cdk should create service linked roles

🐛 Bug Report

What is the problem?

I’m having an issue setting up AWS::ApplicationAutoScaling::ScalableTarget for a Fargate service. Apparently CDK doesn’t create service-linked roles. I found a similar issue (different service), but it was closed: #3734. Are we expected to pre-create these roles? I think the expected behavior should be for CDK to create the service-linked roles.

Reproduction Steps

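    // Fragment from inside a Stack constructor; cluster and taskDef are defined elsewhere.
    import * as ecs from "@aws-cdk/aws-ecs";
    import { Schedule } from "@aws-cdk/aws-applicationautoscaling";

    const fargateService = new ecs.FargateService(this, "fargateService", {
      cluster,
      taskDefinition: taskDef,
      desiredCount: 1,
      propagateTaskTagsFrom: ecs.PropagatedTagSource.SERVICE
    });

    // Registers the AWS::ApplicationAutoScaling::ScalableTarget that fails in the log below.
    const scaling = fargateService.autoScaleTaskCount({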
      minCapacity: 0,
      maxCapacity: 1
    });

    scaling.scaleOnSchedule("scalingUp", {
      schedule: Schedule.expression("cron(0 15 ? * MON-FRI *)"), // MON-FRI @ 9am MT
      minCapacity: 1,
      maxCapacity: 1
    });

    scaling.scaleOnSchedule("scalingDown", {
      schedule: Schedule.expression("cron(0 22 ? * MON-FRI *)"), // MON-FRI @ 4pm MT
      minCapacity: 0,
      maxCapacity: 0
    });

Verbose Log

3/4 | 11:46:15 AM | CREATE_FAILED        | AWS::ApplicationAutoScaling::ScalableTarget | fargateService/TaskCount/Target (fargateServiceTaskCountTarget655BF465) 
Unable to assume IAM role: arn:aws:iam::1234567890:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService 
(Service: AWSApplicationAutoScaling; Status Code: 400; Error Code: ValidationException; Request ID: e0fa3fe9-d8a9-11e9-9457-e58085b5712e)

Environment

  • CDK CLI Version: 1.8.0 (build 5244f97)
  • OS: OSX High Sierra
  • Language: TypeScript

Other information

https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-service-linked-roles.html

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 17
  • Comments: 9 (7 by maintainers)
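
The failure in the verbose log names the missing service-linked role by its ARN, which is enough to derive both a template resource that creates the role and a narrowly scoped permission for the deploying principal. The following is an added example, not code from the issue or from the CDK project; the function names and `SAMPLE_EVENT` (built from the log above) are hypothetical.

```typescript
// Added example; all names below are hypothetical helpers, not CDK APIs.
interface ServiceLinkedRoleRef {
  partition: string;
  accountId: string;
  awsServiceName: string; // service principal embedded in the role path
  roleName: string;
}

// Service-linked roles always live under the aws-service-role/ path:
// arn:<partition>:iam::<account>:role/aws-service-role/<service principal>/<role name>
const SLR_ARN =
  /arn:(aws[a-z-]*):iam::(\d+):role\/aws-service-role\/([a-z0-9.-]+)\/([\w+=,.@-]+)/;

// Returns the role a failed stack event refers to, or null when the message
// is not an assume-role failure or the role is not service-linked.
function parseMissingServiceLinkedRole(eventMessage: string): ServiceLinkedRoleRef | null {
  if (!/Unable to assume IAM role/i.test(eventMessage)) return null;
  const m = SLR_ARN.exec(eventMessage);
  if (m === null) return null;
  return { partition: m[1], accountId: m[2], awsServiceName: m[3], roleName: m[4] };
}

// CloudFormation resource that creates the role explicitly.
function serviceLinkedRoleResource(ref: ServiceLinkedRoleRef) {
  return {
    Type: "AWS::IAM::ServiceLinkedRole",
    Properties: { AWSServiceName: ref.awsServiceName },
  };
}

// IAM statement letting the deployer create this one service-linked role only,
// instead of granting iam:CreateServiceLinkedRole on "*".
function createRoleStatement(ref: ServiceLinkedRoleRef) {
  return {
    Effect: "Allow",
    Action: "iam:CreateServiceLinkedRole",
    Resource: `arn:${ref.partition}:iam::${ref.accountId}:role/aws-service-role/${ref.awsServiceName}/${ref.roleName}*`,
    Condition: { StringLike: { "iam:AWSServiceName": ref.awsServiceName } },
  };
}

// Constructed sample: the status reason from the verbose log in this issue.
const SAMPLE_EVENT =
  "Unable to assume IAM role: arn:aws:iam::1234567890:role/aws-service-role/" +
  "ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService " +
  "(Service: AWSApplicationAutoScaling; Status Code: 400; Error Code: ValidationException)";
```

The generated resource belongs in a one-time account bootstrap template: creating a service-linked role that already exists in the account is rejected.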

Top GitHub Comments

2 reactions
holmesjr commented, Mar 11, 2020

I can confirm this is an issue even if CDK creates a simple Fargate service with no autoscaling etc. If ECS has never run in the account before by the wizard or via the CLI, a CF deployment will not create the service-linked role. I had to manually create and then delete a fargate cluster in the console to create and link the role - deployment worked after that.

0 reactions
peterwoodworth commented, Jun 20, 2022

I can’t find any issues specifically related to this in the CloudFormation roadmap.

If there’s anything we need from CloudFormation - what would it be? Even if it doesn’t work for all resources, did we try to see if the customSuffix field works for application autoscaling?
