[autoscaling] Unable to use the same iam role for multiple AutoscalingGroups


I had an EKS cluster with an IAM role assigned to an Auto Scaling group used for the worker nodes. When creating a second ASG and assigning the same IAM role, I get this error in CloudFormation: “Property ManagedPolicyArns contains duplicate values.”

Reproduction Steps

```typescript
// CDK v1 module imports used by the snippet below.
import * as autoscaling from '@aws-cdk/aws-autoscaling';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as eks from '@aws-cdk/aws-eks';
import * as iam from '@aws-cdk/aws-iam';
import { Effect } from '@aws-cdk/aws-iam';

// The remaining code runs inside the Stack constructor.
this.eksCluster = new eks.Cluster(this, 'Cluster', {
    clusterName: clusterName,
    defaultCapacity: 0,
    role: clusterRole,
    securityGroup: eksSg,
    version: context['ClusterVersion'],
    vpc: vpc,
    vpcSubnets: [
        vpcSubnets
    ]
});

// A single worker role, shared by both Auto Scaling groups below.
const workerRole = new iam.Role(this, "WorkerRole", {
    assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
    roleName: `${applicationName}${environment}${uniqueIdentifier}EKSWorkerRole`,
    inlinePolicies: {
        "WorkerPolicies": new iam.PolicyDocument({
            statements: [
                new iam.PolicyStatement({
                    effect: Effect.ALLOW,
                    actions: [
                        "autoscaling:DescribeAutoScalingGroups"
                    ],
                    resources: ["*"]
                })
            ]
        })
    }
});

// First ASG using workerRole.
const onDemandASG = new autoscaling.AutoScalingGroup(this, 'OnDemandASG', {
    vpc: vpc,
    role: workerRole,
    minCapacity: 2,
    maxCapacity: 10,
    instanceType: new ec2.InstanceType("t3.large"),
    machineImage: new eks.EksOptimizedImage({
        kubernetesVersion: clusterVersion,
        nodeType: eks.NodeType.STANDARD  // without this, incorrect SSM parameter for AMI is resolved
    }),
    updateType: autoscaling.UpdateType.ROLLING_UPDATE,
    vpcSubnets: vpcSubnets
});
this.eksCluster.addAutoScalingGroup(onDemandASG, {
    bootstrapEnabled: true,
    mapRole: true
});

// Second ASG reusing the same workerRole; this is what triggers the error.
const elasticsearchASG = new autoscaling.AutoScalingGroup(this, 'ElasticsearchASG', {
    vpc: vpc,
    role: workerRole,
    minCapacity: 3,
    maxCapacity: 4,
    desiredCapacity: 3,
    instanceType: new ec2.InstanceType("t3.large"),
    machineImage: new eks.EksOptimizedImage({
        kubernetesVersion: clusterVersion,
        nodeType: eks.NodeType.STANDARD  // without this, incorrect SSM parameter for AMI is resolved
    }),
    updateType: autoscaling.UpdateType.ROLLING_UPDATE,
    vpcSubnets: {
        subnets: [ publicSubnet1a ]
    }
});

elasticsearchASG.connections.allowFrom(ec2.Peer.ipv4(context['OfficeIP']), ec2.Port.allTcp());
this.eksCluster.addAutoScalingGroup(elasticsearchASG, {
    bootstrapEnabled: true,
    mapRole: true
});
```

Error Log

In CloudFormation I get the following error:

WorkerRole8DD27D41 | UPDATE_FAILED | Property ManagedPolicyArns contains duplicate values.

Environment

  • CLI Version: 1.23.0 (build 01f326e)
  • Language: TypeScript

This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
moatazelmasry2 commented, Feb 19, 2020

Nope. I’d say this is still a bug. In CloudFormation I’m able to reuse an IAM role for multiple ASGs, so I’d expect the same from CDK.

On Wed 19. Feb 2020 at 20:07, Somaya notifications@github.com wrote:

@moatazelmasry2 https://github.com/moatazelmasry2 I’m glad you found a solution! Can I go ahead and close this issue?


1 reaction
moatazelmasry2 commented, Feb 19, 2020

Solved the problem by creating a second role and assigning it to the second ASG
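
A pre-deployment check for the error reported in this issue, as an added example that is not part of the original issue or of the CDK code base: it scans a synthesized CloudFormation template for `AWS::IAM::Role` resources whose `ManagedPolicyArns` list contains the same entry more than once, comparing entries structurally because they are often `Fn::Join` objects rather than plain strings. The sample template, its logical IDs and the function names are constructed for illustration.

```typescript
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
interface Template {
  Resources: Record<string, { Type: string; Properties?: Record<string, Json> }>;
}

// Canonical string form with sorted object keys, so two structurally equal
// intrinsics (Fn::Join, Ref, ...) compare equal even if key order differs.
function canonical(value: Json): string {
  if (Array.isArray(value)) return "[" + value.map((v) => canonical(v)).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const entries = Object.entries(value).sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
    return "{" + entries.map(([k, v]) => JSON.stringify(k) + ":" + canonical(v)).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Returns, per IAM role logical ID, the entries that occur more than once.
function findDuplicateManagedPolicies(template: Template): Record<string, string[]> {
  const findings: Record<string, string[]> = {};
  for (const [logicalId, resource] of Object.entries(template.Resources)) {
    if (resource.Type !== "AWS::IAM::Role") continue;
    const arns = resource.Properties?.ManagedPolicyArns;
    if (!Array.isArray(arns)) continue;
    const seen = new Set<string>();
    const dupes = new Set<string>();
    for (const arn of arns) {
      const key = canonical(arn);
      if (seen.has(key)) dupes.add(key);
      seen.add(key);
    }
    if (dupes.size > 0) findings[logicalId] = Array.from(dupes);
  }
  return findings;
}

// Constructed sample: WorkerRole lists one managed policy twice, OtherRole is clean.
const managed = (name: string): Json => ({
  "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, `:iam::aws:policy/${name}`]],
});
const sampleTemplate: Template = {
  Resources: {
    WorkerRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        ManagedPolicyArns: [managed("AmazonEKSWorkerNodePolicy"), managed("AmazonEKS_CNI_Policy"), managed("AmazonEKSWorkerNodePolicy")],
      },
    },
    OtherRole: { Type: "AWS::IAM::Role", Properties: { ManagedPolicyArns: [managed("AmazonEKS_CNI_Policy")] } },
  },
};
console.log(findDuplicateManagedPolicies(sampleTemplate));
```

Run against the template JSON that `cdk synth` writes, a non-empty result flags the role before CloudFormation rejects the update.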
