aws-samples / amazon-cloudwatch-auto-alarms

Automatically create and configure Amazon CloudWatch alarms for EC2 instances, RDS, and AWS Lambda using tags for standard and custom CloudWatch Metrics.
MIT No Attribution

AccessDenied on creating alarm #47

Closed marksawers closed 1 year ago

marksawers commented 1 year ago

On one of three accounts I've deployed this to so far, there is a permissions issue. On all alarm creations there is an error in the lambda logs:

    Error creating alarm AutoAlarm-###-AWS/EC2-EBSReadOps-GreaterThanThreshold-30000-1m-1p-Average!: An error occurred (AccessDenied) when calling the PutMetricAlarm operation: User: arn:aws:sts::###:assumed-role/amazon-cloudwatch-auto-al-CloudWatchAutoAlarmLambd-TCKGG4NPM4VD/CloudWatchAutoAlarms is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::###:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents because no identity-based policy allows the iam:CreateServiceLinkedRole action

I added this inline policy, retried and the alarms were created:

    {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents"
    }

But then I removed the policy, and it still works. Then I dropped and recreated the stack. It works. It's a head-scratcher.

Any ideas?

marksawers commented 1 year ago

I'm answering this. Per this AWS doc, the service-linked role has to be created once per account for any alarm to take an EC2 action. I modified the lambda to add an EC2 action based on the alarm tag description, e.g. Ec2ActionTerminate adds a terminate action to the SNS topic send.
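The two points in this thread, as an added example that is neither the project's code nor the commenter's modification: the `AWSServiceRoleForCloudWatchEvents` service-linked role only has to exist once per account, so the example creates it idempotently (treating the "already taken" `InvalidInputException` as success and re-raising anything else, such as the `AccessDenied` seen in the logs), and it derives the alarm's EC2 action from an `Ec2Action*` token in the alarm tag value. The tag token names, the `Ec2Action*` suffix position, the account id and the topic ARN are assumptions made for illustration. The least-privilege alternative to granting the Lambda role `iam:CreateServiceLinkedRole` is to create the role once out of band (`aws iam create-service-linked-role --aws-service-name events.amazonaws.com`), which is why the check lives in a separate function rather than in the per-alarm path.

```python
"""Added example, not code from amazon-cloudwatch-auto-alarms.

Tag-driven EC2 alarm actions plus a one-time service-linked-role check,
written against the boto3 client API. boto3 is imported only in main() so
the helper functions can be exercised offline with duck-typed fake clients.
"""
import re

# Assumed tag tokens (hypothetical naming) -> built-in CloudWatch EC2 actions.
EC2_ACTION_BY_TAG = {
    "Ec2ActionStop": "stop",
    "Ec2ActionTerminate": "terminate",
    "Ec2ActionReboot": "reboot",
    "Ec2ActionRecover": "recover",
}


def ec2_action_arn(action, region):
    """ARN form CloudWatch expects for its built-in EC2 alarm actions."""
    if action not in EC2_ACTION_BY_TAG.values():
        raise ValueError(f"unsupported EC2 action: {action}")
    return f"arn:aws:automate:{region}:ec2:{action}"


def alarm_actions_from_tag(alarm_tag_value, region, sns_topic_arn):
    """Return the AlarmActions list for an alarm tag value.

    The SNS topic is always notified. An Ec2Action* token (assumed to be a
    dash-separated element of the tag value) adds the matching EC2 action.
    Unrecognised tokens are ignored, so a typo yields a notification-only
    alarm rather than an unintended instance action.
    """
    actions = [sns_topic_arn]
    for token in re.split(r"[-\s]+", alarm_tag_value.strip()):
        ec2_action = EC2_ACTION_BY_TAG.get(token)
        if ec2_action:
            actions.append(ec2_action_arn(ec2_action, region))
    return actions


def ensure_cloudwatch_events_slr(iam_client):
    """Create AWSServiceRoleForCloudWatchEvents once per account.

    Returns True if the role was created by this call, False if it already
    existed. Any other failure (for example AccessDenied because the caller
    lacks iam:CreateServiceLinkedRole) is re-raised so deployment fails loudly
    instead of every later PutMetricAlarm failing one by one.
    """
    try:
        iam_client.create_service_linked_role(AWSServiceName="events.amazonaws.com")
        return True
    except Exception as exc:  # botocore ClientError carries .response
        err = getattr(exc, "response", {}).get("Error", {})
        if err.get("Code") == "InvalidInputException" and "has been taken" in err.get("Message", ""):
            return False
        raise


def main():
    # Real AWS calls; values below are constructed placeholders.
    import boto3

    region = "us-east-1"
    sns_topic_arn = "arn:aws:sns:us-east-1:111122223333:alerts"  # placeholder
    tag_value = "AutoAlarm-AWS/EC2-CPUUtilization-GreaterThanThreshold-80-5m-2p-Average-Ec2ActionTerminate"

    created = ensure_cloudwatch_events_slr(boto3.client("iam"))
    print("service-linked role created now:", created)

    cloudwatch = boto3.client("cloudwatch", region_name=region)
    cloudwatch.put_metric_alarm(
        AlarmName=tag_value,
        Namespace="AWS/EC2",
        MetricName="CPUUtilization",
        Dimensions=[{"Name": "InstanceId", "Value": "i-0123456789abcdef0"}],  # placeholder
        Statistic="Average",
        Period=300,
        EvaluationPeriods=2,
        Threshold=80.0,
        ComparisonOperator="GreaterThanThreshold",
        AlarmActions=alarm_actions_from_tag(tag_value, region, sns_topic_arn),
    )


if __name__ == "__main__":
    main()
```

Because `ensure_cloudwatch_events_slr` only swallows the "already taken" case, the `AccessDenied` from the issue surfaces at deployment time, where the fix (grant the permission, or pre-create the role per account) is obvious, rather than being scattered across every alarm's log line.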