Issue
I'm running into an error when creating a spot fleet request through cloudformation. The request is created but I'm getting the error mentioned in the title when the fleet attempts to request an instance.
The permissions needed are described here, however when I try to follow the steps to create the AWSServiceRoleForEC2SpotFleet role I don't have the option to choose "EC2 - Spot Fleet", only "EC2 Fleet". What's odd is that when I create the CF stack it actually does create that service linked role for me.
My user has admin credentials and I'm using the "aws-ec2-spot-fleet-tagging-role" as the fleet role.
As I understand it the service linked role just needs to exist in order for this to work, but I'm unable to create it manually. I am able to successfully create the fleet via the console, using the exact same values as what I'm using in the template and I choose the same "aws-ec2-spot-fleet-tagging-role" there as well.
I also gave my user the IAM credentials mentioned in that document, even though it's admin, just to see if I needed the pass through permission, but as I understand I only really need that if I'm supplying an instance profile in the launch specification, which I'm not. This is my resource definition in the template:
```yaml
SpotFleetRequestConfigData:
  TargetCapacity: 1
  IamFleetRole: arn:aws:iam::73682036499:role/aws-ec2-spot-fleet-tagging-role
  LaunchSpecifications:
    - ImageId: '{{resolve:ssm:TestImage:4}}' # param stored reference to AMI
      InstanceType: t2.small
      NetworkInterfaces:
        - SubnetId: !ImportValue CustomVPCStack-dmz-subnet-1
          DeviceIndex: 0
          Groups:
            - !Ref EC2MCServerSecurityGroup
      TagSpecifications:
        - ResourceType: instance
          Tags:
            - Key: Name
              Value: spotfleetserver
  ReplaceUnhealthyInstances: true
  Type: maintain # default
```
Solution
The reason it works through the console is because it attaches the correct IAM instance profile. That's missing from your SpotFleetRequestConfigData.
I was trying to create a spot fleet request as well but using Terraform and I got the same error. Based on the code snippet in the question, I believe the correct syntax is:
```yaml
SpotFleetRequestConfigData:
  LaunchSpecifications:
    # CloudFormation spells the launch-specification property
    # IamInstanceProfile with a nested Arn key
    - IamInstanceProfile:
        Arn: arn:aws:iam:::instance-profile/instance-compute-full-access
```
Note: you probably have to add your account ID to the ARN and a role with lesser permission than full compute access may also work.
Answered By - Scott Answer Checked By - David Goodson (WPSolving Volunteer)
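As an added illustration that is not part of the question or of Scott's answer, here is the question's resource combined with a dedicated instance profile defined in the same template, so the launch specification carries an `IamInstanceProfile` and the role behind it grants only what the instance needs instead of full compute access. The logical names `SpotInstanceRole`, `SpotInstanceProfile`, `SpotFleet` and `ReadInstanceTags` are assumed; the values taken from the question (the SSM-resolved AMI, the imported subnet, the security group reference, the tagging role name) are kept as given there. The hardcoded account ID is replaced with the `AWS::AccountId` pseudo parameter.

```yaml
Resources:
  # Assumed name. This is the role the launched instances run as; keep its
  # policy to the calls the workload makes rather than a broad compute policy.
  SpotInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        # Example of a narrow inline policy (assumed): the instance may only
        # read EC2 tags. Describe* actions do not support resource-level
        # restriction, so '*' is the narrowest resource available here.
        - PolicyName: ReadInstanceTags
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ec2:DescribeTags
                Resource: '*'

  # Assumed name. The profile is the wrapper EC2 attaches to an instance.
  SpotInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref SpotInstanceRole

  # Assumed name for the fleet resource from the question.
  SpotFleet:
    Type: AWS::EC2::SpotFleet
    Properties:
      SpotFleetRequestConfigData:
        TargetCapacity: 1
        IamFleetRole: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-ec2-spot-fleet-tagging-role
        LaunchSpecifications:
          - ImageId: '{{resolve:ssm:TestImage:4}}' # param stored reference to AMI
            InstanceType: t2.small
            # The property the question's template lacked: the profile
            # attached to every instance the fleet launches.
            IamInstanceProfile:
              Arn: !GetAtt SpotInstanceProfile.Arn
            NetworkInterfaces:
              - SubnetId: !ImportValue CustomVPCStack-dmz-subnet-1
                DeviceIndex: 0
                Groups:
                  - !Ref EC2MCServerSecurityGroup
            TagSpecifications:
              - ResourceType: instance
                Tags:
                  - Key: Name
                    Value: spotfleetserver
        ReplaceUnhealthyInstances: true
        Type: maintain
```

Because the template now creates IAM resources, the stack has to be created or updated with the `CAPABILITY_IAM` capability, and the principal running the deployment needs `iam:PassRole` on both the fleet role and `SpotInstanceRole`, since the fleet passes the instance role to the instances it launches.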