AWSServiceRoleForApplicationAutoScaling_RDSCluster user throwing errors when executing autoscaling

0

I have an autoscaling policy on my RDS Aurora cluster which has been working well for a while. I recently added CloudTrail alerts for when a role attempts to do something that is unauthorized, and every time there is a scaling action the AWSServiceRoleForApplicationAutoScaling_RDSCluster throws an error:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "XXXXX:AutoScaling-UpdateDesiredCapacity",
        "arn": "arn:aws:sts::XXXXX:assumed-role/AWSServiceRoleForApplicationAutoScaling_RDSCluster/AutoScaling-UpdateDesiredCapacity",
        "accountId": "XXXXX",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "XXXXX",
                "arn": "arn:aws:iam::XXXXX:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
                "accountId": "XXXXX",
                "userName": "AWSServiceRoleForApplicationAutoScaling_RDSCluster"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-01-09T16:54:55Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "rds.application-autoscaling.amazonaws.com"
    },
    "eventTime": "2023-01-09T16:54:56Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeSubnets",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "rds.application-autoscaling.amazonaws.com",
    "userAgent": "rds.application-autoscaling.amazonaws.com",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation.",
    "requestParameters": {
        "subnetSet": {},
        "filterSet": {
            "items": [
                {
                    "name": "subnet-id",
                    "valueSet": {
                        "items": [
                            {
                                "value": "XXXXX"
                            },
                            {
                                "value": "XXXXX"
                            }
                        ]
                    }
                }
            ]
        }
    },
    "responseElements": null,
    "requestID": "XXXXX",
    "eventID": "XXXXX",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "XXXXX",
    "eventCategory": "Management"
}

I don't see any way that I can modify the permissions of this service role, but I also don't like my CloudWatch alerts being filled with these notifications. Is there any way I can give this role the proper permissions?

1 answer
0

Hello,

I hope you're doing well.

Thank you for reaching out to us with your concern.

Firstly, I would like to inform you that the service-linked policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy. To know more, please follow the solution defined in the AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html?icmpid=docs_iam_console#iam-term-service-linked-role.

Alternatively, you can create a service role and assign specific permissions to the role. For creating a role to delegate permissions to an AWS service, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html

From the CloudTrail log, I could see that you are facing a "Client.UnauthorizedOperation" error. This error usually happens because the user/role who is trying to access the configuration lacks the required permission.

As we have only limited information, we can't find the actual cause of the issue. Sorry for the inconvenience caused. To troubleshoot further, I would request that you raise a support case ticket, where we can take a deep dive into the issue to find out the actual root cause.

answered a year ago
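Since the answer above confirms the service-linked role's policy cannot be edited, the practical lever the question leaves open is on the alerting side. Below is an added example (not code from the question, the answer, or AWS) of how a practitioner might triage CloudTrail records so that authorization failures raised by a service-linked role acting on behalf of an AWS service land in a separate, lower-severity bucket instead of being dropped or paging alongside denials for human and CI principals. The sample records are constructed, modelled on the redacted event in the question; the bucket names, the DENIAL_CODES set, and the helper names are assumptions of this example.

```python
import json

# Constructed sample records modelled on the redacted CloudTrail event in the
# question. These are NOT real log lines from the original post.
SAMPLE_EVENTS = [
    {   # the service-linked role denial from the question
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSubnets",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/AWSServiceRoleForApplicationAutoScaling_RDSCluster/AutoScaling-UpdateDesiredCapacity",
            "invokedBy": "rds.application-autoscaling.amazonaws.com",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111111111111:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
            }},
        },
    },
    {   # a deploy role being denied: this one should still page
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "errorCode": "AccessDenied",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/DeployRole/ci",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111111111111:role/DeployRole",
            }},
        },
    },
    {   # a successful call: no errorCode, ignored by the triage
        "eventSource": "rds.amazonaws.com",
        "eventName": "DescribeDBClusters",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/DeployRole/ci"},
    },
    {   # issuer path looks service-linked, but no AWS service invoked the call:
        # treat as a normal principal denial so it is not quietly downgraded
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSubnets",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/AWSServiceRoleForApplicationAutoScaling_RDSCluster/someone",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111111111111:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
            }},
        },
    },
]

# errorCode values that mean "authorization failure" (assumed set for this example)
DENIAL_CODES = {
    "AccessDenied",
    "AccessDeniedException",
    "Client.UnauthorizedOperation",
    "UnauthorizedOperation",
}

# Service-linked roles always live under this IAM path, as in the question's event.
SERVICE_LINKED_PATH = ":role/aws-service-role/"


def is_denial(record):
    return record.get("errorCode") in DENIAL_CODES


def issued_by_service_linked_role(user_identity):
    """True when the session was issued by a role under the aws-service-role path."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return user_identity.get("type") == "AssumedRole" and SERVICE_LINKED_PATH in issuer.get("arn", "")


def invoked_by_aws_service(user_identity):
    """True when CloudTrail says an AWS service principal made the call."""
    return user_identity.get("invokedBy", "").endswith(".amazonaws.com")


def classify(record):
    """Return None for non-denials, otherwise the bucket the denial belongs in.

    Both conditions are required for the low-severity bucket: a service-linked
    issuer AND an AWS service as invoker. A session that merely carries the
    service-linked role name stays in the page-worthy bucket.
    """
    if not is_denial(record):
        return None
    ui = record.get("userIdentity", {})
    if issued_by_service_linked_role(ui) and invoked_by_aws_service(ui):
        return "service-linked-role-denial"
    return "principal-denial"


def triage(records):
    """Group denials by bucket as 'eventSource:eventName' strings."""
    buckets = {"service-linked-role-denial": [], "principal-denial": []}
    for rec in records:
        kind = classify(rec)
        if kind is not None:
            buckets[kind].append(f"{rec['eventSource']}:{rec['eventName']}")
    return buckets


def load_records(cloudtrail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) or a single record."""
    data = json.loads(cloudtrail_json)
    return data["Records"] if isinstance(data, dict) and "Records" in data else [data]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The point of keeping two buckets rather than suppressing the event is that the service-linked denial is still a signal: it tells you which action the service tried (here `ec2:DescribeSubnets`) and is worth a ticket at low priority, while a denial for any other principal keeps its original severity. Requiring both the `aws-service-role` issuer path and a service `invokedBy` is deliberate: a session that carries the service-linked role's name but was not invoked by an AWS service should never be downgraded.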
