When you request a service quota increase, AWS may need to create a new service-linked role or modify an existing one to handle the increased capacity. If the role that your Lambda function is assuming doesn't have permission to create or modify service-linked roles, then you'll see the DependencyAccessDeniedException.
In your case, it sounds like your Lambda function might not have the necessary permissions in your production account. Here are a few things you can check:
- IAM Role Permissions: Ensure that the IAM role associated with your Lambda function has the iam:CreateServiceLinkedRole permission in the production environment. This permission allows the function to create service-linked roles, which might be necessary when requesting a quota increase.
- Service-Linked Role: In some cases, AWS might not be able to create a service-linked role if an IAM role with the same name already exists. Check if there is an existing role in the IAM console that could be conflicting with the service-linked role that AWS is trying to create.
- Different Policies in Dev and Prod: Make sure that the policies and roles attached to your Lambda function are the same in both your development and production environments. It's possible that the policies are not the same, which could be why the function works in development but not in production.
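The first item above asks whether the execution role can actually perform iam:CreateServiceLinkedRole for the Service Quotas role. The following script is an added example for this thread (not AWS code and not the IAM policy simulator): an offline evaluator for the small subset of IAM semantics that check needs, run against two constructed execution-role policies, one scoped as the IAM documentation describes and one with logging rights only. The account id 123456789012 and the policy documents are constructed placeholders.

```python
"""Offline answer to "does this Lambda execution role's policy allow
iam:CreateServiceLinkedRole for the Service Quotas role?".

Added example for this thread, not AWS code. It models only the subset
of IAM evaluation the thread's policy needs: identity policy statements
with Allow/Deny, Action and Resource wildcards, and StringEquals/StringLike
conditions. It ignores SCPs, permission boundaries, resource policies and
NotAction/NotResource, so treat it as a sanity check, not as a substitute
for the IAM policy simulator."""
import re

# Constructed role ARN and condition context; 123456789012 is a placeholder account id.
SQ_SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
              "servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas")
SQ_CONTEXT = {"iam:AWSServiceName": "servicequotas.amazonaws.com"}
SQ_SLR_PATTERN = ("arn:aws:iam::*:role/aws-service-role/"
                  "servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*")

# Constructed policy scoped the way the IAM docs describe service-linked-role creation.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole",
         "Resource": SQ_SLR_PATTERN,
         "Condition": {"StringLike": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}}},
        {"Effect": "Allow",
         "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": SQ_SLR_PATTERN},
    ],
}

# Constructed execution role with logging rights only: the production symptom in this thread.
LOGS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, ignore_case=False):
    """IAM wildcard to regex: * matches any run, ? one character, all else literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def _condition_ok(condition, context):
    """Every operator/key pair must hold; a missing context key fails String* operators."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(wanted)
            elif operator == "StringLike":
                ok = any(_glob(p).match(actual) for p in _as_list(wanted))
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one identity policy."""
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are not.
        if not any(_glob(a, True).match(action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r).match(resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"   # an explicit deny always wins
        decision = "allow"
    return decision


def can_create_sq_slr(policy):
    """The check this thread is about, for any candidate execution-role policy."""
    return evaluate(policy, "iam:CreateServiceLinkedRole", SQ_SLR_ARN, SQ_CONTEXT) == "allow"


if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("logs-only", LOGS_ONLY_POLICY)):
        print(f"{name:10s} can create Service Quotas SLR: {can_create_sq_slr(pol)}")
```

Paste the production role's inline and managed policy documents in place of the constructed ones to see which statement (if any) matches; the condition check is the part most often missed, since a statement whose Resource matches but whose iam:AWSServiceName condition names a different service still yields an implicit deny.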
Hi, a request for a quota increase seems to be possible only when it is associated with the creation of a service-linked role (SLR).
SLR are described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
The kind of credentials that are then needed:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*",
      "Condition": {"StringLike": {"iam:AWSServiceName": "SERVICE-NAME.amazonaws.com"}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*"
    }
  ]
}
```
So, you have two ways to go:
1. Set Resource: * for the resource in the iam:CreateServiceLinkedRole statement, see via the IAM console which role has just been created, and then restrict your role policy to this exact role (even though most of them are created only once).
2. Use CloudTrail to find whether the failing CreateServiceLinkedRole is logged with the role in question.
Update: from https://github.com/org-formation/aws-resource-providers/issues/75, it seems that the role in question is "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*", but revert to 1. and 2. above in case I'm wrong.
Best,
Didier
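Option 2 above, finding the failing CreateServiceLinkedRole call in CloudTrail, is easy to script once the records are exported. The following script is an added example for this thread (not AWS code): it filters a list of CloudTrail records down to denied CreateServiceLinkedRole calls, reports the role behind the session and the service-linked role it tried to create, and drafts the narrowly scoped statement from this answer for exactly that role. The records are constructed to resemble CloudTrail output; the requestParameters key name aWSServiceName is assumed (it is how CloudTrail camel-cases the API parameter as far as I know, and the code also accepts AWSServiceName), and the account ids, role names and timestamps are placeholders.

```python
"""Triage CloudTrail records for denied iam:CreateServiceLinkedRole calls and
draft the scoped policy statement that would let the caller create that role.

Added example for this thread, not AWS code. SAMPLE_RECORDS is constructed to
look like CloudTrail output; in real use the records would come from CloudTrail
Lake, Athena or the event-history lookup instead of an inline list. The
requestParameters key 'aWSServiceName' is an assumption about CloudTrail's
casing; 'AWSServiceName' is accepted as a fallback."""
import json
import re

SAMPLE_RECORDS = [
    {   # denied attempt from the production Lambda execution role
        "eventTime": "2024-05-01T10:15:02Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateServiceLinkedRole",
        "errorCode": "AccessDenied",
        "errorMessage": (
            "User: arn:aws:sts::123456789012:assumed-role/prod-quota-lambda-role/quota-fn "
            "is not authorized to perform: iam:CreateServiceLinkedRole on resource: "
            "arn:aws:iam::123456789012:role/aws-service-role/servicequotas.amazonaws.com/"
            "AWSServiceRoleForServiceQuotas because no identity-based policy allows the "
            "iam:CreateServiceLinkedRole action"),
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/prod-quota-lambda-role/quota-fn",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::123456789012:role/prod-quota-lambda-role"}}},
        "requestParameters": {"aWSServiceName": "servicequotas.amazonaws.com"},
    },
    {   # the same call succeeding from an admin user in the dev account: not a finding
        "eventTime": "2024-04-28T09:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateServiceLinkedRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-admin"},
        "requestParameters": {"aWSServiceName": "servicequotas.amazonaws.com"},
    },
    {   # the downstream symptom from the thread; a different API, so not reported here
        "eventTime": "2024-05-01T10:15:03Z",
        "eventSource": "servicequotas.amazonaws.com",
        "eventName": "RequestServiceQuotaIncrease",
        "errorCode": "DependencyAccessDeniedException",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/prod-quota-lambda-role/quota-fn",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::123456789012:role/prod-quota-lambda-role"}}},
    },
]

# IAM's denial message names the resource after "on resource: "; capture up to the next space.
_RESOURCE_RE = re.compile(r"on resource: (arn:\S+)")


def issuer_role(record):
    """IAM role ARN behind an assumed-role session, or the identity ARN for users."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or ident.get("arn")


def find_denied_slr_creations(records):
    """Keep only CreateServiceLinkedRole calls that carry an errorCode."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "CreateServiceLinkedRole" or "errorCode" not in rec:
            continue
        params = rec.get("requestParameters", {})
        match = _RESOURCE_RE.search(rec.get("errorMessage", ""))
        findings.append({
            "time": rec["eventTime"],
            "role": issuer_role(rec),
            "service": params.get("aWSServiceName") or params.get("AWSServiceName"),
            "slr_arn": match.group(1) if match else None,
            "error": rec["errorCode"],
        })
    return findings


def draft_statement(finding):
    """Scoped statement for this one service: exact ARN when the error named it,
    otherwise the documented aws-service-role path for that service."""
    service = finding["service"]
    resource = finding["slr_arn"] or f"arn:aws:iam::*:role/aws-service-role/{service}/*"
    return {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": resource,
        "Condition": {"StringLike": {"iam:AWSServiceName": service}},
    }


def triage(records):
    return [(f, draft_statement(f)) for f in find_denied_slr_creations(records)]


if __name__ == "__main__":
    for finding, stmt in triage(SAMPLE_RECORDS):
        print(f"{finding['time']} {finding['role']} got {finding['error']} "
              f"creating the SLR for {finding['service']}")
        print(json.dumps(stmt, indent=2))
```

The drafted statement is the narrow form: it names the one role ARN the denial mentioned and pins the iam:AWSServiceName condition, so the execution role gains the ability to create that service-linked role and nothing else. The role that needs it is the session issuer reported in the finding, which is the execution role to attach the statement to.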