
Service Linked Role Required for ElasticSearch Domain Not Created Automatically


🐛 Bug Report

What is the problem?

CfnDomain does not create a service linked role automatically. I think this makes it impossible to deploy reliably using only CDK, as the role may have been created by a previous domain and can’t be created twice in the same region. The only option seems to be pre-creating the role in the CLI before deploying, which is awkward to document and difficult (maybe impossible) to automate.

Reproduction Steps

import { Vpc, SecurityGroup } from '@aws-cdk/aws-ec2';
import { CfnDomain } from '@aws-cdk/aws-elasticsearch';

const vpc = new Vpc(this, 'Vpc', {
  maxAzs: 3
});

// The original snippet was truncated at the security group; a dedicated group is assumed.
const searchSg = new SecurityGroup(this, 'SearchSg', { vpc });

new CfnDomain(this, 'Search', {
  elasticsearchVersion: '6.7',
  elasticsearchClusterConfig: {
    instanceCount: 2,
    zoneAwarenessEnabled: true,
    instanceType: 't2.small.elasticsearch',
  },
  ebsOptions: {
    ebsEnabled: true,
    volumeSize: 10,
    volumeType: 'gp2'
  },
  vpcOptions: {
    securityGroupIds: [searchSg.securityGroupId],
    // reconstructed from the truncated original: one subnet id per private subnet
    subnetIds: vpc.privateSubnets.map(subnet => subnet.subnetId),
  },
});

Verbose Log

$ npm run cdk deploy
15/27 | 2:04:49 PM | CREATE_FAILED        | AWS::Elasticsearch::Domain            | Search Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC. (Service: AWSElasticsearch; Status Code: 400; Error Code: ValidationException;)


Related to #569 which indicates that these roles should be built automatically.
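The pre-creation step the issue describes as "awkward to document and difficult to automate" can be made a repeatable, idempotent bootstrap that runs before cdk deploy. The script below is an added example, not code from the issue or from the CDK project. It assumes the AWS CLI is installed with credentials configured, and it uses the service name and role name that AWS documents for the legacy Elasticsearch service (es.amazonaws.com / AWSServiceRoleForAmazonElasticsearchService; the OpenSearch equivalents are opensearchservice.amazonaws.com / AWSServiceRoleForAmazonOpenSearchService). Because a service-linked role is an account-wide singleton, the function checks before creating, tolerates a concurrent creator, and waits for IAM's eventual consistency so the domain does not hit the ValidationException in the log above.

```shell
#!/bin/sh
# Idempotent pre-deploy bootstrap of an IAM service-linked role.
# Added example, not part of the original issue or the CDK project.
# Assumes the AWS CLI is on PATH and credentials are configured.

ensure_service_linked_role() {
    service="$1"    # e.g. es.amazonaws.com or opensearchservice.amazonaws.com
    role_name="$2"  # e.g. AWSServiceRoleForAmazonElasticsearchService

    # Fast path: the role already exists in this account (it is global, not per region).
    if aws iam get-role --role-name "$role_name" >/dev/null 2>&1; then
        echo "service-linked role $role_name already exists" >&2
        return 0
    fi

    echo "creating service-linked role for $service" >&2
    if ! aws iam create-service-linked-role --aws-service-name "$service" >/dev/null; then
        # A parallel deploy may have created it between our check and our create;
        # only fail if it is still missing.
        aws iam get-role --role-name "$role_name" >/dev/null 2>&1 || return 1
    fi

    # IAM is eventually consistent; block until the role is visible so the
    # domain creation that follows does not race it.
    aws iam wait role-exists --role-name "$role_name"
}

# Usage: sh ensure-slr.sh bootstrap && npm run cdk deploy
if [ "${1:-}" = "bootstrap" ]; then
    ensure_service_linked_role es.amazonaws.com AWSServiceRoleForAmazonElasticsearchService
fi
```

Running this as the first step of the pipeline (or as a CDK pre-deploy hook) turns the one-off manual action into something that is safe to execute on every deploy, in a fresh region or a fresh account alike.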

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:13 (1 by maintainers)

Top GitHub Comments

jrjohnson commented, May 28, 2020

I think it is underappreciated how difficult a one-off job like creating this role is in a fully automated provisioning setup, especially if there is an arbitrary delay before it seems to work. Our setup requires us to be able to reliably build and deploy to a new region (or entirely new account) quickly. Having a single manual step in an otherwise automated process is a huge footgun. It’s safer for us to just execute a well-written set of instructions instead, validating on each step.

This single issue is completely blocking our migration to CDK. Given that this was closed without resolution a year ago I thought there might be a long term plan to add support for all services in CDK. I guess not? Telling us to build it ourselves is a weird stance to take from a company that makes billions of dollars and for a service we pay for. I’m happy to take a crack at it if AWS is willing to foot the bill for development time or provide my university free service in exchange.

logemann commented, May 28, 2020

You are right with your point that closing this case is wrong because it doesn’t work for a lot of users, as it seems. Furthermore, doing stuff like this manually contradicts the whole concept of CDK. I can live with manually creating a Client VPN Endpoint, but roles should really work in order to get the deploy step running.


Top Results From Across the Web

Before you can proceed, you must enable a service-linked ...
The service-linked role can be created using the AWS CLI. aws iam create-service-linked-role --aws-service-name opensearchservice.amazonaws.

Using service-linked roles for Amazon OpenSearch Service
A service-linked role is a unique type of IAM role that is linked directly to OpenSearch Service. Service-linked roles are predefined by OpenSearch...

Before you can proceed, you must enable a service-linked ...
In the IAM console, I cannot select that service for a role. I believe it is supposed to be created automatically. Has...

Amazon Elasticsearch Service - Gruntwork Docs
Whether or not the Service Linked Role for Elasticsearch should be created within this module. Normally the service linked role is created automatically...

aws_elasticsearch_domain | Resources | hashicorp/aws
desired_state - (Required) The Auto-Tune desired state for the domain. ... You must have created the service linked role for the Elasticsearch service...
