
fix: add iam:CreateServiceLinkedRole

Open mpgo13 opened this issue 5 years ago • 5 comments

See issue #7

mpgo13 avatar Mar 22 '19 02:03 mpgo13

Hi @mpgo13 ! Thanks (again) for your contributions!

I'm not sure about the approach of this solution… 🤔 I know that iam:CreateServiceLinkedRole is a relatively safe permission, but I'd prefer not to grant it to an EC2 instance anyway.

How about creating a service-linked role in the CloudFormation template? (see docs)

ServiceLinkedRole:
    Type: 'AWS::IAM::ServiceLinkedRole'
    Properties:
        AWSServiceName: !Sub 'ec2.${AWS::URLSuffix}' # TODO: check if this is correct!!
        CustomSuffix: !Sub '-${AWS::StackName}'
        Description: !Sub 'Service-Linked Role for EC2 Spot Instances - ${AWS::StackName}'
    Condition: 'UseSpotInstances'

Or, at least, grant that permission in EC2 Instance Profile only if UseSpotInstances is true. 🙃

fquffio avatar Mar 22 '19 11:03 fquffio
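The "at least" alternative above, as an added CloudFormation fragment that is not part of this PR: the instance role only receives iam:CreateServiceLinkedRole when UseSpotInstances is true, and only for the Spot service-linked role rather than for any service. The resource names, the RunnerInstanceRole role and the spot.amazonaws.com service name are assumptions, not taken from the project's template.

```yaml
Parameters:
  UseSpotInstances:
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'false'

Conditions:
  UseSpotInstances: !Equals [!Ref UseSpotInstances, 'true']

Resources:
  # Assumed name for the role behind the EC2 instance profile.
  RunnerInstanceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'ec2.${AWS::URLSuffix}'
            Action: 'sts:AssumeRole'

  # Separate policy resource so the grant is created only when the
  # stack condition holds; with UseSpotInstances=false it does not exist.
  SpotServiceLinkedRolePolicy:
    Type: 'AWS::IAM::Policy'
    Condition: 'UseSpotInstances'
    Properties:
      PolicyName: !Sub 'create-spot-slr-${AWS::StackName}'
      Roles:
        - !Ref RunnerInstanceRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'iam:CreateServiceLinkedRole'
            # Restrict the grant to the Spot SLR: the role ARN pattern plus
            # the iam:AWSServiceName condition key (spot.amazonaws.com is assumed
            # to be the service name behind AWSServiceRoleForEC2Spot).
            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot'
            Condition:
              StringEquals:
                'iam:AWSServiceName': 'spot.amazonaws.com'
```

Because the service-linked role is account-wide, a second stack in the same account finds it already present; scoping the grant this narrowly limits the blast radius if a runner instance is compromised, since the permission cannot be used to create any other service-linked role.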

Good point @fquffio , I'll have a look at it.

mpgo13 avatar Mar 23 '19 08:03 mpgo13

This worked now for me :) The fix will create the service-linked role and CloudFormation will automatically attach the managed policy AWSEC2SpotServiceRolePolicy to it.

mpgo13 avatar Mar 24 '19 23:03 mpgo13

Tested creating two stacks and got:

SLR [AWSServiceRoleForEC2Spot] already exists but has a different description: [Service-Linked Role for EC2 Spot Instances - gitlab-runner] Please verify your SLR use case. If you are sure the use case is correct please modify your CloudFormation template and keep SLR description consistent.

mpgo13 avatar Mar 24 '19 23:03 mpgo13

Thanks a lot, @mpgo13! I'll run a couple of tests today!

fquffio avatar Mar 25 '19 08:03 fquffio