DependencyAccessDeniedException when calling the RequestServiceQuotaIncrease operation for AppStream


I have a Lambda function using boto3 to request Quota Increase. I've tested it in the development account and it worked fine, requesting the desired value of AppStream Graphics Design instances. But when that function runs in our production account where we would eventually start providing the service on AppStream instances Quota Service responds with:

DependencyAccessDeniedException when calling the RequestServiceQuotaIncrease operation: Service-linked role creation access denied

The function's role has the necessary permissions. The only difference between our dev and prod accounts is that I actually applied for the AppStream Graphics Design instances for fleets manually months ago.

What's causing DependencyAccessDeniedException?

asked 9 months ago · 494 views
2 Answers
Accepted Answer

When you request a service quota increase, AWS may need to create a new service-linked role or modify an existing one to handle the increased capacity. If the role that your Lambda function is assuming doesn't have permission to create or modify service-linked roles, then you'll see the DependencyAccessDeniedException.

In your case, it sounds like your Lambda function might not have the necessary permissions in your production account. Here are a few things you can check:

  • IAM Role Permissions: Ensure that the IAM role associated with your Lambda function has the iam:CreateServiceLinkedRole permission in the production environment. This permission allows the function to create service-linked roles, which might be necessary when requesting a quota increase.

  • Service-Linked Role: In some cases, AWS might not be able to create a service-linked role if an IAM role with the same name already exists. Check if there is an existing role in the IAM console that could be conflicting with the service-linked role that AWS is trying to create.

  • Different Policies in Dev and Prod: Make sure that the policies and roles attached to your Lambda function are the same in both your development and production environments. It's possible that the policies are not the same, which could be why the function works in development but not in production.

answered 9 months ago

Hi, a request for a quota increase seems to be possible only when associated with the creation of a service-linked role (SLR).

SLR are described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

The kind of credentials that are then needed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "SERVICE-NAME.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*"
        }
    ]
}

So you have two ways to go:

  1. Set Resource: * in the iam:CreateServiceLinkedRole statement, check in the IAM console which role has just been created, and then restrict your role policy to that exact role (even though most of them are created only once).
  2. Use CloudTrail to find whether the failing CreateServiceLinkedRole call is logged with the role in question.

Update: from https://github.com/org-formation/aws-resource-providers/issues/75, it seems that the role in question is "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*", but fall back on 1. and 2. above in case I'm wrong.

Best,

Didier

AWS EXPERT
answered 9 months ago
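Added example (not code from the thread or from AWS): a small Python/boto3 helper that puts both answers into practice. It fills the SLR policy template above with a concrete service principal, sifts CloudTrail LookupEvents records for the CreateServiceLinkedRole call that was denied (step 2 above), and wraps RequestServiceQuotaIncrease so that a DependencyAccessDeniedException triggers that lookup. The servicequotas.amazonaws.com principal and AWSServiceRoleForServiceQuotas prefix are taken from the answer's update and are assumptions to confirm against your own CloudTrail; the sample events are constructed, and the requestParameters.aWSServiceName key is how CloudTrail records the target service for this IAM call.

```python
"""Diagnose a DependencyAccessDeniedException from RequestServiceQuotaIncrease.

Added example, not from the re:Post thread. Only request_increase_and_diagnose()
talks to AWS; the other functions run offline on constructed data.
"""
import datetime
import json

# From the answer's update; assumed, verify in your own account.
SERVICE_QUOTAS_PRINCIPAL = "servicequotas.amazonaws.com"
SERVICE_QUOTAS_SLR_PREFIX = "AWSServiceRoleForServiceQuotas"


def slr_policy(service_name: str, role_prefix: str) -> dict:
    """Fill the generic SLR policy template for one service principal.

    Resource is scoped to the aws-service-role path for that service and the
    Condition pins iam:AWSServiceName, so the role cannot create SLRs for any
    other service even though the account id is wildcarded.
    """
    role_arn = f"arn:aws:iam::*:role/aws-service-role/{service_name}/{role_prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": role_arn,
                "Condition": {"StringLike": {"iam:AWSServiceName": service_name}},
            },
            {
                "Effect": "Allow",
                "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
                "Resource": role_arn,
            },
        ],
    }


def denied_slr_creations(events: list) -> list:
    """Return the denied CreateServiceLinkedRole calls from LookupEvents records.

    Each record's CloudTrailEvent field is a JSON string. The service whose
    SLR was being created is in requestParameters.aWSServiceName.
    """
    found = []
    for rec in events:
        ev = json.loads(rec["CloudTrailEvent"])
        if ev.get("eventName") != "CreateServiceLinkedRole":
            continue
        if ev.get("errorCode") != "AccessDenied":
            continue
        params = ev.get("requestParameters") or {}
        found.append({
            "service": params.get("aWSServiceName"),
            "principal": (ev.get("userIdentity") or {}).get("arn"),
            "message": ev.get("errorMessage"),
        })
    return found


def request_increase_and_diagnose(service_code, quota_code, desired, region):
    """Request the quota; on DependencyAccessDeniedException, find the denied SLR.

    IAM is a global service, so its CloudTrail events are delivered to us-east-1
    regardless of the region the quota request was made in.
    """
    import boto3  # imported here so the offline helpers need no AWS SDK

    sq = boto3.client("service-quotas", region_name=region)
    try:
        return sq.request_service_quota_increase(
            ServiceCode=service_code, QuotaCode=quota_code, DesiredValue=desired
        )
    except sq.exceptions.DependencyAccessDeniedException:
        ct = boto3.client("cloudtrail", region_name="us-east-1")
        now = datetime.datetime.now(datetime.timezone.utc)
        resp = ct.lookup_events(
            LookupAttributes=[{"AttributeKey": "EventName",
                               "AttributeValue": "CreateServiceLinkedRole"}],
            StartTime=now - datetime.timedelta(minutes=15),
            EndTime=now,
        )
        denied = denied_slr_creations(resp.get("Events", []))
        services = sorted({d["service"] for d in denied if d["service"]})
        raise RuntimeError(
            f"SLR creation denied for {services}; grant slr_policy() for each"
        )


# Constructed CloudTrail records (111122223333 is the AWS docs placeholder account).
SAMPLE_EVENTS = [
    {"CloudTrailEvent": json.dumps({
        "eventName": "CreateServiceLinkedRole",
        "errorCode": "AccessDenied",
        "errorMessage": "not authorized to perform: iam:CreateServiceLinkedRole",
        "requestParameters": {"aWSServiceName": SERVICE_QUOTAS_PRINCIPAL},
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/quota-lambda/quota-lambda"},
    })},
    {"CloudTrailEvent": json.dumps({  # succeeded, so not reported
        "eventName": "CreateServiceLinkedRole",
        "requestParameters": {"aWSServiceName": "autoscaling.amazonaws.com"},
    })},
    {"CloudTrailEvent": json.dumps({"eventName": "CreateRole", "errorCode": "AccessDenied"})},
]

if __name__ == "__main__":
    print(json.dumps(slr_policy(SERVICE_QUOTAS_PRINCIPAL, SERVICE_QUOTAS_SLR_PREFIX), indent=2))
    print(denied_slr_creations(SAMPLE_EVENTS))
```

Once CloudTrail names the service principal, attach the output of slr_policy() for it to the Lambda role in the production account instead of a wildcard Resource; in the dev account the SLR already existed (the manual request created it), which is why the call never needed iam:CreateServiceLinkedRole there.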
