cdk should create service linked roles
🐛 Bug Report
What is the problem?
I’m having an issue with setting up AWS::ApplicationAutoScaling::ScalableTarget for a Fargate service. Apparently cdk doesn’t create service-linked roles. I found a similar issue (diff service) but it was closed: #3734. Are we expected to pre-create these roles? I think the expected behavior should be for cdk to create the service-linked roles.
Reproduction Steps
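// Imports for CDK v1 (the report uses CLI 1.8.0)
import * as ecs from "@aws-cdk/aws-ecs";
import { Schedule } from "@aws-cdk/aws-applicationautoscaling";

// Inside a Stack; `cluster` and `taskDef` are defined elsewhere
const fargateService = new ecs.FargateService(this, "fargateService", {
  cluster,
  taskDefinition: taskDef,
  desiredCount: 1,
  propagateTaskTagsFrom: ecs.PropagatedTagSource.SERVICE
});
// Registers the AWS::ApplicationAutoScaling::ScalableTarget that fails below
const scaling = fargateService.autoScaleTaskCount({
  minCapacity: 0,
  maxCapacity: 1
});
scaling.scaleOnSchedule("scalingUp", {
  schedule: Schedule.expression("cron(0 15 ? * MON-FRI *)"), // MON-FRI @ 9am MT
  minCapacity: 1,
  maxCapacity: 1
});
scaling.scaleOnSchedule("scalingDown", {
  schedule: Schedule.expression("cron(0 22 ? * MON-FRI *)"), // MON-FRI @ 4pm MT
  minCapacity: 0,
  maxCapacity: 0
});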
Verbose Log
3/4 | 11:46:15 AM | CREATE_FAILED | AWS::ApplicationAutoScaling::ScalableTarget | fargateService/TaskCount/Target (fargateServiceTaskCountTarget655BF465)
Unable to assume IAM role: arn:aws:iam::1234567890:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService
(Service: AWSApplicationAutoScaling; Status Code: 400; Error Code: ValidationException; Request ID: e0fa3fe9-d8a9-11e9-9457-e58085b5712e)
Environment
- CDK CLI Version: 1.8.0 (build 5244f97)
- OS: OSX High Sierra
- Language: TypeScript
Other information
Issue Analytics
- State:
- Created 4 years ago
- Reactions:17
- Comments:9 (7 by maintainers)
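A pre-deploy check for the failure reported above, as an added example that is not part of the issue or of the CDK code base: it scans a synthesized CloudFormation template for resources that depend on a service-linked role and reports the roles the account does not have yet. The function names, the two-entry mapping and the sample template are assumptions made for illustration; the list of existing role names would come from something like `aws iam list-roles --path-prefix /aws-service-role/`.

```typescript
// Added example, not CDK code. The mapping covers only the two cases
// discussed on this page (Application Auto Scaling for ECS, and ECS itself).
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

interface RequiredRole {
  awsServiceName: string; // value for: aws iam create-service-linked-role --aws-service-name
  roleName: string;
  neededBy: string[];     // logical IDs of the resources that rely on the role
}

// Returns [service principal, role name] for a resource, or null if unknown here.
function roleFor(type: string, props: Record<string, unknown>): [string, string] | null {
  if (type === "AWS::ApplicationAutoScaling::ScalableTarget" && props["ServiceNamespace"] === "ecs") {
    return ["ecs.application-autoscaling.amazonaws.com",
            "AWSServiceRoleForApplicationAutoScaling_ECSService"];
  }
  if (type === "AWS::ECS::Service") {
    return ["ecs.amazonaws.com", "AWSServiceRoleForECS"];
  }
  return null;
}

function missingServiceLinkedRoles(template: Template, existingRoleNames: string[]): RequiredRole[] {
  const existing = new Set(existingRoleNames);
  const missing = new Map<string, RequiredRole>();
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    const hit = roleFor(res.Type, res.Properties ?? {});
    if (hit === null || existing.has(hit[1])) continue;
    const entry = missing.get(hit[1]) ?? { awsServiceName: hit[0], roleName: hit[1], neededBy: [] };
    entry.neededBy.push(logicalId);
    missing.set(hit[1], entry);
  }
  return Array.from(missing.values());
}

// Constructed sample resembling what `cdk synth` emits for the stack in the report.
const sampleTemplate: Template = { Resources: {
  fargateService: { Type: "AWS::ECS::Service", Properties: { LaunchType: "FARGATE" } },
  fargateServiceTaskCountTarget655BF465: {
    Type: "AWS::ApplicationAutoScaling::ScalableTarget",
    Properties: { ServiceNamespace: "ecs", ScalableDimension: "ecs:service:DesiredCount" },
  },
} };

// Account where ECS has run before but Application Auto Scaling has not.
for (const r of missingServiceLinkedRoles(sampleTemplate, ["AWSServiceRoleForECS"])) {
  console.log(`${r.roleName} missing (needed by ${r.neededBy.join(", ")}); create with: ` +
    `aws iam create-service-linked-role --aws-service-name ${r.awsServiceName}`);
}
```

Creating the role requires `iam:CreateServiceLinkedRole` on the deploying principal, which is worth scoping to the specific service names rather than granting broadly.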
Top GitHub Comments
I can confirm this is an issue even if CDK creates a simple Fargate service with no autoscaling etc. If ECS has never run in the account before by the wizard or via the CLI, a CF deployment will not create the service-linked role. I had to manually create and then delete a fargate cluster in the console to create and link the role - deployment worked after that.
I can’t find any issues specifically related to this in the CloudFormation roadmap.
If there’s anything we need from CloudFormation - what would it be? Even if it doesn’t work for all resources, did we try to see if the customSuffix field works for application autoscaling?