Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

EKS Auto cannot create AWSServiceRoleForEC2Spot Service Linked Role

1

I'm using EKS Auto with a custom Node Pool to use EC2 Spot Instances. EKS Auto fails to spin up EC2 Spot instances because the AWSServiceRoleForEC2Spot service-linked role does not exist. EKS Auto tries to create the AWSServiceRoleForEC2Spot service-linked role and fail with error "no session policy allows the iam:CreateServiceLinkedRole action". The Cluster IAM Role has the iam:CreateServiceLinkedRole permission, but it seems that when the EKS assume the role and create the session, a session policy is passed in and that session policy doesn't request iam:CreateServiceLinkedRole.

I have the following setup.

        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
        }

I observed the following error in a CloudTrail event.

"errorMessage": "User: arn:aws:sts::{ACCOUNT_ID}:assumed-role/CustomRoleForAmazonEKSAutoCluster/aws-go-sdk-1746204116907768802 is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot because no session policy allows the iam:CreateServiceLinkedRole action"

This can easily be fixed by running CLI command aws iam create-service-linked-role --aws-service-name spot.amazonaws.com, but I managed multiple-hundred AWS accounts and would need to do this for each account. Running this script for multiple accounts and every time a new account gets provisioned is not an acceptable solution for us end EKS Auto clearly tries to provision the service-linked role already.

What configuration can we change so that EKS Auto will have the correct permissions in the session to create the service-linked role?

Topics
ComputeSecurity, Identity, & ComplianceContainers
Tags
AWS IAM Identity CenterAmazon EC2 Spot InstancesAmazon EKS Auto Mode
Language
English
asked 9 months ago262 views
3 Answers
1

The error you're encountering is related to session policies when EKS Auto assumes the CustomRoleForAmazonEKSAutoCluster role. Even though your role has the iam:CreateServiceLinkedRole permission, the session policy applied during role assumption is restricting this action.

There are a few approaches to resolve this issue:

  1. Pre-create the service-linked role in each account. You can do this by running the AWS CLI command you mentioned:
aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

If the role already exists, you'll see an error message indicating that the role name has been taken, which you can safely ignore.

  1. For automation across multiple accounts, you could create a script or use AWS automation tools (like AWS Systems Manager Automation or AWS Lambda) to create this service-linked role in all your accounts.

  2. Ensure that the IAM policy attached to your CustomRoleForAmazonEKSAutoCluster includes the proper permission without restrictions. The inline policy you've added looks correct, but make sure there are no contradicting deny statements elsewhere in the policy.

  3. If you're using AWS Organizations, you could consider using Service Control Policies (SCPs) to ensure this permission is available across all accounts.

Note that when you run the create-service-linked-role command and see the error message about the role already existing, this is expected behavior and confirms that the role is already set up correctly in that account.
Sources
Tutorial: Create Amazon EC2 spot fleet roles with the AWS CLI - AWS Batch
Community | Run Kubernetes Clusters for Less with Amazon EC2 Spot and Karpenter
Community | Run Kubernetes Clusters for Less with Amazon EC2 Spot and Karpenter

answered 9 months ago
EXPERT
reviewed 9 months ago
  • JD
    9 months ago

    Not acceptable because I need to do this automated out of the box for managing 100s of AWS accounts and also when creating new AWS accounts, there should be no manual step required.

1

You're right -->this is a common issue when using EKS Auto with Spot capacity, especially in multi-account setups. Here’s what’s happening under the hood:

Even though your custom EKS cluster role (CustomRoleForAmazonEKSAutoCluster) has iam:CreateServiceLinkedRole in its IAM policy, the STS AssumeRole call from EKS includes a session policy that doesn’t include this permission. As a result, even though the base role allows it, the session is effectively restricted. Hence, the no session policy allows the iam:CreateServiceLinkedRole error.

Why This Happens:

  1. EKS Auto tries to create the AWSServiceRoleForEC2Spot service-linked role if it doesn’t already exist.
  2. The iam:CreateServiceLinkedRole call requires that:
  3. The IAM role has permission in its policy AND
  4. The STS session policy includes this permission (explicitly or by default)

When EKS assumes your cluster role, the session policy restricts permissions further, and iam:CreateServiceLinkedRole isn't included.

Solution (Fully Automated, Zero Manual Step) To solve this at scale for 100s of accounts and new account provisioning, you need to proactively create the service-linked role in each account using automation. EKS Auto will then skip trying to create it, since it already exists.

Option A: Use an Account Bootstrapping Lambda (preferred) Set up a centralized pipeline or Account Vending Machine (AVM) that runs this once per account when created:

aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

Wrap this in an automation pipeline (e.g., Control Tower lifecycle event, Terraform, or AWS Config Custom Rule + Lambda).

Option B: SCP Bypass (not recommended long-term) You could remove session restrictions via SCP or adjust the way the EKS Auto cluster role is assumed, but this is fragile and not officially supported. The STS session policy used by EKS Auto is managed by AWS and can’t be customized directly.

answered 9 months ago
  • JD
    9 months ago

    Say I consider Option B, how would you do this by removing session restrictions with SCPs? We do use SCPs but there's no SCP restriction blocking anything related to creating service-linked roles or sessions. I don't think this is achievable with SCPs.

0

The only reliable fix: Pre-create the AWSServiceRoleForEC2Spot service-linked role in every account during provisioning. Once it exists, EKS Auto doesn’t attempt to create it, and the session policy restriction is avoided entirely.

Note: Please ignore that he Option B... The intention was to flag it as a common rabbit hole that people look into, but not a recommended or functional solution, which is why it was marked: "Option B: SCP Bypass (not recommended long-term)" "...but this is fragile and not officially supported."

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content