错误:提供的凭据无权为EC2竞价型实例创建服务链接角色 [英] Error: The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances

问题描述

通过cloudformation创建现场车队请求时，我遇到了一个错误.请求已创建，但是当舰队尝试请求实例时，出现标题中提到的错误.

I'm running into an error when creating a spot fleet request through cloudformation. The request is created but I'm getting the error mentioned in the title when the fleet attempts to request an instance.

The permissions needed are described in here, however when I try to follow the steps to create the AWSServiceRoleForEC2SpotFleet role I don't have the option to choose "EC2 - Spot Fleet", only EC2 FLeet. What's odd is that when I create the CF stack it actually does create that service linked role for me.

我的用户具有管理员凭据，并且我正在使用"aws-ec2-spot-fleet-tagging-role"作为舰队角色.

My user has admin credentials and I'm using the "aws-ec2-spot-fleet-tagging-role" as the fleet role.

据我了解，服务链接角色仅需要存在才能使其正常运行，但是我无法手动创建它.我可以使用与模板中使用的值完全相同的值，通过控制台成功创建车队，并选择相同的"aws-ec2-spot-fleet-tagging-role"在那里.

As I understand it the service linked role just needs to exist in order for this to work, but I'm unable to create it manually. I am able to successfully create the fleet via the console, using the exact same values as what I'm using in the template and I choose the same "aws-ec2-spot-fleet-tagging-role" there as well.

我还向用户提供了该文档中提到的IAM凭据，即使它是管理员，也只是为了查看我是否需要传递权限，但是据我了解，只有在提供实例配置文件时，我才真正需要它.启动规范，我不是.这是我在模板中的资源定义:

I also gave my user the IAM credentials mentioned in that document, even though it's admin, just to see if I needed the pass through permission, but as I understand I only really need that if I'm supplying an instance profile in the launch specification, which I'm not. This is my resource definition in the template:

     SpotFleetRequestConfigData: 
        TargetCapacity: 1
        IamFleetRole:  arn:aws:iam::73682036499:role/aws-ec2-spot-fleet-tagging-role
        LaunchSpecifications: 
          - ImageId: '{{resolve:ssm:TestImage:4}}' #param stored reference to AMI
            InstanceType: t2.small
            NetworkInterfaces:
              - SubnetId: !ImportValue CustomVPCStack-dmz-subnet-1
                DeviceIndex: 0
                Groups:
                  - !Ref EC2MCServerSecurityGroup
            TagSpecifications:
              - 
                ResourceType: instance
                Tags: 
                  - 
                    Key: Name
                    Value: spotfleetserver
        ReplaceUnhealthyInstances: true
        Type: maintain #default```

推荐答案

您的AWS帐户很老，可能没有创建与服务相关的角色.发出具有管理员权限的以下命令以创建具有适当信任的角色:

It's likely your AWS account is old enough that it didn't have the service-linked role created. Issue the following command with Admin permissions to create the role with the proper trust:

aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

这篇关于错误:提供的凭据无权为EC2竞价型实例创建服务链接角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！