplicate values.”
Reproduction Steps
```ts
this.eksCluster = new eks.Cluster(this, 'Cluster', {
  clusterName: clusterName,
  defaultCapacity: 0,
  role: clusterRole,
  securityGroup: eksSg,
  version: context['ClusterVersion'],
  vpc: vpc,
  vpcSubnets: [
    vpcSubnets
  ]
});

// Instance role that both ASGs below are given
const workerRole = new iam.Role(this, "WorkerRole", {
  assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
  roleName: `${applicationName}${environment}${uniqueIdentifier}EKSWorkerRole`,
  inlinePolicies: {
    "WorkerPolicies": new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          effect: Effect.ALLOW,
          actions: [
            "autoscaling:DescribeAutoScalingGroups"
          ],
          resources: ["*"]
        })
      ]
    })
  }
})

// First ASG using workerRole
const onDemandASG = new autoscaling.AutoScalingGroup(this, 'OnDemandASG', {
  vpc: vpc,
  role: workerRole,
  minCapacity: 2,
  maxCapacity: 10,
  instanceType: new ec2.InstanceType("t3.large"),
  machineImage: new eks.EksOptimizedImage({
    kubernetesVersion: clusterVersion,
    nodeType: eks.NodeType.STANDARD // without this, incorrect SSM parameter for AMI is resolved
  }),
  updateType: autoscaling.UpdateType.ROLLING_UPDATE,
  vpcSubnets: vpcSubnets
});

this.eksCluster.addAutoScalingGroup(onDemandASG, {
  bootstrapEnabled: true,
  mapRole: true
})

// Second ASG reusing the same workerRole
const elasticsearchASG = new autoscaling.AutoScalingGroup(this, 'ElasticsearchASG', {
  vpc: vpc,
  role: workerRole,
  minCapacity: 3,
  maxCapacity: 4,
  desiredCapacity: 3,
  instanceType: new ec2.InstanceType("t3.large"),
  machineImage: new eks.EksOptimizedImage({
    kubernetesVersion: clusterVersion,
    nodeType: eks.NodeType.STANDARD // without this, incorrect SSM parameter for AMI is resolved
  }),
  updateType: autoscaling.UpdateType.ROLLING_UPDATE,
  vpcSubnets: {
    subnets: [ publicSubnet1a ]
  }
});

elasticsearchASG.connections.allowFrom(ec2.Peer.ipv4(context['OfficeIP']), ec2.Port.allTcp())

this.eksCluster.addAutoScalingGroup(elasticsearchASG, {
  bootstrapEnabled: true,
  mapRole: true
})
```
Error Log
In CloudFormation I get the following error:

```
WorkerRole8DD27D41 | UPDATE_FAILED | Property ManagedPolicyArns contains duplicate values.
```
Environment
- **CLI Version:** 1.23.0 (build 01f326e)
- **Language:** TypeScript
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 4 years ago
- Reactions: 1
- Comments: 5 (4 by maintainers)
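
A pre-deploy check for the failure reported in this issue, as an added example that is not code from the issue or from the CDK project: it scans a synthesized CloudFormation template for `AWS::IAM::Role` resources whose `ManagedPolicyArns` repeats an entry. The names `canonical`, `findDuplicateManagedPolicies`, `eksPolicy` and `SAMPLE_TEMPLATE` are hypothetical, and the sample template is constructed for illustration.

```typescript
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, Resource> };

// Canonical string form, so ARNs written as intrinsics ({"Fn::Join": ...})
// compare by value regardless of object key order.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const parts = Object.keys(obj).sort().map(k => JSON.stringify(k) + ":" + canonical(obj[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(value);
}

// Maps each role's logical ID to the ManagedPolicyArns entries it lists more than once.
function findDuplicateManagedPolicies(template: Template): Record<string, string[]> {
  const findings: Record<string, string[]> = {};
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const resource = resources[logicalId];
    if (!resource || resource.Type !== "AWS::IAM::Role") continue;
    const arns = (resource.Properties ?? {})["ManagedPolicyArns"];
    if (!Array.isArray(arns)) continue;
    const seen: string[] = [];
    const dupes: string[] = [];
    for (const arn of arns) {
      const key = canonical(arn);
      if (seen.indexOf(key) === -1) seen.push(key);
      else if (dupes.indexOf(key) === -1) dupes.push(key);
    }
    if (dupes.length > 0) findings[logicalId] = dupes;
  }
  return findings;
}

// Constructed sample: one role lists the same managed policies twice, one is clean.
const eksPolicy = (name: string) =>
  ({ "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/" + name]] });
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    WorkerRole8DD27D41: { Type: "AWS::IAM::Role", Properties: { ManagedPolicyArns: [
      eksPolicy("AmazonEKSWorkerNodePolicy"), eksPolicy("AmazonEKS_CNI_Policy"),
      eksPolicy("AmazonEKSWorkerNodePolicy"), eksPolicy("AmazonEKS_CNI_Policy"),
    ] } },
    OtherRole: { Type: "AWS::IAM::Role", Properties: { ManagedPolicyArns: [eksPolicy("AmazonEKS_CNI_Policy")] } },
  },
};
console.log(findDuplicateManagedPolicies(SAMPLE_TEMPLATE));
```

Run it against the JSON produced by `cdk synth` before deploying, and fail the pipeline when the returned object is non-empty.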
Top GitHub Comments
Nope. I’d say this is still a bug. In CloudFormation I’m able to reuse an IAM role for multiple ASGs, so I’d expect the same from CDK.
On Wed 19. Feb 2020 at 20:07, Somaya notifications@github.com wrote:
Solved the problem by creating a second role and assigning it to the second ASG.