aws-autoscaling-gitlab-runner
Missing Permission for Spot Instance Creation
I use spot instances for runners. However, after setting GitLabRunnerSpotInstance to "Yes", the manager could not create the new machines and the logs stated that:
Error creating machine: Error in driver during machine creation: Error request spot instance: AuthFailure.ServiceLinkedRoleCreationNotPermitted: The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances.
I had to add "iam:CreateServiceLinkedRole" for resource "*" to the manager's inline policy "Runners". I got the information from a related issue: https://github.com/AutoSpotting/AutoSpotting/issues/187
Hi @MartinLoeper! Thanks a lot for your interest in this project and your report.
I'm afraid I tested this on an account that already had a service linked role, so the iam:CreateServiceLinkedRole permission was not needed. 😱
I might try to force the creation of the service-linked role in the CloudFormation template to ensure it's present, but I wonder if that will work… 🤔
Hi @fquffio, unfortunately I do not know which service linked role has to be created there. 😆
I just wanted to make it work as quickly as possible and adding the permission above works well. If you come up with a proper solution, I might test it on our infrastructure.
I'll try to open a PR in the afternoon, but I'm afraid you'd have to delete all service-linked roles before testing… 😞
I might try to find an AWS account in which I have never used spot instances. 🤔
I ran into the same issue. Here is the PR: #12
Looks like AWS creates the AWSServiceRoleForEC2Spot role automatically on the first ever spot instance request. So, if you make a spot request via AWS (web), it will probably solve your problem.
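Added example, not part of the thread or the project's template: the workaround above grants iam:CreateServiceLinkedRole on "*", which lets the manager create a service-linked role for any AWS service. The CloudFormation fragment below scopes the same permission to the EC2 Spot role only. The policy name "Runners" and the role name AWSServiceRoleForEC2Spot come from the thread; the surrounding layout and the service name spot.amazonaws.com are assumptions about how the statement would be written.

```yaml
# Added example: inline policy fragment for the manager's IAM role.
# The layout is assumed, not copied from the project's template.
Policies:
  - PolicyName: Runners
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # Workaround from the thread (broad): any service-linked role
        # for any service can be created by the manager.
        # - Effect: Allow
        #   Action: iam:CreateServiceLinkedRole
        #   Resource: "*"

        # Scoped form: only the EC2 Spot service-linked role, and only
        # when the request is made on behalf of the Spot service.
        - Effect: Allow
          Action: iam:CreateServiceLinkedRole
          Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
          Condition:
            StringLike:
              iam:AWSServiceName: spot.amazonaws.com
```

Once the role exists in the account, the statement is no longer exercised, which is why the problem did not show up on an account that had already used Spot Instances.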