Question
I'm running into an error when creating a spot fleet request through cloudformation. The request is created but I'm getting the error mentioned in the title when the fleet attempts to request an instance.
The permissions needed are described here, however when I try to follow the steps to create the AWSServiceRoleForEC2SpotFleet role I don't have the option to choose "EC2 - Spot Fleet", only "EC2 Fleet". What's odd is that when I create the CF stack it actually does create that service-linked role for me.
My user has admin credentials and I'm using the "aws-ec2-spot-fleet-tagging-role" as the fleet role.
As I understand it the service-linked role just needs to exist in order for this to work, but I'm unable to create it manually. I am able to successfully create the fleet via the console, using the exact same values as what I'm using in the template, and I choose the same "aws-ec2-spot-fleet-tagging-role" there as well.
I also gave my user the IAM permissions mentioned in that document, even though it's admin, just to see if I needed the pass-through permission, but as I understand it I only really need that if I'm supplying an instance profile in the launch specification, which I'm not. This is my resource definition in the template:
```yaml
# Properties of the AWS::EC2::SpotFleet resource (indentation restored)
SpotFleetRequestConfigData:
  TargetCapacity: 1
  IamFleetRole: arn:aws:iam::73682036499:role/aws-ec2-spot-fleet-tagging-role
  LaunchSpecifications:
    - ImageId: '{{resolve:ssm:TestImage:4}}' # AMI ID resolved from an SSM parameter
      InstanceType: t2.small
      NetworkInterfaces:
        - SubnetId: !ImportValue CustomVPCStack-dmz-subnet-1
          DeviceIndex: 0
          Groups:
            - !Ref EC2MCServerSecurityGroup
      TagSpecifications:
        - ResourceType: instance
          Tags:
            - Key: Name
              Value: spotfleetserver
  ReplaceUnhealthyInstances: true
  Type: maintain # default
```
Answer 1:
It's likely your AWS account is old enough that it didn't have the service-linked role created. Issue the following command with Admin permissions to create the role with the proper trust:
```shell
# Creates the AWSServiceRoleForEC2Spot service-linked role (used when Spot
# Instances are requested). The AWSServiceRoleForEC2SpotFleet role named in
# the question is created with --aws-service-name spotfleet.amazonaws.com.
# The call fails with InvalidInput if the role already exists, which is harmless.
aws iam create-service-linked-role --aws-service-name spot.amazonaws.com
```
Answer 2:
I was able to get it to work, though I'm still not entirely clear why. When I create a Spot Fleet through the console, the default role selected is the "aws-ec2-spot-fleet-tagging-role". This is the role I was using for the fleet resource definition in my CloudFormation template, but it would result in the IAM error I mentioned. I first tried making sure the service-linked roles I needed were created, described here: https://docs.aws.amazon.com/batch/latest/userguide/spot_fleet_IAM_role.html. But I was still getting the error while using the Spot Fleet tagging role. I could only get it to complete an instance request successfully after creating a new policy with the following permissions:
```json
"ec2:DescribeImages",
"ec2:TerminateInstances",
"ec2:RequestSpotInstances",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:DescribeSubnets",
"ec2:DescribeInstanceStatus"
```
and
```json
"iam:CreateServiceLinkedRole",
"iam:ListRoles",
"iam:ListInstanceProfiles"
```
The tagging role I was using previously only had the first set of permissions for EC2, not the IAM permissions. If anyone has a better answer I'll take it, because as I said it's still not clear why, when I use the tagging role in the console, it works, but through CloudFormation it results in the IAM error. When I create the stack I'm not specifying any IAM permissions, so it should be using the same permissions as my user, which is an admin user.
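The two answers together describe a check-and-fix procedure: confirm that the Spot service-linked roles exist (answer 1) and give the fleet role the permission to create them (answer 2). The script below is an added example, not code from either answer or from AWS. It lists which of the two Spot service-linked roles are missing, reads the service principal a role trusts (to catch a role that exists but has the wrong trust), creates the missing roles through boto3, and builds a permissions policy that grants the same EC2 actions answer 2 lists but scopes `iam:CreateServiceLinkedRole` with the `iam:AWSServiceName` condition key to the two Spot principals instead of granting it unconditionally. The policy document, the trust policy and the `ensure_service_linked_roles` helper are this example's own construction; the service principals `spot.amazonaws.com` and `spotfleet.amazonaws.com` are the ones AWS uses for the AWSServiceRoleForEC2Spot and AWSServiceRoleForEC2SpotFleet roles.

```python
"""Check/create the Spot service-linked roles and build a least-privilege
fleet role policy. Added example; the policy shape is this example's own."""
import json

# Service-linked role name -> service principal passed to CreateServiceLinkedRole.
SPOT_SERVICE_LINKED_ROLES = {
    "AWSServiceRoleForEC2Spot": "spot.amazonaws.com",
    "AWSServiceRoleForEC2SpotFleet": "spotfleet.amazonaws.com",
}

# EC2 actions listed in answer 2 (the ones the tagging role already had).
FLEET_EC2_ACTIONS = [
    "ec2:DescribeImages", "ec2:TerminateInstances", "ec2:RequestSpotInstances",
    "ec2:CreateTags", "ec2:RunInstances", "ec2:DescribeSubnets",
    "ec2:DescribeInstanceStatus",
]


def missing_service_linked_roles(existing_role_names):
    """Return {role_name: service_principal} for Spot SLRs not in the list."""
    present = set(existing_role_names)
    return {n: s for n, s in SPOT_SERVICE_LINKED_ROLES.items() if n not in present}


def trusted_services(role):
    """Service principals allowed to assume `role`, taken from the decoded
    AssumeRolePolicyDocument as boto3's get_role/list_roles return it."""
    services = set()
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def fleet_role_policy():
    """Permissions policy for a custom fleet role (hypothetical, built from
    answer 2's action list): CreateServiceLinkedRole is restricted to the
    Spot principals via iam:AWSServiceName instead of being unconditioned."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": FLEET_EC2_ACTIONS, "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "iam:AWSServiceName": sorted(SPOT_SERVICE_LINKED_ROLES.values())
                }},
            },
            {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:ListInstanceProfiles"],
             "Resource": "*"},
        ],
    }


def fleet_role_trust_policy():
    """Trust policy letting the Spot Fleet service assume the fleet role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "spotfleet.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }]}


def ensure_service_linked_roles(iam):
    """Create whichever Spot SLRs are missing; `iam` is a boto3 IAM client.
    Listing first avoids the InvalidInput error for an existing role."""
    names = [r["RoleName"] for page in iam.get_paginator("list_roles").paginate()
             for r in page["Roles"]]
    created = []
    for name, service in missing_service_linked_roles(names).items():
        iam.create_service_linked_role(AWSServiceName=service)
        created.append(name)
    return created


if __name__ == "__main__":
    import boto3  # needs admin-level credentials, as answer 1 notes
    print("created:", ensure_service_linked_roles(boto3.client("iam")))
    print(json.dumps(fleet_role_policy(), indent=2))
```

Run it once with admin credentials to create the roles; the printed policy can then be attached to a fleet role in place of the unconditioned grant from answer 2, so the fleet role can only create the two Spot service-linked roles and nothing else.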
Source: https://stackoverflow.com/questions/64136679/error-the-provided-credentials-do-not-have-permission-to-create-the-service-lin