AWSServiceRoleForApplicationAutoScaling_RDSCluster user throwing errors when executing autoscaling

0

I have an autoscaling policy on my RDS Aurora cluster which has been working well for a while. I recently added CloudTrail alerts for when a role attempts to do something that is unauthorized, and every time there is a scaling action the AWSServiceRoleForApplicationAutoScaling_RDSCluster role throws an error:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "XXXXX:AutoScaling-UpdateDesiredCapacity",
        "arn": "arn:aws:sts::XXXXX:assumed-role/AWSServiceRoleForApplicationAutoScaling_RDSCluster/AutoScaling-UpdateDesiredCapacity",
        "accountId": "XXXXX",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "XXXXX",
                "arn": "arn:aws:iam::XXXXX:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
                "accountId": "XXXXX",
                "userName": "AWSServiceRoleForApplicationAutoScaling_RDSCluster"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-01-09T16:54:55Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "rds.application-autoscaling.amazonaws.com"
    },
    "eventTime": "2023-01-09T16:54:56Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeSubnets",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "rds.application-autoscaling.amazonaws.com",
    "userAgent": "rds.application-autoscaling.amazonaws.com",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation.",
    "requestParameters": {
        "subnetSet": {},
        "filterSet": {
            "items": [
                {
                    "name": "subnet-id",
                    "valueSet": {
                        "items": [
                            {
                                "value": "XXXXX"
                            },
                            {
                                "value": "XXXXX"
                            }
                        ]
                    }
                }
            ]
        }
    },
    "responseElements": null,
    "requestID": "XXXXX",
    "eventID": "XXXXX",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "XXXXX",
    "eventCategory": "Management"
}

I don't see any way that I can modify the permissions of this service role, but I also don't like my CloudWatch alerts being filled with these notifications. Is there any way I can give this role the proper permissions?
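Since the permissions of a service-linked role cannot be edited by the account owner, the practical fix on the alerting side is to triage these denials rather than page on them. The following is an added example (not part of the original question or answer) showing the check a detection pipeline can apply to a CloudTrail record before it becomes an alert: the event is a denial (`AccessDenied*` / `*UnauthorizedOperation`, the codes the usual "unauthorized API call" alarm matches) but the session issuer is a role under the `/aws-service-role/` path, which IAM reserves for service-linked roles, and the call was made by an AWS service principal (`invokedBy`). The first sample event is the one from the question above with its placeholders; the second is a constructed IAM-user event used only to show that ordinary denials still alert. The `triage` function and its severity labels are this example's own assumptions, not an AWS API.

```python
"""Triage CloudTrail denial events so that denials raised by AWS service-linked
roles (which the account owner cannot remediate) are recorded at low priority
instead of paging. Added example; not code from the original post."""
import json

# Error codes matched by the common "unauthorized API call" CloudWatch alarm.
DENIED_PREFIXES = ("AccessDenied",)
DENIED_SUFFIXES = ("UnauthorizedOperation",)

# IAM reserves the /aws-service-role/ path for service-linked roles; a
# customer-created role cannot use it, so the path is a reliable discriminator.
SLR_PATH = ":role/aws-service-role/"


def is_denied(event: dict) -> bool:
    """True when the record's errorCode is an authorization failure."""
    code = event.get("errorCode") or ""
    return code.startswith(DENIED_PREFIXES) or code.endswith(DENIED_SUFFIXES)


def is_service_linked_session(event: dict) -> bool:
    """True when the caller is a service-linked role acting on behalf of an AWS service.

    Both conditions are required: the session issuer must live under the reserved
    /aws-service-role/ path AND the call must carry an invokedBy service principal.
    """
    ident = event.get("userIdentity", {})
    issuer_arn = (ident.get("sessionContext", {})
                       .get("sessionIssuer", {})
                       .get("arn", ""))
    invoked_by = ident.get("invokedBy", "")
    return SLR_PATH in issuer_arn and invoked_by.endswith(".amazonaws.com")


def triage(event: dict) -> dict:
    """Return a verdict dict: {"alert": bool, "severity": str, "reason": str}.

    Severity labels are an assumption of this example, not an AWS convention.
    """
    if not is_denied(event):
        return {"alert": False, "severity": "none", "reason": "not an authorization failure"}
    if is_service_linked_session(event):
        role = event["userIdentity"]["sessionContext"]["sessionIssuer"].get("userName", "?")
        return {
            "alert": False,
            "severity": "info",
            "reason": f"denial from service-linked role {role}; policy is AWS-managed and "
                      f"cannot be changed in this account, log only",
        }
    return {"alert": True, "severity": "high",
            "reason": f"{event.get('eventName')} denied for "
                      f"{event['userIdentity'].get('arn', '?')}"}


# Sample 1: the event from the question (trimmed, placeholders kept as posted).
SLR_EVENT = json.loads("""{
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::XXXXX:assumed-role/AWSServiceRoleForApplicationAutoScaling_RDSCluster/AutoScaling-UpdateDesiredCapacity",
    "sessionContext": {"sessionIssuer": {
      "type": "Role",
      "arn": "arn:aws:iam::XXXXX:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
      "userName": "AWSServiceRoleForApplicationAutoScaling_RDSCluster"}},
    "invokedBy": "rds.application-autoscaling.amazonaws.com"},
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeSubnets",
  "errorCode": "Client.UnauthorizedOperation"
}""")

# Sample 2: a constructed IAM-user denial (not from the page) that should still alert.
USER_EVENT = json.loads("""{
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "errorCode": "AccessDenied"
}""")


if __name__ == "__main__":
    for ev in (SLR_EVENT, USER_EVENT):
        print(json.dumps(triage(ev)))
```

If your alarm is a CloudWatch Logs metric filter rather than code, the same exclusion is expressed by adding a `!=` clause on `$.userIdentity.sessionContext.sessionIssuer.arn` against the `/aws-service-role/` path to the existing denial pattern; test that pattern against the log group with the event above before relying on it, since a wrong pattern silently drops real denials.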

1 Answer
0

Hello,

I hope you're doing well.

Thank you for reaching out to us with your concern.

Firstly, I would like to inform you that the service-linked policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy. To know more, please follow the solution defined in the AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html?icmpid=docs_iam_console#iam-term-service-linked-role.

Alternatively, you can create a service role and assign specific permissions to the role. For creating a role to delegate permissions to an AWS service, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html

From the CloudTrail log, I could see that you are facing a "Client.UnauthorizedOperation" error. This error usually happens because the user/role that is trying to access the configuration may lack the permission.

As we have only limited information, we can't find the actual cause of the issue. Sorry for the inconvenience caused. To troubleshoot further, I would request that you raise a support case ticket, where we can deep-dive into the issue to find out the actual root cause.

answered a year ago
