Cannot create arn:aws:iam::*********:role/service-role/AWSBatchServiceRole

0

Hello,

I tried to create the service-linked role for Batch following this link (9 steps at its bottom): https://docs.aws.amazon.com/batch/latest/userguide/service_IAM_role.html

but I saw the following error after clicking on the "Create role" button (the 9th step): "Failed to create role AWSServiceRoleForBatch. Role name prefix AWSServiceRoleFor can only be used for AWS Service Linked Roles"

I need this role to delete an invalid compute environment as explained by this link: https://repost.aws/questions/QUQDKKXZjnQZGwAAe6bQYB8g/how-to-delete-compute-environment-that-is-invalid

The invalid compute environment is showing this error:

"statusReason": "CLIENT_ERROR - User: batch.amazonaws.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::************:role/service-role/AWSBatchServiceRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: cab999c4-f3a6-4af2-8786-bad3a55b3109; Proxy: null)",

Could someone help? Thanks!

  • I found a workaround: since the name "AWSBatchServiceRole" is reserved, I changed it to a different name, "my_AWSBatchServiceRole". Then in the console, I went to AWS Batch/Compute environments, selected the invalid compute environment, clicked on the "Edit" button, and changed its associated role from "AWSBatchServiceRole" to "my_AWSBatchServiceRole". After doing this, I was able to delete it successfully.

2 Answers
0

Are you deploying this in an AWS Organization? Have you checked if the service is enabled or not? This is an error that AWS returns when integrations are disabled at the org level. Also check if the role already exists; these roles are usually created automatically by AWS when you use the service.

answered a year ago
  • Thanks, esgrano. I am not deploying this in an AWS Organization. The AWSBatchServiceRole role does not exist in my account now.

0

Ok, I finally found that the right way of creating it is using the CLI: aws iam create-service-linked-role --aws-service-name batch.amazonaws.com

The ARN of the role created this way will be different though: arn:aws:iam::************:role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch

answered a year ago
